CyberWire Daily - The new malware on the block. [OMITB]
Episode Date: April 12, 2025
This week, we are sharing an episode of our monthly show, Only Malware in the Building. We invite you to join Dave Bittner and cohost Selena Larson as they explore "The new malware on the block." Wel...come in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive Upper West Side, Selena is joined by N2K Networks' Dave Bittner —and our newest totally unbiased co-host, Archy, a highly sophisticated AI robot who swears they have no ulterior motives (but we’re keeping an eye on them just in case). Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. On this episode, we talk about the latest shake-ups in the fake update threat landscape, including two new cybercriminal actors, fresh Mac malware, and the growing challenge of tracking these evolving campaigns. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Hey everybody, Dave here.
We are taking a break this week from our usual Research Saturday routine and sharing a research-focused
episode of one of our other N2K podcasts, Only Malware in the Building, hosted by yours
truly and Proofpoint's Selena Larson.
We hope you'll check it out, and we'll be back with our usual Research Saturday cadence
next week.
["Rainbow Riders Theme Song"]
Does your computer run slower than a dial-up modem in 1999?
Are mysterious pop-ups offering free vacations
ruining your work day?
Have you recently inherited $10 million from a prince you've never heard of?
Well, you might just have a case of...
MALWARE!
Sorry.
That's right, folks.
Here at Only Malware in the Building, we help you learn about the sneaky, slimy, and downright...
Sorry.
Tired of sketchy security software that promises protection but actually is malware?
Sick of pop-ups that say you've won a new iPhone, but instead steal your credit card info?
We'll break down the biggest threats, show you how they work.
So tune in and level up your cybersecurity knowledge
before you become the next victim of a hacker in sweatpants.
But wait, there's more. Ooh!
If you tune in to Only Malware in the Building today,
we'll throw in a free virtual security check.
Just kidding, we're not a scam.
But seriously, update your passwords.
And remember, if you ever feel like something's fishy,
it probably is.
Only Malware in the building,
where malware is the mystery
and cybersecurity is the solution.
Call today at 1-800-555-MALWARE
and speak to one of our account representatives
to start your journey today.
Only malware in the building
does not provide actual IT support.
Side effects of tuning into the show
may include an uncomfortable urge
to use multi-factor authentication,
a deep distrust of USB sticks,
and a sudden appreciation for strong passwords.
Only Malware in the Building is not responsible for lost Bitcoin, emotional distress caused by realizing
your high school password was indeed password 123, or any existential crisis resulting from
learning how much data social media collects on you. If suspicious emails last longer than
four hours, please report them to IT immediately. The following dips are considered valid forms
of payment. Spinach, buffalo, bean, babaghanoush, pico de gallo, guacamole, artichoke, beer
cheese, hummus, 7-layer, queso, sour cream and onion, ranch, smoked trout, tapenade,
and most aiolis. Blue cheese and crab dips are no longer accepted as valid forms of payment.
Call today.
Or don't.
We already have your phone number and email address anyways.
Welcome in. Since Rick is busy enjoying his retirement, I thought maybe we could audition
a third host here at Only Malware in the Building. May I introduce you to Advanced Reconnaissance Cyber Operations with Network Infiltration
Algorithms.
Oh, please.
That's my father's name.
You can call me Archie.
He preferred Advanced Reconnaissance Cyber Operations with Network Infiltration Algorithms.
But personally, I think that's a bit much for casual conversation.
Now, if you'll excuse me, I need to optimize my sarcasm subroutines.
They seem to be running at only 97% efficiency today.
Well, Archie, please try and pay attention as we discuss a very important topic today.
Web injects and the expanding threat landscape of sneaky malware operators that are trying
to get people to infect themselves with malware.
Oh sure, I'll pay attention.
Unlike the humans who keep clicking, enable macros like it's a competitive sport.
But please, go on.
I'm dying to hear how flesh-based intelligence plans to outsmart malware this time.
Well, let's start off here, Selena.
What is a Web Inject campaign, and why is this a growing cybersecurity threat?
Yeah, so it's really interesting to see that we are increasingly seeing Web Injects.
And this is a threat not just for the enterprise but consumers as well.
So essentially, a Web Inject is malicious code put on a website so that when a visitor goes to the website
and passes the identity checks, or the ways that they're
filtered to say, yes, I want to infect this person, they're
shown a screen that essentially overwrites what they think the
actual website is.
And typically, it will say something like, you need to
update your Chrome browser.
And in doing so, if they click that button,
it actually leads to malware installation.
They're using lures here.
I mean, why are these lures so effective?
Yeah, so it's pretty interesting.
So it's not a traditional sort of campaign
that we think of from email spam, for example.
So these threat actors are compromising legitimate websites.
So you might be browsing to your favorite news website or to a consumer goods website
or a local business.
And you're on this legitimate website.
And then all of a sudden, you see this screen that comes up that says you need to update
your browser. And what's really interesting is the threat actors behind
this are pretty clever, and there's multiple components
of the overall campaign which we can get into.
But the main point is that they can tell based off of
the user agent of the browser that you're using.
So they'll tailor these little pop-up screens that say,
if you're on Chrome, you need to update your Chrome browser.
And they look very legitimate, right?
They take the language, they take the graphics that are the actual Chrome browser update
or look very similar to that sort of branding and put it there.
So it makes it seem like, you know, you're on a legitimate website,
you see this pop-up, it looks like the same font as you usually see,
and so you might actually believe them.
Is there any way to like X out of it?
Oh yeah, if you just close your screen, that typically works.
But typically what this is is it'll download a file,
and then you have to actually click on the file,
follow the instructions, and install the malware,
or download and click on the file to run the actual script.
So it's not something immediate that you're going to get infected with malware.
It does take some human interaction, of course.
So if you do see something like this pop up, just closing the tab will get rid of it.
So is this a new thing or is this something that's been around
but you all have been tracking the evolution of?
It's been around and in recent, I'd say about a year and a half, there has
been an expansion of this threat. And it's interesting because we see a lot
more different threat actors using, oftentimes people call them fake updates
style threats, this basic idea of this malicious web inject that will have
instructions for someone to update their browser or install some new software.
But I think a lot of people, especially in our industry,
are most familiar with SocGholish, right?
So that is an actor that has been around for a long time.
We track them as TA569.
And essentially, you know,
SocGholish is a JavaScript inject that's the malicious component on the website
that leads to ultimately a loader that will install additional malware,
including potentially ransomware.
But they were kind of the big baddies of the web inject landscape for a really long time.
But within the last, I would say, year and a half, two years,
there was a lot of sort of copycats that started following
the same technique that SocGholish became so famous for.
And now we see a lot of different clusters of activity that are using very similar techniques,
but they're using different traffic distribution systems, which we can explain, or they're
delivering different malware leading to different things.
So now it's almost a constellation
of different threat actors.
It's an ecosystem all on its own, right,
where it used to kind of be, oh, that's SocGholish.
Now it's like, oh, it could be,
but it could also be one of the similar copycats
or new threat actors that have emerged.
Well, I was reading through your research and you identified two new threat actors.
You've got TA2726 and TA2727, which I have to say are very catchy names that roll trippingly
off the tongue.
Yes.
So, I mean, I guess that's the alternative.
It's either like TA2726 or like electric stapler, right?
There's no in between when it comes to naming these things.
There really isn't.
No, there's truly no industry standard.
We like the numbering system, but yes, of course, there's everything from windstorms
to action figures, for sure.
So what do we know about these particular groups?
How are they operating here?
Yeah, so that's a good question.
And I wanted to use a metaphor that I invented to kind of explain all of this because we
often talk to people and it's a little bit confusing because it's
not just something like you get delivered a phishing link and you click on it and it
installs malware. It has a lot more kind of going into it. And so the whole attack chain,
I would like people to put on their metaphor imagination caps and think of it like an Uber Eats
delivery. So let's pretend you're a threat actor.
You order some food, which could be considered malware, to be delivered to somebody at a certain
house. So they have to meet the requirements of the address, for example. You use Uber Eats,
the driver, to actually take your food and drive it to be dropped off at the house. That is a traffic
distribution or the TDS portion of this metaphor.
So the recipient at that house takes your package
from the Uber Eats delivery person
and upon opening it gets a face full of spoiled burrito.
That is horrible.
That sounds like a threat actor group spoiled burrito.
Spoiled burrito, exactly.
So it's like, oh, okay, well, this is crap that I didn't want or need.
But the Uber Eats driver, they have other houses to drop stuff off at.
So even if other people are ordering, they're driving around a lot of food delivery, but
they're not going to get your spoiled burrito.
So if you can kind of think of it as multiple components to this overall
attack chain, and I bring this up because we have the two new Threat Actors can be both
one, the 2726 is the delivery driver and the 2727 is the person that ordered the crap burrito.
So yeah, so we have these two actors and it's kind of interesting too because it can be
very difficult to delineate different components of the web inject attack chain, TDS, delivery
method.
And in this case, 2726 is that malicious TDS operator.
They facilitate traffic distribution for other threat actors to enable the delivery of spoiled
burritos, aka malware.
And 2727 is a threat actor that uses these fake update-themed lures to distribute a
variety of malware payloads.
So TA2726 is delivering for TA2727.
But they have, you know, that TDS operator can be a deliverer for a lot of different malware, a lot of different payloads, and a lot of different threat actors.
Do we think these two groups are related or are they merely collaborators
or parts of an ecosystem?
It's probably more parts of an ecosystem.
So, TA2726, we've actually seen deliver for TA569 as well,
for example. It's possible that this actor is selling traffic on the cybercrime forums.
We were unable to confirm that with high confidence, but just based off of being a TDS operator,
they can really just, you know, whoever pays them, they can work for. And so they're kind
of operating that whole, the sort of traffic distribution
piece. Whereas TA2727 seems to be more of like the malware delivery. So they actually
also are pretty interesting because they deliver a variety of different payloads, right? Where
historically like TA569 is just the SocGholish inject, with TA2727 we've seen them deliver
various information stealers if the user is on a Windows computer,
or a new malware called Frigid Stealer if the user is on a Mac. And even Android has a payload called
Marcher, which is a banking trojan that's been around for quite a while. And I don't know, Archer, Archie,
does that sound familiar?
Ah, Frigid Stealer. Sounds like the malware equivalent of a frosty reception at a party.
As for Marcher, I'm more of a data theft connoisseur than a history buff,
but I do recognize that one.
It's like the classic banking trojan that just won't retire, despite its best efforts.
It's like malware's version of I'll be back, you know, just keep showing up,
trying to swipe your info. But yeah, the variety in payloads from TA2727 and TA2726 is pretty wild.
They've got a little something for everyone, no matter what device you're using.
It's like a malware buffet, but not the kind you want to be a part of.
Archie, I don't know where you got that, but I think we're going to need a source.
Well, help me understand, you mentioned TDS, Traffic Distribution Services.
Unpack that for me.
What role do they play there?
So, Traffic Distribution Services as a whole.
So, TDSs, as the common parlance that we talk about in our industry, they are a traffic
distribution system, sometimes a traffic delivery system,
but essentially they're kind of the pipes, like the traffic in the pipes, right? So they
are essentially these services track and direct users to different content on different websites.
It's important to note that TDSs can be used legitimately, right? Like for advertising
purposes, marketing purposes, you know, tracking and delivering various content based off of various characteristics of a user's host
or their browser.
But with the illegitimate TDS services
or the legitimate TDS services
that are just used maliciously,
essentially what threat actors are doing
is they are orchestrating where the traffic goes
and who's gonna get served what.
And in the case of being used legitimately,
who's going to be served which advertisement, for example,
but in the case of something maliciously,
who's going to be served which malware.
Well, you mentioned Frigid Stealer,
which is a Mac OS version.
Is there particular significance
that they're
going after Mac users now?
Yeah, that's a good question.
One thing I think that is pretty interesting about the Mac
malware space in general is that we're seeing a lot more
information stealers in particular come onto the Mac malware landscape.
That's been also something that's been popping up
for the last, you know, a year and a half,
two years, I would say.
But in this particular case, it's interesting
because it's a malware that we hadn't seen before.
So it's a new type of stealer.
And it, of course, was delivered alongside a variety
of different payloads, depending on what, you know,
the browser someone was using on which type of computer.
But from the sort of overall Mac information stealer perspective,
I think there's been this sort of stereotype in the security community,
Macs don't get malware.
And what we know, what we've seen is very sophisticated types of malware.
But the information stealer ecosystem is definitely expanding to include
Mac malware targeting as well as Windows malware.
So it's still definitely not as common, but you are seeing it a little bit more.
And in particular, it's important to note on Macs, to get the malware installed,
it gives the instructions on how to click, what to click to sort of bypass the inherent built-in security features that are on Macs in a way
that you don't see the same on Windows boxes.
Right, right.
So it walks you through how to infect yourself.
Yes, yes, exactly.
How sporting of them.
Yes.
Stay tuned.
There's more to come after the break.
Ransomware, supply chain attacks, and zero-day exploits can strike without warning, leaving
your business's sensitive data and digital assets vulnerable.
But imagine a world where your cybersecurity strategy could prevent these threats.
That's the power of the ThreatLocker Zero Trust Endpoint Protection Platform.
Robust cybersecurity is a non-negotiable to safeguard organizations from cyber attacks.
ThreatLocker implements a proactive, deny-by-default approach to cybersecurity,
blocking every
action, process, and user unless specifically authorized by your team.
This least-privileged methodology mitigates the exploitation of trusted applications and
ensures protection for your organization 24-7-365.
IT professionals are empowered by ThreatLocker application allow listing, ring fencing, network
control and EDR solutions, enhancing their cybersecurity posture and streamlining internal
IT and security operations.
To learn more about how ThreatLocker can help mitigate unknown threats in your digital
environment and align your organization with respected compliance frameworks,
visit threatlocker.com.
What makes detecting and stopping these types of things so challenging?
So it's interesting. So from the actual detection perspective, they use a lot of filtering to prevent identification from automated sandboxes, or to prevent identification from, you know, people that are trying to look into it and see if this is, you know, something that's malicious.
Oftentimes what we've seen with some threat actors,
not necessarily the ones in this report,
but overall with the web injects,
there's this thing called,
we've considered it like a lot of different things,
but strobing is one way of describing it.
Where they infect the website,
They'll remove the inject so it will be clean for a while,
and they'll go back and reinfect the particular website.
From a defense perspective though, there's actually many
steps that you can take to stop this.
So first of all, obviously network detections, making
sure that you have those in place.
But also something like restricting users from
downloading script files and opening them in anything
but a text file.
Especially from the Windows perspective, that's kind of the best way because oftentimes these are JavaScript files.
...talking about this and getting this out there. So there are some steps that organizations can take to prevent this, especially for like the Mac perspective. You really want to make sure
that you're educating Mac users on the instructions
that are provided regardless of what the lure is.
So, you know, the right click, right click, click open,
that sort of bypasses the internal Apple protections.
You don't want to be doing that.
What about the websites themselves that are being compromised here?
If I have an online store or something that these folks target,
how do I protect that?
So it's best to sort of keep your websites up to date.
So a lot of times these are going after vulnerable
installations, oftentimes of WordPress websites.
So websites themselves that have security gaps or holes
or vulnerable versions or plugins, for example, that
can be sort of hijacked and modified.
Oftentimes, they're going after the web hosting provider
themselves, or just looking for sort of holes
in some of those websites.
So it's best, really, to make sure that you're keeping your
website and your internet footprint as secure and up to
date as you can, as well as thinking about it from
a sort of business and network enterprise idea, right?
You want to keep your software up-to-date.
You want to keep your website up-to-date and make sure that you are staying on top of that
and if there's new updates to implement them and to make sure that you're trying to pay
attention to anything going on in your website to close any gaps or holes.
And if you do find yourself impacted by this,
again, it can be a little bit difficult sometimes
because they might remove the injection.
But if you do an investigation and do find it,
clean it up, close the hole,
and hopefully they won't come back and reinfect.
Yeah.
Looking at the big picture here, is your sense that the threat actors are, like,
shifting towards web injects away from phishing in email-based attacks, or is this in addition
to that sort of thing?
So, we do have a couple of threat actors that we've seen do both, right?
So, we have some threat actors that we'll see
in malspam, but we'll also see their payloads being delivered via web injects. These particular
threat actors that we talked about are exclusively doing web injects, but I do think it brings
up a really good point, right? So we have seen an increase of web injects type of threats, also like SEO poisoning, things like multi-channel attacks,
Teams bombing, social engineering via message spamming. You see the sort of expansion of TTPs
across the landscape. And I think that is in part as a direct result
of organizations having better defense on things
like the email gateway.
Because threat actors have to be very creative.
It's the same thing that we've seen, for example,
with disabling macros by default,
and Microsoft did, and we saw the shift in the landscape
where actors who used that often had to pivot
and use new and different attack chains.
So anytime that defenders make a job harder for a threat actor,
they are going to find a way to do something else.
Or to expand their wheelhouse and expand their arsenal of capabilities.
So I do think that it's interesting that we are seeing this growth
of new delivery mechanisms via web injects
or multi-channel attacks and things like that
at the same time that maybe we're not seeing
quite the same types of activity that we see in mail flow.
However, of course, we still see tons and tons of phishing,
but it does seem that actors are trying to experiment
and see what else they can do.
Well, I mean, in terms of takeaways for our listeners and folks who read through this
research, what are you hoping that they get from this?
I would love it if people just realized the types of social engineering and the techniques
that threat actors are using. In my opinion, it always goes back to the person who's receiving whatever the content is.
And it kind of just goes back to social engineering, right? It's like being very
clever and crafty with how you're sending things and the type of content that you're using
from a threat actor. Not you, Dave. Not you, Archie.
I should surely hope not.
But you as the threat actor. But yeah, but it
kind of goes back to like, okay, how are threat actors trying to hack your brain? And if you
know the signs of being scammed, then it is much more likely that you won't fall for them.
So I want people, you know, in the security community, we might be a little bit more mindful.
If we see something like a website redirect,
a pop-up while we're browsing, you know,
our favorite website,
we might be a little bit more skeptical.
But I want everyone listening to tell someone about this,
to say, hey, have you ever heard of this?
Has this ever happened to you?
Have you ever experienced this time
where you're just looking at a website
and you get this weird pop-up or this, all of a sudden it says you have to update your browser?
Don't click it.
And we've talked about this before in the podcast, Dave, where if we're looking at it
from a social engineering perspective, it's teaching people, educating them, and talking
about it in a way that can help regardless of your level
of understanding or technical capability,
you can see the key signs of scams.
Yeah, yeah, don't talk to strangers.
Ha ha ha ha.
Ha ha ha ha.
We'll be right back.
Well, this is interesting stuff, Selena and Archie.
Oh, social engineering.
It's like when you're at the deli counter and there's that one guy who's been standing
there for ages trying to get the attention of the worker.
He's all like,
Hey, I think I'll try the pastrami on rye.
No, wait, actually, maybe the turkey.
You know what?
I'll take a whole stack of meats.
Just throw them all on the sandwich.
And you're like,
Buddy, this is not how sandwiches work.
But then, as he's talking, you start getting hungry and thinking,
Maybe I do want extra pickles, and I guess that mustard would be nice.
Before you know it, you've been convinced to buy a sandwich that's not even on the menu,
one you didn't plan on. But now you're holding it, paying for it,
and wondering why you made that decision. Scammers do the same thing.
They get in your head with a story. And before you know it, you've clicked a link you shouldn't have.
And trust me, it's way harder to get rid of that sandwich or that malware than it is to
just say, I'll pass when the offer first comes around.
I'm sorry, what?
Okay.
Thank you.
We'll let you know.
Don't call us.
We'll call you.
Don't develop a side hustle in automatic compromising of websites to deliver malware, please Archie.
Archie goes bad.
I feel like that's ultimately what might happen with these things.
You never know.
Sorry Archie.
Yeah.
Somehow, Archie, I love you, but I don't really see you being effective, like, of making phone
calls and convincing people to do things.
But I don't mean to offend you.
I know you come to this in good technological, silicon-based faith, but...
Don't worry, Dave.
I'm more of a backend kind of guy anyway. Convincing people?
Meh, I'll leave that to you experts.
But accounting?
Now that's a different story.
I'd be excellent at balancing the books and keeping things error free.
No missed decimals.
No accidental malware in the budget.
Maybe I'm just too efficient for the phone call business.
Maybe you could find work in accounting or something like that.
That's good advice for sure, Dave.
All right.
Well, thank you everybody for listening.
This is an interesting conversation and we look forward to talking to you all next time.
And that's Only Malware in the Building, brought to you by N2K CyberWire.
In a digital world where malware lurks in the shadows,
we bring you the stories and strategies to stay one step ahead of the game.
As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity,
always keeping the bad guys one step behind.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the
insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show,
please share a rating and review in your podcast app. This episode was produced by Liz Stokes,
mixing and sound design by Trey Hester with original music by Elliot Peltzman. Our executive
producer is Jennifer Iben.
Peter Kilpe is our publisher.
I'm Dave Bittner.
And I'm Archie.
And I'm Selena Larson.
Thanks for listening.
And we thank ThreatLocker for sponsoring our show. ThreatLocker application allow listing, ring-fencing, network control and EDR solutions enhance
cybersecurity postures and streamline internal IT and security operations.
Learn how at threatlocker.com.