Podcast Summary: CyberWire Daily – "The New Malware on the Block"
Release Date: April 12, 2025
Host/Author: N2K Networks
Introduction
In this episode of CyberWire Daily, hosted by Dave Bittner and featuring cybersecurity expert Selina Larson, the discussion delves into the evolving landscape of malware, particularly focusing on web injects and the emergence of new threat actors. The conversation provides an in-depth analysis of current cyber threats, their mechanisms, and strategies for detection and prevention.
Understanding Web Injects and the Expanding Threat Landscape
Selina Larson initiates the discussion by explaining the concept of web injects and their growing prominence in cybersecurity threats.
[04:29] Selina Larson: "A web inject is something that gets malicious code put on a website that, when a visitor goes to the website and passes the identity checks or the ways that they're filtered to say, yes, I want to infect this person, they're shown a screen that essentially overwrites what they think the actual website is."
Web injects place attacker-controlled code on an otherwise legitimate, compromised website. Because the code runs in the context of a site the visitor already trusts, it can overlay content that looks like part of that site. The common lure in these campaigns is a pop-up telling the visitor that their browser needs an update; following it delivers the malware payload rather than a browser update.
[05:20] Selina Larson: "They can tell based off of the user agent of the browser that you're using. So they'll tailor these little pop-up screens that say if you're on Chrome, you need to update your Chrome browser."
These tailored pop-ups mimic genuine update notifications, leveraging the user's browser information to increase their legitimacy and the likelihood of user interaction.
Emergence of New Threat Actors: TA2726 and TA2727
The conversation shifts to the identification of new threat actors, TA2726 and TA2727, highlighting their roles and operations within the malware ecosystem.
[07:00] Selina Larson: "TA2726 is the delivery driver and TA2727 is the person that ordered the crap burrito. So we have these two actors and it's kind of interesting. It can be very difficult to delineate different components of the web inject's attack chain delivery method."
In Larson's metaphor, TA2726 is the delivery driver: a traffic distribution service (TDS) operator that decides which visitors are routed to which payload. TA2727 is the customer who ordered the "crap burrito": an actor that uses the injects to deliver its own malware. Separating the two roles matters because one TDS can serve several customers, and the payloads span Windows, Mac, and Android.
Characteristics of TA2726 and TA2727:
- TA2726: Acts as a TDS operator, managing the distribution channels for malware delivery.
- TA2727: Utilizes web injects to distribute diverse malware payloads, such as information stealers for Windows and a new Mac malware called Frigid Stealer.
[09:17] Selina Larson: "There really isn't. No, no. There's truly no industry standard. We like the numbering system... everything from windstorms to action figures."
Larson emphasizes the lack of standardized naming conventions for threat actors, often leading to a variety of names ranging from numerical codes to arbitrary terms.
Detection Challenges and Defensive Strategies
The hosts explore the complexities involved in detecting web injects and other sophisticated malware threats.
[18:45] Selina Larson: "From the actual detection perspective, they use a lot of filtering to prevent identification from automated sandboxes or to prevent identification from people that are trying to look into it and see if this is something that's malicious."
The injected code filters visitors (for example by user agent and other request characteristics) so that sandboxes and analysts are served a clean page, and operators also use strobing, periodically removing the inject from a compromised site and later re-adding it, so a single scan of the site can miss it. Larson outlines several defensive measures organizations can adopt:
- Network Detections: Implement robust network monitoring to identify and block malicious traffic.
- Restrict Script Downloads: Block users from downloading and running script files, JavaScript files in particular, unless there is a business need, since these campaigns depend on the victim executing a downloaded script.
- User Training: Educate users on recognizing and avoiding suspicious prompts and social engineering tactics.
- Website Security: Regularly update and patch websites, particularly those built on platforms like WordPress, to close vulnerabilities that could be exploited for web injects.
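The user-agent tailoring described at [05:20] and the filtering described at [18:45] have a practical consequence for anyone checking whether a site is compromised: a single fetch with a scanner's default user agent will usually see a clean page. The following is an added example, not code from the podcast, Proofpoint, or any of the actors discussed. It assumes you have already fetched the same URL under several User-Agent strings (for instance with curl) and compares the script tags served to each; the page bodies, the victim host `www.example-victim.test` and the inject host `updates-cdn.example-inject.test` are constructed for the demo and are not real indicators.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed first-party host for the page under test (hypothetical name).
FIRST_PARTY_HOSTS = {"www.example-victim.test"}

# Constructed sample bodies for one URL fetched under three User-Agents.
# Windows and Mac browsers get a platform-specific injected script; the
# curl fetch (what a naive scanner looks like) gets the clean page.
COMMON_HEAD = ('<head><script src="/static/app.js"></script>'
               '<script>window.cfg = {"v": 3};</script></head>')
SAMPLE_RESPONSES = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0": (
        "<html>" + COMMON_HEAD + "<body><h1>Shop</h1>"
        '<script src="https://updates-cdn.example-inject.test/chrome.js"></script>'
        "</body></html>"),
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15": (
        "<html>" + COMMON_HEAD + "<body><h1>Shop</h1>"
        '<script src="https://updates-cdn.example-inject.test/mac.js"></script>'
        "</body></html>"),
    "curl/8.6.0": "<html>" + COMMON_HEAD + "<body><h1>Shop</h1></body></html>",
}


class ScriptCollector(HTMLParser):
    """Collect <script> elements: external ones by src, inline ones by a
    short content hash so identical inline blocks compare equal across UAs."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._inline = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.scripts.add("src:" + src)
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            digest = hashlib.sha256(body.encode()).hexdigest()[:12]
            self.scripts.add("inline:" + digest)
            self._inline = None


def scripts_in(html):
    """Return the set of script identifiers found in one page body."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def conditional_scripts(responses):
    """Map each script to the UAs it was served to, keeping only scripts that
    did NOT appear for every UA: the fingerprint of a filtered inject."""
    seen = {}
    for ua, html in responses.items():
        for script in scripts_in(html):
            seen.setdefault(script, set()).add(ua)
    all_uas = set(responses)
    return {s: uas for s, uas in seen.items() if uas != all_uas}


def third_party_srcs(responses, first_party_hosts):
    """External script URLs whose host is not on the first-party allowlist."""
    hosts = {}
    for ua, html in responses.items():
        for script in scripts_in(html):
            if not script.startswith("src:"):
                continue
            url = script[len("src:"):]
            host = urlparse(url).hostname  # None for relative paths
            if host and host not in first_party_hosts:
                hosts.setdefault(url, set()).add(ua)
    return hosts


def analyze(responses, first_party_hosts=FIRST_PARTY_HOSTS):
    """Combine both signals; 'suspect' is third-party AND UA-conditional."""
    cond = conditional_scripts(responses)
    third = third_party_srcs(responses, first_party_hosts)
    cond_urls = {s[len("src:"):] for s in cond if s.startswith("src:")}
    return {
        "ua_conditional": sorted(cond),
        "third_party": sorted(third),
        "suspect": sorted(set(third) & cond_urls),
    }


if __name__ == "__main__":
    for key, items in analyze(SAMPLE_RESPONSES).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Because of strobing, a clean result from one run proves little; rerun the comparison on a schedule and keep the per-UA script sets so that a script that appears, disappears and reappears is visible over time. Inline scripts are hashed rather than compared textually so that a tiny inline loader added for one user agent stands out the same way an external one does.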
[15:28] Selina Larson: "It's important to note that TDS can be used legitimately... but with the illegitimate TDS services, essentially what threat actors are doing is they are orchestrating where the traffic goes and who's going to get served what malware."
Targeting Mac Users: Rising Threats in Mac Malware
Another significant point of discussion is the increasing targeting of Mac users by sophisticated malware.
[15:18] Selina Larson: "One thing I think that is pretty interesting about the Mac malware space in general is that we're seeing a lot more information stealers in particular come on."
Despite the common misconception that Macs are immune to malware, Larson points to a surge in Mac-targeted information stealers, including the newly identified Frigid Stealer. Because these payloads are delivered through the same browser-update lure, the victim has to follow the attacker's instructions and bypass the operating system's built-in protections to run them, which is why user vigilance and education carry so much weight on this platform.
[16:56] Selina Larson: "If you do see something like this up, just closing the tab will get rid of it."
Shifting Tactics: Beyond Phishing and Email-Based Attacks
Larson and Bittner discuss the shifting tactics of threat actors, moving away from traditional phishing and email-based attacks towards more sophisticated methods like web injects and multi-channel attacks.
[22:38] Selina Larson: "Anytime that defenders make a job harder for a threat actor, they are going to find a way to do something else or to expand their wheelhouse and expand their arsenal of capabilities."
As defensive measures for email improve, threat actors innovate by adopting new delivery mechanisms, making cybersecurity a constantly evolving battle.
Social Engineering: The Human Element in Cybersecurity
The episode underscores the pivotal role of social engineering in successful cyber attacks. Larson emphasizes the need for continuous education to help users identify and resist manipulative tactics employed by attackers.
[25:01] Selina Larson: "If you know the signs of being scammed, then it is much more likely that you won't fall for them."
She encourages listeners to share knowledge about these threats, fostering a culture of awareness and proactive defense within the community.
Conclusion and Takeaways
The episode concludes with key takeaways for listeners to bolster their cybersecurity defenses:
- Stay Informed: Keep abreast of the latest cyber threats and attack vectors.
- Implement Robust Security Measures: Utilize network detections, restrict script executions, and regularly update all software and platforms.
- Educate and Train Users: Continuous user education is essential in recognizing and avoiding social engineering attacks.
- Secure Websites: Regularly patch and update websites to prevent them from becoming vectors for malware distribution.
[24:36] Selina Larson: "I want everyone listening to tell someone about this to say, hey, have you ever heard of this? Has this ever happened to you?"
By understanding the evolving strategies of threat actors and implementing comprehensive security measures, organizations and individuals can better protect themselves against the sophisticated threats highlighted in this episode.
Speaker Attributions:
- Dave Bittner: Host, CyberWire Daily
- Selina Larson: Guest, Cybersecurity Expert from Proofpoint
- Archie: Co-host, Representing Advanced Reconnaissance Cyber Operations
Notable Quotes:
- Selina Larson [04:29]: "A web inject is something that gets malicious code put on a website..."
- Selina Larson [07:00]: "TA2726 is the delivery driver and TA2727 is the person that ordered the crap burrito."
- Selina Larson [18:45]: "From the actual detection perspective, they use a lot of filtering..."
- Selina Larson [22:38]: "Anytime that defenders make a job harder for a threat actor, they are going to find a way to do something else..."
By providing a comprehensive overview of the current malware threats and offering actionable insights, this episode serves as a valuable resource for anyone looking to enhance their cybersecurity posture.
![The new malware on the block. [OMITB] - CyberWire Daily cover](/_next/image?url=https%3A%2F%2Fmegaphone.imgix.net%2Fpodcasts%2F1e055db0-16ee-11f0-b6f5-e7892393ba3f%2Fimage%2Fd9f0cdb0dcdd515f0dfd92da4cc68fb2.png%3Fixlib%3Drails-4.3.1%26max-w%3D3000%26max-h%3D3000%26fit%3Dcrop%26auto%3Dformat%2Ccompress&w=1200&q=75)