S1's report shows an info stealer, presumably to identify high-value targets at the moment and leading to the hands-on activity CrowdStrike is seeing sometimes. They suspect the same group that did WannaCry, so while it seems targeted now, they may go for mass disruption when they realise they've been blown.

CrowdStrike's analysis:

"After review and reverse engineering by the CrowdStrike Intelligence Team, the signed MSI (aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868) is malicious. The MSI will drop three files, with the primary fulcrum being the compromised binary ffmpeg.dll (7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896). Once active, the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023 campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA.

CrowdStrike Intelligence customers can view the following reports for full technical details:
CSA-230387: LABYRINTH CHOLLIMA Uses TxRLoader and Vulnerable Drivers to Target Financial and Energy Sectors ( US-1 | US-2 | EU | GOV )
CSA-230489: LABYRINTH CHOLLIMA Suspected of Conducting Supply Chain Attack with 3CX Application ( US-1 | US-2 | EU | GOV )
CSA-230494: ArcfeedLoader Malware Used in Supply Chain Attack Leveraging Trojanized 3CX Installers Confirms Attribution to LABYRINTH CHOLLIMA ( US-1 | US-2 | EU | GOV )"

CEO Finally Speaks! (After an unacceptably long time.)

"Unfortunately this happened because of an upstream library we use became infected." The updating probably won't work because Windows Defender will flag it. And we will have a new one in the next few hours via updates.

At this point, my recommendation would be to remove 3CX software from endpoints until advised by the vendor that future installers and builds are safe.

I am testing Huntress on a few of our computers before deciding on whether to provide it to our customers.
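As an added example, not part of the original post and not CrowdStrike's or 3CX's code: a small Python sweep that streams every .dll, .msi and .exe under a directory through SHA-256 and reports any file whose digest matches the two hashes quoted above, which is the check you would run against an endpoint's 3CX install directory before deciding whether to pull the software. The suffix filter, the directory name 3CXDesktopApp and the sample file contents in demo() are assumptions for illustration; the demo cannot contain the real malicious bytes, so it adds the hash of a constructed stand-in file to a copy of the IOC table.

```python
"""Added example (not from the blog post): hash-based hunt for the two 3CX IOCs."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 IOCs quoted in the post (CrowdStrike's analysis of the trojanized build).
IOC_SHA256 = {
    "aa124a4b4df12b34e74ee7f6c683b2ebec4ce9a8edcf9be345823b4fdcf5d868": "signed 3CX MSI installer",
    "7986bbaee8940da11ce089383521ab420c443ab7b15ed42aed91fd31ce833896": "compromised ffmpeg.dll",
}

# Only these file types get hashed so the sweep stays cheap on large installs.
# The suffix list is an assumption of this example, not something the post states.
INTERESTING_SUFFIXES = (".dll", ".msi", ".exe")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def find_iocs(root, iocs=IOC_SHA256):
    """Walk `root` and return [(path, sha256, label)] for every file whose digest is an IOC.

    A non-existent root simply yields no hits (os.walk ignores the error)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(INTERESTING_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Constructed sample tree: one benign DLL and one file standing in for the
    trojanized ffmpeg.dll. The stand-in's own hash is added to a copy of the IOC
    table for the demo only, since the real malicious bytes are not shipped here."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "3CXDesktopApp"  # assumed directory name, for illustration
        app.mkdir()
        (app / "benign.dll").write_bytes(b"MZ benign placeholder (constructed)")
        bad = app / "ffmpeg.dll"
        bad.write_bytes(b"MZ stand-in for trojanized ffmpeg.dll (constructed)")
        iocs = dict(IOC_SHA256)
        iocs[sha256_of_file(bad)] = "compromised ffmpeg.dll (demo stand-in)"
        return [(Path(p).name, label) for p, _digest, label in find_iocs(tmp, iocs)]


if __name__ == "__main__":
    for name, label in demo():
        print(f"IOC hit: {name} -> {label}")
```

On a real endpoint, point find_iocs() at the 3CX install directory and the downloads folder where the installer was saved; a hit on either hash means the host ran the trojanized build and should be treated as compromised rather than merely updated.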