At a glance.
- Raindrop loader used in Solarigate.
- SideWinder activities.
- Charming Kitten phishing campaign.
- FreakOut botnet targets recently disclosed CVEs.
- Ransomware predictions.
- Classiscam exported from Russia.
Raindrop loader used in Solarigate.
Researchers at Symantec describe "Raindrop," a malware loader used in the Solarigate cyberespionage campaign. Raindrop is very similar to the Teardrop loader analyzed by FireEye and others, but it uses a different packer. Additionally, Symantec states, "While Teardrop was delivered by the initial Sunburst backdoor (Backdoor.Sunburst), Raindrop appears to have been used for spreading across the victim’s network. Symantec has seen no evidence to date of Raindrop being delivered directly by Sunburst. Instead, it appears elsewhere on networks where at least one computer has already been compromised by Sunburst."
Both Raindrop and Teardrop are used to deliver Cobalt Strike Beacon, but with different configurations: "To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol."
SideWinder activities.
AT&T Alien Labs outlines activities by SideWinder, an APT assessed "with low to medium confidence" to be operating in the interests of the Indian government. The actor primarily targets public- and private-sector entities in Southeast and East Asia, with a particular focus on the governments of Pakistan, China, Nepal, and Afghanistan. SideWinder uses spearphishing to deliver malware or steal credentials. The researchers note, "Email lures and their attachments or links are often uniquely crafted to the target organization, which include content that the recipients would often expect to receive or benefit from reading. Since the group has primarily targeted government and military organizations, email lures are often related to political events and/or private documents generally considered standard for such organizations to receive." The actor prefers to deliver its payloads in RTF files that exploit CVE-2017-11882, a stack buffer overflow in the Equation Editor component (EQNEDT32.EXE) of Microsoft Office, which is triggered when the document's embedded OLE object is parsed.
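Because CVE-2017-11882 lives in Equation Editor, any RTF that embeds an Equation Editor OLE object is worth pulling aside for analysis. The following triage script is an added example written for this digest, not code from AT&T Alien Labs or from any SideWinder sample: it extracts the hex-encoded \objdata payloads from an RTF, decodes them (including the whitespace-split hex that lures commonly use to defeat naive string matching), and flags objects that declare the Equation.3 ProgID or carry the Equation Editor CLSID. The two RTF strings are constructed fixtures containing only an OLE header, not an exploit.

```python
import re

# Constructed fixture: a minimal RTF embedding an OLE object of class Equation.3
# (Microsoft Equation Editor, the component patched for CVE-2017-11882). The
# \objdata hex is an OLE 1.0 header: version, format, class-name length, the
# class name "Equation.3" and a NUL. Whitespace is inserted inside the hex to
# mimic a common obfuscation. This is a triage fixture, not exploit content.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    r"{\*\objdata 01050000 02000000 0b000000" "\n"
    r"4571756174696f6e2e33 00 00000000}}}"
)

# Constructed benign document with no embedded objects.
BENIGN_RTF = r"{\rtf1\ansi Quarterly report attached.\par}"

# \*\objdata groups hold the hex-encoded OLE payload; \*\objclass names the ProgID.
OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(r"\\\*\\objclass\s*([^}\\]+)")

EQUATION_PROGID = b"Equation.3"
# CLSID {0002CE02-0000-0000-C000-000000000046} of Equation Editor 3.0, in the
# on-disk byte order (first three GUID fields little-endian).
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")


def decode_objdata(hex_text: str) -> bytes:
    """Decode an \\objdata hex blob, tolerating interleaved whitespace."""
    hexstr = re.sub(r"\s+", "", hex_text)
    if len(hexstr) % 2:          # trailing stray nibble: drop it rather than fail
        hexstr = hexstr[:-1]
    return bytes.fromhex(hexstr)


def find_equation_objects(rtf_text: str) -> list:
    """Return one finding string per indicator of an Equation Editor object."""
    findings = []
    for m in OBJCLASS_RE.finditer(rtf_text):
        name = m.group(1).strip()
        if name.lower().startswith("equation"):
            findings.append(f"objclass declares {name}")
    for m in OBJDATA_RE.finditer(rtf_text):
        try:
            blob = decode_objdata(m.group(1))
        except ValueError:
            findings.append("objdata is not valid hex (possible obfuscation)")
            continue
        if EQUATION_PROGID in blob:
            findings.append("objdata OLE header names Equation.3")
        if EQUATION_CLSID in blob:
            findings.append("objdata contains Equation Editor CLSID")
    return findings


def is_suspicious(rtf_text: str) -> bool:
    """True if the document embeds anything that references Equation Editor."""
    return bool(find_equation_objects(rtf_text))


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(label, is_suspicious(doc), find_equation_objects(doc))
```

The \objclass string is attacker-controlled and is often omitted or mangled, so the decoded-payload checks are the ones to rely on; the script does not parse the MTEF record where the overflow actually occurs, so a hit means "send to a sandbox", not "confirmed exploit", and RTFs that hide the object behind further control-word obfuscation will need a full RTF parser.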
Charming Kitten's phishing campaign.
Researchers at Certfa Lab describe a recent phishing campaign by the Iranian APT Charming Kitten (also known as APT35). Over the past few weeks, the attackers have targeted the personal and business email accounts of "members of think tanks, political research centers, university professors, journalists, and environmental activists in the countries around the Persian Gulf, Europe, and the US." The threat actor used both emails and text messages, and they repeatedly targeted the same victims with different phishing lures. Based on the breadth of the infrastructure used in this operation, the researchers say "the extent and scale of this campaign is significant in comparison with previous activity of Charming Kitten."
FreakOut botnet targets recently disclosed CVEs.
Check Point has discovered a new Linux botnet, dubbed "FreakOut," that's targeting a series of recently disclosed vulnerabilities in TerraMaster network-attached storage servers, the Zend Framework (used for building PHP web applications), and the open-source web application platform Liferay Portal. The vulnerabilities exploited are CVE-2020-28188 in the TerraMaster operating system, CVE-2021-3007 in the Zend Framework, and CVE-2020-7961 in Liferay Portal.
The researchers note that "Each of the infected devices can be later used as an attacking platform, thus making the attack flow recursive." The botnet is used for DDoS attacks and cryptomining, and Check Point says it's "an ongoing campaign that can spread rapidly."
Saryu Nayyar, CEO of Gurucul, offered the following comments:
"Historically, Linux systems have been reasonably secure and received patches quickly when a vulnerability comes to light. Unfortunately, Linux and Windows share the same problem in that applications that run on those platforms may not be patched as quickly as the underlying OS. The recent FreakOut botnet attack targets multiple recent application vulnerabilities that may not yet be patched on production systems. Fortunately, the botnet is still quite small and relies on Internet Relay Chat (IRC) for command and control. That means that identifying an infection should be relatively straightforward using network monitoring or security analytics tools provided they are in place."
Ransomware predictions.
Emsisoft's report on ransomware statistics in 2020 highlights the dramatic increase in data theft incidents over the course of the year. The researchers note, "Of the 60 incidents that occurred in Q1 and Q2, data was stolen and released in only one case; it was, however, stolen and released in 23 of the 53 incidents that occurred in Q3 and Q4." Emsisoft concludes that ransomware operators will continue to leverage data theft, and will focus on making these attacks more devastating to the individuals whose information was stolen:
"We anticipate there will be more cases of data theft in 2021 than there were in 2020 – likely, at least twice as many. Like legitimate businesses, criminal enterprises adopt strategies that are proven to work, and data theft has indeed been proven to work. Some organizations which were able to use backups to recover from attacks still paid the ransom simply to prevent their data being published. This resulted in a greater percentage of attacks being monetized and, as a result, better ROI for the cybercriminals.
"We also anticipate that cybercriminals will put stolen data to more use, using it to attack the individuals to which it relates in order to put additional pressure on the organizations from which it was stolen."
Classiscam exported from Russia.
Group-IB says an increasingly popular scam-as-a-service offering dubbed "Classiscam" is targeting users of online marketplaces and classifieds in Europe. The scammers use malicious ads and phishing pages that spoof the "brands of popular international classifieds and marketplaces, such as Leboncoin, Allegro, OLX, FAN Courier, Sbazar, etc." Classiscam began in Russia in the summer of 2019, and is now being used by more than forty criminal groups across Russia, Eastern Europe, France, and the US.