At a glance.
- RedFoxtrot linked to PLA Unit 69010.
- New Molerats malware.
- "Vigilante" malware restricts users from visiting piracy sites.
- Attackers take advantage of users abandoning WhatsApp.
RedFoxtrot linked to PLA Unit 69010.
Recorded Future's Insikt Group believes that a China-aligned threat actor dubbed "RedFoxtrot" is tied to Unit 69010 of the People’s Liberation Army (PLA), located in Ürümqi, Xinjiang:
"Unit 69010 is likely the Military Unit Cover Designator (MUCD) for a Technical Reconnaissance Bureau (TRB) within the PLA Strategic Support Force (SSF) Network Systems Department (NSD), an information and cyber warfare branch of the PLA. Due to lax operational security measures employed by a suspected RedFoxtrot operator, Insikt Group linked the threat group to the physical address of Unit 69010’s headquarters. Publicly available procurement and court documents further tied Unit 69010 both to this address and to the SSF. Multiple academic publications also support the hypothesis that this unit has a cyber mission."
The researchers add that "within the past 6 months, Insikt Group detected RedFoxtrot network intrusions targeting 3 Indian aerospace and defense contractors; major telecommunications providers in Afghanistan, India, Kazakhstan, and Pakistan; and multiple government agencies across the region."
New Molerats malware.
Researchers at Proofpoint have observed a malware campaign by Molerats (tracked by Proofpoint as "TA402") that targeted "government institutions in the Middle East and global government organizations associated with geopolitics in the region." The campaign used previously unobserved malware Proofpoint calls "LastConn":
"Based on Proofpoint visibility, the campaigns occurred on a weekly basis throughout early 2021 before abruptly stopping in March for a two-month hiatus. TA402, also known as Molerats and GazaHackerTeam, resumed email threat campaigns in early June 2021 with continued use of malware Proofpoint dubbed LastConn. Researchers assess with high confidence LastConn is an updated version of SharpStage malware first reported by Cybereason in December 2020.
"The temporary disruption to email threat operations in March 2021 is interesting and may be due to current tensions in the Middle East region including ongoing violence in the Gaza Strip between Israeli and Palestinian militants or the observation of Ramadan in April through early May 2021, one of the most important religious holidays for Muslims. However, Proofpoint cannot confirm either hypothesis with high confidence."
Proofpoint also "assesses with moderate confidence based on lure topics, targeting, and historic campaigns the activity likely supports military or Palestinian state objectives."
"Vigilante" malware restricts users from visiting piracy sites.
Sophos has come across a strain of malware that blocks infected users from visiting piracy websites by modifying the computer's HOSTS file. The malware is distributed disguised as pirated software, on the chat service Discord and via BitTorrent:
"We weren’t able to discern a provenance for this malware, but its motivation seemed pretty clear: It prevents people from visiting software piracy websites (if only temporarily), and sends the name of the pirated software the user was hoping to use to a website, which also delivers a secondary payload. The file adds from a few hundred to more than 1000 web domains to the HOSTS file, pointing them at the localhost address, 127.0.0.1.... At least some of the malware, disguised as pirated copies of a wide variety of software packages, was hosted on game chat service Discord. Other copies, distributed through Bittorrent, were also named after popular games, productivity tools, and even security products, accompanied by additional files... that make it appear to have originated with a well-known file sharing account on ThePirateBay."
The researchers note that while pointing those domains at 127.0.0.1 prevents the system from reaching them, the effect is easy to reverse: anyone who knows where the HOSTS file lives (on Windows, %SystemRoot%\System32\drivers\etc\hosts) can simply delete the added lines.
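One way to check a machine for this kind of tampering, as an added example that is not code from Sophos or from the article: parse the HOSTS file, list every non-default name that resolves to a loopback address, flag the file when the count is implausibly high, and write out a cleaned copy that keeps the legitimate entries. The sample file content, the .example domain names and the threshold of 20 redirected names are constructed here for illustration; a real infection, per Sophos, adds hundreds to more than a thousand.

```python
"""Audit a HOSTS file for bulk loopback redirections and produce a cleaned copy.

Example code added to this digest; it is not Sophos's tooling. The sample
file below, the .example domains and the default threshold are constructed.
"""
import os
import sys
from collections import Counter

# Addresses that make a name resolve to the local machine (i.e. go nowhere).
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Names a stock Windows/Unix HOSTS file legitimately maps to loopback.
ALLOWED_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample: stock header, one legitimate internal override,
# then the kind of lines the blocker malware appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost
127.0.0.1 localhost
::1 localhost
192.168.1.10 fileserver.corp.example   # legitimate internal override
127.0.0.1 thepiratebay.example
127.0.0.1 www.thepiratebay.example
127.0.0.1 rarbg.example torrentsite.example
0.0.0.0 tracker.example
"""


def parse_hosts(text):
    """Return [(lineno, ip, [names])] for each non-blank, non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()                  # whitespace (tabs or spaces)
        if len(parts) >= 2:
            entries.append((lineno, parts[0], parts[1:]))
    return entries


def find_redirections(text):
    """Return [(lineno, ip, name)] for every non-default name sent to loopback."""
    hits = []
    for lineno, ip, names in parse_hosts(text):
        if ip in LOOPBACK:
            hits.extend((lineno, ip, n) for n in names
                        if n.lower() not in ALLOWED_LOOPBACK_NAMES)
    return hits


def is_suspicious(text, threshold=20):
    """True when the file redirects at least `threshold` non-default names."""
    return len(find_redirections(text)) >= threshold


def top_targets(text, n=3):
    """Group redirected names by their last two labels to see what is blocked."""
    counts = Counter(".".join(name.lower().split(".")[-2:])
                     for _, _, name in find_redirections(text))
    return counts.most_common(n)


def clean_hosts(text):
    """Return the file with loopback redirections removed.

    Comments, non-loopback lines and the stock localhost entries are kept;
    a loopback line loses only its non-default names, and is dropped when
    nothing legitimate remains on it.
    """
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        parts = code.split()
        if len(parts) >= 2 and parts[0] in LOOPBACK:
            keep = [n for n in parts[1:] if n.lower() in ALLOWED_LOOPBACK_NAMES]
            if not keep:
                continue
            if len(keep) != len(parts) - 1:
                raw = " ".join([parts[0]] + keep) + (sep + comment if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"


def default_hosts_path():
    """Location of the live HOSTS file on Windows or Unix-like systems."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hits = find_redirections(text)
    print(f"{len(hits)} non-default names redirected to loopback; "
          f"suspicious={is_suspicious(text)}; top targets={top_targets(text)}")
    for lineno, ip, name in hits:
        print(f"  line {lineno}: {ip} {name}")
```

Run it against the live file with `python hosts_audit.py "$(python -c 'import hosts_audit;print(hosts_audit.default_hosts_path())')"` or simply by passing the path; write `clean_hosts()`'s output back only after reviewing the hit list, since a legitimate ad-blocking HOSTS list produces the same signature as this malware.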
Attackers take advantage of users abandoning WhatsApp.
Cybercriminals bought Google Ads that spoofed Signal and Telegram to direct users to malicious sites, according to researchers at eSentire. The researchers believe the attackers were taking advantage of WhatsApp users flocking to alternative encrypted messaging apps following an unpopular update to WhatsApp's terms of service in January:
"[D]uring the first three weeks of January, Signal gained 7.5 million users globally, according to figures shared by the UK parliament’s home affairs committee, and Telegram gained 25 million in the UK. Shortly after, cybercriminals leveraged Signal and Telegram’s resulting market gains to deploy malicious Google Ads. For example, when the victim clicks on the malicious ad for Signal the computer user is taken to an exact replica of Signal’s download page. Using both endpoint and log data, the TRU observed contact with these ad domains preceding the installation and execution of RedLine Stealer. In the case of Telegram, the file name was no more descriptive than 'SETUP', but soon after the incident, the user downloaded a legitimate version of Telegram, supporting the hypothesis that the user was looking for a version of Telegram to download."