At a glance.
- Rookie ransomware gang operates from Iran.
- Three malware families tied to corporate espionage group.
- GoldenSpy's operators are trying to cover their tracks.
- Crimson RAT receives upgrades.
Rookie ransomware gang operates from Iran.
Group-IB says a new cybercriminal group operating from Iran is using the Dharma ransomware-as-a-service toolkit against companies in Russia, Japan, China, and India. The hackers are thought to be inexperienced (Group-IB calls them "greeners" and "script kiddies"), although their techniques have been effective. They use Masscan to identify hosts with exposed RDP ports and weak credentials, then brute-force their way in with NLBrute. They use additional publicly available tools to perform reconnaissance, move laterally, and disable antivirus software. The hackers then manually deploy the ransomware and demand one to five bitcoins in payment.
While the group is inexperienced, the researchers believe its emergence is significant because it "suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cybercriminals." Cybercriminal gangs have in the past been primarily associated with Russia and to a lesser extent China.
Three malware families tied to corporate espionage group.
Kaspersky describes a threat actor dubbed "DeathStalker" that appears to be a hacker-for-hire group focused on corporate espionage. The group primarily targets law firms and companies in the financial sector to steal sensitive business information. Notably, Kaspersky suspects that this is the same group that operates the Evilnum malware analyzed by ESET last year.
DeathStalker uses spearphishing emails containing malicious LNK shortcut files disguised as documents. When the shortcut file is clicked, it triggers "a convoluted sequence resulting in the execution of arbitrary code on the victim’s machine." This process leads to the installation of a PowerShell-based backdoor called "Powersing," whose purpose is to install additional malware.
Powersing connects to its command-and-control server by reaching out to one of numerous dead drop resolvers posted publicly on various social media platforms. Each resolver contains a Base64-encoded integer and the AES key required to decode it. The malware divides the decoded integer by a hardcoded constant, and the resulting integer is converted into an IP address.
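The resolver arithmetic described above, as an added analyst-side example that is not code from the Kaspersky report or from Powersing itself. It assumes the AES layer has already been stripped, that the decrypted payload is a decimal integer, and uses a made-up divisor of 1000 in place of the malware's real hardcoded constant; the sample resolver value is constructed.

```python
import base64
import ipaddress

# Constructed sample: the decimal integer 3405803783 * 1000 encoded as Base64 text.
# The real resolvers also carry an AES layer; this example assumes that layer has
# already been removed, and the divisor 1000 is a stand-in for the constant
# hardcoded in the actual malware.
SAMPLE_DIVISOR = 1000
SAMPLE_RESOLVER = base64.b64encode(b"3405803783000").decode("ascii")
# Constructed noise value: what a scraped post looks like when it is not a resolver.
SAMPLE_NOISE = base64.b64encode(b"hello world").decode("ascii")


def decode_resolver(encoded: str, divisor: int) -> str:
    """Recover the C2 IPv4 address from a dead-drop resolver value.

    Mirrors the described steps: Base64-decode the integer, divide by the
    hardcoded constant, and read the quotient as a 32-bit IPv4 address.
    Raises ValueError when the value does not fit that shape, which is the
    sanity check an analyst wants when sweeping many candidate posts.
    """
    raw = base64.b64decode(encoded, validate=True)
    try:
        value = int(raw.decode("ascii").strip())
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("payload is not a decimal integer") from exc
    quotient, remainder = divmod(value, divisor)
    if remainder != 0:
        raise ValueError("value is not a multiple of the hardcoded constant")
    if not 0 <= quotient <= 0xFFFFFFFF:
        raise ValueError("quotient is outside the IPv4 address space")
    return str(ipaddress.IPv4Address(quotient))


def safe_decode(encoded: str, divisor: int):
    """Return the decoded address, or None when the candidate is not a resolver."""
    try:
        return decode_resolver(encoded, divisor)
    except ValueError:
        return None


if __name__ == "__main__":
    print(safe_decode(SAMPLE_RESOLVER, SAMPLE_DIVISOR))  # 203.0.113.7
    print(safe_decode(SAMPLE_NOISE, SAMPLE_DIVISOR))     # None
```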
Kaspersky identified multiple similarities between Powersing, Evilnum, and another malware family called "Janicab." The researchers assess "with medium confidence" that all three malware families are operated by the same threat actor.
The group doesn't limit its activities to any particular region. It's used Powersing against organizations in Argentina, China, Cyprus, Israel, Lebanon, Switzerland, Taiwan, Turkey, the United Kingdom, and the United Arab Emirates. Kaspersky has observed victims of Evilnum in Cyprus, India, Lebanon, Russia, and the United Arab Emirates. The researchers conclude that "any company in the financial sector could catch DeathStalker's attention, no matter its geographic location."
GoldenSpy's operators are trying to cover their tracks.
Trustwave's SpiderLabs reports finding five versions of an uninstaller for the GoldenSpy backdoor carried by tax software whose use is required of companies doing business in China. The uninstaller was dropped by an update module to erase GoldenSpy before deleting itself. Trustwave believes the uninstallers were deployed by those behind the GoldenSpy backdoor to cover their traces. The actors also issued modified versions of the uninstallers which Trustwave says were "specifically designed to evade our YARA rules we published."
One of the variants connected to an IP address that resolved to the website of "Ningbo Digital Technology," a company that says it provides "technical support for professional organizations and technology service companies." The website offers two executable files for download: one is the GoldenSpy uninstaller, and the other is a GoldenSpy dropper. Trustwave believes this entity is involved in the development of the uninstaller.
The researchers conclude that their findings "should serve as a wakeup call for organizations because it proves any actions including implanting and extracting malware can be taken covertly and at the will of the attacker with the help of the updater module without impacting the functionality of the Golden Tax software."
Crimson RAT receives upgrades.
Kaspersky has released a report on Transparent Tribe (also known as ProjectM and Mythic Leopard), the cyberespionage group behind the Crimson RAT. Attribution of Transparent Tribe, which has been active since at least 2013, remains murky, but Palo Alto Networks and others have seen signs of an association with Pakistan. In the past, the group has primarily targeted Indian military and government personnel, but Kaspersky says this recent campaign shows an increased interest in targets in Afghanistan.
Crimson RAT has been upgraded for the current campaign, with server-side management of infected machines and a newly discovered component dubbed "USBWorm" that infects and steals files from removable drives.
USBWorm takes advantage of the fact that Windows hides file extensions by default. When it infects a device, the malware lists all directories on the device and creates copies of itself using the same names as the directories. It then changes all the legitimate directories to "hidden," so they won't be visible to the user. The malware is an executable file that uses the same folder icon used by Windows directories. As a result, someone using a Windows machine with default settings will see the expected list of directories, since the malware's .exe file extension is hidden. Each copy of the malware contains a path to the directory it's impersonating, and it opens this directory when the malware is executed. As a result, there will be nothing amiss from the user's point of view: they click on a folder and the folder opens as expected, while the malware runs silently in the background.
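A defender-side check for the pattern described above, added here as an example and not code from Kaspersky or from the Crimson RAT report: it walks a drive and flags any executable that shares its name with a sibling directory, reporting whether that directory carries the hidden attribute. The sample drive layout is constructed in a temporary folder; the placeholder `.exe` contents are not real binaries.

```python
import os
import stat
import tempfile
from pathlib import Path

# File types Windows will run when a user double-clicks what looks like a folder.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
# Windows hidden attribute bit; stat exposes it on all platforms since 3.5, fallback kept for safety.
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def is_hidden(path: Path) -> bool:
    """True if the path has the Windows hidden attribute (dot-prefix on other platforms)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def find_folder_impersonators(root):
    """Return (name, exe_path, dir_path, dir_hidden) for every executable whose
    base name matches a directory in the same folder, the trace USBWorm leaves."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dir_names = set(dirnames)
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() in EXECUTABLE_EXTS and stem in dir_names:
                dir_path = Path(dirpath, stem)
                findings.append((stem, str(Path(dirpath, fn)), str(dir_path), is_hidden(dir_path)))
    return findings


def build_sample_drive() -> str:
    """Constructed stand-in for an infected drive: two real folders, one executable
    named after each, and an unrelated installer that must not be flagged."""
    root = tempfile.mkdtemp(prefix="usbworm_demo_")
    for name in ("Reports", "Photos"):
        os.makedirs(os.path.join(root, name))
        Path(root, name + ".exe").write_bytes(b"MZ placeholder, not a real binary")
    Path(root, "setup.exe").write_bytes(b"MZ placeholder")
    Path(root, "Photos", "holiday.jpg").write_bytes(b"")
    return root


if __name__ == "__main__":
    for hit in find_folder_impersonators(build_sample_drive()):
        print("folder impersonator:", hit)
```

On a real drive the flagged directories would additionally show `dir_hidden == True`, since USBWorm hides the originals; in the constructed sample they are left visible.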