Weekly Cyber Threat Intelligence Summary

Welcome to this week’s Cyber Threat Intelligence Summary, where we bring you the latest updates and insights on significant cyber threats. This edition covers alleged access to high-revenue organisations advertised by IntelBroker, TransparentTribe targeting the gaming industry with spyware, and an analysis of the FakeBat loader.

1. IntelBroker advertises alleged access to high-revenue organisations

Full report available for CYMON users here.

Key Takeaways:

  • IntelBroker advertised access to two high-revenue organisations.
  • Claims include access to “Bitbucket, AWS S3, AWS Cognito, SSH, software signing keys, certificates & AWS API”.
  • Organisations reportedly have revenues of $25 billion and $95 billion; names, sectors, or locations are not specified.

Analyst comment:

  • IntelBroker is a well-known data and initial access broker.
  • Claims to have impacted organisations globally, including Apple, T-Mobile, Space Eyes, and Europol.
  • Has advertised several exploits, including an alleged Atlassian zero-day remote code execution (RCE).

2. TransparentTribe targets the gaming industry with spyware

Full report available for CYMON users here.

Key Takeaways:

  • Researchers found four new malicious APKs distributed in the wild, attributed to Pakistan-based APT @TransparentTribe using gaming and application-related lures.
  • The group previously launched the CapraTube campaign in September 2023, distributing CapraRAT via APKs mimicking YouTube.
  • The malicious APKs use matching icons and names. When installed, the app requires permission before opening a WebView pane loading a YouTube channel page or a mini-game website.

Analyst comment:

  • Remote access Trojans (RATs) are used both by opportunistic, financially motivated attackers and by state-sponsored threat actors.
  • RATs are used to conduct surveillance on targets of interest.
  • This malware grants full control over the infected device, allowing threat actors to gather stored credentials, harvest files, and monitor device activity in real time.

3. Analysis of FakeBat loader

Full report available for CYMON users here.

Key Takeaways:

  • Threat actors of all types use malware loaders to deploy final-stage payloads. FakeBat, observed since December 2022, has grown significantly in prominence.
  • FakeBat is sold on cybercriminal forums under the Malware-as-a-Service (MaaS) model. This model allows threat actors of all levels to rent access, benefiting the author financially.
  • Purchasing FakeBat grants access to a web panel for generating payloads, managing existing ones, and monitoring deployments.

Analyst comment:

  • Loader malware is commonly used in infection chains to deploy the final payload. One benefit for the attacker is that if the loader fails, the final payload never touches the system, reducing the chance that researchers obtain samples for analysis.
  • As a result, sample-based protections are not available for that malware.
  • Loaders also make the final payload less reliant on finding its own privilege escalation method, since some loaders have privilege escalation built in.
