Monthly summary of interesting articles, reports and tools for tech experts, covering both offensive and defensive topics.

🔴 Red Team

📝 Goodbye HTA, Hello MSI: New TTPs and Clusters of an APT driven by Multi-Platform Attacks

Seqrite Labs details the evolving tactics of the Pakistan-linked SideCopy APT group, which has expanded its targeting to include railway, oil & gas, and external affairs ministries. The group has shifted from HTML Application (HTA) files to Microsoft Installer (MSI) packages to evade detection, using advanced techniques like DLL side-loading and AES decryption via PowerShell.
SideCopy APT has introduced new payloads, including a custom version of Xeno RAT and CurlBack, which registers victims with the C2 server. The campaigns use sophisticated phishing tactics, including compromised domains and fake government personas, targeting both Windows and Linux environments with customized tools like Spark RAT.
The investigation also documents credential phishing and the use of open directories to host payloads, with a focus on critical Indian sectors. The group's infrastructure combines compromised domains with fake e-governance sites, which helps both persistence and evasion. The article details the TTPs employed by SideCopy, including reflective loading and custom RATs, and closes with IOCs and the MITRE ATT&CK techniques associated with these campaigns.

📌 Source: https://www.seqrite.com/blog/goodbye-hta-hello-msi-new-ttps-and-clusters-of-an-apt-driven-by-multi-platform-attacks/

📝 Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor’s Infrastructure

Resecurity's article details an operation against the BlackLock ransomware group, active since March 2024. Its researchers exploited a vulnerability in BlackLock's Data Leak Site (DLS) on the TOR network and used the access to gather intelligence on the group's activities and planned attacks.
The DLS compromise revealed critical information about the group's operations, which allowed Resecurity to anticipate and disrupt upcoming attacks, a case study in taking a proactive stance against ransomware operators.
Resecurity identified 46 victims across various sectors, and notes BlackLock's aggressive affiliate recruitment and a 1,425% increase in data leak posts in Q4 2024.

📌 Source: https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure

📝 TROX Stealer: A deep dive into a new Malware as a Service (MaaS) attack campaign

The article from Sublime Security discusses TROX Stealer, an infostealer offered as Malware-as-a-Service (MaaS). First observed in December 2024, it may have been available as early as April 2024. It is marketed for the rapid deployment of large-scale campaigns and is typically licensed on a weekly basis.
TROX Stealer targets consumers, stealing credit card details and sensitive data from browsers and from chat clients such as Discord and Telegram. It relies on urgency-themed lures to push victims into acting on malicious emails that deliver the payload.
TROX Stealer's infrastructure spans several domains and IPs, with certificate management used to keep it running. The payload embeds WebAssembly (Wasm) code as Base64 and pads it with junk code to obscure its functions. Sublime Security reports that its detection engine blocked these messages at the email delivery stage, which the article presents as an argument for detection before the payload ever reaches an endpoint.
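The Base64-wrapped Wasm trick has a cheap tell that email and web gateways can key on: every Wasm binary starts with the magic bytes `\0asm` followed by a little-endian version word, and `\0asm` always Base64-encodes to the prefix `AGFzbQ`. The scanner below is an added example written for this newsletter, not code from Sublime Security and not anything taken from TROX Stealer; the HTML sample it scans is constructed for the demo and contains a harmless, hand-built Wasm module rather than real malware.

```python
"""Find WebAssembly modules hidden in Base64 runs inside text (HTML, JS, email bodies).

Added example for this newsletter, not code from Sublime Security nor from
the malware it describes. A Wasm module begins with b"\\x00asm" plus the
4-byte little-endian version 1, and Base64 of b"\\x00asm" starts with
"AGFzbQ", so candidate runs can be pre-filtered before decoding.
"""
import base64
import re

WASM_MAGIC = b"\x00asm"
WASM_VERSION = (1).to_bytes(4, "little")
WASM_B64_PREFIX = "AGFzbQ"  # Base64 of the 4 magic bytes (plus 2 bits of the next byte)

# A run of Base64 alphabet characters, 32 chars or longer, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")


def is_wasm(blob: bytes) -> bool:
    """True if blob carries the Wasm magic and the version-1 header."""
    return blob[:4] == WASM_MAGIC and blob[4:8] == WASM_VERSION


def find_embedded_wasm(text: str) -> list:
    """Return (offset, decoded_length) for every Base64 run that decodes to a Wasm module."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0)
        # Any run that decodes to b"\x00asm..." must start with this prefix, so
        # everything else can be skipped without decoding it.
        if not run.startswith(WASM_B64_PREFIX):
            continue
        raw = run.rstrip("=")
        try:
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length or alphabet
            continue
        if is_wasm(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


# Constructed sample: a tiny, harmless Wasm module (header, one empty function
# type, and a custom section named "junk"), then the kind of page that embeds it.
SAMPLE_WASM_MODULE = (
    WASM_MAGIC + WASM_VERSION
    + b"\x01\x04\x01\x60\x00\x00"          # type section: one func type () -> ()
    + b"\x00\x19\x04junk" + b"\x00" * 20   # custom section "junk", 25 bytes of content
)
SAMPLE_WASM_B64 = base64.b64encode(SAMPLE_WASM_MODULE).decode()
SAMPLE_DECOY_B64 = base64.b64encode(
    b"Hello from an ordinary attachment, nothing to see here."
).decode()
SAMPLE_HTML = (
    '<img src="data:image/png;base64,' + SAMPLE_DECOY_B64 + '">\n'
    '<script>var m="' + SAMPLE_WASM_B64 + '";'
    "WebAssembly.instantiate(Uint8Array.from(atob(m), c => c.charCodeAt(0)));</script>\n"
)

if __name__ == "__main__":
    for offset, size in find_embedded_wasm(SAMPLE_HTML):
        print(f"embedded Wasm module at offset {offset}, {size} bytes once decoded")
```

The pre-filter keeps the scanner cheap on large bodies: only runs with the `AGFzbQ` prefix are decoded, and the decode is done with `validate=True` so stray non-alphabet characters are rejected instead of silently dropped. On a real gateway the same check belongs alongside the junk-code heuristics the article mentions, since an attacker can split or re-encode the blob to defeat a single prefix match.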

📌 Source: https://sublime.security/blog/trox-stealer-a-deep-dive-into-a-new-malware-as-a-service-maas-attack-campaign/

🔵 Blue Team

📝 ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures

The ATT&CK v17 update brings new features to help defenders stay aligned with adversary trends. The update includes the ESXi platform, reflecting increased attacks on virtualization infrastructure, and renames the Network platform to Network Devices. Data components have been enhanced to provide platform-specific advice on data collection. The update also includes new techniques and tools for mobile environments, as well as updates on groups, campaigns, and software used by adversaries.
Additionally, the mitreattack-python library has been updated to work with ATT&CK v17 STIX content, and Workbench has adopted semantic versioning to preview upcoming changes.
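For teams that consume the ATT&CK STIX bundle directly rather than through mitreattack-python, the new platform string is the thing to watch: filtering techniques on "ESXi" (or on "Network Devices", which replaces "Network") means the right list of platform values, plus the ATT&CK ID from the `mitre-attack` external reference and a filter on revoked or deprecated objects, which stay in the bundle. The snippet below is an added example for this newsletter; it is not the mitreattack-python library and does not reproduce its API. The bundle it queries is constructed for the demo with placeholder IDs (T99xx, S99xx) and names that are not real ATT&CK entries.

```python
"""Offline query of ATT&CK STIX 2.1 content by platform.

Added example for this newsletter, not the mitreattack-python library. An
ATT&CK release is a STIX bundle: techniques are attack-pattern objects,
software is malware/tool, and ATT&CK-specific data lives in x_mitre_* fields.
The sample bundle is constructed; T99xx/S99xx are placeholders, not real IDs.
"""
from collections import defaultdict


def _sdo(kind, uid, attack_id, name, platforms, **flags):
    """Build a minimal STIX object laid out the way the ATT&CK bundle does it."""
    obj = {
        "type": kind,
        "id": f"{kind}--{uid}",
        "name": name,
        "x_mitre_platforms": platforms,
        # The ATT&CK ID is NOT the STIX id; it is this external reference.
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}],
    }
    obj.update(flags)
    return obj


_U = "11111111-1111-4111-8111-11111111111"  # constructed UUID stem
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        _sdo("attack-pattern", _U + "1", "T9901", "Placeholder technique A",
             ["Windows", "Linux", "ESXi"]),
        _sdo("attack-pattern", _U + "2", "T9901.001", "Placeholder sub-technique A.1",
             ["ESXi"], x_mitre_is_subtechnique=True),
        _sdo("attack-pattern", _U + "3", "T9902", "Placeholder technique B (revoked)",
             ["ESXi"], revoked=True),
        _sdo("attack-pattern", _U + "4", "T9903", "Placeholder technique C (deprecated)",
             ["Network Devices"], x_mitre_deprecated=True),
        _sdo("attack-pattern", _U + "5", "T9904", "Placeholder technique D",
             ["Network Devices"]),
        _sdo("malware", _U + "6", "S9901", "Placeholder malware", ["ESXi", "Linux"]),
    ],
}


def attack_id(obj):
    """Return the ATT&CK ID (Txxxx, Sxxxx, ...) from external_references, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def is_active(obj):
    """Revoked and deprecated objects remain in the bundle; callers must skip them."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def techniques_for_platform(bundle, platform):
    """Sorted (ATT&CK ID, name) pairs of active techniques that list `platform`."""
    out = []
    for obj in bundle["objects"]:
        if obj.get("type") != "attack-pattern" or not is_active(obj):
            continue
        if platform in obj.get("x_mitre_platforms", []):
            out.append((attack_id(obj), obj["name"]))
    return sorted(out)


def platform_coverage(bundle):
    """Map platform -> number of active techniques; diff this across releases to see new platforms."""
    counts = defaultdict(int)
    for obj in bundle["objects"]:
        if obj.get("type") == "attack-pattern" and is_active(obj):
            for platform in obj.get("x_mitre_platforms", []):
                counts[platform] += 1
    return dict(counts)


if __name__ == "__main__":
    print("ESXi techniques:", techniques_for_platform(SAMPLE_BUNDLE, "ESXi"))
    print("coverage:", platform_coverage(SAMPLE_BUNDLE))
```

Running `platform_coverage` against the v16 and v17 bundles and diffing the keys is a quick way to confirm that a detection-mapping pipeline picked up the "ESXi" platform and the "Network" to "Network Devices" rename; a query on the old string returns nothing, which is easy to mistake for "no techniques apply".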
Note: These changes have already been taken into account in the BlackNoise application.

📌 Source: https://medium.com/mitre-attack/attack-v17-dfb59eae2204

📝 CISA extends Mitre CVE contract at last moment

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) extended its contract with MITRE for the Common Vulnerabilities and Exposures (CVE) Program at the last moment. The agreement was reached late on Tuesday, April 15, 2025, preserving continuity of a program the global security community depends on for vulnerability identifiers.
The 11-month extension was executed to prevent any lapse in service. The decision came amid concern across the community about the consequences of a CVE Program outage, given how widely CVE IDs are relied upon for tracking and managing vulnerabilities.

📌 Source: https://www.computerweekly.com/news/366622896/CISA-extends-MITRE-CVE-contract-at-last-moment

🛠️ Cloud Incident Readiness: Key logs for cloud incidents

The Invictus article highlights the role of logging in cloud incident readiness and walks through the key logs for Microsoft, AWS, and Google Workspace. It sorts them into "Must-Have" logs, needed to answer the core investigative questions during a response, and "Nice-to-Have" logs, useful for deeper analysis, and it offers guidance on prioritizing between them when budget is a constraint.

📌 Source: https://www.invictus-ir.com/news/cloud-incident-readiness-key-logs-for-cloud-incidents