At a glance.
- APT10 targets Japanese entities.
- Purple Fox gets an upgrade.
- Android malware poses as system update.
- Vulnerable mobile apps.
APT10 targets Japanese entities.
Kaspersky describes a cyberespionage campaign that ran from March 2019 to the end of December 2020. The campaign targeted Japan and entities related to Japan, particularly the country's manufacturing industry. The researchers "assess with high confidence" that China's APT10 is behind the operation. The threat actor gained access by exploiting vulnerabilities in Pulse Connect Secure VPNs or by using previously stolen credentials.
Kaspersky says the actor used a unique loader dubbed "Ecipekac" to deliver fileless malware. The researchers explain, "This campaign introduced a very sophisticated multi-layer malware named Ecipekac and its payloads, which include different unique fileless malware such as P8RAT and SodaMaster. In our opinion, the most significant aspect of the Ecipekac malware is that, apart from the large number of layers, the encrypted shellcodes were being inserted into digitally signed DLLs without affecting the validity of the digital signature. When this technique is used, some security solutions cannot detect these implants. Judging from the main features of the P8RAT and SodaMaster backdoors, we believe that these modules are downloaders responsible for downloading further malware that, unfortunately, we have not been able to obtain so far in our investigation."
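The Ecipekac trick of parking encrypted shellcode inside a signed DLL without breaking the signature works because Authenticode leaves the PE certificate table (the security data directory) out of its hash. As an added defender-side check that is not code from Kaspersky or from the report, the Python below measures how many bytes trail the PKCS#7 blob inside that table; it assumes the implant sits in that region (the page does not say where the shellcode was placed), and the function names and sample tables are constructed for illustration.

```python
import struct

def der_total_length(buf: bytes, offset: int = 0) -> int:
    """Full encoded size (tag + length bytes + content) of the DER element at
    buf[offset]. PKCS#7 SignedData always starts with a SEQUENCE tag (0x30)."""
    if buf[offset] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[offset + 1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(buf[offset + 2:offset + 2 + n], "big")

def cert_table_slack(table: bytes) -> list:
    """Walk the WIN_CERTIFICATE entries of a security directory and report, per
    entry, how many bytes sit after the PKCS#7 blob. Authenticode does not hash
    this region, so appended data survives signature verification."""
    results, pos = [], 0
    while pos + 8 <= len(table):
        dw_length, revision, cert_type = struct.unpack_from("<IHH", table, pos)
        body = table[pos + 8:pos + dw_length]
        pkcs7 = der_total_length(body) if body[:1] == b"\x30" else 0
        slack = body[pkcs7:]
        results.append({"type": cert_type, "declared": len(body), "pkcs7": pkcs7,
                        "slack": len(slack), "all_zero": not slack.strip(b"\x00")})
        pos += (dw_length + 7) & ~7       # entries are 8-byte aligned
    return results

def security_directory(pe: bytes) -> bytes:
    """Pull the certificate table out of a PE image via data directory entry 4
    (IMAGE_DIRECTORY_ENTRY_SECURITY); its 'VirtualAddress' is a file offset."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24                   # 4-byte PE signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112) + 4 * 8   # PE32 vs PE32+ layout
    offset, size = struct.unpack_from("<II", pe, dd)
    return pe[offset:offset + size]

def make_entry(body: bytes) -> bytes:
    """Constructed WIN_CERTIFICATE (revision 2.0, type PKCS#7) for testing."""
    dw_length = 8 + len(body)
    padded = (dw_length + 7) & ~7
    return struct.pack("<IHH", dw_length, 0x0200, 0x0002) + body + b"\x00" * (padded - dw_length)

# Constructed stand-ins, not real signatures: a tiny DER SEQUENCE plays the
# role of the PKCS#7 blob, and 16 NOP bytes stand in for smuggled data.
FAKE_PKCS7 = b"\x30\x82\x00\x04ABCD"
CLEAN_TABLE = make_entry(FAKE_PKCS7)
SMUGGLED_TABLE = make_entry(FAKE_PKCS7 + b"\x90" * 16)
```

Run `cert_table_slack(security_directory(data))` over a DLL's bytes: a few zero bytes of slack are normal alignment padding, while a large non-zero tail in a file whose signature still validates is worth a closer look.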
Purple Fox gets an upgrade.
Guardicore is tracking a malware campaign dubbed "Purple Fox" that's recently added a new propagation method. The malware was discovered in 2018, and would spread via exploit kits and phishing emails. In late 2020, however, the malware operators began gaining access by brute-forcing exposed SMB services:
"While it appears that the functionality of Purple Fox hasn’t changed much post exploitation, its spreading and distribution methods – and its worm-like behavior – are much different than described in previously published articles. Throughout our research, we have observed an infrastructure that appears to be made out of a hodge-podge of vulnerable and exploited servers hosting the initial payload of the malware, infected machines which are serving as nodes of those constantly worming campaigns, and server infrastructure that appears to be related to other malware campaigns."
The malware can also now deploy a rootkit that's based on the open-source "hidden" project. Additionally, the researchers found a "vast network" of nearly 2,000 compromised servers used to host the malware. Most of these servers were running outdated Microsoft IIS version 7.5 and FTP.
Android malware poses as system update.
Zimperium has discovered a malicious Android app that masquerades as a system update. The app was distributed via a third-party store, and Google says the app was never available from the Google Play Store. The malware is able to "record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more." It can take photos with both the front and back cameras of the phone, and deletes the files it creates immediately after uploading them to the command-and-control server.
The researchers also note, "An aggressive capability of the spyware is to access and steal the contents cached and stored in the external storage. In an attempt to not exfiltrate all the images/videos, which can usually be quite large, the spyware steals the thumbnails which are much smaller in size. This would also significantly reduce the bandwidth consumption and avoid showing any sign of data exfiltration over the internet (assisting in evading detection). When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C&C, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C&C."
Vulnerable mobile apps.
Synopsys has published a report on mobile application security, finding that 63% of popular Android apps "contain open source components with known security vulnerabilities," at an average of 39 vulnerabilities per app. 44% of these vulnerabilities were considered serious, and 94% of them have patches available. The most vulnerable categories were free games, top-grossing games, banking apps, budgeting apps, payment apps, and paid games. The researchers note, "Of the 107 banking applications scanned, 94 contained a vulnerability—that’s 88%, well above the average of 63%. With a total of 5,179 vulnerabilities identified, the average application contained 55 vulnerabilities. Financial applications require some of the most personally sensitive data, making these numbers alarming due to the potential impact of a security breach." The researchers add that 94% of the top-grossing games and 96% of the top free games contain vulnerabilities, which they note is particularly concerning since these apps are often used by children.