Cyber Security News

Poison Ivy APT Launches Continuous Cyber Attack on Defense, Gov, Tech & Edu Sectors

Researchers uncovered the resurgence of APT-C-01, also known as the Poison Ivy group, an advanced persistent threat organization notorious for its sustained cyber attacks.

This group has been actively targeting the defense, government, technology, and education sectors since 2007, using sophisticated phishing techniques that include watering-hole attacks and spear phishing.

Recent threat-hunting activities have revealed an uptick in Poison Ivy’s operations. Investigators have discovered the group mimicking official websites to create convincing phishing pages.

Upon visiting these sites, victims unknowingly trigger the automatic download of malicious payloads designed to deploy the Sliver Remote Access Trojan (RAT).

This malware facilitates unauthorized access, allowing the attackers to steal sensitive information and conduct remote operations.


Attack Analysis

Poison Ivy’s modus operandi involves creating near-identical copies of legitimate websites. Upon accessing these spoofed sites, the target automatically downloads a malicious loader, disguised with a PDF icon to avoid suspicion.

This loader is a heavily obfuscated .NET compiled Portable Executable (PE) file that carries an encrypted initial URL together with a specific AES key and initialization vector, which it decrypts at runtime.

It subsequently downloads, decrypts, and executes shellcode that loads the final Sliver RAT component.

Security analysts have isolated and scrutinized several samples of this loader. A notable sample, disguised as “auto-download.zip,” measures 119.50 KB and has an MD5 hash of 61c42751f6bb4efafec524be23055fba.

Upon execution, this file decrypts a specially encrypted payload embedded within the shellcode, ultimately loading the Sliver RAT into memory.
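The first question an analyst asks about a file like this loader is whether a download that presents itself as a document is really a PE, and whether it is a managed .NET assembly (the CLR runtime header, data directory slot 14, is the giveaway). The following triage helper is an added example, not code from the article or the researchers it cites; the PE header it builds for the demonstration is constructed, not a real sample.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero => .NET assembly

def pe_info(data: bytes) -> dict:
    """Return whether `data` is a PE image and whether it carries a CLR header."""
    info = {"is_pe": False, "is_dotnet": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if opt_size < 2 or opt + opt_size > len(data):
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                     # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        return info
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    entry = dirs_off + 8 * CLR_DIRECTORY_INDEX
    if n_dirs > CLR_DIRECTORY_INDEX and entry + 8 <= opt + opt_size:
        rva, size = struct.unpack_from("<II", data, entry)
        info["is_dotnet"] = rva != 0 and size != 0
    return info

def build_sample(dotnet: bool, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (headers only, not a runnable executable) for testing."""
    magic, n_off, d_off = (0x20B, 108, 112) if pe32plus else (0x10B, 92, 96)
    opt = bytearray(d_off + 16 * 8)          # room for all 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, n_off, 16)   # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, d_off + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    dos = bytearray(b"MZ") + bytes(0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after DOS header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(pe_info(build_sample(dotnet=True)))   # {'is_pe': True, 'is_dotnet': True}
    print(pe_info(b"%PDF-1.7\n"))               # {'is_pe': False, 'is_dotnet': False}
```

Run it over a suspicious download (`pe_info(open(path, "rb").read())`): a "document" that comes back as a managed PE is worth a closer look regardless of its icon.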

Sliver is an open-source, cross-platform command-and-control (C2) framework written in Golang, capable of operating on Windows, Linux, and macOS.

Its features include file manipulation, process operations, privilege escalation, process injection, lateral movement, remote shell execution, and obfuscation of function names to evade detection.

The persistence of APT-C-01 and their adept use of deceptive phishing strategies underscore the importance of heightened cybersecurity awareness.

Organizations and individuals are urged to exercise caution with unfamiliar links and email attachments to prevent potential breaches of sensitive information.

Maintaining robust security practices is essential to defending against such sophisticated cyber threats.


Indicators of Compromise for SOC/DFIR Teams

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
