At a glance.
- Charming Kitten uses phone calls to connect with targets.
- Transparent Tribe using new Android malware.
- Apple accidentally approves Shlayer malware as legitimate app.
- Qbot gains new functionalities.
- New threat group launches phishing campaign.
- Another mercenary group conducting corporate espionage.
Charming Kitten uses phone calls to connect with targets.
ClearSky says the Iranian threat actor Charming Kitten (also known as APT35) is using phishing lures impersonating journalists at Deutsche Welle and the Jewish Journal to convince targets to click on malicious links. The attackers are using emails, WhatsApp messages, and LinkedIn profiles to either steal the victim's credentials or trick them into installing malware. This campaign is targeting Israeli academics and US government employees.
In some cases, the attackers set up WhatsApp phone calls with the victims and posed as Persian-speaking journalists to account for their accents. ClearSky notes that this technique is uncommon but not unique to this threat actor; North Korea's Lazarus Group was also recently observed connecting with victims over the phone. The researchers explain that "if the attackers have successfully passed the phone call obstacle, they can gain more trust from the victim, compared to an email message."
In the cases described by ClearSky, the attackers first initiated contact with the target under the guise of an Iranian journalist. They invited the target to participate in a webinar with other journalists and experts (the topic of the webinar would be different depending on the target's field of expertise). They eventually moved the conversation to WhatsApp or LinkedIn and sent them a link to a credential-harvesting page hosted on a compromised domain belonging to Deutsche Welle (akademie.dw[.]de). This phishing page presented options for the user to log in via their email account.
Transparent Tribe using new Android malware.
Kaspersky has published a second report on Transparent Tribe, a threat actor believed to be aligned with the government of Pakistan. The researchers say the actor has been using a new strain of Android malware targeting users in India. The information-stealing malware was disguised as a phony version of a COVID-19 contact-tracing app developed by the Indian government. While Kaspersky refrains from attributing threat actors to specific nation states, the researchers note that the Indian government warned its military personnel in April that Pakistani intelligence agencies were targeting their phones via a malicious app spoofing India's national contact-tracing app.
Apple accidentally approves Shlayer malware as legitimate app.
A Shlayer malware sample used in an adware campaign was inadvertently notarized by Apple, TechCrunch reports. College student Peter Dantini found the adware campaign hosted on a malicious website spoofing the legitimate site of Homebrew, a popular macOS package management system. The malware was served from homebrew[.]sh, while Homebrew's legitimate website is brew.sh. While adware is a common threat facing Macs, in this case the malware was allowed to run on the latest versions of macOS, meaning it had passed Apple's inspection process and was fully approved as a legitimate app. Patrick Wardle of Objective-See says the malicious site would prompt the user to install a Flash update, which would deliver the well-known Shlayer malware. Shlayer would then decode and execute adware on the infected system.
Apple promptly revoked the notarization certificates after the matter was brought to their attention. Two days later, however, on August 30th, Wardle said the site was serving new malicious payloads that were also notarized. Apple has since blocked these payloads as well.
It's not clear what happened on Apple's side that allowed the malware to be notarized. Thomas Reed at Malwarebytes took a look at the Shlayer sample used in the campaign and found that it had only minor differences from older versions of Shlayer.
"This leaves us facing two distinct possibilities, neither of which is particularly appealing," Reed writes. "Either Apple was able to detect Shlayer as part of the notarization process, but breaking that detection was trivial, or Apple had nothing in the notarization process to detect Shlayer, which has been around for a couple years at this point."
Reed concludes that the incident serves as further evidence that "you must be just as careful with what you do with your Apple devices as you would be with your Windows or Android devices."
Qbot gains new functionalities.
Check Point says the Qbot banking Trojan now has the ability to hijack email threads to send phishing emails to the victim's contact list. The malware exfiltrates email threads from the victim's Outlook client and sends them to the attacker, allowing the attacker to craft targeted replies to email threads from the victim's account. The emails contain download links for malicious VBS files. The researchers say Qbot has been undergoing rapid development, and the new capabilities were added just before the malware's operators launched a fresh malspam campaign in August. Most of the targets of this campaign are in the government and military sectors, followed by manufacturing, insurance and legal, and healthcare.
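The Qbot behaviour described above combines two signals a mail gateway can check on: the message is a reply into an existing thread, and it carries a link to a script-type download. The following detector is an added illustration, not Check Point's analysis or any product's code; the message samples, the domain files.invalid and the extension list are constructed for the example.

```python
"""Heuristic detector for thread-hijacking malspam of the kind described above.

A message is rated "high" when it is a reply into an existing thread
(In-Reply-To or References header present) and its body links to a
script-type download such as a .vbs file; a script link without thread
context is rated "medium"; everything else is "none".
All sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Download extensions worth alerting on when they arrive as links in mail.
# Assumption: .vbs is taken from the campaign above, the rest are common
# script-dropper formats added for the example.
SCRIPT_EXTENSIONS = {".vbs", ".js", ".jse", ".wsf", ".hta", ".zip"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def body_text(msg: Message) -> str:
    """Collect the text/plain content of a message, multipart or not."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    chunks = []
    for part in parts:
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def risky_links(body: str) -> list[str]:
    """Return every URL in the body whose path ends in a script extension."""
    found = []
    for url in URL_RE.findall(body):
        path = urlparse(url).path.lower()
        if any(path.endswith(ext) for ext in SCRIPT_EXTENSIONS):
            found.append(url)
    return found


def is_thread_reply(msg: Message) -> bool:
    """True when the message claims to continue an existing conversation."""
    return bool(msg.get("In-Reply-To") or msg.get("References"))


def classify(raw_message: str) -> dict:
    """Rate a raw RFC 822 message and explain the rating."""
    msg = message_from_string(raw_message)
    links = risky_links(body_text(msg))
    reply = is_thread_reply(msg)
    if links and reply:
        severity = "high"      # hijacked-thread pattern: reply + script link
    elif links:
        severity = "medium"    # script link, but no thread context
    else:
        severity = "none"
    return {"severity": severity, "thread_reply": reply, "links": links,
            "subject": msg.get("Subject", "")}


# Constructed samples: a hijacked reply, a benign reply, and a cold email.
SAMPLE_HIJACKED_REPLY = """From: alice@example.com
To: bob@example.org
Subject: RE: Q3 invoice
In-Reply-To: <abc123@example.org>
References: <abc123@example.org>
Content-Type: text/plain; charset="utf-8"

Hi Bob, as discussed the updated document is here:
http://files.invalid/docs/invoice_Q3.vbs
"""

SAMPLE_BENIGN_REPLY = """From: alice@example.com
To: bob@example.org
Subject: RE: Q3 invoice
In-Reply-To: <abc123@example.org>
Content-Type: text/plain; charset="utf-8"

Hi Bob, the signed PDF is at https://example.com/report.pdf
"""

SAMPLE_COLD_EMAIL = """From: news@example.net
To: bob@example.org
Subject: Your package
Content-Type: text/plain; charset="utf-8"

Track it here: http://files.invalid/track/label.zip
"""

if __name__ == "__main__":
    for name, raw in [("hijacked", SAMPLE_HIJACKED_REPLY),
                      ("benign", SAMPLE_BENIGN_REPLY),
                      ("cold", SAMPLE_COLD_EMAIL)]:
        print(name, classify(raw))
```

The reply-context check is what separates this pattern from ordinary malspam: a script link inside a genuine-looking thread continuation is the signature of the hijack, so a gateway rule that only looks at attachments or link extensions in isolation will score it the same as a cold email.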
New threat group launches phishing campaign.
Proofpoint identified a new threat actor in March 2020 that's distributing the commodity Trojans Nanocore and AsyncRAT via phishing emails "with colorful images that impersonate local banks, law enforcement, and shipping services." The threat group, which Proofpoint tracks as "TA2719," has sent "low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay." The phishing lures are tailored to the targeted region and purport to come from a real person working at the impersonated organization. The lures aren't particularly sophisticated, but the attackers have evidently put some effort into ensuring that the details are accurate.
Another mercenary group conducting corporate espionage.
Bitdefender has identified another mercenary group that targeted a company "engaged in architectural projects with billion-dollar luxury real-estate developers in New York, London, Australia, and Oman." The group gained entry to the company's networks using a maliciously crafted plugin for the widely used 3D computer graphics tool Autodesk 3ds Max. The plugin exploits a recently disclosed vulnerability to deploy a backdoor, which then exfiltrates a list of files based on their extensions. The attackers then "look at the file listings from each of their victims and then compile [an] HdCrawler binary specific to the victim."