
This Hacker Outfit has Targeted Thousands of Companies Across the Globe


ESET's cybersecurity researchers have recently uncovered a relatively new hacker outfit that has had great success targeting organisations all around the world. 

The researchers are still unsure of the ultimate goal of the group, which goes by the name Asylum Ambuscade. BleepingComputer reports that over the past three years it has been active all over the world, but primarily in the West.

It makes use of many different tools, such as the Sunseed malware, Akhbot, and Nodebot, which enable the group to carry out a wide range of malicious operations: capturing screenshots, stealing passwords saved in popular web browsers, deploying Cobalt Strike loaders, running a keylogger, and more. In short, the group's capabilities span everything from espionage to cybercrime.

They have a wide range of targets, including small and medium-sized businesses (SMB), government officials and organisations, bank customers, cryptocurrency speculators, and traders. 

Modus operandi 

An attack typically begins with a phishing email that carries a malicious script, which downloads the Sunseed malware. Depending on the compromised endpoint, the group then selects which additional payloads to deliver.

The researchers also found that in certain cases the group bought Google Ads that led users to websites hosting malicious JavaScript code.
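The initial-access step described above (a phishing email carrying a script attachment) is the point where a mail gateway can intervene. The following is an added example, written for this post and not code from ESET or from the group; it assumes only that the lure arrives as a script-type attachment, and the extension lists, sender addresses and sample message are constructed for illustration.

```python
"""Triage helper: flag script attachments in inbound mail.

Added example for this post (not ESET's code). The sample message
and the extension lists below are constructed assumptions.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Extensions a gateway commonly treats as executable script content
# (assumed list, not taken from the ESET report).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
                     ".ps1", ".lnk", ".bat", ".cmd"}
# Containers that frequently wrap such scripts to evade simple filters.
ARCHIVE_EXTENSIONS = {".zip", ".iso", ".img", ".7z", ".rar"}


def classify_attachment(filename: str) -> Optional[str]:
    """Return a finding label for a suspicious attachment name, else None."""
    name = filename.lower().strip()
    if "." not in name:
        return None
    stem, ext = name.rsplit(".", 1)
    ext = "." + ext
    if ext in SCRIPT_EXTENSIONS:
        # "invoice.pdf.js" disguises a script as a document.
        if "." in stem:
            return f"script with double extension: {filename}"
        return f"script attachment: {filename}"
    if ext in ARCHIVE_EXTENSIONS:
        return f"archive attachment (inspect contents): {filename}"
    return None


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide deliver vs. quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        label = classify_attachment(part.get_filename() or "")
        if label:
            findings.append(label)
    return {
        "subject": str(msg["subject"]),
        "from": str(msg["from"]),
        "findings": findings,
        "verdict": "quarantine" if findings else "deliver",
    }


def build_sample() -> bytes:
    """Construct a sample phishing-style message (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please review the attached invoice.")
    # Harmless placeholder bytes standing in for a script attachment.
    msg.add_attachment(b"WScript.Echo('constructed sample');",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.js")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample()))
```

The check is deliberately name-based so it can run at the gateway before any content is executed; in practice it would be one signal among several (sender reputation, attachment detonation), and archives are flagged for inspection rather than blocked outright.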

The operation also appears to be very successful. Researchers at ESET began monitoring the gang's activity in January of last year and have since identified almost 4,500 victims, which works out to the group targeting 265 businesses and organisations each month.

The group's intentions remain the biggest mystery. Because the group has access to a wide variety of tools suited to all kinds of cybercrime, and its victim list is so diverse, the researchers cannot pin down precisely what it is trying to achieve. One explanation is that the group simply sells information and access to other threat actors, which would account for its scattershot approach.

Webworm Hackers Deploy Modified RATs in Espionage Assaults to Target Government Entities


A Chinese hacking group tracked under the moniker Webworm has been linked to multiple Windows-based remote-access Trojans, some of which are believed to still be in the experimentation phase.

Threat analysts from Symantec, part of Broadcom Software, said "the group has developed customized versions of three older remote access trojans (RATs), including Trochilus RAT, Gh0st RAT, and 9002 RAT."

The researchers stated that at least one of the indicators of compromise (IOCs) was employed in a cyber assault against an IT service vendor operating in several Asian nations.

It is worth noting that all three backdoors are mainly associated with Chinese groups such as Stone Panda (APT10), Aurora Panda (APT17), Emissary Panda (APT27), and Judgement Panda (APT31), among others, although they have also been used by other hacking groups.

Symantec said the Webworm group employs multiple methodologies that overlap with those of other threat actors reported and analyzed this year. In May, Positive Technologies tracked the same group as Space Pirates striking entities in the Russian aerospace industry with novel malware.

The group is also associated with other Chinese actors tracked as Wicked Panda and Mustang Panda, who likewise rely on post-exploitation modular RATs and other malware such as ShadowPad.

The Webworm hacking group has been operating since 2017 and has a track record of targeting government organizations involved in IT services, aerospace, and electric power industries located in Russia, Georgia, Mongolia, and multiple other Asian countries. 

A campaign involves the use of dropper malware that harbors a loader built to deploy modified versions of the Trochilus, Gh0st, and 9002 remote access trojans. Most of the modifications are intended to evade detection tools.

"Webworm's use of customized versions of older, and in some cases open-source, malware, as well as code, overlaps with the group known as Space Pirates, suggest that they may be the same threat group," the researchers added. 

"However, the common use of these types of tools and the exchange of tools between groups in this region can obscure the traces of distinct threat groups, which is likely one of the reasons why this approach is adopted, another being cost, as developing sophisticated malware can be expensive in terms of both money and time."