At a glance.
- WildCard deploys SysJoker malware.
- DPRK cryptocurrency theft.
- Ransomware attacks against healthcare organizations.
- The status of Ukraine's IT Army.
- Russian news outlet outs Killmilk.
- Former deputy head of SSSCIP arrested.
- Smartphones as a source of battlefield OSINT.
- Generative AI and security.
- A snapshot of global threats.
WildCard deploys SysJoker malware.
Researchers have found a new strain of SysJoker malware. Check Point describes a variant written in Rust that's being actively deployed against targets, mostly Israeli, in connection with the ongoing war between Hamas and Israel. The researchers don't have an attribution to offer, but they do regard the malware's use as aligned with Hamas interests. They note that SysJoker has been used since 2021, and they connect it with attacks against infrastructure. The malware, formerly prepared in C++, has been completely rewritten in Rust. It appears to bear some connection with the Electric Powder Operation against Israel Electric Company in 2016 and 2017. That action has been attributed to the Gaza Cybergang.
Intezer, who, as BleepingComputer notes, first described SysJoker, regards the current activity as the work of a hitherto unremarked advanced persistent threat (APT) it calls "WildCard." WildCard, whose precise place among various anti-Israeli actors remains obscure, makes its initial approach through social engineering, using phishing emails, bogus social media profiles, and fake news sites, all techniques in which it's invested considerable resources. The APT also abuses legitimate cloud services. Intezer concludes, "Clustering these different sets of activities showcases an APT group consistently targeting Israeli critical sectors like education, IT infrastructure, and possibly electric power generation active to this day."
DPRK cryptocurrency theft.
Researchers at SentinelOne describe two North Korean cryptocurrency theft campaigns, tracked as “RustBucket” and “KandyKorn”: “The initial RustBucket campaign used a second-stage malware, dubbed ‘SwiftLoader’, which functioned externally as a PDF Viewer for a lure document sent to targets. While victims viewed the lure, SwiftLoader retrieved and executed a further stage malware written in Rust. The KandyKorn campaign, meanwhile, was an elaborate multi-stage operation targeting blockchain engineers of a crypto exchange platform. Python scripts were used to drop malware that hijacked the host’s installed Discord app, and subsequently delivered a backdoor RAT written in C++ and called ‘KandyKorn.’”
Recently, the threat actors have begun merging elements of the two campaigns, “with SwiftLoader droppers being used to deliver KandyKorn payloads.”