At a glance.
- Iranian cyberespionage activities.
- New BlackTech shellcode.
- Malicious extension abuses Chrome's cloud syncing.
- Barcode scanner app turns into adware.
- Online fraud trends.
- Tracking ICS vulnerability disclosures.
Iranian cyberespionage activities.
Researchers at Check Point are tracking the activities of "Domestic Kitten," an Iranian threat actor known for conducting "extensive surveillance operations against Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more." The researchers have found four campaigns that are currently active. The actors use compromised websites, Telegram channels, and SMS messages to trick their victims into installing malware. Domestic Kitten's malware, dubbed "FurBall," is capable of "collecting device identifiers, grabbing SMS messages and call logs, surround recording with the device microphone, call recording, stealing media files (such as videos and photos), obtaining a list of installed applications, tracking the device location, stealing files from the external storage, and more." The vast majority of Domestic Kitten's victims were located in Iran, with some in the US, Pakistan, Afghanistan, the UK, and Turkey.
Check Point and SafeBreach Labs also describe "Infy," another threat actor attributed to Iran. In the latest campaign, the researchers say Infy was able to "fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and tooling capabilities." Infy is using malicious macros in Word documents to deliver new versions of its Foudre malware. Notably, none of the known victims in the latest campaign are located in Iran. In the past, the majority of Infy's victims were Iranian. The researchers speculate that the actor "had the DNS records in Iran changed preemptively" to prevent the Iranian victims from being discovered.
New BlackTech shellcode.
Palo Alto Networks' Unit 42 discovered a new piece of shellcode dubbed "BendyBear" that the researchers attribute to the Chinese threat actor BlackTech, which is active against East Asian government entities. BendyBear displays significant similarities to BlackTech's WaterBear malware family. Unit 42 says BendyBear is more sophisticated and larger than most pieces of shellcode, and "uses its size to implement advanced features and anti-analysis techniques, such as modified RC4 encryption, signature block verification, and polymorphic code." The researchers note that this level of functionality isn't generally found in shellcode.
Malicious extension abuses Chrome's cloud syncing.
The SANS Internet Storm Center found a malicious Chrome extension that used Chrome's Sync feature to exfiltrate data and receive commands. Rather than placing the extension in the Chrome Web Store and waiting for users to install it, the attackers dropped it locally onto machines they had already compromised. The extension masqueraded as Forcepoint's browser extension, and its purpose was to "manipulate data in an internal web application that the victim had access to."
The researchers explain that since the extension uses Chrome's Sync save feature rather than storing data locally, the extension's data "will be automatically synced to Google’s cloud by Chrome, under the context of the user logged in in Chrome. In order to set, read or delete these keys, all the attacker has to do is log in with the same account to Google, in another Chrome browser (and this can be a throwaway account), and they can communicate with the Chrome browser in the victim’s network by abusing Google’s infrastructure!"
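Because the extension in the ISC report was dropped onto already-compromised machines rather than installed from the Web Store, the useful defender check is to look for sideloaded extensions that hold the "storage" permission (the one that grants access to chrome.storage.sync). The script below is an added example, not code from the ISC report; it parses the extensions.settings block of a Chrome profile's Preferences file. The Preferences JSON it runs on is a constructed sample, the extension IDs, names and paths in it are invented, and the numeric Manifest::Location values are an assumption taken from memory of the Chromium source that should be verified against the Chrome version in use.

```python
"""Triage Chrome extension settings for sideloaded, sync-capable extensions.

Added example (not from the ISC report). Reads the extensions.settings map
that Chrome keeps in the profile's Preferences / Secure Preferences file.
"""
import json

# Chromium Manifest::Location values (assumption; verify for your version):
# 1 = installed normally, 4 = loaded unpacked, 8 = loaded via --load-extension.
SIDELOADED_LOCATIONS = {4, 8}

# Constructed sample modelled on the extensions.settings block of a Chrome
# Preferences file. IDs, names and paths are invented for this example; the
# second entry imitates an extension sideloaded under a vendor-like name.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Password Manager", "version": "1.2.3",
                             "permissions": ["storage", "tabs"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\Public\\fpext",
                "manifest": {"name": "Forcepoint Endpoint Chrome Extension",
                             "version": "1.0",
                             "permissions": ["storage", "webRequest", "<all_urls>"]},
            },
        }
    }
})


def load_extension_settings(prefs_text):
    """Return the extensions.settings map ({ext_id: entry}) from Preferences JSON."""
    prefs = json.loads(prefs_text)
    return prefs.get("extensions", {}).get("settings", {})


def triage_extension(entry):
    """Return (sideload reasons, sync_capable) for one extensions.settings entry."""
    reasons = []
    if not entry.get("from_webstore", False):
        reasons.append("not installed from the Chrome Web Store")
    if entry.get("location") in SIDELOADED_LOCATIONS:
        reasons.append("loaded unpacked or via the command line")
    # Web Store installs live under the profile's Extensions directory and are
    # recorded with a relative path; an absolute path points outside it.
    path = entry.get("path", "")
    if ":\\" in path or path.startswith("/"):
        reasons.append(f"installed from outside the profile: {path}")
    perms = set(entry.get("manifest", {}).get("permissions", []))
    sync_capable = "storage" in perms  # "storage" covers chrome.storage.sync
    return reasons, sync_capable


def find_suspicious(prefs_text):
    """Map ext_id -> {name, reasons, sync_capable} for every extension that
    shows at least one sideload indicator. Sync-capable ones deserve the
    first look, since they can use Google's sync as a covert channel."""
    out = {}
    for ext_id, entry in load_extension_settings(prefs_text).items():
        reasons, sync_capable = triage_extension(entry)
        if reasons:
            out[ext_id] = {
                "name": entry.get("manifest", {}).get("name", "?"),
                "reasons": reasons,
                "sync_capable": sync_capable,
            }
    return out


if __name__ == "__main__":
    for ext_id, info in find_suspicious(SAMPLE_PREFERENCES).items():
        flag = "SYNC-CAPABLE" if info["sync_capable"] else "no storage perm"
        print(f"{ext_id} {info['name']!r} [{flag}]")
        for reason in info["reasons"]:
            print(f"  - {reason}")
```

On a live host, read the profile's Preferences file (and, on Windows, Secure Preferences, where Chrome moves the extension settings) and pass its contents to find_suspicious; any hit that is both sideloaded and sync-capable should be pulled for manifest and script review.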
Barcode scanner app turns into adware.
Malwarebytes says an Android barcode scanner app with more than ten million users turned into adware after a malicious update in early December. The update appears to have come from the app developer itself, since it was signed with the same certificate as earlier versions of the app. Google has pulled the app from the Play Store, but users will have to manually delete the app or use a malware scanner to remove the adware. Malwarebytes provides a link to the barcode scanner in question, since there are many similar barcode apps in the Play Store (this one is developed by LavaBird LTD).
Josh Bohls, CEO of Inkscreen, thinks apps are sufficiently difficult to build that any free app should receive due scrutiny before it's adopted. "Building and maintaining apps is costly and time-consuming, even for relatively simple apps like a barcode scanner," he said. "I would be suspicious of any free app that does not have a clear monetization strategy such as advertisements, premium subscriptions, or tie-in to some other legitimate revenue model."
Online fraud trends.
Arkose Labs' Fraud and Abuse report for the first quarter of 2021 says there was an "explosion" of credential stuffing attacks in the second half of 2020. These attacks more than doubled in Q4 compared to Q3, and increased by 90% compared to Q1. The second half of Q4 saw the most fraud attacks of the year. The researchers say this is partially due to Black Friday and the holiday season, although they note that these attacks extended beyond online retail and affected the finance, technology, and media sectors.
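Credential stuffing replays leaked username/password pairs against a login endpoint, so its footprint in an authentication log is one source trying many distinct accounts in a short window with a low success rate, unlike a single user mistyping a password (one account, several tries). The detector below is an added example and is not from the Arkose Labs report; its log format ("timestamp source_ip username result") and the sample lines, which use RFC 5737 documentation addresses, are constructed, and the thresholds are starting points to tune per site.

```python
"""Flag credential-stuffing sources in a login audit log.

Added example, not from the Arkose Labs report. Log format and sample lines
are constructed: "<ISO-8601 UTC timestamp> <source_ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 sprays six accounts in three seconds with one
# hit; 198.51.100.4 is one user retrying their own password; 192.0.2.10 is a
# clean login. All addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020-11-27T10:00:01Z 203.0.113.7 alice FAIL
2020-11-27T10:00:01Z 203.0.113.7 bob FAIL
2020-11-27T10:00:02Z 203.0.113.7 carol FAIL
2020-11-27T10:00:02Z 203.0.113.7 dave FAIL
2020-11-27T10:00:03Z 203.0.113.7 erin OK
2020-11-27T10:00:03Z 203.0.113.7 frank FAIL
2020-11-27T10:00:09Z 198.51.100.4 carol FAIL
2020-11-27T10:00:20Z 198.51.100.4 carol FAIL
2020-11-27T10:00:40Z 198.51.100.4 carol OK
2020-11-27T10:05:00Z 192.0.2.10 grace OK
"""


def parse_line(line):
    """Parse one constructed-format log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.2):
    """Return {source_ip: stats} for sources that, within any `window`, tried
    at least `min_distinct_users` different accounts with a success ratio at
    or below `max_success_ratio`. The distinct-user requirement is what keeps
    a single user's repeated failures from being flagged."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological; tuples order by timestamp first
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            users = {user for _, user, _ in in_window}
            successes = sum(1 for _, _, ok in in_window if ok)
            ratio = successes / len(in_window)
            if len(users) >= min_distinct_users and ratio <= max_success_ratio:
                flagged[ip] = {
                    "window_start": start.isoformat(),
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "successes": successes,
                }
                break  # one hit per source is enough to raise it
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"credential stuffing from {ip}: {stats}")
```

The successes a flagged source did score (erin, in the sample) are the accounts to treat as compromised and force through a password reset and session revocation; blocking the source alone leaves those logins in place.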
Tracking ICS vulnerability disclosures.
Claroty's ICS Risk & Vulnerability Report for the second half of 2020 found that 72% of disclosed ICS vulnerabilities are remotely exploitable, and 76% do not require authentication. Additionally, the number of vulnerabilities disclosed increased by 25% in 2020 compared to 2019. The majority of disclosed vulnerabilities affected products by Schneider, Mitsubishi, and Siemens, although the researchers note that this is due to market share, and not an indicator that these companies' products are less secure than other vendors'.