At a glance.
- Transparent Tribe targets Indian government entities.
- North Korean threat actors exploit Chrome vulnerability.
- Purple Fox improves its toolset.
- Chinese-speaking threat actor targets betting companies.
Transparent Tribe targets Indian government entities.
Cisco Talos says Transparent Tribe, a threat actor associated with Pakistan, is targeting Indian government and military entities with CrimsonRAT, alongside two previously unobserved strains of malware:
"Transparent Tribe has been a highly active APT group in the Indian subcontinent. Their primary targets have been government and military personnel in Afghanistan and India. This campaign furthers this targeting and their central goal of establishing long-term access for espionage. The use of multiple types of delivery vehicles and file formats indicates that the group is aggressively trying to infect their targets with their implants such as CrimsonRAT. They have continued the use of fake domains masquerading as government and quasi-government entities, as well as the use of generically themed content-hosting domains to host malware. Although not very sophisticated, this is an extremely motivated and persistent adversary that constantly evolves tactics to infect their targets."
North Korean threat actors exploit Chrome vulnerability.
Google's Threat Analysis Group (TAG) observed two North Korean state-sponsored threat actors exploiting a now-patched remote code execution vulnerability in Chrome (CVE-2022-0609) to target companies in the US. The threat actors sent phishing emails posing as job recruiters, and compromised legitimate websites to deliver an exploit kit:
"We observed the campaigns targeting U.S.-based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The exploit was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.
"We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operates with a different mission set and deploys different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit."
Purple Fox improves its toolset.
Trend Micro warns that the Purple Fox threat actor is distributing its malware via malicious software packages disguised as legitimate applications, including Telegram, WhatsApp, Adobe, and Chrome:
"Operators of the Purple Fox botnet are still active and consistently updating their arsenal with new malware, while also upgrading the malware variants they have. They are also trying to improve their signed rootkit arsenal for AV evasion and trying to bypass detection mechanisms by targeting them with customized signed kernel drivers.
"Abusing stolen code signing certificates and unprotected drivers is becoming more common with malicious actors. Software driver vendors should secure their code signing certificates and follow secure practices in the Windows kernel driver development process."
Chinese-speaking threat actor targets betting companies.
Researchers at Avast describe a campaign by a Chinese-speaking threat actor that's targeting betting companies in Southeast Asia, with a particular focus on companies in Taiwan. The researchers observed code overlaps with malware used by other Chinese-speaking groups, but they don't attribute this campaign to any specific threat actor:
"We found notable code similarity between one of the modules used by this APT group (the MulCom backdoor) and the FFRat samples described by the BlackBerry Cylance Threat Research Team in their 2017 report and Palo Alto Networks in their 2015 report. Based on this, we suspect that the FFRat codebase is being shared between several Chinese adversary groups. Unfortunately, this is not sufficient for attribution as FFRat itself was never reliably attributed."