Mar 30, 2024NewsroomMalware / Cryptocurrency

Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users.

The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims’ Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday.

One such attack chain targets users searching for Arc Browser on search engines like Google to serve bogus ads that redirect users to look-alike sites (“airci[.]net”) that serve the malware.

“Interestingly, the malicious website cannot be accessed directly, as it returns an error,” security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. “It can only be accessed through a generated sponsored link, presumably to evade detection.”

The disk image file downloaded from the counterfeit website (“ArcSetup.dmg”) delivers Atomic Stealer, which is known to request users to enter their system passwords via a fake prompt and ultimately facilitate information theft.

Jamf said it also discovered a phony website called meethub[.]gg that claims to offer a free group meeting scheduling software, but actually installs another stealer malware capable of harvesting users’ keychain data, stored credentials in web browsers, and information from cryptocurrency wallets.

Much like Atomic stealer, the malware – which is said to overlap with a Rust-based stealer family known as Realst – also prompts the user for their macOS login password using an AppleScript call to carry out its malicious actions.

Attacks leveraging this malware are said to have approached victims under the pretext of discussing job opportunities and interviewing them for a podcast, subsequently asking them to download an app from meethub[.]gg to join a video conference provided in the meeting invites.

“These attacks are often focused on those in the crypto industry as such efforts can lead to large payouts for attackers,” the researchers said. “Those in the industry should be hyper-aware that it’s often easy to find public information that they are asset holders or can easily be tied to a company that puts them in this industry.”

The development comes as MacPaw’s cybersecurity division Moonlock Lab disclosed that malicious DMG files (“App_v1.0.4.dmg”) are being used by threat actors to deploy a stealer malware designed to extract credentials and data from various applications.

This is accomplished by means of an obfuscated AppleScript and bash payload that’s retrieved from a Russian IP address, the former of which is used to launch a deceptive prompt (as mentioned above) to trick users into providing the system passwords.

“Disguised as a harmless DMG file, it tricks the user into installation via a phishing image, persuading the user to bypass macOS’s Gatekeeper security feature,” security researcher Mykhailo Hrebeniuk said.

The development is an indication that macOS environments are increasingly under threat from stealer attacks, with some strains even boasting of sophisticated anti-virtualization techniques by activating a self-destructing kill switch to evade detection.

In recent weeks, malvertising campaigns have also been observed pushing the FakeBat loader (aka EugenLoader) and other information stealers like Rhadamanthys via a Go-based loader through decoy sites for popular software such as Notion and PuTTY.

Mar 23, 2024NewsroomCyber Espionage / Cyber Warfare

The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia’s Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft.

The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or Cozy Bear) used the malware to target German political parties with phishing emails bearing a logo from the Christian Democratic Union (CDU) around February 26, 2024.

“This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions,” researchers Luke Jenkins and Dan Black said.

WINELOADER was first disclosed by Zscaler ThreatLabz last month as part of a cyber espionage campaign that’s believed to have been ongoing since at least July 2023. It attributed the activity to a cluster dubbed SPIKEDWINE.

Attack chains leverage phishing emails with German-language lure content that purports to be an invite for a dinner reception to trick recipients into clicking on a phony link and downloading a rogue HTML Application (HTA) file, a first-stage dropper called ROOTSAW (aka EnvyScout) that acts as a conduit to deliver WINELOADER from a remote server.

“The German-language lure document contains a phishing link directing victims to a malicious ZIP file containing a ROOTSAW dropper hosted on an actor-controlled compromised website,” the researchers said. “ROOTSAW delivered a second-stage CDU-themed lure document and a next stage WINELOADER payload.”

WINELOADER, invoked via a technique called DLL side-loading using the legitimate sqldumper.exe, comes equipped with abilities to contact an actor-controlled server and fetch additional modules for execution on the compromised hosts.

It’s said to share similarities with known APT29 malware families like BURNTBATTER, MUSKYBEAT, and BEATDROP, suggesting the work of a common developer.

WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.

“ROOTSAW continues to be the central component of APT29’s initial access efforts to collect foreign political intelligence,” the company said.

“The first-stage malware’s expanded use to target German political parties is a noted departure from the typical diplomatic focus of this APT29 subcluster, and almost certainly reflects the SVR’s interest in gleaning information from political parties and other aspects of civil society that could advance Moscow’s geopolitical interests.”

The development comes as German prosecutors have charged a military officer, named Thomas H, with espionage offenses after he was allegedly caught spying on behalf of Russian intelligence services and passing on unspecified sensitive information. He was arrested in August 2023.

“From May 2023, he approached the Russian Consulate General in Bonn and the Russian Embassy in Berlin several times on his own initiative and offered to cooperate,” the Office of the Federal Prosecutor said. “On one occasion, he transmitted information that he had obtained in the course of his professional activities for forwarding to a Russian intelligence service.”

Mar 22, 2024NewsroomLinux / Cyber Warfare

The data wiping malware called AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show.

The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence.

“AcidPour’s expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions,” security researchers Juan Andres Guerrero-Saade and Tom Hegel said.

AcidPour is a variant of AcidRain, a wiper that was used to render Viasat KA-SAT modems operable at the onset of the Russo-Ukrainian war in early 2022 and cripple Ukraine’s military communications.

It also builds upon the latter’s features, while targeting Linux systems running on x86 architecture. AcidRain, on the other hand, is compiled for MIPS architecture.

Where AcidRain was more generic, AcidPour incorporates logic to target embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

That said, both the strains overlap when it comes to the use of the reboot calls and the method employed for recursive directory wiping. Also identical is the IOCTLs-based device-wiping mechanism that also shares commonalities with another malware linked to Sandworm known as VPNFilter.

“One of the most interesting aspects of AcidPour is its coding style, reminiscent of the pragmatic CaddyWiper broadly utilized against Ukrainian targets alongside notable malware like Industroyer 2,” the researchers said.

The C-based malware comes with a self-delete function that overwrites itself on disk at the beginning of its execution, while also employing an alternate wiping approach depending on the device type.

AcidPour has been attributed to a hacking crew tracked as UAC-0165, which is associated with Sandworm and has a track record of striking Ukrainian critical infrastructure.

The Computer Emergency Response Team of Ukraine (CERT-UA), in October 2023, implicated the adversary to attacks targeting at least 11 telecommunication service providers in the country between May and September of last year.

“[AcidPour] could have been used in 2023,” Hegel told The Hacker News. “It’s likely the actor has made use of AcidRain/AcidPour related tooling consistently throughout the war. A gap in this perspective speaks to the level of insight the public often has to cyber intrusions – generally quite limited and incomplete.”

The ties to Sandworm are further bolstered by the fact that a threat actor known as Solntsepyok (aka Solntsepek or SolntsepekZ) claimed to have infiltrated four different telecommunication operators in Ukraine and disrupted their services on March 13, 2024, three days prior to the discovery of AcidPour.

Solntsepyok, according to the State Special Communications Service of Ukraine (SSSCIP), is a Russian advanced persistent threat (APT) with likely ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), which also operates Sandworm.

It’s worth pointing out that Solntsepyok has also been accused of hacking into Kyivstar’s systems as early as May 2023. The breach came to light in late December.

While it’s currently not clear if AcidPour was used in the latest set of attacks, the discovery suggests that threat actors are constantly refining their tactics to stage destructive assaults and inflict significant operational impact.

“This progression reveals not only a refinement in the technical capabilities of these threat actors but also their calculated approach to select targets that maximize follow-on effects, disrupting critical infrastructure and communications,” the researchers said.

Mar 13, 2024The Hacker NewsFinancial Fraud / Mobile Security

The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil.

The approach allows it to hide the malicious app’s icon from the home screen of the victim’s device, IBM said in a technical report published today.

“Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background,” security researcher Nir Somech said.

PixPirate, which was first documented by Cleafy in February 2023, is known for its abuse of Android’s accessibility services to covertly perform unauthorized fund transfers using the PIX instant payment platform when a targeted banking app is opened.

The constantly mutating malware is also capable of stealing victims’ online banking credentials and credit card information, as well as capturing keystrokes and intercepting SMS messages to access two-factor authentication codes.

Typically distributed via SMS and WhatsApp, the attack flow entails the use of a dropper (aka downloader) app that’s engineered to deploy the main payload (aka droppee) to pull off the financial fraud.

“Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant,” Somech explained.

“In the case of PixPirate, the downloader is responsible not only for downloading and installing the droppee but also for running and executing it. The downloader plays an active part in the malicious activities of the droppee as they communicate with each other and send commands to execute.”

The downloader APK app, once launched, prompts the victim to update the app to either retrieve the PixPirate component from an actor-controlled server or install it if it’s embedded within itself.

What’s changed in the latest version of the droppee is the absence of activity with the action “android.intent.action.Main” and the category “android.intent.category.LAUNCHER” that allows a user to launch an app from the home screen by tapping its icon.

Put differently, the infection chain requires both the downloader and the droppee to work in tandem, with the former responsible for running the PixPirate APK by binding to a service exported by the droppee.

“Later, to maintain persistence, the droppee is also triggered to run by the different receivers that it registered,” Somech said. “The receivers are set to be activated based on different events that occur in the system and not necessarily by the downloader that initially triggered the droppee to run.”

“This technique allows the PixPirate droppee to run and hide its existence even if the victim removes the PixPirate downloader from their device.”

The development comes as Latin American (LATAM) banks have become the target of a new malware called Fakext that employs a rogue Microsoft Edge extension named SATiD to carry out man-in-the-browser and web injection attacks with the goal of grabbing credentials entered in the targeted bank site.

It’s worth noting that SAT ID is a service offered by Mexico’s Tax Administration Service (SAT) to generate and update electronic signatures for filing taxes online.

In select cases, Fakext is engineered to display an overlay that urges the victim to download a legitimate remote access tool by purporting to be the bank’s IT support team, ultimately enabling the threat actors to conduct financial fraud.

The campaign – active since at least November 2023 – singles out 14 banks operating in the region, a majority of which are located in Mexico. The extension has since been taken down from the Edge Add-ons store.

Mar 07, 2024NewsroomCyber Espionage / Software Security

The China-linked threat actor known as Evasive Panda orchestrated both watering hole and supply chain attacks targeting Tibetan users at least since September 2023.

The end of the attacks is to deliver malicious downloaders for Windows and macOS that deploy a known backdoor called MgBot and a previously undocumented Windows implant known as Nightdoor.

The findings come from ESET, which said the attackers compromised at least three websites to carry out watering-hole attacks as well as a supply-chain compromise of a Tibetan software company. The operation was discovered in January 2024.

Evasive Panda, active since 2012 and also known as Bronze Highland and Daggerfly, was previously disclosed by the Slovak cybersecurity firm in April 2023 as having targeted an international non-governmental organization (NGO) in Mainland China with MgBot.

Another report from Broadcom-owned Symantec around the same time implicated the adversary to a cyber espionage campaign aimed at infiltrating telecom services providers in Africa at least since November 2022.

The latest set of cyber assaults entails the strategic web compromise of the Kagyu International Monlam Trust’s website (“www.kagyumonlam[.]org”).

“The attackers placed a script in the website that verifies the IP address of the potential victim and if it is within one of the targeted ranges of addresses, shows a fake error page to entice the user to download a ‘fix’ named certificate,” ESET researchers said.

“This file is a malicious downloader that deploys the next stage in the compromise chain.” The IP address checks show that the attack is specifically designed to target users in India, Taiwan, Hong Kong, Australia, and the U.S.

It’s suspected that Evasive Panda capitalized on the annual Kagyu Monlam Festival that took place in India in late January and February 2024 to target the Tibetan community in several countries and territories.

The executable – named “certificate.exe” on Windows and “certificate.pkg” for macOS – serves as a launchpad for loading the Nightdoor implant, which, subsequently, abuses the Google Drive API for command-and-control (C2).

In addition, the campaign is notable for infiltrating an Indian software company’s website (“monlamit[.]com”) and supply chain in order to distribute trojanized Windows and macOS installers of the Tibetan language translation software. The compromise occurred in September 2023.

“The attackers also abused the same website and a Tibetan news website called Tibetpost – tibetpost[.]net – to host the payloads obtained by the malicious downloads, including two full-featured backdoors for Windows and an unknown number of payloads for macOS,” the researchers noted.

The trojanized Windows installer, for its part, triggers a sophisticated multi-stage attack sequence to either drop MgBot or Nightdoor, signs of which have been detected as early as 2020.

The backdoor comes equipped with features to gather system information, list of installed apps, and running processes; spawn a reverse shell, perform file operations, and uninstall itself from the infected system.

“The attackers fielded several downloaders, droppers, and backdoors, including MgBot – which is used exclusively by Evasive Panda – and Nightdoor: the latest major addition to the group’s toolkit and which has been used to target several networks in East Asia,” ESET said.

Mar 01, 2024NewsroomPhishing Kit / Cryptocurrency

A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster designed to primarily target mobile devices.

“This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States,” Lookout said in a report.

Targets of the phishing kit include employees of the Federal Communications Commission (FCC), Binance, Coinbase, and cryptocurrency users of various platforms like Binance, Coinbase, Gemini, Kraken, ShakePay, Caleb & Brown, and Trezor. More than 100 victims have been successfully phished to date.

The phishing pages are designed such that the fake login screen is displayed only after the victim completes a CAPTCHA test using hCaptcha, thus preventing automated analysis tools from flagging the sites.

In some cases, these pages are distributed via unsolicited phone calls and text messages by spoofing a company’s customer support team under the pretext of securing their account after a purported hack.

Once the user enters their credentials, they are either asked to provide a two-factor authentication (2FA) code or asked to “wait” while it claims to verify the provided information.

“The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access,” Lookout said.

The phishing kit also attempts to give an illusion of credibility by allowing the operator to customize the phishing page in real-time by providing the last two digits of the victim’s actual phone number and selecting whether the victim should be asked for a six or seven digit token.

The one-time password (OTP) entered by the user is then captured by the threat actor, who uses it to sign in to the desired online service using the provided token. In the next step, the victim can be directed to any page of the attacker’s choosing, including the legitimate Okta login page or a page that displays customized messages.

Lookout said the campaign shares similarities with that of Scattered Spider, specifically in its impersonation of Okta and the use of domains that have been previously identified as affiliated with the group.

“Despite the URLs and spoofed pages looking similar to what Scattered Spider might create, there are significantly different capabilities and C2 infrastructure within the phishing kit,” the company said. “This type of copycatting is common amongst threat actor groups, especially when a series of tactics and procedures have had so much public success.”

It’s currently also not clear if this is the work of a single threat actor or a common tool being used by different groups.

“The combination of high quality phishing URLs, login pages that perfectly match the look and feel of the legitimate sites, a sense of urgency, and consistent connection through SMS and voice calls is what has given the threat actors so much success stealing high quality data,” Lookout noted.

The development comes as Fortra revealed that financial institutions in Canada have come under the target of a new phishing-as-service (PhaaS) group called LabHost, overtaking its rival Frappo in popularity in 2023.

LabHost’s phishing attacks are pulled off by means of a real-time campaign management tool named LabRat that makes it possible to stage an adversary-in-the-middle (AiTM) attack and capture credentials and 2FA codes.

Also developed by the threat actor is an SMS spamming tool dubbed LabSend that provides an automated method for sending links to LabHost phishing pages, thereby allowing its customers to mount smishing campaigns at scale.

“LabHost services allow threat actors to target a variety of financial institutions with features ranging from ready-to-use templates, real-time campaign management tools, and SMS lures,” the company said.

Feb 28, 2024NewsroomCyber Espionage / Malware

An Iran-nexus threat actor known as UNC1549 has been attributed with medium confidence to a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E.

Other targets of the cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis.

UNC1549 is said to overlap with Smoke Sandstorm (previously Bohrium) and Crimson Sandstorm (previously Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC) affiliated group which is also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.

“This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024,” the company said. “While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide.”

The attacks entail the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering involving job-related lures to deliver two backdoors dubbed MINIBIKE and MINIBUS.

The spear-phishing emails are designed to disseminate links to fake websites containing Israel-Hamas related content or phony job offers, resulting in the deployment of a malicious payload. Also observed are bogus login pages mimicking major companies to harvest credentials.

The custom backdoors, upon establishing C2 access, act as a conduit for intelligence collection and for further access into the targeted network. Another tool deployed at this stage is a tunneling software called LIGHTRAIL that communicates using Azure cloud.

While MINIBIKE is based in C++ and capable of file exfiltration and upload, and command execution, MINIBUS serves as a more “robust successor” with enhanced reconnaissance features.

“The intelligence collected on these entities is of relevance to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations,” Mandiant said.

“The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this activity.”

CrowdStrike, in its Global Threat Report for 2024, described how “faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as ‘pro-Palestinian’ focused on targeting critical infrastructure, Israeli aerial projectile warning systems, and activity intended for information operation purposes in 2023.”

This includes Banished Kitten, which unleashed the BiBi wiper malware, and Vengeful Kitten, an alias for Moses Staff that has claimed data-wiping activity against more than 20 companies’ industrial control systems (ICS) in Israel.

That said, Hamas-linked adversaries have been noticeably absent from conflict-related activity, something the cybersecurity firm has attributed to likely power and internet disruptions in the region.

Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) to targets across Latin America (LATAM) and Europe.

“The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s),” Cisco Talos researchers disclosed last week.

The high-volume malware distribution campaigns, observed since September 2023, have employed the same storage bucket within Google Cloud for propagation, suggesting potential links between the threat actors behind the distribution campaigns.

Google Cloud Run is a managed compute platform that enables users to run frontend and backend services, batch jobs, deploy websites and applications, and queue processing workloads without having to manage or scale the infrastructure.

“Adversaries may view Google Cloud Run as an inexpensive, yet effective way to deploy distribution infrastructure on platforms that most organizations likely do not prevent internal systems from accessing,” the researchers said.

A majority of the systems used to send phishing messages originate from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. The emails bear themes related to invoices or financial and tax documents, in some cases purporting to be from local government tax agencies.

Embedded within these messages are links to a website hosted on run[.]app, resulting in the delivery of a ZIP archive containing a malicious MSI file either directly or via 302 redirects to a Google Cloud Storage location, where the installer is stored.

The threat actors have also been observed attempting to evade detection using geofencing tricks by redirecting visitors to these URLs to a legitimate site like Google when accessing them with a U.S. IP address.

Besides leveraging the same infrastructure to deliver both Mekotio and Astaroth, the infection chain associated with the latter acts as a conduit to distribute Ousaban.

Astaroth, Mekotio, and Ousaban are all designed to single out financial institutions, keeping tabs on users’ web browsing activity as well as logging keystrokes and taking screenshots should one of the target bank websites be open.

Ousaban has a history of weaponizing cloud services to its advantage, having previously employed Amazon S3 and Microsoft Azure to download second-stage payloads, and Google Docs to retrieve command-and-control (C2) configuration.

The development comes amid phishing campaigns propagating malware families such as DCRat, Remcos RAT, and DarkVNC that are capable of harvesting sensitive data and taking control of compromised hosts.

It also follows an uptick in threat actors deploying QR codes in phishing and email-based attacks (aka quishing) to trick potential victims into installing malware on their mobile devices.

“In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered,” Talos said.

“QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.”

Phishing campaigns have also set their eyes on the oil and gas sector to deploy an information stealer called Rhadamanthys, which has currently reached version 0.6.0, highlighting a steady stream of patches and updates by its developers.

“The campaign starts with a phishing email using a vehicle incident report to lure victims into interacting with an embedded link that abuses an open redirect on a legitimate domain, primarily Google Maps or Google Images,” Cofense said.

Users who click on the link are then redirected to a website hosting a bogus PDF file, which, in reality, is a clickable image that contacts a GitHub repository and downloads a ZIP archive containing the stealer executable.

“Once a victim attempts to interact with the executable, the malware will unpack and start a connection with a command-and-control (C2) location that collects any stolen credentials, cryptocurrency wallets, or other sensitive information,” the company added.

Other campaigns have abused email marketing tools like Twilio’s SendGrid to obtain client mailing lists and take advantage of stolen credentials to send out convincing-looking phishing emails, per Kaspersky.

“What makes this campaign particularly insidious is that the phishing emails bypass traditional security measures,” the Russian cybersecurity company noted. “Since they are sent through a legitimate service and contain no obvious signs of phishing, they may evade detection by automatic filters.”

These phishing activities are further fueled by the easy availability of phishing kits such as Greatness and Tycoon, which have become a cost-effective and scalable means for aspiring cyber criminals to mount malicious campaigns.

“Tycoon Group [phishing-as-a-service] is sold and marketed on Telegram for as low as $120,” Trustwave SpiderLabs researcher Rodel Mendrez said last week, noting the service first came into being around August 2023.

“Its key selling features include the ability to bypass Microsoft two-factor authentication, achieve ‘link speed at the highest level,’ and leveraging Cloudflare to evade antibot measures, ensuring the persistence of undetected phishing links.”

Feb 21, 2024NewsroomPhishing Attack / Information Warfare

Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation.

The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 with an aim to harvest Microsoft login credentials using fake landing pages.

Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages.

The disinformation operation took place over two waves in November and December 2023, with the email messages bearing PDF attachments and content related to heating interruptions, drug shortages, and food shortages.

The November wave targeted no less than a few hundred recipients in Ukraine, including the government, energy companies, and individuals. It’s currently not known how the target list was created.

“What’s interesting to note is that the email was sent from a domain masquerading as the Ministry of Agrarian Policy and Food of Ukraine, while the content is about drug shortages and the PDF is misusing the logo of the Ministry of Health of Ukraine,” ESET said in a report shared with The Hacker News.

“It is possibly a mistake from the attackers or, at least, shows they did not care about all details.”

The second disinformation email campaign that commenced on December 25, 2023, is notable for expanding its targeting beyond Ukraine to include Ukrainian speakers in other European nations owing to the fact that all the messages are in Ukrainian.

These messages, while wishing recipients a happy holiday season, also adopted a darker tone, going as far as to suggest that they ampute one of their arms or legs to avoid military deployment. “A couple of minutes of pain, but then a happy life!,” the email goes.

ESET said one of the domains used to propagate the phishing emails in December 2023, infonotification[.]com, also engaged in sending hundreds of spam messages beginning January 7, 2024, redirecting potential victims to a fake Canadian pharmacy website.

It’s exactly unclear why this email server was repurposed to propagate a pharmacy scam, but it’s suspected that the threat actors decided to monetize their infrastructure for financial gain after realizing that their domains have been detected by defenders.

“Operation Texonto shows yet another use of technologies to try to influence the war,” the company said.

The development comes as Meta, in its quarterly Adversarial Threat Report, said it took down three networks across its platforms originating from China, Myanmar, and Ukraine that engaged in coordinated inauthentic behavior (CIB).

While none of the networks were from Russia, social media analytics firm Graphika said posting volumes by Russian state-controlled media has declined 55% from pre-war levels and engagement has plummeted 94% compared to two years ago.

“Russian state media outlets have increased their focus on non-political infotainment content and self-promotional narratives about Russia since the start of the war,” it said. “This could reflect a wider off-platform effort to cater to domestic Russian audiences after multiple Western countries blocked the outlets in 2022.”

Feb 19, 2024NewsroomMalware / Cyber Espionage

The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal.

Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a wide net in their targeting, often singling out think tanks, NGOs, and journalists.

“CharmingCypress often employs unusual social-engineering tactics, such as engaging targets in prolonged conversations over email before sending links to malicious content,” Volexity researchers Ankur Saini, Callum Roxan, Charlie Gardner, and Damien Cash said.

Last month, Microsoft revealed that high-profile individuals working on Middle Eastern affairs have been targeted by the adversary to deploy malware such as MischiefTut and MediaPl (aka EYEGLASS) that are capable of harvesting sensitive information from a compromised host.

The group, assessed to be affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), has also distributed several other backdoors such as PowerLess, BellaCiao, POWERSTAR (aka GorjolEcho), and NokNok over the past year, emphasizing its determination to continue its cyber onslaught, adapting its tactics and methods despite public exposure.

The phishing attacks observed between September and October 2023 involved the Charming Kitten operators posing as the Rasanah International Institute for Iranian Studies (IIIS) to initiate and build trust with targets.

The phishing attempts are also characterized by the use of compromised email accounts belonging to legitimate contacts and multiple threat-actor-controlled email accounts, the latter of which is called Multi-Persona Impersonation (MPI).

The attack chains typically employ RAR archives containing LNK files as a starting point to distribute malware, with the messages urging prospective targets to join a fake webinar about topics that are of interest to them. One such multi-stage infection sequence has been observed to deploy BASICSTAR and KORKULOADER, a PowerShell downloader script.

BASICSTAR, a Visual Basic Script (VBS) malware, is capable of gathering basic system information, remotely executing commands relayed from a command-and-control (C2) server, and downloading and displaying a decoy PDF file.

What’s more, some of these phishing attacks are engineered to serve different backdoors depending on the machine’s operating system. While Windows victims are compromised with POWERLESS, Apple macOS victims are targeted with an infection chain culminating in NokNok via a functional VPN application that’s laced with malware.

“This threat actor is highly committed to conducting surveillance on their targets in order to determine how best to manipulate them and deploy malware,” the researchers said. “Additionally, few other threat actors have consistently churned out as many campaigns as CharmingCypress, dedicating human operators to support their ongoing efforts.”

The disclosure comes as Recorded Future uncovered IRGC’s targeting of Western countries using a network of contracting companies that also specialize in exporting technologies for surveillance and offensive purposes to countries like Iraq, Syria, and Lebanon.

The relationship between intelligence and military organizations and Iran-based contractors takes the form of various cyber centers that act as “firewalls” to conceal the sponsoring entity.

They include Ayandeh Sazan Sepher Aria (suspected to be associated with Emennet Pasargad), DSP Research Institute, Sabrin Kish, Soroush Saman, Mahak Rayan Afraz, and the Parnian Telecommunication and Electronic Company.

“Iranian contracting companies are established and run by a tight-knit network of personas, who, in some cases, represent the contractors as board members,” the company said. “The individuals are closely associated with the IRGC, and in some cases, are even representatives of sanctioned entities (such as the IRGC Cooperative Foundation).”