At a glance.
- Chinese threat actors targeting telecommunications companies.
- GhostEmperor active in Southeast Asia.
- Android Trojan has screen-recording capability.
- FatalRAT emerges.
Chinese threat actors targeting telecommunications companies.
Cybereason has observed three cyberespionage campaigns by Chinese threat actors against telecommunications companies. The researchers say the actor is targeting "high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the Domain Controllers, Web Servers and Microsoft Exchange servers":
- "Cluster A: Assessed to be operated by Soft Cell, an activity group in operation since 2012, previously attacking Telcos in multiple regions including Southeast Asia, which was first discovered by Cybereason in 2019. We assess with a high level of confidence that the Soft Cell activity group is operating in the interest of China. The activity around this cluster started in 2018 and continued through Q1 2021.
- "Cluster B: Assessed to be operated by the Naikon APT threat actor, a highly active cyber espionage group in operation since 2010 which mainly targets ASEAN countries. The Naikon APT group was previously attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). The activity around this cluster was first observed in Q4 2020 and continued through Q1 2021.
- "Cluster C: A “mini-cluster” characterized by a unique OWA backdoor that was deployed across multiple Microsoft Exchange and IIS servers. Analysis of the backdoor shows significant code similarities with a previously documented backdoor observed being used in the operation dubbed Iron Tiger, which was attributed to a Chinese threat actor tracked by various researchers as Group-3390 (APT27 / Emissary Panda). The activity around this cluster was observed between 2017 and Q1 2021."
GhostEmperor active in Southeast Asia.
Kaspersky describes a sophisticated cyberespionage campaign that "used Microsoft Exchange vulnerabilities to target high-profile victims with an advanced toolset and bore no similarity to any known threat actor":
"GhostEmperor is a Chinese-speaking threat actor that has mostly focused on targets in Southeast Asia, including several government entities and telecom companies. The group stands out because it uses a formerly unknown Windows kernel-mode rootkit. Rootkits provide remote control access over the servers they target. Acting covertly, rootkits are notorious for hiding from investigators and security solutions. To bypass the Windows Driver Signature Enforcement mechanism, GhostEmperor uses a loading scheme involving a component of an open-source project named “Cheat Engine.” This advanced toolset is unique and Kaspersky researchers see no similarity to already known threat actors. Kaspersky experts have surmised that the toolset has been in use since at least July 2020."
Android Trojan has screen-recording capability.
Researchers at ThreatFabric have spotted an Android banking Trojan that has screen-recording capability. The malware, dubbed "Vultur," was delivered via a malicious app in the Google Play Store. Once installed, the app will hide its icon:
"After hiding its icon, Vultur proceeds to start its service responsible for managing the main functionality of the trojan, which is screen recording using VNC (Virtual Network Computing). VNC is a specific software implementation, but it is not uncommon for malicious actors to use the term ‘VNC’ to refer to anything falling under the umbrella of Screen Sharing with remote access (may that be done using a third-party software like VNC or TeamViewer, or through Android internal features, used by for example the Oscorp malware). In the case of Vultur it actually refers to a real VNC implementation taken from AlphaVNC. To provide remote access to the VNC server running on the device, Vultur uses ngrok. ngrok is capable of exposing local servers behind NATs and firewalls to the public internet over secure tunnels."
AT&T Alien Labs describes "FatalRAT," a new Trojan that's delivered via Telegram. The researchers believe the malware is being actively developed:
"The newly identified FatalRat malware has been using techniques like obfuscation, anti-sandbox and antivirus evasion, encrypted configurations, logging user keystrokes, system persistence, login brute force, collection of system data, and encrypted communications with command and control server. Alien Labs has discovered multiple samples in the past few months, with a slight dip in July. However, we expect to continue to see the presence of FatalRat and its variants in our samples in the near future."