Saturday , March 29 2025
Lummac2

BD CIRT alert
Lumma C2 malware attack Bangladeshi several websites

The Cyber Threat Intelligence (CTI) Unit at BGD e-GOV CIRT has discovered a malware campaign involving the Lumma Stealer family. They’ve found that various types of stealer malware are being spread using similar methods.

   Source: BGD e-GOV CIRT

CIRT is monitoring stealer malware campaigns and has found malware that steals sensitive information. Recently, the unit identified Lumma Stealer malware spreading through fake CAPTCHA pages.

FBI investigating cyberattack at Oracle, Bloomberg News reports

The Federal Bureau of Investigation (FBI) is probing the cyberattack at Oracle (ORCL.N), opens new tab that has led to...
Read More
FBI investigating cyberattack at Oracle, Bloomberg News reports

OpenAI Offering $100K Bounties for Critical Vulns

OpenAI has increased its maximum bug bounty payout to $100,000, up from $20,000, to encourage the discovery of critical vulnerabilities...
Read More
OpenAI Offering $100K Bounties for Critical Vulns

Splunk Alert User RCE and Data Leak Vulns

Splunk has released a security advisory about critical vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These issues could lead...
Read More
Splunk Alert User RCE and Data Leak Vulns

CIRT alert Situational Awareness for Eid Holidays

As the Eid holidays near, cybercriminals may try to take advantage of weakened security during this time. The CTI unit...
Read More
CIRT alert Situational Awareness for Eid Holidays

Cyberattack on Malaysian airports: PM rejected $10 million ransom

Operations at Kuala Lumpur International Airport (KLIA) were unaffected by a cyber attack in which hackers demanded US$10 million (S$13.4...
Read More
Cyberattack on Malaysian airports: PM rejected $10 million ransom

Micropatches released for Windows zero-day leaking NTLM hashes

Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to steal NTLM credentials by deceiving...
Read More
Micropatches released for Windows zero-day leaking NTLM hashes

VMware Patches Authentication Bypass Flaw in Windows Tool

On Tuesday, VMware issued an urgent fix for a security flaw in its VMware Tools for Windows. CVE-2025-22230 allows a...
Read More
VMware Patches Authentication Bypass Flaw in Windows Tool

IngressNightmare
Over 40% of cloud environments are vulnerable to RCE

Kubernetes users of the Ingress NGINX Controller are advised to fix four newly found remote code execution ( RCE) vulnerabilities,...
Read More
IngressNightmare  Over 40% of cloud environments are vulnerable to RCE

(CVE-2025-29927)
Urgently Patch Your Next.js for Authorization Bypass

Next.js, a widely used React framework for building full-stack web applications, has fixed a serious security vulnerability. Used by many...
Read More
(CVE-2025-29927)  Urgently Patch Your Next.js for Authorization Bypass

Oracle refutes breach after hacker claims 6 million data theft

A hacker known as “rose87168” claims to have stolen six million records from Oracle Cloud servers. The stolen data includes...
Read More
Oracle refutes breach after hacker claims 6 million data theft

Stealer Malware’s Footprint in Bangladesh:

Several popular movie streaming websites in Bangladesh have been found to spread malicious content. Users encounter a convincing CAPTCHA, and after solving it, are told to paste a long, suspicious string into the Windows RUN prompt.

   Source: BGD e-GOV CIRT

When a user clicks “I’m not a robot” to refresh the screen, a PowerShell script is generated in the background. It automatically copies the script to the clipboard and prompts the user to run it from their command line. When the user does the activities as per instruction on the malicious URL, PowerShell script will execute on user’s device and perform bad activities.

CIRT examining several logs from various malware types found the following information:

Chart
Source: BGD e-GOV CIRT

YARA Rule for Detection of NetVineSigned.exe Malware:

CIRT said, the YARA rule helps identify files associated with the NetVineSigned.exe malware, offering a simple detection method for security teams aiming to stop this stealer malware.

Potential Risks and Impact:

This PowerShell script introduces several key risks:

1. Remote File Download and Execution:
The malware automatically downloads and runs a file (norm4.zip) from an external URL, which contains a malicious executable (NetVineSigned.exe) that indicates remote code execution (RCE) tactics. Attackers can change the file at any time to deliver new malware.

2. Hidden File Extraction and Execution:
The malware uses the AppData directory to evade detection. By storing files in less monitored areas and running them quietly, it becomes harder for standard endpoint protection tools to detect it.

3. Persistence via Registry Modification:
Malware adds a registry entry under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to stay active after system reboots, making it difficult to remove. This persistence is common in long-term infections.

4. Dynamic Execution via PowerShell:
PowerShell is often used by attackers due to its trustworthiness and pre-installation on Windows systems. Many organizations struggle to monitor PowerShell activity effectively, which adds a layer of stealth to attacks.

To reduce the risk of cyber-attacks, BGD e-GOV CIRT suggests the following measures:

Mitigation Steps:

1. Network Blocking:
Block the identified URLs (norm4.b-cdn.net) at the network edge to stop further infections.

2. PowerShell Monitoring:
Turn on PowerShell logging and watch for unusual commands, particularly those related to BitsTransfer or changes to the registry.

3. Endpoint Protection:
Make sure your endpoint protection system notices and warns about unusual changes to the Run registry key, which malware often uses to stay active.

4. User Awareness:
Teach users to stay away from suspicious links or websites, especially those that ask for system-level actions (e.g., running commands or scripts).

Related topics:

Bangladeshi 32.4% government websites face cyber attack: NAS report

BD CIRT announce “Cyber Drill 2024”: Registration open

Check Also

NTLM

Micropatches released for Windows zero-day leaking NTLM hashes

Unofficial patches are available for a new Windows zero-day vulnerability that allows remote attackers to …

Leave a Reply

Your email address will not be published. Required fields are marked *