In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector.

BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193.…


In July 2022, the CrowdStrike Intelligence Advanced Research Team hosted the second edition of our Adversary Quest. As in the previous year, this “capture the flag” event featured 12 information security challenges in three different tracks: eCrime, Hacktivism and Targeted Intrusion. In each track, four consecutive challenges awaited the players, requiring different skills including reverse engineering, vulnerability analysis and exploitation, and cryptanalysis.…

Introduction

In April 2022, PT Expert Security Center detected an attack on a number of Russian media and energy companies that used a malicious document called «list.docx» to extract a malicious payload packed with VMProtect. Having analyzed the network packet, we found it to be identical to the one we studied in our report on APT31 tools, suggesting that these may belong to one and the same group.…


For each discovered drive, ROADSWEEP will initialize a new thread which is responsible for encrypting all files within that drive. This thread enumerates the file system using the Windows FindFirstFileW and FindNextFileW APIs. For each root directory, a ransomware note is created with the content and filename noted above.…


By: Joshua Platt and Jason Reaves

PrivateLoader[1,2,3,4] continues to operate as an effective loading service and has recently been using SmokeLoader for its loads.

A recent sample of their SmokeLoader (SHA-256 b01195c3e828d9a79c958e4c810a363d804d51996337db89a5d248096846b27a) uses C2 domains that are a hallmark of PrivateLoader:

host-file-host6.com
host-host-file8.com…

Industrial Spy is a relatively new ransomware group that emerged in April 2022. In some instances, the threat group appears to only exfiltrate and ransom data, while in other cases they encrypt, exfiltrate and ransom data. Industrial Spy started as a data extortion marketplace where criminals could buy large companies’ internal data; they promoted this marketplace using README.txt…


In this blog, the Qualys Research Team explains the mechanics of a Linux malware variant named BPFdoor. We then demonstrate the efficacy of Qualys Custom Assessment and Remediation to detect it, and Qualys Multi-Vector EDR to protect against it.

BPFDoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.…
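The excerpt does not explain the name. BPFDoor does not listen on a port: it opens a raw packet socket and attaches a classic BPF filter that wakes it only for a "magic" packet, so port scans and socket listings keyed on TCP/UDP show nothing. The following is an added example, not Qualys' code or the logic its products use. It parses /proc/net/packet (which lists every AF_PACKET socket with its inode), maps each inode to the owning process through the socket:[N] links in /proc/<pid>/fd, and reports packet sockets held by no process in an allowlist of programs that legitimately sniff. The sample /proc/net/packet content and the allowlist are assumptions for illustration.

```python
"""List AF_PACKET sockets on a Linux host and name their owning processes.

Added example (not Qualys' code). BPFDoor waits for a magic packet on a
raw packet socket with a classic BPF filter attached instead of listening
on a port, so port-based tooling shows nothing. Every packet socket is
listed in /proc/net/packet with its inode, and that inode appears as a
"socket:[N]" link under /proc/<pid>/fd, which is enough to name the owner.
Run as root so every process's fd table is readable.
"""
import os
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample of /proc/net/packet; not captured from a real BPFDoor host.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c5e0a3000 3      3    0800   0     1 0      0      24731
ffff9a1c5e0a3800 3      3    0003   2     1 0      0      31177
"""

# Programs that legitimately hold packet sockets on a typical server. This
# list is an assumption for illustration; tune it to the host's software.
ALLOWLIST: FrozenSet[str] = frozenset(
    {"tcpdump", "dhclient", "dhcpcd", "wpa_supplicant", "lldpd"}
)

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def parse_proc_net_packet(text: str) -> List[Dict[str, str]]:
    """Parse /proc/net/packet into one dict per socket, keyed by its header.

    Proto is the link-layer protocol given to socket(2), in hex:
    0800 = ETH_P_IP (IPv4 frames only), 0003 = ETH_P_ALL (every frame).
    Iface is the bound ifindex; 0 means the socket sees all interfaces.
    """
    lines = text.strip().splitlines()
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, fields)))
    return rows


def socket_owners(proc_root: str = "/proc") -> Dict[str, List[Tuple[int, str]]]:
    """Map every socket inode found in /proc/<pid>/fd to (pid, comm) pairs."""
    owners: Dict[str, List[Tuple[int, str]]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
            fds = os.listdir(os.path.join(pid_dir, "fd"))
        except OSError:  # process exited, or its fd table is not readable to us
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(pid_dir, "fd", fd))
            except OSError:
                continue
            m = SOCKET_LINK.match(target)
            if m:
                owners.setdefault(m.group(1), []).append((int(entry), comm))
    return owners


def unexplained_packet_sockets(
    rows: List[Dict[str, str]],
    owners: Dict[str, List[Tuple[int, str]]],
    allowlist: FrozenSet[str] = ALLOWLIST,
) -> List[Tuple[str, str, List[Tuple[int, str]]]]:
    """Return (inode, proto, holders) for packet sockets held by no allowlisted
    process. A socket with no visible holder is reported too: without root the
    fd tables of other users' processes are unreadable, so the owner may simply
    be hidden from this scan rather than absent."""
    hits = []
    for r in rows:
        holders = owners.get(r["Inode"], [])
        if not any(comm in allowlist for _, comm in holders):
            hits.append((r["Inode"], r["Proto"], holders))
    return hits


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        sockets = parse_proc_net_packet(f.read())
    for inode, proto, holders in unexplained_packet_sockets(sockets, socket_owners()):
        who = ", ".join(f"{pid}:{comm}" for pid, comm in holders) or "(no visible owner)"
        print(f"packet socket inode={inode} proto=0x{proto} held by {who}")
```

A hit is a lead, not a verdict: confirm by reading /proc/<pid>/exe and /proc/<pid>/cmdline for the holder, and remember that a process name is trivially spoofable, so the allowlist only filters noise from known-good daemons.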


A few months ago, we reported on an interesting site called the Chameleon Phishing Page. These websites have the capability to change their background and logo depending on the user’s domain. The phishing site is stored in IPFS (InterPlanetary File System) and after reviewing the URLs used by the attacker, we noticed an increasing number of phishing emails containing IPFS URLs as their payload.…
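What makes IPFS-hosted phishing awkward to block is that the pinned page is reachable through any public gateway, so the gateway hostname is a weak indicator and the content identifier (CID) is the stable one. The following is an added example, not code from the original post: a Python extractor that pulls IPFS references in their three common URL forms out of message text and reduces them to CIDs, run over constructed sample emails. The sample messages and the CIDs in them are placeholders for illustration.

```python
"""Extract IPFS references from email text and reduce them to CIDs.

Added example; not code from the original post. An object pinned to IPFS is
reachable through any public HTTP gateway, so a gateway hostname is a weak
indicator and the content identifier (CID) is the stable one. Three URL
forms carry a CID:
    path gateway       https://<gateway>/ipfs/<cid>/...
    subdomain gateway  https://<cid>.ipfs.<gateway>/...
    native scheme      ipfs://<cid>/...
CIDv0 is 46 base58btc characters beginning with "Qm"; a CIDv1 in the
base32 form gateways use is lower-case and begins with "b".
"""
import re
from typing import List, NamedTuple, Set

# Constructed sample messages with syntactically valid placeholder CIDs;
# none of these is a real campaign.
SAMPLE_EMAILS = [
    "Your mailbox is almost full. Keep your account: "
    "https://ipfs.io/ipfs/QmT78zSuBmuS4z925WZfrqQ1qHaJ56DQaTfyMUF7F8ff5o/login.html",
    "A document was shared with you: "
    "https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/"
    "?user=alice%40example.com",
    "Open in an IPFS-enabled browser: "
    "ipfs://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi/index.html",
    "Minutes from Tuesday's meeting are attached.",
]


class IpfsRef(NamedTuple):
    url: str
    cid: str
    form: str  # "path", "subdomain" or "scheme"


CIDV0 = r"Qm[1-9A-HJ-NP-Za-km-z]{44}"   # base58btc alphabet: no 0, O, I, l
CIDV1_B32 = r"b[a-z2-7]{50,}"           # multibase prefix "b" = base32 lower
CID = f"(?:{CIDV0}|{CIDV1_B32})"
TAIL = r"(?:/[^\s\"'<>]*)?"            # optional path/query after the CID

PATTERNS = [
    ("scheme", re.compile(rf"ipfs://({CID}){TAIL}")),
    ("subdomain", re.compile(rf"https?://({CID})\.ipfs\.[\w.-]+{TAIL}")),
    ("path", re.compile(rf"https?://[\w.-]+(?::\d+)?/ipfs/({CID}){TAIL}")),
]


def extract_ipfs_refs(text: str) -> List[IpfsRef]:
    """Return every IPFS reference in `text`, once per distinct URL."""
    refs: List[IpfsRef] = []
    seen: Set[str] = set()
    for form, pattern in PATTERNS:
        for m in pattern.finditer(text):
            url = m.group(0)
            if url not in seen:
                seen.add(url)
                refs.append(IpfsRef(url=url, cid=m.group(1), form=form))
    return refs


def cid_version(cid: str) -> int:
    """0 for a base58 "Qm..." CID, 1 for a base32 "b..." CID."""
    return 0 if cid.startswith("Qm") else 1


def unique_cids(messages: List[str]) -> Set[str]:
    """The set of CIDs across messages: the value to block or hunt on, since
    the same CID reappears on every gateway the sender rotates through."""
    return {ref.cid for msg in messages for ref in extract_ipfs_refs(msg)}


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        for ref in extract_ipfs_refs(msg):
            print(f"{ref.form:9} v{cid_version(ref.cid)} {ref.cid}  <- {ref.url}")
```

The regexes match only well-formed CIDs, so a lookalike such as a random "/ipfs/" path segment without a valid identifier is ignored rather than reported. Feeding the extracted CIDs to a mail-gateway blocklist catches the same page when it reappears behind a different gateway, which a hostname block does not.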


A few days ago we discovered a very interesting sample that was uploaded from Iran. The document is a contract for the supply of services to an energy company from southern Iran, «Tavangoostar Niro va Gashtavar Jonob». The document also contains a link to this energy company.…

Executive summary

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine — this time aimed at a large software development company whose software is used in various state organizations within Ukraine.…


Fraudsters have long been leveraging the shady corners of the internet to place malicious adverts, leading users to various scams. However, every now and again we see a campaign that goes mainstream and targets some of the world’s top brands.

Case in point, we recently uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams.…


Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has modular plugins and the ability to install rootkits.

Year after year Linux environments increasingly become the target of malware due to continued threat actor interest in the space. Malware targeting Linux environments surged in 2021, with a large amount of innovation resulting in new malicious code, especially ransomware, trojans, and botnets.…


In April 2022, ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised Mac and exclusively uses public cloud storage services to communicate back and forth with its operators. Following analysis, we named it CloudMensis. Its capabilities clearly show that the intent of its operators is to gather information from the victims’ Macs by exfiltrating documents, keystrokes, and screen captures.…


Over the last month a crimeware group best known as 8220 Gang has expanded their botnet to roughly 30,000 hosts globally through the use of Linux and common cloud application vulnerabilities and poorly secured configurations. In a recent campaign, the group was observed making use of a new version of the IRC botnet, PwnRig cryptocurrency miner, and its generic infection script.…



Executive Summary

Organizations around the world rely on the use of trusted, reliable online storage services – such as Dropbox and Google Drive – to conduct day-to-day operations. However, our latest research shows that threat actors are finding ways to take advantage of that trust to make their attacks extremely difficult to detect and prevent.…


Cybercriminals are always looking for innovative techniques to evade security solutions. Based on the Resecurity® HUNTER assessment, attackers are actively leveraging tools allowing them to generate malicious shortcut files (.LNK files) for payload delivery.

Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500s worldwide, has detected an update to one of the most popular tools used by cybercriminals.…


Recently, Antiy deputy chief engineer Li Baisong was interviewed by the Global Times and disclosed the Indian APT group "Confucius" recently identified by Antiy CERT, together with its attacks on Pakistani government and military institutions (the Global Times piece is reposted as today's second article). This is the detailed analysis report.

01 Overview

Recently, while tracking and cataloguing attack events originating from the South Asian subcontinent, Antiy CERT discovered an attack campaign by the Confucius group against Pakistani government and military institutions.

The group's name first appeared in an analysis report published in 2016 by the foreign security vendor Palo Alto Networks [1]. In that report, Palo Alto Networks disclosed the activity of an Indian attack group whose operations date back to at least 2013. The group is adept at spear-phishing emails, watering-hole attacks and phishing websites, combined with extensive social engineering, and uses them to steal sensitive material from government, military and energy targets in China, Pakistan, Bangladesh and other countries neighbouring India. In its early campaigns the group used well-known international websites with public comment features (for example Quora, comparable to China's Zhihu) and embedded the encrypted and encoded address of its trojan's command-and-control server in a public comment. Once the trojan is implanted on a victim host, it retrieves the content of such a comment and decrypts it to recover the real C2 server address. The trojan's first network activity on the victim host therefore looks like an ordinary web request, while the attackers can use these well-known sites to change the C2 address or issue other commands at any time. On one Quora page that the malware connected to, Palo Alto Networks found content posted by the attackers containing the words "Confucius says" (that is, "Master says", or 子曰), and named the group Confucius accordingly. Evidently, in the course of their persistent attacks on China, the attackers have also studied Chinese culture.
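The dead-drop mechanism described above, as an added example that is not the group's code and is not taken from the report. The marker text "Confucius says" is the one the report quotes; the encoding (the address XORed with a static key, then base64) and the key are assumptions for illustration, since the report does not state the real scheme. Both sides of the exchange are shown: the operator producing the comment, and the implant scanning a fetched page for the marker and validating what it decodes.

```python
"""Dead-drop resolver: recover a C2 address hidden in a public web comment.

Added example illustrating the mechanism the report attributes to this
group; it is not the group's code. The marker text "Confucius says" comes
from the report. The encoding here (the address XORed with a static key,
then base64) and the key are assumptions for illustration; the report does
not state the real scheme. The point is the shape of the exchange: the
operator edits a comment on a reputable site, and the implant's first
network contact is an ordinary-looking request to that site.
"""
import base64
import re
from typing import Optional

MARKER = "Confucius says"
KEY = b"zi-yue"  # assumed static XOR key, illustration only

COMMENT_RE = re.compile(re.escape(MARKER) + r"\s*:\s*([A-Za-z0-9+/=]+)")
HOSTPORT_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253}):(?P<port>\d{1,5})$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_drop(c2: str, key: bytes = KEY) -> str:
    """Operator side: the comment text that carries `c2` (host:port)."""
    blob = base64.b64encode(xor_bytes(c2.encode(), key)).decode()
    return f"{MARKER}: {blob}"


def resolve_drop(page_text: str, key: bytes = KEY) -> Optional[str]:
    """Implant side: find the marker in a fetched page and decode the address.

    Every marker occurrence is tried, and a candidate is accepted only if it
    decodes to a plausible host:port, so an ordinary comment that happens to
    contain the marker (or one a defender plants) cannot redirect the implant
    to junk. Returns None when no valid drop is present.
    """
    for m in COMMENT_RE.finditer(page_text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        candidate = xor_bytes(raw, key).decode("utf-8", errors="replace")
        hm = HOSTPORT_RE.match(candidate)
        if hm and 0 < int(hm.group("port")) < 65536:
            return candidate
    return None


# Constructed page text standing in for a fetched Q&A page: one ordinary
# comment that merely contains the marker, then the operator's drop.
SAMPLE_PAGE = (
    '<div class="answer">Confucius says: wisdom is knowing what you do not know.</div>\n'
    f'<div class="answer">Agreed. {encode_drop("updates.example.net:443")}</div>\n'
)

if __name__ == "__main__":
    print(encode_drop("updates.example.net:443"))
    print(resolve_drop(SAMPLE_PAGE))  # updates.example.net:443
```

For defenders the lesson is in what resolve_drop does not need: no hard-coded C2 in the sample to extract, and a first connection to a reputable domain that looks like browsing. The observable is the second connection, to whatever the comment decoded to, so correlating an unexpected process's request to a Q&A or social site with a connection to a new host shortly afterwards is the useful detection rather than the domain of the dead drop itself.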

In the campaign discovered by Antiy CERT, the group mainly impersonated Pakistani government staff to deliver spear-phishing emails to its targets. The email content lures the target into downloading and opening a document with embedded malicious macro code, which implants the open-source QuasarRAT, a custom C++ backdoor, a C# infostealer and a JScript downloader on the target machine.

The campaign has already drawn the attention of the relevant Pakistani government departments. Pakistan's National Telecommunication and Information Technology Security Board (NTISB) has repeatedly issued nationwide cyber threat advisories [2][3] stating that attackers are sending fake phishing emails imitating the Prime Minister's Office to government officials and the public, and asking officials and the public to stay vigilant and not provide any information through links in emails or social media. This report summarises the Confucius group's activity, techniques and tools from 2021 to the present; the overall characteristics of the campaign are summarised in the table below:

Table 1-1 Summary of overall campaign characteristics

Time of attack: 2021 to present
Attack intent: persistent control and information theft
Target: Pakistan
Target sectors: government and military institutions
Techniques: spear-phishing emails, phishing websites, third-party cloud storage services used to host malicious payloads
Target platform: Windows
Lure types: decoy PDF files, malicious macro documents, malicious RTF files, malicious shortcut files, etc.
Development languages: C++, VBScript, C# and JScript
Toolset: C++ backdoor, C# infostealer, C# downloader, open-source QuasarRAT, JScript downloader

02 Campaign analysis

Since the second half of 2021, Antiy CERT has successively captured sample files used by the Confucius group in attacks on Pakistan. The attack timeline of the captured samples is as follows:

▶ June 2021: a malicious RTF document concerning a list of Pakistani army casualties;
▶ August 2021: a macro document concerning a Pakistani military warning about the Pegasus spyware;
▶ August 2021: a macro document concerning tax filing with Pakistan's Federal Board of Revenue;
▶ February 2022: malicious shortcut files disguised as image files;
▶ February 2022: macro documents concerning a COVID-19 vaccination status form and a digital asset audit form for Pakistani government employees;
▶ May 2022: a macro document concerning a job application form for the Pakistani Prime Minister's Office;
▶ June 2022: a malicious macro document concerning Pakistan's Ministry of Foreign Affairs.

In this campaign the attackers mainly delivered spear-phishing emails in the name of Pakistani government staff. Most of the email content relates to the Pakistani government, for example a request in the name of the Prime Minister's Office that government employees update their COVID-19 vaccination status.

Figure 2-1 Phishing email

The attackers embedded different types of malicious links in the body of the phishing emails and in attached PDF files. A target who reads the phishing email is led by the carefully crafted email body and PDF content to click the malicious link and download a document carrying malicious macro code. The malicious links used by the attackers fall into three main categories:

▶ Links to phishing websites impersonating government sites: the attackers used website-cloning tools such as HTTrack to build phishing sites impersonating the official websites of government departments (the Pakistani Prime Minister's Office, the journal of Pakistan's National Defence University and Pakistan's Federal Board of Revenue). When the target follows the link to the phishing site, its content tricks the target into downloading a macro-laden document.

Table 2-1 Impersonated domains

Domain | Impersonated target
pmogov.info…

Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group. This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary’s typical focus on government entities. The attacks result in the deployment of CrimsonRAT, Transparent Tribe’s malware of choice for establishing long-term access into victim networks.…