Hackers often target internal communications tools to obtain confidential information like employee records, business plans, and proprietary technologies.
With these characteristics of trust and openness, internal communications provide valuable but less secure means for cyber-attacks to be launched against an organization.
Cybersecurity researchers at SentinelOne Labs recently identified the tools used by the NullBulge actor, who releases Disney’s internal Slack communications.
The NullBulge group was launched between April and June 2024. It focused on AI and gaming communities and used innovative malware distribution techniques.
This means that despite claiming anti-AI activism, their activities suggest profit motives for the group.
They specialize in compromising plug-ins and mods for AI-art applications and games that involve ‘supply chain poisoning’ on platforms such as GitHub, Reddit, and Hugging Face.
Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware Files
Their campaigns consist of Python-based payloads that exfiltrate data through Discord webhooks. They also used malware tools like Async RAT and Xworm.
NullBulge uses infected libraries, custom Python wheels, and scripts to collect browser data and system details. It also utilizes the LockBit ransomware strain, researchers added.
This sophisticated approach compromises legitimate software repositories as well as a range of malicious tools dispersed on AI platforms, which demonstrate multiple threats to AI and Gaming ecosystems.
.webp "Tools Used By NullBulge Actor, Who Releases Disney's Internal Communications 2")
The AppleBotzz identity is central to NullBulge’s attacks on GitHub, Hugging Face, and ModLand, raising questions about their relationship.
NullBulge claims to have compromised the original ComfyUI_LLMVISION repository maintainer’s credentials, enabling their malicious code posts.
They assert that AppleBotzz is a separate entity whose accounts they have taken over on various platforms.
However, the consistent use of AppleBotzz for malware staging and delivery suggests NullBulge might control this identity.
While NullBulge denies this connection, the lack of non-malicious code in the compromised repositories and the widespread use of AppleBotzz across platforms cast doubt on their separation claims, though conclusive evidence is lacking.
In an attempt to hack BeamNG players, NullBulge released mods laced with convoluted PowerShell scripts that dropped either Async RAT or Xworm via encoded hyperlinks on social media sites and gaming platforms.
These first attacks launched custom LockBit ransomware variants. The team uses a modified config file within the LockBit 3.0 builder that grants several malicious functionalities.
.webp "Tools Used By NullBulge Actor, Who Releases Disney's Internal Communications 3"){kind=tracking}
NullBulge rents active leakage portals that feature several victims inside them.
Notably, they asserted that they had attacked Disney and leaked DuckTales production files and later an enormous 1.2TB collection of supposed internal Slack data.
.webp "Tools Used By NullBulge Actor, Who Releases Disney's Internal Communications 4")
The group’s advanced system employs supply chain attacks, multi-stage malware campaigns, and high-profile data dumpages, showing their emerging threat capabilities in today’s threat scenes.
NullBulge stores and vends off stolen infostealer logs and OpenAI API keys in diverse underground forums, unveiling a financial motive beyond their united artistic protection.
.webp "Tools Used By NullBulge Actor, Who Releases Disney's Internal Communications 5")
They have a GitHub repository for their self-made tools and mysellix.io profile, where they sell API keys.
NullBulge, although not very sophisticated, poses a considerable threat by focusing on AI-based applications and games with basic malware and ransomware.
Recommendations
Here below we have mentioned all the recommendations:-
- Secure API keys by using the vaults, avoid hardcoding and rotate regularly.
- Scrutinize third-party code by checking for suspicious content, especially in dependencies.
- Verify code sources by using the trusted, verified sources for third-party code.
- Monitor commit histories by knowing the active contributors to spot suspicious activity.
- Always be cautious with public code by avoiding installation from unknown sources.
“Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!”- Free Demo