Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label APT Group. Show all posts

New Cybersecurity Threat for the Middle Eastern Countries: OilRig Malware

 



Cybersecurity experts say that there is a new threat against Middle East organisations, and more specifically within the United Arab Emirates, and other Gulf countries. There is an Iranian gang cybercrime known as OilRig that aims to hunt login credentials for access into several organisations and personal systems, with a focus on infiltration of key infrastructures within the region.


Role of OilRig in Attacks

OilRig is another notorious state-sponsored hacking group. At other times, it was known by the designations APT43 and Cobalt Gipsy. Its origins date back to Iranian government sponsorship. And in previous campaigns, OilRig has mainly focused on exploiting exposed servers with web shells - a category of malicious software. This gives attackers the ability to take control of an affected server remotely and run PowerShell scripts from it. As such, such a gain in access allows it to facilitate attackers in finding deeper access into the system.

Once the group fully takes over the system, they exploit the flaw CVE-2024-30088. Microsoft discovered that it had patched this security vulnerability in June 2024 for the Windows operating system. This allows the attackers to elevate their privilege, which gives attackers access to the forbidden areas of the system, thus limiting their operations. According to Microsoft, this is a high-risk vulnerability with a base score of 7.0.


How the Malware Works

This attack utilises a malware referred to as STEEL HOOK, that is a very sophisticated piece of malware. STEALHOOK gathers sensitive information from the infected systems. It tumbles the gathered data with other legitimate data that would aid in its undetected operation. Then, it sends it back to the attackers using an Exchange server. This exfiltrated the data, keeping it hidden from cybersecurity defences. Since it moves as traffic, the attackers subtly can extract sensitive information without immediately causing an alarm.


Ties to Ransomware and Other APT Groups

OilRig's operations closely relate to another Iranian threat group known as FOX Kitten, which is particularly infamous for ransomware campaigns. These connections suggest a broader strategy by Iranian hacking groups in targeting and disrupting key industries, with a specific focus on the energy sector. According to Trend Micro, most of OilRig's targets fall in the energy sector; disruption in such industries could have ripple effects at regional and global levels. This sector is also important, and any extended interference could seriously affect daily life because energy supply lines take such a large part of this region's infrastructure.


Vulnerability Not Yet Flagged By CISA

Shockingly though there is a belief that this flaw is already being exploited, the United States Cybersecurity and Infrastructure Security Agency (CISA) has yet to include CVE-2024-30088 in the Known Exploited Vulnerabilities catalogue. Therefore, for organisations to decide and focus on patching the exploited vulnerabilities used by hackers, this catalogue becomes highly important. Its absence on the list means that there still exists an increased need for a general awareness of the threat and hence affected organisations need to patch up their systems actively.

Among the many malware campaigns that have lately been in view targeting the Middle East, OilRig seemed to reflect the rising complexity and frequency of cyber attacks. In fact, energy sector organisations need to be highly aware of such sophisticated attacks. Ultimately, the case of exploitation involving CVE-2024-30088 would reflect critical and constant risks given by state-sponsored cyber criminals. Meanwhile, it emphasises the advisability of timely software updates and the need for strong cybersecurity measures against unauthorised access and data theft.

In that respect, there is a call for protection of the information systems companies have from these advanced threats from corporate and individual entities. In this respect, OilRig can be prevented through great proactive steps and awareness in preventing these powerful cyberattacks from taking their worse course of follow-up actions.


Ransomware Attacks on the Rise! Nearly 2900 Assaults Reported in the First Quarter of 2024

 

The increasing frequency of ransomware attacks is a significant challenge, as seen by the recent rise in APT groups with ties to Pakistan before the Indian elections and the disruption of significant Ransomware-as-a-Service (RaaS) operations.

The Seqrite report states that initial access brokers are selling more access to Indian entities (corporate and government) in the underground forums. This led to over 2900 disruptive actions in the first quarter of 2024 by over 85 Telegram hacktivist groups, including DDoS, website defacement, and database dumps. According to the report, there is one ransomware attack for every 650 detections. 

The most recent findings paint a picture of increasing threats, with sophisticated attacks targeting governments, organisations, and individuals alike. 

The report also highlighted a recent spike in cyberattacks by Pakistan-linked APT groups such as SideCopy and APT36 (Transparent Tribe) targeting not only the Indian government and military bodies, which is especially concerning given the ongoing elections, but also new spear-phishing campaigns such as Operation RusticWeb and FlightNight. 

Another crimeware report by Arete discloses that during Q1, law enforcement continued to put pressure on large Ransomware-as-a-Service (RaaS) companies, significantly impacting LockBit activities. While LockBit and ALPHV's combined activity no longer accounts for the majority of ransomware engagements, Arete saw a much broader and more evenly spread threat landscape, with activity from groups such as 8Base, BianLian, Black Basta, Cactus, DragonForce, Hunters International, HsHarada, Medusa, Phobos, Rhysida, and Trigona.

Furthermore, the trend of fewer organisations paying ransoms persisted, with a ransom paid in 34% of Arete engagements in the first quarter of 2024. Another recent report, Cybernomics 101 by Barracuda, found that 71% of respondents had suffered a ransomware assault in the previous year, with 61% paying the ransom. 

Prevention tips

The researchers believe that backing up critical data is the most effective strategy to recover from a ransomware infestation. There are a few things to consider. Backup files should be appropriately safeguarded and stored offline or out-of-band so that attackers cannot target them. Using cloud services may help alleviate a ransomware outbreak because many retain prior copies of files, allowing you to restore to an unencrypted version. Make careful to test backups on a regular basis to ensure their effectiveness. In the case of an attack, ensure that your backups are not compromised before rolling back. 

Additionally, ensure that all of the organization's operating systems, apps, and software are frequently updated. Applying the most recent updates will help close the security gaps that attackers are attempting to exploit. Wherever possible, enable auto-updates so that you always have the most recent security upgrades.

MITRE Links Recent Attack to China-Associated UNC5221

 

MITRE recently provided further insight into the recent cyber intrusion, shedding light on the new malicious software employed and a timeline detailing the attacker's actions.

In April 2024, MITRE announced a breach in one of its research and prototyping networks. Following the discovery, MITRE's security team swiftly initiated an investigation, ejected the threat actor, and enlisted third-party forensics Incident Response teams for independent analysis alongside internal experts. It was revealed that a nation-state actor had infiltrated MITRE's systems in January 2024 by exploiting two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

The intrusion was detected when MITRE noticed suspicious activity from a foreign nation-state threat actor targeting its Networked Experimentation, Research, and Virtualization Environment (NERVE), which is utilized for research and prototyping purposes. MITRE promptly took NERVE offline and commenced mitigation procedures. Although investigations are ongoing to ascertain the extent of compromised information, MITRE has informed relevant authorities and affected parties while endeavoring to restore alternative collaboration platforms.

Despite MITRE's adherence to industry best practices, vendor recommendations, and governmental directives to bolster its Ivanti system, oversight led to unauthorized access into its VMware infrastructure. However, MITRE emphasized that neither its core enterprise network nor its partners' systems were impacted by the breach.

MITRE researchers identified indicators of compromise associated with UNC5221, a China-linked APT group, coinciding with the security breach. The hackers gained initial access to NERVE on December 31, deploying the ROOTROT web shell on Internet-facing Ivanti appliances.

On January 4, 2024, the threat actors conducted reconnaissance within the NERVE environment, leveraging compromised Ivanti appliances to access vCenter and communicate with multiple ESXi hosts. Subsequently, the attackers utilized hijacked credentials to infiltrate accounts via RDP, accessing user bookmarks and file shares to probe the network and manipulate VMs, compromising the infrastructure.

Further malicious activities ensued, including deploying the BRICKSTORM backdoor and the BEEFLUSH web shell on January 7, 2024, facilitating persistent access and arbitrary command execution. The hackers maintained control through SSH manipulation and script execution, exploiting default VMware accounts and establishing communication with designated C2 domains.

Additional payloads, such as the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell for data exfiltration, were deployed on the target infrastructure. Despite attempts at lateral movement between mid-February and mid-March, the threat actors failed to compromise other resources beyond NERVE.

MITRE concluded its update with malware analysis and Indicators of Compromise for the involved payloads, highlighting the adversary's persistent attempts to infiltrate and maintain control within the network.

ToddyCat APT Is Siphoning Data on 'Industrial Scale'

 

ToddyCat, an advanced persistent threat (APT) gang that targets the government and defence industries, has been seen collecting stolen data "on an industrial scale" from victim organisations in Asia-Pacific. 

Kaspersky researchers first disclosed details regarding the elusive gang's actions in 2022, despite the fact that it has been functioning since December 2020. ToddyCat is believed to be a Chinese-speaking gang, though its origins and ties are unknown.

Initially, the threat group targeted only certain organisations in Taiwan and Vietnam. When the ProxyLogon vulnerabilities in Microsoft Exchange Server were discovered in early 2021, it broadened the scope of its operations, now targeting multiple European and Asian organisations. 

ToddyCat upgraded its tools and strategies in 2023, and launched a long-running attack against government entities and telecom providers in multiple Asian countries. 

In Kaspersky's most recent review of the group, published last week, researchers Andrey Gunkin, Alexander Fedotov, and Natalya Shornikova explained the techniques the gang had lately been seen employing to exfiltrate massive volumes of data. 

“During the observation period, we noted that this group stole data on an industrial scale,” researchers explained. “To collect large volumes of data from many hosts, attackers need to automate the data harvesting process as much as possible, and provide several alternative means to continuously access and monitor systems they attack.”

One of the group's attacks was its predilection for creating many tunnels with various tools to gain access to the infrastructure of the organisations it targeted. This allowed the gang to continue using the compromised systems even after one of the tunnels was identified and eliminated, according to the experts.

ToddyCat used reverse SSH tunnels to get access to remote network services. The gang also employed SoftEther VPN, an open-source tool that allows for the establishment of VPN connections using a variety of popular protocols.

“In virtually every case we observed, the attackers renamed vpnserver_x64.exe to hide its purpose in the infected system,” the researchers added. “To transfer the tools to victim hosts, the attackers used their standard technique of copying files through shared resources, and downloaded files from remote resources using the curl utility.” 

To protect against the gang, the researchers advised defenders to add the resources and IP addresses of cloud providers that allow traffic tunnelling to their firewall deny lists. The researchers also recommended limiting the tools administrators can use to remotely access hosts.

Analysing Advanced Persistent Threats 2023: Tactics, Targets, and Trends

 

The term "Advanced Persistent Threat" (APT) denotes a highly specialised category of cyber adversaries within the field of cybersecurity. These entities distinguish themselves through advanced skill sets and substantial access to resources, often employing sophisticated tools and techniques. APTs typically exhibit state sponsorship, indicating either direct or indirect government support or intricate ties to organized crime syndicates. 

This connection to state actors or criminal groups grants them a level of persistence and capability that far exceeds that of conventional cybercriminals. In 2023, the cybersecurity landscape has witnessed the persistent activity of several Advanced Persistent Threat (APT) groups, with attributions largely pointing to nation-states, notably Iran and China. These sophisticated entities operate at the forefront of cyber capabilities, employing advanced tactics, techniques, and procedures. Their activities extend beyond conventional cybercriminal motives, often involving strategic objectives tied to geopolitical influence, military espionage, or the compromise of critical infrastructure. As the year unfolds, the vigilance of cybersecurity experts remains crucial in monitoring and responding to the evolving tactics employed by these APT groups, reflecting the ongoing challenge of safeguarding against state-sponsored cyber threats.  

Here’s a summary of some of the most active and prominent APT Groups as of 2023:  

1) APT39  

APT39, believed to be associated with Iran, has emerged as a notable player in the cyber threat landscape in 2023. This advanced persistent threat group strategically directs its efforts towards the Middle East, with a specific focus on key sectors such as telecommunications, travel, and information technology firms. APT39 employs a sophisticated arsenal of cyber tools, including the use of SEAWEED and CACHEMONEY backdoors, along with spearphishing techniques for initial compromise. 

2) APT35 

APT35, believed to be affiliated with Iran, has solidified its position as a significant threat in 2023, honing its focus on military, diplomatic, and government personnel across the U.S., Western Europe, and the Middle East. Employing a sophisticated toolkit that includes malware such as ASPXSHELLSV and BROKEYOLK, the group employs a multifaceted approach, leveraging spearphishing and password spray attacks to infiltrate target networks. APT35's strategic interests span various sectors, encompassing U.S. and Middle Eastern military, diplomatic and government personnel, as well as organizations in the media, energy, defense industrial base (DIB), and the engineering, business services, and telecommunications sectors.  

3) APT41 

APT41, believed to be linked to China, continues to pose a significant cyber threat in 2023, targeting a diverse range of sectors including healthcare, telecommunications, high-tech, education, and news/media. Renowned for employing an extensive arsenal of malware and spear-phishing tactics with attachments, APT41 demonstrates a multifaceted approach, engaging in both state-sponsored espionage and financially motivated activities. Researchers have identified APT41 as a Chinese state-sponsored espionage group that has also ventured into financially motivated operations. Active since at least 2012, the group has been observed targeting industries such as healthcare, telecom, technology, and video games across 14 countries. APT41's activities overlap, at least partially, with other known threat groups, including BARIUM and Winnti Group, underscoring the complexity and interconnected nature of cyber threats associated with this sophisticated actor.  

4) APT40 

APT40, associated with China, maintains a strategic focus on countries crucial to China's Belt and Road Initiative, with a particular emphasis on the maritime, defense, aviation, and technology sectors. Notably active in 2023, APT40 employs a diverse range of techniques for initial compromise, showcasing their sophisticated capabilities. These methods include web server exploitation, phishing campaigns delivering both publicly available and custom backdoors, and strategic web compromises. APT40's modus operandi involves the utilization of compromised credentials to access connected systems and conduct reconnaissance. The group further employs Remote Desktop Protocol (RDP), Secure Shell (SSH), legitimate software within victim environments, an array of native Windows capabilities, publicly available tools, and custom scripts to facilitate internal reconnaissance. This comprehensive approach highlights APT40's adaptability and underscores the persistent and evolving nature of cyber threats in the geopolitical landscape. 

5) APT31 

Focused on government entities, international financial organizations, aerospace, and defense sectors, among others, APT31, also known as Zirconium or Judgment Panda, stands out as a formidable Advanced Persistent Threat group with a clear mission likely aligned with gathering intelligence on behalf of the Chinese government. Operating in 2023, APT31 exhibits a strategic approach, concentrating on exploiting vulnerabilities in applications like Java and Adobe Flash to achieve its objectives. Similar to other nation-state actors, the group's primary focus is on acquiring data relevant to the People's Republic of China (PRC) and its strategic and geopolitical ambitions. The group's activities underscore the ongoing challenge of safeguarding sensitive information against sophisticated state-sponsored cyber threats. 

6) APT30 

APT30, believed to be associated with China, distinguishes itself through its noteworthy focus on long-term operations and the infiltration of air-gapped networks, specifically targeting members of the Association of Southeast Asian Nations (ASEAN). Employing malware such as SHIPSHAPE and SPACESHIP, this threat actor utilizes spear-phishing techniques to target government and private sector agencies in the South China Sea region. Notably, APT30's objectives appear to lean towards data theft rather than financial gain, as they have not been observed targeting victims or data that can be readily monetized, such as credit card information or bank credentials. Instead, the group's tools demonstrate functionality tailored for identifying and stealing documents, with a particular interest in those stored on air-gapped networks. APT30 employs decoy documents on topics related to Southeast Asia, India, border areas, and broader security and diplomatic issues, indicating a strategic approach to lure in and compromise their intended targets in the geopolitical landscape. 

7) APT27 

APT27 believed to be operating from China, is a formidable threat actor specializing in global intellectual property theft across diverse industries. Employing sophisticated malware such as PANDORA and SOGU, the group frequently relies on spear-phishing techniques for initial compromise. APT27 demonstrates versatility in deploying a wide array of tools and tactics for its cyberespionage missions. Notably, between 2015 and 2017, the group executed watering hole attacks through the compromise of nearly 100 legitimate websites to infiltrate victims' networks. Targeting sectors including government, information technology, research, business services, high tech, energy, aerospace, travel, automotive, and electronics, APT27 operates across regions such as North America, South-East Asia, Western Asia, Eastern Asia, South America, and the Middle East. The group's motives encompass cyberespionage, data theft, and ransom, employing a diverse range of malware including Sogu, Ghost, ASPXSpy, ZxShell RAT, HyperBro, PlugX RAT, Windows Credential Editor, and FoundCore. 

8) APT26 

APT26, suspected to have origins in China, specializes in targeting the aerospace, defense, and energy sectors. Recognized for its strategic web compromises and deployment of custom backdoors, this threat actor's primary objective is intellectual property theft, with a specific focus on data and projects that provide a competitive edge to targeted organizations within their respective fields. The group's tactics involve the utilization of associated malware such as SOGU, HTRAN, POSTSIZE, TWOCHAINS, and BEACON. APT26 employs strategic web compromises as a common attack vector to gain access to target networks, complementing their approach with custom backdoors deployed once they penetrate a victim's environment.  

9) APT25 

APT25, also recognized as Uncool, Vixen Panda, Ke3chang, Sushi Roll, and Tor, is a cyber threat group with suspected ties to China. The group strategically targets the defense industrial base, media, financial services, and transportation sectors in both the U.S. and Europe. APT25's primary objective is data theft, and its operations are marked by the deployment of associated malware such as LINGBO, PLAYWORK, MADWOFL, MIRAGE, TOUGHROW, TOYSNAKE, and SABERTOOTH. Historically, the group has relied on spear-phishing techniques in its operations, incorporating malicious attachments and hyperlinks in deceptive messages. APT25 actors typically refrain from using zero-day exploits but may leverage them once they become public knowledge. The group's consistent focus on targeted sectors and methods underscores its persistence and intent to pilfer sensitive information from key industries in the U.S. and Europe. 

10) APT24 

APT24, also known as PittyTiger and suspected to have origins in China, conducts targeted operations across a diverse array of sectors, including government, healthcare, construction, mining, nonprofit, and telecommunications industries. The group has historically targeted organizations in countries such as the U.S. and Taiwan. APT24 is distinguished by its use of the RAR archive utility to encrypt and compress stolen data before exfiltration from the network. Notably, the stolen data primarily consists of politically significant documents, indicating the group's intention to monitor the positions of various nation-states on issues relevant to China's ongoing territorial or sovereignty disputes. Associated malware utilized by APT24 includes PITTYTIGER, ENFAL, and TAIDOOR. The group employs phishing emails with themes related to military, renewable energy, or business strategy as lures, and its cyber operations primarily focus on intellectual property theft, targeting data and projects that contribute to an organization's competitiveness within its field. 

11) APT23 

APT23, suspected to have ties to China, directs its cyber operations towards the media and government sectors in the U.S. and the Philippines, with a distinct focus on data theft of political and military significance. Unlike other threat groups, APT23's objectives lean towards traditional espionage rather than intellectual property theft. The stolen information suggests a strategic interest in political and military data, implying that APT23 may be involved in supporting more traditional espionage operations. The associated malware used by APT23 is identified as NONGMIN. The group employs spear-phishing messages, including education-related phishing lures, as attack vectors to compromise victim networks. While APT23 actors are not known for utilizing zero-day exploits, they have demonstrated the capability to leverage these exploits once they become public knowledge. 

12) APT22 

Also known as Barista and suspected to be linked to China, APT22 focuses its cyber operations on political, military, and economic entities in East Asia, Europe, and the U.S., with a primary objective of data theft and surveillance. Operating since at least early 2014, APT22 is believed to have a nexus to China and has targeted a diverse range of public and private sector entities, including dissidents. The group utilizes associated malware such as PISCES, SOGU, FLATNOTE, ANGRYBELL, BASELESS, SEAWOLF, and LOGJAM. APT22 employs strategic web compromises as a key attack vector, allowing for the passive exploitation of targets of interest. Additionally, threat actors associated with APT22 identify vulnerable public-facing web servers on victim networks, uploading webshells to gain access to the victim's network. This comprehensive approach underscores APT22's persistent and multifaceted tactics in carrying out intrusions and surveillance activities on a global scale. 

13) APT43 

Linked to North Korea, APT43 has targeted South Korea, the U.S., Japan, and Europe across various sectors, including government, education/research/think tanks, business services, and manufacturing. Employing spear-phishing and fake websites, the group utilizes the LATEOP backdoor and other malicious tools to gather information. A distinctive aspect of APT43's operations involves stealing and laundering cryptocurrency to purchase operational infrastructure, aligning with North Korea's ideology of self-reliance, thereby reducing fiscal strain on the central government. APT43 employs sophisticated tactics, creating numerous convincing personas for social engineering, masquerading as key individuals in areas like diplomacy and defense. Additionally, the group leverages stolen personally identifiable information (PII) to create accounts and register domains, establishing cover identities for acquiring operational tooling and infrastructure. 

14) Storm-0978 (DEV-0978/RomCom) 

Storm-0978, also known as RomCom, is a Russian-based cybercriminal group identified by Microsoft. Specializing in ransomware, extortion-only operations, and credential-stealing attacks, this group operates, develops, and distributes the RomCom backdoor, and its latest campaign, detected in June 2023, exploited CVE-2023-36884 to deliver a backdoor with similarities to RomCom. Storm-0978's targeted operations have had a significant impact on government and military organizations primarily in Ukraine, with additional targets in Europe and North America linked to Ukrainian affairs. The group is recognized for its tactic of targeting organizations with trojanized versions of popular legitimate software, leading to the installation of RomCom. Notably, ransomware attacks attributed to Storm-0978 have affected industries such as telecommunications and finance, highlighting the group's broad impact and the evolving nature of cyber threats in the geopolitical landscape. 

15) Camaro Dragon 

A Chinese state-sponsored hacking group named 'Camaro Dragon' has recently shifted its focus to infecting residential TP-Link routers with a custom malware called 'Horse Shell.' European foreign affairs organizations are the specific targets of this cyber campaign. The attackers utilize a malicious firmware exclusively designed for TP-Link routers, enabling them to launch attacks appearing to originate from residential networks rather than directly targeting sensitive networks. Check Point, the cybersecurity firm that uncovered this campaign, clarifies that homeowners with infected routers are unwitting contributors rather than specific targets. The infection is attributed to self-propagating malware spread via USB drives. Checkpoint identified updated versions of the malware toolset, including WispRider and HopperTick, with similar capabilities for spreading through USB drives. These tools are associated with other tools employed by the same threat actor, such as the Go-based backdoor TinyNote and a malicious router firmware implant named HorseShell. The shared infrastructure and operational objectives among these tools provide further evidence of Camaro Dragon's extensive and coordinated cyber activities. 

In conclusion, the cybersecurity landscape of 2023 has been defined by a substantial surge in Advanced Persistent Threat (APT) activities, reflecting a sophisticated and dynamic threat environment. This analysis has delved into the intricate and evolving nature of these threats, emphasizing the persistent and increasingly sophisticated endeavours of emerging and established APT groups. These actors, distinguished by high skill levels and substantial resources, often operate with state sponsorship or connections to organized crime, enabling them to execute complex and prolonged cyber campaigns. 

Throughout the year, APTs have prominently featured, executing meticulously planned operations focused on long-term infiltration and espionage. Their objectives extend beyond financial gain, encompassing geopolitical influence, military espionage, and critical infrastructure disruption, posing a significant threat to global stability and security. 

Key regions such as the Asia-Pacific (APAC), South America, Russia, and the Middle East have witnessed diverse APT activities, showcasing unique tactics and targeting various sectors. Notable incidents, including compromising secure USB drives, deploying remote access Trojans (RATs), and sophisticated spear-phishing campaigns, underscore the adaptability of APT groups. The emergence of new actors alongside well-established groups, utilizing platforms like Discord and exploiting zero-day vulnerabilities, highlights the need for enhanced cyber defenses and international cooperation. 

Incidents like the Sandworm attack and exploitation of Atlassian Confluence flaws exemplify the diverse and evolving nature of APT threats, emphasizing their technical prowess and strategic focus on critical sectors and infrastructure. In response, a comprehensive and adaptive approach involving robust security measures, intelligence sharing, and strategic collaboration is essential to effectively mitigate the multifaceted risks posed by these highly skilled adversaries in the ever-evolving cyber threat landscape.

Iranian APT Group Charming Kitten Updates Powerstar Backdoor

According to researchers from cybersecurity firm Volexity, the most recent variant of malware is probably backed by a custom server-side component. This component assists the Powerstar backdoor operator by automating basic tasks. The latest version of the malware utilizes a distributed file protocol to disseminate personalized phishing links. 

Researchers have discovered that the malware incorporates various functionalities, such as leveraging the InterPlanetary File System (IPFS) and employing publicly accessible cloud hosts to remotely host its decryption function and configuration details. 

In April, Microsoft identified a group named Mint Sandstorm. This group utilized an implant called CharmPower, which was distributed through targeted spear-phishing campaigns. The campaigns specifically targeted individuals associated with the security community, as well as those affiliated with think tanks or universities in Israel, North America, and Europe. 

The threat actor known as Charming Kitten also referred to as Phosphorus, TA453, APT35, Cobalt Illusion, ITG18, and Yellow Garuda, has been involved in surveillance activities targeting journalists and activists since at least 2013. Recently, researchers have discovered that the attackers are adopting the guise of a reporter from an Israeli media organization. 

Their strategy involves sending targeted individuals an email containing a malicious attachment. The phishing email urges the recipient to review a document pertaining to U.S. foreign policy. To mitigate the chances of detection and analysis, the malware employs a tactic that separates the decryption method from the initial code and ensures it is never written to the disk. This approach minimizes the risk of exposure during analysis and detection processes. 

Volexity researchers found that the malware captures and uploads screenshots to the attacker's server, detects antivirus software, establishes persistence using a Registry Run key for the IPFS variant of Powerstar, collects system information, and employs a clean-up module to erase traces. 

The InterPlanetary File System (IPFS) is a decentralized network where files are stored and accessed through unique content identifiers. It functions similarly to a BitTorrent swarm and Git repository, facilitating decentralized file storage and retrieval.

SideWinder APT Group: Victims in Pakistan and Turkey Stricken with Multiphase Polymorphic Attack


Government authorities and individuals in Turkey are apparently been targeted by India’s well-known SideWinder APT group, which is using polymorphism techniques, enabling bypass standard signature-based antivirus (AV) detection and deliver a next-stage payload.

In an article published on their blog on May 8, the researchers from the BlackBerry Threat Research and Intelligence team described how attacks make use of documents with information catered to their interests that, when opened, leverages a remote template injection issue to deliver malicious payloads.

The campaign's first phase, identified last November, targets Pakistani targets with a server-side polymorphic attacks, while a later phase, discovered earlier this year, employs phishing techniques to spread malicious lure documents to victims. 

While, rather than using malicious macron with documents to disseminate malware, which is frequently the case when documents are used as lures, the APT uses the CVE-2017-0199 vulnerability to deliver the payloads.

How Polymorphism Deceits Defenders 

Attackers have been utilizing the Server-side polymorphism as a way to evade detection by AV tools. The researchers noted that it accomplishes this by utilizing malicious code that modifies its appearance through encryption and obfuscation, ensuring that no two samples seem the same and are therefore difficult to analyze.

“The attack can fool defenders because it serves the victim with a new sample each time a link is clicked,” says Dmitry Bestuzhev, senior director of cyber-threat intelligence at BlackBerry. “In this case, each new download has a new hash, which “effectively breaks hash-based detections used by security operations centers (SOCs) and some endpoint scanners,” he says.

“Since there’s a new hash each time, there is no information on a given sample on public multi scanners like VirusTotal unless each new sample is uploaded over and over for further analysis[…]So it makes life harder for the victims because of the lack of information on public sandboxes and other-like security services,” Bestuzhev continues. 

The Latest Threat Campaigns 

Blackberry researchers evaluated the campaign's numerous documents, which were located on an attacker-controlled server and distributed to victims. Researchers first came across one with the subject line "GUIDELINES FOR BEACON JOURNAL - 2023 PAKISTAN NAVY WAR COLLEGE (PNWC)," and in early December identified another that claimed to be a letter of offer and acceptance "for the purchase of defense articles, defense services, or both."

In both of these cases, “The name of the file ‘file.rtf’ and the file type are the same; however, the contents, file size and the file hash are different[…]This is an example of server-based polymorphism, where each time the server responds with a different version of file, so bypassing the victim’s antivirus scanner (presuming the antivirus uses signature-based detection),” they added.

In case the user does not fall under the Pakistani IP range, 8 byte RTF file that contains a single string. In contrary, if the user is within the Pakistani IP range, the server then returns the RTF payload, varying between 406KB to 414KB in size.

Attacks Expanding to Turkey and Beyond 

Early in March, the researchers found a new malicious document connected to the prior attack that had been transmitted via phishing emails. This discovery suggested that Turkey had become a new target country for SideWinder. The servers were put up so that a victim in Turkey could get a second-stage payload, according to the researchers, who discovered them in mid-March.

While Southeast Asian regions like Pakistan and Sri Lanka have always been prime targets of SideWinder, them targeting victims in Turkey makes sense, considering their geopolitical conditions where the Turkish Government has been backing Pakistan, sparking criticism from India, according to the researchers.

While polymorphic attacks overall can be difficult to defend against, detection and prevention strategies based on behavior and hashes can be effectively used against them, Bestuzhev notes.

“The key for organizations to mitigate these attacks”, Bestuzhev adds, “is not to focus on volatile indicators of compromise but on meaningful tactics, techniques, and procedures (TTPs) and behaviors in the system or code blocks covered by machine learning technologies.”

APT Groups Tomiris and Turla Target Governments

 


As a result of an investigation under the Advanced Persistence Threat (APT) name Tomiris, the group has been discovered using tools such as KopiLuwak and TunnusSched that were previously linked to another APT group known as Turla. 

Positive results are the result of an investigation conducted into the Tomiris APT group. This investigation focused on an intelligence-gathering campaign in Central Asia. As a possible method to obstruct attribution, the Russian-speaking actor used a wide array of malware implants that were created rapidly and in all programming languages known to man to develop the malware implants. A recently published study aims to understand how the group uses malware previously associated with Turla, one of the most notorious APT groups. 

Cyberspace is a challenging environment for attribution. There are several ways highly skilled actors throw researchers off track with their techniques. These include masking their origins, rendering themselves anonymous, or even misrepresenting themselves as part of other threat groups using false flags. Adam Flatley, formerly Director of Operations at the National Security Agency and Vice President for Intelligence at [Redacted], explains this in excellent depth. Adam and his team can determine their real identities only by taking advantage of threat actor operational security mistakes. 

Based on Kaspersky's observations, the observed attacks were backed by several low-sophisticated "burner" implant attacks using different programming languages, regularly deployed against the same targets by using basic but efficient packaging and distribution techniques as well as deployed against the same targets consistently. Tomiris also uses open-source or commercial risk assessment tools. 

In addition to spear-phishing emails with malicious content attached (password-protected archives, malicious documents, weaponized LNKs), Tomiris uses a wide range of other attack vectors. Tomiris' creative methods include DNS hijacking, exploiting vulnerabilities (specifically ProxyLogon), suspected drive-by downloads, etc. 

To steal documents inside the CIS, the threat actor targets governments and diplomatic entities within that region. There have been instances where victims have turned up in other regions (overseas as the Middle East and Southeast Asia) only to be foreigners representing the countries of the Commonwealth of Independent States, a clear indication of Tomiris's narrow focus on the region. 

An important clue to figuring out what's happening is the targeting. As Delcher explained, Tomiris focuses on government organizations in CIS, including the Russian Federation. However, in the cybersecurity industry, some vendors refer to Turla as a Russian-backed entity. A Russian-sponsored actor would not target the Russian Federation, which does not make sense. 

According to Delcher, it is not simply an educational exercise to differentiate between threat actors and legitimate actors. A stronger defense can be achieved through the use of such software. There may be some campaigns and tools that need to be re-evaluated in light of the date Tomiris started utilizing KopiLuwak. In addition, there are several tools associated with Turla.

Dark Pink: New APT Group Targets Asia-Pacific, Europe With Spear Phishing Attacks


A new wave of advanced persistent threat (APT) attacks has been discovered, that is apparently launched by a threat group named Dark Pink. 

The attack was launched between June and December 2022 and has been targeting countries in the Asia-Pacific, such as Cambodia, Vietnam, Malaysia, Indonesia, and the Philippines. Along with these, one European country, Bosnia and Herzegovina was also targeted. 

Details Of The Attack 

The attack was first discovered by Albert Priego, a Group-IB malware analyst, and was labeled ‘The Dark Pink.’  This APT group has also been named Saaiwc Group by a Chinese cybersecurity researcher. 

Researchers from Group-IB found activity on Dark Pink's GitHub account, which suggests that Dark Pink's operations may be traced as far back as mid-2021. However, from mid to late 2022, the group's activity increased significantly. 

In regards to the attack, the Group-IB stated in a blog post that the Dark Pink operators are “leveraging a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups.” Furthermore, Group-IB wrote of a custom toolkit "featuring four different infostealer: TelePowerBot, KamiKakaBot, Cucky, and Ctealer." 

These infostealers are being utilized by the threat group to extract important documents stored inside government and military networks. 

Group-IB discovered one of Dark Pink's spear-phishing emails that were used to obtain the initial access. In this case, the threat actor purported to be a candidate for a PR and communications intern position. The threat actor may have scanned job boards and used this information to construct highly relevant phishing emails when they mention in the email that they found the position on a jobseeker website. 

This simply serves to highlight how precisely these phishing emails are crafted in to appear so dangerous. 

Reportedly, Dark Pink possesses the ability to exploit the USB devices linked to compromised systems. Moreover, Dark Pink can also access the messengers installed on the infected computers. 

Dark Pink APT Group Remains Active 

The Dark Pink APT group still remains active. Since the attacks continued until the end of 2022, Group-IB is still investigating the issue and estimating its size. 

The company hopes to unveil the operators’ identity, and states in the blog post that the initial research conducted on the incident should "go a long way to raising awareness of the new TTPs utilized by this threat actor and help organizations to take the relevant steps to protect themselves from a potentially devastating APT attack." 

APTs: Description, Key Threats, and Best Management Practices


An Advances Persistent Threat (APT) is a sophisticated, multiple staged cyberattack, in which the threat actor covertly creates and maintain its presence within an organization’s network, undetected, over a period of time. 

A government agency or a business could be the target, and the information could be stolen or used to do additional harm. When attempting to penetrate a high-value target, an APT may be launched against the systems of one entity. APTs have been reported to be carried out by both state actors and private criminals. 

Several organizations closely monitor the threat actor groups that pose these APTs. CrowdStrike, a security company that monitors over 170 APT groups, claims to have witnessed a nearly 45% rise in interactive infiltration efforts between year 2020 and 2021. Nation-state espionage activities are now a strong second in frequency, although (financial) e-crime is still the most frequently identified motive.

An APT comprises of mainly three main reasons: 

  1. Network infiltration 
  2. The expansion of the attacker’s presence 
  3. The extraction of amassed data (or, in some instances, the launch of sabotage within the system)

Since the threat is established to both evade detection and acquire sensitive information, each of these steps may entail several steps and be patiently carried out over an extended period of time.

Successful breaches may operate covertly for years; yet, some acts, including jumping from a third-party provider to the ultimate target or carrying out a financial exfiltration, may be carried out very rapidly. 

APTs have a reputation for using deception to avoid giving proper, direct credit for their work. An APT for one country could incorporate language from another country into its code to confuse investigators. 

Investigating teams may as well have close relationships with state-intelligence agencies, leading some to raise questions pertaining to the objectivity of their findings. 

Amidst this, the tactics, techniques, and procedures (TTPs) of APTs are up for constant updates, in response to the continuously changing environment and countermeasures. “This past year, there was a dramatic uptick in APT attacks on critical infrastructure such as the transportation and financial sectors,” says Trellix’s Head of Threat Intelligence. 

List of key threats

New APTs based on advanced techniques are, by nature, generally operating yet being undetected. Additionally, quite challenging attacks continue to be carried out against organizations, long after they were first detected (for instance, SolarWinds). 

Moreover, fresh common trends and patterns are constantly being identified and duplicated, unless a means is discovered in order to render them ineffective. Listed below are some of the major trends in APTs, identified by a Russian internet security firm ‘Kaspersky’: 

The private sector supporting an influx of new APT players: It is anticipated that more and more APTs will use commercially available products like the Pegasus software from the Israeli company NSO Group, which is marketed to government agencies for its zero-click surveillance capabilities. 

Mobile devices exposed to wide, sophisticated attacks: Although Apple's new Lockdown Mode for the iOS 16 iPhone software update is meant to address the exploitation of spyware by NSO Group, its phones still stand with Android and other mobile devices as the top targets of APTs. 

More supply-chain attacks: Supply-chain attacks should continue to be a particularly effective strategy for reaching high-value government and private targets, as demonstrated by SolarWinds. 

Continued exploitation of work-from-home (WFH): With the emerging WFH arrangements since the year 2020, hacker groups will continue targeting employees’ remote systems, until those systems are potent enough to combat exploitation. 

Increase in APT intrusions in the Middle East, Turkey, and Africa (META) region, (especially in Africa): With the constantly diminishing geopolitical situation, globally, espionage is emerging rapidly in areas where systems and communications are the most vulnerable. 

APT Identification and Management Practices: 

Since APTs are designed to be covert, facilitated, backed by constant advancement, and illicit traffic in zero-day exploits, it becomes intrinsically challenging to detect them. Attacks, however, frequently follow a pattern, going for predictable targets like admin credentials and privileged data repositories that represent important company assets. 

Following are 5 recommendations for avoiding and identifying APT intrusion: 

1. Threat modeling and instrumentation: According to Igor Volovich, Vice President of Compliance for Omulos “Threat modeling is a useful practice that helps defenders understand their risk posture from an attacker’s perspective, informing architecture and design decisions around security controls […] Instrumenting the environment with effective controls capable of detecting malicious activity based on intent rather than specific technique is a strategic direction that enterprises should pursue.” 

2. Stay alert: Pay closer attention to the operation of security analyst and security community posting, which keeps a check on the APT groups, since they look for activities pertaining to indications of threat group actions, or that of an activity group and threat actors; as well as activities that indicate a potential intrusion or cyber-campaigns. 

3. Baseline: It is crucial to understand your own environment and establish a common baseline in order to identify anomalous behavior in the environment and, consequently, spot the tell-tale signs of the presence of APTs. It is easier to identify odd traffic patterns and unusual behavior by using this baseline. 

4. Use your tools: In order to identify APTs, one may as well use existing security tools like endpoint protection, network prevention systems, firewalls, and email protection. 

5. Threat Intelligence: Threat intelligence sources should be evaluated against data from security tools and information on potentially unusual traffic. Organizations that use threat feeds can describe the threat and what it can signify for the target organisation. These technologies can help a management team identify potential attackers and determine their possible objectives.  

Chinese APT Utilizes Ransomware to Cover Cyberespionage

 

A China-based advanced persistent threat (APT) group called Bronze Starlight has been active since the start of 2021. It appears to be using double-extortion attacks and ransomware as cover for routine, state-sponsored cyberespionage and intellectual property theft. 

The distribution of post-intrusion ransomware, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0, is a feature of Bronze Starlight. Microsoft also labeled it as part of the DEV-0401 emerging threat cluster, highlighting its involvement in all phases of the ransomware attack cycle, from initial access to the payload dissemination.

China's Correlation

The threat actor has always loaded Cobalt Strike Beacon and then released ransomware on compromised computers using a malware loader known as the HUI Loader, which is solely utilized by  Chinese-based organizations. This method has not been noticed by other threat actors, according to Secureworks researchers.

Researchers from Secureworks believe that Bronze Starlight is more likely motivated by cyberespionage and intellectual property (IP) theft than financial gain due to the short lifespan of each ransomware family, victimology, and access to tools used by Chinese state hacktivists (including known vulnerabilities and the HUI Loader). HUI Loader has been used to distribute malware such as Cobalt Strike, QuasarRAT, PlugX, and SodaMaster as well as remote access trojans (RATs) at least since 2015.

Attacks carried out by the actor are distinguished by the use of vulnerabilities influencing Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j. This contrasts with other RaaS groups that obtain access from initial access brokers (IABs) to enter a network. 

The similarity between Ransomware 

Additionally, a familiar actor is apparent from the similarities found between LockFile, Atom Silo, Rook, Night Sky, and Pandora, the latter three of which were developed from the Babuk ransomware, the source code of which was leaked in September 2021. 

The researchers write that the use of HUI Loader to load Cobalt Strike Beacon, the configuration data for Cobalt Strike Beacon, the C2 network, and the code overlap "indicate that the same threat group is linked with these 5 ransomware families."

The use of the HUI Loader to launch next-stage encrypted payloads like PlugX and Cobalt Strike Beacons, which are used to disseminate the ransomware, is another instance of detected tradecraft. However, this technique requires first getting privileged Domain Administrator credentials. 

The main victims are American and Brazilian pharmaceutical firms, a U.S. media outlet with branches in China and Hong Kong, Lithuanian and Japanese electronic component designers and manufacturers, a U.S. legal company, and the aerospace & defense unit of an Indian conglomerate. 

To achieve this, ransomware operations not only give the threat actor a way to phish data as a result of the double extortion, but they also give them a chance to erase forensic proof of its destructive actions and distract them from data theft.

SideWinder Launched Nearly 1000 Assaults in Two Years

 

The South Asian APT organization SideWinder has been on a tear for the past two years gone, launching nearly 1,000 raids and deploying increasingly sophisticated assault techniques. 

Earlier this week, Noushin Shaba, a senior security researcher at Kaspersky shared her findings at the Black Hat Asia conference regarding SideWinders’ attacking methodologies. The APT group primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries.

SideWinder has been active since at least 2012 and primarily targets military and law enforcement agencies in Pakistan, Bangladesh, and other South Asian countries. In recent years, they have also targeted departments of Foreign Affairs, Scientific and Defence organizations, Aviation, IT industry, and Legal firms. Some of their newly registered domains and spear-phishing documents indicate this threat actor is expanding the geography of its targets to other countries and regions. 

SideWinder has become one of the planet's most prolific hacking groups by expanding the geography of its targets to other countries and regions. However, the reason behind its expansion remains unknown. 

Last year, the group deployed new obfuscation techniques for the JavaScript it drops into .RTF files, .LNK files, and Open Office documents. Kaspersky has observed unique encryption keys deployed across over 1,000 malware samples sourced from the group.

Threat actors even ran two versions of its obfuscation techniques over several months, and appear to have shifted from an older and less stealthy version to its current malware. SideWinder also exchanges domains regularly for its command-and-control servers as well as for its download servers. That's mostly to ensure that if a domain gets detected, it still has a way to get to its targets, Shabab explains. Spreading activity across different domains in the attacks is less likely to raise suspicion as well. 

In January 2020, Trend Micro researchers revealed that they had unearthed SideWinder exploiting a zero-day local privilege-escalation vulnerability (CVE-2019-2215) that affected hundreds of millions of Android users when it was first published. 

“I think what really makes them stand out among other APTs [advanced persistent threat] actors are the big toolkit they have with many different malware families, lots of new spear-phishing documents, and a very large infrastructure. I have not seen 1,000 attacks from a single APT from another group until further,” Shaba stated.

US has Offered a $10 Million Bounty on Data About Russian Sandworm Hackers

 

The United States announced a reward of up to $10 million for information on six Russian military intelligence service hackers. According to the State Department's Rewards for Justice Program, "these people engaged in hostile cyber actions on behalf of the Russian government against U.S. vital infrastructure in violation of the Computer Fraud and Abuse Act."

The US Department of State has issued a request for information on six Russian officers (also known as Voodoo Bear or Iron Viking) from the Main Intelligence Directorate of the General Staff of the Russian Federation's Armed Forces (GRU) regarding their alleged involvement in malicious cyberattacks against critical infrastructure in the United States. The linkages attributed are as follows : 

  • Artem Valeryevich Ochichenko has been linked to technical reconnaissance and spear-phishing efforts aimed at gaining illegal access to critical infrastructure sites' IT networks around the world. 
  • Petr Nikolayevich Pliskin, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, and Yuriy Sergeyevich Andrienko, are accused of developing components of the NotPetya and Olympic Destroyer malware used by the Russian government to infect computer systems on June 27, 2017, and Yuriy Sergeyevich Andrienko, who are accused of developing components of the NotPetya and Olympic De.
  • Anatoliy Sergeyevich Kovalev is accused of inventing spear-phishing techniques and communications which were utilized by the Russian government to hack into critical infrastructure computer systems. 

On October 15, 2020, the US Justice Department charged the mentioned officials with conspiracy to commit wire fraud and aggravated identity theft for carrying out damaging malware assaults to disrupt and destabilize other countries and cause monetary damages. 

According to the indictment, GRU officers were involved in attacks on Ukraine, including the BlackEnergy and Industroyer malware-based attacks on the country's power grid in 2015 and 2016. The folks are accused of causing damage to protected computers, conspiring to commit computer fraud and abuse, wire fraud, conspiracy to commit wire fraud, and aggravated identity theft by the US Department of Justice. According to the US Department of State, the APT group's cyber actions resulted in roughly $1 billion in losses for US firms.

The Rewards of Justice has established a Tor website at "he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad[.]onion" as part of the project, which may be used to anonymously submit reports on these threat actors or to communicate the information using Signal, Telegram, or WhatsApp. 

Recently, the Sandworm collective was linked to Cyclops Blink, a sophisticated botnet malware that snagged internet-connected firewall devices and routers from WatchGuard and ASUS. Other recent hacking efforts linked to the gang include the use of an improved version of the Industroyer virus against high-voltage electrical substations in Ukraine amid Russia's continuing invasion.

Chinese Hackers Target Betting Firms in South East Asia

 

An unknown Chinese-speaking advanced persistent threat (APT) has been associated to a new campaign targeting betting firms in South East Asia, specifically Taiwan, the Philippines, and Hong Kong. 

The campaign, which Avast dubs Operation Dragon Castling (ODC), is exploiting a security loophole (CVE-2022-24934) in WPS Office to deploy a backdoor on the targeted systems. The vulnerability has since been addressed by Kingsoft Office, the developers of the office software. However, with 1.2 billion WPS Office downloads around the globe, there are likely a high number of systems open to compromise. 

According to Avast researchers, the bug was exploited to deploy a malicious binary from a fake update server with the domain update.wps[.]cn that triggers a multi-stage infection chain that leads to the deployment of intermediate payloads and allows for privilege escalation before finally deploying the Proto8 module. 

"The core module is a single DLL that is responsible for setting up the malware's working directory, loading configuration files, updating its code, loading plugins, beaconing to [command-and-control] servers, and waiting for commands," Avast researchers Luigino Camastra, Igor Morgenstern, Jan Holman explained. 

Proto8’s plugin-based technique applied to prolong its functionality permits the malware to achieve persistence, bypass user account control (UAC) mechanisms, develop new backdoor accounts, and even execute arbitrary commands on the infected program. 

While researchers haven’t linked this malicious campaign to any known actors, they believe it is the work of a Chinese APT either looking to gather intelligence or achieve financial gains. Considering the nature of the targets, which is betting companies, the motive of the threat actors may have been to steal financial credentials or take over accounts and cash out escrow balances. 

The techniques and the powerful toolset employed in the campaign reflect a skillful adversary, so not being able to make attributions with high confidence is somewhat expected. However, this isn’t the first instance that China-sponsored hackers have targeted betting firms. 

Last year in January 2021, Chinese hackers targeted gambling firms that have been promoting their products to Chinese nationals without authorization. Attackers demanded at least $100 million be paid in Bitcoin to restore access to gambling operators’ servers, but companies remained adamant in the face of the threat and never paid a penny.

Threat Actors Modified Open-Source Tool to Target organizations

 

Cybersecurity researchers have unearthed an interesting ransomware campaign in which the malicious actors employed custom tools commonly used by APT (Advanced Persistent Threat) groups.

Earlier this week, Security Joes' researchers published a report highlighting attackers' modus operandi to target one of its clients in the gambling industry. During the attack, the ransomware operators used custom open-source tools. 

The operational strategies, methodology of targeting victims, and malware customization capabilities signify a potential link between APT and ransomware operators, explained the report from Security Joes. However, no concrete evidence has been uncovered till now. 

The attackers employed a modified version of the Ligolo, a reverse tunneling utility available for pentesters on GitHub, and a custom tool to dump credentials from LSASS. According to the Security Joes team, the ransomware campaign showcased excellent ransomware training and knowledge of threat actors. The stolen SSLVPN credentials of one of the employees helped attackers to penetrate the victim's systems, followed by admin scans and RDP brute-force, and then credential harvesting efforts.

At the final stage of the campaign, threat actors deployed proxy tunneling for a secure connection and installed the famous Cobalt Strike. Security Joes' team believes that the attackers would launch the ransomware as the next step since the methods followed match those of typical ransomware gang operations. However, it did not come to this, so it is impossible to say with certainty.

The attackers employed multiple off-the-shelve open-source tools typically used by numerous adversaries, like Mimikatz, SoftPerfect, and Cobalt Strike. One notable differentiation was the installation of ‘Sockbot’, a GoLang-written utility based on the Ligolo open-source reverse tunneling tool. The attackers modified Ligolo with meaningful additions that removed the need to use command-line parameters and included several execution checks to avoid running multiple processes.

Additionally, the malicious actors took into their arsenal a custom tool "lsassDumper", also written in GoLang. It was used to automatically steal data from the LSASS process. As experts noted, they observed lsassDumper in real attacks for the first time. 

"Comparing the new variant (Sockbot) to the original source code available online, the threat actors added several execution checks to avoid multiple instances running at the same time, defined the value of the Local Relay as a hard-coded string to avoid the need of passing command line parameters when executing the attack and set the persistence via a scheduled task," researchers concluded.

UNC1151 Targets Ukrainian Armed Forces Personnel with Spear Phishing Campaign

 

The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about an ongoing spear-phishing campaign targeting private email accounts belonging to Ukrainian military personnel. The Ukrainian agency attributes the campaign to the UNC1151 cyber espionage gang, which is linked to Belarus. In mid-January, the Kyiv administration blamed Belarusian APT group UNC1151 for the defacement of tens of Ukrainian government websites. 

“We believe preliminarily that the group UNC1151 may be involved in this attack,” Serhiy Demedyuk, deputy secretary of the national security and defence council, told Reuters. “This is a cyber-espionage group affiliated with the special services of the Republic of Belarus. The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future.”

The following message was shown on defaced websites in Russian, Ukrainian, and Polish. “Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab public, fairy tale and wait for the worst. It is for you for your past, the future, and the future. For Volhynia, OUN UPA, Galicia, Poland, and historical areas.” read a translation of the message. 

Mandiant Threat Intelligence researchers attributed the Ghostwriter disinformation campaign (aka UNC1151) to the government of Belarus in November 2021. FireEye security analysts discovered a misinformation campaign aimed at discrediting NATO in August 2020 by circulating fake news articles on compromised news websites. According to FireEye, the GhostWriter campaign has been running since at least March 2017 and is aligned with Russian security interests. 

GhostWriter, unlike other disinformation campaigns, did not propagate via social media; instead, threat actors behind this campaign employed compromised content management systems (CMS) of news websites or forged email accounts to disseminate bogus news. The attackers were disseminating false content, such as forged news articles, quotations, correspondence, and other documents purporting to be from military authorities and political people in some targeted countries. According to researchers, the campaign particularly targeted people in specific alliance member states such as Lithuania, Latvia, and Poland. 

The phishing messages employed a typical social engineering method to deceive victims into submitting their information in order to prevent having their email accounts permanently suspended. According to Ukraine's State Service of Special Communications and Information Protection (SSSCIP), phishing assaults are also targeting Ukrainian citizens.

Iranian Hackers Employs PowerShell Backdoor to Bypass Security Products

 

Security researchers from Cybereason have discovered that an advanced persistent threat organization with inbounds links to Iran has modified its malware toolset to incorporate a unique PowerShell-based implant named PowerLess Backdoor. 

The Boston-headquartered cybersecurity firm identified a new toolkit used by the Phosphorus group, also known as Charming Kitten and APT35, that installs malicious Microsoft PowerShell code to operate as a remote access backdoor to download further malware payloads.

"The PowerShell code runs in the context of a .NET application, thus not launching 'powershell.exe' which enables it to evade security products," Daniel Frank, a senior malware researcher at Cybereason, explained. "The toolset analyzed includes extremely modular, multi-staged malware that decrypts and deploys additional payloads in several stages for the sake of both stealth and efficacy." 

The hacking group that was first identified in 2017, has employed many attacks in recent years, including ones in which the adversary pretended to be journalists or academicians to trick targets into downloading malware and collecting confidential material. 

Last month, Check Point Research disclosed specifics of an espionage operation that concerned the hacking team abusing the Log4Shell vulnerabilities to install a modular backdoor dubbed CharmPower for follow-on attacks. 

Cybereason discovered that the latest additions to its arsenal form an entirely new toolset that includes the PowerLess Backdoor, which can download and run other modules like a browser info-stealer and a keylogger. Also potentially linked to the same developer of the backdoor are a number of other malware artifacts, counting an audio recorder, an earlier variant of the information stealer, and what the researchers suspect to be an unfinished ransomware variant coded in .NET. 

Additionally, infrastructure overlaps have been noticed between the Phosphorus group and a new ransomware strain named Memento, which initially emerged in November 2021 and took the unusual step of locking files into password-protected archives, then encrypting the password and erasing the original files after their attempts to encrypt the data directly were stopped by endpoint protection. 

"The activity of Phosphorus with regard to ProxyShell took place in about the same time frame as Memento. Iranian threat actors were also reported to be turning to ransomware during that period, which strengthens the hypothesis that Memento is operated by an Iranian threat actor,” Frank added.