At a glance.
- Malibot: an info stealer masquerading as a coin miner.
- Nation-states using Hermit spyware.
- Fabricated evidence planted in computers.
- Authorities take down RSOCKS botnet.
- British Home Secretary signs Assange extradition order.
- Russian influence operations appear to fall short of their objective.
- Hacktivism continues to present a problem for Belarus.
- Exercise Cyber Shield wraps up.
Malibot: an info stealer masquerading as a coin miner.
Researchers at F5 Labs describe "Malibot," an Android malware family capable of exfiltrating personal and financial information, SecurityWeek reports. F5 says the malware is typically distributed through fraudulent websites, where it poses as the popular cryptocurrency mining app “TheCryptoApp,” but it may also pose as the Chrome browser or other applications. Its capabilities include web injections and overlay attacks, the ability to run and delete applications, and the theft of cookies, multi-factor authentication codes, text messages, and more. Malibot abuses the Android Accessibility API, which lets it perform actions without user interaction and maintain persistence on the device. The same Accessibility API abuse also lets it defeat Google's two-factor authentication, since the prompts can be approved from the infected device itself.
Malibot uses the same servers that have been used to distribute the Sality malware, and it shares a Russian IP address with other malicious campaigns. So far the malware has primarily targeted customers of Spanish and Italian banks, but it could soon branch out to other regions.
"Hermit" spyware used by nation-state security services.
Lookout researchers have discovered a sophisticated Android spyware family, “Hermit,” that appears to have been created to serve nation-state customers. The spyware, currently in use by Kazakhstan’s government against domestic targets, has also been associated with Italian authorities in 2019, and at other times with an unknown actor in Syria’s Kurdish region.
Hermit was developed by the Italian RCS Lab S.p.A. and Tykelab Srl, the latter probably a front company. RCS Lab was previously a reseller for Italian spyware vendor Hacking Team, and worked with military groups in Bangladesh, Chile, Mongolia, Myanmar, Pakistan, Turkmenistan, and Vietnam.
The researchers believe that the Android spyware is being distributed through text messages that claim to be from legitimate sources, and noted that while an iOS version of the spyware exists, they were unable to obtain a sample. The Android spyware is reported to support 25 modules, of which Lookout was able to analyze 16. Many of the modules collect different forms of data, such as call logs, browser data, photos, and location, while others can exploit rooted devices and make and redirect calls. Lookout security researcher Paul Shunk explained to SecurityWeek that the initial application is a framework with minimal surveillance capability, but that it can fetch and activate modules as needed, which allows the application to fly under the radar during security vetting.
Fabricated evidence planted in computers.
Citing updated research by SentinelOne, Wired reports that police in Pune, India, planted incriminating evidence on the computers of journalists, activists, and academics, evidence that was subsequently used to justify their arrest. SentinelOne has, according to Wired, connected the evidence-planting to activity it reported in its February 2022 study of the ModifiedElephant APT. That report said, "The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests."
US takes down criminal botnet.
The US Attorney for the Southern District of California has announced the takedown of a Russian cyber gang's botnet. Working with partners in Germany, the Netherlands, and the United Kingdom, the US FBI seized RSOCKS, a criminal-to-criminal (C2C) service that sold access to the botnet's compromised devices as proxies. The US Attorney explained, "Once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet’s backend servers. The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic. It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages." RSOCKS charged its criminal clientele between $30 and $200 a day to route their traffic through the proxies.
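The credential-stuffing use case the US Attorney describes is exactly the pattern that makes a proxy botnet valuable to its buyers: every login attempt arrives from a different residential address, so a per-source-IP rate limit never fires. The detector below is an added example, not code from this page, the DOJ announcement, or any vendor; it shows a per-IP control failing against that traffic shape and an endpoint-wide control catching it. The log format, the thresholds, the function names, and the sample lines (built from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data): "<epoch_seconds> <client_ip> <username> <OK|FAIL>".
# The first three lines are ordinary traffic. The remaining 40 model a stuffing
# run in which every attempt arrives through a different proxied address, so no
# single source IP ever exceeds a per-IP rate limit.
SAMPLE_LOG = """\
1000 203.0.113.10 alice OK
1005 203.0.113.11 bob FAIL
1009 203.0.113.11 bob OK
""" + "\n".join(f"{1080 + i} 198.51.100.{i} user{i:03d} FAIL" for i in range(1, 41))

# Assumed log line format; adjust the pattern for a real authentication log.
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>[\d.]+) (?P<user>\S+) (?P<status>OK|FAIL)$")


def parse_log(text):
    """Return a list of (timestamp, ip, username, success) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["ip"], m["user"], m["status"] == "OK"))
    return events


def per_ip_alerts(events, window=60, max_failures=5):
    """The classic per-source control: flag any IP with more than max_failures
    failed logins inside one window. A proxy botnet defeats this by design,
    because each compromised device carries only one or two attempts."""
    counts = defaultdict(int)
    for ts, ip, _user, ok in events:
        if not ok:
            counts[(ts // window, ip)] += 1
    return sorted({ip for (_w, ip), n in counts.items() if n > max_failures})


def stuffing_alerts(events, window=60, min_failures=20, min_users=15,
                    max_per_ip=3, min_fail_ratio=0.8):
    """Endpoint-wide control: a window with many failed logins spread across
    many distinct usernames, a high overall failure ratio, and no single IP
    carrying more than a few attempts has the shape of proxied credential
    stuffing. Thresholds are illustrative and should be tuned per service."""
    per_window = defaultdict(list)
    for ev in events:
        per_window[ev[0] // window].append(ev)

    alerts = []
    for w, evs in sorted(per_window.items()):
        fails = [e for e in evs if not e[3]]
        if len(fails) < min_failures:
            continue
        users = {e[2] for e in fails}
        per_ip = defaultdict(int)
        for e in fails:
            per_ip[e[1]] += 1
        fail_ratio = len(fails) / len(evs)
        if (len(users) >= min_users and max(per_ip.values()) <= max_per_ip
                and fail_ratio >= min_fail_ratio):
            alerts.append({
                "window_start": w * window,
                "failures": len(fails),
                "distinct_users": len(users),
                "distinct_ips": len(per_ip),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rate limit flags:", per_ip_alerts(evs))    # [] : the proxies hide the attacker
    print("endpoint-wide detector:", stuffing_alerts(evs))  # one alert, window starting at 1080
```

The point of the two functions side by side is that the proxy service changes which dimension carries the signal. Source-IP reputation is weak for residential proxies (the addresses belong to real victims and look clean), so the detection keys on the target endpoint and on the spread of usernames and failures, and a response should act there as well, for example by stepping up authentication or slowing the endpoint rather than blocking individual addresses.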
British Home Secretary signs Assange extradition order.
The Telegraph reports that British Home Secretary Priti Patel today signed an order extraditing Wikileaks impresario Julian Assange to the United States, where he faces espionage charges. Mr. Assange's legal team intends to appeal the decision.
Russian influence operations appear to fall short of their objective.
CyberScoop reviews the operation and results of Russian attempts to isolate the portions of Ukraine it occupies and "canalize" the information they receive. This has been done by routing Internet and telecommunications traffic to and from those regions through Russian providers, controlling content and subjecting communications that transit the network to deep packet inspection. The ability to surveil Ukrainians' communications in the occupied regions serves the general goal of controlling the population, but it also serves specific operational security needs, since Ukrainians have regularly reported Russian troop movements and other activities they observe, and that information finds its way to Ukrainian military intelligence.
Content moderation and communications restrictions have other objectives. Victor Zhora, deputy head of Ukraine's SSSCIP, said, "we understand that the objective is to sow disinformation, to sow panic and instability." The propaganda is tailored to the specific audience of each occupied region. “It is to make people understand that they have been forgotten,” Zhora explained, adding that the hopelessness the occupiers seek to instill serves the longer term goal of Russification. “The Ukrainian army is losing their last chance to return to normal life, so please get these Russian passports, continue collaborating, etc.”
Information, while restricted, continues to reach contested regions of Ukraine, and observers give SpaceX's Starlink a good bit of credit for maintaining a degree of connectivity in those areas.
Hacktivism continues to present a problem for Belarus.
Bloomberg Businessweek has a summary account of hacktivism in Belarus. Dissidents oppose both the war against Ukraine (in which Belarus has played a soft supporting role) and President Lukashenka's regime. The Belarusian Cyber-Partisans have formed an alliance with their Ukrainian counterparts, the Ukrainian Cyber Alliance, a connection the Cyber Alliance describes as "natural" given the alignment of the groups' interests. Their activities have concentrated on doxing Russian and Belarusian agencies and companies, and on disrupting Belarusian rail traffic. Belarusian railroads have played a role in delivering logistical support to Russian forces engaged in the invasion of Ukraine.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
Exercise Cyber Shield 2022 wraps up.
National Guard soldiers and airmen, government agency partners, and private-sector partners converged in Little Rock, Arkansas, for Cyber Shield 2022, an annual unclassified cyber training exercise that ran from June 5 to 17 this year. The aim of Cyber Shield, as described by the National Guard, is to “develop, train and exercise cyber forces in the areas of computer network internal defensive measures and cyber incident response.”
A transcript provided by the Illinois National Guard describes the scenario for this year’s Cyber Shield, which focused on the role the National Guard plays in protecting US Department of Defense computer networks. “Cyber Shield is a defensive-focused operation. We specifically focus on our internal defensive measures, stuff that we’re doing within the Department of Defense’s own networks,” Illinois National Guard Lieutenant Colonel Jeffrey Fleming said to the CyberWire. “We train the basics, the basic tenets of cyber, so that whatever network our operators end up on, whether it’s wearing a uniform to support the Governor, active duty side, or taken back to their civilian careers, they have the knowledge and experience to do that wherever we need to operate.”
We'll have more coverage of Cyber Shield when we return next week.