Latest – INDIA NEWS (https://www.indiavpn.org) News Blog, Fri, 12 Apr 2024

Iranian MuddyWater Hackers Adopt New C2 Tool ‘DarkBeatC2’ in Latest Campaign
https://www.indiavpn.org/2024/04/12/iranian-muddywater-hackers-adopt-new-c2-tool-darkbeatc2-in-latest-campaign/
Fri, 12 Apr 2024 11:01:00 +0000


The Iranian threat actor known as MuddyWater has been attributed to a new command-and-control (C2) infrastructure called DarkBeatC2, becoming the latest such tool in its arsenal after SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.

“While occasionally switching to a new remote administration tool or changing their C2 framework, MuddyWater’s methods remain constant,” Deep Instinct security researcher Simon Kenin said in a technical report published last week.

MuddyWater, also called Boggy Serpens, Mango Sandstorm, and TA450, is assessed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS). It has been active since at least 2017, orchestrating spear-phishing attacks that lead to the deployment of various legitimate Remote Monitoring and Management (RMM) solutions on compromised systems.

Prior findings from Microsoft show that the group has ties with another Iranian threat activity cluster tracked as Storm-1084 (aka DarkBit), with the latter leveraging the access to orchestrate destructive wiper attacks against Israeli entities.


The latest attack campaign, details of which were also previously revealed by Proofpoint last month, commences with spear-phishing emails sent from compromised accounts that contain links or attachments hosted on services like Egnyte to deliver the Atera Agent software.

One of the URLs in question is “kinneretacil.egnyte[.]com,” where the subdomain “kinneretacil” refers to “kinneret.ac.il,” an educational institution in Israel and a customer of Rashim, which, in turn, was breached by Lord Nemesis (aka Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in the country.

Lord Nemesis is suspected of being a “faketivist” operation directed against Israel. It’s also worth noting that Nemesis Kitten is a private contracting company called Najee Technology, a subgroup within Mint Sandstorm that’s backed by Iran’s Islamic Revolutionary Guard Corps (IRGC). The company was sanctioned by the U.S. Treasury in September 2022.

“This is important because if ‘Lord Nemesis’ were able to breach Rashim’s email system, they might have breached the email systems of Rashim’s customers using the admin accounts that now we know they obtained from ‘Rashim,'” Kenin explained.


The web of connections has raised the possibility that MuddyWater may have used the email account associated with Kinneret to distribute the links, thereby giving the messages an illusion of trust and tricking the recipients into clicking them.

“While not conclusive, the timeframe and context of the events indicate a potential hand-off or collaboration between IRGC and MOIS to inflict as much harm as possible on Israeli organizations and individuals,” Kenin further added.

The attacks are also notable for relying on a set of domains and IP addresses collectively dubbed DarkBeatC2 that are responsible for managing the infected endpoints. This is accomplished by means of PowerShell code designed to establish contact with the C2 server upon gaining initial access through other means.

According to independent findings from Palo Alto Networks Unit 42, the threat actor has been observed abusing the Windows Registry’s AutodialDLL function to side-load a malicious DLL and ultimately set up connections with a DarkBeatC2 domain.

The mechanism, in particular, involves establishing persistence through a scheduled task that runs PowerShell to leverage the AutodialDLL registry key and load the DLL for the C2 framework. The cybersecurity firm said the technique was put to use in a cyber attack aimed at an unnamed Middle East target.
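A defender-side triage check for the two persistence pieces just described, written as an added example here (it is not code from the Unit 42 or Deep Instinct reports). It assumes the Winsock AutodialDLL value lives under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters and points at rasadhlp.dll on a stock install; the function names are mine.

```powershell
# Added example: flag (1) a non-default Winsock AutodialDLL value and
# (2) scheduled tasks whose actions launch PowerShell, marking any task that
# also references the AutodialDLL key as suspicious.
# Assumption: a stock Windows install has AutodialDLL set to rasadhlp.dll.

$autodialKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'
$expectedDll = 'rasadhlp.dll'   # assumed default; adjust to your own baseline

function Test-AutodialDll {
    $value = (Get-ItemProperty -Path $autodialKey -Name 'AutodialDLL' `
              -ErrorAction SilentlyContinue).AutodialDLL
    if (-not $value) {
        return [pscustomobject]@{ Check = 'AutodialDLL'; Status = 'MISSING'; Detail = 'value not set' }
    }
    # Compare only the file name so a full path to rasadhlp.dll also passes.
    $leaf   = Split-Path -Leaf $value
    $status = if ($leaf -ieq $expectedDll) { 'OK' } else { 'SUSPICIOUS' }
    [pscustomobject]@{ Check = 'AutodialDLL'; Status = $status; Detail = $value }
}

function Get-PowerShellScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; they yield an empty string here.
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            if ($cmd -match '(?i)powershell|pwsh') {
                # A PowerShell task that touches the AutodialDLL key matches the
                # persistence chain described in the article.
                $status = if ($cmd -match '(?i)AutodialDLL|WinSock2\\Parameters') { 'SUSPICIOUS' } else { 'REVIEW' }
                [pscustomobject]@{
                    Check  = 'ScheduledTask'
                    Status = $status
                    Detail = "$($task.TaskPath)$($task.TaskName) -> $cmd"
                }
            }
        }
    }
}

Test-AutodialDll
Get-PowerShellScheduledTasks | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so every task's actions are readable; a REVIEW entry only means a PowerShell task exists and still needs a human look.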

Other methods adopted by MuddyWater to establish a C2 connection include the use of a first-stage payload delivered via the spear-phishing email and leveraging DLL side-loading to execute a malicious library.

A successful contact allows the infected host to receive PowerShell responses that, in turn, fetch two more PowerShell scripts from the same server.

While one of the scripts is designed to read the contents of a file named “C:\ProgramData\SysInt.log” and transmit them to the C2 server via an HTTP POST request, the second script periodically polls the server to obtain additional payloads and writes the results of the execution to “SysInt.log.” The exact nature of the next-stage payload is currently unknown.


“This framework is similar to the previous C2 frameworks used by MuddyWater,” Kenin said. “PowerShell remains their ‘bread and butter.'”

Curious Serpens Targets Defense Sector with FalseFont Backdoor

The disclosure comes as Unit 42 unpacked the inner workings of a backdoor called FalseFont that’s used by an Iranian threat actor known as Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) in attacks targeting the aerospace and defense sectors.

“The threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor,” security researchers Tom Fakterman, Daniel Frank, and Jerome Tujague said, describing FalseFont as “highly targeted.”

Once installed, it presents a login interface impersonating an aerospace company and captures the credentials as well as the educational and employment history entered by the victim, sending them to a threat-actor-controlled C2 server in JSON format.

The implant, besides its graphical user interface (GUI) component for user inputs, also stealthily activates a second component in the background that establishes persistence on the system, gathers system metadata, and executes commands and processes sent from the C2 server.

Other features of FalseFont include the ability to download and upload files, steal credentials, capture screenshots, terminate specific processes, run PowerShell commands, and self-update the malware.

Researchers Decode the Latest Evasion Methods
https://www.indiavpn.org/2024/02/08/researchers-decode-the-latest-evasion-methods/
Thu, 08 Feb 2024 12:25:47 +0000

Feb 08, 2024 | Newsroom | Endpoint Security / Cyber Threat


The threat actors behind a loader malware called HijackLoader have added new techniques for defense evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling.

“The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe,” CrowdStrike researchers Donato Onofri and Emanuele Calvelli said in a Wednesday analysis. “This new approach has the potential to make defense evasion stealthier.”

HijackLoader was first documented by Zscaler ThreatLabz in September 2023 as having been used as a conduit to deliver DanaBot, SystemBC, and RedLine Stealer. It’s also known to share a high degree of similarity with another loader known as IDAT Loader.

Both loaders are assessed to be operated by the same cybercrime group. In the intervening months, HijackLoader has been propagated via ClearFake and put to use by TA544 (aka Narwhal Spider, Gold Essex, and Ursnif Gang) to deliver Remcos RAT and SystemBC via phishing messages.


“Think of loaders like wolves in sheep’s clothing. Their purpose is to sneak in, introduce and execute more sophisticated threats and tools,” Liviu Arsene, director of threat research and reporting at CrowdStrike, said in a statement shared with The Hacker News.

“This recent variant of HijackLoader (aka IDAT Loader) steps up its sneaking game by adding and experimenting with new techniques. This is similar to enhancing its disguise, making it stealthier, more complex, and more difficult to analyze. In essence, they’re refining their digital camouflage.”

The starting point of the multi-stage attack chain is an executable (“streaming_client.exe”) that checks for an active internet connection and proceeds to download a second-stage configuration from a remote server.

The executable then loads a legitimate dynamic-link library (DLL) specified in the configuration to activate shellcode responsible for launching the HijackLoader payload via a combination of process doppelgänging and process hollowing techniques, which increase the complexity of analysis and the defense evasion capabilities.

“The HijackLoader second-stage, position-independent shellcode then performs some evasion activities to bypass user mode hooks using Heaven’s Gate and injects subsequent shellcode into cmd.exe,” the researchers said.

“The injection of the third-stage shellcode is accomplished via a variation of process hollowing that results in an injected hollowed mshtml.dll into the newly spawned cmd.exe child process.”

Heaven’s Gate refers to a stealthy trick that allows malicious software to evade endpoint security products by invoking 64-bit code in 32-bit processes in Windows, effectively bypassing user-mode hooks.


One of the key evasion techniques observed in HijackLoader attack sequences is the use of a process injection mechanism called transacted hollowing, which has been previously observed in malware such as the Osiris banking trojan.

“Loaders are meant to act as stealth launch platforms for adversaries to introduce and execute more sophisticated malware and tools without burning their assets in the initial stages,” Arsene said.

“Investing in new defense evasion capabilities for HijackLoader (aka IDAT Loader) is potentially an attempt to make it stealthier and fly below the radar of traditional security solutions. The new techniques signal both a deliberate and experimental evolution of the existing defense evasion capabilities while also increasing the complexity of analysis for threat researchers.”

Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining
https://www.indiavpn.org/2024/01/10/latest-mirai-based-botnet-targeting-ssh-servers-for-crypto-mining/
Wed, 10 Jan 2024 18:07:46 +0000

Jan 10, 2024 | Newsroom | Server Security / Cryptocurrency


A new Mirai-based botnet called NoaBot is being used by threat actors as part of a crypto mining campaign since the beginning of 2023.

“The capabilities of the new botnet, NoaBot, include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims,” Akamai security researcher Stiv Kupchik said in a report shared with The Hacker News.

Mirai, which had its source code leaked in 2016, has been the progenitor of a number of botnets, the most recent being InfectedSlurs, which is capable of mounting distributed denial-of-service (DDoS) attacks.

There are indications that NoaBot could be linked to another botnet campaign involving a Rust-based malware family known as P2PInfect, which recently received an update to target routers and IoT devices.


This is based on the fact that threat actors have also experimented with dropping P2PInfect in place of NoaBot in recent attacks targeting SSH servers, indicating likely attempts to pivot to custom malware.

Despite NoaBot’s Mirai foundations, its spreader module leverages an SSH scanner to search for servers susceptible to dictionary attacks in order to brute-force them and add an SSH public key to the .ssh/authorized_keys file for remote access. Optionally, it can also download and execute additional binaries after successful exploitation or propagate itself to new victims.


“NoaBot is compiled with uClibc, which seems to change how antivirus engines detect the malware,” Kupchik noted. “While other Mirai variants are usually detected with a Mirai signature, NoaBot’s antivirus signatures are of an SSH scanner or a generic trojan.”

Besides incorporating obfuscation tactics to render analysis challenging, the attack chain ultimately results in the deployment of a modified version of the XMRig coin miner.

What makes the new variant a cut above other similar Mirai botnet-based campaigns is that it does not contain any information about the mining pool or the wallet address, thereby making it impossible to assess the profitability of the illicit cryptocurrency mining scheme.


“The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner,” Kupchik said, highlighting some level of preparedness of the threat actors.

Akamai said it identified 849 victim IP addresses to date that are spread geographically across the world, with high concentrations reported in China, so much so that it amounts to almost 10% of all attacks against its honeypots in 2023.

“The malware’s method of lateral movement is via plain old SSH credentials dictionary attacks,” Kupchik said. “Restricting arbitrary internet SSH access to your network greatly diminishes the risks of infection. In addition, using strong (not default or randomly generated) passwords also makes your network more secure, as the malware uses a basic list of guessable passwords.”

Kimsuky Hackers Deploying AppleSeed, Meterpreter, and TinyNuke in Latest Attacks
https://www.indiavpn.org/2023/12/29/kimsuky-hackers-deploying-appleseed-meterpreter-and-tinynuke-in-latest-attacks/
Fri, 29 Dec 2023 10:35:05 +0000

Dec 29, 2023 | Newsroom | Malware / Cyber Threat


Nation-state actors affiliated with North Korea have been observed using spear-phishing attacks to deliver an assortment of backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke to seize control of compromised machines.

South Korea-based cybersecurity company AhnLab attributed the activity to an advanced persistent threat group known as Kimsuky.

“A notable point about attacks that use AppleSeed is that similar methods of attack have been used for many years with no significant changes to the malware that are used together,” the AhnLab Security Emergency Response Center (ASEC) said in an analysis published Thursday.

Kimsuky, active for over a decade, is known for its targeting of a wide range of entities in South Korea, before expanding its focus to include other geographies in 2017. It was sanctioned by the U.S. government late last month for amassing intelligence to support North Korea’s strategic objectives.


The threat actor’s espionage campaigns are realized through spear-phishing attacks containing malicious lure documents that, upon opening, culminate in the deployment of various malware families.

One such prominent Windows-based backdoor used by Kimsuky is AppleSeed (aka JamBog), a DLL malware which has been put to use as early as May 2019 and has been updated with an Android version as well as a new variant written in Golang called AlphaSeed.

AppleSeed is designed to receive instructions from an actor-controlled server, drop additional payloads, and exfiltrate sensitive data such as files, keystrokes, and screenshots. AlphaSeed, like AppleSeed, incorporates similar features but has some crucial differences as well.

“AlphaSeed was developed in Golang and uses chromedp for communications with the [command-and-control] server,” ASEC said, in contrast to AppleSeed, which relies on HTTP or SMTP protocols. Chromedp is a popular Golang library for interacting with the Google Chrome browser in headless mode through the DevTools Protocol.

There is evidence to suggest that Kimsuky has used AlphaSeed in attacks since October 2022, with some intrusions delivering both AppleSeed and AlphaSeed on the same target system by means of a JavaScript dropper.

Also deployed by the adversary are Meterpreter and VNC malware such as TightVNC and TinyNuke (aka Nuclear Bot), which can be leveraged to take control of the affected system.

The development comes as Nisos said it discovered a number of online personas on LinkedIn and GitHub that are likely used by North Korea’s information technology (IT) workers to fraudulently obtain remote employment from companies in the U.S., serving as a revenue stream for the regime and helping fund its economic and security priorities.


“The personas often claimed to be proficient in developing several different types of applications and have experience working with crypto and blockchain transactions,” the threat intelligence firm said in a report released earlier this month.

“Further, all of the personas sought remote-only positions in the technology sector and were singularly focused on obtaining new employment. Many of the accounts are only active for a short period of time before they are disabled.”

North Korean actors, in recent years, have launched a series of multi-pronged assaults, blending novel tactics and supply chain weaknesses to target blockchain and cryptocurrency firms to facilitate the theft of intellectual property and virtual assets.

The prolific and aggressive nature of the attacks points to the different means the country has resorted to in order to evade international sanctions and illegally profit from the schemes.

“People tend to think, … how could the quote-unquote ‘Hermit Kingdom’ possibly be a serious player from a cyber perspective?,” CrowdStrike’s Adam Meyers was quoted as saying to Politico. “But the reality couldn’t be further from the truth.”

Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave
https://www.indiavpn.org/2023/12/24/chinese-speaking-hackers-pose-as-uae-authority-in-latest-smishing-wave/
Sun, 24 Dec 2023 11:59:07 +0000

Dec 20, 2023 | Newsroom | Identity Theft / SMS Phishing


The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country.

“These criminals send malicious links to their victims’ mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send,” Resecurity said in a report published this week. “This helps them protect the fake website’s domain and hosting location.”

Smishing Triad was first documented by the cybersecurity company in September 2023, highlighting the group’s use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.


The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside engaging in Magecart-style attacks on e-commerce platforms to inject malicious code and pilfer customer data.

“This fraud-as-a-service (FaaS) model enables ‘Smishing Triad’ to scale their operations by empowering other cybercriminals to leverage their tooling and launch independent attacks,” Resecurity noted.

The latest attack wave is designed to send harmful messages to individuals who have recently updated their residence visas. The smishing campaign applies to both Android and iOS devices, with the operators likely using SMS spoofing or spam services to perpetrate the scheme.

Recipients who click on the embedded link in the message are taken to a bogus, lookalike website (“rpjpapc[.]top”) impersonating the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), which prompts them to enter personal information such as names, passport numbers, mobile numbers, addresses, and card information.


What makes the campaign noteworthy is the use of a geofencing mechanism to load the phishing form only when visited from UAE-based IP addresses and mobile devices.

“The perpetrators of this act may have access to a private channel where they obtained information about UAE residents and foreigners living in or visiting the country,” Resecurity said.

“This could be achieved through third-party data breaches, business email compromises, databases purchased on the dark web, or other sources.”

Smishing Triad’s latest campaign coincides with the launch of a new underground market known as OLVX Marketplace (“olvx[.]cc”) that operates on the clear web and claims to sell tools to carry out online fraud, such as phish kits, web shells, and compromised credentials.


“While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX’s ability to maintain and attract customers to the platform,” ZeroFox said.

Cyber Criminals Misuse Predator Bot Detection Tool for Phishing Attacks

The disclosure comes as Trellix revealed how threat actors are leveraging Predator, an open-source tool designed to combat fraud and identify requests originating from automated systems, bots, or web crawlers, as part of various phishing campaigns.

The starting point of the attack is a phishing email sent from a previously compromised account and containing a malicious link, which, when clicked, checks if the incoming request is coming from a bot or a crawler, before redirecting to the phishing page.

The cybersecurity firm said it identified various artifacts where the threat actors repurposed the original tool by providing a list of hard-coded links as opposed to generating random links dynamically upon detecting a visitor is a bot.

“Cyber criminals are always looking for new ways to evade detection from organizations’ security products,” security researchers Vihar Shah and Rohan Shah said. “Open-source tools such as these make their task easier, as they can readily use these tools to avoid detection and more easily achieve their malicious goals.”
