At a glance.
- RedAlpha targets think tanks and humanitarian organizations.
- Golden Chickens operator discovered.
- BlueSky ransomware rapidly encrypts data.
- Bitter APT using Android malware.
RedAlpha targets think tanks and humanitarian organizations.
Recorded Future describes a credential-phishing campaign by the suspected Chinese state-sponsored threat actor RedAlpha that's been targeting "humanitarian, think tank, and government organizations globally" since 2019:
"Over the past 3 years, we have observed RedAlpha registering and weaponizing hundreds of domains spoofing organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan (AIT), and other global government, think tank, and humanitarian organizations that fall within the strategic interests of the Chinese government. Historically, the group has also engaged in direct targeting of ethnic and religious minorities, including individuals and organizations within Tibetan and Uyghur communities."
The researchers add, "RedAlpha is likely attributable to contractors conducting cyber-espionage activity on behalf of the Chinese state. This assessment is based on the group’s consistent targeting in line with the strategic interests of the CCP, historical links to personas and a private company situated in the People’s Republic of China (PRC), and the wider regularly documented use of private contractors by Chinese intelligence agencies."
Golden Chickens operator discovered.
eSentire has published a report on the individual behind Golden Chickens/more_eggs, a sophisticated malware-as-a-service operation used by three of the top cybercriminal groups: FIN6 and Cobalt Group (both based in Russia) and Evilnum (based in Belarus). The threat actor, who goes by the online alias "badbullzvenom," has been involved in cybercrime since at least 2004. He appears to be based in Montreal, Canada, though the researchers believe he's sharing the badbullzvenom account with a partner in either Moldova or Romania.
In addition to documenting his criminal activity since 2013, the researchers have found his "birthdate, home address, his parents and siblings’ names, friends’ names, his hobbies, his social media accounts, and one of his side businesses." eSentire has shared this information with US and Canadian law enforcement.
BlueSky ransomware rapidly encrypts data.
Palo Alto Networks' Unit 42 describes a relatively new strain of ransomware called "BlueSky," which "predominantly targets Windows hosts and utilizes multithreading to encrypt files on the host for faster encryption":
"In our analysis, we found code fingerprints from samples of BlueSky ransomware that can be connected to the Conti ransomware group. In particular, the multithreaded architecture of BlueSky bears code similarities with Conti v3, and the network search module is an exact replica of it. However, in another respect, BlueSky more closely resembles Babuk Ransomware. Both use ChaCha20, an algorithm for file encryption, along with Curve25519 for key generation."
Bitter APT using Android malware.
The suspected Indian APT "Bitter" is using the Dracarys Android spyware to target victims in China, India, Pakistan, and other South Asian countries, according to researchers at Cyble:
"Dracarys Android Spyware impersonates genuine applications such as Signal, Telegram, WhatsApp, YouTube, and other chat applications and distributes through phishing sites. During analysis, we observed that one of the phishing sites is still live and distributing Dracarys. The phishing site mimics the genuine Signal site and delivers a trojanized Signal app."