At a glance.
- Catalans targeted with Pegasus spyware.
- OldGremlin targets Russian organizations.
- Emotet activity.
Catalans targeted with Pegasus spyware.
Researchers at the University of Toronto's Citizen Lab have found that at least 63 individuals associated with Catalonia were targeted with NSO Group's Pegasus spyware, while four other individuals were hit by Candiru spyware. The researchers don't make a definitive attribution, but they suspect the Spanish government is behind the activity:
"The hacking covers a spectrum of civil society in Catalonia, from academics and activists to non-governmental organisations (NGOs). Catalonia’s government and elected officials were also extensively targeted, from the highest levels of Catalan government to Members of the European Parliament, legislators, and their staff and family members. We do not conclusively attribute the targeting to a specific government, but extensive circumstantial evidence points to the Spanish government."
Citizen Lab notes that Pegasus used a zero-click exploit against a previously undisclosed vulnerability affecting iOS versions before 13.2:
"We have identified signs of a zero-click exploit that has not been previously described, which we call HOMAGE. The HOMAGE exploit appears to have been in use during the last months of 2019, and involved an iMessage zero-click component that launched a WebKit instance in the com.apple.mediastream.mstreamd process, following a com.apple.private.alloy.photostream lookup for a Pegasus email address. The WebKit instance in the com.apple.mediastream.mstreamd process fetched JavaScript scaffolding that we recovered from an infected phone. The scaffolding was fetched from /[uniqueid]/stadium/goblin. After performing tests, the scaffolding then fetches the WebKit exploit from /[uniqueid]/stadium/eutopia if tests succeed."
OldGremlin targets Russian organizations.
Group-IB has observed a Russophone ransomware gang dubbed "OldGremlin" that's targeting organizations in Russia. The group uses spearphishing themed around current events to gain access to their victims' networks:
"After the first attacks, it became clear that OldGremlin prepares their phishing emails with great care and monitors the news agenda closely. Their choices for email subjects included remote work during the pandemic, protests in Belarus, and an interview request from a known financial journalist working for a Russian media outlet, called RBC.
"Another OldGremlin hallmark is that the group conducts multi-stage targeted attacks using sophisticated tactics and techniques. For example, they did not send their TinyCryptor ransomware directly by email; instead they first obtained remote access to the victim's machine. The latter was used as a springboard to conduct reconnaissance, collect data, and then move laterally across the organization's network."
Emotet activity.
Kaspersky describes recent phishing campaigns delivering the Emotet banking Trojan. The researchers found that the malware can now download sixteen additional modules:
"The current set of modules is capable of performing a large set of malicious actions: stealing e-mails, passwords and login data from various sources; sending spam. All these modules, except those for Thunderbird, in one form or another, have been used before by Emotet. However, there are still modules that we have not been able to obtain yet. In addition, our telemetry shows significant growth in the number of attacked users in March."
Check Point has found that Emotet is still the most widely distributed strain of malware, "impacting 10% of organizations worldwide, double that of February." Emotet's numbers were recently bolstered by widespread, Easter-themed phishing campaigns.