At a glance.
- Android spyware targeting Uyghurs.
- NetWire deployed against Indian activists and journalists.
- German COVID-19 task force hit by spearphishing campaign.
- Thanos ransomware builder incorporates RIPlace.
- Gamaredon Group is noisy but effective.
Android spyware targeting Uyghurs.
Trend Micro has discovered a previously undocumented Android spyware strain targeting users in Tibet, Turkey, and Taiwan, with a particular focus on Uyghur Muslims. The researchers have dubbed the malware "ActionSpy," and they've tied it to the China-associated Earth Empusa APT (also known as POISON CARP or Evil Eye). The group uses watering hole tactics and phishing to lure victims to spoofed websites that deliver the malware for installation. The researchers note that these tactics resemble those used in Operation Poisoned News, another recent campaign that targeted iOS users in Hong Kong.
The ActionSpy malware is related to a series of watering hole attacks discovered by Google last year that used five iOS exploit chains to compromise visitors' phones. TechCrunch reported at the time that those attacks were directed at Uyghurs, and were most likely conducted by Chinese state security services. Volexity and the University of Toronto's Citizen Lab have also observed the threat actor targeting the Uyghur community with mobile exploits.
NetWire deployed against Indian activists and journalists.
Amnesty International and Citizen Lab have published a joint report on a spyware campaign that targeted nine Indian activists, lawyers, academics, and journalists between January and November of 2019. Eight of the nine people targeted were involved in campaigns to free eleven activists who were imprisoned after the Bhima Koregaon violence in 2018. The ninth person targeted was working to free GN Saibaba, a jailed academic. At least three of these people had also been targeted with NSO Group's Pegasus spyware via WhatsApp last year.
The attackers in this case sent phishing emails carrying attachments that installed NetWire, a commercially available remote-access trojan (the build used in this campaign targets Windows). The attachments were Windows executables made to look like PDFs: when opened they displayed a genuine decoy PDF while installing the spyware in the background. The dropper files were padded to very large sizes (up to 300 MB), since many antivirus engines skip, or only partially scan, files above a size threshold.
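A quick triage check for this kind of dropper, added here as an illustration and not taken from the Amnesty International or Citizen Lab report: it classifies files by their leading bytes rather than their names, flags Windows executables whose names claim to be documents or carry a double extension, and flags executables above a configurable size ceiling. The ceiling is an assumption, since the scan-size limit of any particular antivirus product is not stated on this page; the sample files are constructed in a temporary directory so the check runs offline.

```python
"""Triage check for document-lookalike droppers (constructed example).

Flags three traits of the droppers described above:
  * a Windows PE whose name claims to be a document (e.g. "notice.pdf.exe"),
  * a double extension ending in an executable type,
  * an executable larger than the size a scanner is assumed to inspect fully.
"""
import os
import tempfile

PE_MAGIC = b"MZ"        # DOS header that begins every Windows executable
PDF_MAGIC = b"%PDF-"    # start of a genuine PDF
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}
# Assumption: the scan-size ceiling of the local AV product is not public, so it
# is a parameter. 100 MB is a placeholder, not a documented vendor limit.
DEFAULT_MAX_SCAN_BYTES = 100 * 1024 * 1024


def sniff_type(path):
    """Classify by content, not by name: a PE stays a PE whatever it is called."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def claimed_extensions(name):
    """'notice.pdf.exe' -> ['.pdf', '.exe'], so double extensions are visible."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def triage_file(path, max_scan_bytes=DEFAULT_MAX_SCAN_BYTES):
    """Return the list of findings for one file (an empty list means nothing odd)."""
    findings = []
    exts = claimed_extensions(os.path.basename(path))
    kind = sniff_type(path)
    size = os.path.getsize(path)
    if kind == "pe" and any(e in DOC_EXTENSIONS for e in exts):
        findings.append("pe_masquerading_as_document")
    if kind == "pe" and size > max_scan_bytes:
        findings.append("oversized_executable")
    if len(exts) > 1 and exts[-1] in EXEC_EXTENSIONS:
        findings.append("double_extension")
    return findings


def triage_directory(directory, max_scan_bytes=DEFAULT_MAX_SCAN_BYTES):
    """Triage every regular file directly inside `directory`."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            results[name] = triage_file(path, max_scan_bytes)
    return results


def demo(max_scan_bytes=4096):
    """Write constructed samples to a temp dir and triage them.

    The padded sample is only a few KB and the limit is lowered to match, so
    the size check is exercised without writing hundreds of megabytes.
    """
    samples = {
        "notice.pdf.exe": PE_MAGIC + b"\x90" * 64,           # PE posing as a PDF
        "padded_notice.pdf.exe": PE_MAGIC + b"\x90" * 8192,  # same, padded past the limit
        "genuine.pdf": PDF_MAGIC + b"1.7\n% constructed decoy\n",
        "tool.exe": PE_MAGIC + b"\x90" * 64,                 # honestly named executable
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return triage_directory(tmp, max_scan_bytes)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:24s} {findings or 'clean'}")
```

Run against a mail-attachment quarantine directory with `triage_directory(path, max_scan_bytes=<your scanner's limit>)`; the content sniff is what matters, since the padding trick relies on the scanner giving up before it reads the file, not on the file being hard to recognise.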
The researchers don't attribute the campaign to any particular actor, although they call for the Indian government to conduct "a full, independent and impartial investigation into these attacks, including by determining whether there are links between this spyware campaign and specific government agencies."
German COVID-19 task force hit by spearphishing campaign.
Researchers at IBM X-Force have identified an ongoing large-scale spearphishing campaign directed against a German corporation that's working with the German government to procure medical gear for COVID-19. The campaign has targeted "more than 100 high ranking executives in management and procurement roles within this organization and its third-party ecosystem," which included a total of around forty organizations. The attackers are sending links to credential-harvesting phishing pages that spoof Microsoft login portals. It's not clear how many of the attacks were successful.
The researchers conclude that the operation "represents a precision-targeting campaign exploiting the race to secure essential PPE. Based on our analysis, attackers likely intended to compromise a single international company’s global procurement operations, along with their partner environments devoted to a new government-led purchasing and logistics structure."
Thanos ransomware builder incorporates RIPlace.
Recorded Future's Insikt Group has spotted a new ransomware-as-a-service family called "Thanos" being sold on criminal forums. Thanos's developer, who goes by "Nosophoros," offers the malware under an affiliate model. The ransomware is growing in popularity, which the researchers attribute to its ease of use.
Thanos isn't particularly complex or sophisticated, but it is notable for its use of the "RIPlace" method to bypass some of the ransomware protections built into Windows 10 and many antivirus products. RIPlace was discovered and disclosed by researchers at Nyotron late last year, and Insikt Group says that Thanos is "the first ransomware family to advertise use of the RIPlace technique, demonstrating a real instance of underground actors weaponizing proofs of concept originating from security research." Recorded Future summarizes RIPlace as "a process to encrypt a target file by leveraging symbolic links through an MS-DOS device name to copy an encrypted version of the file to the original file location." In practice, the technique creates a DOS device name pointing at the target file with DefineDosDevice and then renames the encrypted copy onto that device path; a file-system filter driver that tries to resolve the rename's destination path receives an error, and products that don't treat that error as a reason to block let the overwrite through.
The researchers note that, because of a design flaw in current versions of Thanos, the encryption key is sometimes stored within the binary itself, so some victims may be able to decrypt their data without paying the ransom. This won't work in every case, however, and the flaw will likely be fixed in a future build once the developer notices the mistake.
Gamaredon Group is noisy but effective.
ESET says the Gamaredon threat group is using previously undocumented tools in its hacking campaigns, including a VBA macro for Outlook, delivered as an OTM file (the container in which Outlook stores its VBA project), that's designed to send spearphishing emails to the contact lists of compromised accounts. The researchers point out that "[w]hile abusing a compromised mailbox to send malicious emails without the victim’s consent is not a new technique, we believe this is the first publicly documented case of an attack group using an OTM file and Outlook macro to achieve it."
Gamaredon primarily targets Ukrainian organizations, and although its goal appears to be espionage, ESET observes that the "group seems to make no effort in trying to stay under the radar. Even though their tools have the capacity to download and execute arbitrary binaries that could be far stealthier, it seems that this group’s main focus is to spread as far and fast as possible in their target’s network while trying to exfiltrate data."