At a glance.
- APT27 continues targeting the gambling industry.
- New APT34 activity.
- Malicious code in APKPure app store.
- Malware campaign abuses contact forms.
- New Lazarus backdoor.
New APT34 activity.
Check Point says the Iranian threat actor APT34 (also known as OilRig) has targeted a Lebanese entity with a new backdoor dubbed "SideTwist." The threat actor delivered the malware via a Microsoft Word document that purported to describe job opportunities at a US-based cloud database company. The researchers say the SideTwist malware "provides functionality which is simple and similar to other C based backdoors utilized by the group: DNSpionage and TONEDEAF and TONEDEAF2.0." They add that "APT34’s backdoors DNSpionage and TONEDEAF are known to receive commands from the servers by searching for specific pattern hidden inside the HTML content of a legitimate looking website. In our case the attackers utilized a Flickr lookalike page, while in previous campaigns GitHub, Wikipedia, and Microsoft lookalikes were used."
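The command-fetching technique described above, where the backdoor reads its tasking from a page that merely looks like Flickr, GitHub, Wikipedia or Microsoft, gives defenders something to hunt for on the network side: outbound requests to domains that imitate those brands but are not their registrable domains. The following Python is an added illustration, not code from Check Point's report, of a lookalike-host check run over constructed proxy-log lines. The legitimate-domain allow-list, the edit-distance threshold and the log format are assumptions to be tuned for a real environment.

```python
"""Flag proxy-log hosts that imitate brands reported as lookalike C2 fronts.

Added example (not from the Check Point report). The log lines are
constructed, and the allow-list/threshold are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Brands named in the report as lookalike targets, mapped to the registrable
# domains we treat as legitimate (assumption: extend with your environment's
# known-good domains; wikimedia.org is included so it is not mis-flagged).
LEGIT = {
    "flickr": {"flickr.com"},
    "github": {"github.com"},
    "wikipedia": {"wikipedia.org", "wikimedia.org"},
    "microsoft": {"microsoft.com"},
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain = last two labels (assumption: real code
    would consult a public-suffix list to handle co.uk-style suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_brand(host: str):
    """Return the brand a host imitates, or None if legitimate or unrelated."""
    reg = registrable(host)
    if any(reg in legit for legit in LEGIT.values()):
        return None
    # Look at each hyphen-separated token of the registrable label so that
    # 'fl1ckr-photos' and 'microsoft-update' are both examined token by token.
    tokens = reg.split(".")[0].split("-")
    for brand in LEGIT:
        for tok in tokens:
            if brand in tok or levenshtein(tok, brand) <= 1:
                return brand
    return None


# Constructed proxy-log lines for illustration (timestamp src_ip method url).
SAMPLE_LOG = """\
2021-04-09T10:01:00Z 192.0.2.10 GET https://www.flickr.com/photos/123
2021-04-09T10:02:00Z 192.0.2.11 GET https://fl1ckr-photos.example/gallery.html
2021-04-09T10:03:00Z 192.0.2.12 GET https://github.com/org/repo
2021-04-09T10:04:00Z 192.0.2.13 GET https://wikimedia.org/
2021-04-09T10:05:00Z 192.0.2.14 GET https://microsoft-update.example/status.html
"""


def scan_log(text: str):
    """Return (src_ip, host, imitated_brand) for every lookalike request."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            hits.append((fields[1], host, brand))
    return hits


if __name__ == "__main__":
    for src, host, brand in scan_log(SAMPLE_LOG):
        print(f"{src} -> {host} (imitates {brand})")
```

The heuristic is deliberately loose (a one-character edit or the brand name embedded in a label), so the allow-list carries the real burden: every legitimate domain a brand actually uses has to be listed, or you will alert on your own traffic. Hits are a starting point for looking at the fetched page, not a verdict on their own.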
APT27 continues targeting the gambling industry.
Trend Micro outlines new activity by the Chinese threat actor Iron Tiger (also known as LuckyMouse, Emissary Panda, and APT27). The threat actor targeted a Philippine-based gambling company for eighteen months, as well as "governments, banks, telecommunication providers, and even the energy sector in the Middle East and Southeast Asia." The targeted countries include Afghanistan, India, Jordan, Kuwait, Mongolia, the Philippines, Saudi Arabia, Turkey, and the United Arab Emirates.
Iron Tiger is using an updated version of its SysUpdate malware, as well as a new rootkit that operates at the kernel level. The researchers add that "[t]he different campaigns with different versions of the same tools concurrently being used suggest that there might be subgroups for this threat actor, or multiple groups with access to the builders of these tools."
Malicious code in APKPure app store.
Researchers at Kaspersky discovered malicious code in version 3.17.18 of the popular APKPure app store client. The code functioned as adware, but could also install additional executables and in one case downloaded a Trojan. The researchers explain, "APKPure users with current Android versions mostly risk having paid subscriptions and intrusive ads appear from nowhere. Users of smartphones who do not receive security updates are less fortunate: in outdated versions of the OS, the malware is capable of not only loading additional apps, but installing them on the system partition. This can result in an unremovable Trojan like xHelper getting onto the device."
APKPure quickly fixed the issue after Kaspersky notified them on April 8th. Android users of APKPure are urged to ensure that their app is updated to version 3.17.19.
Malware campaign abuses contact forms.
Researchers at Microsoft are tracking a campaign in which attackers are abusing contact forms on websites to send malicious links to website owners. The attackers use the contact forms to send phony legal threats concerning a copyright claim by a photographer or artist. The messages have a link to a sites.google.com page that will download a malicious ZIP file resulting in the installation of the IcedID banking Trojan. The researchers note, "This campaign is not only successful because it takes advantage of legitimate contact form emails, but the message content also passes as something that recipients would expect to receive. This creates a high risk of attackers successfully delivering email to inboxes, thereby allowing for 'safe' emails that would otherwise be filtered out into spam folders."
They add, "When run, IcedID connects to a command-and-control server to download modules that run its primary function of capturing and exfiltrating banking credentials and other information. It achieves persistence via scheduled tasks. It also downloads implants like Cobalt Strike and other tools, which allow remote attackers to run malicious activities on the compromised system, including collecting additional credentials, moving laterally, and delivering secondary payloads."
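Because the lure arrives through the site's own contact form, sender reputation and spam scoring give the recipient little help; what distinguishes it is the content of the submission itself, the combination of a copyright or legal threat with a link to a sites.google.com landing page. The Python below is an added example, not Microsoft's detection logic, of a triage rule a site owner could run over incoming form submissions. The keyword list, scoring weights and the constructed sample messages are assumptions for illustration; sites.google.com as the landing host comes from the report.

```python
"""Triage contact-form submissions for the copyright-threat lure pattern.

Added example (not from Microsoft's report). Keyword list, weights and the
sample submissions are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Phrases typical of the photographer/artist legal-threat lure (assumption).
LEGAL_TERMS = (
    "copyright", "infringement", "lawsuit", "legal action",
    "dmca", "my photographs", "stolen images",
)
# Landing host named in the report; extend as your own cases dictate.
LANDING_HOSTS = ("sites.google.com",)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def triage(message: str):
    """Return (score, reasons) for one submission body."""
    text = message.lower()
    score, reasons = 0, []
    legal_hits = [t for t in LEGAL_TERMS if t in text]
    if legal_hits:
        score += 2
        reasons.append("legal/copyright threat language: " + ", ".join(legal_hits))
    landing = False
    for url in URL_RE.findall(message):
        host = (urlsplit(url).hostname or "").lower()
        if host in LANDING_HOSTS:
            score += 3
            landing = True
            reasons.append(f"link to known lure landing host: {host}")
        elif host:
            score += 1
            reasons.append(f"external link: {host}")
    if legal_hits and landing:
        # The pairing is the campaign's signature, so weight it separately.
        score += 2
        reasons.append("threat language combined with landing-page link")
    return score, reasons


def is_suspicious(message: str, threshold: int = 5) -> bool:
    """Threshold chosen so that either signal alone stays below it."""
    return triage(message)[0] >= threshold


# Constructed submissions (name, message) for illustration, not real traffic.
SAMPLE_SUBMISSIONS = [
    ("Mel", "Hello, I am a professional photographer. You are using my images on "
            "your website without permission, this is copyright infringement. "
            "Proof here: https://sites.google.com/view/copyright-evidence-0001. "
            "Remove them or I will take legal action."),
    ("Sam", "Hi, I'd like a quote for 50 units. Our site is https://www.example.com."),
    ("Ana", "Question about the copyright notice in your footer, which year should it say?"),
]


def triage_all(submissions):
    """Return [(name, score, suspicious)] for a batch of submissions."""
    return [(name, triage(msg)[0], is_suspicious(msg)) for name, msg in submissions]


if __name__ == "__main__":
    for name, score, flagged in triage_all(SAMPLE_SUBMISSIONS):
        print(f"{name}: score={score} suspicious={flagged}")
```

A flagged submission is worth holding for review rather than forwarding to the site owner's inbox; the actual copyright question from "Ana" scores low because it carries no link, which is the point of weighting the combination rather than either signal alone.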
New Lazarus backdoor.
Researchers at ESET describe "Vyveva," a previously undiscovered backdoor attributed to North Korea's Lazarus Group. The malware was discovered on two servers belonging to a South African freight logistics company and has been in use since 2018, although its delivery mechanism is still unknown.
The researchers explain, "The backdoor features capabilities for file exfiltration, timestomping, gathering information about the victim computer and its drives, and other common backdoor functionality such as running arbitrary code specified by the malware’s operators. This indicates that the intent of the operation is most likely espionage."
ESET attributes the backdoor to Lazarus "with high confidence," stating, "Vyveva shares multiple code similarities with older Lazarus samples that are detected by ESET products as the NukeSped malware family. However, the similarities do not end there: the use of fake TLS in network communication, command line execution chains, and the way of using encryption and Tor services all point towards Lazarus."