Cyber Security News

Poison Ivy APT Launches Continuous Cyber Attack on Defense, Gov, Tech & Edu Sectors

Researchers uncovered the resurgence of APT-C-01, also known as the Poison Ivy group, an advanced persistent threat organization notorious for its sustained cyber attacks.

This group has been actively targeting sectors such as defense, government, technology, and education since 2007, using watering-hole and spear-phishing techniques.

Recent threat-hunting activities have revealed an uptick in Poison Ivy’s operations. Investigators have discovered the group mimicking official websites to create convincing phishing pages.

Upon visiting these sites, victims unknowingly trigger the automatic download of malicious payloads designed to deploy the Sliver Remote Access Trojan (RAT).

This malware facilitates unauthorized access, allowing the attackers to steal sensitive information and conduct remote operations.


Attack Analysis

Poison Ivy’s modus operandi involves creating near-identical copies of legitimate websites. Upon accessing these spoofed sites, the target automatically downloads a malicious loader, disguised with a PDF icon to avoid suspicion.

This loader is a heavily obfuscated .NET compiled Portable Executable (PE) file, configured to decrypt an initial URL along with a specific AES key and initialization vector.

It subsequently downloads, decrypts, and executes shellcode that loads the final Sliver RAT component.

Security analysts have isolated and scrutinized several samples of this loader. A notable sample, disguised as “auto-download.zip,” measures 119.50 KB and has an MD5 hash of 61c42751f6bb4efafec524be23055fba.

Upon execution, this file decrypts a specially encrypted payload embedded within the shellcode, ultimately loading the Sliver RAT into memory.
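The loader described above relies on the victim trusting an icon and a file name rather than the file's contents. The following is an added example, not code from the report or from the researchers, showing how a download-triage step can classify a file by its real magic bytes and PE headers: a genuine PDF starts with `%PDF-`, while the loader is a PE whose optional header carries a non-empty CLR runtime directory (data-directory index 14), which is what marks it as a .NET assembly. The `build_fake_pe` helper constructs a minimal, non-executable PE header purely as test input; the `.pdf`-suffix check in `verdict` is a stand-in for the "looks like a document" signal, since an icon is not visible from the raw bytes.

```python
import struct

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the PE format


def classify_download(data: bytes) -> dict:
    """Report what the bytes actually are: PDF, native PE, .NET PE, or unknown."""
    result = {"is_pdf": False, "is_pe": False, "is_dotnet": False, "pe32plus": None}
    if data.startswith(PDF_MAGIC):
        result["is_pdf"] = True
        return result
    if len(data) < 0x40 or not data.startswith(MZ_MAGIC):
        return result
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return result
    result["is_pe"] = True
    coff = e_lfanew + 4  # 20-byte COFF file header follows the signature
    if len(data) < coff + 20:
        return result
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if size_of_optional < 2 or len(data) < opt + size_of_optional:
        return result
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories start at offset 96
        result["pe32plus"] = False
        rva_count_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit fields push them to offset 112
        result["pe32plus"] = True
        rva_count_off, dir_base = opt + 108, opt + 112
    else:
        return result
    rva_count = struct.unpack_from("<I", data, rva_count_off)[0]
    if rva_count > CLR_DIRECTORY_INDEX:
        entry = dir_base + CLR_DIRECTORY_INDEX * 8
        if entry + 8 <= len(data):
            va, size = struct.unpack_from("<II", data, entry)
            # A populated CLR header means the CLR, not the native loader, runs this file.
            result["is_dotnet"] = va != 0 and size != 0
    return result


def build_fake_pe(dotnet: bool) -> bytes:
    """Constructed test input: a minimal PE32 header with no code, so it cannot run."""
    dos = bytearray(0x80)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> right after the DOS stub
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x14C)           # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", coff, 16, 224)            # SizeOfOptionalHeader for PE32
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    if dotnet:
        # Constructed CLR directory entry (RVA 0x2008, size 0x48 is the usual header size).
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)
    return bytes(dos + PE_SIGNATURE + coff + opt)


def verdict(name: str, data: bytes) -> str:
    """Compare the type the file advertises (here: its name) with what the bytes say."""
    info = classify_download(data)
    if info["is_pdf"]:
        return "pdf"
    if info["is_dotnet"]:
        kind = ".NET PE"
    elif info["is_pe"]:
        kind = "native PE"
    else:
        return "unknown"
    if name.lower().endswith(".pdf"):
        return f"{kind} (mismatch: named like a PDF)"
    return kind


if __name__ == "__main__":
    print(verdict("report.pdf", b"%PDF-1.7\n%constructed sample\n"))
    print(verdict("report.pdf", build_fake_pe(dotnet=True)))
    print(verdict("tool.exe", build_fake_pe(dotnet=False)))
```

In a download-inspection or sandbox pipeline the same check is worth running on every file that arrives with a document-like name or icon: a "PDF" whose bytes parse as a .NET PE is exactly the shape of loader the report describes and should be quarantined for analysis rather than opened.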

Sliver is an open-source, cross-platform command-and-control (C2) framework written in Golang, capable of operating on Windows, Linux, and macOS.

Its features include file manipulation, process operations, privilege escalation, process injection, lateral movement, remote shell execution, and obfuscation of function names to evade detection.

The persistence of APT-C-01 and their adept use of deceptive phishing strategies underscore the importance of heightened cybersecurity awareness.

Organizations and individuals are urged to exercise caution with unfamiliar links and email attachments to prevent potential breaches of sensitive information.

Maintaining robust security practices is essential to defending against such sophisticated cyber threats.


Indicators of Compromise for SOC/DFIR Teams

MD5:

  • 61c42751f6bb4efafec524be23055fba
  • 3bd15b16a9595d20c0e185ab1fae738f
  • 7f0dba2db8c3fdd717d83bb693b3ade9
  • 88e306f4d6a33703316e794a9210f528
  • 3a74ed8d1163d1dbc516410d1b8081fa

C2:

  • 165.22.97[.]48
  • 158.247.208[.]174
  • 128.199.134[.]3
  • caac-cn[.]org
  • caac-cn[.]com

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
