At a glance.
- UEFI malware based on Hacking Team tool.
- Iranian APT exploiting Zerologon.
- BlackTech deploys new malware in espionage campaign.
- Fileless attack using Windows Error Reporting.
- Holding coffee for ransom.
UEFI malware based on Hacking Team tool.
Researchers at Kaspersky discovered a modified version of a leaked Hacking Team tool used against two diplomatic targets in Asia, WIRED reports. Hacking Team was a controversial offensive security company based in Italy that suffered a devastating data breach in 2015 that exposed many of its hacking tools. One of these tools, a bootkit dubbed "VectorEDK," served as the basis for the malware found by Kaspersky. The new bootkit differs only slightly from VectorEDK, but it deploys a previously unobserved strain of malware rather than one of Hacking Team's backdoors. This malware is designed to steal data, and is part of a larger malware framework that Kaspersky has named "MosaicRegressor."
BleepingComputer observes that this is only the second UEFI bootkit ever discovered in the wild (the first being LoJax, attributed by ESET to Russia's APT28). This type of malware modifies the device's Unified Extensible Firmware Interface (UEFI)—the firmware that boots up the operating system—so that the device will be reinfected even if the hard drive or operating system is replaced. The researchers don't know exactly how the bootkit is placed on a system, although they note that Hacking Team's VectorEDK relied on an attacker physically plugging a USB key into the target device. They also point out that the malware could have been placed remotely if the attackers were able to compromise the firmware update mechanism, but this remains speculation.
MosaicRegressor, the malware installed by the bootkit, has been used to target "several dozen victims" between 2017 and 2019, all of whom had some connection to North Korea. The victims were diplomatic and NGO targets in Asia, Africa, and Europe. The UEFI bootkit was used against two of these targets. The researchers believe a Chinese-speaking threat actor is behind the attacks, and they estimate "with low confidence" that the actor has previously used a Winnti backdoor.
The researchers conclude, "It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target's SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so. With this in mind, we see that UEFI continues to be a point of interest to APT actors, while at large being overlooked by security vendors."
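Because a firmware implant survives disk replacement, the defender's check has to happen below the operating system: dump the SPI flash image and compare what is actually there against a known-good copy. The script below is an added illustration of that check, not Kaspersky's scanner or anything from the reporting above. It locates UEFI firmware volumes in a dumped image by their `_FVH` signature, validates each header with the 16-bit checksum rule from the UEFI Platform Initialization specification, and flags any volume whose SHA-256 is not in a baseline set. The baseline set and the sample image are constructed here so the example runs offline; a real baseline would come from the vendor's firmware image or from a dump taken when the machine was known to be clean.

```python
import hashlib
import struct
import uuid

# Layout of EFI_FIRMWARE_VOLUME_HEADER (UEFI PI spec), little-endian:
# ZeroVector[16], FileSystemGuid[16], FvLength u64, Signature u32 ('_FVH'),
# Attributes u32, HeaderLength u16, Checksum u16, ExtHeaderOffset u16,
# Reserved u8, Revision u8, followed by EFI_FV_BLOCK_MAP_ENTRY {NumBlocks u32, Length u32}
# entries terminated by a {0, 0} entry.
FV_SIGNATURE = b"_FVH"
FV_FIXED = struct.Struct("<16s16sQ4sIHHHBB")   # 56-byte fixed part of the header
SIG_OFFSET = 40                                # ZeroVector(16) + GUID(16) + FvLength(8)
BLOCK_MAP_ENTRY = struct.Struct("<II")
FFS2_GUID = uuid.UUID("8C8CE578-8A3D-4F1C-9935-896185C32DD3")  # EFI_FIRMWARE_FILE_SYSTEM2_GUID


def checksum16(data: bytes) -> int:
    """Sum of little-endian 16-bit words mod 2**16; a valid FV header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def find_volumes(image: bytes) -> list:
    """Locate every '_FVH' signature and parse the enclosing firmware volume header."""
    volumes = []
    pos = image.find(FV_SIGNATURE)
    while pos != -1:
        start = pos - SIG_OFFSET
        if start >= 0 and start + FV_FIXED.size <= len(image):
            (_zero, guid_le, fv_len, _sig, _attrs, hdr_len,
             _cksum, _ext, _res, rev) = FV_FIXED.unpack_from(image, start)
            # Length fields come from untrusted data: bound them before slicing.
            if FV_FIXED.size <= hdr_len <= fv_len <= len(image) - start and hdr_len % 2 == 0:
                header = image[start:start + hdr_len]
                volume = image[start:start + fv_len]
                volumes.append({
                    "offset": start,
                    "length": fv_len,
                    "revision": rev,
                    "fs_guid": str(uuid.UUID(bytes_le=guid_le)),
                    "checksum_ok": checksum16(header) == 0,
                    "sha256": hashlib.sha256(volume).hexdigest(),
                })
        pos = image.find(FV_SIGNATURE, pos + 1)
    return volumes


def audit_image(image: bytes, baseline: set) -> list:
    """Report (offset, reason) for volumes with a damaged header or an unknown hash."""
    findings = []
    for v in find_volumes(image):
        if not v["checksum_ok"]:
            findings.append((v["offset"], "bad header checksum"))
        elif v["sha256"] not in baseline:
            findings.append((v["offset"], "volume hash not in baseline"))
    return findings


def build_volume(payload: bytes) -> bytes:
    """Constructed fixture: a minimal, spec-shaped FV wrapping `payload` (not real firmware)."""
    hdr_len = FV_FIXED.size + 2 * BLOCK_MAP_ENTRY.size   # one block-map entry plus terminator
    fv_len = hdr_len + len(payload)

    def pack(cksum):
        fixed = FV_FIXED.pack(b"\x00" * 16, FFS2_GUID.bytes_le, fv_len, FV_SIGNATURE,
                              0x0004FEFF, hdr_len, cksum, 0, 0, 2)
        return fixed + BLOCK_MAP_ENTRY.pack(1, fv_len) + BLOCK_MAP_ENTRY.pack(0, 0)

    cksum = (-checksum16(pack(0))) & 0xFFFF       # make the header words sum to zero
    return pack(cksum) + payload


# Constructed sample: one clean volume and one whose body was altered by a single byte.
KNOWN_GOOD = build_volume(b"DXE core and drivers (constructed placeholder)")
TAMPERED = bytearray(KNOWN_GOOD)
TAMPERED[-10] ^= 0x01                              # constructed tamper inside the volume body
SAMPLE_IMAGE = b"\xff" * 64 + KNOWN_GOOD + b"\xff" * 32 + bytes(TAMPERED)
BASELINE = {hashlib.sha256(KNOWN_GOOD).hexdigest()}

if __name__ == "__main__":
    for offset, reason in audit_image(SAMPLE_IMAGE, BASELINE):
        print("volume at 0x%x: %s" % (offset, reason))
```

A header checksum failure usually means a corrupt dump rather than an implant; the hash mismatch is the interesting signal, and it only means anything when the baseline was taken from a trusted source.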
Iranian APT exploiting Zerologon.
Microsoft has shared more information on attacks leveraging exploits for the Zerologon vulnerability (CVE-2020-1472). The company's security team tweeted that it "has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks." Mercury (also known as "MuddyWater" or "Static Kitten") is thought to be a contractor working on behalf of the Iranian government, according to ZDNet.
Microsoft explains that the threat actor "leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit."
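The last step of that chain, the Zerologon exploit against a domain controller, leaves a distinctive trace in the Security log: a computer account password change (event 4742) whose subject is ANONYMOUS LOGON, and, on domain controllers with the August 2020 update, event 5829 recording that a vulnerable Netlogon secure channel connection was allowed. The detector below is an added example written for this digest, not Microsoft's or anyone else's tooling. It reads Security events exported as JSON lines, raises an alert for each of those two patterns, and escalates the 4742 alert when a 5829 for the same machine account precedes it within a short window. The event IDs are real; the JSON field names follow the usual event XML data names but are an assumption about the export format, and the log sample is constructed.

```python
import json
from datetime import datetime

# Constructed sample of Security-log records exported as JSON lines (not real telemetry).
# Field names mirror the EventData names in the Windows event XML; adjust to your exporter.
SAMPLE_LOG = """
{"EventID": 5829, "TimeCreated": "2020-10-05T09:11:58Z", "Computer": "DC01.corp.example", "SAMAccountName": "DC01$", "DomainName": "CORP", "AccountType": "Domain Controller", "ClientIpAddress": "10.20.30.40"}
{"EventID": 4742, "TimeCreated": "2020-10-05T09:12:01Z", "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "TargetDomainName": "CORP", "PasswordLastSet": "10/5/2020 9:12:01 AM"}
{"EventID": 4742, "TimeCreated": "2020-10-05T09:30:44Z", "Computer": "DC01.corp.example", "SubjectUserName": "svc-sccm", "SubjectDomainName": "CORP", "TargetUserName": "WS0042$", "TargetDomainName": "CORP", "PasswordLastSet": "10/5/2020 9:30:44 AM"}
{"EventID": 4624, "TimeCreated": "2020-10-05T09:31:10Z", "Computer": "DC01.corp.example", "TargetUserName": "jdoe", "LogonType": 3}
"""


def parse_ts(value: str) -> datetime:
    """Timestamps in the sample are UTC in ISO 8601 form with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_zerologon(jsonl: str, window_seconds: int = 300) -> list:
    """Return alerts for events consistent with Zerologon exploitation.

    Rules:
      * 5829: a DC allowed a vulnerable Netlogon secure channel (medium).
      * 4742 with subject ANONYMOUS LOGON and a machine-account target (high);
        critical when a 5829 for the same account precedes it within the window.
    """
    events = [json.loads(line) for line in jsonl.strip().splitlines()]
    channels = [(parse_ts(e["TimeCreated"]), e.get("SAMAccountName", "").upper())
                for e in events if e.get("EventID") == 5829]
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 5829:
            alerts.append({"severity": "medium", "rule": "vulnerable-netlogon-channel",
                           "account": e.get("SAMAccountName"),
                           "source": e.get("ClientIpAddress"), "time": e["TimeCreated"]})
        elif eid == 4742:
            target = e.get("TargetUserName", "")
            subject = e.get("SubjectUserName", "").upper()
            if subject != "ANONYMOUS LOGON" or not target.endswith("$"):
                continue                      # ordinary, authenticated account maintenance
            when = parse_ts(e["TimeCreated"])
            correlated = any(acct == target.upper()
                             and 0 <= (when - t).total_seconds() <= window_seconds
                             for t, acct in channels)
            alerts.append({"severity": "critical" if correlated else "high",
                           "rule": "anonymous-machine-account-password-change",
                           "account": target, "source": None, "time": e["TimeCreated"]})
    return alerts


if __name__ == "__main__":
    for a in detect_zerologon(SAMPLE_LOG):
        print("%-8s %-42s %s at %s" % (a["severity"], a["rule"], a["account"], a["time"]))
```

The anonymous 4742 on a domain controller's own account is the signal worth paging on; 5829 on its own also identifies the client IP, which in the SharePoint-to-Cobalt Strike chain above would be the already-compromised server rather than an attacker's external address.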
BlackTech deploys new malware in espionage campaign.
Symantec has been tracking an espionage campaign run by the China-associated Palmerworm group (also known as "BlackTech"). The campaign began in August 2019 and continued until at least August 2020. The threat actor is using "a brand new suite of custom malware, targeting organizations in Japan, Taiwan, the U.S., and China." The group also deploys dual-use tools and relies on living-off-the-land tactics where it can.
The threat actor appears to be particularly interested in the finance, media, and construction sectors, with a smaller focus on the electronics and engineering industries. In one incident, attackers remained on the network of a Taiwanese media company for a full year.
Fileless attack using Windows Error Reporting.
Malwarebytes has observed an APT group injecting fileless malware into the Windows Error Reporting (WER) service. The threat actor is using the open-source shellcode launcher CactusTorch and a .NET DLL named "Kraken" to carry out the attack, although the researchers still haven't found the final payload. Malwarebytes notes that other malware families have in the past injected shellcode into the WER executable, including the NetWire Trojan and the Cerber ransomware.
In this case, the malware was distributed via a spearphishing attack with malicious Word documents related to employee compensation. The researchers don't attribute the attack to any specific actor, but they're investigating tenuous connections to the Vietnam-associated APT32 (also known as OceanLotus).
Holding coffee for ransom.
Researchers at Avast Threat Labs have demonstrated how to hold a smart coffee maker for ransom by remotely updating its firmware. The attacker needs to have a foothold on the local network, either by compromising a router, tricking a user into installing a malicious mobile app, or having physical access to the machine.
The researchers write, "By using the ARM assembler we created ransomware that when triggered renders the coffee maker unusable and asks for ransom, while at the same time turning on the hotbed, water dispensing heating element, permanently and spinning up the grinder, forever, displaying the ransom message and beeping. We thought this would be enough to freak any user out and make it a very stressful experience. The only thing the user can do at that point is unplug the coffee maker from the power socket."
The vendor in this case began using a more secure configuration in 2017, but Avast notes that "this also shows a general problem we have with abandoned IoT devices."