At a glance.
- Elephant Beetle steals from Latin American corporations.
- Phishing attacks abuse Google Docs comments.
- New Zloader campaign.
- A look at Dropping Elephant's new interests.
Elephant Beetle steals from Latin American corporations.
Researchers at Sygnia have been tracking a financially motivated threat actor dubbed "Elephant Beetle" that's been targeting the finance and commerce sectors in Latin America. The group is sophisticated and stealthy, and they lurk within a victim's network for months before they begin stealing money:
- "During the first phase, which can span up to a month, the group focuses on building operational cyber capabilities in the compromised victim’s network. The group studies the digital landscape and plants backdoors while customizing its tools to work within the victim’s network.
- "The group then spends several months studying the victim’s environment, focusing on the financial operation and identifying any flaws. During this stage, it observes the victim’s software and infrastructure to understand the technical process of legitimate financial transactions.
- "The group can then inject fraudulent transactions into the network. These transactions mimic legitimate behavior and siphon off incremental amounts of money from the victim, a classic salami tactic. Although the amount of money stolen in a single transaction may seem insignificant, the group stacks numerous transactions to what amounts to millions of dollars before the group moves on.
- "If during its efforts any fraudulent activity is discovered and blocked, they then simply lay low for a few months only to return and target a different system."
Sygnia also notes that "[t]he group is highly proficient with Java based attacks and, in many cases, target[s] legacy Java applications running on Linux-based machines as the means for initial entry to the network. Not only that, the group even deploys their own complete Java Web Application on the victim machine to do their bidding while the machine also runs the intentional application."
Phishing attacks abuse Google Docs comments.
Avanan has observed a "new, massive wave" of phishing attacks abusing Google Docs comments to deliver malicious links to users' inboxes. This technique was discovered in 2020, and allows an attacker to send an email notification to a user by tagging them in comments in a Google Workspace document:
"We primarily saw [the campaign] target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts. There are several ways that make this email difficult for scanners to stop and for end-users to spot. For one, the notification comes directly from Google. Google is on most Allow Lists and is trusted by users. Secondly, the email doesn’t contain the attacker’s email address, just the display name. This makes it harder for anti-spam filters to judge, and even harder for the end-user to recognize."
New Zloader campaign.
Check Point has discovered a new Zloader banking Trojan campaign that's exploiting Microsoft’s digital signature verification to evade detection:
"Evidence of the new campaign was first seen around early November 2021. The techniques incorporated in the infection chain include the use of legitimate remote management software (RMM) to gain initial access to the target machine. The malware then exploits Microsoft’s digital signature verification method to inject its payload into a signed system DLL to further evade the system’s defenses. This evidence shows that the Zloader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis."
The campaign has infected at least 2,170 systems, most of which are located in the US and Canada. The researchers believe the MalSmoke cybercriminal group is behind these attacks.
An APT is bitten by its own RAT.
Malwarebytes reports that an advanced persistent threat (APT) seems to have infected itself with its own remote administration Trojan (RAT), specifically the BADNEWS (Ragnatela) RAT. The APT is PatchWork (also known as Dropping Elephant, Chinastrats, and Quilted Tiger). PatchWork is associated with the Indian Government, and has been observed collecting against targets in Pakistan.
Malwarebytes was able to gain some insight into Dropping Elephant’s interests (as usual we like the animal names for APTs, so we’ll use that one). The agencies the threat actor prospected include: Pakistan’s Ministry of Defense; the National Defense University of Islamabad; the Faculty of Bio-Science, UVAS University in Lahore, Pakistan; the International Center for Chemical and Biological Sciences and the HEJ Research Institute of Chemistry, University of Karachi; and SHU University, with a particular interest in molecular medicine.
The targeting represents, Malwarebytes says, a noticeable shift in the APT’s interests: “While they continue to use the same lures and RAT, the group has shown interest in a new kind of target. Indeed this is the first time we have observed Patchwork targeting molecular medicine and biological science researchers.”