At a glance.
- SolarWinds campaign infrastructure.
- ToxicEye RAT abuses Telegram.
- Mount Locker shifts tactics.
- New cryptojacking botnet.
SolarWinds campaign infrastructure.
RiskIQ has published an analysis of the SolarWinds cyberespionage campaign, finding that the threat actor's infrastructure was much larger than previously thought. The researchers identified eighteen more servers that the attackers used for command-and-control:
"The network infrastructure footprint of the SolarWinds espionage campaign is significantly larger than previously identified in U.S. government and private industry reporting. With high confidence, RiskIQ's Team Atlas detected an additional 18 servers that likely communicated with the targeted, secondary Cobalt Strike payloads via TEARDROP and RAINDROP. This represented a 56% increase in the size of the adversary’s known command-and-control footprint and will likely lead to newly identified targets."
The researchers also detail the measures taken by the threat actor for pattern avoidance, which contributed to the campaign's extraordinary level of operational security:
"The threat actor also gave thought to where the campaign infrastructure was hosted and avoided patterns there, too. RiskIQ's Team Atlas noted that the first-stage infrastructure was hosted entirely in the U.S., a move we assess was likely done to avoid raising suspicion (domestic network traffic is more plausible) as well as to avoid the prying eyes of the NSA, which is restricted by law to taking action only in foreign countries. The second-stage infrastructure was only partially hosted in the U.S. By the third stage, the campaign’s infrastructure was hosted almost entirely in foreign countries. In this way, the threat actor avoided creating discernible patterns that could be traced while simultaneously making it harder for the U.S. government to investigate."
ToxicEye RAT abuses Telegram.
Check Point describes a new remote access Trojan dubbed "ToxicEye" that uses Telegram for command-and-control and data exfiltration. The malware is delivered via malicious attachments and has been observed in more than 130 attacks over the past three months. The researchers note that routing C2 through Telegram lets the attackers blend into legitimate traffic, evade antivirus, and remain anonymous:
"The attacker first creates a Telegram account and a Telegram ‘bot.’ A Telegram bot account is a special remote account with which users can interact by Telegram chat or by adding them to Telegram groups, or by sending requests directly from the input field by typing the bot’s Telegram username and a query. The bot is embedded into the ToxicEye RAT configuration file and compiled into an executable file... Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C&C via Telegram. In addition, this Telegram RAT can be downloaded and run by opening a malicious document seen in the phishing emails called solution.doc and by pressing on 'enable content.'"
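The mechanism Check Point describes leaves two artifacts a defender can hunt for: the bot token the RAT must carry in its configuration, and the HTTPS calls to the Telegram Bot API that the infected host makes on the bot's behalf. The script below is an added example written for this briefing; it is not Check Point's code and it is not ToxicEye. The token shape it searches for (a numeric bot id, a colon, and 35 characters of letters, digits, underscore or hyphen), the hint that Windows binaries often store strings as UTF-16LE, and the sample blob and proxy log lines are all assumptions constructed for the example.

```python
"""Hunt for Telegram Bot API command-and-control artifacts.

Added example for this briefing; not Check Point's code and not ToxicEye.
A RAT that uses a Telegram bot for C2 has to carry the bot's token and talk
to https://api.telegram.org/bot<token>/<method>. Two checks follow:
  1. carve candidate bot tokens out of a dropped binary or config blob, and
  2. flag proxy log lines that reach the Bot API, with the token and method.
ASSUMPTIONS: the token shape (8-10 digit bot id, colon, 35 chars of
[A-Za-z0-9_-]) and all sample data below are constructed for this example.
"""
import re

_TOKEN = r"[0-9]{8,10}:[A-Za-z0-9_-]{35}"
# A token standing alone in a blob; the look-arounds stop longer runs matching.
TOKEN_RE = re.compile(rf"(?<![0-9A-Za-z_-])({_TOKEN})(?![A-Za-z0-9_-])")
# The Bot API URL as it appears in a web proxy log.
BOT_API_RE = re.compile(rf"https?://api\.telegram\.org/bot({_TOKEN})/(\w+)")


def carve_bot_tokens(blob: bytes) -> list[str]:
    """Return distinct candidate bot tokens found in a blob.

    Strings in Windows binaries are often UTF-16LE, so the blob is viewed
    three ways: raw bytes, UTF-16LE, and UTF-16LE shifted by one byte so
    that an oddly aligned wide string is still decoded correctly.
    """
    views = (
        blob.decode("latin-1"),
        blob.decode("utf-16-le", errors="ignore"),
        blob[1:].decode("utf-16-le", errors="ignore"),
    )
    found: list[str] = []
    for text in views:
        for m in TOKEN_RE.finditer(text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def flag_bot_api_traffic(log_lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_no, token, api_method) for each log line hitting the Bot API.

    In the Bot API, getUpdates is how a bot without a webhook polls for new
    messages (operator commands); sendDocument/sendMessage carry data out.
    """
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = BOT_API_RE.search(line)
        if m:
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


def tokens_seen_on_wire(blob: bytes, log_lines: list[str]) -> set[str]:
    """Tokens present in the sample that were also observed in traffic."""
    carved = set(carve_bot_tokens(blob))
    return carved & {tok for _, tok, _ in flag_bot_api_traffic(log_lines)}


# Constructed, non-functional tokens (fake bot ids and secrets) for the example.
TOKEN_A = "1234567890:AAHfakeTokenForTheExample_012345678"
TOKEN_B = "9876543210:BBHsecondFakeTokenForExample_012345"

# Constructed stand-in for a dropped executable: a fake PE header, one ASCII
# token, and one UTF-16LE token that deliberately lands on an odd byte offset.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"tg_token=" + TOKEN_A.encode() + b"\x00\x00"
    + ("bot=" + TOKEN_B).encode("utf-16-le") + b"\x00\x00"
)

# Constructed proxy log: one host polls the Bot API and uploads a file;
# another host merely opens the Telegram web client and must not be flagged.
SAMPLE_PROXY_LOG = [
    "2021-04-22T10:01:02Z 10.0.0.15 GET https://www.example.com/ 200",
    f"2021-04-22T10:01:05Z 10.0.0.15 GET https://api.telegram.org/bot{TOKEN_A}/getUpdates 200",
    f"2021-04-22T10:01:09Z 10.0.0.15 POST https://api.telegram.org/bot{TOKEN_A}/sendDocument 200",
    "2021-04-22T10:02:00Z 10.0.0.20 GET https://web.telegram.org/ 200",
]

if __name__ == "__main__":
    print("carved tokens:", carve_bot_tokens(SAMPLE_BLOB))
    for lineno, tok, method in flag_bot_api_traffic(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: Bot API method {method} with token {tok[:12]}...")
    print("tokens seen on wire:", tokens_seen_on_wire(SAMPLE_BLOB, SAMPLE_PROXY_LOG))
```

The second check is the one to carry into a proxy or EDR rule: the official Telegram desktop and mobile clients speak MTProto rather than the HTTPS Bot API, so a workstation calling api.telegram.org/bot<token>/ is running bot code, which separates RAT traffic from ordinary Telegram use. Carving the token from the sample then ties a specific binary to the traffic seen on the wire.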
Mount Locker shifts tactics.
Researchers at GuidePoint Security say the Mount Locker ransomware-as-a-service operators are transitioning to the Astro Locker ransomware, and that "this change is paired with an aggressive shift in Mount Locker’s tactics." Mount Locker is among the ransomware gangs that steal data as well as encrypting it, and its operators now deploy scripts built to disable the security tools in a victim's environment:
"[I]n recent engagements, it appears Mount Locker is stepping up their game by including scripting and capabilities directly targeting prevention measures. The new batch scripts – designed to disable detection & prevention tools – indicate that Mount Locker is increasing its capabilities and is becoming a more dangerous threat. These scripts were not just blanket steps to disable a large swath of tools, they were customized and targeted to the victim’s environment. In recent engagements threat actors have also begun using multiple Cobalt Strike servers with unique domains, which is an added step not often seen due to the increased overhead in management for attackers. This, combined with the recent shift to AstroLocker, could signal a shift in the group’s overall tactics and an effort to fully rebrand as a more insidious threat."
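GuidePoint's point is that the batch scripts were tailored to each victim's detection and prevention tools rather than a blanket "stop everything" list, so a useful triage check asks not just "does this script stop services" but "does it stop, disable or kill something that looks like a security product". The script below is an added example written for this briefing; it is not GuidePoint's code and not a Mount Locker script. The command patterns, the list of security-tool name hints, and the sample batch file are illustrative assumptions constructed for the example.

```python
"""Triage a batch script for commands that disable security tooling.

Added example for this briefing; not GuidePoint's code and not a Mount Locker
script. Each line is classified into a defense-evasion category and then
checked against a list of security-product name hints, so that a generic
"net stop Spooler" is reported separately from "net stop <EDR service>".
ASSUMPTIONS: CATEGORY_PATTERNS, SECURITY_TOOL_HINTS and SAMPLE_SCRIPT are
illustrative; extend the hints with the products in your own estate.
"""
import re

CATEGORY_PATTERNS = [
    ("service_stop",
     re.compile(r"^\s*(?:net(?:\.exe)?|sc(?:\.exe)?)\s+stop\b", re.I)),
    ("service_disable",
     re.compile(r"^\s*sc(?:\.exe)?\s+(?:config\b.*\bstart=\s*disabled|delete\b)", re.I)),
    ("process_kill",
     re.compile(r"\btaskkill(?:\.exe)?\b.*?/(?:im|pid)\s+\S+", re.I)),
    ("defender_tamper",
     re.compile(r"set-mppreference\s+-disable\w+|disableantispyware|disablerealtimemonitoring", re.I)),
]

# Assumed, illustrative lower-case substrings of security service/process names.
SECURITY_TOOL_HINTS = (
    "msmpeng", "windefend", "sense", "sophos", "savservice", "mcafee",
    "symantec", "csagent", "cylance", "carbonblack", "cbdefense",
)


def triage_batch(script: str) -> list[dict]:
    """Return one finding per line that matches a defense-evasion category."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.lower().startswith(("rem ", "::")):
            continue  # comment lines cannot execute anything
        for category, pattern in CATEGORY_PATTERNS:
            if pattern.search(stripped):
                lowered = stripped.lower()
                # Defender policy changes always target a security tool; for the
                # other categories, look for a known product name in the line.
                targets_tool = (category == "defender_tamper"
                                or any(h in lowered for h in SECURITY_TOOL_HINTS))
                findings.append({"line": lineno, "category": category,
                                 "targets_security_tool": targets_tool,
                                 "text": stripped})
                break  # one category per line is enough for triage
    return findings


def summarize(findings: list[dict]) -> dict:
    """Roll findings up into the numbers an analyst would put in a ticket."""
    return {
        "total": len(findings),
        "security_tool_hits": sum(f["targets_security_tool"] for f in findings),
        "categories": sorted({f["category"] for f in findings}),
    }


# Constructed sample batch script; the rem line states its provenance.
SAMPLE_SCRIPT = r"""@echo off
rem constructed sample for this example, not a real Mount Locker script
net stop "Sophos MCS Client" /y
sc config "Sense" start= disabled
taskkill /F /IM MsMpEng.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
net stop Spooler
xcopy /s C:\data \\backup\share
"""

if __name__ == "__main__":
    results = triage_batch(SAMPLE_SCRIPT)
    for f in results:
        flag = "SECURITY TOOL" if f["targets_security_tool"] else "generic"
        print(f"line {f['line']:>2} {f['category']:<16} {flag:<13} {f['text']}")
    print(summarize(results))
```

Run against the sample, four of the five matching lines name a security product and one (the print spooler) does not; that ratio is the signal GuidePoint describes, a script that knows which tools are installed on this particular victim.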
The researchers have also noticed a "dramatic increase in attacks attributable to the group," with many of the attacks targeting the healthcare and biotech industries.
New cryptojacking botnet.
BleepingComputer reports that a newly discovered Linux botnet, active since December 2020, is infecting Windows and Linux enterprise servers with the XMRig cryptominer. The botnet was discovered by researchers at Lacework Labs and Juniper Threat Labs. The malware uses brute-force attacks as well as a set of exploits to compromise servers.