At a glance.
- APT uses cryptominers as distractions.
- OceanLotus macOS backdoor analyzed.
- Bandook Trojan suspected to be maintained by mercenaries.
- Gootkit resurfaces with REvil in tow.
APT uses cryptominers as distractions.
Microsoft says the nation-state actor BISMUTH (associated with Vietnam's OceanLotus or APT32) deployed cryptomining malware in espionage-focused attacks against private-sector and government entities in France and Vietnam. Redmond believes the cryptominers were primarily meant to deflect attention from the group's stealthier actions, since cryptomining activity is generally perceived as more of a nuisance than a grave threat. The coin miners also provided the added benefit of generating revenue for the threat actor: the attackers in this case made more than a thousand US dollars' worth of Monero.
The threat actor initially gained access to victims' networks via well-crafted spearphishing attacks. Microsoft explains, "The use of coin miners by BISMUTH was unexpected, but it was consistent with the group’s longtime methods of blending in. This pattern of blending in is particularly evident in these recent attacks, starting from the initial access stage: spear-phishing emails that were specially crafted for one specific recipient per target organization and showed signs of prior reconnaissance. In some instances, the group even corresponded with the targets, building even more believability to convince targets to open the malicious attachment and start the infection chain."
Once the attackers gained a foothold, they used PowerShell scripts to move laterally and install additional tools. They eventually dropped Cobalt Strike to maintain persistence, then installed the cryptominer while using Mimikatz to steal credentials.
Microsoft concludes, "Because BISMUTH’s attacks involved techniques that ranged from typical to more advanced, devices with common threat activities like phishing and coin mining should be elevated and inspected for advanced threats. More importantly, organizations should prioritize reducing attack surface and hardening networks against the full range of attacks."
OceanLotus macOS backdoor analyzed.
Trend Micro discovered a new variant of a macOS backdoor used by OceanLotus. The attackers are targeting Vietnamese-speaking users with malicious ZIP files disguised as Word documents. The ZIP file contains a special Unicode control character between the dot and the "doc" at the end of its filename, to give the appearance of a Word file extension:
"The operating system sees the app bundle as an unsupported directory type, so as a default action the 'open' command is used to execute the malicious app. Otherwise, if the postfix is .doc without special characters, Microsoft Word is called to open the app bundle as a document; but since it is not a valid document, the app fails to open it."
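As an added illustration (not code from the Trend Micro report), the following Python check flags ZIP members whose document-style extension is only reached by skipping an invisible Unicode character, and records whether that entry is really a directory, as an app bundle would be. The sample member names and the specific code point (U+200B, zero-width space) are constructed assumptions; the report does not name the exact character used.

```python
import io
import unicodedata
import zipfile

# Constructed sample member names (not real campaign filenames). U+200B is an
# assumed stand-in for the control character described in the report.
SAMPLE_NAMES = [
    "report.doc",                              # benign document name
    "invoice.\u200bdoc/",                      # directory (bundle) posing as .doc
    "invoice.\u200bdoc/Contents/MacOS/run",    # bundle contents
    "notes.txt",
]

DOC_EXTENSIONS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx"}


def hidden_chars(text):
    """Return (offset, char) for every control, format or non-space separator char."""
    return [(i, ch) for i, ch in enumerate(text)
            if unicodedata.category(ch) in ("Cc", "Cf", "Zl", "Zp", "Zs") and ch != " "]


def spoofed_extension(name):
    """True if the last path component looks like '<stem>.<invisible>doc'."""
    base = name.rstrip("/").split("/")[-1]
    if "." not in base:
        return False
    ext = base.rsplit(".", 1)[1]
    if not hidden_chars(ext):
        return False
    visible = "".join(ch for ch in ext if not hidden_chars(ch))
    return visible.lower() in DOC_EXTENSIONS


def scan_zip(data):
    """Return sorted (top_level_name, is_directory) pairs for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            top = parts[0]
            is_dir = info.is_dir() or len(parts) > 1
            if spoofed_extension(top):
                findings[top] = findings.get(top, False) or is_dir
    return sorted(findings.items())


def build_sample_zip():
    """Build an in-memory archive from the constructed names above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"" if name.endswith("/") else b"constructed content")
    return buf.getvalue()


if __name__ == "__main__":
    for name, is_dir in scan_zip(build_sample_zip()):
        print(repr(name), "directory" if is_dir else "file", hidden_chars(name))
```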
The malware also opens a Word file as part of its installation process in order to avoid arousing suspicion. Once installed, the backdoor itself has two purposes: "one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities."
Bandook Trojan suspected to be maintained by mercenaries.
Researchers at Check Point have identified malware campaigns using digitally signed versions of the thirteen-year-old "Bandook" Trojan. Bandook had been used in a 2015 cyberespionage campaign dubbed "Operation Manul" (believed to be a Kazakhstani government operation) and in a 2017 campaign named Dark Caracal (attributed to the Lebanese government's General Security Directorate). The researchers believe the current campaign is a continuation of Dark Caracal activity. The attacks have targeted a wide range of industries in Singapore, Cyprus, Chile, Italy, the United States, Turkey, Switzerland, Indonesia, and Germany.
The Trojan's code isn't open-source, and Check Point believes Bandook's developer rents the malware out to government customers. The researchers state, "In the latest wave of attacks, we once again identified an unusually large variety of targeted sectors and locations. This further reinforces a previous hypothesis that the malware is not developed in-house and used by a single entity, but is part of an offensive infrastructure sold by a third party to governments and threat actors worldwide, to facilitate offensive cyber operations."
Gootkit resurfaces with REvil in tow.
Malwarebytes reports on a wave of attacks in Germany involving the Gootkit banking Trojan. BleepingComputer notes that the gang behind Gootkit had been quiet since last year, when they accidentally exposed their operations by way of an unsecured MongoDB server.
In the current campaign, Gootkit's loader is being delivered via compromised websites that use "an interesting search engine optimization (SEO) technique to customize a fake template that tries to trick users to download a file." Malwarebytes explains, "The template mimics a forum thread where a user asks in German for help about a specific topic and receives an answer which appears to be exactly what they were looking for." The post with the answer to the question contains the download link.
Interestingly, Gootkit is installed via a "sophisticated" custom loader, which in some cases installed the REvil/Sodinokibi ransomware instead. The researchers note, "The REvil group has very strict rules for new members who must pass the test and verify as Russian. One thing we noticed in the REvil sample we collected is that the ransom note still points to decryptor.top instead of decryptor.cc, indicating that this could be an older sample."