At a glance.
- New Kimsuky malware.
- DoNot APT malware uses Google Firebase Cloud Messaging for C&C.
- APT trends.
- Ransomware against hospitals.
- Turla uses updated malware against European government entity.
New Kimsuky malware.
Cybereason says that a recent alert from the US Cybersecurity and Infrastructure Security Agency (CISA) on the Kimsuky APT led the firm to uncover two new strains of malware used by the North Korean threat actor. The first is a "modular spyware suite dubbed KGH_SPY that provides Kimsuky with stealth capabilities to carry out espionage operations." The second is the CSPY Downloader, which the researchers assess to be "a sophisticated tool with extensive anti-analysis and evasion capabilities, allowing the attackers to determine if “the coast is clear” before downloading additional payloads." Cybereason also identified the infrastructure used by the new tools, and says two of the phishing documents connected to it referenced human rights violations in North Korea (a lure Kimsuky has used before; DPRK intelligence services have an obvious interest in critics of the regime's human rights record).
DoNot APT malware uses Google Firebase Cloud Messaging for C&C.
Cisco Talos says the DoNot APT is using a new Android malware loader dubbed "Firestarter," which uses Google Firebase Cloud Messaging (FCM) "as a mandatory communication channel with the malware." DoNot is known for its interest in India and Pakistan, and this campaign focuses on individuals and non-profits connected to the disputed Kashmir region.
The researchers explain, "This new loader provides at least two important features to the attackers. First, it allows them to decide who receives the payload, being able to verify the victim before sending the payload. Thus, they can prevent the payload from falling into researchers' or law enforcement's hands. Second, it provides them with a powerful off-band persistence mechanism."
This off-band persistence is achieved by using Firebase Cloud Messaging to push the location of new command-and-control servers to an infected device. As a result, the attackers can reestablish contact if the original C&C server is taken offline, and conventional blocking of the C&C domain does not cut the channel. Talos notes that "only Google has the capability to effectively stop the malware, since it's the only institution that could disable the Google FCM mechanism on the victim's device."
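Because FCM is a legitimate Google channel shared with countless benign apps, defenders cannot block it and are left with triage of the app itself. The following is an added example, not Talos's code or anything from the Firestarter samples: a small static-triage script that parses a decoded AndroidManifest.xml, finds services registered for the Firebase messaging event, and flags the combination of an FCM listener with permissions a loader seeking off-band persistence and payload staging would plausibly request. The permission list and both sample manifests are constructed assumptions for illustration; FCM use on its own is not an indicator of compromise.

```python
"""Static triage of a decoded AndroidManifest.xml for FCM-backed loaders.

Added example (not from the original report). Flags apps that register a
Firebase Cloud Messaging service AND request permissions typical of a loader.
FCM alone is benign and extremely common, so this is a triage hint, not a verdict.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
# Intent action every FCM listener service must register for.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
# Assumption: permissions chosen for illustration, not taken from any sample.
SUSPICIOUS_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",   # survive reboot
    "android.permission.REQUEST_INSTALL_PACKAGES",  # stage a second payload
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def triage_manifest(xml_text: str) -> dict:
    """Return package name, FCM listener services, suspicious permissions and
    a boolean 'review' flag (FCM listener present and >= 2 suspicious perms)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NAME) for e in root.iter("uses-permission")}
    fcm_services = [
        svc.get(ANDROID_NAME)
        for svc in root.iter("service")
        if any(a.get(ANDROID_NAME) == FCM_ACTION for a in svc.iter("action"))
    ]
    hits = sorted(perms & SUSPICIOUS_PERMS)
    return {
        "package": root.get("package", ""),
        "fcm_services": fcm_services,
        "suspicious_permissions": hits,
        "review": bool(fcm_services) and len(hits) >= 2,
    }


# Constructed sample: an app with an FCM listener plus loader-style permissions.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Chat">
        <service android:name=".PushService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only uses FCM for notifications.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.news">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="News">
        <service android:name=".FcmService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

In practice the manifest is obtained by decoding the APK (for example with apktool), and a hit should send the sample to dynamic analysis rather than be treated as a conviction; the point of the threshold is only to separate "uses FCM" from "uses FCM and looks like a loader."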
APT trends.
Kaspersky has published its view of APT trends in the third quarter of 2020, concluding, "Among the most interesting APT campaigns this quarter were DeathStalker and MosaicRegressor: the former underlining the fact that APT groups can achieve their aims without developing highly sophisticated tools; the latter representing the leading-edge in malware development." In the case of DeathStalker, Kaspersky notes that the actor appears to be a mercenary group conducting cyberespionage in the financial sector.
Ransomware against hospitals.
FireEye's Mandiant unit has been tracking increased ransomware activity against healthcare institutions. The malware families facilitating these attacks are tracked by Mandiant as KEGTAP, SINGLEMALT, and WINEKEY (also known as BazarLoader or Team9), which CISA says were likely developed by the Trickbot gang. Mandiant's researchers say they are "directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment."
Mandiant adds, "The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life." Charles Carmakal, SVP and CTO of Mandiant, commented that the Eastern European gang behind Ryuk in particular is "one of most brazen, heartless, and disruptive threat actors I’ve observed over my career."
The US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Health and Human Services (HHS) last week issued a joint statement warning that healthcare organizations are under an "increased and imminent" threat from ransomware. The strains deployed are usually Conti and (especially) Ryuk; the perpetrators are Russophone gangsters, not spies. NBC News reports that at least twenty hospitals have been hit in a recent wave of ransomware, with at least six occurring this past week. Many of the attacks were preceded by infestations of Trickbot or the related strain BazarLoader.
The majority of these incidents have been attributed to an Eastern European gang tracked as "Wizard Spider" or "UNC1878," which operates the Ryuk ransomware. Recorded Future's Allan Liska told Reuters, "This appears to have been a coordinated attack designed to disrupt hospitals specifically all around the country. While multiple ransomware attacks against healthcare providers each week have been commonplace, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor."
Cisco Talos offered a similar view of the landscape, stating, "In the last 90 days, roughly 20 percent of incident response engagements this quarter have involved threats affecting the healthcare sector." Talos notes that Ryuk isn't the only one going after hospitals: the Vatet loader was spotted in at least two of these incidents since July, and one ongoing case involved either Vatet or Defray. Microsoft observed in April that Vatet's operators seem "particularly intent on targeting hospitals, as well as aid organizations, insulin providers, medical device manufacturers, and other critical verticals."
Turla uses updated malware against European government entity.
Researchers at Accenture say the Russian cyberespionage group Turla is using updated custom malware to target government organizations. The threat actor used its HyperStack backdoor and remote access Trojans Kazuar and Carbon to compromise an unnamed European government entity. Accenture says the group has been using some of these tools for more than a decade and it "will likely continue to maintain and rely on this ecosystem, and iterations of it, as long as the group targets Windows-based networks." HyperStack is a newer tool, first spotted in 2018. It's a "remote procedure call (RPC)-based backdoor" that's used for moving laterally and communicating with other systems on the local network.
The Estonian government and others have associated Turla with Russia’s Federal Security Service (FSB), according to CyberScoop. Accenture observes that, like other threat actors, Turla is abusing legitimate web services for command-and-control. In this case, Turla used a Pastebin project to serve commands to its Carbon RAT. BleepingComputer notes that Turla is known for its resourcefulness; in the past, the group has used comments on Britney Spears's Instagram photos to point to its command-and-control server.
CISA also this week issued Malware Analysis Reports on two strains of Russian state-sponsored malware. One concerns ComRAT, a PowerShell backdoor and infostealer currently being used by Turla, while the other describes Zebrocy, a backdoor that BleepingComputer says has been attributed to the Russian GRU's APT28 (also known as Fancy Bear).