At a glance.
- Pegasus used against activists and journalists in Jordan.
- Lazarus Group distributes Trojanized DeFi wallet.
- Deep Panda exploits Log4Shell.
- Trojan comes bundled with ransomware and DDoS capabilities.
- Redis servers targeted with Muhstik malware.
Pegasus used against activists and journalists in Jordan.
The University of Toronto's Citizen Lab says phones belonging to "four Jordanian human rights defenders, lawyers, and journalists were hacked with NSO Group’s Pegasus spyware between August 2019 and December 2021." The researchers don't attribute this activity to any particular government, but they note that two Pegasus customers appear to be primarily focused on targets in Jordan:
"One of the customers, which we name MANSAF, appears to be spying primarily in Jordan, with limited additional operations in Iraq, Lebanon, and Saudi Arabia. We believe that MANSAF has been operating since December 2018.
"The other customer, which we name BLACKIRIS, appears to be spying almost exclusively in Jordan, and has been active since at least December 2020. An April 2021 report in Axios mentioned negotiations between NSO Group and Jordanian authorities “in recent months,” with one source mentioning a contract had been signed."
Lazarus Group distributes Trojanized DeFi wallet.
Kaspersky says North Korea's Lazarus Group, known for conducting financially motivated operations as well as espionage, is using a Trojanized cryptocurrency wallet app called "DeFi Wallet" to deliver a backdoor. The researchers suspect the malicious app is delivered via spearphishing emails or social media messages. The application functions as a legitimate decentralized finance (DeFi) wallet to avoid suspicion, while executing malware in the background:
"When executed, the app drops both a malicious file and an installer for a legitimate application, launching the malware with the created Trojanized installer path. Then, the spawned malware overwrites the legitimate application with the Trojanized application. Through this process, the Trojanized application gets removed from the disk, allowing it to cover its tracks."
Deep Panda exploits Log4Shell.
Fortinet is tracking a campaign by the Chinese threat actor Deep Panda that is opportunistically exploiting the Log4Shell vulnerability to target organizations in the "financial, academic, cosmetics, and travel industries." The threat actor is using a new rootkit dubbed "Fire Chili," signed with a stolen digital certificate. The researchers note that the same stolen certificate was used in other campaigns run by Winnti, another Chinese state-sponsored actor.
Trojan comes bundled with ransomware and DDoS capabilities.
Researchers at Cyble have observed a new remote access Trojan dubbed "Borat" that possesses ransomware and DDoS capabilities in addition to the expected RAT functionality. Cyble states, "The Borat RAT is a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a triple threat to any machine compromised by it. With the capability to record audio and control the webcam and conduct traditional info stealing behavior, Borat is clearly a threat to keep an eye on. The added functionality to carry out DDOS attacks makes this an even more dangerous threat that organizations and individuals need to look out for."
Redis servers targeted with Muhstik malware.
Juniper Networks warns that a threat actor is targeting Redis servers by exploiting a recently patched vulnerability (CVE-2022-0543). The researchers state, "This vulnerability exists in some Redis Debian packages. The attack started on March 11, 2022 from the same threat actor we’ve seen targeting confluence servers back in September 2021 and the same group targeting Log4j back in December. The payload used is a variant of Muhstik bot that can be used to launch DDOS attacks."