At a glance.
- New Russophone threat actor conducts corporate espionage against Russian targets.
- Fifty-five Apple vulnerabilities identified and patched.
- PoetRAT continues targeting Azerbaijan.
- New RAT targets vulnerable Oracle WebLogic Servers.
- Sophisticated hacker-for-hire group identified.
New Russophone threat actor conducts corporate espionage against Russian targets.
Kaspersky has discovered a previously unknown malware toolset that's been "used in highly targeted industrial espionage attacks dating back to 2018." The researchers have dubbed the malware "MontysThree," and they believe the threat actor behind it is newly discovered. Based on language artifacts in the code, Kaspersky thinks the group is Russian-speaking, despite the presence of apparent false flags pointing to a Chinese threat actor. The actor also appears to be focused on Russian-speaking targets, since the malware is configured to run on Windows systems using Cyrillic language settings. Additionally, some of the phishing lures referred to a Russian medical lab.
The malware appears to be built from the ground up, with a mixture of both amateurish and shrewd features. The researchers do note that "the amount of code and therefore effort invested, in MontysThree is significant," although the "overall campaign sophistication doesn’t compare to top notch APT actors in terms of spreading, persistence method."
MontysThree exfiltrates information about the infected system, as well as a list of recently used documents. It can also download data from Google Drive and Dropbox. To achieve persistence, the malware modifies the LNK shortcut files in the Windows Quick Launch panel so that the malicious loader is executed whenever the user opens an application via one of these shortcuts.
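The Quick Launch persistence trick above turns on the contents of ordinary .lnk files, so a defender can audit them by reading the target path and arguments straight out of the Shell Link format (MS-SHLLINK). The following is an added example, not code from Kaspersky's report: it parses the header, LinkInfo local path and StringData of a .lnk blob, flags a shortcut whose target no longer matches the expected application, and builds its own constructed samples; the loader path and the assumption that a tampered shortcut passes the real application as an argument are illustrative, not details from the page.

```python
import struct
# LinkFlags bits 0..7 from MS-SHLLINK and the ShellLink CLSID that every .lnk header carries.
(HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH,
 HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE) = (1 << i for i in range(8))
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

def build_lnk(target, args=""):
    """Constructed sample: minimal .lnk with a LinkInfo local path and optional arguments."""
    flags = HAS_LINKINFO | IS_UNICODE | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * 52  # 76-byte header
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"  # VolumeID: fixed drive, no label
    path = target.encode("ascii") + b"\x00"
    base_off = 0x1C + len(volume)  # LocalBasePath follows the 28-byte LinkInfo header + VolumeID
    info = struct.pack("<IIIIIII", base_off + len(path) + 1, 0x1C, 1, 0x1C, base_off, 0, base_off + len(path))
    tail = struct.pack("<H", len(args)) + args.encode("utf-16-le") if args else b""
    return header + info + volume + path + b"\x00" + tail

def parse_lnk(data):
    """Return (local target path, command-line arguments) from a .lnk blob."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos, target = 0x4C, None
    if flags & HAS_IDLIST:  # skip LinkTargetIDList: 2-byte size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        info_size, _, info_flags, _, base_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 1:  # VolumeIDAndLocalBasePath: null-terminated ANSI path
            target = data[pos + base_off:data.index(b"\x00", pos + base_off)].decode("latin-1")
        pos += info_size
    strings, width = {}, 2 if flags & IS_UNICODE else 1
    for key, bit in (("name", HAS_NAME), ("relpath", HAS_RELPATH), ("workdir", HAS_WORKDIR),
                     ("args", HAS_ARGS), ("icon", HAS_ICON)):
        if flags & bit:  # StringData: 2-byte character count, then UTF-16LE or ANSI characters
            count = struct.unpack_from("<H", data, pos)[0] * width
            strings[key] = data[pos + 2:pos + 2 + count].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count
    return target, strings.get("args", "")

def shortcut_tampered(data, expected_target):
    # Heuristic: a Quick Launch shortcut whose target moved or gained arguments deserves review.
    target, args = parse_lnk(data)
    return (target or "").lower() != expected_target.lower() or bool(args.strip())

# Constructed samples: an untouched browser shortcut, and one rewired to a hypothetical loader
# that receives the real application path as an argument so the user notices nothing.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
BENIGN = build_lnk(IE)
TAMPERED = build_lnk(r"C:\Users\Public\loader.exe", IE)
```

In practice `parse_lnk` would be run over each file under the user's Quick Launch folder and its result compared against a baseline of known application paths.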
Fifty-five Apple vulnerabilities identified and patched.
A group of five white-hat hackers identified and disclosed fifty-five vulnerabilities under Apple's relatively new bug bounty program and have so far received more than $288,000 for their efforts (with more payments expected in the coming months). Eleven of the vulnerabilities were rated "Critical" and twenty-nine were deemed "High-severity." One of the researchers, Sam Curry, wrote in a detailed blog post that the vulnerabilities could have "allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources."
While Curry acknowledged to CyberScoop that parts of the bug bounty process were "a bit confusing and maybe a little frustrating," the researchers concluded that Apple is moving in the right direction:
"Overall, Apple was very responsive to our reports. The turn around for our more critical reports was only four hours between time of submission and time of remediation. Since no-one really knew much about their bug bounty program, we were pretty much going into uncharted territory with such a large time investment. Apple has had an interesting history working with security researchers, but it appears that their vulnerability disclosure program is a massive step in the right direction to working with hackers in securing assets and allowing those interested to find and report vulnerabilities."
PoetRAT continues targeting Azerbaijan.
Cisco Talos says an unnamed threat actor is targeting Azerbaijani government entities and individuals with new versions of PoetRAT. The attackers are using spearphishing attacks to trick victims into downloading malicious documents and enabling macros. The subjects of the phishing lures relate to the conflict between Armenia and Azerbaijan over the disputed territory of Nagorno-Karabakh. The researchers write, "As the geopolitical tensions grow in Azerbaijan with neighbouring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbaijani government departments."
New RAT targets vulnerable Oracle WebLogic Servers.
Bitdefender has observed a new remote access Trojan that exploits a remote code execution vulnerability (CVE-2019-2725) on exposed and unpatched Oracle WebLogic Servers. The malware is written in Golang and appears to be in early development. The researchers believe the malware is connected to the PowerGhost cryptomining botnet, but they haven't observed the new RAT installing additional malware or performing other actions after it infects a device. Still, Bitdefender concludes that "the fact that it lets attackers download and run any binary they choose should be worrisome enough."
Sophisticated hacker-for-hire group identified.
BlackBerry has published a report on Bahamut, a threat actor believed to be an unusually sophisticated and patient group of hackers-for-hire. The group makes use of "a vast empire of fake news websites, social media accounts, and personas," as well as custom-made and publicly available malware, above-average social engineering tactics, and an in-house zero-day exploit developer. Bahamut displays "truly impressive operational security," and its operations are marked by extensive reconnaissance, concentration on particular targets, and attention to detail.
Bahamut was first noticed (and named) by Bellingcat in 2017 as the actor behind a series of spearphishing emails in English and Farsi directed to human rights activists in the Middle East, and BlackBerry ties the group to multiple other reports by different security companies.
While the group's sophistication is on par with nation-state espionage services, "the lack of discernible pattern or unifying motive moved BlackBerry to confirm the group is likely acting as Hack-for-Hire mercenaries." Bellingcat noted in 2017 that the dissimilarity in targeting "only grew with the further enumeration of other targets, describing a broad targeting across the Middle East without wholly implicating any particular interest, despite clear political intent."