Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Google TAG. Show all posts

ColdRiver APT: Google TAG Warns Against Russian APT Group is Using a Custom Backdoor


Google has warned that a Russia-linked threat actor named ‘COLDRIVER’ which is expanding its targets has also been developing custom malware. 

ColdRiver APT

The ColdRiver APT (aka “Seaborgium“, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage outfit that has been targeting government officials, military personnel, journalists and think tanks since at least 2015.

The threat actor has previously engaged in ongoing phishing and credential theft efforts that resulted in intrusions and data theft. Although specialists have noticed efforts targeting the Baltics, Nordics, and Eastern Europe regions, including Ukraine, the APT predominantly targets NATO member states.

Google TAG researchers have warned against COLDRIVER, claiming that it is enhancing its tactics techniques and procedures (TTPs), in order to evade detection. 

TAG has recently seen COLDRIVER use phishing efforts to spread bespoke malware using PDFs as lure materials. Google experts discovered and stopped these attempts by adding all known domains and hashes to Safe Browsing blocklists.

In November 2022, TAG observed that COLDRIVER was sending its targets malicious PDF documents from their fraudulent accounts. Threat actors asked for the recipient's feedback on fresh opinion pieces or other kinds of publications that they were hoping to publish using the lure materials. The victims see an encrypted text when they view the PDF.

In case the targets fail to read the content, following which they contact the threat actors, they receive a link from the cyberspies to a decryption tool located on the threat actors' website. After downloading and running the tool, a backdoor—tracking as SPICA—is installed and a bogus document appears. 

“Once executed, SPICA decodes an embedded PDF, writes it to disk, and opens it as a decoy for the user. In the background, it establishes persistence and starts the main C2 loop, waiting for commands to execute,” reads TAG’s analysis. 

Spica is a Rust backdoor that uses JSON over websockets for C2. Spica supports multiple capabilities, such as: 

  • Executing arbitrary shell commands. 
  • Stealing cookies from Chrome, Firefox, Opera and Edge. 
  • Uploading and downloading files. 
  • Perusing the filesystem by listing the contents of it. 
  • Enumerating documents and exfiltrating them in an archive 
  • There is also a command called “telegram,” however the functionality of this command is unclear.

An obfuscated PowerShell command that generates a scheduled activity called CalendarChecker is how the infection stays persistent.

The Russian APT has reportedly been using SPICA since at least November 2022, while the researchers have only observed its use since early September 2023.

Google TAG Alerts on Rising Heliconia Exploit Framework for RCE

 

The Threat Analysis Group (TAG) at Google has discovered Heliconia, a cyberattack framework designed to exploit zero-day and n-day security flaws in Chrome, Firefox, and Microsoft Defender. It is likely linked to Variston IT, a gray-market spyware broker, demonstrating how this shadowy sector is thriving. The Heliconia threat is made up of three modules:
  • Heliconia Noise for compromising the Chrome browser, escaping the sandbox, and installing malware;
  • Heliconia Soft, a Web framework that deploys a PDF containing a Windows Defender exploit for CVE-2021-42298 that allows privilege escalation to SYSTEM and remote code execution (RCE);
  • And the Heliconia Files package which contains a fully documented Firefox exploit chain for Windows and Linux, including CVE-2022-26485 for RCE.
The threat was discovered after TAG received an anonymous submission to the Chrome bug reporting program. Further investigation revealed that the Heliconia framework's source code includes a script that refers to Variston IT, a Barcelona-based company that claims to provide "custom security solutions."

Commercial spyware is frequently sold by organizations claiming to be legitimate businesses for "law enforcement use." According to a TAG posting on Wednesday, mounting evidence shows that too often, these brokers don't vet their clients, "putting advanced surveillance capabilities in the hands of governments who use them to spy on journalists, human rights activists, political opposition, and dissidents.

Researchers noted that Variston IT is firmly in the middle of this rapidly expanding market, which has seen sanctioning by the US and others against organizations such as the infamous NSO Group, creators of the Pegasus spyware.

Hyperscraper: A New Tool that Iranian Hackers Use for Stealing E-mails


State Sponsored Threat 

Charming Kitten, a state-sponsored Iranian hacking group is using a new tool to download emails from targeted Yahoo, Microsoft Outlook, and Gmail accounts. 

The utility is called Hyperscraper and like many hackers' operations and tools, it is in no way sophisticated. But its lack of sophistication is balanced by effectiveness, letting the threat actors hack a target's e-mail inbox without leaving any traces of the intrusion. 

Simple but effective email scraper

In a recent technical report, experts from Google's TAG (Threat Analyst Group), shared information about Hyperscraper's capabilities and said that it is under active development. 

Google TAG links the tool to Charming Kitten, a threat group based in Iran that is also called APT35 and Phosphorus, and said the earliest samples were found from 2020. 

The researchers discovered Hyperscraper in December 2021 and analysed it using a Gmail test account. Hyperscraper isn't a hacking tool but an instrument that lets threat actors steal email data and store it on their devices after getting into the victim's email account. 

How does Hyperscraper work?

Getting the login credentials for the victim's inbox is done in an earlier stage of the attack, generally by stealing them. 

Hyperscraper has an embedded browser and fools the user agent to imitate an outdated web browser, it provides a basic HTML view of the Gmail account's details. 

Google TAG says that once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. 

Google TAG Experts' Analysis 

When the extraction is completed, Hyperscraper changes the language settings to English and moves through the contents of the email inbox, downloading messages individually as .eml files extension and marking them unread. 

Google TAG experts said earlier variants of Charming Kitten's utility could get data from 'Google Take-out,' a feature that lets users shift data from their Google account for making a backup or using it with a third-party service. 

While running, Hyperscraper works via the C2 (Command and Control) server, waiting for a 'go' sign to start the exfiltration process. 

How does threat actor use Hyperscraper?

The operator can change the tool with important parameters (identifier string, operation mode, path to valid cookie file) via command-line arguments or using a minimal user interface. 

If the path to the cookie file isn't given over the command line, the operator has the option to drag and drop it into a new form. After the cookie has been parsed successfully and embedded in the local cache of the web browser, 

Victims have been notified 

Hyperscraper makes a 'Download' folder where it throws the contents of the target inbox. The victims of Charming Kitten who were attacked with Hyperscraper have been informed about the government-backed attacks. 

"Users that received such a warning are encouraged to bolster their defenses against more sophisticated attackers by enrolling in Google’s Advanced Protection Program (AAP) and by activating the Enhanced Safe Browsing feature, both provided an added security layer to existing protection mechanisms," said Bleeping Computers.