Last week in security news, researchers observed the Nefilim ransomware family threatening to publish its victims’ data if they did not pay their ransoms within a week. Nefilim wasn’t the only malware that made headlines last week. Ursnif also drew some attention with a new campaign targeting Italy. Additionally, researchers spotted Cookiethief attempting to steal access to its victims’ social media accounts.

Top Story of the Week: Nefilim Threatens to Publish Victims’ Data After 7 Days

Security researchers informed Bleeping Computer that Nefilim first started up in February 2020. Their analysis of the threat determined that Nefilim shared some code with Nemty, another ransomware family. Even so, Nefilim differed from Nemty in that it lacked a ransomware-as-a-service (RaaS) component and told its victims they could receive payment instructions by contacting an email address, not visiting a Tor portal, according to the researchers.

Upon successful infection, Nefilim used AES-128 encryption to render its victims’ data inaccessible. It then dropped a note in which it informed its victims that it would publish their stolen data unless they paid their ransom within a week.

Source: iStock

Also in Security News

  • New Campaign Launched by Ursnif Targets Italy: Researchers at Cybaze-Yoroi Zlab detected a new phishing campaign that leveraged a compromised Italian law-themed website as a DropURL to download a self-extracting archive. This file’s contents ultimately led the campaign to execute a JavaScript module containing an executable responsible for running Ursnif malware.
  • Website for Manufacturer Infected by Magecart Skimmer: Near the end of February, RiskIQ observed that Magecart Group 8 had injected a JavaScript-based skimmer onto the website of a blender manufacturer. The security firm ultimately stopped the attack by taking down the exfiltration domain employed by the threat actors.
  • All Other Stalkerware Dwarfed by MonitorMinor: Kaspersky Lab discovered that MonitorMinor arrived with the ability to run the SuperUser (SU) utility on an infected Android device for the purpose of gaining access to numerous social networking apps and functionality. Running the SU utility also gave MonitorMinor the ability to steal a victim’s screen lock credentials.
  • Social Media Accounts Targeted by Cookiethief Infostealer: Just a day prior to its discovery of MonitorMinor, Kaspersky Lab disclosed its discovery of a new cookie-stealing Android Trojan called Cookiethief. This malware used root privileges to transfer cookies for social networking accounts and browsers, all for the purpose of distributing spam.
  • Security of Intel CPUs Threatened by Snoop Attacks: According to Intel, a software engineer demonstrated that a susceptibility in its processors could enable attackers to insert malicious code after a change in the L1D cache, causing the CPU to update all cache levels. Bad actors could then leverage that technique to produce errors that would leak data from a CPU’s inner memory.
  • Most Ransomware Executed Three Days After First Signs of Malicious Activity: In its analysis of ransomware response investigations between 2017 and 2019, FireEye found that most ransomware infections had occurred at least three days after the first signs of malicious activity appeared. The security firm also found that approximately three-quarters of ransomware infections had occurred outside of normal working hours.

Security Tip of the Week: Strengthen Your Anti-Ransomware Measures

Security professionals can help strengthen their organizations’ anti-ransomware measures by ensuring that they have access to the latest threat intelligence. Doing so will help organizations stay abreast of the latest techniques and attacks employed by ransomware actors. Additionally, infosec personnel should endeavor to inventory the locations of the organization’s critical business assets so they can craft defensive strategies accordingly.

More from

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities. Figure 1 — Exploitation timeline However, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack…

OneNote, Many Problems? The New Phishing Framework

There are plenty of phish in the digital sea, and attackers are constantly looking for new bait that helps them bypass security perimeters and land in user inboxes. Their newest hook? OneNote documents. First noticed in December 2022, this phishing framework has seen success in fooling multiple antivirus (AV) tools by using .one file extensions, and January 2023 saw an attack uptick as compromises continued. While this novel notes approach will eventually be phased out as phishing defenses catch up,…

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…