At a glance.
- Watering-hole campaign in the Middle East.
- Emotet rebuilds.
- Lyceum targets telecommunications companies and ISPs.
- New Golang botnet malware.
Watering-hole campaign in the Middle East.
Researchers at ESET have discovered a large watering-hole campaign targeting users in the Middle East, particularly in Yemen. The researchers believe the campaign is being run by a customer of Candiru, an Israeli spyware firm that was recently sanctioned by the US Commerce Department for selling its products to repressive regimes. ESET has linked the campaign to a threat actor tracked by Kaspersky as Karkadann. The researchers note that the operation appeared to cease in July 2021, following the publication of reports on Candiru by Google, Microsoft, and the University of Toronto's Citizen Lab.
Emotet rebuilds.
The Emotet Trojan and botnet has resurfaced after its infrastructure was disrupted by Europol earlier this year, BleepingComputer reports. Researchers from Cryptolaemus, GData, and Advanced Intel have observed the Trickbot Trojan dropping an Emotet loader on infected devices. Advanced Intel researcher Vitali Kremez told BleepingComputer, "It is an early sign of the possible impending Emotet malware activity fueling major ransomware operations globally given the shortage of the commodity loader ecosystem. It also tells us that the Emotet takedown did not prevent the adversaries from obtaining the malware builder and setting up the backend system bringing it back to life."
German security firm GData blogged that on Sunday it detected a DLL that appeared to be Emotet; it subsequently confirmed the identification. The Record, which has been in touch with researchers at Cryptolaemus who've been tracking the reappearance of Emotet, writes that the comeback appears to be in its early stages. Emotet isn't, yet, actively sending out spam, and it appears the operators may be trying to quietly reestablish their infrastructure. "It doesn't seem too large at this time, and we are not seeing active distribution yet," the Cryptolaemus researchers said, but the malware's reappearance will be worth keeping an eye on.
James Shank, Senior Security Evangelist and Chief Architect, Community Services, at Team Cymru, emailed us these comments:
"Emotet was once the 'world's most dangerous malware.' Taken down by collaborative action in January 2021, it appears to now be resurfacing.
"Emotet was different than most access-as-a-service providers. Its design led to a more redundant system than most malware. The first version's takedown required collaboration between many companies and countries. It is too early to tell what this new version of Emotet will look like.
"The relationship between this new variant and the old Emotet shows code overlap and technique overlap. Old signatures written to detect the first version of Emotet also detect this variant, in some cases. There are public reports saying Emotet is being dropped by Trickbot, which has happened before. Emotet samples are back.
"It will take some time to see how Emotet rebuilds, and whether it can become the 'world's most dangerous malware' again. You can be sure that those that helped to take it down the first time are keeping watch. It doesn't come as a surprise that Emotet resurfaced. In fact, more may wonder why it took so long."
Lyceum targets telecommunications companies and ISPs.
Accenture and Prevailion are tracking a campaign by the Iranian cyberespionage group Lyceum (also known as HEXANE or Spirlin) that's targeted telecommunications providers and ISPs in the Middle East and North Africa and an unnamed ministry of foreign affairs (MFA) in Africa:
"ACTI/PACT identified victims within telecommunication companies and ISPs in Israel, Morocco, Tunisia, and Saudi Arabia as well as an MFA in Africa. Telecommunications companies and ISPs are high-level targets for cyber espionage threat actors because once compromised, they provide access to various organizations and subscribers in addition to internal systems that can be used to leverage malicious behavior even further. Additionally, companies within these industries can also be used by threat actors or their sponsors to surveil individuals of interest. MFAs are also highly sought-after targets because they have valuable intelligence on the current state of bilateral relationship and insight into future dealings."
New Golang botnet malware.
AT&T Alien Labs has come across a new botnet malware written in Golang that's targeting routers and IoT devices with 33 different exploits. The malware, dubbed "BotenaGo," bears similarities to the Mirai botnet, but the researchers conclude that there are enough differences to classify BotenaGo as a new strain of malware:
"Some AVs detect these new malware variants using Go as Mirai malware — the payload links do look similar. However, there is a difference between the Mirai malware and the new malware variants using Go, including differences in the language in which it is written and the malware architectures. Mirai is a botnet that initiates its communication with its command and control (C&C). It also has different DDoS functionality. The new malware strains Alien Labs has discovered do not have the same attack functions as Mirai malware, and the new strains only look for vulnerable systems to spread its payload. In addition, Mirai uses a "XOR table" to hold its strings and other data, as well as to decrypt them when needed — this is not the case for the new malware using Go."
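Alien Labs' point about Mirai's XOR string table is easier to appreciate concretely. The Go program below is an added example written for this digest, not code from Alien Labs, from Mirai, or from BotenaGo: it reproduces the per-byte toggle that the public Mirai source applies with its 0xdeadbeef table key (the four successive XORs fold into a single XOR with 0x22), decodes a small string table constructed here for the example, and shows the brute-force check an analyst runs to recover the key byte from a sample whose key is unknown. The sample strings and all function names are the example's own.

```go
package main

import "fmt"

// MiraiTableKey is the 32-bit XOR key used by the public Mirai source (table.c).
const MiraiTableKey uint32 = 0xdeadbeef

// ToggleObf reproduces Mirai's toggle_obf(): every byte is XORed in turn with
// each of the four key bytes. XOR is associative, so this equals one XOR with
// EffectiveKeyByte(key); applying it twice restores the original bytes.
func ToggleObf(data []byte, key uint32) []byte {
	k1, k2, k3, k4 := byte(key), byte(key>>8), byte(key>>16), byte(key>>24)
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ k1 ^ k2 ^ k3 ^ k4
	}
	return out
}

// EffectiveKeyByte folds the four key bytes into the single byte that the
// per-byte toggle actually applies (0x22 for 0xdeadbeef).
func EffectiveKeyByte(key uint32) byte {
	return byte(key) ^ byte(key>>8) ^ byte(key>>16) ^ byte(key>>24)
}

// looksLikeString reports whether a decoded entry is printable ASCII with an
// optional trailing NUL, which is the shape of every entry in Mirai's table.
func looksLikeString(b []byte) bool {
	if n := len(b); n > 0 && b[n-1] == 0 {
		b = b[:n-1]
	}
	if len(b) == 0 {
		return false
	}
	for _, c := range b {
		if c < 0x20 || c > 0x7e {
			return false
		}
	}
	return true
}

// RecoverKeyBytes tries all 256 single-byte keys against the obfuscated entries
// and returns those under which every entry decodes to a printable string. An
// analyst then confirms the right candidate against expected plaintexts.
func RecoverKeyBytes(entries [][]byte) []byte {
	var candidates []byte
	for k := 0; k < 256; k++ {
		ok := true
		for _, e := range entries {
			dec := make([]byte, len(e))
			for i, c := range e {
				dec[i] = c ^ byte(k)
			}
			if !looksLikeString(dec) {
				ok = false
				break
			}
		}
		if ok {
			candidates = append(candidates, byte(k))
		}
	}
	return candidates
}

// DecodeTable applies the toggle to every entry and strips the trailing NUL.
func DecodeTable(entries [][]byte, key uint32) []string {
	out := make([]string, 0, len(entries))
	for _, e := range entries {
		dec := ToggleObf(e, key)
		if n := len(dec); n > 0 && dec[n-1] == 0 {
			dec = dec[:n-1]
		}
		out = append(out, string(dec))
	}
	return out
}

// SamplePlaintexts and SampleEntries are constructed for this example: a few
// strings of the kind such a table holds, NUL-terminated as Mirai's add_entry()
// blobs are and obfuscated with the Mirai key.
var SamplePlaintexts = []string{"/proc/", "/dev/watchdog", "busybox", "Content-Type"}

func SampleEntries() [][]byte {
	entries := make([][]byte, 0, len(SamplePlaintexts))
	for _, s := range SamplePlaintexts {
		entries = append(entries, ToggleObf(append([]byte(s), 0), MiraiTableKey))
	}
	return entries
}

func main() {
	entries := SampleEntries()
	fmt.Printf("effective key byte: 0x%02x\n", EffectiveKeyByte(MiraiTableKey))
	fmt.Printf("candidate key bytes: %x\n", RecoverKeyBytes(entries))
	for _, s := range DecodeTable(entries, MiraiTableKey) {
		fmt.Printf("%q\n", s)
	}
}
```

The printable-ASCII heuristic in RecoverKeyBytes is deliberately loose, so on a real sample it can return several candidates; the point is that a single-byte XOR over a whole string table leaves so much structure that the key falls out of a 256-way search, which is why the obfuscation helps a sample evade naive string matching but not an analyst.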