At a glance.
- APT-C-23 targets Israeli officials.
- APT10 expands its targeting.
- Denonia malware targets AWS Lambda.
APT-C-23 targets Israeli officials.
Cybereason says the Hamas-aligned threat actor APT-C-23 is targeting Israeli officials with spearphishing attacks to deliver previously unobserved strains of malware:
"While most of the previously reported APT-C-23 campaigns seemed to target Arabic-speaking individuals in the Middle East, Cybereason recently discovered a new elaborate campaign targeting Israeli individuals, among them, a group of high-profile targets working for sensitive defense, law enforcement, and emergency services organizations.
"The campaign operators use sophisticated social engineering techniques, ultimately aimed to deliver previously undocumented backdoors for Windows and Android devices. The goal behind the attack was to extract sensitive information from the victims' devices for espionage purposes.
"Our investigation reveals that APT-C-23 has effectively upgraded its malware arsenal with new tools, dubbed Barb(ie) Downloader and BarbWire Backdoor, which are equipped with enhanced stealth and a focus on operational security. The new campaign that targets Israeli individuals seems to have a dedicated infrastructure that is almost completely separated from the known APT-C-23 infrastructure which is assessed to be more focused on Arabic-speaking targets."
APT10 expands its targeting.
Symantec is tracking a campaign by the Chinese state-sponsored threat actor APT10 (which Symantec tracks as "Cicada"). The threat actor is using its custom information-stealer "Sodamaster" to conduct cyberespionage:
"Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America. The wide number of sectors and geographies of the organizations targeted in this campaign is interesting. Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies, though in more recent times it has been linked to attacks on managed service providers (MSPs) with a more global footprint. However, this campaign does appear to indicate a further widening of Cicada’s targeting."
The campaign has targeted organizations in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy, as well as a single victim in Japan, which the researchers say is "notable due to Cicada’s previous strong focus on Japanese-linked companies."
Denonia malware targets AWS Lambda.
Cado Security has observed the first known strain of malware designed to target AWS Lambda, Amazon's serverless computing platform:
"As part of ongoing research, we found the first publicly-known case of malware specifically designed to execute in an AWS Lambda environment. We named this malware Denonia, after the name the attackers gave the domain it communicates with. The malware uses newer address resolution techniques for command and control traffic to evade typical detection measures and virtual network access controls. Although this first sample is fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of potential future, more nefarious attacks. From the telemetry we have seen, the distribution of Denonia so far has been limited."
The researchers aren't sure how the malware is deployed, but they note that it "may simply be a matter of compromising AWS Access and Secret Keys then manually deploying into compromised Lambda environments, as we’ve seen before with more simple Python scripts."
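The deployment path the researchers describe (stolen access keys, then a manual push of code into a Lambda function) leaves a trail in CloudTrail, which is where a defender would look for it. The following is an added example, not code from Cado Security or from this article: it scans constructed CloudTrail records for Lambda code-deployment events and flags any made by a principal outside an assumed deployment allowlist, or with a long-term IAM user access key (the `AKIA`-prefixed kind that tends to leak) rather than the temporary `ASIA` credentials a CI/CD role would hold. The account ID, role name, function names and IP addresses in the sample data are constructed.

```python
"""
Added example (not from the Cado Security report or the article): triage
CloudTrail records for hand-deployed Lambda code, the deployment path the
Denonia write-up suggests. Sample records below are constructed.
"""
import json

# Lambda's CloudTrail eventName values carry API-version suffixes
# (for example "CreateFunction20150331", "UpdateFunctionCode20150331v2"),
# so match on the prefix rather than an exact string.
DEPLOY_EVENT_PREFIXES = ("CreateFunction", "UpdateFunctionCode",
                         "UpdateFunctionConfiguration")

# Assumption: the only principal expected to deploy function code is the
# CI/CD role below (hypothetical account and role names).
TRUSTED_DEPLOY_ARNS = {
    "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-actions",
}

# Constructed CloudTrail log in the {"Records": [...]} file layout: a normal
# CI deploy, a plain invocation, and a deploy using a long-term user key.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2022-04-06T10:02:11Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy-role/github-actions"},
     "sourceIPAddress": "198.51.100.10",
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2022-04-06T10:05:40Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "Invoke",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"},
     "sourceIPAddress": "10.0.3.7",
     "requestParameters": {"functionName": "orders-api"}},
    {"eventTime": "2022-04-06T23:41:02Z", "eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000003",
                      "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "sourceIPAddress": "203.0.113.77",
     "requestParameters": {"functionName": "orders-api"}},
]})


def is_long_term_key(access_key_id: str) -> bool:
    """IAM user access keys begin with AKIA; STS temporary keys begin with ASIA."""
    return access_key_id.startswith("AKIA")


def load_records(log_text: str):
    """Parse a CloudTrail log file body into its list of event records."""
    return json.loads(log_text).get("Records", [])


def triage_lambda_deploys(records):
    """Return one finding per Lambda deployment event that looks hand-driven."""
    findings = []
    for rec in records:
        if not rec.get("eventName", "").startswith(DEPLOY_EVENT_PREFIXES):
            continue  # invocations and unrelated events are not deployments
        identity = rec.get("userIdentity", {})
        arn = identity.get("arn", "")
        key = identity.get("accessKeyId", "")
        reasons = []
        if arn not in TRUSTED_DEPLOY_ARNS:
            reasons.append("principal not in deploy allowlist")
        if is_long_term_key(key):
            reasons.append("long-term IAM user access key")
        if reasons:
            findings.append({
                "time": rec.get("eventTime"),
                "event": rec["eventName"],
                "function": rec.get("requestParameters", {}).get("functionName"),
                "principal": arn,
                "source_ip": rec.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage_lambda_deploys(load_records(SAMPLE_LOG)):
        print(f"{f['time']} {f['event']} on {f['function']} by {f['principal']} "
              f"from {f['source_ip']}: {', '.join(f['reasons'])}")
```

Run against the constructed log, only the third record is reported: the CI deploy is on the allowlist and used temporary credentials, and the `Invoke` event is not a deployment at all. In a real pipeline the allowlist would come from configuration, and the finding would be enriched with the caller's usual source networks and the function's last known code hash before anyone is paged.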