Apr 09, 2024NewsroomCyber Espionage / Malware

Human rights activists in Morocco and the Western Sahara region are the targets of a new threat actor that leverages phishing attacks to trick victims into installing bogus Android apps and serve credential harvesting pages for Windows users.

Cisco Talos is tracking the activity cluster under the name Starry Addax, describing it as primarily singling out activists associated with the Sahrawi Arab Democratic Republic (SADR).

Starry Addax’s infrastructure – ondroid[.]site and ondroid[.]store – is designed to target both Android and Windows users, with the latter involving fake websites masquerading as login pages for popular social media websites.

The adversary, believed to be active since January 2024, is known to send spear-phishing emails to targets, urging recipients to install Sahara Press Service’s mobile app or a relevant decoy related to the region.

Depending on the operating system from where the request is originating from, the target is either served a malicious APK that impersonates the Sahara Press Service or redirected to a social media login page to harvest their credentials.

The novel Android malware, dubbed FlexStarling, is versatile and equipped to deliver additional malware components and steal sensitive information from infected devices.

Once installed, it requests the victim to grant it extensive permissions that allow the malware to perform nefarious actions, including fetching commands to be executed from a Firebase-based command-and-control (C2), a sign that the threat actor is looking to fly under the radar.

“Campaigns like this that target high-value individuals usually intend to sit quietly on the device for an extended period,” Talos said.

“All components from the malware to the operating infrastructure seem to be bespoke/custom-made for this specific campaign indicating a heavy focus on stealth and conducting activities under the radar.”

The development comes amid the emergence of a new commercial Android remote access trojan (RAT) known as Oxycorat that’s being offered for sale with diverse information gathering capabilities.

Apr 08, 2024NewsroomCybersecurity / Malvertising

A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems.

“The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice,” Trustwave SpiderLabs researcher Karla Agregado said.

The email message, the company said, originates from an email address format that uses the domain “temporary[.]link” and has Roundcube Webmail listed as the User-Agent string.

The HTML file points containing a link (“facturasmex[.]cloud”) that displays an error message saying “this account has been suspended,” but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile.

This step paves the way for a redirect to another domain from where a malicious RAR file is downloaded. The RAR archive comes with a PowerShell script that gathers system metadata as well as checks for the presence of antivirus software in the compromised machine.

It also incorporates several Base64-encoded strings that are designed to run PHP scripts to determine the user’s country and retrieve a ZIP file from Dropbox containing “many highly suspicious files.”

Trustwave said the campaign exhibits similarities with that of Horabot malware campaigns that have targeted Spanish-speaking users in Latin America in the past.

“Understandably, from the threat actors’ point of view, phishing campaigns always try different [approaches] to hide any malicious activity and avoid immediate detection,” Agregado said.

“Using newly created domains and making them accessible only in specific countries is another evasion technique. especially if the domain behaves differently depending on their target country.”

The development comes as Malwarebytes revealed a malvertising campaign targeting Microsoft Bing search users with bogus ads for NordVPN that lead to the distribution of a remote access trojan called SectopRAT (aka ArechClient) hosted on Dropbox via a phony website (“besthord-vpn[.]com”).

“Malvertising continues to show how easy it is to surreptitiously install malware under the guise of popular software downloads,” security researcher Jérôme Segura said. “Threat actors are able to roll out infrastructure quickly and easily to bypass many content filters.”

It also follows the discovery of a fake Java Access Bridge installer that serves as a conduit to deploy the open-source XMRig cryptocurrency miner, per SonicWall.

The network security company said it also discovered a Golang malware that “uses multiple geographic checks and publicly available packages to screenshot the system before installing a root certificate to the Windows registry for HTTPS communications to the [command-and-control server].”

Apr 05, 2024NewsroomCyber Espionage / Cybersecurity

Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted by a new version of an “evolving threat” called JSOutProx.

“JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET,” Resecurity said in a technical report published this week.

“It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target.”

First identified in December 2019 by Yoroi, early attacks distributing JSOutProx have been attributed to a threat actor tracked as Solar Spider. The operations track record of striking banks and other big companies in Asia and Europe.

In late 2021, Quick Heal Security Labs detailed attacks leveraging the remote access trojan (RAT) to single out employees of small finance banks from India. Other campaign waves have taken aim at Indian government establishments as far back as April 2020.

Attack chains are known to leverage spear-phishing emails bearing malicious JavaScript attachments masquerading as PDFs and ZIP archives containing rogue HTA files to deploy the heavily obfuscated implant.

“This malware has various plugins to perform various operations such as exfiltration of data, performing file system operations,” Quick Heal noted [PDF] at the time. “Apart from that, it also has various methods with offensive capabilities that perform various operations.”

The plugins allow it to harvest a wide range of information from the compromised host, control proxy settings, capture clipboard content, access Microsoft Outlook account details, and gather one-time passwords from Symantec VIP. A unique feature of the malware is its use of the Cookie header field for command-and-control (C2) communications.

JSOutProx also stands for the fact that it’s a fully functional RAT implemented in JavaScript.

“JavaScript simply does not offer as much flexibility as a PE file does,” Fortinet FortiGuard Labs said in a report released in December 2020, describing a campaign directed against governmental monetary and financial sectors in Asia.

“However, as JavaScript is used by many websites, it appears to most users as benign, as individuals with basic security knowledge are taught to avoid opening attachments that end in .exe. Also, because JavaScript code can be obfuscated, it easily bypasses antivirus detection, allowing it to filter through undetected.”

The latest set of attacks documented by Resecurity entails using fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. The activity is said to have witnessed a spike starting February 8, 2024.

The artifacts have been observed hosted on GitHub and GitLab repositories, which have since been blocked and taken down.

“Once the malicious code has been successfully delivered, the actor removes the repository and creates a new one,” the cybersecurity company said. “This tactic is likely related to the actor uses to manage multiple malicious payloads and differentiate targets.”

The exact origins of the e-crime group behind the malware are presently unknown, although the victimology distribution of the attacks and the sophistication of the implant alludes to them originating from China or affiliated with it, Resecurity posited.

The development comes as cyber criminals are promoting on the dark web new software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud and anonymization.

Offered for only $80 per month (or $700 for a lifetime license), the tool allows the operators to spoof GPS locations, emulate specific network and software settings, mimic settings of known Wi-Fi access points, as well as bypass anti-fraud filters.

Such tools could have serious security implications as they open the door to a broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content.

“The ease of access to GEOBOX raises significant concerns within the cybersecurity community about its potential for widespread adoption among various threat actors,” Resecurity said.

Apr 02, 2024NewsroomMalvertising / Threat Intelligence

The threat actor known as TA558 has been attributed to a new massive phishing campaign that targets a wide range of sectors in Latin America with the goal of deploying Venom RAT.

The attacks primarily singled out hotel, travel, trading, financial, manufacturing, industrial, and government verticals in Spain, Mexico, United States, Colombia, Portugal, Brazil, Dominican Republic, and Argentina.

Active since at least 2018, TA558 has a history of targeting entities in the LATAM region to deliver a variety of malware such as Loda RAT, Vjw0rm, and Revenge RAT.

The latest infection chain, according to Perception Point researcher Idan Tarab, leverages phishing emails as an initial access vector to drop Venom RAT, a fork of Quasar RAT that comes with capabilities to harvest sensitive data and commandeer systems remotely.

The disclosure comes as threat actors have been increasingly observed using the DarkGate malware loader following the law enforcement takedown of QakBot last year to target financial institutions in Europe and the U.S.

“Ransomware groups utilize DarkGate to create an initial foothold and to deploy various types of malware in corporate networks,” EclecticIQ researcher Arda Büyükkaya noted.

“These include, but are not limited to, info-stealers, ransomware, and remote management tools. The objective of these threat actors is to increase the number of infected devices and the volume of data exfiltrated from a victim.”

It also follows the emergence of malvertising campaigns designed to deliver malware like FakeUpdates (aka SocGholish), Nitrogen, and Rhadamanthys.

Earlier this month, Israeli ad security company GeoEdge revealed that a notorious malvertising group tracked as ScamClub “has shifted its focus towards video malvertising assaults, resulting in a surge in VAST-forced redirect volumes since February 11, 2024.”

The attacks entail the malicious use of Video Ad Serving Templates (VAST) tags – which are used for video advertising – to redirect unsuspecting users to fraudulent or scam pages but only upon successful passage of certain client-side and server-side fingerprinting techniques.

A majority of the victims are located in the U.S. (60.5%), followed by Canada (7.2%), the U.K. (4.8%), Germany (2.1%), and Malaysia (1.7%), among others.

Mar 29, 2024NewsroomSupply Chain Attack / Threat Intelligence

The maintainers of the Python Package Index (PyPI) repository briefly suspended new user sign-ups following an influx of malicious projects uploaded as part of a typosquatting campaign.

It said “new project creation and new user registration” was temporarily halted to mitigate what it said was a “malware upload campaign.” The incident was resolved 10 hours later, on March 28, 2024, at 12:56 p.m. UTC.

Software supply chain security firm Checkmarx said the unidentified threat actors behind flooding the repository targeted developers with typosquatted versions of popular packages.

“This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc.), and various credentials,” researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain said. “In addition, the malicious payload employed a persistence mechanism to survive reboots.”

The findings were also corroborated independently by Mend.io, which noted that it detected more than 100 malicious packages targeting machine learning (ML) libraries such as Pytorch, Matplotlib, and Selenium.

The development comes as open-source repositories are increasingly becoming an attack vector for threat actors to infiltrate enterprise environments.

Typosquatting is a well-documented attack technique in which adversaries upload packages with names closely resembling their legitimate counterparts (e.g., Matplotlib vs. Matplotlig or tensorflow vs. tensourflow) in order to trick unsuspecting users into downloading them.

These deceptive variants – totalling over 500 packages, per Check Point – have been found to be uploaded from a unique account starting March 26, 2024, suggesting that the whole process was automated.

“The decentralized nature of the uploads, with each package attributed to a different user, complicates efforts to cross-identify these malicious entries,” the Israeli cybersecurity company said.

Cybersecurity firm Phylum, which has also been tracking the same campaign, said the attackers published –

• 67 variations of requirements
• 38 variations of Matplotlib
• 36 variations of requests
• 35 variations of colorama
• 29 variations of tensorflow
• 28 variations of selenium
• 26 variations of BeautifulSoup
• 26 variations of PyTorch
• 20 variations of pillow
• 15 variations of asyncio

The packages, for their part, check if the installer’s operating system was Windows, and if so, proceed to download and execute an obfuscated payload retrieved from an actor-controlled domain (“funcaptcha[.]ru”).

The malware functions as a stealer, exfiltrating files, Discord tokens, as well as data from web browsers and cryptocurrency wallets to the same server. It further attempts to download a Python script (“hvnc.py”) to the Windows Startup folder for persistence.

The development once again illustrates the escalating risk posed by software supply chain attacks, making it crucial that developers scrutinize every third-party component to ensure that it safeguards against potential threats.

This is not the first time PyPI has resorted to such a measure. In May 2023, it temporarily disabled user sign-ups after finding that the “volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion.”

PyPI suspended new user registrations a second-time last year on December 27 for similar reasons. It was subsequently lifted on January 2, 2024.

Mar 19, 2024NewsroomLinux / Cyber Espionage

A new variant of a data wiping malware called AcidRain has been detected in the wild that’s specifically designed for targeting Linux x86 devices.

The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne’s Juan Andres Guerrero-Saade said in a series of posts on X.

“The new variant […] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/strings, it’s a largely different codebase,” Guerrero-Saade noted.

AcidRain first came to light in the early days of the Russo-Ukrainian war, with the malware deployed against KA-SAT modems from U.S. satellite company Viasat.

An ELF binary compiled for MIPS architectures is capable of wiping the filesystem and different known storage device files by recursively iterating over common directories for most Linux distributions.

The cyber attack was subsequently attributed to Russia by the Five Eyes nations, along with Ukraine and the European Union.

AcidPour, as the new variant is called, is designed to erase content from RAID arrays and Unsorted Block Image (UBI) file systems through the addition of file paths like “/dev/dm-XX” and “/dev/ubiXX,” respectively.

It’s currently not clear who the intended victims are, although SentinelOne said it notified Ukrainian agencies. The exact scale of the attacks is presently unknown.

The discovery once again underscores the use of wiper malware to cripple targets, even as threat actors are diversifying their attack methods for maximum impact.

Mar 18, 2024NewsroomCyber Warfare / Malware

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 leverage the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

The climax of APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.

Mar 15, 2024NewsroomMalvertising / Threat Intelligence

Chinese users looking for legitimate software such as Notepad++ and VNote on search engines like Baidu are being targeted with malicious ads and bogus links to distribute trojanized versions of the software and ultimately deploy Geacon, a Golang-based implementation of Cobalt Strike.

“The malicious site found in the notepad++ search is distributed through an advertisement block,” Kaspersky researcher Sergey Puzan said.

“Opening it, an attentive user will immediately notice an amusing inconsistency: the website address contains the line vnote, the title offers a download of Notepad‐‐ (an analog of Notepad++, also distributed as open-source software), while the image proudly shows Notepad++. In fact, the packages downloaded from here contain Notepad‐‐.”

The website, named vnote.fuwenkeji[.]cn, contains download links to Windows, Linux, and macOS versions of the software, with the link to the Windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).

The Linux and macOS versions, on the other hand, lead to malicious installation packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.

In a similar fashion, the fake look-alike websites for VNote (“vnote[.]info” and “vnotepad[.]com”) lead to the same set of myqcloud[.]com links, in this case, also pointing to a Windows installer hosted on the domain. That said, the links to the potentially malicious versions of VNote are no longer active.

An analysis of the modified Notepad– installers reveals that they are designed to retrieve a next-stage payload from a remote server, a backdoor that exhibits similarities with Geacon.

It’s capable of creating SSH connections, performing file operations, enumerating processes, accessing clipboard content, executing files, uploading and downloading files, taking screenshots, and even entering into sleep mode. Command-and-control (C2) is facilitated by means of HTTPS protocol.

The development comes as malvertising campaigns have also acted as a conduit for other malware such as FakeBat (aka EugenLoader) malware with the help of MSIX installer files masquerading as Microsoft OneNote, Notion, and Trello.

Mar 06, 2024NewsroomPrivacy / Spyware

The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two individuals and five entities associated with the Intellexa Alliance for their role in “developing, operating, and distributing” commercial spyware designed to target government officials, journalists, and policy experts in the country.

“The proliferation of commercial spyware poses distinct and growing security risks to the United States and has been misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal,” the agency said.

“The Intellexa Consortium, which has a global customer base, has enabled the proliferation of commercial spyware and surveillance technologies around the world, including to authoritarian regimes.”

The Intellexa Alliance is a consortium of several companies, including Cytrox, linked to a mercenary spyware solution called Predator. In July 2023, the U.S. government added Cytrox and Intellexa, as well as their corporate holdings in Hungary, Greece, and Ireland, to the Entity List.

Predator, much like NSO Group’s Pegasus, can infiltrate Android and iOS devices using zero-click attacks that require no user interaction. Once installed, the spyware makes it possible for the operators to harvest sensitive data and surveil targets of interest.

OFAC said unspecified foreign actors had deployed Predator against U.S. government officials, journalists, and policy experts.

“In the event of a successful Predator infection, the spyware’s operators can access and retrieve sensitive information including contacts, call logs, and messaging information, microphone recordings, and media from the device,” the Treasury Department said.

The sanctions designations apply to the following individuals and entities –

• Tal Jonathan Dilian (Dilian), the founder of the Intellexa Consortium
• Sara Aleksandra Fayssal Hamou (Hamou), a corporate off-shoring specialist who has provided managerial services to the Intellexa Consortium
• Intellexa S.A., a Greece-based software development company
• Intellexa Limited, an Ireland-based company
• Cytrox AD, a North Macedonia-based company that’s responsible for the development of Predator
• Cytrox Holdings Zartkoruen Mukodo Reszvenytarsasag (Cytrox Holdings ZRT), a Hungary-based entity
• Thalestris Limited, an Ireland-based entity that holds distribution rights to the Predator spyware

It’s worth noting that Intellexa S.A., Intellexa Limited, Cytrox AD, and Cytrox Holdings ZRT were added to the aforementioned economic blocklist last year.

The development comes as new revelations about Predator’s multi-tiered delivery infrastructure from Recorded Future, and Sekoia prompted the operators to shut down their servers.

The sanctions targeting the makers of Predator also arrived after the U.S. government unveiled a new policy last month that will allow it to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware.

Citizen Lab security researcher John Scott-Railton described the OFAC designations as a huge deal, stating they mark the “First time they’re used against a mercenary spyware company.”

“The United States remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.

U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware.

“Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the government said.

The advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Active since May 2019, multiple variants of Phobos ransomware have been identified to date, namely Eking, Eight, Elbie, Devos, Faust, and Backmydata. Late last year, Cisco Talos revealed that the threat actors behind the 8Base ransomware are leveraging a Phobos ransomware variant to conduct their financially motivated attacks.

There is evidence to suggest that Phobos is likely closely managed by a central authority, which controls the ransomware’s private decryption key.

Attack chains involving the ransomware strain have typically leveraged phishing as an initial access vector to drop stealthy payloads like SmokeLoader. Alternatively, vulnerable networks are breached by hunting for exposed RDP services and exploiting them by means of a brute-force attack.

A successful digital break-in is followed by the threat actors dropping additional remote access tools, taking advantage of process injection techniques to execute malicious code and evade detection, and making Windows Registry modifications to maintain persistence within compromised environments.

“Additionally, Phobos actors have been observed using built-in Windows API functions to steal tokens, bypass access controls, and create new processes to escalate privileges by leveraging the SeDebugPrivilege process,” the agencies said. “Phobos actors attempt to authenticate using cached password hashes on victim machines until they reach domain administrator access.”

The e-crime group is also known to use open-source tools such as Bloodhound and Sharphound to enumerate the active directory. File exfiltration is accomplished via WinSCP and Mega.io, after which volume shadow copies are deleted in an attempt to make recovery harder.

The disclosure comes as Bitdefender detailed a meticulously coordinated ransomware attack impacting two separate companies at the same time. The attack, described as synchronized and multifaceted, has been attributed to a ransomware actor called CACTUS.

“CACTUS continued infiltrating the network of one organization, implanting various types of remote access tools and tunnels across different servers,” Martin Zugec, technical solutions director at Bitdefender, said in a report published last week.

“When they identified an opportunity to move to another company, they momentarily paused their operation to infiltrate the other network. Both companies are part of the same group, but operate independently, maintaining separate networks and domains without any established trust relationship.”

The attack is also notable for the targeting of the unnamed company’s virtualization infrastructure, indicating that CACTUS actors have broadened their focus beyond Windows hosts to strike Hyper-V and VMware ESXi hosts.

It also leveraged a critical security flaw (CVE-2023-38035, CVSS score: 9.8) in an internet-exposed Ivanti Sentry server less than 24 hours after its initial disclosure in August 2023, once again highlighting opportunistic and rapid weaponization of newly published vulnerabilities.

Ransomware continues to be a major money spinner for financially motivated threat actors, with initial ransomware demands reaching a median of $600,000 in 2023, a 20% jump from the previous year, according to Arctic Wolf. As of Q4 2023, the average ransom payment stands at $568,705 per victim.

What’s more, paying a ransom demand does not amount to future protection. There is no guarantee that a victim’s data and systems will be safely recovered and that the attackers won’t sell the stolen data on underground forums or attack them again.

Data shared by cybersecurity company Cybereason shows that “a staggering 78% [of organizations] were attacked again after paying the ransom – 82% of them within a year,” in some cases by the same threat actor. Of these victims, 63% were “asked to pay more the second time.”