Linked – INDIA NEWS (News Blog, http://www.indiavpn.org)

Malicious NuGet Package Linked to Industrial Espionage Targets Developers
http://www.indiavpn.org/2024/03/26/malicious-nuget-package-linked-to-industrial-espionage-targets-developers/ (Tue, 26 Mar 2024 18:32:09 +0000)

Mar 26, 2024 | Newsroom | Industrial Espionage / Threat Intelligence

Threat hunters have identified a suspicious package in the NuGet package manager that’s likely designed to target developers working with tools made by a Chinese firm that specializes in industrial and digital equipment manufacturing.

The package in question is SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. It has been downloaded 2,999 times as of writing.

The software supply chain security firm said it did not find any other package that exhibited similar behavior.

It, however, theorized the campaign could likely be used for orchestrating industrial espionage on systems equipped with cameras, machine vision, and robotic arms.

The indication that SqzrFramework480 is seemingly tied to a Chinese firm named Bozhon Precision Industry Technology Co., Ltd. comes from the use of a version of the company’s logo for the package’s icon. It was uploaded by a NuGet user account called “zhaoyushun1999.”

Present within the library is a DLL file, “SqzrFramework480.dll,” that comes with features to take screenshots, ping a remote IP address every 30 seconds until the operation succeeds, and transmit the screenshots over a socket created and connected to said IP address.

“None of those behaviors are resolutely malicious. However, when taken together, they raise alarms,” security researcher Petar Kirhmajer said. “The ping serves as a heartbeat check to see if the exfiltration server is alive.”

The malicious use of sockets for data communication and exfiltration has been observed in the wild previously, as in the case of the npm package nodejs_net_server.

The exact motive behind the package is unclear as yet, although it’s a known fact that adversaries are steadily resorting to concealing nefarious code in seemingly benign software to compromise victims.

An alternate, innocuous explanation could be that the package was leaked by a developer or a third party that works with the company.

“They may also explain seemingly malicious continuous screen capture behavior: it could simply be a way for a developer to stream images from the camera on the main monitor to a worker station,” Kirhmajer said.

The ambiguity surrounding the package aside, the findings underscore the complicated nature of supply chain threats, making it imperative that users scrutinize libraries prior to downloading them.

“Open-source repositories like NuGet are increasingly hosting suspicious and malicious packages designed to attract developers and trick them into downloading and incorporating malicious libraries and other modules into their development pipelines,” Kirhmajer said.

New Backdoor Targeting European Officials Linked to Indian Diplomatic Events
http://www.indiavpn.org/2024/02/29/new-backdoor-targeting-european-officials-linked-to-indian-diplomatic-events/ (Thu, 29 Feb 2024 09:20:46 +0000)

Feb 29, 2024 | Newsroom | Cyber Espionage / Malware

A previously undocumented threat actor dubbed SPIKEDWINE has been observed targeting officials in European countries with Indian diplomatic missions using a new backdoor called WINELOADER.

The adversary, according to a report from Zscaler ThreatLabz, used a PDF file in emails that purported to come from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024.

The PDF document was uploaded to VirusTotal from Latvia on January 30, 2024. That said, there is evidence to suggest that this campaign may have been active at least since July 6, 2023, going by the discovery of another similar PDF file uploaded from the same country.

“The attack is characterized by its very low volume and the advanced tactics, techniques, and procedures (TTPs) employed in the malware and command-and-control (C2) infrastructure,” security researchers Sudeep Singh and Roy Tay said.

Central to the novel attack is the PDF file that comes embedded with a malicious link that masquerades as a questionnaire, urging the recipients to fill it out in order to participate. Clicking on the link paves the way for an HTML application (“wine.hta”) that contains obfuscated JavaScript code to retrieve an encoded ZIP archive bearing WINELOADER from the same domain.

The malware is packed with a core module that’s designed to execute modules from the C2 server, inject itself into another dynamic-link library (DLL), and update the sleep interval between beacon requests.

A notable aspect of the cyber incursions is the use of compromised websites for C2 and hosting intermediate payloads. It’s suspected that the “C2 server only responds to specific types of requests at certain times,” thereby making the attacks more evasive.

“The threat actor put additional effort into remaining undetected by evading memory forensics and automated URL scanning solutions,” the researchers said.

Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion Crypto Money Laundering
http://www.indiavpn.org/2024/02/05/belarusian-national-linked-to-btc-e-faces-25-years-for-4-billion-crypto-money-laundering/ (Mon, 05 Feb 2024 17:03:50 +0000)

Feb 05, 2024 | Newsroom | Cryptocurrency / Financial Fraud

A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business.

Aliaksandr Klimenka, who was arrested in Latvia on December 21, 2023, was extradited to the U.S. If convicted, he faces a maximum penalty of 25 years in prison.

BTC-e, which had been operating since 2011, was seized by law enforcement authorities in late July 2017 following the arrest of another key member, Alexander Vinnik, in Greece.

The exchange is alleged to have received deposits valued at over $4 billion, with Vinnik laundering funds received from the hack of another digital exchange, Mt. Gox, through various online exchanges, including BTC-e.

Court documents allege that the exchange was a “significant cybercrime and online money laundering entity,” allowing its users to trade in bitcoin with high levels of anonymity, thereby building a customer base that engaged in criminal activity.

This included hacking incidents, ransomware scams, identity theft schemes, and narcotics distribution rings.

“BTC-e’s servers, maintained in the United States, were allegedly one of the primary ways in which BTC-e and its operators effectuated their scheme,” the U.S. Department of Justice (DoJ) said.

These servers were leased to and maintained by Klimenka and Soft-FX, a technology services company controlled by the defendant.

BTC-e has also been accused of failing to establish an anti-money laundering process or know-your-customer (KYC) verification in accordance with U.S. federal laws.

In June 2023, two Russian nationals – Alexey Bilyuchenko and Aleksandr Verner – were charged for their roles in masterminding the 2014 digital heist of Mt. Gox.

News of Klimenka’s indictment comes as the DoJ charged Noah Michael Urban, 19, of Palm Coast, Florida, with wire fraud and aggravated identity theft for offenses that led to the theft of $800,000 from at least five different victims between August 2022 and March 2023.

Urban, who went by the aliases Sosa, Elijah, King Bob, Anthony Ramirez, and Gustavo Fring, is said to be a key member of the cybercrime group known as Scattered Spider, according to KrebsOnSecurity, as well as a “top member” of a broader cybercrime ecosystem that calls itself The Com.

It also follows the Justice Department’s announcement of charges against three individuals, Robert Powell, Carter Rohn, and Emily Hernandez, in relation to a SIM swapping attack aimed at crypto exchange FTX to steal more than $400 million at the time of its collapse in 2022.

Powell (aka R, R$, and ElSwapo1), Rohn (aka Carti and Punslayer), and Hernandez (aka Em) are accused of running a massive cybercriminal theft ring dubbed the Powell SIM Swapping Crew that orchestrated SIM swapping attacks between March 2021 and April 2023 and stole hundreds of millions of dollars from victims’ accounts.

Blockchain analytics firm Elliptic said in October 2023 that the plundered assets had been laundered through cross-chain crime in collaboration with Russia-nexus intermediaries in an attempt to obscure the trail.

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach
http://www.indiavpn.org/2024/01/25/tech-giant-hp-enterprise-hacked-by-russian-hackers-linked-to-dnc-breach/ (Thu, 25 Jan 2024 07:01:06 +0000)

Jan 25, 2024 | Newsroom | Cyber Attack / Data Breach

Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise’s (HPE) cloud email environment to exfiltrate mailbox data.

“The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company said in a regulatory filing with the U.S. Securities and Exchange Commission (SEC).

The intrusion has been attributed to the Russian state-sponsored group known as APT29, which is also tracked under the monikers BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

The disclosure arrives days after Microsoft implicated the same threat actor in the breach of its corporate systems in late November 2023 to steal emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.

HPE said it was notified of the incident on December 12, 2023, meaning that the threat actors persisted within its network undetected for more than six months.

It also noted that the attack is likely connected to a prior security event, also attributed to APT29, which involved unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023. It was alerted to that malicious activity in June 2023.

HPE, however, emphasized that the incident has not had any material impact on its operations to date. The company did not disclose the scale of the attack and the exact email information that was accessed.

APT29, assessed to be part of Russia’s Foreign Intelligence Service (SVR), has been behind some high-profile hacks in recent years, including the 2016 attack on the Democratic National Committee and the 2020 SolarWinds supply chain compromise.
