CyberBakery Chronicles

Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (21 Mar 2025)

Ukraine’s Computer Emergency Response Team (CERT-UA) reports that employees of the Ukrainian defence industry and members of the armed forces are being targeted through compromised Signal accounts. The attackers send messages carrying an archive disguised as a meeting report; inside are a PDF and an executable. Running the executable launches the DarkTortilla loader, which in turn installs the Dark Crystal RAT (DCRAT). Because the messages are sent from accounts the attackers have taken over, some arrive from contacts the recipient already knows, which makes the attachment far more likely to be opened.

[Figure: Overview of the attack. Source: CERT-UA]

CERT-UA has tracked this activity as UAC-0200 since June 2024. The lures were initially generic; since February 2025 they have been tailored to topics such as UAVs and electronic-warfare systems.
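The lure hinges on an archive that bundles a decoy document with an executable. As an added illustration (not code from CERT-UA or from this newsletter), the following Python check inspects a zip archive by content rather than by filename: it recognises a Windows PE image from its DOS header and PE signature, notices when a PE carries a document-style extension or a double extension, and blocks any archive that contains an executable. The archive members are constructed stand-ins; the PDF and PE stubs are only headers, not real files.

```python
import io
import os
import zipfile

# Constructed stand-ins for the two members of the lure archive: a decoy
# document and a Windows PE executable. Neither is real malware.
PDF_STUB = b"%PDF-1.4\n% constructed decoy document\n"
PE_STUB = (b"MZ" + b"\x00" * 58             # DOS header up to e_lfanew
           + (64).to_bytes(4, "little")     # e_lfanew -> PE signature at offset 64
           + b"PE\x00\x00" + b"\x00" * 32)  # PE signature + padding

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".lnk", ".hta"}


def is_pe(head: bytes) -> bool:
    """True if the buffer starts a PE image: 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(head[0x3C:0x40], "little")
    return head[pe_off:pe_off + 4] == b"PE\x00\x00"


def classify(head: bytes) -> str:
    """Content-based type of a file from its first bytes, ignoring the extension."""
    if is_pe(head):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"\x7fELF"):
        return "elf"
    return "other"


def inspect_archive(blob: bytes) -> dict:
    """Scan every member of a zip; block if any member is a PE, report oddities."""
    findings, kinds = [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)
            kind = classify(head)
            kinds.append(kind)
            base = os.path.basename(info.filename)
            ext = os.path.splitext(base)[1].lower()
            if kind == "pe":
                findings.append(f"{info.filename}: Windows executable (PE) inside archive")
                if ext not in EXECUTABLE_EXTS:
                    findings.append(f"{info.filename}: PE content behind extension {ext or '(none)'}")
            if base.count(".") >= 2 and ext in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: double extension hides executable type")
    verdict = "block" if "pe" in kinds else "allow"
    return {"verdict": verdict, "findings": findings, "kinds": kinds}


def build_lure() -> bytes:
    """Constructed lure: decoy PDF plus an executable named to look like the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_report.pdf", PDF_STUB)
        zf.writestr("meeting_report.pdf.exe", PE_STUB)
    return buf.getvalue()


def build_benign() -> bytes:
    """Constructed archive holding only a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("minutes.pdf", PDF_STUB)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_lure()), ("benign", build_benign())):
        result = inspect_archive(blob)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The point of sniffing the first bytes is that renaming payload.exe to report.pdf (or report.pdf.exe) changes nothing about the MZ/PE structure, so the check keeps working when the extension lies; real gateways extend the same idea to nested archives and password-protected ones, which this snippet does not handle.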

Signal users, especially those likely to be targeted for espionage or spear-phishing, should:

  • Disable automatic attachment downloads.

  • Be cautious of unsolicited messages, even from known contacts.

  • Regularly review linked devices in Signal settings.

  • Keep the Signal app updated.

  • Enable Registration Lock (Signal’s PIN), so the phone number cannot be re-registered on another device without it.

None of these measures stops a determined sender, but together they reduce both the chance of opening a malicious attachment and the chance of an attacker quietly linking a device to your account.

WhatsApp has addressed a zero-click, zero-day vulnerability that was exploited to install Graphite, the spyware sold by Paragon Solutions, on targeted devices. The exploit required no interaction from the victim.

Details of the Exploit

Security researchers from the University of Toronto’s Citizen Lab discovered that the attackers added targets to a WhatsApp group and sent a malicious PDF file. The victim’s device automatically processed this PDF, exploiting the vulnerability to install the Graphite spyware. Once installed, the spyware provided attackers with access to the victims’ messaging applications and other data. 

WhatsApp’s Response

Upon learning of the exploit, WhatsApp mitigated the attack vector on the server side in late 2024, so no client update was required. The company chose not to assign a CVE-ID after reviewing MITRE’s guidelines and its internal policies. WhatsApp also notified approximately 90 users across more than two dozen countries, including journalists and members of civil society, who were targeted by this campaign.

Broader Implications

This incident underscores the persistent threat of commercial spyware such as Graphite, which can infiltrate devices without user interaction, and the difficulty secure messaging platforms face in defending against such exploits. A server-side fix and direct notification of targeted users were the right response, and the speed of both matters.

You can refer to Citizen Lab's detailed report for a comprehensive analysis of Paragon’s spyware operations.

Security researcher Yohanes Nugroho has developed a GPU-accelerated decryptor for the Linux/ESXi variant of the Akira ransomware, enabling victims to recover their files without paying a ransom. 

Background on Akira Ransomware

Akira ransomware encrypts files on compromised systems and demands payment for the key. The variant Nugroho analysed has been active since late 2023 and targets Linux and VMware ESXi hosts.

Development of the Decryptor

Nugroho built the decryptor while helping a company hit by Akira. He noticed that this variant derives its encryption keys from nanosecond-resolution timestamps taken while encrypting, so if the approximate time at which a file was encrypted can be established, the candidate seeds fall within a bounded window and can be brute-forced. The window is still large: consumer GPUs such as the RTX 3060 and RTX 3090 proved too slow, so he moved to rented cloud GPUs and, with sixteen RTX 4090s, recovered the key in roughly 10 hours.
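To make the weakness concrete, here is an added Python example (not Nugroho’s decryptor and not Akira’s real key schedule) of a toy stream cipher whose only secret is a nanosecond timestamp. Given a ciphertext, a known-plaintext crib (here the constructed ‘KDMV’ magic and version bytes that a VMDK sparse extent starts with) and a time window in which the encryption must have happened, the brute-force loop tries every candidate timestamp and stops when the crib decrypts. The timestamp and the 200 µs window are hypothetical values chosen so the search finishes in well under a second; the helper at the end shows how quickly the candidate count grows with a realistic window of whole seconds.

```python
import hashlib

# Constructed toy cipher for illustration only. It is NOT Akira's construction
# (see Nugroho's write-up for that); it reproduces just the property the
# decryptor exploits: the entire key is a function of a nanosecond timestamp.


def toy_key(seed_ns: int) -> bytes:
    """Derive a 256-bit key from a nanosecond timestamp (the toy's only secret)."""
    return hashlib.sha256(seed_ns.to_bytes(8, "little")).digest()


def toy_keystream(key: bytes, nbytes: int) -> bytes:
    """SHA-256 in counter mode, producing at least nbytes of keystream."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def toy_crypt(data: bytes, seed_ns: int) -> bytes:
    """XOR stream cipher: the same call encrypts and decrypts."""
    ks = toy_keystream(toy_key(seed_ns), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def recover_seed(ciphertext: bytes, crib: bytes, start_ns: int, end_ns: int):
    """Try every timestamp in [start_ns, end_ns); return the one whose keystream
    turns the first len(crib) bytes of ciphertext into the crib, else None."""
    n = len(crib)
    head = ciphertext[:n]
    for seed in range(start_ns, end_ns):
        ks = toy_keystream(toy_key(seed), n)
        if bytes(c ^ k for c, k in zip(head, ks)) == crib:
            return seed
    return None


def candidates_in_window(seconds: float) -> int:
    """How many nanosecond seeds a window of the given width contains."""
    return int(seconds * 1_000_000_000)


# Constructed sample file: starts like a VMDK sparse extent header (magic 'KDMV',
# version 1), the kind of fixed header that gives the attacker away.
SAMPLE_PLAINTEXT = b"KDMV\x01\x00\x00\x00" + b"constructed payload for the demo"
CRIB = SAMPLE_PLAINTEXT[:8]
TRUE_SEED_NS = 1_700_000_000_123_456_789                   # hypothetical encryption time
WINDOW = (TRUE_SEED_NS - 50_000, TRUE_SEED_NS + 150_000)    # 200 us of uncertainty


def demo():
    """Encrypt the sample, then recover the seed and plaintext from the window."""
    ciphertext = toy_crypt(SAMPLE_PLAINTEXT, TRUE_SEED_NS)
    seed = recover_seed(ciphertext, CRIB, *WINDOW)
    plaintext = toy_crypt(ciphertext, seed) if seed is not None else None
    return seed, plaintext


if __name__ == "__main__":
    seed, pt = demo()
    print("recovered seed:", seed)
    print("plaintext:", pt)
    # A few seconds of uncertainty is already billions of candidates, which is
    # why the real recovery needed GPU brute force rather than a loop like this.
    print("candidates for a 1-second window:", candidates_in_window(1.0))
```

Two things carry over to the real case: a crib is needed because there is no other way to recognise the right key, and the cost is linear in the width of the time window, so every source that narrows when encryption happened (file timestamps, logs, the order in which files were processed) directly shortens the search.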

Availability and Usage

The decryptor, with usage instructions, is publicly available on GitHub. It is tailored to the Linux/ESXi variant of Akira active since late 2023, so confirm that the files were encrypted by this specific variant before attempting decryption.

Considerations

While the decryptor offers a lifeline to victims, the brute force demands substantial GPU capacity, which puts it out of reach of individuals or small organisations that cannot rent or borrow high-performance hardware. Akira’s operators may also change their key generation in response, which would leave the current tool ineffective against newer versions.

Preventive Measures

This development underscores the critical importance of proactive cybersecurity measures:

  • Regular Backups: Maintain offline backups of critical data to ensure recovery options during ransomware attacks.

  • System Updates: Keep operating systems and software up to date to mitigate vulnerabilities that ransomware can exploit.

  • Security Solutions: Deploy reputable security software capable of detecting and preventing ransomware infections.

A Windows vulnerability disclosed by Trend Micro’s Zero Day Initiative and tracked as ZDI-CAN-25373 has been exploited by at least 11 state-backed groups, including actors from China, Iran, North Korea, and Russia. The flaw lets attackers hide malicious command-line arguments inside specially crafted Windows Shortcut (.LNK) files, and the technique has been in use since 2017.

How the Exploit Works

Attackers pad the shortcut’s COMMAND_LINE_ARGUMENTS field with whitespace (spaces, tabs, line feeds, carriage returns and similar characters) so that the real arguments sit far beyond what the shortcut’s Properties dialog displays in its Target box. A user who inspects the shortcut sees an innocuous target, yet the padded command runs when the shortcut is opened. Because the padding is nothing but legitimate whitespace, tools that rely on what the UI shows, or on simple string matching, miss the payload.
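Since the arguments are hidden from the Properties dialog rather than from the file itself, a parser that reads the StringData section directly sees them in full. The following Python is an added example (not ZDI’s or Trend Micro’s tooling): it builds a constructed minimal .LNK from the MS-SHLLINK layout, parses the StringData fields back out, and flags arguments that contain long whitespace runs or control whitespace. The padded command line, the 32-character threshold and the cmd.exe relative path are assumptions for the demo.

```python
import re
import struct

# Layout from MS-SHLLINK: a 0x4C-byte ShellLinkHeader, optional LinkTargetIDList
# and LinkInfo, then StringData entries, each a uint16 character count followed
# by the characters (UTF-16LE when the IsUnicode flag is set).
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
PAD_CHARS = " \t\n\r\x0b\x0c"   # space, tab, LF, CR, vertical tab, form feed


def build_lnk(arguments: str, relative_path: str = r"..\Windows\System32\cmd.exe") -> bytes:
    """Constructed minimal shortcut: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x80, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, times, size, icon, SW_SHOWNORMAL
    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .LNK as a dict of str."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # uint16 size, then the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # uint32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for key, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        raw = data[pos:pos + (count * 2 if unicode else count)]
        pos += len(raw)
        fields[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return fields


def padding_analysis(arguments: str, threshold: int = 32) -> dict:
    """Flag whitespace padding of the kind used to hide a command from the UI."""
    control = sorted({c for c in arguments if c in PAD_CHARS and c != " "})
    longest_run = max((len(m.group()) for m in re.finditer(r"\s+", arguments)), default=0)
    return {
        "longest_whitespace_run": longest_run,
        "control_whitespace": ["\\x%02x" % ord(c) for c in control],
        "command": " ".join(arguments.split()),   # what an analyst should actually read
        "suspicious": longest_run >= threshold or bool(control),
    }


# Constructed samples: one padded the way the malicious shortcuts are, one plain.
PADDED_ARGS = " \t\r\n\x0b\x0c" * 200 + '/c powershell.exe -w hidden -c "echo constructed-payload"'
BENIGN_ARGS = "/k echo hello"


def demo():
    return {label: padding_analysis(parse_lnk(build_lnk(args))["arguments"])
            for label, args in (("padded", PADDED_ARGS), ("benign", BENIGN_ARGS))}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Real samples may also carry a LinkTargetIDList, LinkInfo and ExtraData blocks; the parser skips the first two by their size fields, which is enough to reach StringData, and that is where the padded arguments live. The key habit is to look at the parsed field, not at what Explorer renders.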

Who Is Being Targeted?

Since its exploitation began in 2017, the vulnerability has been used against:

  • Government agencies

  • Financial institutions

  • Telecommunications providers

  • Military organisations

  • Energy and critical infrastructure sectors

[Figure: Number of samples from APT groups exploiting ZDI-CAN-25373]

The attacks have primarily targeted entities in the United States, Canada, Russia, South Korea, Vietnam, and Brazil. North Korean groups account for 46% of the samples attributed to state actors, with Russian, Chinese, and Iranian groups making up most of the rest.

Microsoft’s Response & Security Risks

Despite the breadth of its abuse, Microsoft has said the issue does not meet its bar for immediate servicing and has not committed to a fix; ZDI classifies the bug as a user-interface misrepresentation weakness (CWE-451). Until a fix ships, the only protections are the defender-side controls below.

How to Protect Yourself

Since there is no official patch, security experts recommend the following steps:

  • Avoid opening untrusted .LNK files: be cautious of shortcut files received via email or downloaded from unknown sources.

  • Inspect shortcuts with a parser, not the Properties dialog: the hidden arguments are in the file, so any tool that reads the COMMAND_LINE_ARGUMENTS field directly will show them.

  • Use endpoint security solutions: ensure your antivirus and endpoint detection tools can identify and block malicious shortcut files.

  • Strengthen network protections: configure email gateways and firewalls to filter out suspicious .LNK attachments.

Without a Microsoft patch, users must rely on proactive security measures to mitigate this ongoing threat.

A recent investigation by Symantec’s Threat Hunter team has uncovered that an affiliate of the RansomHub ransomware-as-a-service (RaaS) operation is deploying a sophisticated custom backdoor named Betruger. 

Betruger Backdoor Capabilities

Betruger is a multi-functional backdoor designed to streamline various malicious activities typically carried out during ransomware attacks. Its capabilities include: 

  • Screenshot Capture: Allows attackers to monitor user activities.

  • Keylogging: Records keystrokes to capture sensitive information such as passwords.

  • File Uploads: Enables data exfiltration to command-and-control (C2) servers.

  • Network Scanning: Identifies other devices and services within the compromised network.

  • Privilege Escalation: Gains higher system permissions to execute advanced malicious operations.

  • Credential Dumping: Extracts stored credentials for further exploitation. 

By consolidating these functions into a single tool, Betruger reduces the need for multiple separate utilities, thereby minimizing the attackers’ footprint and potentially lowering the chances of detection. 

Deployment and Masquerading Techniques

The backdoor has been observed under filenames such as mailer.exe and turbomailer.exe, an attempt to pass as a legitimate mailing application and so avoid the initial scrutiny of defenders and users. Neither file has any mailing functionality.

RansomHub’s Evolving Tactics

RansomHub affiliates have been noted for employing a variety of tools and techniques to enhance their attack strategies, including: 

  • Bring Your Own Vulnerable Driver (BYOVD): Using tools such as EDRKillShifter, which loads a legitimate but vulnerable driver to disable security products.

  • Exploitation of Known Vulnerabilities: Leveraging CVE-2022-24521 (a Windows CLFS driver elevation-of-privilege bug) and CVE-2023-27532 (credential disclosure in Veeam Backup & Replication) to gain a foothold and escalate privileges.

  • Use of Publicly Available Tools: Deploying Impacket for remote service execution and credential dumping, the Stowaway proxy tool for tunnelling traffic, and SystemBC as a commodity backdoor for C2 communication.

Integrating the Betruger backdoor into their arsenal signifies RansomHub’s commitment to developing custom malware to enhance operational efficiency and effectiveness. 

Implications and Recommendations

The deployment of multi-functional backdoors like Betruger underscores the evolving tactics of ransomware groups to streamline their operations while reducing detection risks. To mitigate such threats, organisations should: 

  • Enhance Monitoring: Alert on the behaviours a backdoor like this produces, such as unexpected screenshot or keylogging activity, credential-store access, internal port scanning, and outbound uploads from processes that have no business doing them.

  • Regularly Update and Patch Systems: Ensure all software and systems are up-to-date to prevent exploitation of known vulnerabilities.

  • Conduct Security Awareness Training: Educate employees about phishing attacks and the importance of verifying the legitimacy of executable files.

  • Restrict Administrative Privileges: Limit user permissions to reduce the impact of potential privilege escalation by attackers.

Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.

The CyberChef

Let’s make 2025 the year of shared knowledge and community growth.
