Follow @EthHackingNews |
A new SnakeDisk malware variant has been deployed by the Hive0154 threat actor, showcasing the group's capabilities and tactics. This latest variant highlights the group's sophistication and expertise, emphasizing the need for organizations to stay vigilant in their cybersecurity defenses.
Recently, researchers from X-Force have shed light on a new variant of the SnakeDisk malware family, which has been linked to the Hive0154 threat actor. This latest deployment showcases the advanced tactics, techniques, and procedures (TTPs) employed by this highly capable threat actor, which continues to refine its large malware arsenal and target public and private organizations worldwide.
The SnakeDisk variant in question is a USB-based worm that uses the "SnakeDisk" backdoor to establish persistence on infected systems. When triggered by a USB device removal or by startup, the malware checks for a specific marker file to determine whether the system is already infected. If it is not, the malware builds its payloads in memory using XOR decryption and writes multiple files to C:\Users\Public. These files are then combined into two final payloads: a DLL and an executable with a random name.
Upon execution, the EXE payload, a signed application, sideloads the malicious DLL, thereby activating SnakeDisk's core functionality. Because the signed executable looks like legitimate software, this deployment technique lets the malware remain undetected on systems running legitimate applications, making it a formidable threat.
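The staging chain just described (payload files dropped into C:\Users\Public, then a signed EXE from that directory sideloading a DLL placed beside it) is something a defender can look for in endpoint telemetry. The following is an added detection example, not code from X-Force or from the report; it runs two heuristics over a constructed Sysmon-style event stream (FileCreate as event ID 11, ImageLoad as event ID 7 are assumptions about the field layout, and file names such as `mklp.exe` and `qxv8.dll` are invented placeholders, not SnakeDisk indicators).

```python
"""Heuristic detection for SnakeDisk-style staging: a DLL and an EXE written
into a user-writable drop directory shortly after one another, followed by a
process from that directory loading the DLL beside it (DLL sideloading).
All input records below are constructed, not real telemetry."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed Sysmon-like events (assumption: id 11 = FileCreate, id 7 = ImageLoad).
# File names are invented placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"id": 11, "ts": "2024-01-01T10:00:00", "proc": "C:\\Windows\\explorer.exe",
     "target": "C:\\Users\\Public\\part1.tmp"},
    {"id": 11, "ts": "2024-01-01T10:00:02", "proc": "C:\\Users\\Public\\stager.exe",
     "target": "C:\\Users\\Public\\qxv8.dll"},
    {"id": 11, "ts": "2024-01-01T10:00:03", "proc": "C:\\Users\\Public\\stager.exe",
     "target": "C:\\Users\\Public\\mklp.exe"},
    {"id": 7, "ts": "2024-01-01T10:00:05", "proc": "C:\\Users\\Public\\mklp.exe",
     "image": "C:\\Users\\Public\\qxv8.dll", "image_signed": False},
    # Benign control: a vendor app loading its own helper DLL from Program Files.
    {"id": 7, "ts": "2024-01-01T10:00:06", "proc": "C:\\Program Files\\App\\app.exe",
     "image": "C:\\Program Files\\App\\helper.dll", "image_signed": True},
]

# User-writable directories that the report names as the drop location.
STAGING_DIRS = {PureWindowsPath("C:\\Users\\Public")}
PAIR_WINDOW = timedelta(seconds=60)  # how close the DLL and EXE drops must be


def _in_staging_dir(path):
    """True if `path` lies anywhere under one of the staging directories.
    PureWindowsPath compares case-insensitively, as Windows does."""
    return any(d in PureWindowsPath(path).parents for d in STAGING_DIRS)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_payload_pair(events, window=PAIR_WINDOW):
    """Rule 1: a .exe and a .dll created in the same staging directory within
    `window` of each other, matching the two final payloads the report describes."""
    creates = [e for e in events if e["id"] == 11 and _in_staging_dir(e["target"])]
    findings = []
    for exe_ev in creates:
        exe = PureWindowsPath(exe_ev["target"])
        if exe.suffix.lower() != ".exe":
            continue
        for dll_ev in creates:
            dll = PureWindowsPath(dll_ev["target"])
            if (dll.suffix.lower() == ".dll" and dll.parent == exe.parent
                    and abs(_ts(exe_ev) - _ts(dll_ev)) <= window):
                findings.append({"rule": "payload_pair_in_public",
                                 "exe": str(exe), "dll": str(dll)})
    return findings


def detect_sideload(events):
    """Rule 2: a process running from a staging directory loads a DLL that sits
    in its own directory, the sideload pattern the report describes."""
    findings = []
    for e in events:
        if e["id"] != 7 or not _in_staging_dir(e["proc"]):
            continue
        proc, image = PureWindowsPath(e["proc"]), PureWindowsPath(e["image"])
        if image.suffix.lower() == ".dll" and image.parent == proc.parent:
            findings.append({"rule": "sideload_from_public", "exe": str(proc),
                             "dll": str(image), "dll_signed": e.get("image_signed")})
    return findings


def run_detections(events):
    """Run both rules and return all findings as a list of dicts."""
    return detect_payload_pair(events) + detect_sideload(events)


if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 fires on the DLL/EXE pair dropped into C:\Users\Public and rule 2 on the EXE loading that DLL from the same directory; the benign Program Files load is ignored because neither the process nor the DLL sits in a staging directory. In a real deployment the staging list and time window would be tuned to the environment, and the `image_signed` field would let an analyst prioritise unsigned DLLs loaded by signed executables.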
In terms of its TTPs, the SnakeDisk variant exhibits similarities with other Hive0154 backdoor families, such as Toneshell and Pubload. It also shares technical overlaps with Tonedisk's propagation, configuration, and sideload techniques, indicating a high level of sophistication and expertise among this threat actor group.
Furthermore, researchers have highlighted the subclusters' tendency to reuse and share code across worm and backdoor families. This practice allows them to rapidly adapt and evolve their tactics, making it increasingly challenging for defenders to detect and counter these threats.
The report from X-Force emphasizes that Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles. X-Force's confidence in this assessment is high, given the ongoing refinement of the group's malware arsenal and the frequency of new deployments.
Ultimately, this latest deployment serves as a stark reminder for organizations to remain vigilant and proactive in their cybersecurity defenses. By adopting detection mechanisms and staying informed about emerging threats like SnakeDisk, defenders can reduce the risk of falling victim to these sophisticated attacks.