The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.

“While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater’s methods remain constant,” Deep Instinct security researcher Simon Kenin said in a technical report published last week.

MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It’s known to be active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.

Prior findings from Microsoft show that the group has ties with another Iranian threat activity cluster tracked as Storm-1084 (aka DarkBit), with the latter leveraging the access to orchestrate destructive wiper attacks against Israeli entities.

The latest attack campaign, details of which were also previously revealed by Proofpoint last month, commences with spear-phishing emails sent from compromised accounts that contain links or attachments hosted on services like Egnyte to deliver the Atera Agent software.

One of the URLs in question is “kinneretacil.egnyte[.]com,” where the subdomain “kinneretacil” refers to “kinneret.ac.il,” an educational institution in Israel and a customer of Rashim, which, in turn, was breached by Lord Nemesis (aka Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in the country.

Lord Nemesis is suspected of being a “faketivist” operation directed against Israel. It’s also worth noting that Nemesis Kitten is a private contracting company called Najee Technology, a subgroup within Mint Sandstorm that’s backed by Iran’s Islamic Revolutionary Guard Corps (IRGC). The company was sanctioned by the U.S. Treasury in September 2022.

“This is important because if ‘Lord Nemesis’ were able to breach Rashim’s email system, they might have breached the email systems of Rashim’s customers using the admin accounts that now we know they obtained from ‘Rashim,'” Kenin explained.

The web of connections has raised the possibility that MuddyWater may have used the email account associated with Kinneret to distribute the links, thereby giving the messages an illusion of trust and tricking the recipients into clicking them.

“While not conclusive, the timeframe and context of the events indicate a potential hand-off or collaboration between IRGC and MOIS to inflict as much harm as possible on Israeli organizations and individuals,” Kenin further added.

The attacks are also notable for relying on a set of domains and IP addresses collectively dubbed DarkBeatC2 that are responsible for managing the infected endpoints. This is accomplished by means of PowerShell code designed to establish contact with the C2 server upon gaining initial access through other means.

According to independent findings from Palo Alto Networks Unit 42, the threat actor has been observed abusing the Windows Registry’s AutodialDLL function to side-load a malicious DLL and ultimately set up connections with a DarkBeatC2 domain.

The mechanism, in particular, involves establishing persistence through a scheduled task that runs PowerShell to leverage the AutodialDLL registry key and load the DLL for C2 framework. The cybersecurity firm said the technique was put to use in a cyber attack aimed at an unnamed Middle East target.

Other methods adopted by MuddyWater to establish a C2 connection include the use of a first-stage payload delivered via the spear-phishing email and leveraging DLL side-loading to execute a malicious library.

A successful contact allows the infected host to receive PowerShell responses that, for its part, fetches two more PowerShell scripts from the same server.

While one of the scripts is designed to read the contents of a file named “C:\ProgramData\SysInt.log” and transmit them to the C2 server via an HTTP POST request, the second script periodically polls the server to obtain additional payloads and writes the results of the execution to “SysInt.log.” The exact nature of the next-stage payload is currently unknown.

“This framework is similar to the previous C2 frameworks used by MuddyWater,” Kenin said. “PowerShell remains their ‘bread and butter.'”

Curious Serpens Targets Defense Sector with FalseFont Backdoor

The disclosure comes as Unit 42 unpacked the inner workings of a backdoor called FalseFont that’s used by an Iranian threat actor known as Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) in attacks targeting the aerospace and defense sectors.

“The threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor,” security researchers Tom Fakterman, Daniel Frank, and Jerome Tujague said, describing FalseFont as “highly targeted.”

Once installed, it presents a login interface impersonating an aerospace company and captures the credentials as well as the educational and employment history entered by the victim to a threat-actor controlled C2 server in JSON format.

The implant, besides its graphical user interface (GUI) component for user inputs, also stealthily activates a second component in the background that establishes persistence on the system, gathers system metadata, and executes commands and processes sent from the C2 server.

Other features of FalseFont include the ability to download and upload files, steal credentials, capture screenshots, terminate specific processes, run PowerShell commands, and self-update the malware.

Apr 10, 2024NewsroomMobile Security / Spyware

An active Android malware campaign dubbed eXotic Visit has been primarily targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store.

Slovak cybersecurity firm said the activity, ongoing since November 2021, is not linked to any known threat actor or group. It’s tracking the group behind the operation under the name Virtual Invaders.

“Downloaded apps provide legitimate functionality, but also include code from the open-source Android XploitSPY RAT,” ESET security researcher Lukáš Štefanko said in a technical report released today.

The campaign is said to be highly targeted in nature, with the apps available on Google Play having negligible number of installs ranging from zero to 45. The apps have since been taken down.

The fake-but-functional apps primarily masquerade as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Approximately 380 victims are said to have downloaded the apps and created accounts to use them for messaging purposes.

Also employed as part of eXotic Visit are apps such as Sim Info and Telco DB, both of which claim to provide details about SIM owners simply by entering a Pakistan-based phone number. Other applications pass off as a food ordering service in Pakistan as well as a legitimate Indian hospital called Specialist Hospital (now rebranded as Trilife Hospital).

XploitSPY, uploaded to GitHub as early as April 2020 by a user named RaoMK, is associated with an Indian cyber security solutions company called XploitWizer. It has also been described as a fork of another open-source Android trojan called L3MON, which, in turn, draws inspiration from AhMyth.

It comes with a wide gamut of features that allows it to gather sensitive data from infected devices, such as GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content; extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload files; view installed apps; and queue commands.

On top of that, the malicious apps are designed to take pictures and enumerate files in several directories related to screenshots, WhatApp, WhatsApp Business, Telegram, and an unofficial WhatsApp mod known as GBWhatsApp.

“Throughout the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of [command-and-control] addresses, and use of a native library,” Štefanko said.

The main purpose of the native library (“defcome-lib.so”) is to keep the C2 server information encoded and hidden from static analysis tools. If an emulator is detected, the app makes use of a fake C2 server to evade detection.

Some of the apps have been propagated through websites specifically created for this purpose (“chitchat.ngrok[.]io”) that provide a link to an Android package file (“ChitChat.apk”) hosted on GitHub. It’s presently not clear how victims are directed to these apps.

“Distribution started on dedicated websites and then even moved to the official Google Play store,” Štefanko concluded. “The purpose of the campaign is espionage and probably is targeting victims in Pakistan and India.”

Apr 10, 2024NewsroomCyber Crime / Malvertising

Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024.

“Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors,” HP Wolf Security researcher Patrick Schläpfer said in a report shared with The Hacker News.

Raspberry Robin, also called QNAP worm, was first spotted in September 2021 that has since evolved into a downloader for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware.

While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since adopted other methods such as social engineering and malvertising.

It’s attributed to an emerging threat cluster tracked by Microsoft as Storm-0856, which has links to the broader cybercrime ecosystem comprising groups like Evil Corp, Silence, and TA505.

The latest distribution vector entails the use of WSF files that are offered for download via various domains and subdomains.

It’s currently not clear how the attackers are directing victims to these URLs, although it’s suspected that it could be either via spam or malvertising campaigns.

The heavily obfuscated WSF file functions as a downloader to retrieve the main DLL payload from a remote server using the curl command, but not before a series of anti-analysis and anti-virtual machine evaluations are carried out to determine if it’s being run in a virtualized environment.

It’s also designed to terminate the execution if the build number of the Windows operating system is lower than 17063 (which was released in December 2017) and if the list of running processes includes antivirus processes associated with Avast, Avira, Bitdefender, Check Point, ESET, and Kaspersky.

What’s more, it configures Microsoft Defender Antivirus exclusion rules in an effort to sidestep detection by adding the entire main drive to the exclusion list and preventing it from being scanned.

“The scripts itself are currently not classified as malicious by any an-virus scanners on VirusTotal, demonstrating the evasiveness of the malware and the risk of it causing a serious infection with Raspberry Robin,” HP said.

“The WSF downloader is heavily obfuscated and uses many an-analysis techniques enabling the malware to evade detection and slow down analysis.”

Apr 04, 2024NewsroomPhishing Attack / Malware

An updated version of an information-stealing malware called Rhadamanthys is being used in phishing campaigns targeting the oil and gas sector.

“The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident,” Cofense researcher Dylan Duncan said.

The email message comes with a malicious link that leverages an open redirect flaw to take the recipients to a link hosting a supposed PDF document, but, in reality, is an image that, upon clicking, downloads a ZIP archive with the stealer payload.

Written in C++, Rhadamanthys is designed to establish connections with a command-and-control (C2) server in order to harvest sensitive data from the compromised hosts.

“This campaign appeared within days of the law enforcement takedown of the LockBit ransomware group,” Duncan said. “While this could be a coincidence, Trend Micro revealed in August 2023 a Rhadamanthys variant that came bundled with a leaked LockBit payload, alongside a clipper malware and cryptocurrency miner.

“The threat actors added a combination of an information stealer and a LockBit ransomware variant in a single Rhadamanthys bundle, possibly indicating the continued evolution of the malware,” the company noted.

The development comes amid a steady stream of new stealer malware families like Sync-Scheduler and Mighty Stealer, even as existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques.

It also follows the emergence of a malspam campaign targeting Indonesia that employs banking-related lures to propagate the Agent Tesla malware to plunder sensitive information such as login credentials, financial data, and personal documents.

Agent Tesla phishing campaigns observed in November 2023 have also set their sights on Australia and the U.S., according to Check Point, which attributed the operations to two African-origin threat actors tracked as Bignosa (aka Nosakhare Godson and Andrei Ivan) and Gods (aka GODINHO or Kmarshal or Kingsley Fredrick), the latter of whom works as a web designer.

“The main actor [Bignosa] appears to be a part of a group operating malware and phishing campaigns, targeting organizations, which is testified by the US and Australian email business databases, as well as individuals,” the Israeli cybersecurity company said.

The Agent Tesla malware distributed via these attack chains have been found to be secured by the Cassandra Protector, which helps protect software programs against reverse-engineering or modification efforts. The messages are sent via an open-source webmail tool called RoundCube.

“As seen from the description of these threat actors’ actions, no rocket science degree is required to conduct the cyber crime operations behind one of the most prevalent malware families in the last several years,” Check Point said.

“It’s an unfortunate course of events caused by the low-entry level threshold so that anyone willing to provoke victims to launch the malware via spam campaigns can do so.”

Mar 22, 2024NewsroomWeb Security / Vulnerability

A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.

The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week.

The attacks entail injecting rogue JavaScript into legitimate HTML widgets and plugins that allow for arbitrary JavaScript and other code to be inserted, providing attackers with an opportunity to add their malicious code.

The XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately facilitates redirects to a VexTrio-operated traffic distribution system (TDS) but only if certain criteria are met.

What’s more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registered a few days prior to their use in attacks.

“One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc.,” security researcher Ben Martin said. “If the referrer does not match to these major sites, then the malware will not execute.”

Site visitors are then taken to other scam sites by executing another JavaScript from the same server.

The Sign1 campaign, first detected in the second half of 2023, has witnessed several iterations, with the attackers leveraging as many as 15 different domains since July 31, 2023.

It’s suspected that WordPress sites have been taken over by means of a brute-force attack, although adversaries could also leverage security flaws in plugins and themes to obtain access.

“Many of the injections are found inside WordPress custom HTML widgets that the attackers add to compromised websites,” Martin said. “Quite often, the attackers install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin.”

This approach of not placing any malicious code into server files allows the malware to stay undetected for extended periods of time, Sucuri said.

Mar 21, 2024NewsroomNational Security / Data Privacy

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Wednesday announced sanctions against two 46-year-old Russian nationals and the respective companies they own for engaging in cyber influence operations.

Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and current owner of Russia-based Company Group Structura LLC (Structura), have been accused of providing services to the Russian government in connection to a “foreign malign influence campaign.”

The disinformation campaign is tracked by the broader cybersecurity community under the name Doppelganger, which is known to target audiences in Europe and the U.S. using inauthentic news sites and social media accounts.

“SDA and Structura have been identified as key actors of the campaign, responsible for providing [the Government of the Russian Federation] with a variety of services, including the creation of websites designed to impersonate government organizations and legitimate media outlets in Europe,” the Treasury said.

Both Gambashidze and Tupikin have been accused of orchestrating a campaign in the Fall of 2022 that created a network of over 60 sites designed to masquerade as legitimate news websites and fake social media accounts to disseminate the content originating from those spoofed sites.

The department said the fake websites were built with an intent to mimic the appearance of their actual counterparts, with the portals including embedded images and working links to the legitimate sites and even impersonated the cookie consent pages as part of efforts to trick visitors.

Furthermore, a closer examination of the two cryptocurrency wallets listed by OFAC as associated with Gambashidze reveals that they have received more than $200,000 worth of USDT on the TRON network, with a significant chunk originating from the now-sanctioned exchange Garantex, Chainalysis said.

“He then cashed out most of his funds to a single deposit address at a mainstream exchange,” blockchain analytics firm noted. “These transactions highlight Garantex’s continued involvement in the Russian government’s illicit activities.”

Doppelganger, active since at least February 2022, has been described by Meta as the “largest and the most aggressively-persistent Russian-origin operation.”

In December 2023, Recorded Future revealed attempts by the malign network to leverage generative artificial intelligence (AI) to create inauthentic news articles and produce scalable influence content.

SDA and Structura, along with Gambashidze, have also been the subject of sanctions imposed by the Council of the European Union as of July 2023 for conducting a digital information manipulation campaign called Recent Reliable News (RRN) aimed at amplifying propaganda declaring support for Russia’s war against Ukraine.

“This campaign […] relies on fake web pages usurping the identity of national media outlets and government websites, as well as fake accounts on social media,” the Council said at the time. “This coordinated and targeted information manipulation is part of a broader hybrid campaign by Russia against the EU and the member states.”

The development comes as the U.S. House of Representatives unanimously passed a bill (Protecting Americans’ Data from Foreign Adversaries Act, or H.R.7520) that would bar data brokers from selling Americans’ sensitive data to foreign adversaries, counting China, Russia, North Korea, and Iran.

It also arrives a week after Congress passed another bill (Protecting Americans from Foreign Adversary Controlled Applications Act, or H.R.7521) that seeks to force Chinese company ByteDance to divest popular video sharing platform TikTok within six months, or risk facing a ban, due to national security concerns.

A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information.

Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it’s likely associated with the North Korean state-sponsored group tracked as Kimsuky.

“The malware payloads used in the DEEP#GOSU represent a sophisticated, multi-stage threat designed to operate stealthily on Windows systems especially from a network-monitoring standpoint,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical analysis shared with The Hacker News.

“Its capabilities included keylogging, clipboard monitoring, dynamic payload execution, and data exfiltration, and persistence using both RAT software for full remote access, scheduled tasks as well as self-executing PowerShell scripts using jobs.”

A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic.

On top of that, the use of such cloud services to stage the payloads allows for updating the functionality of the malware or delivering additional modules.

The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file (“IMG_20240214_0001.pdf.lnk”).

The .LNK file comes embedded with a PowerShell script as well as a decoy PDF document, with the former also reaching out to an actor-controlled Dropbox infrastructure to retrieve and execute another PowerShell script (“ps.bin”).

The second-stage PowerShell script, for its part, fetches a new file from Dropbox (“r_enc.bin”), a .NET assembly file in binary form that’s actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT) with capabilities to record keystrokes, manage files, and facilitate remote control.

It’s worth noting that Kimsuky has employed TruRat in at least two campaigns uncovered by the AhnLab Security Intelligence Center (ASEC) last year.

Also retrieved by the PowerShell script from Dropbox is a VBScript (“info_sc.txt”), which, in turn, is designed to run arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script (“w568232.ps12x”).

The VBScript is also designed to use Windows Management Instrumentation (WMI) to execute commands on the system, and set up scheduled tasks on the system for persistence.

Another noteworthy aspect of the VBScript is the use of Google Docs to dynamically retrieve configuration data for the Dropbox connection, allowing the threat actor to change the account information without having to alter the script itself.

The PowerShell script downloaded as a result is equipped to gather extensive information about the system and exfiltrate the details via a POST request to Dropbox.

“The purpose of this script appears to be designed to serve as a tool for periodic communication with a command-and-control (C2) server via Dropbox,” the researchers said. “Its main purposes include encrypting and exfiltrating or downloading data.”

In other words, it acts as a backdoor to control the compromised hosts and continuously keep a log of user activity, including keystrokes, clipboard content, and the foreground window.

The development comes as security researcher Ovi Liber detailed North Korea-linked ScarCruft’s embedding of malicious code within Hangul Word Processor (HWP) lure documents present in phishing emails to distribute malware like RokRAT.

“The email contains a HWP Doc which has an embedded OLE object in the form of a BAT script,” Liber said. “Once the user clicks on the OLE object, the BAT script executes which in turn creates a PowerShell-based reflective DLL injection attack on the victims machine.”

It also follows Andariel’s exploitation of a legitimate remote desktop solution called MeshAgent to install malware like AndarLoader and ModeLoader, a JavaScript malware meant for command execution.

“This is the first confirmed use of a MeshAgent by the Andariel group,” ASEC said. “The Andariel Group has been continuously abusing the asset management solutions of domestic companies to distribute malware in the process of lateral movement, starting with Innorix Agent in the past.”

Andariel, also known by the names Nicket Hyatt or Silent Chollima, is a sub-cluster of the notorious Lazarus Group, actively orchestrating attacks for both cyber espionage and financial gain.

The prolific state-sponsored threat actor has since been observed laundering a chunk of the crypto assets stolen from the hack of crypto exchange HTX and its cross-chain bridge (aka HECO Bridge) through Tornado Cash. The breach led to the theft of $112.5 million in cryptocurrency in November 2023.

“Following common crypto-laundering patterns, the stolen tokens were immediately swapped for ETH, using decentralized exchanges,” Elliptic said. “The stolen funds then lay dormant until March 13, 2024, when the stolen crypto assets began to be sent through Tornado Cash.”

The blockchain analytics firm said that Tornado Cash’s continuation of its operations despite sanctions have likely made it an attractive proposition for the Lazarus Group to conceal its transaction trail following the shutdown of Sinbad in November 2023.

“The mixer operates through smart contracts running on decentralized blockchains, so it cannot be seized and shut down in the same way that centralized mixers such as Sinbad.io have been,” it noted.

Mar 12, 2024NewsroomWordPress / Website Security

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code.

According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.

“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.

Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins.

The shortcoming was exploited as part of a Balada Injector campaign earlier this January, compromising no less than 7,000 sites.

The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages.

WordPress site owners are recommended to keep their plugins up-to-date as well as scan their sites for any suspicious code or users, and perform appropriate cleanup.

“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” Srivastava said.

The development comes as WordPress security firm Wordfence disclosed a high-severity bug in another plugin known as Ultimate Member that can be weaponized to inject malicious web scripts.

The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin, including and prior to 2.8.3. It has been patched in version 2.8.4, released on March 6, 2024.

The flaw stems from insufficient input sanitization and output escaping, thereby allowing unauthenticated attackers to inject arbitrary web scripts in pages that will be executed every time a user visits them.

“Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited,” Wordfence said.

It’s worth noting that the plugin maintainers addressed a similar flaw (CVE-2024-1071, CVSS score: 9.8) in version 2.8.3 released on February 19.

It also follows the discovery of an arbitrary file upload vulnerability in the Avada WordPress theme (CVE-2024-1468, CVSS score: 8.8) and possibly executes malicious code remotely. It has been resolved in version 7.11.5.

“This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible,” Wordfence said.

Feb 01, 2024NewsroomCryptojacking / Linux Security

Exposed Docker API endpoints over the internet are under assault from a sophisticated cryptojacking campaign called Commando Cat.

“The campaign deploys a benign container generated using the Commando project,” Cado security researchers Nate Bill and Matt Muir said in a new report published today. “The attacker escapes this container and runs multiple payloads on the Docker host.”

The campaign is believed to have been active since the start of 2024, making it the second such campaign to be discovered in as many months. In mid-January, the cloud security firm also shed light on another activity cluster that targets vulnerable Docker hosts to deploy XMRig cryptocurrency miner as well as the 9Hits Viewer software.

Commando Cat employs Docker as an initial access vector to deliver a collection of interdependent payloads from an actor-controlled server that is responsible for registering persistence, backdooring the host, exfiltrating cloud service provider (CSP) credentials, and launching the miner.

The foothold obtained by breaching susceptible Docker instances is subsequently abused to deploy a harmless container using the Commando open-source tool and execute a malicious command that allows it to escape the confines of the container via the chroot command.

It also runs a series of checks to determine if services named “sys-kernel-debugger,” “gsc,” “c3pool_miner,” and “dockercache” are active on the compromised system, and proceeds to the next stage only if this step passes.

“The purpose of the check for sys-kernel-debugger is unclear – this service is not used anywhere in the malware, nor is it part of Linux,” the researchers said. “It is possible that the service is part of another campaign that the attacker does not want to compete with.”

The succeeding phase entails dropping additional payloads from the command-and-control (C2) server, including a shell script backdoor (user.sh) that’s capable of adding an SSH key to the ~/.ssh/authorized_keys file and creating a rogue user named “games” with an attacker-known password and including it in the /etc/sudoers file.

Also delivered in a similar manner are three more shell scripts – tshd.sh, gsc.sh, aws.sh – which are designed to drop Tiny SHell and an improvised version of netcat called gs-netcat, and exfiltrate credentials

The threat actors “run a command on the cmd.cat/chattr container that retrieves the payload from their own C2 infrastructure,” Muir told The Hacker News, noting this is achieved by using curl or wget and piping the resulting payload directly into the bash command shell.

“Instead of using /tmp, [gsc.sh] also uses /dev/shm instead, which acts as a temporary file store but memory backed instead,” the researchers said. “It is possible that this is an evasion mechanism, as it is much more common for malware to use /tmp.”

“This also results in the artifacts not touching the disk, making forensics somewhat harder. This technique has been used before in BPFdoor – a high profile Linux campaign.”

The attack culminates in the deployment of another payload that’s delivered directly as a Base64-encoded script as opposed to being retrieved from the C2 server, which, in turn, drops the XMRig cryptocurrency miner but not before eliminating competing miner processes from the infected machine.

The exact origins of the threat actor behind Commando Cat are currently unclear, although the shell scripts and the C2 IP address have been observed to overlap with those linked to cryptojacking groups like TeamTNT in the past, raising the possibility that it may be a copycat group.

“The malware functions as a credential stealer, highly stealthy backdoor, and cryptocurrency miner all in one,” the researchers said. “This makes it versatile and able to extract as much value from infected machines as possible.”

Jan 06, 2024NewsroomCyber Espionage / Supply Chain Attack

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle.

“The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group used to collect politically motivated information such as personal information on minority groups and potential political dissents,” Dutch security firm Hunt & Hackett said in a Friday analysis.

“The stolen information is likely to be exploited for surveillance or intelligence gathering on specific groups and or individuals.”

Sea Turtle, also known by the names Cosmic Wolf, Marbled Dust (formerly Silicon), Teal Kurma, and UNC1326, was first documented by Cisco Talos in April 2019, detailing state-sponsored attacks targeting public and private entities in the Middle East and North Africa.

Activities associated with the group are believed to have been ongoing since January 2017, primarily leveraging DNS hijacking to redirect prospective targets attempting to query a specific domain to an actor-controlled server capable of harvesting their credentials.

“The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor’s methodology in targeting various DNS registrars and registries,” Talos said at the time.

In late 2021, Microsoft noted that the adversary carries out intelligence collection to meet strategic Turkish interests from countries like Armenia, Cyprus, Greece, Iraq, and Syria, striking telecom and IT companies with an aim to “establish a foothold upstream of their desired target” via exploitation of known vulnerabilities.

Then last month, the adversary was revealed to be using a simple reverse TCP shell for Linux (and Unix) systems called SnappyTCP in attacks carried out between 2021 and 2023, according to the PricewaterhouseCoopers (PwC) Threat Intelligence team.

“The web shell is a simple reverse TCP shell for Linux/Unix that has basic [command-and-control] capabilities, and is also likely used for establishing persistence,” the company said. “There are at least two main variants; one which uses OpenSSL to create a secure connection over TLS, while the other omits this capability and sends requests in cleartext.”

The latest findings from Hunt & Hackett show that Sea Turtle continues to be a stealthy espionage-focused group, performing defense evasion techniques to fly under the radar and harvest email archives.

In one of the attacks observed in 2023, a compromised-but-legitimate cPanel account was used as an initial access vector to deploy SnappyTCP on the system. It’s currently not known how the attackers obtained the credentials.

“Using SnappyTCP, the threat actor sent commands to the system to create a copy of an email archive created with the tool tar, in the public web directory of the website that was accessible from the internet,” the firm noted.

“It is highly likely that the threat actor exfiltrated the email archive by downloading the file directly from the web directory.”

To mitigate the risks posed by such attacks, it’s advised that organizations enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attempts, monitor SSH traffic, and keep all systems and software up-to-date.