At a glance.
- LuminousMoth targets the Philippines and Myanmar.
- Microsoft and Citizen Lab track spyware vendor.
- Trickbot updates.
LuminousMoth targets the Philippines and Myanmar.
Researchers at Kaspersky are tracking a "large-scale and highly active campaign" launched by a suspected Chinese threat actor primarily active against targets in the Philippines, with some targets in Myanmar. The researchers observed overlaps with the Chinese threat actor Mustang Panda, and they emphasize the malware's ability to spread via USB drives:
"Further analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda. This is evident in both network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth.
"Most notably though, we observed the capability of the culprit to spread to other hosts through the use of USB drives. In some cases, this was followed by deployment of a signed, but fake version of the popular application Zoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems. The sheer volume of the attacks raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering hole or a supply chain attack."
Microsoft and Citizen Lab track spyware vendor.
Microsoft, working in with researchers at the University of Toronto's Citizen Lab, has been tracking activity by a threat actor dubbed "SOURGUM," which Redmond believes is an "Israel-based private-sector offensive actor." Citizen Lab says the threat actor is a Tel Aviv-based company called "Candiru" that sells spyware to government customers. Microsoft notes that the spyware has targeted victims around the world:
"Microsoft has identified over 100 victims of SOURGUM’s malware, and these victims are as geographically diverse as would be expected when varied government agencies are believed to be selecting the targets. Approximately half of the victims were found in Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. To be clear, the identification of victims of the malware in a country doesn’t necessarily mean that an agency in that country is a SOURGUM customer, as international targeting is common."
Microsoft adds that the spyware is distributed by links sent via messaging apps, and it used two now-patched Windows exploits to achieve privilege escalation:
"SOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.
"During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits."
Trickbot updates.
Researchers at Bitdefender have found that Trickbot is now using a new version of its Virtual Network Computing (VNC) module:
"As of May 12, 2021, our monitoring systems started to pick up an updated version of the vncDll module used by Trickbot against select high-profile targets. This module is known as tvncDll and is used for monitoring and intelligence gathering. It seems to be still under development, since the group has a frequent update schedule, regularly adding new functionalities and bug fixes."
And Cofense describes a recent Trickbot phishing campaign that's targeting "companies in the retail, building materials, manufacturing, insurance and construction industries":
"TrickBot is now looking to score a hat trick on SEGs (secure email gateways) by utilizing three new components in its infection chain. This campaign delivers DOCX files that exploit the CVE-2017-0199 vulnerability. Employees are advised to never enable macros when they open Office documents, but this CVE leverages an embedded link that will immediately call out to a DOT payload, bypassing normal security checks. This new file includes a VBS script that will download the final executable."