Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber-Espionage. Show all posts
Microsoft Outlook security
Advanced persistent threats (APT) Cyber-Espionage Data malware Malware Detection Microsoft Outlook security

Cyber-Espionage Malware FinalDraft Exploits Outlook Drafts for Covert Operations

 

A newly identified malware, FinalDraft, has been leveraging Microsoft Outlook email drafts for command-and-control (C2) communication in targeted cyberattacks against a South American foreign ministry.

Elastic Security Labs uncovered the attacks, which deploy an advanced malware toolset comprising a custom loader named PathLoader, the FinalDraft backdoor, and multiple post-exploitation utilities. By exploiting Outlook drafts instead of sending emails, the malware ensures stealth, allowing threat actors to conduct data exfiltration, proxying, process injection, and lateral movement while minimizing detection risks.

The attack initiates with the deployment of PathLoader—a lightweight executable that runs shellcode, including the FinalDraft malware, retrieved from the attacker's infrastructure. PathLoader incorporates security mechanisms such as API hashing and string encryption to evade static analysis.

Stealth Communication via Outlook Drafts

FinalDraft facilitates data exfiltration and process injection by establishing communication through Microsoft Graph API, transmitting commands via Outlook drafts. The malware retrieves an OAuth token from Microsoft using a refresh token embedded in its configuration and stores it in the Windows Registry for persistent access. By leveraging drafts instead of sending emails, it seamlessly blends into Microsoft 365 network traffic, evading traditional detection mechanisms.

Commands from the attacker appear in drafts labeled r_, while responses are stored as p_. Once executed, draft commands are deleted, making forensic analysis significantly more challenging.

FinalDraft supports 37 commands, enabling sophisticated cyber-espionage activities, including:

  • Data exfiltration: Extracting sensitive files, credentials, and system information.
  • Process injection: Running malicious payloads within legitimate processes such as mspaint.exe.
  • Pass-the-Hash attacks: Stealing authentication credentials to facilitate lateral movement.
  • Network proxying: Establishing covert network tunnels.
  • File operations: Copying, deleting, or modifying files.
  • PowerShell execution: Running PowerShell commands without launching powershell.exe.

Elastic Security Labs also detected a Linux variant of FinalDraft, which utilizes Outlook via REST API and Graph API while supporting multiple C2 communication channels, including HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based exchanges.

The research team attributes the attack to a campaign named REF7707, which primarily targets South American governmental entities. However, infrastructure analysis indicates links to Southeast Asian victims, suggesting a larger-scale operation. The investigation also revealed an additional undocumented malware loader, GuidLoader, designed to decrypt and execute payloads in memory.

Further examination showed repeated attacks on high-value institutions via compromised telecommunications and internet infrastructure in Southeast Asia. Additionally, a Southeast Asian university’s public-facing storage system was found hosting malware payloads, potentially indicating a prior compromise or a foothold in a supply chain attack.

Security teams can utilize YARA rules provided in Elastic’s reports to detect and mitigate threats associated with GuidLoader, PathLoader, and FinalDraft. The findings underscore the increasing sophistication of cyber-espionage tactics and the need for robust cybersecurity defenses.
Read more »
Technology
Cyber-Espionage CyberCrime Cyberhackers CyberThreat PlugX Ransomware Software Technology

Chinese Spies Allegedly Engaged in Ransomware Operations

 


Backed by the Chinese government, a cyber-espionage group has been observed engaging in ransomware-related activities as part of its intelligence activities. Further, this observation demonstrates how nation-state cyber operations and financially motivated cybercrimes have become increasingly convergent as a result of financial incentives. 

In late November 2024, Symantec's research team observed that threat actors infiltrated a medium-sized software and services company in South Asia by exploiting a critical authentication bypass vulnerability (CVE-2024-0012) in Palo Alto Network's security systems to gain access to its databases. Several days after the initial compromise, the attackers obtained administrative credentials from the company's intranet, and this gave them access to the Veeam server. 

Upon discovering the AWS S3 credentials on the server, they discovered that data management tools like Veeam are often using these credentials to facilitate access to cloud storage accounts through the use of cloud storage tools. It is believed that these credentials were used by the attackers to gain access to the company's sensitive data stored in an S3 buckettoo to encrypt its Windows-based systems with RA World ransomware. At first, the attackers demanded a ransom of $2 million but offered a $1 million reduction if the ransom was paid within three days. 

Cybersecurity professionals are becoming increasingly concerned about the increasing intersection between state-sponsored cyberespionage, as well as traditional cybercriminal tactics, which further complicates the task of attribution of threat information and developing defense strategies against it. In addition to a legitimate Toshiba executable, which has been deployed on the victims' computers to facilitate DLL sideloading, the threat actors have also used a legitimate Toshiba executable to implement a DLL sideload. The PlugX backdoor is the result of this technique.

It is heavily obfuscated and contains the backdoor, Korplug. It has been previously reported by Symantec that the custom PlugX backdoor you see here has been associated with Mustang Panda (also known as Earth Preta), a Chinese espionage group that is believed to have been used for economic purposes. However, this specific variant has never been associated with non-Chinese threat actors. 

There are four government ministries involved in Southeast Asian countries from differing nations: the foreign ministry of one country in the region, the government of another Southeastern European country, a telecommunications operator from the region, and two other government ministries involved in different Southeast Asian nations. These intrusions are all related to espionage, all of which are driven by espionage purposes.

A Symantec analysis indicates, however, that the same toolset was employed in a November 2024 extortion attempt targeting a medium-sized software and services company based in South Asia, as well. In this case, the attacker leveraged the Toshiba executable to sideload the malicious DLL, which had the same PlugX variant as used in earlier espionage attacks, to install the malicious DLL. As a result, the victim's systems were infected with the ransomware known as RA World, which marked a shift in cyber-espionage towards financial extortion, as opposed to traditional cyber-espionage.

Several cyber-espionage groups allegedly backed by the Chinese government have been observed participating in ransomware activities, thus emphasizing how nation-state cyber operations and financially motivated cybercrime are becoming increasingly intertwined. In a report released by Symantec in late November 2024, a research team uncovered that threat actors successfully infiltrated a medium-sized software and services company in South Asia by exploiting a critical authentication bypass vulnerability found in Palo Alto Networks' security system (CVE-2024-0012).

Aside from stealing administrative credentials from the company's intranet following the initial compromise, the attackers were able to gain access to the Veeam server via the exfiltration of administrative credentials from the company's intranet. They found AWS S3 credentials on this server that are commonly used to facilitate access to cloud storage accounts by data management tools like Veeam. 

Using these credentials, the attackers were able to access sensitive data stored in S3 buckets of the company's servers before encrypting the Windows-based systems with the RA World ransomware. As a first response, the attackers initially demanded a ransom of $2 million. However, if the ransom was paid within three days, they reduced the amount to $1 million. Cybersecurity professionals are becoming increasingly concerned about the increasing intersection between state-sponsored cyberespionage, as well as traditional cybercriminal tactics, which further complicates the task of attribution of threat information and developing defense strategies against it. 

In the latest RA World ransomware attack, Bronze Starlight (also known as Emperor Dragonfly) has been identified as a possible source of the attack, a Chinese-based threat group previously linked with numerous ransomware attacks, including LockFile, AtomSilo, and NightSky. There was also evidence that the attackers used NPS, a proxy tool developed in China and previously associated with Bronze Starlight, which further strengthened the connection between the attackers and Bronze Starlight. 

A group whose mission is to provide espionage services is typically not involved in financially motivated cybercrime on a large scale. However, the possibility that this group may be involved in ransomware operations raises serious concerns. As one theory suggests, the ransomware deployment may have been an attempt to distract from the true espionage objectives of the operation, to obscure these objectives. Despite this, this theory fails to hold water due to the absence of sophisticated concealment techniques as well as the fact that it targets a non-strategic company. 

Several cybersecurity experts have suggested that the most likely explanation is that either one or more individuals in the group are seeking to profit financially from the espionage tools and infrastructure they already have. The same pattern has also been observed by other threat actor groups, in which members repurpose advanced cyber capabilities for their benefit. Even though cyber threats continue to evolve, some lines continue to blur between state-sponsored cyber operations and financially driven cybercrime.

In the case of the RA World ransomware attack, Bronze Starlight (also known as Emperor Dragonfly) has been linked with the attack, which is an established China-based cyber threat group. In the past, this group was responsible for distributing LockFile, AtomSilo, and NightSky ransomware. Moreover, the ransomware operation was also accompanied by the use of NPS, a proxy tool developed by the Chinese government and previously employed by Bronze Starlight, further suggesting a connection between the ransomware operation and the group. Even though the possibility of Bronze Starlight being associated with RA World ransomware raises several concerns, it is unlikely that espionage-focused threat actors will engage in financially motivated cybercrime. 

Ransomware deployments are thought to serve as diversionary tactics that may hide the underlying espionage objectives that are driving the operation. Despite this, the fact that the espionage tools were obfuscated in a way that is not sophisticated and that the company targeted was not a strategic company casts doubt on this hypothesis. Experts in the field of cyber security propose a more plausible explanation for the attack: an individual or a small faction in the threat group aims to gain financial gain through the use of tools and infrastructure that were originally designed to conduct espionage operations during the attack. 

Observations have been made of the same pattern by other cyber threat groups, where members repurpose their skills and access to advanced cyber capabilities for their benefit. State-sponsored cyber operations have been converged with traditional cybercrime for some time, making it more difficult to attribute and mitigate threats of this kind. The analysis conducted by Symantec suggests that the RA World ransomware attack was likely perpetrated by a single individual, likely due to his or her desire to generate personal financial gain by impersonating their employer's operations to exploit the cyber assets of the company. 

Symantec points out several inconsistencies with the alternative theory that the ransomware deployment was merely a decoy of a broader espionage campaign, stating that it may have been a decoy. There was no strategic significance for the target, no effort was put into concealing the attacker's actions, and evidence was found to be that the attacker was actively negotiating with the victim regarding a ransom payment, indicating there was more to it than just a distraction involving financial gain. 

The Symantec report also points out that Chinese cyber-espionage groups usually work together very closely and share resources, so direct involvement in ransomware attacks is an anomaly. This tactic has been observed by North Korean state-sponsored cyber actors in the past, so strategies within the threat landscape may be evolving in the future.
Read more »
News
Chinese Hackers cyber attack Cyber-Espionage cyberattacks trending news cybersecurity news News

Chinese Hackers Exploit SSH Daemon to Maintain Persistent Access in Cyber-Espionage Operations

 

A sophisticated cyber-espionage campaign attributed to the Chinese hacking group Evasive Panda, also known as DaggerFly, has been uncovered, targeting network appliances through a newly identified attack suite. According to cybersecurity researchers at Fortinet’s FortiGuard Labs, the attackers are leveraging a malicious toolkit named ELF/Sshdinjector.A!tr, injecting malware into the SSH daemon (SSHD) to establish long-term access and execute covert operations. 

Active since at least mid-November 2024, this attack method enables unauthorized control over compromised systems. While the initial entry point remains unclear, once infiltrated, a dropper module determines whether the device is already infected and assesses its privilege level. If running under root permissions, the malware deploys multiple binaries, including libssdh.so, which serves as the primary backdoor responsible for command-and-control (C2) communication and data exfiltration. 

Additional components such as “mainpasteheader” and “selfrecoverheader” are used to maintain persistence. The injected SSH library covertly monitors and executes commands received from a remote C2 server, allowing the attackers to conduct system reconnaissance, steal credentials, manipulate files, and execute arbitrary commands. 

The malware supports fifteen different functions, ranging from collecting system details and listing active processes to reading sensitive user data and gaining remote shell access. It can also upload and download files, delete specific records, rename files, and notify the attacker when the malware is active. 

Despite previous detections of similar threats, FortiGuard’s research is the first to provide a detailed analysis of how ELF/Sshdinjector.A!tr operates. The group behind this attack, Evasive Panda, has been active since 2012 and has previously conducted cyber-espionage campaigns, including supply chain attacks via ISPs in Asia and targeted intelligence collection from U.S. organizations. 

The group was also recently linked to deploying a novel macOS backdoor. Notably, Fortinet researchers leveraged AI-assisted tools to aid in the malware’s reverse engineering process. While challenges such as hallucinations, extrapolation errors, and omissions were encountered, the experiment demonstrated AI’s growing potential in cybersecurity research. 

Fortinet assures that its customers are already protected against this threat through its FortiGuard AntiVirus service, which detects the malware as ELF/Sshdinjector.A!tr and Linux/Agent.ACQ!tr. The company has also provided hashes of identified samples on VirusTotal for further investigation by the security community.
Read more »
UNC2970
Cyber Attacks Cyber-Espionage North Korean Hackers Threat Landscape UNC2970

North Korean Hackers Target Energy and Aerospace Industries in Novel Espionage Campaign

 

As per recent findings from Mandiant, companies operating in the energy and aerospace sectors are being targeted by a cyber-espionage campaign that has connections with North Korea.

The outfit behind the campaign, dubbed UNC2970, is most likely linked to North Korea and shares similarities with another Pyongyang-backed threat actor, TEMP.Hermit. Researchers at the Google-owned cybersecurity firm discovered UNC2970's latest campaign in June 2024 and published their findings on Tuesday. 

The group was initially identified in 2021, and it has since targeted victims in the United States, United Kingdom, the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. 

According to the research, UNC2970 hackers engage with their victims via email and WhatsApp, posing as recruiters for well-known companies. They eventually share a malware archive that claims to have a job description in PDF format.

The PDF file can only be read with a trojanized version of SumatraPDF, an actual open-source document viewer that installs a backdoor called Mistpen via the Burnbook launcher. Researchers revealed that the attackers updated the open-source code of an older version of SumatraPDF for this campaign, but that the SumatraPDF service itself was not compromised. UNC2970 uses real job description text to target victims, including those employed in critical infrastructure sectors in the United States. 

The Mistpen virus is a fork of a legitimate plugin for the Notepad++ open-source text and source code editor. The backdoor has been upgraded over time with new features, including a network connectivity check, which complicates sample analysis, researchers noted. Although Mandiant does not name the specific victims of this attack, researchers believe the hackers are targeting senior or manager-level employees. 

"This suggests the threat actor aims to gain access to sensitive and confidential information typically restricted to higher-level employees,” researchers stated. "The hackers also tailor their malicious messages to better align with the victim's profile."
Read more »
Ukraine
Cyber Attacks Cyber-Espionage Cybercrimes Cybersecurity FSB Microsoft Military Cyber Defense Ukraine

A US Cyber Team's Perspective on US Military Cyber Defense of Ukraine

 


Despite analysts' numerous predictions, Russia could not destroy Ukraine's computer systems in this year's invasion with a massive cyber-attack. This may be because an unknown US military branch hunts down rivals online to enforce their interests. To cover these global missions, the BBC was granted exclusive access to the cyber-operators who carried them out. 

The US military landed in Ukraine in December last year on a recon mission led by a young major who led a small team. There were plans to deploy more troops ahead of this deployment. 

On Thursday, the Ukrainian government's premier counterintelligence and law enforcement agency revealed the real identities of five individuals allegedly involved in cyber-espionage activities attributed to the Gamaredon cyber-espionage group. According to the agency, these members are connected to the Russian Federal Security Service (FSB). 

It has been apparent in recent months that Gamaredon is very active in the threat actor community. When you open Twitter and type in #Gamaredon, you'll find several tweets a week with updated information on the IOC and samples it has created. 

Gamaredon Group is another advanced persistent threat (APT) group targeting the Ukrainian government today. It is also known as Shuckworm, Iron Tilden, Primitive Bear, Winter Flounder, and Accinium. 

A common attack tool is phishing emails with attachments of Microsoft Office documents. These emails can be used to gain access to the victim's system through initial attacks using phishing emails. 

In recent months, there have been reports of Russian troops amassing along the Ukrainian border, raising fears of war breaking out. As much as Russia denies any plans to invade, it demands sweeping security guarantees, including a guarantee that NATO will never admit the Ukrainians to NATO. 

The Ukrainian security services, who believed that the act of terrorism had been committed by officers of the Russian Federal Security Service from Crimea, publicly attributed the act of terrorism to Gamaredon in November. An online comment request was sent to the Russian Embassy in Washington regarding Gameredon; however, there was no immediate response from the Russian Embassy. 

A spokesperson for Ukraine's Security Service (SSU) said in a statement today that the hacker group had been depicted as "an FSB special project that specifically targeted Ukraine," at the same time confirming that many of the perpetrators of the hack were "Crimean FSB officers and traitors who defected to the enemy during the occupation of the peninsula in 2014." 

According to the country's authorities, over 1,500 government entities, public entities, and private enterprises have been targeted by actors in the past seven years in Ukraine. This group aims to gather intelligence, disrupt operations, and take control of critical infrastructure facilities to collect critical data. 

Between 2020 and the present, Malwarebytes has identified five operations that have taken place. They were victims of armed clashes between Russian-aligned individuals and Ukrainian citizens who had taken part in the discredited referendums called for by Moscow on September 2022. These referendums were called for in the Ukrainian territories of Luhansk, Donetsk, Zaporizhzhia, and Kherson. In the Dnepropetrovsk, Lugansk, and Crimea regions, there has been a massive outbreak of infections in state, agricultural, and transportation ministries. 

Ukrainian intelligence agencies track Armageddon, a threat group that launched the attacks, as responsible for the attacks. While it is known by the names Gamaredon, Primitive Bear, Winterflounder, BlueAlpha, Blue Otso, Iron Tilden, and Sector C08 in the cybersecurity community, it operates by many other names as well. 

Several campaigns in eastern Ukraine involved Malwarebyte attackers exfiltrating snapshots, USB flash drives, keyboard strokes, and microphone recordings, depending on the campaign. 

On Wednesday, Anne Neuberger, a White House cyber official, said Russia could destabilize and invade Ukraine using cyberattacks. 

In early 2013, it appeared that Russia had sponsored the Gamaredon Group, which is a misspelled anagram of the word "armageddon" and has been sporadically perpetrating cyberattacks on Ukrainian military, government, and non-profit organizations since then. 

Threat actors leverage legitimate Microsoft® Office documents to inject remote templates into legitimate Microsoft® Office documents. The technique works even when Microsoft® Word security features have been turned on. There is a way to bypass Microsoft Word macro protections, which are designed to prevent attackers from compromising sensitive systems with malware, infecting them with the infection, accessing the data, and then spreading the infection to other systems.
Read more »
Subscribe to: Posts (Atom)