At a glance.
- PLA procures foreign antivirus programs.
- New malware delivered via phishing.
- Moriya rootkit found on public-facing servers.
- Lemon Duck targets Microsoft Exchange Server.
PLA procures foreign antivirus programs.
Recorded Future's Insikt Group has found procurement documents from China's People's Liberation Army (PLA) websites showing that PLA Unit 61419 has purchased antivirus products from several well-known US, European, and Russian security vendors. The researchers believe the PLA's intent is to use the products for testing or to identify vulnerabilities that can be used for compromise. Insikt Group points out that "[t]he focus on English versions of these products is notable because Chinese-language versions would be the more logical choice if the software was intended for legitimate use or to test the potential exposure of private and commercial end-users in China to vulnerabilities in foreign antivirus software." The researchers also note that the Chinese government has banned the use of foreign antivirus products, citing security risks.
Recorded Future believes the PLA is using the products for one or both of the following purposes:
"Insikt Group assesses that the purchase of foreign antivirus software by the PLA poses a high risk to the global antivirus software supply chain. Based on patterns of past campaigns and tactics, two scenarios are most likely for the PLA's exploitation of foreign antivirus software:
"Scenario 1: PLA cyber units and affiliated hacking groups will use foreign antivirus programs as a testing environment for natively developed malware. They will run the malware through foreign antivirus products to test its ability to evade detection, thereby making it more likely to successfully infect its targeted victims.
"Scenario 2: PLA cyber units and affiliated hacking groups will reverse engineer the foreign antivirus software code to find previously undisclosed vulnerabilities. They will then use the newly discovered vulnerabilities in a zero-day attack for initial intrusion."
New malware delivered via phishing.
FireEye has observed a large phishing campaign delivering three new malware families dubbed "DOUBLEDRAG," "DOUBLEDROP," and "DOUBLEBACK." FireEye tracks the threat actor behind the campaign as UNC2529, which they describe as "capable, professional, and well resourced." The actor has targeted many organizations in a wide variety of sectors, with most of its victims located in the United States. The researchers don't know what UNC2529's goal is, but they note that "their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups."
DOUBLEDRAG is a downloader, DOUBLEDROP is a dropper, and DOUBLEBACK is a backdoor:
"[T]he initial infection vector starts with phishing emails that contain a link to download a malicious payload that contains an obfuscated JavaScript downloader. Once executed, DOUBLEDRAG reaches out to its C2 server and downloads a memory-only dropper. The dropper, DOUBLEDROP, is implemented as a PowerShell script that contains both 32-bit and 64-bit instances of the backdoor DOUBLEBACK. The dropper performs the initial setup that establishes the backdoor’s persistence on the compromised system and proceeds by injecting the backdoor into its own process (PowerShell.exe) and then executing it. The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its C2 server and dispatching them. One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines."
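FireEye's point that the dropper and backdoor live only in the registry is the part a defender can act on: file-based scanning will not see them, so the registry itself has to be inspected for values that look like serialized code. The following is an added example, not FireEye's code and not derived from the actual DOUBLEBACK samples (the report excerpt does not name the keys, value names or encoding used). It takes registry value records as a host agent or a parsed `reg export` would supply them and flags values that are oversized, contain a PE image (raw or base64-encoded), or contain PowerShell loader markers; the registry paths, thresholds and sample values are all constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Registry value record. Assumption: the collector has already turned REG_SZ
# data (UTF-16LE on disk) into plain bytes; REG_BINARY data is passed as-is.
@dataclass
class RegValue:
    key: str
    name: str
    vtype: str   # "REG_BINARY", "REG_SZ", ...
    data: bytes

# Strings commonly found in PowerShell stagers that decode and run a payload.
PS_MARKERS = (b"FromBase64String", b"Invoke-Expression", b"IEX",
              b"VirtualAlloc", b"-EncodedCommand")
SIZE_THRESHOLD = 16 * 1024  # assumption: ordinary config values are far smaller

def _looks_like_pe(blob: bytes) -> bool:
    # DOS stub "MZ" at offset 0 and a "PE\0\0" signature in the first 4 KiB.
    return blob[:2] == b"MZ" and b"PE\x00\x00" in blob[:4096]

def _try_base64(blob: bytes) -> Optional[bytes]:
    # Only attempt decoding when the whole value is base64 alphabet (plus line breaks).
    s = blob.strip()
    if len(s) < 64 or not re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", s):
        return None
    try:
        return base64.b64decode(s, validate=False)
    except Exception:
        return None

def classify(v: RegValue) -> List[str]:
    """Return the list of indicators that fire for one registry value (empty if none)."""
    reasons = []
    if len(v.data) >= SIZE_THRESHOLD:
        reasons.append("oversized")
    if _looks_like_pe(v.data):
        reasons.append("pe-image")
    decoded = _try_base64(v.data)
    if decoded is not None:
        if _looks_like_pe(decoded):
            reasons.append("base64-pe-image")
        if any(m in decoded for m in PS_MARKERS):
            reasons.append("base64-powershell")
    if any(m in v.data for m in PS_MARKERS):
        reasons.append("powershell-loader")
    return reasons

def scan(values: List[RegValue]) -> Dict[Tuple[str, str], List[str]]:
    """Map (key, value name) -> indicators for every value that triggered at least one."""
    return {(v.key, v.name): r for v in values if (r := classify(v))}

# Constructed sample data: a minimal fake PE image, its base64 form, a loader
# stub, and two benign values. None of these are real malware artifacts.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20000
DEMO_KEY = r"HKCU\Software\ConstructedDemo"   # placeholder, not a real IoC
SAMPLE_VALUES = [
    RegValue(DEMO_KEY, "stage", "REG_BINARY", FAKE_PE),
    RegValue(DEMO_KEY, "blob", "REG_SZ", base64.b64encode(FAKE_PE)),
    RegValue(DEMO_KEY, "loader", "REG_SZ",
             b"$b=[Convert]::FromBase64String((gp HKCU:\\Software\\ConstructedDemo).blob); IEX $b"),
    RegValue(r"HKLM\Software\Vendor\App", "InstallDir", "REG_SZ", b"C:\\Program Files\\App"),
    RegValue(r"HKLM\Software\Vendor\App", "Flags", "REG_BINARY", b"\x01\x02\x03"),
]

if __name__ == "__main__":
    for (key, name), reasons in scan(SAMPLE_VALUES).items():
        print(f"{key}\\{name}: {', '.join(reasons)}")
```

The heuristics are deliberately coarse: a large base64 blob under a software vendor's key is often a legitimate cached object, so in practice the hits are ranked by whether the owning key is also referenced by an autorun entry or a scheduled task, which is what gives a registry-resident chain like this one its persistence.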
Moriya rootkit found on public-facing servers.
Kaspersky describes a new rootkit dubbed "Moriya" that's being used by an unknown threat actor to place backdoors on public-facing servers. The malware was discovered on servers belonging to diplomatic organizations in Asia and Africa. The researchers don't attribute the activity to any known threat actor, but they suspect the actor is associated with China. They note two traits that help the malware avoid detection:
"The rootkit has two traits that make it particularly evasive. The packet inspection happens in kernel mode with the use of a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not detected by security solutions. Secondly, the fact that the rootkit waits for incoming traffic rather than initiating a connection to a server itself avoids the need to incorporate a C&C address in the malware’s binary or to maintain a steady C&C infrastructure. This hinders analysis and makes it difficult to trace the attacker’s footprints."
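Because the driver discards the operator's packets before the network stack sees them, the host's own connection table becomes an unreliable witness: traffic that a tap in front of the server records will never appear in the server's socket list. The added example below is not Kaspersky's code and makes no claim about Moriya's actual filtering rules; it shows the generic cross-check a defender can run with data they already collect, comparing flows seen by a network sensor against the connection tables a host agent reports, and flagging sustained inbound flows the host never accounted for. The server address, packet records, snapshots and packet threshold are all constructed assumptions.

```python
from collections import Counter
from typing import Iterable, List, Set, Tuple

# A flow as seen from the server: (remote_ip, remote_port, local_port).
Flow = Tuple[str, int, int]

# Assumed address of the monitored public-facing server.
SERVER_IP = "10.0.0.5"

# Constructed sample: per-packet records from a tap or span port in front of
# the server, as (src_ip, src_port, dst_ip, dst_port). Real deployments would
# feed this from NetFlow or Zeek conn logs instead.
SENSOR_PACKETS = (
    [("203.0.113.10", 51000, SERVER_IP, 443)] * 6   # ordinary TLS client
    + [("198.51.100.7", 61234, SERVER_IP, 80)] * 4  # ordinary HTTP client
    + [("198.51.100.9", 40001, SERVER_IP, 443)] * 1 # lone SYN: a scan, ignore
    + [("192.0.2.77", 53211, SERVER_IP, 443)] * 8   # sustained, never reported by host
)

# Constructed sample: connection tables reported by the host agent over the
# same period (e.g. periodic netstat snapshots). Note the absence of 192.0.2.77.
HOST_SNAPSHOTS = [
    {("203.0.113.10", 51000, 443), ("198.51.100.7", 61234, 80)},
    {("203.0.113.10", 51000, 443)},
]

MIN_PACKETS = 5  # assumption: below this, treat the flow as a probe, not a session

def sensor_flows(packets: Iterable[Tuple[str, int, str, int]], server_ip: str) -> Counter:
    """Count packets per inbound flow to the server as observed on the wire."""
    counts: Counter = Counter()
    for src, sport, dst, dport in packets:
        if dst == server_ip:
            counts[(src, sport, dport)] += 1
    return counts

def host_known_flows(snapshots: Iterable[Set[Flow]]) -> Set[Flow]:
    """Union of every connection the host itself reported at any snapshot."""
    known: Set[Flow] = set()
    for snap in snapshots:
        known |= set(snap)
    return known

def find_hidden_flows(packets, snapshots, server_ip, min_packets=MIN_PACKETS) -> List[Tuple[Flow, int]]:
    """Inbound flows with at least min_packets on the wire that the host never listed.

    A hit means packets reached the server's interface but the stack never
    surfaced a socket for them, which is exactly the gap a kernel-level
    pre-stack filter opens. It is also what a sampling gap in the host agent
    looks like, so results are a lead for inspection, not a verdict.
    """
    seen = sensor_flows(packets, server_ip)
    known = host_known_flows(snapshots)
    return sorted((f, n) for f, n in seen.items() if n >= min_packets and f not in known)

if __name__ == "__main__":
    for (rip, rport, lport), n in find_hidden_flows(SENSOR_PACKETS, HOST_SNAPSHOTS, SERVER_IP):
        print(f"unaccounted inbound flow {rip}:{rport} -> :{lport} ({n} packets on wire)")
```

The packet threshold is what keeps scanners and half-open probes out of the result; the host agent's snapshot interval sets the other limit, since a short session that falls entirely between two snapshots will also be reported as unaccounted for. A host that keeps producing hits on an open service port is a candidate for driver inventory review.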
Lemon Duck targets Microsoft Exchange Server.
Cisco Talos says the Lemon Duck cryptocurrency mining botnet is targeting unpatched instances of Microsoft Exchange Server. The botnet has been active since late 2018, but Talos says the threat actor recently incorporated new tactics, techniques, and procedures:
"During our analysis of recent Lemon Duck campaigns, we observed that the threat actor is now leveraging new infrastructure, incorporating additional tools and functionality into their attack methodology and workflow, and putting more emphasis on obfuscating various components used throughout the infection process in an attempt to more effectively evade detection and analysis. Additionally, the threat actor is targeting high-profile software vulnerabilities that may allow them to more effectively establish an initial foothold within victim environments."