Saturday , April 19 2025
Lummac2

BD CIRT alert
Lumma C2 malware attack Bangladeshi several websites

The Cyber Threat Intelligence (CTI) Unit at BGD e-GOV CIRT has discovered a malware campaign involving the Lumma Stealer family. They’ve found that various types of stealer malware are being spread using similar methods.

   Source: BGD e-GOV CIRT

CIRT is monitoring stealer malware campaigns and has found malware that steals sensitive information. Recently, the unit identified Lumma Stealer malware spreading through fake CAPTCHA pages.

CVE-2025-2492
ASUS warns of critical auth bypass flaw in routers

Hackers can exploit a vulnerability in Asus routers to execute unauthorized functions. This serious issue, rated 9.2 out of 10,...
Read More
CVE-2025-2492  ASUS warns of critical auth bypass flaw in routers

16,000+ Fortinet devices compromised with symlink backdoor, Mostly in Asia

According to Shadowserver Foundation around 17,000 Fortinet devices worldwide have been compromised using a new technique called "symlink". This number...
Read More
16,000+  Fortinet devices compromised with symlink backdoor, Mostly in Asia

Patch now! Critical Erlang/OTP SSH Vuln Allows UCE

A critical security flaw has been found in the Erlang/Open Telecom Platform (OTP) SSH implementation, allowing an attacker to run...
Read More
Patch now! Critical Erlang/OTP SSH Vuln Allows UCE

CISA warns of increasing risk tied to Oracle legacy Cloud leak

On Wednesday, CISA alerted about increased breach risks due to the earlier compromise of legacy Oracle Cloud servers, emphasizing the...
Read More
CISA warns of increasing risk tied to Oracle legacy Cloud leak

CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App

Cisco issued a security advisory about a serious vulnerability in its Webex App that allows unauthenticated remote code execution (RCE)...
Read More
CVE-2025-20236  Cisco Patches Unauthenticated RCE Flaw in Webex App

Apple released emergency security updates for 2 zero-day vulns

On Wednesday, Apple released urgent operating system updates to address two security vulnerabilities that had already been exploited in highly...
Read More
Apple released emergency security updates for 2 zero-day vulns

Oracle Released Patched for 378 flaws for April 2025

On April 15, 2025, Oracle released a Critical Patch Update for 378 flaws for its products. The patch update covers...
Read More
Oracle Released Patched for 378 flaws for April 2025

CVE-2025-24054
Hackers Exploiting NTLM Spoofing Windows Vuln the in Wild

Check Point Research warns of the active exploitation of a new vulnerability, CVE-2025-24054, which lets hackers leak NTLMv2-SSP hashes using...
Read More
CVE-2025-24054  Hackers Exploiting NTLM Spoofing Windows Vuln the in Wild

Bengaluru firm got ransomware attack, Hacker demanded $70,000

Bengaluru's Whiteboard Technologies Pvt Ltd was hit by a ransomware attack, with hackers demanding a ransom of up to $70,000...
Read More
Bengaluru firm got ransomware attack, Hacker demanded $70,000

MITRE warns: U.S. Govt. Funding for MITRE’s CVE Ends Today

MITRE Vice President Yosry Barsoum warned that U.S. government funding for the Common Vulnerabilities and Exposures (CVE) and Common Weakness...
Read More
MITRE warns: U.S. Govt. Funding for MITRE’s CVE Ends Today

Stealer Malware’s Footprint in Bangladesh:

Several popular movie streaming websites in Bangladesh have been found to spread malicious content. Users encounter a convincing CAPTCHA, and after solving it, are told to paste a long, suspicious string into the Windows RUN prompt.

   Source: BGD e-GOV CIRT

When a user clicks “I’m not a robot” to refresh the screen, a PowerShell script is generated in the background. It automatically copies the script to the clipboard and prompts the user to run it from their command line. When the user does the activities as per instruction on the malicious URL, PowerShell script will execute on user’s device and perform bad activities.

CIRT examining several logs from various malware types found the following information:

Chart
Source: BGD e-GOV CIRT

YARA Rule for Detection of NetVineSigned.exe Malware:

CIRT said, the YARA rule helps identify files associated with the NetVineSigned.exe malware, offering a simple detection method for security teams aiming to stop this stealer malware.

Potential Risks and Impact:

This PowerShell script introduces several key risks:

1. Remote File Download and Execution:
The malware automatically downloads and runs a file (norm4.zip) from an external URL, which contains a malicious executable (NetVineSigned.exe) that indicates remote code execution (RCE) tactics. Attackers can change the file at any time to deliver new malware.

2. Hidden File Extraction and Execution:
The malware uses the AppData directory to evade detection. By storing files in less monitored areas and running them quietly, it becomes harder for standard endpoint protection tools to detect it.

3. Persistence via Registry Modification:
Malware adds a registry entry under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to stay active after system reboots, making it difficult to remove. This persistence is common in long-term infections.

4. Dynamic Execution via PowerShell:
PowerShell is often used by attackers due to its trustworthiness and pre-installation on Windows systems. Many organizations struggle to monitor PowerShell activity effectively, which adds a layer of stealth to attacks.

To reduce the risk of cyber-attacks, BGD e-GOV CIRT suggests the following measures:

Mitigation Steps:

1. Network Blocking:
Block the identified URLs (norm4.b-cdn.net) at the network edge to stop further infections.

2. PowerShell Monitoring:
Turn on PowerShell logging and watch for unusual commands, particularly those related to BitsTransfer or changes to the registry.

3. Endpoint Protection:
Make sure your endpoint protection system notices and warns about unusual changes to the Run registry key, which malware often uses to stay active.

4. User Awareness:
Teach users to stay away from suspicious links or websites, especially those that ask for system-level actions (e.g., running commands or scripts).

Related topics:

Bangladeshi 32.4% government websites face cyber attack: NAS report

BD CIRT announce “Cyber Drill 2024”: Registration open

Check Also

CISA warns of increasing risk tied to Oracle legacy Cloud leak

On Wednesday, CISA alerted about increased breach risks due to the earlier compromise of legacy …

Leave a Reply

Your email address will not be published. Required fields are marked *