Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Cyberespionage Operation. Show all posts

APT41: Cyberespionage Group Targets Asian Materials Industry


The Chinese-sponsored APT41 cyberespionage group, also known as Blackfly, Barium Bronze Atlas, Double Dragon, Wicked Panda, and Wicked Spider has emerged as one of the most active threat groups since at least 2007. 

The cyber-threat group has recently been targeting two subsidiaries of a major Asian conglomerate, which apparently specializes in materials and composites. The attack follows right after another distinct campaign against the Asian material sector. 

The APT attack was seen utilizing the Winnkit backdoor, Mimikatz, and several tools for credential dumping, screen capture, process hollowing, SQL querying, memory dumping (ForkPlayground), and proxy configuration. 

In one of the instances, Symantec discovered a material research organization in Asia that was being targeted by a previously unidentified threat group named ‘Clasiopa,’ which does not seem to be linked to the APTs. 

It is believed that Clasiopa acquired access to the targeted organization by brute forcing public facing servers and using a variety of post-exploitation tools like Atharvan remote access trojan (RAT), which is a modified version of the Lilith RAT, the Thumbsender hacking tool, and a custom proxy tool. The threat actor, according to Symantec, utilized the backdoors to compile lists of files and exfiltrate them, deleted logs, set a scheduled task to list file names, and verified the IP addresses of the compromised machines in an effort to disable endpoint protections. 

Moreover, it appears that Clasiopa used authorised software from Agile and Domino throughout the attack, but it is still unclear whether the attackers actually deployed the tools or simply abused the existing installations. Apparently Atharvan backdoor is able to download arbitrary files from the server, execute files, and configure communications through the C&C server, all based on the commands received from its operators. 

Adding to this, the Atharvan RAT can terminate or restart programs, send remote commands and PowerShell scripts, as well as terminate and uninstall itself. Further analysis on Atharvan revealed a Hindi mutex and a password, suggesting that Clasiopa could be based in India, although Symantec says that these could be some of the false flags planted by the threat group to muddle with the investigation.  

Windows, Linux and macOS Users Hit by Chinese Iron Tiger

China-sponsored cyberhackers group Iron Tiger (aka LuckyMouse) has been exposed using the compromised servers of a chat application called MiMi to execute malware to Windows, Linux, and macOS systems. The primary targets of Iron Tiger in this campaign were located in Taiwan and the Philippines. 

Cybersecurity organizations Trend Micro and SEKOIA published a detailed report stating that the Iron Tiger organized a new cyberespionage campaign by the Iron Tiger, also known as Emissary Panda, Cycldek, Bronze Union, Goblin Panda Conimes, LuckyMouse, APT27, and Threat Group 3390 (TG-3390). This group has been active since at least 2010, victimizing hundreds of organizations worldwide for cyberespionage purposes. 

Additionally, the group has a history of working around targeted servers in pursuit of its political and military intelligence-collection objectives aligned with China. Trend Micro has identified one of the victims of this attack  a Taiwan-based gaming development firm that along with thirteen other entities was targeted. 

The advanced persistent threat (APT) group used the compromised servers of MiMi, a messaging application available on different platforms with its installer files compromised to download and install HyperBro samples for the Windows operating system and rshell artifacts for Windows, Android, macOS, and iOS. The desktop version of MiMi has been built using the cross-platform framework ElectronJS. 

“Iron Tiger compromised the server hosting the legitimate installers for this chat application for a supply chain attack,” says Trend Micro. 

Trend Micro has uncovered various rshell samples, including some targeting Linux. Prior samples were uploaded in June 2021. Further Sekoia wrote in its blog post that the campaign has all elements of a supply chain attack since the hackers control the host servers of the app.

“We noticed that a chat application named MiMi retrieved the rshell executable, an app we came across recently while investigating threat actor Earth Berberoka. We noticed Iron Tiger controlling the servers hosting the app installers of MiMi, suggesting a supply chain attack.” the trend microblog post read.

Every Tenth Stalking and Espionage Attack in the World is Directed at Android Users from Russia

 

According to analysts at ESET (an international developer of antivirus software headquartered in Slovakia), commercial developers who openly offer spyware to control spouses or children are gaining popularity. 

"ESET global telemetry data for the period from September to December 2021 shows an increase in spyware activity by more than 20%. At the same time, every tenth stalking and espionage attack in the world is directed at Android users from Russia," the company's press service reported. 

ESET threat researcher Lukas Stefanko reported that unwanted stalking software, according to him, in most cases is distributed by attackers through clones of legal applications downloaded from unofficial stores. 

Alexander Dvoryansky, Director of Special Projects at Angara Security, confirms that Android spyware is very common and continues to gain popularity. According to him, it is advantageous for attackers to develop malicious software for this operating system because of its widespread use. Android smartphones accounted for 84.5% of total device sales in 2021. 

According to Lucas Stefanko, it is not uncommon for stalker software to be installed on smartphones to track them in case they are stolen or lost. Despite Google's ban on advertising stalker apps, there are apps available on Google Play that are positioned as private detective or parental control tools. In 2018, the Supreme Court allowed the acquisition and use of spy equipment to ensure their own security, so the demand for software promoted as "monitoring one's mobile devices" has increased. But many install it covertly on the phones of relatives or employees for espionage. 

If the program is installed on the phone openly and with the consent of a person, then there will be nothing illegal in tracking geolocation, as well as obtaining other information, says lawyer KA Pen & Paper by Alexander Kharin. However, secretly installing a spyware program on a phone can result in a penalty of up to two years in prison, and for a developer, the term can be up to four years. But so far, criminal cases on the fact of stalking are rarely initiated. 

Earlier, CySecurity News reported that the exact location of any Russian on the black market can be found for about 130 dollars.

Cyber-Surveillance Operation Resumed by Iran After a Long Break

 

Iran, one of the resourceful countries in Western Asia in terms of weapons and cyber intelligence has resumed its cyberespionage operation after a two-year downtime. Cybersecurity firms SafeBreach and Check Point directed joint research to discover an Iran-linked cyberespionage operation which has resumed with the latest second-stage malware and with an updated version of the Infy malware.

Espionage, destructive attacks, and social media manipulation- three major weapons of Iranian cyber capabilities, and the evidence suggest that Iran started the cyberespionage operation way back in 2007. For the first time, in 2016 the details regarding this operation were disclosed, Foudre a type of malware was used in these operations, and by 2018 it was updated eight times.

In the fast half of 2020, the operation was resumed with the latest versions of Foudre (versions20-22) and with new documents that were designed to tempt the victims and to execute the malicious code when closed. Following the execution of malicious code Foudre links to the command and control (C&C) server and fetches a new part of the malware, called Tonnerre.

According to the cybersecurity experts, Tonnerre is designed to expand the capabilities of Foudre but it is released as a different component. Foudre may only be deployed when the situation is out of control and it poses as legitimate software that can steal files from corrupt machines, can execute commands received from the C&C server, record sound and capture the screenshots.

Domain Generating Algorithms (DGA) are used by Tonnerre to link to the C&C which then stores data about the target, steal files, download updates and get an additional C&C. Both HTTP and FTP are used by Tonnerre to communicate with the C&C server. During the investigation, SafeBreach and Check Point spotted two dozen victims, most located in Sweden (6), the Netherlands (4), Turkey (3), and the United States (3). While, Romania, India, Russia, Iraq, the United Kingdom, Germany, Canada, and Azerbaijan had one victim each.

Last week, Check Point reported that the Iranian government has targeted more than 1,200 citizens in extensive cyber-surveillance operations. A blog post containing details on both Foudre and Tonnerre read, “it seems that following a long downtime, the Iranian cyber attackers were able to regroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities”.