At a glance.
- Android spyware targeting Uyghurs.
- New ransomware for Macs.
- FakeSpy Android malware receives upgrades.
- Lazarus group tied to Magecart attacks.
- Critical vulnerability in BIG-IP application delivery controllers.
- Purple Fox exploit kit gets an update.
- Tracking Cosmic Lynx, an ambitious BEC gang.
Android spyware targeting Uyghurs.
Researchers at Lookout have discovered four variants of Android spyware used against China's predominantly Muslim Uyghur minority. The researchers say, "These four interconnected malware tools are elements of much larger mAPT (mobile advanced persistent threat) campaigns originating in China, and primarily targeting the Uyghur ethnic minority. Activity of these surveillance campaigns has been observed as far back as 2013." The malware has also been used to a lesser extent against Tibetans. The scope of the campaign reaches beyond China's borders, affecting victims in at least fourteen other countries.
The malware is delivered via Trojanized versions of legitimate Android apps distributed through phishing and fake third-party app stores. Lookout has dubbed the four strains of malware "SilkBean," "DoubleAgent," "CarbonSteal," and "GoldenEagle." The threat actor behind these tools is tied to the China-associated APT15 (also known as Ke3chang, Mirage, Vixen Panda, and Playful Dragon). The actor is known to use at least four other strains of Android spyware, dubbed "HenBox," "PluginPhantom," "Spywaller," and "DarthPusher."
New ransomware for Macs.
Malwarebytes describes a new Mac ransomware variant that's being distributed inside pirated copies of macOS applications. The malware (originally dubbed "EvilQuest," then renamed "ThiefQuest" by Malwarebytes because of a naming conflict with a video game) was discovered by researcher Dinesh Devadoss, and Jamf's Patrick Wardle confirmed that it encrypts every file carrying one of a list of common file extensions. Notably, Wardle doesn't believe the attacker ever receives a decryption key, and the ransom note contains only a Bitcoin address with no per-victim identifier, so the attacker has no way to tell which victims have paid. This suggests that the attackers have no intention of unlocking their victims' data, even after the ransom has been paid.
In addition to ThiefQuest's ability to encrypt data, the malware acts as a keylogger, and "supports a small set of (powerful) commands, that afford a remote attacker complete and continuing access over an infected system." It also searches for and exfiltrates valuable data, including certificates, cryptocurrency wallets, and keys.
Wardle also found that the malware is technically a virus since it's able to locally replicate itself by inserting itself into any executables on the infected machine. Because of this, he recommends that victims simply wipe their systems and start over with a fresh install of macOS.
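Because the item describes ThiefQuest's self-replication only as "inserting itself into any executables," the most useful check a responder can run is mechanism-agnostic: hash every executable before an incident and diff afterwards. The script below is an added example, not Malwarebytes' or Wardle's tooling; the directory layout, the two sample scripts and the prepended "stub payload" are all constructed to exercise the comparison.

```python
"""Baseline-and-verify check for executables (added example).

Records a SHA-256 for every regular file with an execute bit under a root and
later reports anything that changed, appeared or vanished. Example code, not
Malwarebytes' or Wardle's tooling; the tree built in demo() is constructed.
"""
import hashlib
import os
import stat
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_executables(root):
    """Return {relative_path: sha256} for every regular file with an execute bit."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not candidates
            if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue
            result[os.path.relpath(path, root)] = _sha256(path)
    return result


def verify_executables(root, baseline):
    """Compare a tree against a stored baseline.

    Returns {"modified": [...], "added": [...], "removed": [...]}. A file
    infector shows up under "modified"; a dropped payload under "added".
    """
    current = baseline_executables(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: two scripts, then a stub is prepended to one of them."""
    root = tempfile.mkdtemp()
    for name in ("bin/good", "bin/victim"):
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
        os.chmod(path, 0o755)
    baseline = baseline_executables(root)  # in practice, store this off-host

    # Simulate a prepending file infector with an inert, constructed stub.
    victim = os.path.join(root, "bin/victim")
    with open(victim, "rb") as f:
        original = f.read()
    with open(victim, "wb") as f:
        f.write(b"#!/bin/sh\n# stub payload\n" + original)

    return verify_executables(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline has to live somewhere the malware cannot rewrite (off-host or on read-only media); a baseline stored on the infected disk is only as trustworthy as the disk. A clean diff is necessary but not sufficient evidence of a clean machine, which is why Wardle's advice to reinstall still stands.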
FakeSpy Android malware receives improvements.
Cybereason describes a new campaign that's using an upgraded version of the FakeSpy Android malware to target users around the world. FakeSpy is associated with the Chinese-speaking group "Roaming Mantis," and was first observed in October 2017. While previous FakeSpy campaigns were limited to targeting Japanese- and Korean-speaking users, this campaign expands its focus to Europe, the US, and Taiwan.
The attackers send smishing messages with links to a phishing page that spoofs the postal service of the targeted region. These include the US Postal Service, Britain's Royal Mail, France's La Poste, Deutsche Post, Japan Post, Swiss Post, and Taiwan's Chunghwa Post. The phishing pages ask the user to install an APK that poses as the postal service's app. Once installed, the app requests extensive permissions, including the ability to keep running while the phone's screen is turned off.
Notably, the new version of FakeSpy is "significantly more powerful" than earlier variants, with "numerous new upgrades that make it more sophisticated, evasive, and well-equipped." Cybereason says the malware is updated every week with new functionalities, adding that "[t]hese improvements render FakeSpy one of the most powerful information stealers on the market."
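The permission request is the one point in this chain where an analyst or a mobile-device-management policy can say no before the stealer runs. The script below is an added example of triaging a decoded AndroidManifest.xml; the manifest is constructed to resemble a postal-tracking impostor and is not FakeSpy's real manifest, and the capability groupings are this example's own, not an official Android taxonomy.

```python
"""Permission triage for a decoded AndroidManifest.xml (added example).

The manifest below is constructed to resemble a postal-service impostor app;
it is not FakeSpy's real manifest. The groups flag SMS interception, contact
theft, and the wake-lock/boot permissions that let an app keep working with
the screen off. Assumed groupings, not an official Android taxonomy.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

RISK_GROUPS = {
    "sms_interception": {
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "runs_screen_off": {
        "android.permission.WAKE_LOCK",
        "android.permission.RECEIVE_BOOT_COMPLETED",
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    },
    "network": {"android.permission.INTERNET"},
}


def requested_permissions(manifest_xml):
    """Set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def triage(manifest_xml):
    """Map each risk group to the permissions that hit it; escalate on the
    stealer profile (reads SMS and can reach the network)."""
    perms = requested_permissions(manifest_xml)
    hits = {g: sorted(perms & p) for g, p in RISK_GROUPS.items() if perms & p}
    escalate = "sms_interception" in hits and "network" in hits
    return {"groups": hits, "escalate": escalate}


# Constructed sample: a "tracking" app asking for far more than tracking needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.post.tracking">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Post Tracking"/>
</manifest>"""

# Constructed benign comparison: a tracking app that only needs the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.post.tracking">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Post Tracking"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

To get the decoded manifest from a sideloaded APK, run it through apktool or aapt first; the binary manifest inside the APK is not plain XML.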
Lazarus group tied to Magecart attacks.
Researchers at Sansec present evidence suggesting that North Korea's Lazarus Group (or HIDDEN COBRA) is conducting Magecart card-skimming attacks on the websites of large US stores, including the fashion retailer Claire's, Focus Camera, and Paper Source. The skimming malware was placed on sites that were compromised in attacks attributed to the DPRK during the same timeframe. Each of the Magecart attacks displayed the same unique TTPs, indicating that a single actor was responsible for placing the skimming code. The researchers note the possibility that a separate criminal actor could have coincidentally compromised the same sites at the same time as the Lazarus Group, but they consider this highly unlikely. Sansec concludes that "North Korean state sponsored actors have engaged in large scale digital skimming activity since at least May 2019."
Critical vulnerability in BIG-IP application delivery controllers.
Positive Technologies discovered a flaw in F5 Networks' BIG-IP application delivery controllers that can lead to remote code execution. The vulnerability, CVE-2020-5902, carries the maximum CVSS score of 10.0. Threatpost says public exploits for the vulnerability have already been published, and Positive Technologies warned on July 2nd that more than 8,000 vulnerable devices were exposed to the Internet.
Positive Technologies researcher Mikhail Klyuchnikov explained, "By exploiting this vulnerability, a remote attacker with access to the BIG-IP configuration utility could, without authorization, perform remote code execution (RCE). The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network. RCE in this case results from security flaws in multiple components, such as one that allows directory traversal exploitation. This is particularly dangerous for companies whose F5 BIG-IP web interface is listed on search engines such as Shodan. Fortunately, most companies using the product do not enable access to the interface from the internet."
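Two things in Klyuchnikov's description are directly actionable for defenders: the bug chain involves directory traversal, and the exposure that matters is the configuration utility being reachable from the Internet. The scanner below is an added example (not Positive Technologies' or F5's tooling) that reads combined-format web logs and flags both conditions. The log lines and source addresses are constructed, the management-path prefix is a placeholder assumption, and the traversal signatures are generic: plain `../`, the backslash variant, and the `..;` form that Java servlet containers can normalize into a parent-directory reference. Paths are percent-decoded twice so a double-encoded `%252e%252e` is caught as well.

```python
"""Scan web-server access logs for traversal probes against a management UI.

Added example, not Positive Technologies' or F5's tooling. MGMT_PREFIX is a
placeholder assumption for wherever the configuration utility is served; the
log lines are constructed in Apache/nginx combined format.
"""
import ipaddress
import re
from urllib.parse import unquote

MGMT_PREFIX = "/mgmt/"  # assumed placeholder for the configuration utility's path

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# ../  ..\  and the servlet-container ..; variant, matched after decoding.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\.\.;)")


def normalize_path(path):
    """Drop the query string and percent-decode twice to defeat double encoding."""
    return unquote(unquote(path.split("?", 1)[0]))


def analyze(line):
    """Return a record with the reasons a line is suspicious, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m.group("path"))
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("traversal")
    if path.startswith(MGMT_PREFIX):
        try:
            if ipaddress.ip_address(m.group("ip")).is_global:
                reasons.append("mgmt_ui_from_internet")
        except ValueError:
            reasons.append("unparseable_source")
    return {"ip": m.group("ip"), "path": path, "status": m.group("status"), "reasons": reasons}


def scan(lines):
    """Only the records that carry at least one reason."""
    return [r for r in (analyze(l) for l in lines) if r and r["reasons"]]


# Constructed sample log; the public-looking addresses are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2020:10:00:01 +0000] "GET /mgmt/login HTTP/1.1" 200 1234',
    '91.234.56.78 - - [02/Jul/2020:10:00:02 +0000] "GET /mgmt/login HTTP/1.1" 200 1234',
    '91.234.56.78 - - [02/Jul/2020:10:00:03 +0000] "GET /mgmt/..;/console/export HTTP/1.1" 200 512',
    '185.12.34.56 - - [02/Jul/2020:10:00:04 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 0',
    '10.0.0.6 - - [02/Jul/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["path"], rec["reasons"])
```

A hit on "traversal" with a 200 status deserves the most attention; a 404 on the same pattern is a probe that did not land. Neither replaces checking the device's version against the vendor advisory, and an appliance whose management interface answers to public addresses needs that exposure closed regardless of patch level.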
Purple Fox exploit kit gets an update.
Proofpoint says the Purple Fox exploit kit now includes exploits for two Windows vulnerabilities: CVE-2020-0674, a scripting engine memory corruption bug in Internet Explorer patched in February 2020, and CVE-2019-1458, a Win32k privilege-escalation bug patched in December 2019. The Purple Fox exploit kit was apparently built by the authors of the Purple Fox Trojan/rootkit as an in-house replacement for the RIG exploit kit. The researchers say the addition of these two exploits shows that Purple Fox's authors "are active malware developers who take a professional approach by looking to save money and keep their product current."
"Cosmic Lynx" and a Russian gang's BEC crimewave.
Agari has described the activities of Cosmic Lynx, a Russian gang responsible for two hundred business email compromise attacks in forty-six countries over the past year. Tempted as we might be to think that overworked county clerks' offices and gentle little mom-and-pop small businesses are the natural prey of the BEC scammer, Cosmic Lynx has bigger phish to fry. As Agari puts it, "Unlike most BEC groups that are relatively target agnostic, Cosmic Lynx has a clear target profile: large, multinational organizations. Nearly all of the organizations Cosmic Lynx has targeted have a significant global presence and many of them are Fortune 500 or Global 2000 companies."
They're also selective about the people they prospect. Fully three-fourths of them hold the title Managing Director, Vice President, or General Manager.
The gang follows a regular pattern. The pretext is a (bogus) plan to acquire an Asian company. An email impersonating the victim company's CEO asks the targeted executive to work with "external legal counsel" to arrange the payments needed to close the acquisition. That external counsel is a second impersonation, the hijacked identity of a real attorney; Agari says the imposture involves an actual British law firm.
Once the hook is set, the corporate mark is induced to send payments to mule accounts Cosmic Lynx controls. The average Cosmic Lynx ask is $12.7 million, two orders of magnitude larger than the average seen in BEC attacks in general, which normally run around $55,000. The mule accounts are usually in Hong Kong, sometimes in Hungary, Portugal, or Romania, but never in the United States.
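The opening move in that pattern, a message that appears to come from the company's own CEO, is the point a mail gateway can catch. The script below is an added example of that check and is not Agari's detection logic: it compares the From display name against a constructed executive roster, flags an executive's name paired with an address outside the company domain, flags sender domains within a couple of edits of the real one, and flags a Reply-To that steers the conversation to another domain. The company domain, roster and sample messages are all constructed.

```python
"""Flag inbound mail that impersonates an executive (added example).

Not Agari's detection logic. Company domain, executive roster and the three
sample messages are constructed for the example.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed roster


def _norm_name(display):
    """Lower-case 'First Last'; accepts 'Last, First' as well."""
    if "," in display:
        last, first = display.split(",", 1)
        display = first + " " + last
    return " ".join(display.split()).lower()


def _domain(addr):
    return addr.lower().rsplit("@", 1)[-1] if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; a small value against the real domain means lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_mail(raw_message):
    """Return the impersonation indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = _domain(addr)
    flags = []

    # 1. An executive's name on an address that is not that executive's.
    expected = EXECUTIVES.get(_norm_name(display))
    if expected and addr != expected:
        flags.append("exec_display_name_external_address")

    # 2. Sender domain within two edits of ours (examp1e.com, exarnple.com ...).
    if 0 < _edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike_domain")

    # 3. Reply-To moves the thread to a different domain than From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply_to_differs_from_from")
    return flags


# Constructed messages; the .invalid domains are reserved and never resolve.
SAMPLE_MAILS = [
    # CEO's name on a lookalike domain.
    "From: \"Jane Doe\" <jane.doe@examp1e.com>\n"
    "Reply-To: jane.doe@examp1e.com\n"
    "Subject: Confidential acquisition\n\n"
    "Please coordinate payments with our external legal counsel.\n",
    # Legitimate internal message.
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Board deck\n\n"
    "Slides attached.\n",
    # CEO's name on a webmail address, replies steered to 'counsel'.
    "From: \"Doe, Jane\" <jdoe@freemail.invalid>\n"
    "Reply-To: counsel@law-firm.invalid\n"
    "Subject: Urgent: acquisition closing\n\n"
    "Work with external counsel to wire the funds today.\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_MAILS:
        print(parseaddr(message_from_string(raw)["From"]), triage_mail(raw))
```

The first indicator is cheap and high-signal in organizations that keep an executive roster; the lookalike check needs a per-company tuning of the distance threshold, since short domains produce more near-neighbours. None of this catches an attacker writing from a genuinely compromised executive mailbox, which is where the payment-process controls (out-of-band confirmation of any new payee) have to carry the load.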