At a glance.
- Supply chain attack compromises Android emulator.
- Tracking criminal infrastructure-as-a-service.
- LogoKit makes phishing easy.
- Lebanese Cedar conducting cyberespionage.
- New Trickbot campaign.
Supply chain attack compromises Android emulator.
Researchers at ESET have uncovered a cyberespionage-focused supply chain attack that compromised the update mechanism of NoxPlayer, an Android emulator with more than 150 million users. The emulator is primarily used to play mobile games on PCs and Macs. The researchers say the campaign is focused on stealing information and there's no evidence the attackers are interested in financial gain. ESET adds that the operation is "particularly interesting due to the targeted vertical, as we rarely encounter many cyberespionage operations targeting online gamers." ESET first noticed the activity in September 2020, and the campaign is currently ongoing.
The operation is extremely targeted so far, with the attackers manually selecting their victims. Over 100,000 of ESET's customers have NoxPlayer installed on their computers, but only five of these were selected to receive the malicious update. The five victims were located in Taiwan, Hong Kong, and Sri Lanka.
ESET notes, "We spotted similarities in loaders we have been monitoring in the past with some of the ones used in this operation, such as instances we discovered in a Myanmar presidential office website supply-chain compromise on 2018, and in early 2020 in an intrusion into a Hong Kong university." In the most recent cases, the loaders delivered the PoisonIvy remote access Trojan.
ESET has notified BigNox, the Hong Kong-based company that owns NoxPlayer, but the company has denied being affected.
Update, 2.3.21. Nox Limited contacted us today to say that they'd reached an agreement with ESET to address the selective exploitation of Nox's BigNox Android emulator in an apparent cyberespionage campaign. They intend to work together on the apparent security issue and will provide further information as it becomes available.
Tracking criminal infrastructure-as-a-service.
Microsoft describes a "sprawling" criminal email infrastructure that the company says "is robust enough to seem legitimate to many mail providers, while flexible enough to allow the dynamic generation of new domain names and remain evasive." The infrastructure is apparently filling a vacuum in the criminal infrastructure-as-a-service market created by the disruption of the Necurs botnet in March 2020. The researchers' investigation into the new infrastructure led them to the following conclusions:
- "Tracking an email infrastructure surfaces patterns in attacker activity, bubbling up common elements in seemingly disparate campaigns.
- "Among domains that attackers use for sending emails, distributing malware, or command-and-control, the email domains are the most likely to share basic registration similarities and more likely to use DGA.
- "Malware services rely on proxy providers to make tracking and attribution difficult, but the proxies themselves can provide insights into upcoming campaigns and improve our ability to proactively protect against them.
- "Gaining intelligence on email infrastructures enables us to build or improve proactive and comprehensive protections like those provided by Microsoft Defender for Office 365 to defend against some of the world’s most active malware campaigns."
LogoKit makes phishing easy.
RiskIQ has come across a phishing kit, dubbed "LogoKit," that automatically generates a tailored phishing page for each target based on the user's email address. The researchers explain, "Unlike many other phishing kits, the LogoKit family is an embeddable set of JavaScript functions designed to interact within the Document Object Model (DOM), the site's presentation layer. Integrating with the DOM allows for the script to dynamically alter the visible content and HTML form data within a page, all without user interaction. This capability gives attackers a wide range of options for visually deceiving their victims by easily integrating it into existing HTML pretext templates or building fake forms to mimic corporate login portals."
RiskIQ has identified seven hundred domains hosting this kit over the past month. The phishing kit is versatile, easy to use, and creates convincing phishing templates for many services including "SharePoint, Adobe Document Cloud, OneDrive, Office 365, and Cryptocurrency exchanges."
Lebanese Cedar conducting cyberespionage.
ClearSky researchers describe cyberespionage activity by Lebanese Cedar, a threat actor tied to the Lebanese government and aligned with Hezbollah. The researchers agree with Check Point's 2015 assessment that the group is politically and ideologically motivated.
The threat actor is using a new version of its custom-made Trojan dubbed "Explosive" as well as their Caterpillar WebShell. The group uses publicly available tools like Shodan to scan for vulnerable web servers, and exploits 1-day vulnerabilities such as CVE-2019-3396 in Atlassian Confluence Server, CVE-2019-11581 in Atlassian Jira Server and Data Center, and CVE-2012-3152 in Oracle 10g 11.1.2.0. The researchers have identified 254 servers compromised by the group. Most of the victims were telecommunications, IT, and hosting companies, with the primary targets located in the Middle East:
"Our report reveals a partial list of the companies that the group has attacked. The target companies are from many countries including: The United States, the United Kingdom, Egypt, Jordan, Lebanon, Israel, and the Palestinian Authority. We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years."
ClearSky notes that Lebanese Cedar's patience and stealthiness has allowed it to operate nearly unseen for at least five years. The group was first noticed by Check Point and Kaspersky in 2015.
New Trickbot campaign.
Menlo Security says the Trickbot botnet is running a phishing campaign using bogus traffic violations as phishing lures. This campaign has "exclusively targeted legal and insurance verticals in North America." The researchers note that the botnet seems to be functioning normally again following a series of disruptions by US Cyber Command and the private sector late last year.
Separately, researchers at Kryptos Logic report that Trickbot is using a new module called "masrv" that incorporates the Masscan IP port scanner. The researchers conclude that "[t]his new module is an indication of the actor’s continued investment in improving their network reconnaissance toolkit, even after recent disruption efforts."