China-linked Hackers Deploy New ‘UNAPIMON’ Malware for Stealthy Operations

Apr 02, 2024 | Newsroom | Cyber Espionage / Threat Intelligence


A threat activity cluster tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar.

“Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities,” Trend Micro security researcher Christopher So said in a report published today.

“It has been observed to target organizations from various sectors across different countries.”

The cybersecurity firm has described Earth Freybug as a subset within APT41, a China-linked cyber espionage group that’s also tracked as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti.


The adversarial collective is known to rely on a combination of living-off-the-land binaries (LOLBins) and custom malware to realize its goals. Also adopted are techniques like dynamic-link library (DLL) hijacking and application programming interface (API) unhooking.

Trend Micro said the activity shares tactical overlaps with a cluster previously disclosed by cybersecurity company Cybereason under the name Operation Cuckoobees, which refers to an intellectual property theft campaign targeting technology and manufacturing companies located in East Asia, Western Europe, and North America.

The starting point of the attack chain is the use of a legitimate executable associated with VMware Tools (“vmtoolsd.exe”) to create a scheduled task using “schtasks.exe” and deploy a file named “cc.bat” on the remote machine.

It’s currently not known how the malicious code came to be injected in vmtoolsd.exe, although it’s suspected that it may have involved the exploitation of external-facing servers.


The batch script is designed to amass system information and launch a second scheduled task on the infected host, which, in turn, executes another batch file with the same name (“cc.bat”) to ultimately run the UNAPIMON malware.

“The second cc.bat is notable for leveraging a service that loads a non-existent library to side-load a malicious DLL,” So explained. “In this case, the service is SessionEnv.”

This paves the way for the execution of TSMSISrv.DLL that’s responsible for dropping another DLL file (i.e., UNAPIMON) and injecting that same DLL into cmd.exe. Simultaneously, the DLL file is also injected into SessionEnv for defense evasion.

On top of that, the Windows command interpreter is designed to execute commands coming from another machine, essentially turning it into a backdoor.


A simple C++-based malware, UNAPIMON is equipped to prevent child processes from being monitored by leveraging an open-source Microsoft library called Detours to unhook critical API functions, thereby evading detection in sandbox environments that implement API monitoring through hooking.

The cybersecurity company characterized the malware as original, calling out the author’s “coding prowess and creativity” as well as their use of an off-the-shelf library to carry out malicious actions.

“Earth Freybug has been around for quite some time, and their methods have been seen to evolve through time,” Trend Micro said.

“This attack also demonstrates that even simple techniques can be used effectively when applied correctly. Implementing these techniques to an existing attack pattern makes the attack more difficult to discover.”

China-Linked Group Breaches Networks via Connectwise, F5 Software Flaws

Mar 22, 2024 | Newsroom | Cyber Defense / Vulnerability


A China-linked threat cluster leveraged security flaws in Connectwise ScreenConnect and F5 BIG-IP software to deliver custom malware capable of delivering additional backdoors on compromised Linux hosts as part of an “aggressive” campaign.

Google-owned Mandiant is tracking the activity under its uncategorized moniker UNC5174 (aka Uteus or Uetus), describing it as a “former member of Chinese hacktivist collectives that has since shown indications of acting as a contractor for China’s Ministry of State Security (MSS) focused on executing access operations.”

The threat actor is believed to have orchestrated widespread attacks against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charities and non-governmental organizations (NGOs), and U.S. and U.K. government organizations between October and November 2023, and again in February 2024 using the ScreenConnect bug.


Initial access to target environments is facilitated by the exploitation of known security flaws in Atlassian Confluence (CVE-2023-22518), ConnectWise ScreenConnect (CVE-2024-1709), F5 BIG-IP (CVE-2023-46747), Linux Kernel (CVE-2022-0185), and Zyxel (CVE-2022-3052).

A successful foothold is followed by extensive reconnaissance and scanning of internet-facing systems for security vulnerabilities, with UNC5174 also creating administrative user accounts to execute malicious actions with elevated privileges, including dropping a C-based ELF downloader dubbed SNOWLIGHT.

SNOWLIGHT is designed to download the next-stage payload, an obfuscated Golang backdoor named GOREVERSE, from a remote URL that’s related to SUPERSHELL, an open-source command-and-control (C2) framework that allows attackers to establish a reverse SSH tunnel and launch interactive shell sessions to execute arbitrary code.

Also put to use by the threat actor is a Golang-based tunneling tool known as GOHEAVY, which is likely employed to facilitate lateral movement within compromised networks, as well as other programs like afrog, DirBuster, Metasploit, Sliver, and sqlmap.


In one unusual instance spotted by the threat intelligence firm, the threat actors have been found to apply mitigations for CVE-2023-46747 in a likely attempt to prevent other unrelated adversaries from weaponizing the same loophole to obtain access.

“UNC5174 (aka Uteus) was previously a member of Chinese hacktivist collectives ‘Dawn Calvary’ and has collaborated with ‘Genesis Day’/‘Xiaoqiying’ and ‘Teng Snake,’” Mandiant assessed. “This individual appears to have departed these groups in mid-2023 and has since focused on executing access operations with the intention of brokering access to compromised environments.”

There is evidence to suggest that the threat actor may be an initial access broker, even claiming to be affiliated with the MSS in dark web forums. This is bolstered by the fact some of the U.S. defense and U.K. government entities were simultaneously targeted by another access broker referred to as UNC302.


The findings once again underscore Chinese nation-state groups’ continued efforts to breach edge appliances by swiftly co-opting recently disclosed vulnerabilities into their arsenal in order to conduct cyber espionage operations at scale.

“UNC5174 has been observed attempting to sell access to U.S. defense contractor appliances, U.K. government entities, and institutions in Asia in late 2023 following CVE-2023-46747 exploitation,” Mandiant researchers said.

“There are similarities between UNC5174 and UNC302, which suggests they operate within an MSS initial access broker landscape. These similarities suggest possible shared exploits and operational priorities between these threat actors, although further investigation is required for definitive attribution.”

The disclosure comes as the MSS warned that an unnamed foreign hacking group had infiltrated “hundreds” of Chinese business and government organizations by leveraging phishing emails and known security bugs to breach networks. It did not reveal the threat actor’s name or origin.

U.S. Feds Shut Down China-Linked “KV-Botnet” Targeting SOHO Routers

Feb 01, 2024 | Newsroom


The U.S. government on Wednesday said it took steps to neutralize a botnet comprising hundreds of U.S.-based small office and home office (SOHO) routers hijacked by a China-linked state-sponsored threat actor called Volt Typhoon and blunt the impact posed by the hacking campaign.

The existence of the botnet, dubbed KV-botnet, was first disclosed by the Black Lotus Labs team at Lumen Technologies in mid-December 2023. The law enforcement effort was reported by Reuters earlier this week.

“The vast majority of routers that comprised the KV-botnet were Cisco and NetGear routers that were vulnerable because they had reached ‘end of life’ status; that is, they were no longer supported through their manufacturer’s security patches or other software updates,” the Department of Justice (DoJ) said in a press statement.

Volt Typhoon (aka DEV-0391, Bronze Silhouette, or Vanguard Panda) is the moniker assigned to a China-based adversarial collective that has been attributed to cyber attacks targeting critical infrastructure sectors in the U.S. and Guam.

“Chinese cyber actors, including a group known as ‘Volt Typhoon,’ are burrowing deep into our critical infrastructure to be ready to launch destructive cyber attacks in the event of a major crisis or conflict with the United States,” CISA Director Jen Easterly noted.

The cyber espionage group, believed to be active since 2021, is known for its reliance on legitimate tools and living-off-the-land (LotL) techniques to fly under the radar and persist within victim environments for extended periods of time to gather sensitive information.


Another important aspect of its modus operandi is that it tries to blend into normal network activity by routing traffic through compromised SOHO network equipment, including routers, firewalls, and VPN hardware, in an attempt to obfuscate their origins.

This is accomplished by means of the KV-botnet, which commandeers devices from Cisco, DrayTek, Fortinet, and NETGEAR for use as a covert data transfer network for advanced persistent threat actors. It’s suspected that the botnet operators offer their services to other hacking outfits, including Volt Typhoon.

In January 2024, a report from SecurityScorecard revealed how the botnet had compromised as much as 30% (325 of 1,116) of end-of-life Cisco RV320/325 routers over a 37-day period from December 1, 2023, to January 7, 2024.

“Volt Typhoon is at least one user of the KV-botnet and […] this botnet encompasses a subset of their operational infrastructure,” Lumen Black Lotus Labs said, adding the botnet “has been active since at least February 2022.”

The botnet is also designed to download a virtual private network (VPN) module to the vulnerable routers and set up a direct encrypted communication channel to control the botnet and use it as an intermediary relay node to achieve their operational goals.

“One function of the KV-botnet is to transmit encrypted traffic between the infected SOHO routers, allowing the hackers to anonymize their activities (i.e., the hackers appear to be operating from the SOHO routers, versus their actual computers in China),” according to affidavits filed by the U.S. Federal Bureau of Investigation (FBI).

As part of its efforts to disrupt the botnet, the agency said it remotely issued commands to target routers in the U.S. using the malware’s communication protocols to delete the KV-botnet payload and prevent them from being re-infected. The FBI said it also notified every victim about the operation, either directly or via their internet service provider if contact information was not available.

“The court-authorized operation deleted the KV-botnet malware from the routers and took additional steps to sever their connection to the botnet, such as blocking communications with other devices used to control the botnet,” the DoJ added.

It’s important to point out here that the unspecified prevention measures employed to remove the routers from the botnet are temporary and cannot survive a reboot. In other words, simply restarting the devices would render them susceptible to re-infection.

“The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors – steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous,” FBI Director Christopher Wray said.


However, the Chinese government, in a statement shared with Reuters, denied any involvement in the attacks, dismissing the allegations as a “disinformation campaign” and stating that it “has been categorical in opposing hacking attacks and the abuse of information technology.”

Coinciding with the takedown, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published new guidance urging SOHO device manufacturers to embrace a secure by design approach during development and shift the burden away from customers.

Specifically, it’s recommending that manufacturers eliminate exploitable defects in SOHO router web management interfaces and modify default device configurations to support automatic update capabilities and require a manual override to remove security settings.

The compromise of edge devices such as routers for use in advanced persistent attacks mounted by Russia and China highlights a growing problem that’s compounded by the fact that legacy devices no longer receive security patches and do not support endpoint detection and response (EDR) solutions.

“The creation of products that lack appropriate security controls is unacceptable given the current threat environment,” CISA said. “This case exemplifies how a lack of secure by design practices can lead to real-world harm both to customers and, in this case, our nation’s critical infrastructure.”

China-Linked Hackers Target Myanmar’s Top Ministries with Backdoor Blitz

Jan 30, 2024 | Newsroom | Malware / Cyber Espionage


The China-based threat actor known as Mustang Panda is suspected to have targeted Myanmar’s Ministry of Defence and Foreign Affairs as part of twin campaigns designed to deploy backdoors and remote access trojans.

The findings come from CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts in connection with the attacks were uploaded to the VirusTotal platform.

“The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs),” CSIRT-CTI said.

Mustang Panda, active since at least 2012, is also recognized by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, and TEMP.Hex.


In recent months, the adversary has been attributed to attacks targeting an unnamed Southeast Asian government as well as the Philippines to deliver backdoors capable of harvesting sensitive information.

The November 2023 infection sequence starts with a phishing email bearing a booby-trapped ZIP archive attachment containing a legitimate executable (“Analysis of the third meeting of NDSC.exe”) that is signed by B&R Industrial Automation GmbH, together with a DLL file (“BrMod104.dll”).

The attack takes advantage of the fact that the binary is susceptible to DLL search order hijacking to side-load the rogue DLL and subsequently establish persistence and contact with a command-and-control (C2) server and retrieve a known backdoor called PUBLOAD, which, in turn, acts as a custom loader to drop the PlugX implant.


“The threat actors attempt to disguise the [C2] traffic as Microsoft update traffic by adding the ‘Host: www.asia.microsoft.com’ and ‘User-Agent: Windows-Update-Agent’ headers,” CSIRT-CTI noted, mirroring a May 2023 campaign disclosed by Lab52.
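As an added illustration (not code from the article or from CSIRT-CTI), the following Python sketch shows how a defender might surface the header disguise described above in proxy logs: requests that claim to be Windows Update traffic are flagged when their destination address is not in an allowlist of known update endpoints. The log lines and the allowlisted network are constructed sample data, not real Microsoft ranges.

```python
"""Flag HTTP requests whose headers imitate Windows Update traffic but whose
destination is not a known update endpoint (constructed example)."""
import ipaddress

# Constructed placeholder for the networks an organisation treats as
# legitimate Windows Update destinations. A real deployment would populate
# this from Microsoft's published endpoint list; 198.51.100.0/24 is a
# documentation range used here only as sample data.
KNOWN_UPDATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed proxy log lines:
# timestamp client_ip dest_ip method host_header user_agent
SAMPLE_LOG = [
    "2024-01-16T09:01:02Z 10.0.0.15 198.51.100.7 GET www.asia.microsoft.com Windows-Update-Agent",
    "2024-01-16T09:02:10Z 10.0.0.15 203.0.113.44 POST www.asia.microsoft.com Windows-Update-Agent",
    "2024-01-16T09:03:44Z 10.0.0.22 203.0.113.44 GET example.org Mozilla/5.0",
]


def parse_line(line: str) -> dict:
    """Split one space-separated proxy log line into named fields."""
    ts, client, dest, method, host, ua = line.split(" ", 5)
    return {"ts": ts, "client": client, "dest": dest,
            "method": method, "host": host, "ua": ua}


def is_spoofed_update(rec: dict) -> bool:
    """True when the request wears the Windows Update headers the article
    describes but is sent to an address outside the update allowlist.
    The Host header is attacker-controlled; the destination IP is not."""
    looks_like_update = (rec["host"].endswith("microsoft.com")
                         and rec["ua"] == "Windows-Update-Agent")
    if not looks_like_update:
        return False
    dest = ipaddress.ip_address(rec["dest"])
    return not any(dest in net for net in KNOWN_UPDATE_NETS)


def find_spoofed(lines) -> list:
    """Return the parsed records that should be escalated for review."""
    return [rec for rec in map(parse_line, lines) if is_spoofed_update(rec)]


if __name__ == "__main__":
    for hit in find_spoofed(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['dest']} "
              f"Host={hit['host']} UA={hit['ua']}")
```

The same mismatch check applies to TLS: a Server Name Indication value that does not agree with the destination address is the equivalent signal for encrypted traffic.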

On the other hand, the second campaign observed earlier this month employs an optical disc image (“ASEAN Notes.iso”) containing LNK shortcuts to trigger a multi-stage process that uses another bespoke loader called TONESHELL to likely deploy PlugX from a now-inaccessible C2 server.


It’s worth noting that a similar attack chain attributed to Mustang Panda was previously unearthed by EclecticIQ in February 2023 in intrusions aimed at government and public sector organizations across Asia and Europe.

“Following the rebel attacks in northern Myanmar [in October 2023], China has expressed concern regarding its effect on trade routes and security around the Myanmar-China border,” CSIRT-CTI said.

“Stately Taurus operations are known to align with geopolitical interests of the Chinese government, including multiple cyberespionage operations against Myanmar in the past.”
