A suspected Vietnamese-origin threat actor has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to harvest valuable data since at least May 2023.

Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia, and Vietnam.

“This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts,” security researchers Chetan Raghuprasad and Joey Chen said. “They use RotBot, a customized variant of Quasar RAT, and XClient stealer as payloads.”

Other commodity malware used by the group comprises a combination of remote access trojans and information stealers such as AsyncRAT, NetSupport RAT, and Rhadamanthys.

The targeting of business and advertisement accounts has been of particular focus for attackers operating out of Vietnam, with various stealer malware families like Ducktail, NodeStealer, and VietCredCare deployed to take control of the accounts for further monetization.

The modus operandi entails the use of Telegram to exfiltrate the stolen information from victim machines, which is then traded in underground markets to generate illicit revenues.

“CoralRaider operators are based in Vietnam, based on the actor messages in their Telegram C2 bot channels and language preference in naming their bots, PDB strings, and other Vietnamese words hard-coded in their payload binaries,” the researchers said.

Attack chains start with a Windows shortcut file (LNK), although there is currently no clear explanation as to how these files are distributed to the targets.

Should the LNK file be opened, an HTML application (HTA) file is downloaded and executed from an attacker-controlled download server, which, in turn, runs an embedded Visual Basic script.

The script, for its part, decrypts and sequentially executes three other PowerShell scripts that are responsible for performing anti-VM and anti-analysis checks, circumventing Windows User Access Control (UAC), disabling Windows and application notifications, and downloading and running RotBot.

RotBot is configured to contact a Telegram bot and retrieve the XClient stealer malware and execute it in memory, ultimately facilitating the theft of cookies, credentials, and financial information from web browsers like Brave, Cốc Cốc, Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera; Discord and Telegram data; and screenshots.

XClient is also engineered to siphon data from victims’ Facebook, Instagram, TikTok and YouTube accounts, gathering details about the payment methods and permissions associated with their Facebook business and ads accounts.

“RotBot is a variant of the Quasar RAT client that the threat actor has customized and compiled for this campaign,” the researchers said. “[XClient] has extensive information-stealing capability through its plugin module and various modules for performing remote administrative tasks.”

The development comes as Bitdefender disclosed details of a malvertising campaign on Facebook that’s taking advantage of the buzz surrounding generative AI tools to push an assortment of information stealers like Rilide, Vidar, IceRAT, and a new entrant known as Nova Stealer.

The starting point of the attack is the threat actor taking over an existing Facebook account and modifying its appearance to mimic well-known AI tools from Google, OpenAI, and Midjourney, and expanding their reach by running sponsored ads on the platform.

One is imposter page masquerading as Midjourney had 1.2 million followers before it was taken down on March 8, 2023. The threat actors managing the page were mainly from Vietnam, the U.S., Indonesia, the U.K., and Australia, among others.

“The malvertising campaigns have tremendous reach through Meta’s sponsored ad system and have actively been targeting European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere,” the Romanian cybersecurity company said.

Mar 18, 2024NewsroomCyber Warfare / Malware

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 leverage the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

The climax of APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.

Feb 21, 2024NewsroomMalware / Cyber Espionage

The China-linked threat actor known as Mustang Panda has targeted various Asian countries using a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

“The piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter,” Trend Micro researchers Sunny Lu and Pierre Lee said in a new technical write-up.

Targets of DOPLUGS have been primarily located in Taiwan, and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia, and even China.

PlugX is a staple tool of Mustang Panda, which is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416, and TEMP.Hex. It’s known to be active since at least 2012, although it first came to light in 2017.

The threat actor’s tradecraft entails carrying out well-forged spear-phishing campaigns that are designed to deploy custom malware. It also has a track record of deploying its own customized PlugX variants such as RedDelta, Thor, Hodur, and DOPLUGS (distributed via a campaign named SmugX) since 2018.

Compromise chains leverage a set of distinct tactics, using phishing messages as a conduit to deliver a first-stage payload that, while displaying a decoy document to the recipient, covertly unpacks a legitimate, signed executable that’s vulnerable to DLL side-loading in order to side-load a dynamic-link library (DLL), which, in turn, decrypts and executes PlugX.

The PlugX malware subsequently retrieves Poison Ivy remote access trojan (RAT) or Cobalt Strike Beacon to establish a connection with a Mustang Panda-controlled server.

In December 2023, Lab52 uncovered a Mustang Panda campaign targeting Taiwanese political, diplomatic, and governmental entities with DOPLUGS, but with a notable difference.

“The malicious DLL is written in the Nim programming language,” Lab52 said. “This new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions that use the Windows Cryptsp.dll library.”

DOPLUGS, first documented by Secureworks in September 2022, is a downloader with four backdoor commands, one of which is orchestrated to download the general type of the PlugX malware.

Trend Micro said it also identified DOPLUGS samples integrated with a module known as KillSomeOne, a plugin that’s responsible for malware distribution, information collection, and document theft via USB drives.

This variant comes fitted with an extra launcher component that executes the legitimate executable to perform DLL-sideloading, in addition to supporting functionality to run commands and download the next-stage malware from an actor-controlled server.

It’s worth noting that a customized PlugX variant, including the KillSomeOne module designed for spreading via USB, was uncovered as early as January 2020 by Avira as part of attacks directed against Hong Kong and Vietnam.

“This shows that Earth Preta has been refining its tools for some time now, constantly adding new functionalities and features,” the researchers said. “The group remains highly active, particularly in Europe and Asia.”