Mar 28, 2024NewsroomCyber Espionage / Malware

The Police of Finland (aka Poliisi) has formally accused a Chinese nation-state actor tracked as APT31 for orchestrating a cyber attack targeting the country’s Parliament in 2020.

The intrusion, per the authorities, is said to have occurred between fall 2020 and early 2021. The agency described the ongoing criminal probe as both demanding and time-consuming, involving extensive analysis of a “complex criminal infrastructure.”

The breach was first disclosed in December 2020, with the Finnish Security and Intelligence Service (Supo) describing it as a state-backed cyber espionage operation designed to penetrate the Parliament’s information systems.

“The police have previously informed that they are investigating the hacking group APT31’s connections with the incident,” Poliisi said. “These connections have now been confirmed by the investigation, and the police have also identified one suspect.”

APT31, also called Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), is a Chinese state-backed group that has been active since at least 2010.

Earlier this week, the U.K. and the U.S. blamed the adversarial collective for engaging in a widespread cyber espionage campaign targeting businesses, government officials, dissidents, and politicians.

Seven operatives associated with the group have been charged in the U.S. for their involvement in the hacking spree. Two of them – Ni Gaobin and Zhao Guangzong – have been sanctioned by the two nations, alongside a company named Wuhan XRZ, which allegedly served as a cover for orchestrating cyber attacks against critical infrastructure.

“Guangzong is a Chinese national who has conducted numerous malicious cyber operations against U.S. victims as a contractor for Wuhan XRZ,” the U.S. Treasury said. “Ni Gaobin assisted Zhao Guangzong in many of his most high profile malicious cyber activities while Zhao Guangzong was a contractor at Wuhan XRZ.”

In July 2021, the U.S. and its allies implicated APT31 in a widespread campaign exploiting zero-day security flaws in Microsoft Exchange servers with the goal of likely “acquiring personally identifiable information and intellectual property.”

China, however, has hit back against the accusations that it’s behind the hacking campaign targeting the West. It has accused the Five Eyes (FVEY) alliance of spreading “disinformation about the threats posed by the so-called ‘Chinese hackers.'”

“We urge the U.S. and the U.K. to stop politicizing cybersecurity issues, stop smearing China and imposing unilateral sanctions on China, and stop cyberattacks against China,” China’s Foreign Ministry Spokesperson Lin Jian said. “China will take necessary measures to firmly safeguard its lawful rights and interests.”

Two China-linked advanced persistent threat (APT) groups have been observed targeting entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN) as part of a cyber espionage campaign over the past three months.

This includes the threat actor known as Mustang Panda, which has been recently linked to cyber attacks against Myanmar as well as other Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

Mustang Panda, also called Camaro Dragon, Earth Preta, and Stately Taurus, is believed to have targeted entities in Myanmar, the Philippines, Japan and Singapore, targeting them with phishing emails designed to deliver two malware packages.

“Threat actors created malware for these packages on March 4-5, 2024, coinciding with the ASEAN-Australia Special Summit (March 4-6, 2024),” Palo Alto Networks Unit 42 said in a report shared with The Hacker News.

One of the malware package is a ZIP file that contains within it an executable (“Talking_Points_for_China.exe”), that when launched, loads a DLL file (“KeyScramblerIE.dll”) and ultimately deploys a known Mustang Panda malware called PUBLOAD, a downloader previously employed to drop PlugX.

It’s worth pointing out here that the binary is a renamed copy of a legitimate software called KeyScrambler.exe that’s susceptible to DLL side-loading.

The second package, on the other hand, is a screensaver executable (“Note PSO.scr”) that’s used to retrieve next-stage malicious code from a remote IP address, including a benign program signed by a video game company renamed as WindowsUpdate.exe and a rogue DLL that’s launched using the same technique as before.

“This malware then attempts to establish a connection to www[.]openservername[.]com at 146.70.149[.]36 for command-and-control (C2),” the researchers said.

Unit 42 said it also detected network traffic between an ASEAN-affiliated entity and the C2 infrastructure of a second Chinese APT group, suggesting a breach of the victim’s environment. This unnamed threat activity cluster has been attributed to similar attacks targeting Cambodia.

“These types of campaigns continue to demonstrate how organizations are targeted for cyber espionage purposes, where nation-state affiliated threat groups collect intelligence of geopolitical interests within the region,” the researchers said.

Earth Krahang Emerges in Wild

The findings arrive a week after Trend Micro shed light on a new Chinese threat actor known as Earth Krahang that has targeted 116 entities spanning 35 countries by leveraging spear-phishing and flaws in public-facing Openfire and Oracle servers to deliver bespoke malware such as PlugX, ShadowPad, ReShell, and DinodasRAT (aka XDealer).

The earliest attacks date back to early 2022, with the adversary leveraging a combination of methods to scan for sensitive data.

Earth Krahang, which has a strong focus in Southeast Asia, also exhibits some level of overlap with another China-nexus threat actor tracked as Earth Lusca (aka RedHotel). Both the intrusion sets are likely managed by the same threat actor and connected to a Chinese government contractor called I-Soon.

“One of the threat actor’s favorite tactics involves using its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts,” the company said.

“Earth Krahang also uses other tactics, such as building VPN servers on compromised public-facing servers to establish access into the private network of victims and performing brute-force attacks to obtain email credentials. These credentials are then used to exfiltrate victim emails.”

The I-Soon Leaks and the Shadowy Hack-for-hire Scene

Last month, a set of leaked documents from I-Soon (aka Anxun) on GitHub revealed how the company sells a wide array of stealers and remote access trojans like ShadowPad and Winnti (aka TreadStone) to multiple Chinese government entities. This also encompasses an integrated operations platform that’s designed to carry out offensive cyber campaigns and an undocumented Linux implant codenamed Hector.

“The integrated operations platform encompasses both internal and external applications and networks,” Bishop Fox said. “The internal application is mainly for mission and resource management. The external application is designed to carry out cyber operations.”

The obscure hack-for-hire entity has also been implicated in the 2019 POISON CARP campaign aimed at Tibetan groups and the 2022 hack of Comm100, in addition to attacks targeting foreign governments and domestic ethnic minorities to gain valuable information, some of which are carried out independently on their own in hopes of landing a government customer.

“The data leak has provided rare insight into how the Chinese government outsources parts of its cyber operations to private third-party companies, and how these companies work with one another to fulfill these demands,” ReliaQuest noted.

Cybersecurity firm Recorded Future, in its own analysis, said the leak unravels the “operational and organizational ties” between the company and three different Chinese state-sponsored cyber groups such as RedAlpha (aka Deepcliff), RedHotel, and POISON CARP.

“It provides supporting evidence regarding the long-suspected presence of ‘digital quartermasters‘ that provide capabilities to multiple Chinese state-sponsored groups.”

It also said the overlaps suggest the presence of multiple sub-teams focused on particular missions within the same company. I-Soon’s victimology footprint spreads to at least 22 countries, with government, telecommunications, and education representing the most targeted sectors.

Furthermore, the publicized documents confirm that Tianfu Cup – China’s own take on the Pwn2Own hacking contest – acts as a “vulnerability feeder system” for the government, allowing it to stockpile zero-day exploits and devise exploit code.

“When the Tianfu Cup submissions aren’t already full exploit chains, the Ministry of Public Security disseminates the proof of concept vulnerabilities to private firms to further exploit these proof-of-concept capabilities,” Margin Research said.

“China’s vulnerability disclosure requirement is one part of the puzzle of how China stockpiles and weaponizes vulnerabilities, setting in stone the surreptitious collection offered by Tianfu Cup in previous years.”

The source of the leak is currently not known, although two employees of I-Soon told The Associated Press that an investigation is ongoing in collaboration with law enforcement. The company’s website has since gone offline.

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” SentinelOne’s Dakota Cary and Aleksandar Milenkoski said. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

The U.S. Department of Justice (DoJ) on Monday unsealed indictments against seven Chinese nationals for their involvement in a hacking group that targeted U.S. and foreign critics, journalists, businesses, and political officials for about 14 years.

The defendants include Ni Gaobin (倪高彬), Weng Ming (翁明), Cheng Feng (程锋), Peng Yaowen (彭耀文), Sun Xiaohui (孙小辉), Xiong Wang (熊旺), and Zhao Guangzong (赵光宗).

The suspected cyber spies have been charged with conspiracy to commit computer intrusions and conspiracy to commit wire fraud in connection with a state-sponsored threat group tracked as APT31, which is also known as Altaire, Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium). The hacking collective has been active since at least 2010.

Specifically, their responsibilities entail testing and exploiting the malware used to conduct the intrusions, managing the attack infrastructure, and conducting surveillance of specific U.S. entities, federal prosecutors noted, adding the campaigns are designed to advance China’s economic espionage and foreign intelligence objectives.

Both Gaobin and Guangzong are alleged to be linked to Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ), a front company that’s believed to have conducted several malicious cyber operations for the Ministry of State Security (MSS).

Intrusion Truth, in a report published in May 2023, characterized Wuhan XRZ as a “sketchy-looking company in Wuhan looking for vulnerability-miners and foreign language experts.”

As well as announcing a reward of up to $10 million for information that could lead to identification or whereabouts of people associated with APT31, the U.K. and the U.S. have also levied sanctions against the Gaobin, Guangzong, and Wuhan XRZ for endangering national security and for targeting parliamentarians across the world.

“These allegations pull back the curtain on China’s vast illegal hacking operation that targeted sensitive data from U.S. elected and government officials, journalists and academics; valuable information from American companies; and political dissidents in America and abroad,” stated U.S. Attorney Breon Peace.

“Their sinister scheme victimized thousands of people and entities across the world, and lasted for well over a decade.”

The sprawling hacking operation involved the defendants and other members of APT31 sending more than 10,000 emails to targets of interest that came with hidden tracking links that exfiltrated the victims’ location, internet protocol (IP) addresses, network schematics, and the devices used to access the email accounts simply upon opening the messages.

This information subsequently enabled the threat actors to conduct more targeted attacks tailored to specific individuals, including by compromising the recipients’ home routers and other electronic devices.

The threat actors are also said to have leveraged zero-day exploits to maintain persistent access to victim computer networks, resulting in the confirmed and potential theft of telephone call records, cloud storage accounts, personal emails, economic plans, intellectual property, and trade secrets associated with U.S. businesses.

Other spear-phishing campaigns orchestrated by APT31 have further been found to target U.S. government officials working in the White House, at the Departments of Justice, Commerce, Treasury and State, and U.S. Senators, Representatives, and election campaign staff of both political parties.

The attacks were facilitated by means of custom malware such as RAWDOOR, Trochilus, EvilOSX, DropDoor/DropCat, and others that established secure connections with adversary-controlled servers to receive and execute commands on the victim machines. Also put to use was a cracked version of Cobalt Strike Beacon to conduct post-exploitation activities.

Some of the prominent sectors targeted by the group are defense, information technology, telecommunications, manufacturing and trade, finance, consulting, and legal and research industries. APT31 also singled out dissidents around the world and others who were perceived to be supporting them.

“APT31 is a collection of Chinese state-sponsored intelligence officers, contract hackers, and support staff that conduct malicious cyber operations on behalf of the Hubei State Security Department (HSSD),” the Treasury said.

“In 2010, the HSSD established Wuhan XRZ as a front company to carry out cyber operations. This malicious cyber activity resulted in the surveillance of U.S. and foreign politicians, foreign policy experts, academics, journalists, and pro-democracy activists, as well as persons and companies operating in areas of national importance.”

“Chinese state-sponsored cyber espionage is not a new threat and the DoJ’s unsealed indictment today showcases the full gambit of their cyber operations in order to advance the People’s Republic of China (PRC) agenda. While this is not a new threat, the scope of the espionage and the tactics deployed are concerning,” Alex Rose, director of government partnerships at Secureworks Counter Threat Unit, said.

“The Chinese have evolved their typical MO in the last couple of years to evade detection and make it harder to attribute specific cyber-attacks to them. This is part of a broader strategic effort that China is able to execute on. The skills, resources and tactics at the disposal of the PRC make them an ongoing high and persistent threat to governments, businesses, and organizations around the world.”

The charges come after the U.K. government pointed fingers at APT31 for “malicious cyber campaigns” aimed at the country’s Electoral Commission and politicians. The breach of the Electoral Commission led to the unauthorized access of voter data belonging to 40 million people.

The incident was disclosed by the regulator in August 2023, although there is evidence that the threat actors accessed the systems two years prior to it.

China, however, has rejected the accusations, describing them as “completely fabricated” and amounting to “malicious slanders.” A spokesperson for the Chinese embassy in Washington D.C. told the BBC News the countries have “made groundless accusations.”

“The origin-tracing of cyberattacks is highly complex and sensitive. When investigating and determining the nature of cyber cases, one needs to have adequate and objective evidence, instead of smearing other countries when facts do not exist, still less politicize cybersecurity issues,” Foreign Ministry Spokesperson Lin Jian said.

“We hope relevant parties will stop spreading disinformation, take a responsible attitude and jointly safeguard peace and security in the cyberspace. China opposes illegal and unilateral sanctions and will firmly safeguard its lawful rights and interests.”

Mar 15, 2024NewsroomMalvertising / Threat Intelligence

Chinese users looking for legitimate software such as Notepad++ and VNote on search engines like Baidu are being targeted with malicious ads and bogus links to distribute trojanized versions of the software and ultimately deploy Geacon, a Golang-based implementation of Cobalt Strike.

“The malicious site found in the notepad++ search is distributed through an advertisement block,” Kaspersky researcher Sergey Puzan said.

“Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐.”

The website, named vnote.fuwenkeji[.]cn, contains download links to Windows, Linux, and macOS versions of the software, with the link to the Windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).

The Linux and macOS versions, on the other hand, lead to malicious installation packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.

In a similar fashion, the fake look-alike websites for VNote (“vnote[.]info” and “vnotepad[.]com”) lead to the same set of myqcloud[.]com links, in this case, also pointing to a Windows installer hosted on the domain. That said, the links to the potentially malicious versions of VNote are no longer active.

An analysis of the modified Notepad– installers reveals that they are designed to retrieve a next-stage payload from a remote server, a backdoor that exhibits similarities with Geacon.

It’s capable of creating SSH connections, performing file operations, enumerating processes, accessing clipboard content, executing files, uploading and downloading files, taking screenshots, and even entering into sleep mode. Command-and-control (C2) is facilitated by means of HTTPS protocol.

The development comes as malvertising campaigns have also acted as a conduit for other malware such as FakeBat (aka EugenLoader) malware with the help of MSIX installer files masquerading as Microsoft OneNote, Notion, and Trello.

Mar 07, 2024NewsroomCyber Espionage / Software Security

The China-linked threat actor known as Evasive Panda orchestrated both watering hole and supply chain attacks targeting Tibetan users at least since September 2023.

The end of the attacks is to deliver malicious downloaders for Windows and macOS that deploy a known backdoor called MgBot and a previously undocumented Windows implant known as Nightdoor.

The findings come from ESET, which said the attackers compromised at least three websites to carry out watering-hole attacks as well as a supply-chain compromise of a Tibetan software company. The operation was discovered in January 2024.

Evasive Panda, active since 2012 and also known as Bronze Highland and Daggerfly, was previously disclosed by the Slovak cybersecurity firm in April 2023 as having targeted an international non-governmental organization (NGO) in Mainland China with MgBot.

Another report from Broadcom-owned Symantec around the same time implicated the adversary to a cyber espionage campaign aimed at infiltrating telecom services providers in Africa at least since November 2022.

The latest set of cyber assaults entails the strategic web compromise of the Kagyu International Monlam Trust’s website (“www.kagyumonlam[.]org”).

“The attackers placed a script in the website that verifies the IP address of the potential victim and if it is within one of the targeted ranges of addresses, shows a fake error page to entice the user to download a ‘fix’ named certificate,” ESET researchers said.

“This file is a malicious downloader that deploys the next stage in the compromise chain.” The IP address checks show that the attack is specifically designed to target users in India, Taiwan, Hong Kong, Australia, and the U.S.

It’s suspected that Evasive Panda capitalized on the annual Kagyu Monlam Festival that took place in India in late January and February 2024 to target the Tibetan community in several countries and territories.

The executable – named “certificate.exe” on Windows and “certificate.pkg” for macOS – serves as a launchpad for loading the Nightdoor implant, which, subsequently, abuses the Google Drive API for command-and-control (C2).

In addition, the campaign is notable for infiltrating an Indian software company’s website (“monlamit[.]com”) and supply chain in order to distribute trojanized Windows and macOS installers of the Tibetan language translation software. The compromise occurred in September 2023.

“The attackers also abused the same website and a Tibetan news website called Tibetpost – tibetpost[.]net – to host the payloads obtained by the malicious downloads, including two full-featured backdoors for Windows and an unknown number of payloads for macOS,” the researchers noted.

The trojanized Windows installer, for its part, triggers a sophisticated multi-stage attack sequence to either drop MgBot or Nightdoor, signs of which have been detected as early as 2020.

The backdoor comes equipped with features to gather system information, list of installed apps, and running processes; spawn a reverse shell, perform file operations, and uninstall itself from the infected system.

“The attackers fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by Evasive Panda – and Nightdoor: the latest major addition to the group’s toolkit and which has been used to target several networks in East Asia,” ESET said.

At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances.

UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as maintain persistent access to compromised appliances, Mandiant said.

The Google-owned threat intelligence firm has assessed with moderate confidence that UNC5325 is associated with UNC3886 owing to source code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware used by the latter.

It’s worth pointing out that UNC3886 has a track record of leveraging zero-day flaws in Fortinet and VMware solutions to deploy a variety of implants like VIRTUALPITA, VIRTUALPIE, THINCRUST, and CASTLETAP.

“UNC3886 has primarily targeted the defense industrial base, technology, and telecommunication organizations located in the U.S. and [Asia-Pacific] regions,” Mandiant researchers said.

The active exploitation of CVE-2024-21893 – a server-side request forgery (SSRF) vulnerability in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA – by UNC5325 is said to have occurred as early as January 19, 2024, targeting a limited number of devices.

The attack chain entails combining CVE-2024-21893 with a previously disclosed command injection vulnerability tracked as CVE-2024-21887 to gain unauthorized access to susceptible appliances, ultimately leading to the deployment of a new version of BUSHWALK.

Some instances have also involved the misuse of legitimate Ivanti components, such as SparkGateway plugins, to drop additional payloads. This includes the PITFUEL plugin to load a malicious shared object codenamed LITTLELAMB.WOOLTEA, which comes with capabilities to persist across system upgrade events, patches, and factory resets.

It further acts as a backdoor that supports command execution, file management, shell creation, SOCKS proxy, and network traffic tunneling.

Also observed is another malicious SparkGateway plugin dubbed PITDOG that injects a shared object known as PITHOOK in order to persistently execute an implant referred to as PITSTOP that’s designed for shell command execution, file write, and file read on the compromised appliance.

Mandiant described the threat actor as having demonstrated a “nuanced understanding of the appliance and their ability to subvert detection throughout this campaign” and using living-off-the-land (LotL) techniques to fly under the radar.

The cybersecurity firm said it expects “UNC5325 as well as other China-nexus espionage actors to continue to leverage zero day vulnerabilities on network edge devices as well as appliance-specific malware to gain and maintain access to target environments.”

Links Found Between Volt Typhoon and UTA0178

The disclosure comes as industrial cybersecurity company Dragos attributed China-sponsored Volt Typhoon (aka Voltzite) to reconnaissance and enumeration activities aimed at multiple U.S.-based electric companies, emergency services, telecommunication providers, defense industrial bases, and satellite services.

“Voltzite’s actions towards U.S. electric entities, telecommunications, and GIS systems signify clear objectives to identify vulnerabilities within the country’s critical infrastructure that can be exploited in the future with destructive or disruptive cyber attacks,” it said.

Volt Typhoon’s victimology footprint has since expanded to include African electric transmission and distribution providers, with evidence connecting the adversary to UTA0178, a threat activity group linked to the zero-day exploitation of Ivanti Connect Secure flaws in early December 2023.

The cyber espionage actor, which heavily relies on LotL methods to sidestep detection, joins two other new groups, namely Gananite and Laurionite, that came to light in 2023, conducting long-term reconnaissance and intellectual property theft operations targeting critical infrastructure and government entities.

“Voltzite uses very minimal tooling and prefers to conduct their operations with as little a footprint as possible,” Dragos explained. “Voltzite heavily focuses on detection evasion and long-term persistent access with the assessed intent of long-term espionage and data exfiltration.”

A Chinese-speaking threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that’s capable of harvesting identity documents, facial recognition data, and intercepting SMS.

“The GoldPickaxe family is available for both iOS and Android platforms,” Singapore-headquartered Group-IB said in an extensive report shared with The Hacker News. “GoldFactory is believed to be a well-organized Chinese-speaking cybercrime group with close connections to Gigabud.”

Active since at least mid-2023, GoldFactory is also responsible for another Android-based banking malware called GoldDigger and its enhanced variant GoldDiggerPlus as well as GoldKefu, an embedded trojan inside GoldDiggerPlus.

Social engineering campaigns distributing the malware have been found to target the Asia-Pacific region, specifically Thailand and Vietnam, by masquerading as local banks and government organizations.

In these attacks, prospective victims are sent smishing and phishing messages and guided to switch the conversation to instant messaging apps like LINE, before sending bogus URLs that lead to the deployment of GoldPickaxe on the devices.

Some of these malicious apps targeting Android are hosted on counterfeit websites resembling Google Play Store pages or fake corporate websites to complete the installation process.

GoldPickaxe for iOS, however, employs a different distribution scheme, with successive iterations leveraging Apple’s TestFlight platform and booby-trapped URLs that prompt users to download an Mobile Device Management (MDM) profile to grant complete control over the iOS devices and install the rogue app.

Both these propagation mechanisms were disclosed by the Thailand Banking Sector CERT (TB-CERT) and the Cyber Crime Investigation Bureau (CCIB), respectively, in November 2023.

The sophistication of GoldPickaxe is also evident in the fact that it’s designed to get around security measures imposed by Thailand that require users to confirm larger transactions using facial recognition to prevent fraud.

“GoldPickaxe prompts the victim to record a video as a confirmation method in the fake application,” security researchers Andrey Polovinkin and Sharmine Low said. “The recorded video is then used as raw material for the creation of deepfake videos facilitated by face-swapping artificial intelligence services.”

Furthermore, the Android and iOS flavors of the malware are equipped to collect the victim’s ID documents and photos, intercept incoming SMS messages, and proxy traffic through the compromised device. It’s suspected that the GoldFactory actors use their own devices to sign-in to the bank application and perform unauthorized fund transfers.

That having said, the iOS variant exhibits fewer functionalities when compared to its Android counterpart owing to the closed nature of the iOS operating system and relatively stricter nature of iOS permissions.

The Android version – considered an evolutionary successor of GoldDiggerPlus – also poses as over 20 different applications from Thailand’s government, the financial sector, and utility companies to steal login credentials from these services. However, it’s currently not clear what the threat actors do with this information.

Another notable aspect of the malware is its abuse of Android’s accessibility services to log keystrokes and extract on-screen content.

GoldDigger also shares code-level similarities to GoldPickaxe, although it is chiefly designed to steal banking credentials, while the latter is geared more towards gathering of personal information from victims. No GoldDigger artifacts aimed at iOS devices have been identified to date.

“The primary feature of GoldDigger is that it targets over 50 applications from Vietnamese financial companies, including their packages’ names in the trojan,” the researchers said. “Whenever the targeted applications open, it will save the text displayed or written on the UI, including passwords, when they are entered.”

The base version of GoldDigger, which was first discovered in June 2023 and continues to be still in circulation, has since paved the way for more upgraded variants, including GoldDiggerPlus, which comes embedded with another trojan APK component dubbed GoldKefu, to unleash the malicious actions.

GoldDiggerPlus is said to have emerged in September 2023, with GoldKefu impersonating a popular Vietnamese messaging app to siphon banking credentials associated with 10 financial institutions.

Goldkefu also integrates with the Agora Software Development Kit (SDK) to facilitate interactive voice and video calls and trick victims into contacting a bogus bank customer service by sending fake alerts that induce a false sense of urgency by claiming that a fund transfer to the tune of 3 million Thai Baht has taken place on their accounts.

If anything, the development is a sign that the mobile malware landscape remains a lucrative market for cybercriminals looking for quick financial gain, even as they find ways to circumvent defensive measures erected by banks to counter such threats. It also demonstrates the ever-shifting and dynamic nature of social engineering schemes that aim to deliver malware to victims’ devices.

To mitigate the risks posed by GoldFactory and its suite of mobile banking malware, it’s strongly advised not to click on suspicious links, install any app from untrusted sites, as they are a common vector for malware, and periodically review the permissions given to apps, particularly those requesting for Android’s accessibility services.

“GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection,” the researchers said. “The team comprises separate development and operator groups dedicated to specific regions.”

“The gang has well-defined processes and operational maturity and constantly enhances its toolset to align with the targeted environment showcasing a high proficiency in malware development.”

The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years.

Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam.

“Volt Typhoon’s choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence gathering operations, and the U.S. authoring agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions,” the U.S. government said.

The joint advisory, which was released by the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Federal Bureau of Investigation (FBI), was also backed by other nations that are part of the Five Eyes (FVEY) intelligence alliance comprising Australia, Canada, New Zealand, the U.K.

Volt Typhoon – which is also called Bronze Silhouette, Insidious Taurus, UNC3236, Vanguard Panda, or Voltzite – a stealthy China-based cyber espionage group that’s believed to be active since June 2021.

It first came to light in May 2023 when Microsoft revealed that the hacking crew managed to establish a persistent foothold into critical infrastructure organizations in the U.S. and Guam for extended periods of time sans getting detected by principally leveraging living-off-the-land (LotL) techniques.

“This kind of tradecraft, known as ‘living off the land,’ allows attackers to operate discreetly, with malicious activity blending in with legitimate system and network behavior making it difficult to differentiate – even by organizations with more mature security postures,” the U.K. National Cyber Security Centre (NCSC) said.

Another hallmark tactic adopted by Volt Typhoon is the use of multi-hop proxies like KV-botnet to route malicious traffic through a network of compromised routers and firewalls in the U.S. to mask its true origins.

Cybersecurity firm CrowdStrike, in a report published in June 2023, called out its reliance on an extensive arsenal of open-source tooling against a narrow set of victims to achieve its strategic goals.

“Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise,” the agencies noted.

“The group also relies on valid accounts and leverages strong operational security, which combined, allows for long-term undiscovered persistence.”

Furthermore, the nation-state has been observed attempting to obtain administrator credentials within the network by exploiting privilege escalation flaws, subsequently leveraging the elevated access to facilitate lateral movement, reconnaissance, and full domain compromise.

The ultimate goal of the campaign is to retain access to the compromised environments, “methodically” re-targeting them over years to validate and expand their unauthorized accesses. This meticulous approach, per the agencies, is evidenced in cases where they have repeatedly exfiltrated domain credentials to ensure access to current and valid accounts.

“In addition to leveraging stolen account credentials, the actors use LOTL techniques and avoid leaving malware artifacts on systems that would cause alerts,” CISA, FBI, and NSA said.

“Their strong focus on stealth and operational security allows them to maintain long-term, undiscovered persistence. Further, Volt Typhoon’s operational security is enhanced by targeted log deletion to conceal their actions within the compromised environment.”

The development comes as the Citizen Lab revealed a network of at least 123 websites impersonating local news outlets spanning 30 countries in Europe, Asia, and Latin America that’s pushing pro-China content in a widespread influence campaign linked to a Beijing public relations firm named Shenzhen Haimaiyunxiang Media Co., Ltd.

The Toronto-based digital watchdog, which dubbed the influence operation PAPERWALL, said it shares similarities with HaiEnergy, albeit with different operators and unique TTPs.

“A central feature of PAPERWALL, observed across the network of websites, is the ephemeral nature of its most aggressive components, whereby articles attacking Beijing’s critics are routinely removed from these websites some time after they are published,” the Citizen Lab said.

In a statement shared with Reuters, a spokesperson for China’s embassy in Washington said “it is a typical bias and double standard to allege that the pro-China contents and reports are ‘disinformation,’ and to call the anti-China ones’ true information.'”

Feb 07, 2024NewsroomCyber Espionage / Network Security

Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had less than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.

Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that’s designed to grant persistent remote access to the compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.

It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and NetGear routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

Jan 31, 2024NewsroomCyber Attack / Network Security

A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that’s used to drop the open-source Sliver adversary simulation tool.

The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused in tandem to achieve unauthenticated remote code execution on susceptible appliances.

As of January 26, patches for the two flaws have been delayed, although the software company has released a temporary mitigation through an XML file.

Volexity, which first shed light on the shortcomings, said they have been weaponized as zero-days since December 3, 2023, by a Chinese nation-state threat actor it tracks under the name UTA0178. Google-owned Mandiant has assigned the moniker UNC5221 to the group.

Following public disclosure earlier this month, the vulnerabilities have come under broad exploitation by other adversaries to drop XMRig cryptocurrency miners as well as Rust-based malware.

Synacktiv’s analysis of the Rust malware, codenamed KrustyLoader, has revealed that it functions as a loader to download Sliver from a remote server and execute it on the compromised host.

Image Credit: Recorded Future

Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that has emerged as a lucrative option for threat actors in comparison to other well-known alternatives like Cobalt Strike.

That said, Cobalt Strike continues to be the top offensive security tool observed among attacker-controlled infrastructure in 2023, followed by Viper, and Meterpreter, according to a report published by Recorded Future earlier this month.

“Both Havoc and Mythic have also become relatively popular but are still observed in far lower numbers than Cobalt Strike, Meterpreter, or Viper,” the company said. “Four other well-known frameworks are Sliver, Havoc, Brute Ratel (BRc4), and Mythic.”