At a glance.
- Phishing campaign impersonates Amnesty International.
- New ransomware operator exploits Confluence vulnerability.
- Hydra Android Trojan targets CommerzBank customers.
Threat actor impersonates Amnesty International.
Cisco Talos warns that a threat actor is impersonating Amnesty International to deliver the Sarwent remote access Trojan. The actor set up a phishing site that closely mimics Amnesty International's real website and purports to offer an antivirus product that can defend against NSO Group's Pegasus spyware:
"Sarwent contains the usual abilities of a remote access tool (RAT) — mainly serving as a backdoor on the victim machine — and can also activate the remote desktop protocol on the victim machine, potentially allowing the adversary to access the desktop directly. We believe this campaign has the potential to infect many users given the recent spotlight on the Pegasus spyware. In addition to Amnesty International's report, Apple also had to recently release a security update for iOS that patched a vulnerability attackers were exploiting to install Pegasus. Many users may be searching for protection against this threat at this time."
The researchers also note that since Pegasus is used by governments, it's possible that a state-sponsored actor is behind this campaign:
"The campaign targets people who might be concerned that they are targeted by the Pegasus spyware. This targeting raises issues of possible state involvement, but there is insufficient information available to Talos to make any determination on which state or nation. It is possible that this is simply a financially motivated actor looking to leverage headlines to gain new access."
New ransomware operator exploits Confluence vulnerability.
Researchers at Sophos outline the activities of "Atom Silo," a newly observed ransomware operator that's exploiting a recently patched flaw in Confluence:
"The sophisticated attack, which took place over two days, was made possible by an earlier initial access leveraging a recently revealed vulnerability in Atlassian’s Confluence collaboration software. While the ransomware itself is virtually identical to LockFile, the intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software."
The researchers note that the threat actor used Remote Desktop Protocol (RDP) sessions for hands-on-keyboard access, then ran the RClone utility to copy data to a Dropbox account before moving on to the domain controller and deploying the ransomware:
"On September 24, the ransomware actors began their own discovery and exfiltration efforts, checking the local volumes attached to an important server and then checking its history of Remote Desktop sessions. Using RDP, the ransomware gang then went hands-on-keyboard, dropping and executing the RClone utility to copy data off the server to a Dropbox account from several directories. The process was repeated on another server. Soon after the exfiltration was complete, the intruders connected to the domain controller and dropped their all-in-one attack executable."
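The sequence Sophos describes (interactive RDP session, then RClone copying directories to a cloud remote) is a detectable pattern in process-creation telemetry. The script below is an added example written for this page, not Sophos's own detection logic: it runs over a constructed, simplified event feed (fields: timestamp, host, user, Windows logon type, image path, command line; the hosts, users and remote names are made up), flags any rclone transfer whose destination is a remote rather than a local path, raises severity when the process came from a RemoteInteractive (logon type 10, i.e. RDP) session, and catches a renamed rclone binary by its command-line shape rather than its file name. The allowlist of expected host/remote pairs is an assumption for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-creation events for this example (not real
# Sophos telemetry). Field order: timestamp|host|user|logon_type|image|command_line
SAMPLE_EVENTS = r"""
2021-09-24T10:02:11|FILESRV01|CORP\svc_backup|10|C:\Windows\System32\cmd.exe|cmd.exe
2021-09-24T10:05:40|FILESRV01|CORP\svc_backup|10|C:\Temp\rclone.exe|rclone.exe copy D:\Finance dbx:exfil --transfers 8
2021-09-24T10:31:02|FILESRV02|CORP\svc_backup|10|C:\Temp\rc.exe|rc.exe copy E:\HR remote:backup
2021-09-24T11:00:00|BUILD01|CORP\jenkins|5|C:\Tools\rclone.exe|rclone.exe sync C:\artifacts s3:ci-artifacts
2021-09-24T11:20:15|WS17|CORP\alice|2|C:\Program Files\Dropbox\Dropbox.exe|Dropbox.exe /home
"""

RDP_LOGON_TYPE = "10"  # Windows logon type 10 = RemoteInteractive (RDP session)
# rclone subcommands that move data towards a destination.
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote looks like "name:path". The lookahead rejects a path separator
# right after the colon, so Windows drive paths such as "D:\Finance" do not match.
REMOTE_RE = re.compile(r"([A-Za-z][\w-]*):(?![\\/:])\S*")
# (host, remote) pairs an admin has reviewed; assumed allowlist for the example.
ALLOWED_TRANSFERS = {("BUILD01", "s3")}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    remote: str
    severity: str
    reason: str


def parse_event(line: str) -> dict:
    ts, host, user, logon_type, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "logon_type": logon_type,
            "image": image, "cmdline": cmdline}


def rclone_remote(cmdline: str):
    """Return the remote name if the command line is an rclone transfer to a remote, else None.

    Matching on verb + "remote:path" shape (not on the image name) means a renamed
    binary such as rc.exe is still caught.
    """
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[1].lower() not in RCLONE_VERBS:
        return None
    for tok in tokens[2:]:
        m = REMOTE_RE.fullmatch(tok)
        if m:
            return m.group(1)
    return None


def detect(events_text: str) -> list:
    """Scan the event feed and return a Finding for each suspicious rclone transfer."""
    findings = []
    for line in events_text.strip().splitlines():
        ev = parse_event(line)
        remote = rclone_remote(ev["cmdline"])
        if remote is None:
            continue  # not an rclone transfer to a remote
        if (ev["host"], remote) in ALLOWED_TRANSFERS:
            continue  # reviewed, expected transfer (e.g. CI artefact upload)
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        reasons = [f"rclone transfer to remote '{remote}'"]
        if image_name != "rclone.exe":
            reasons.append(f"renamed binary {image_name}")
        if ev["logon_type"] == RDP_LOGON_TYPE:
            # Hands-on-keyboard operator in an RDP session, as in the Atom Silo case.
            reasons.append("launched from an RDP (RemoteInteractive) session")
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(ev["ts"], ev["host"], ev["user"], remote,
                                severity, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.timestamp} {f.host} {f.user}: {f.reason}")
```

On the sample feed this yields two high-severity findings (the Dropbox remote on FILESRV01 and the renamed rc.exe on FILESRV02); the jenkins upload is suppressed by the allowlist and the Dropbox desktop client on the workstation is ignored because it is not an rclone transfer. In a real deployment the same logic would read Sysmon Event ID 1 or Windows 4688 events joined to the 4624 logon type of the session.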
Hydra Android Trojan targets CommerzBank customers.
Cyble researchers say that the Android banking Trojan "Hydra" is targeting European customers of Germany's CommerzBank. The malware is distributed as malicious APKs posing as CommerzBank's official mobile app. Once installed, the app asks the user to enable Accessibility Service access for it, which the malware then uses to grant itself the other permissions it needs. The researchers note that Hydra has upgraded its capabilities:
"From our analysis, alongside standard banking trojan behavior such as creating an overlay for stealing credentials, Hydra has evolved. It now incorporates TeamViewer functionality, similar to S.O.V.A. malware, and is also using different encryption techniques to evade detection and using Tor for communication."
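The accessibility-service abuse and credential overlays described above leave a visible footprint in an app's manifest: a service bound with android.permission.BIND_ACCESSIBILITY_SERVICE that filters for the android.accessibilityservice.AccessibilityService action, alongside permissions such as SYSTEM_ALERT_WINDOW (overlays) and RECEIVE_SMS (one-time codes). The triage script below is an added example for this page, not Cyble's tooling or any real Hydra sample: it parses a constructed, decoded AndroidManifest.xml (the package name, label and permission set are made up) and reports whether the combination typical of an overlay banking trojan is present. It assumes the manifest has already been decoded from the APK's binary XML with a tool such as apktool or androguard.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERM = "{%s}permission" % ANDROID_NS
A_LABEL = "{%s}label" % ANDROID_NS

ACCESSIBILITY_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions that, together with an accessibility service, are characteristic
# of overlay/credential-stealing banking trojans.
SUSPECT_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake login screens)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read stored SMS (OTP theft)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
}

# Constructed manifest for the example: a fake banking app. The package name
# and label are invented and are not the bank's real identifiers.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Commerzbank">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison (also invented).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def declares_accessibility_service(root) -> bool:
    """True if any <service> is bound as an accessibility service.

    Both conditions must hold: the service requires BIND_ACCESSIBILITY_SERVICE
    and its intent-filter lists the AccessibilityService action. A service with
    only one of them would not be offered to the user as an accessibility service.
    """
    for svc in root.iter("service"):
        if svc.get(A_PERM) != ACCESSIBILITY_BIND_PERM:
            continue
        for action in svc.iter("action"):
            if action.get(A_NAME) == ACCESSIBILITY_ACTION:
                return True
    return False


def triage_manifest(xml_text: str) -> dict:
    """Summarise the banking-trojan indicators found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    hits = {p: SUSPECT_PERMS[p] for p in sorted(perms) if p in SUSPECT_PERMS}
    accessibility = declares_accessibility_service(root)
    app = root.find("application")
    if accessibility and hits:
        verdict = "suspicious"   # accessibility abuse plus overlay/SMS capability
    elif accessibility or hits:
        verdict = "review"       # one indicator alone has legitimate uses
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "label": app.get(A_LABEL) if app is not None else None,
        "accessibility_service": accessibility,
        "suspect_permissions": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

A legitimate accessibility app (a screen reader, for instance) would also declare the service, which is why the verdict only becomes "suspicious" when it is combined with overlay or SMS permissions; the label check is left to the analyst, since a trojan will copy the bank's branding exactly.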