At a glance.
- Examining Cycldek's operations.
- Higaisa spearphishing.
- Tycoon ransomware deployed in targeted attacks.
- eCh0raix and Zorab ransomware campaigns.
- Ad fraud in the Google Play Store.
- A hack-for-hire operation.
Examining Cycldek's operations.
Kaspersky published new findings on the China-associated Cycldek threat actor (also known as APT27 or Goblin Panda), which has been conducting cyberespionage against governments in Southeast Asia for the past two years. Based on Cycldek's targeting and patterns of behavior, Kaspersky determined that "the group consists of two operational entities that are active under a mutual quartermaster."
The researchers came to this conclusion after noticing that the group was using two different variants of the NewCore remote access Trojan, which they dubbed "RedCore" and "BlueCore," respectively. By looking at the targeting of each variant, the researchers found that "while all targets were diplomatic and government entities, each cluster of activity had a different geographical focus. The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018." In some cases the two groups' activities overlapped, and they infected the same machines.
Perhaps most notably, Kaspersky found that the operators using the RedCore variant have been deploying a previously unreported malware Kaspersky calls "USBCulprit," which has apparently been in the wild from 2014 until at least the end of 2019. The malware is designed to be carried on a USB drive, most likely to reach and exfiltrate data from airgapped systems: USBCulprit has no network functionality at all and can only move data to and from removable media. Interestingly, the malware doesn't run automatically when the USB drive is plugged in, and the researchers believe this may suggest that its operators were physically present at the target, or relied on a separate lure or loader, to start it.
Higaisa spearphishing.
Malwarebytes has observed an attack that appears to be part of a campaign run by Higaisa, an APT believed to be operating out of the Korean peninsula. Higaisa is known for targeting government officials, human rights organizations, and entities related to North Korea. In this case, the group used malicious LNK files disguised as CVs and International English Language Testing System (IELTS) exam results, which were presumably distributed via spearphishing. The LNK file would trigger the infection process, but the command-and-control server was down at the time the researchers analyzed the attack, so they weren't able to determine the attacker's end goal. Malwarebytes believes this campaign is related to a Higaisa campaign described by Anomali in March.
Tycoon ransomware deployed in targeted attacks.
BlackBerry's Research and Intelligence Team, working with KPMG's UK Cyber Response Services, has discovered a new ransomware strain that's been targeting Windows and Linux systems since at least December 2019. The malware, dubbed "Tycoon," has been used in a limited number of attacks over the past six months, which may indicate that the attackers are selective in their targeting. The researchers also observed potential connections to the Dharma/CrySIS ransomware.
BlackBerry says Tycoon's operators use "highly targeted delivery mechanisms to infiltrate small to medium sized companies and institutions in education and software industries." The attackers gain access via an Internet-facing RDP server, then establish persistence with Image File Execution Options (IFEO) injection, a registry technique that makes Windows launch an attacker-chosen binary whenever a chosen legitimate program is started. The Tycoon malware itself is written in Java and is delivered inside a Trojanized Java Runtime Environment (JRE): the malicious classes are compiled into the obscure Java image (JIMAGE) file format, the container every JDK 9+ runtime uses for its own modules, within the JRE build. BlackBerry notes that this may be the first time a ransomware strain has abused the JIMAGE format to avoid detection.
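Two checks a responder would want against the tradecraft in that paragraph, as an added example (not BlackBerry's or KPMG's code): a parser that pulls execution-redirecting values (the IFEO Debugger value, and the related SilentProcessExit MonitorProcess hook and its GlobalFlag bit) out of a reg export of the relevant keys, and a header check that recognises JIMAGE content by its magic regardless of file name or extension. The registry sample is constructed, and the JIMAGE header layout (0xCAFEDADA magic followed by six 32-bit fields, written in the producing JVM's byte order) is assumed from OpenJDK's public format, not taken from the report.

```python
"""Triage helpers for the two Tycoon tradecraft points above: IFEO persistence
and a JIMAGE container shipped inside a Trojanized JRE. Added example, not
BlackBerry's or KPMG's code. The registry sample is constructed; the IFEO and
SilentProcessExit value semantics and the JIMAGE header layout are assumed
from public documentation, not from the Tycoon report."""
import re
import struct
from typing import List, Optional, Tuple

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
SILENT_EXIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                   r"\CurrentVersion\SilentProcessExit")

# Constructed text in 'reg export' format standing in for a live hive dump.
# The images and paths are invented for the example, not Tycoon indicators.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\winword.exe]
"MonitorProcess"="C:\\ProgramData\\upd\\svc.exe"
'''

_SECTION = re.compile(r"^\[(.+)\]\s*$")
_STRVAL = re.compile(r'^"([^"]+)"="(.*)"\s*$')
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')


def ifeo_findings(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (image, value_name, data) for every value that makes Windows run a
    different binary when `image` starts (IFEO Debugger) or exits
    (SilentProcessExit MonitorProcess, armed by GlobalFlag bit 0x200)."""
    findings = []
    image, kind = None, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        sec = _SECTION.match(line)
        if sec:
            key, image, kind = sec.group(1), None, None
            for prefix, k in ((IFEO_KEY, "ifeo"), (SILENT_EXIT_KEY, "silent_exit")):
                if key.lower().startswith(prefix.lower() + "\\"):
                    image, kind = key[len(prefix) + 1:], k
            continue
        if image is None:
            continue
        sv = _STRVAL.match(line)
        if sv:
            # .reg files double every backslash inside string data
            name, data = sv.group(1), sv.group(2).replace("\\\\", "\\")
            if (kind == "ifeo" and name.lower() == "debugger") or \
               (kind == "silent_exit" and name.lower() == "monitorprocess"):
                findings.append((image, name, data))
            continue
        dv = _DWORD.match(line)
        if dv and kind == "ifeo" and dv.group(1).lower() == "globalflag":
            flags = int(dv.group(2), 16)
            if flags & 0x200:  # FLG_MONITOR_SILENT_PROCESS_EXIT
                findings.append((image, "GlobalFlag", hex(flags)))
    return findings


JIMAGE_MAGIC = 0xCAFEDADA
# Fixed header: magic, version (major<<16 | minor), flags, resource_count,
# table_length, locations_size, strings_size; seven u4 in the writer's byte order.
JIMAGE_HEADER_LEN = 28


def jimage_header(data: bytes) -> Optional[dict]:
    """Parse the JIMAGE header, or return None if `data` is not a JIMAGE blob."""
    if len(data) < JIMAGE_HEADER_LEN:
        return None
    for order in ("<", ">"):
        fields = struct.unpack_from(order + "7I", data, 0)
        if fields[0] == JIMAGE_MAGIC:
            _, version, _, res_count, tbl_len, loc_size, str_size = fields
            return {"byte_order": "little" if order == "<" else "big",
                    "major": version >> 16, "minor": version & 0xFFFF,
                    "resource_count": res_count, "table_length": tbl_len,
                    "locations_size": loc_size, "strings_size": str_size}
    return None


def classify_jimage(path: str, data: bytes) -> str:
    """'not-jimage', 'expected' (the lib/modules file every JDK 9+ runtime
    carries) or 'review' (JIMAGE content under any other name or location)."""
    if jimage_header(data) is None:
        return "not-jimage"
    parts = [p.lower() for p in re.split(r"[\\/]", path) if p]
    if len(parts) >= 2 and parts[-1] == "modules" and parts[-2] == "lib":
        return "expected"
    return "review"


def make_jimage_stub(resource_count: int = 3) -> bytes:
    """Constructed header-only JIMAGE (version 1.0, no resources) for the demo."""
    return struct.pack("<7I", JIMAGE_MAGIC, 1 << 16, 0, resource_count, 8, 0, 0)


if __name__ == "__main__":
    for hit in ifeo_findings(SAMPLE_REG_EXPORT):
        print("execution redirected:", hit)
    print(classify_jimage(r"C:\Users\Public\Libraries\cache.dat", make_jimage_stub()))
```

On a live host, feed ifeo_findings the output of reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg (and the SilentProcessExit key likewise); reg export writes UTF-16, so open the file with encoding="utf-16". Legitimate Debugger values are rare outside developer machines, so every hit deserves a look. The JIMAGE classifier is deliberately conservative: because Tycoon ships a whole JRE, a lib/modules file it labels "expected" still needs its parent JRE checked against the installed, known-good runtimes.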
eCh0raix and Zorab ransomware campaigns.
BleepingComputer reports that the eCh0raix ransomware operators have launched a new campaign targeting QNAP network-attached storage devices. The attackers are exploiting known vulnerabilities in unpatched QNAP devices or brute-forcing credentials on Internet-exposed ones. BleepingComputer notes that QNAP released patches on Friday for three vulnerabilities that could lead to remote code execution, so users are advised to update promptly and to keep the devices' management interfaces off the open Internet.
BleepingComputer also warns that a gang behind another ransomware strain, known as "Zorab," is distributing its own malware via a fake decryptor for the STOP Djvu ransomware. STOP Djvu has actually been 2020's most successful ransomware strain in terms of number of victims, but it's far less reported than other strains because it usually infects home users who are trying to install pirated software. There are legitimate decryptors for older versions of STOP Djvu, and the Zorab operators are taking advantage of this by packaging their ransomware into a fake decryptor. STOP Djvu victims who try to unlock their files with this decryptor will have their data encrypted a second time.
Ad fraud in the Google Play Store.
Researchers at Trend Micro discovered two ad fraud campaigns in the Google Play Store. The first involved two barcode reader apps that had been collectively downloaded more than a million times. These apps worked as barcode readers, but they ran processes in the background that would open and instantly close ads every fifteen minutes, even when the device's screen was turned off. The apps deflected blame from themselves by using the names and icons of other apps on the device. The researchers note that most current Android devices can already scan barcodes with the built-in camera app, so these apps are unnecessary in the first place.
The second campaign involved five apps that contained the Tekya malware discovered by Check Point earlier this year. These apps would also disguise their activity by changing their names and icons to those of other apps on the infected device. All of these apps have since been removed by Google.
Dark Basin's hack-for-hire operation.
The University of Toronto's Citizen Lab this morning released a report on a hack-for-hire operation, "Dark Basin," which targeted "advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries." Dark Basin is said to have been especially interested in US not-for-profits, notably climate change and net neutrality advocates. Among the specific groups targeted are the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Center for International Environmental Law, Oil Change International, Public Citizen, the Conservation Law Foundation, the Union of Concerned Scientists, M+R Strategic Services, and 350.org. There were others in what Citizen Lab calls the "same cluster," but the report declined to name them.
"We found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy," Citizen Lab says. The researchers initially thought Dark Basin might be a state-sponsored group, but concluded instead that its operators were hired guns working for one side of a "contested legal proceeding, advocacy issue, or business deal." Citizen Lab says it's been sharing information with NortonLifeLock, whose researchers have been tracking the same outfit under the name "Mercenary.Armada."
Much of the activity Citizen Lab reports is connected to the climate-change campaign marked with #ExxonKnew, and it was keyed to events surrounding both that advocacy campaign and a New York investigation of ExxonMobil. Email compromise and social engineering, using spoofed email and social media accounts and credential-phishing links, were Dark Basin's principal methods.
While the targeting of climate change advocacy groups was keyed to events involving ExxonMobil, Citizen Lab is careful to say that it has no evidence that would enable it to identify who hired Dark Basin. Nor is there much to finger the clients who may have hired Dark Basin to pay attention to campaigners for net neutrality, to short sellers of particular stocks, to energy or financial services companies, or simply to high-net-worth individuals, particularly Eastern European oligarchs.
Citizen Lab says Dark Basin is run by Delhi-based IT and cybersecurity firm BellTroX. BellTroX's director and owner is Sumit Gupta. According to Citizen Lab, he’s the same Sumit Gupta whom the US Attorney for the Northern District of California charged in 2015 with "crimes related to a conspiracy to access the e-mail accounts, Skype accounts, and computers of people opposing" his co-conspirators in civil lawsuits.
Mr. Gupta is still at large in India, and apparently still running BellTroX. The company's website was up and accessible earlier this morning, but as of 1:00 PM Eastern Time the BellTroX site had been replaced with an "Account suspended" page that included advice to contact your hosting provider. The New York Times says US Federal prosecutors are investigating the latest Dark Basin capers. Citizen Lab draws this lesson from its research: large-scale, commercialized hacking is a serious and growing criminal sector.