Beware the smokedham backdoor, security experts warn

Trac-Labs, which describes itself as being a “few dedicated researchers with a shared passion for researching and fighting cybercrime,” has published a new analysis of a particularly worrying threat from an actor called UNC2465, which is best known for being a past affiliate of the now defunct Darkside ransomware group. The threat itself is not new, but this latest analysis and warning suggest that the smokedham Windows backdoor is active and threatening users. Here’s what you need to know.
Smoked Ham Is On The Windows Backdoor Hacking Menu

You might hope that the disbanding of the Darkside ransomware group and the ongoing law enforcement disruption of the LockBit group’s operating infrastructure would mean that well-known cybercrime affiliates such as UNC2465 were also going out of business. Any such hope would best be filed under forlorn, unfortunately. “In recent activity, UNC2465 has leveraged trojanized installers disguised as legitimate tools” in order to deliver smokedham backdoor payloads, the security researchers said, adding that “it is likely future UNC2465 operations will rely on different ransomware families,” given the aforementioned changes to the threat landscape.
The researchers reported that UNC2465 has been seen distributing the smokedham Windows backdoor by way of the now standard phishing email tactic, as well as through malicious advertising, or malvertising if you prefer, campaigns via Bing and Google ads. “Services such as Google Drive and Dropbox have been utilized to host malicious payloads,” the report stated. When it comes to technicalities, the Trac-Labs researchers said, the smokedham Windows backdoor facilitates initial access and persistence within targeted networks.
UNC2465 leverages readily available and legitimate penetration testing tools for network reconnaissance, uses the Remote Desktop Protocol (RDP) for lateral movement within the network, and then uses Mimikatz for credential harvesting.

The Cyber Threat Cluster Posing A Threat To Windows Users

Given that UNC2465 is what the security researchers called a “cyber threat cluster” that is “known for conducting multifaceted extortion campaigns,” it would be foolish to write them off following the demise of some of the ransomware groups they were previously affiliated with. The truth of the matter is that ransomware groups come and go; no matter how prolific or high-profile they are, eventually they are toppled, either by law enforcement or by greed, and break up to form new threats.
This evolution of group activity is why the ransomware landscape remains so dangerous, regardless of who is behind the threat. It also explains why affiliates, the cybercriminals that do the hacking donkey work, will continue to find work. UNC2465 will use the smokedham Windows backdoor, just as other threat actors use other Windows backdoors, and as such organizations worldwide should continue to follow security best practices to defend against the ongoing threat.
Be assured that Microsoft, Google and Dropbox all have security measures in place to prevent malicious advertising and the hosting of malicious files, and any campaigns that breach those defenses are removed as quickly as possible. In the meantime, stay alert and don’t fall for the phishers.
New Windows Backdoor Security Warning For Bing, Dropbox, Google Users
Security researchers have issued a new warning as the smokedham Windows backdoor is found being distributed via Bing, Dropbox and Google. Here’s what you need to know.