At a glance.
- Lazarus Group launches supply chain attacks.
- Pay2Key ransomware targets Israeli companies.
- Malvertising campaign turns to social engineering.
- CostaRicto hacks for hire.
- ICS-focused threat activity in the manufacturing sector.
- Updates on Trickbot disruption efforts.
Lazarus Group launches supply chain attacks.
ESET says North Korea's Lazarus Group ("Hidden Cobra," as some call it) has been abusing a legitimate installation program on South Korean websites to trick users into installing malware. The researchers begin by explaining how South Korean government and banking websites use security software:
"To understand this novel supply-chain attack, you should be aware that South Korean internet users are often asked to install additional security software when visiting government or internet banking websites. WIZVERA VeraPort, referred to as an integration installation program, is a South Korean application that helps manage such additional security software. With WIZVERA VeraPort installed on their devices, users receive and install all necessary software required by a specific website with VeraPort (e.g., browser plug-ins, security software, identity verification software, etc.). Minimal user interaction is required to start such a software installation from a website that supports WIZVERA VeraPort. Usually, this software is used by government and banking websites in South Korea. For some of these websites it is mandatory to have WIZVERA VeraPort installed for users to be able to access the sites’ services."
ESET believes the Lazarus Group compromised legitimate websites that used VeraPort and replaced the file delivered by the software with malware. (The researchers emphasize that VeraPort itself wasn't hacked; the software's functionality was simply abused on certain hacked websites.) The attackers used stolen code-signing certificates to sign their malicious binaries, and changed the malware's filename and metadata to pose as legitimate software. The final payload of the attack is a remote access Trojan that can download additional Lazarus Group tools.
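The mechanism ESET describes turns on two weaknesses: the installer trusted whatever file the (compromised) site handed it, and a valid signature from a stolen certificate was accepted as proof of origin. The following is an added illustration of the layered check a client-side installer can apply before running a delivered file; it is not ESET's, WIZVERA's or VeraPort's code, and every filename, vendor name, thumbprint and file content in it is constructed for the example. A file must match a pinned SHA-256 from the site's manifest and its signing certificate must be the one pinned for that component, so a renamed file with a valid-but-wrong signature, and even a swapped file signed with the right certificate, are both refused.

```python
"""Installer integrity policy: pinned hash plus pinned signer.

Added illustration (not code from ESET, WIZVERA or VeraPort). Models the
decision an installer should make before executing a component delivered
by a website. All identities, thumbprints and file bytes are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class SignerInfo:
    """Result of verifying a file's code signature (constructed values)."""
    subject: str       # subject name on the signing certificate
    thumbprint: str    # fingerprint of the signing certificate
    valid: bool        # True if the signature chained to a trusted root


@dataclass(frozen=True)
class Download:
    """A file handed to the installer by a website, plus its signature check."""
    filename: str
    content: bytes
    signer: SignerInfo


GENUINE_BYTES = b"constructed stand-in for the genuine plug-in installer"
TROJAN_BYTES = b"constructed stand-in for a swapped-in malicious installer"

# Pinned expectations for each component the site may push. In a real
# deployment this manifest would itself be signed and fetched out of band,
# not served from the same (possibly compromised) web page.
PINNED_MANIFEST = {
    "security-plugin.exe": {
        "sha256": hashlib.sha256(GENUINE_BYTES).hexdigest(),
        "signer_subject": "Example Security Vendor (constructed)",
        "signer_thumbprint": "VENDOR-CERT-THUMBPRINT-PLACEHOLDER",
    },
}


def check_download(d: Download, manifest=PINNED_MANIFEST) -> tuple[bool, str]:
    """Allow execution only if name, signer and content all match the pin."""
    entry = manifest.get(d.filename)
    if entry is None:
        return False, "component not in manifest"
    if not d.signer.valid:
        return False, "code signature did not verify"
    # A valid signature is not enough: it must come from the pinned certificate.
    if not hmac.compare_digest(d.signer.thumbprint, entry["signer_thumbprint"]):
        return False, f"signer mismatch: {d.signer.subject}"
    # Even the pinned signer cannot ship bytes other than those the site pinned.
    digest = hashlib.sha256(d.content).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "content hash mismatch"
    return True, "ok"


# Constructed scenarios.
VENDOR_SIGNER = SignerInfo("Example Security Vendor (constructed)",
                           "VENDOR-CERT-THUMBPRINT-PLACEHOLDER", True)
STOLEN_SIGNER = SignerInfo("Unrelated Company (constructed)",
                           "STOLEN-CERT-THUMBPRINT-PLACEHOLDER", True)

GENUINE = Download("security-plugin.exe", GENUINE_BYTES, VENDOR_SIGNER)
# Malware renamed to the expected filename and signed with a stolen, but
# otherwise valid, certificate belonging to a different company.
RENAMED_STOLEN_CERT = Download("security-plugin.exe", TROJAN_BYTES, STOLEN_SIGNER)
# Worst case: the attacker signs with the pinned vendor's own certificate.
VENDOR_CERT_WRONG_BYTES = Download("security-plugin.exe", TROJAN_BYTES, VENDOR_SIGNER)


if __name__ == "__main__":
    for label, dl in [("genuine", GENUINE),
                      ("renamed, stolen cert", RENAMED_STOLEN_CERT),
                      ("vendor cert, wrong bytes", VENDOR_CERT_WRONG_BYTES)]:
        print(f"{label}: {check_download(dl)}")
```

The ordering of the checks matters for what a defender learns from a rejection: a signature that verifies but comes from an unexpected certificate is exactly the stolen-certificate case, and logging the offending subject name gives an immediate lead for revocation and hunting, whereas a hash mismatch under the correct signer points at the delivery channel rather than the vendor's signing key.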
Pay2Key ransomware targets Israeli companies.
Check Point describes a new strain of ransomware dubbed "Pay2Key" that's being used in targeted attacks against Israeli companies. The researchers suspect the attackers are Iranian citizens, since the ransom payments end up in wallets hosted by the legitimate but Iranian-only cryptocurrency exchange Excoino.
The attackers appear to gain initial access to victims' networks via RDP ports. The ransom note claims the attackers have exfiltrated data during the attack, and the actor apparently isn't bluffing. Three non-paying victims have had their data published on the attackers' newly established leaking site.
The ransomware itself seems to be custom-made, with no observable connections to other strains. The malware is well-crafted, but it doesn't use obfuscation and contains debug logs that allowed Check Point to thoroughly analyze its functionality.
Malvertising campaign turns to social engineering.
Malwarebytes says the "malsmoke" malvertising campaign has shifted to using social engineering rather than a browser exploit kit to compromise users. Malsmoke's malicious ads generally lurk on high-traffic adult websites. In this case, the malicious pages attempt to trick users into installing a phony Java update in order to view a saucy video. Installing this file will result in a ZLoader infection.
The researchers note that the shift from exploit kit to social engineering greatly expands malsmoke's target pool: "Instead of targeting a small fraction of visitors to adult sites that were still running Internet Explorer, they’ve now extended their reach to all browsers."
CostaRicto hacks for hire.
Researchers at BlackBerry have been tracking a hack-for-hire group dubbed "CostaRicto," which uses previously unobserved custom malware to launch sophisticated cyberespionage attacks against a wide range of targets, many of which are in the financial sector. BlackBerry says CostaRicto's "targets are scattered across different countries in Europe, Americas, Asia, Australia and Africa, but the biggest concentration appears to be in South Asia (especially India, Bangladesh and Singapore), suggesting that the threat actor could be based in that region, but working on a wide range of commissions from diverse clients." CostaRicto gains access to victims' networks using stolen credentials, then installs its custom remote access Trojan, dubbed "SombRAT."
Interestingly, one of the threat actor's domains was mapped to an IP address previously used in a campaign attributed to APT28 (Fancy Bear, a unit of Russia's GRU). The researchers believe the overlap is either coincidental or caused by APT28's outsourcing some of its work to this mercenary group. They deem it "highly unlikely" that CostaRicto is directly connected to APT28, and conclude that the group is a mercenary actor based on its wide-ranging victimology.
ICS-focused threat activity in the manufacturing sector.
Dragos sees an increase in cyber threat activity targeting the manufacturing sector, although the security firm hasn't seen this sector subjected to the types of sophisticated, destructive attacks that have targeted the energy sector. The researchers conclude that ransomware with ICS-focused capabilities represents the largest threat to the manufacturing sector (and they note that the use of ransomware isn't always restricted to criminal actors). Intellectual property theft by nation-state actors and malicious insiders is also a major problem in this sector.
At least five threat actors associated with nation-states have exhibited interest in this vertical. These groups are CHRYSENE (APT34 or Helix Kitten), MAGNALLIUM (APT33 or Elfin), PARISITE (Fox Kitten or Pioneer Kitten), WASSONITE (linked to the Lazarus Group), and XENOTIME (best known for launching the dangerous TRISIS attack against a Saudi oil and gas facility). Dragos, as a company policy, doesn't offer attribution, but others have associated CHRYSENE, MAGNALLIUM, and PARISITE with Iran, WASSONITE with North Korea, and XENOTIME with Russia.
Updates on Trickbot disruption efforts.
Intel 471 outlines how the gang behind Trickbot has managed to work around disruption efforts launched by US Cyber Command and Microsoft, but the researchers conclude that those efforts did have a visible and possibly lasting effect on Trickbot itself:
"Between Oct. 28, 2020 and Nov. 6, 2020, we have not seen any new Trickbot infection campaigns in our monitoring nor in open source reporting. We observed the number of active and working Trickbot control servers being reduced over time and we were unable to identify any working Trickbot control servers as of Nov. 6."
The researchers note that ransomware operators, particularly those behind Ryuk, have continued launching targeted attacks using BazarLoader (a different Trojan associated with the Trickbot gang), but they conclude that, "At the very least, this disruption activity caused the actors behind Trickbot to spend time and effort setting up new infrastructure instead of impacting and ransoming victims." Intel 471 did spot a new version of Trickbot being distributed on November 9th, but the firm says it's still not clear if the gang will shift back to using Trickbot or if they'll simply stick with BazarLoader as their tool of choice from now on.