At a glance.
- Malware droppers posing as video game cheats.
- Bahamut may be behind new cyberespionage campaign.
- North Korea continues targeting security researchers.
- Charming Kitten is phishing for medical professionals.
- Malicious PDFs on the rise.
Malware droppers posing as video game cheats.
Video game company Activision has published research describing a malware dropper that poses as a cheat tool for Call of Duty: Warzone. The dropper's developer began advertising the tool on hacking forums in March 2020, and the dropper has since made appearances on cheat sites and YouTube.
The researchers explain, "While there likely are hundreds of guides covering RAT distribution methods this one relies not on sophisticated tactics but on the victim’s willingness to disable several security settings on their own systems. The actor’s suggested method for convincing the victims to disable their protections is made significantly easier by advertising their RAT as a video game cheat. It is common practice when configuring a cheat program to run it with the highest system privileges. Guides for cheats will typically ask users to disable or uninstall antivirus software and host firewalls, disable kernel code signing, etc." They add, "The dropper itself is a .NET application that downloads and executes an arbitrary executable. Unless already disabled, UAC (User Account Control) will prompt the user to agree to allow the downloaded executable to run with administrative privileges."
And researchers at Cisco Talos describe a new malware crypter that's being used to obfuscate malware that masquerades as video game cheats, mods, or patches. The researchers have observed the crypter being used in multiple different malware campaigns. Talos writes, "This threat used a complex VisualBasic-based cryptor to hide its final payload. The dropper injected code into a new process to hide its final payload against simple anti-malware tools."
Bahamut may be behind new cyberespionage campaign.
Anomali suspects "with low confidence" that the hacker-for-hire cyberespionage group Bahamut is responsible for a campaign targeting entities in the Middle East and South Asia. The threat actor used spearphishing emails to deliver malicious Word files, beginning in June 2020 through at least February 2021. One of the phishing lures appears to refer to Pakistan’s National Counter Terrorism Authority (NACTA). The researchers conclude, "While we have identified many consistencies between this most recently discovered campaign and previously reported activity attributed to Bahamut, and the targeting appears to be consistent with Bahamut’s assessed interests, due to the lack of enough unique indicators of compromise or tactics, techniques, and procedures (TTPs) we can only assess with “low confidence” that Bahamut may be behind this activity."
North Korea continues targeting security researchers.
Google's Threat Analysis Group (TAG) has published an update on a North Korean cyberespionage campaign targeting security researchers. TAG warned in January that a threat actor was messaging researchers on various social media platforms asking to collaborate on vulnerability research. They also set up a watering hole site that posed as a phony research blog, using an Internet Explorer zero-day.
Now, Google says the actor is using a new website and social media profiles posing as a fake company called "SecuriElite." TAG writes, "The attacker’s latest batch of social media profiles continue the trend of posing as fellow security researchers interested in exploitation and offensive security. On LinkedIn, we identified two accounts impersonating recruiters for antivirus and security companies. We have reported all identified social media profiles to the platforms to allow them to take appropriate action." Google also believes the attackers are using more zero-days.
Charming Kitten is phishing for medical professionals.
Proofpoint reports that an Iran-linked threat actor, TA453 (also known as Charming Kitten or Phosphorous), is running a phishing campaign against "senior medical professionals who specialize in genetic, neurology, and oncology research in the United States and Israel." The operation, dubbed "BadBlood," used spearphishing emails with URLs that led to spoofed Microsoft 365 and OneDrive login pages.
The researchers state, "At this time, Proofpoint cannot conclusively determine the motivation of actors conducting these campaigns. As collaboration for medical research is often conducted informally over email, this campaign may demonstrate that a subset of TA453 operators have an intelligence requirement to collect specific medical information related to genetic, oncology, or neurology research. Alternatively, this campaign may demonstrate an interest in the patient information of the targeted medical personnel or an aim to use the recipients' accounts in further phishing campaigns."
Proofpoint also notes that the operation demonstrates a (possibly temporary) shift in targeting for Charming Kitten: "While TA453 has consistently demonstrated a desire to collect and exfiltrate the email mailbox contents belonging to typical intelligence targets of the Iranian government like the Iranian diaspora, policy analysts, and educators, this TA453 campaign demonstrated a desire to target medical researchers and providers. Further detection and analysis of TA453 campaigns will likely determine whether this targeting is an outlier or if targeting has evolved to support the medical sector becoming a consistent intelligence requirement and target for TA453."
Malicious PDFs on the rise.
Palo Alto Networks' Unit 42 observed a 1,160% increase in malicious PDF files between 2019 and 2020. Unit 42 saw 411,800 malicious PDFs in 2019, compared to 5,224,056 in 2020. The researchers note that "PDF files are an enticing phishing vector as they are cross-platform and allow attackers to engage with users, making their schemes more believable as opposed to a text-based email with just a plain link." The most popular of these PDF scams uses a fake CAPTCHA image with a "Continue" button that leads to a malicious website.