SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Lazarus Group starts using new MagicRAT in attacks targeting vulnerable VMware Horizon platforms
Description: Cisco Talos discovered a new remote access trojan (RAT) named "MagicRAT" that Talos attributes with moderate to high confidence to the Lazarus threat actor, a state-sponsored APT that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) links to North Korea. This new RAT was found on victims that had been initially compromised through the exploitation of publicly exposed VMware Horizon platforms. Although a relatively simple RAT in terms of capabilities, it was built on the Qt Framework with the sole intent of making human analysis harder and automated detection through machine learning and heuristics less likely. Talos also found evidence to suggest that once MagicRAT is deployed on infected systems, it launches additional payloads such as custom-built port scanners. Additionally, we've found that MagicRAT's C2 infrastructure was also used to host newer variants of known Lazarus implants such as TigerRAT. The discovery of MagicRAT in the wild is an indication of Lazarus' motivation to rapidly build new, bespoke malware to use alongside previously known malware such as TigerRAT to target organizations worldwide.
References: https://blog.talosintelligence.com/2022/09/lazarus-magicrat.html
Snort SIDs: 60459 - 60466
Title: Number of attacks against Linux machines on the rise
Description: A new report indicates that attackers are increasingly targeting Linux machines as the operating system becomes more popular among enterprise users. Security firm Trend Micro said that there has been a 75 percent increase in ransomware attacks against Linux systems in the first half of 2022 compared to the same period last year. The report also said the firm has seen more than 1,900 instances of Linux-based malware being used against its customers in the first half of 2022. These attacks are mainly coming from the operators of the REvil and DarkSide ransomware-as-a-service groups, along with a recently released Linux version of the LockBit ransomware. Cloud computing company VMware released a different report earlier this year warning of a rise in cryptocurrency mining attacks against Linux systems that use miners such as XMRig to hijack CPU power on Linux machines to mine Monero and other virtual currencies.
References: https://www.darkreading.com/application-security/defenders-prepared-cyberattacks-linux-cloud-migration
Snort SIDs: 55223, 55224, 57621 and 57622