At a glance.
- Praying Mantis attacks Windows IIS servers.
- StrongPity APT targets Android devices.
- XCSSET gains improved data-stealing capabilities.
- XLoader can now target macOS.
Praying Mantis attacks Windows IIS servers.
Researchers at Sygnia have described a campaign by a threat actor dubbed "Praying Mantis" that's targeting "prominent organizations in the US" by exploiting internet-facing Windows IIS servers:
"The initial foothold within the network was obtained by leveraging a variety of deserialization exploits targeting Windows IIS servers and vulnerabilities targeting web applications. The activities observed suggest that Praying Mantis is highly familiar with the Windows IIS software and equipped with zero-day exploits.
"Praying Mantis utilizes a completely volatile and custom malware framework tailor-made for IIS servers. The core component loaded on to internet-facing IIS servers, intercepts and handles any HTTP request received by the server. The threat actor also uses an additional stealthy backdoor and several post-exploitations modules to perform network reconnaissance, elevate privileges, and move laterally within networks.
"The nature of the attack and general modus operandi of the activities suggest that Praying Mantis is an experienced stealthy actor highly aware of OPSEC (operations security). The malware used shows a significant effort to avoid detection by actively interfering with logging mechanisms, successfully evading commercial EDRs, as well as silently awaiting incoming connections rather than connecting back to a C2 channel and continuously generating traffic. Furthermore, Praying Mantis actively removed all disk-resident tools after using the [malware] – effectively sacrificing persistency for stealth."
Sygnia's researchers note that the activity "strongly correlates" with TTPs that were used in a campaign against Australian organizations last year. The Australian Cyber Security Centre (ACSC) stated at the time, "The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor. This activity represents the most significant, coordinated cybertargeting against Australian institutions the Australian Government has ever observed."
StrongPity APT targets Android devices.
Researchers at Trend Micro say the StrongPity APT is developing and deploying Android backdoors for the first time. The threat actor is using compromised websites as watering-holes to trick users into installing malicious Android apps:
"There are no known public reports of StrongPity using malicious Android applications in their attacks at the time of writing. In order to strengthen our confidence in the accuracy of our attribution to StrongPity, we decided to further examine some of their samples that were used to target Microsoft Windows platforms and see if we could identify similar tools, tactics, and procedures (TTPs) in their actions.
"Just as we have seen with the Android apps, the StrongPity group favors repacking benign installers to produce trojanized versions of these applications. Likewise, the main function of these backdoors is to search, harvest, and exfiltrate files from the victim’s computers."
XCSSET gains improved data-stealing capabilities.
Trend Micro has also provided an update on XCSSET, describing how the malware steals information from Telegram, Chrome, Contacts, Evernote, Notes, Opera, Skype, and WeChat. The researchers note, "The changes we’ve encountered in XCSSET do not reflect a fundamental change in its behavior but do constitute refinements in its tactics."
XLoader can now target macOS.
Researchers at Check Point have found that the XLoader information-stealer (previously known as "Formbook") can now operate on macOS. Check Point notes that XLoader/Formbook ranked fourth on a list of the most prevalent malware. The researchers have observed the malware in 69 countries over the past six months, with more than half of the infections in the United States. XLoader's developers have also improved their ability to monetize the malware:
"The malware now features a more lucrative economic model for the authors as compared to Formbook. Customers may only buy the malware for a limited time and are only able to use a server provided by the seller; no panel sources codes are sold anymore. Thus, a 'Malware-as-a-Service' scheme is used. Centralized C&C infrastructure allows the authors to control how the malware is used by the customers."