News from our Cybersecurity Expert Center

We bring you the latest cybersecurity news and the alerts our experts have detected.

Contact us at siainfo@sia.es

Cybersecurity news highlights

Vulnerabilities

Cybercriminals are actively exploiting a 0-day vulnerability in SonicWall's SMA1000 product (CVE-2025-23006).
Source: psirt.global.sonicwall.co

Cisco patches a critical privilege escalation vulnerability in its Meeting Management tool (CVE-2025-20156).
Source: infosecurity-magazine.com

Malware

Malware campaign spoofs Reddit and WeTransfer to distribute Lumma Stealer.
Source: bleepingcomputer.com

New malware called BackConnect linked to the Qakbot loader.
Source: thehackernews.com

Cybersecurity

Hacktivist group Mr Hanza claims responsibility for a DDoS attack on ChatGPT that caused a worldwide service outage.
Source: lavanguardia.com

Spanish footwear, clothing and accessories firm Hoff suffers a cyberattack that could affect the personal data of its customers.
Source: es.fashionnetwork.com

Latest threats detected

RansomHub affiliate uses Python backdoor to compromise networks

27/01/2025

Executive summary

A RansomHub affiliate uses a Python backdoor to spread ransomware on compromised networks.

Data

Type: Malware
TLP: White
Targets: Multiple
Affected assets: Multiple
Attack vector: Browser updates
Tags: RansomHub, SocGholish, backdoor, python, ransomware

Description

An attack has been detected in which a malicious actor used a Python-based backdoor to maintain persistent access to compromised systems and subsequently deploy the RansomHub ransomware across the affected network.


Technical Details

Initial access was gained via JavaScript malware known as SocGholish, which is distributed through campaigns that trick users into installing fake web browser updates. These campaigns often rely on legitimate but compromised websites, to which victims are redirected from search engine results manipulated with SEO techniques.

Once executed, SocGholish communicates with an attacker-controlled server to download additional malicious payloads. The Python backdoor is installed approximately 20 minutes after the initial SocGholish infection, and the attacker then propagates it to other machines on the same network over RDP sessions. The Python script acts as a reverse proxy that connects to a predefined IP address.

After establishing a connection to the C2 server, it creates a SOCKS5-based tunnel, allowing the attacker to move laterally through the compromised network using the victim's system as a proxy.

This backdoor has been active since December 2023, with only superficial changes aimed at improving its obfuscation and evading detection. The script code is polished and well structured, suggesting that the malware author is meticulous about keeping the Python code readable and testable, or uses artificial intelligence tools to assist with programming.

In addition to the Python backdoor, other tools used prior to ransomware deployment have been identified: EDRSilencer and Backstab to disable endpoint detection and response solutions, LaZagne for credential theft, MailBruter for brute-forcing email credentials, and Sirefef and Mediyes to maintain access and deliver additional payloads.

 
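The two observable behaviours described above (a Python interpreter connecting out to a predefined address, then speaking SOCKS5 over that connection) can be turned into a simple hunt rule. The following is an added example, not code from the original report or from SIA: it runs over constructed endpoint events shaped like Sysmon network-connection records, and the field names, file paths and the "FirstBytes" field are assumptions to be mapped onto your own EDR or SIEM schema.

```python
import ipaddress
from typing import Dict, List

# Constructed sample events shaped like Sysmon network-connection records.
# Field names and paths are assumptions; map them onto your EDR/SIEM schema.
SAMPLE_EVENTS: List[Dict] = [
    {"UtcTime": "2025-01-27 09:00:05", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Initiated": True},
    {"UtcTime": "2025-01-27 09:21:12", "Image": r"C:\Python311\python.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": True,
     "FirstBytes": "050100"},  # SOCKS5 client greeting: VER=5, 1 method, no-auth
    {"UtcTime": "2025-01-27 09:22:40", "Image": r"C:\Python311\pythonw.exe",
     "DestinationIp": "10.0.0.25", "DestinationPort": 445, "Initiated": True},
    {"UtcTime": "2025-01-27 10:00:00", "Image": r"C:\Python311\python.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 5432, "Initiated": True},
]

PYTHON_IMAGES = ("python.exe", "pythonw.exe", "python3.exe")
# RFC 1918 ranges; documentation ranges (198.51.100.0/24 etc.) count as public here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_socks5_greeting(first_bytes_hex: str) -> bool:
    """True if the bytes are a SOCKS5 client greeting (RFC 1928):
    VER=0x05, NMETHODS in 1..255, then exactly NMETHODS method bytes."""
    data = bytes.fromhex(first_bytes_hex)
    if len(data) < 3 or data[0] != 0x05:
        return False
    nmethods = data[1]
    return nmethods >= 1 and len(data) == 2 + nmethods


def hunt(events: List[Dict]) -> List[Dict]:
    """Flag a Python interpreter that initiates a connection to a non-internal IP
    (the backdoor's 'reverse proxy to a predefined address' behaviour) and add a
    second reason when the first payload bytes look like a SOCKS5 greeting."""
    alerts = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in PYTHON_IMAGES or not ev.get("Initiated", False):
            continue
        dst = ipaddress.ip_address(ev["DestinationIp"])
        if dst.is_loopback or any(dst in net for net in INTERNAL_NETS):
            continue  # east-west traffic is left to other rules
        reasons = ["python_outbound_public"]
        if is_socks5_greeting(ev.get("FirstBytes", "")):
            reasons.append("socks5_greeting")
        alerts.append({"time": ev["UtcTime"], "image": ev["Image"],
                       "dst": f"{dst}:{ev['DestinationPort']}", "reasons": reasons})
    return alerts
```

Running hunt(SAMPLE_EVENTS) yields a single alert for the python.exe connection to 198.51.100.7 with both reasons set; the internal pythonw.exe and python.exe connections are deliberately left to other rules so the rule stays quiet on ordinary developer traffic.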

Techniques used

INITIAL ACCESS
Drive-by Compromise - T1189
Spearphishing Link - T1566.002

EXECUTION
Command and Scripting Interpreter: Python - T1059.006
User Execution: Malicious File - T1204.001

DEFENSE EVASION
Impair Defenses: Disable or Modify Tools - T1562.001
Obfuscated Files or Information - T1027

COMMAND & CONTROL
Proxy: Multi-hop Proxy - T1090.003

DISCOVERY
Remote System Discovery - T1018
System Information Discovery - T1082

IMPACT
Data Encrypted for Impact - T1486
Inhibit System Recovery - T1490

Recommendations

Protection

  • Maintain an up-to-date inventory of network systems, including communication flows.
  • Carry out regular security audits of network access points (xDSL, WiFi, modem, VPN, etc.).
  • Use analysis tools (antivirus, EDR, etc.) that detect suspicious behaviour.
  • Maintain an up-to-date inventory of all assets.
  • Deploy defence systems (antivirus) that detect malicious behaviour, and configure application-level firewalls correctly, based on white lists of permitted applications.
  • Establish system security policies that prevent the execution of files from directories commonly used by ransomware (AppData, Local AppData, etc.).
  • Segregate the network properly and establish an appropriate user profiling policy in order to minimise the impact of ransomware.
  • Maintain access control lists for network-mapped drives: in case of infection, the encryption can spread to every network drive mapped on the victim's computer.
  • Install ‘Anti Ransom’ tools that block the ransomware encryption process.

Detection

  • Scan the network with the IoCs included in this threat report.

Mitigation

  • On suspicion of an intrusion, isolate the affected computers from the network without shutting them down, and initiate containment and incident response.
  • Isolate infected computers to prevent the malware from spreading across the network.
  • Keep regular backups of all systems, stored isolated and without connectivity to other systems, so that infected computers cannot reach them.
  • Take a memory dump of infected systems as soon as possible in order to try to recover the encryption key.
  • To prevent the spread of ransomware, isolate the computers on which the threat has been detected.

 

We promote the transformation of business and society through innovative solutions and services, putting people at the center.

 

 

minsait.com

Indra is one of the leading global technology and consulting companies: the technology partner for key operations of client businesses worldwide.

 

indracompany.com
