At a glance.
- Iranian threat actor exploits MSHTML vulnerability.
- WIRTE targets countries in the Middle East.
- Yanluowang ransomware attacks.
- Ransomware actor rebrands as "Sabbath."
Iranian threat actor exploits MSHTML vulnerability.
Researchers at SafeBreach have observed an Iranian threat actor exploiting a Microsoft MSHTML remote code execution vulnerability (CVE-2021-40444) to target Farsi-speaking victims with a PowerShell stealer dubbed "PowerShortShell." The researchers state that "in only ~150 lines, it provides the adversary a lot of critical information including screen captures, telegram files, document collection, and extensive data about the victim’s environment." The attackers deliver the exploit via spearphishing emails with malicious Word documents. Microsoft released a patch for the vulnerability on September 14th, explaining that "[a]n attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document."
SafeBreach believes the attackers are targeting the Iranian diaspora:
"Almost half of the victims are located in the United States. Based on the Microsoft Word document content - which blames Iran’s leader for the 'Corona massacre' and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran's Islamic regime. The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran's threat actors like Infy, Ferocious Kitten, and Rampant Kitten."
The researchers note that the use of exploits is notable in this case, since Iranian threat actors typically rely on pure social engineering.
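For administrators who could not apply the September 14th patch immediately, Microsoft's advisory for CVE-2021-40444 published a workaround that disables the installation of ActiveX controls in Internet Explorer by setting two URL-action values (1001, "Download signed ActiveX controls", and 1004, "Download unsigned ActiveX controls") to 3 (Disable) in each of the four security zones under the Internet Settings policy key. The script below is an added example, written here and not taken from the digest, SafeBreach or Microsoft; it reads those values back so a defender can confirm the workaround is actually in force. The policy paths and value meanings come from Microsoft's workaround as I know it; the function name, parameter names and output shape are my own.

```powershell
# Added example (not from the original article): report whether the ActiveX
# download URL actions that Microsoft's CVE-2021-40444 workaround disables are
# set to "Disable" (3) in every Internet Explorer security zone.
# Zone ids: 0 = Local Machine, 1 = Local Intranet, 2 = Trusted Sites, 3 = Internet.
# Value ids: 1001 = download signed ActiveX controls, 1004 = download unsigned ones.
# URL-action values: 0 = Enable, 1 = Prompt, 3 = Disable.

function Get-ActiveXDownloadPolicy {
    [CmdletBinding()]
    param(
        # The HKLM policy path is the one the workaround writes; HKCU is read as a
        # fallback so a per-user override is visible too.
        [string[]]$ZoneRoots = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
        ),
        [int[]]$ZoneIds = 0..3,
        [string[]]$ActionIds = @('1001', '1004')
    )

    foreach ($root in $ZoneRoots) {
        foreach ($zone in $ZoneIds) {
            $zonePath = Join-Path -Path $root -ChildPath "$zone"
            foreach ($action in $ActionIds) {
                $value = $null
                if (Test-Path -Path $zonePath) {
                    $value = (Get-ItemProperty -Path $zonePath -Name $action `
                              -ErrorAction SilentlyContinue).$action
                }
                [pscustomobject]@{
                    Root     = $root
                    Zone     = $zone
                    Action   = $action
                    Value    = $value          # $null means the value is not set in this hive
                    Disabled = ($value -eq 3)
                }
            }
        }
    }
}

$report = Get-ActiveXDownloadPolicy
$report | Format-Table -AutoSize

# Only the machine policy hive counts as "workaround applied"; a missing value
# means IE falls back to its built-in zone defaults, which do not disable ActiveX.
$notDisabled = @($report | Where-Object { $_.Root -like 'HKLM:*' -and -not $_.Disabled })
if ($notDisabled.Count -gt 0) {
    Write-Warning "ActiveX download is not disabled by machine policy for $($notDisabled.Count) zone/action pair(s)."
} else {
    Write-Output 'ActiveX download is disabled by machine policy in all four zones.'
}
```

Run it in an elevated PowerShell session so the HKLM policy key is readable. Two caveats: the workaround blocks new ActiveX installation through the MSHTML engine for all of its consumers, so line-of-business applications that rely on ActiveX in IE may break, and the workaround is a stopgap, not a substitute for the September 14th update, since it does not remove the vulnerable code path.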
WIRTE targets countries in the Middle East.
Kaspersky describes a spearphishing campaign targeting "diplomatic and financial institutions, government, law firms, military organizations, and technology companies" in Middle Eastern countries, including Armenia, Cyprus, Egypt, Jordan, Lebanon, Palestine, Syria, and Turkey. The researchers attribute this campaign "with high confidence" to a threat actor tracked as WIRTE. The researchers note similarities to the Iranian threat actor MuddyWater, but they believe it's more likely that WIRTE is linked to the Gaza Cybergang (also known as the Molerats) due to their use of Palestine-related phishbait:
"We assess with low confidence that WIRTE is a subgroup under the Gaza Cybergang umbrella. Although the three subgroups we are tracking use entirely different TTPs, they all occasionally use decoys associated with Palestinian matters, which we haven’t seen commonly used by other threat actors, especially those operating in the Middle East region such as MuddyWater and Oilrig. ... WIRTE operators use simple and rather common TTPs that have allowed them to remain undetected for a long period of time. If our assessment of associating WIRTE with Gaza Cybergang proves to be correct in the future, it may signal a change in the group’s motivation. Gaza Cybergang is politically motivated and therefore primarily targets governmental and political entities; it is unusual for such groups to target law firms and financial institutions. Despite the targeting of these latter spheres, the majority of victims still fall within the government and diplomatic categories."
Yanluowang ransomware attacks.
Researchers at Symantec are tracking a threat actor that's been using the Yanluowang ransomware to attack US organizations since at least August 2021. The researchers state that the attackers "have been heavily focused on organizations in the financial sector but have also targeted companies in the manufacturing, IT services, consultancy, and engineering sectors." Symantec notes possible connections to the Thieflock ransomware-as-a-service, stating that these attacks are likely being carried out by a former Thieflock affiliate:
"There is a tentative link between these Yanluowang attacks and older attacks involving Thieflock, ransomware-as-a-service developed by the Canthroid (aka Fivehands) group. Several TTPs used by these attackers overlap with TTPs used in Thieflock attacks, including:
- "Use of custom password recovery tools such as GrabFF and other open-source password dumping tools
- "Use of open-source network scanning tools (SoftPerfect Network Scanner)
- "Use of free browsers, such as s3browser and Cent browser"
Ransomware actor rebrands as "Sabbath."
Mandiant has published a report on a ransomware-as-a-service operation dubbed "Sabbath," which the researchers believe is a rebranding of the group behind the Arcane and Eruption ransomware operations. Mandiant tracks this group as UNC2190, explaining that the threat actor "uses a multifaceted extortion model where ransomware deployment may be quite limited in scope, bulk data is stolen as leverage, and the threat actor actively attempts to destroy backups." The group set up a new data leak extortion site on October 21st:
"Sabbath first came to light in October 2021 when the group publicly shamed and extorted a US school district on Reddit and from a now suspended Twitter account, @54BB47h. During this recent extortion, the threat actor demanded a multi-million-dollar payment after deploying ransomware. Media reporting indicated that the group took the unusually aggressive step of emailing staff, parents and even students directly to further apply public pressure on the school district."