At a glance.
- APT41 campaigns.
- DarkTortilla crypter.
- PyPi malware.
- Bumblebee Loader.
- Iran suspected of cyber operations against four Israeli sectors.
- BlackByte is back, and calling itself BlackByte 2.0.
- New Lazarus Group activity reported.
- Criminal gang targets the travel and hospitality sectors.
- Cozy Bear update.
Group-IB has published a report on four campaigns by the Chinese threat actor APT41 that compromised thirteen organizations in 2021: "In the campaigns that we analyzed, APT41 targeted the following industries: the government sector, manufacturing, healthcare, logistics, hospitality, finance, education, telecommunications, consulting, sports, media, and travel. The targets also included a political group, military organizations, and airlines." The targeted organizations were located in "the US, Taiwan, India, China, Thailand, Hong Kong, Mongolia, Indonesia, Vietnam, Bangladesh, Ireland, Brunei, and the UK."
Researchers at Secureworks have published an analysis of DarkTortilla, "a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015." The malware is distributed via phishing emails, and is primarily used to deliver popular commodity remote access Trojans:
"From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021."
Snyk has discovered twelve strains of malware delivered via the Python Package Index (PyPi). The malware is designed to harvest personal and financial data, including Discord credentials and Roblox payment information:
"These packages utilized PyInstaller to bundle a malicious application and its dependencies into one package. The purpose of PyInstaller here is twofold: to inhibit detection by bundling in dependencies instead of downloading them from a remote server to the host, and to provide an executable that is ready to run without an interpreter.
"This malware targets data that is stored for everyday user applications. Upon execution, it will attempt to steal Google Chrome data (passwords, cookies, web history, search history, and bookmarks)."
Researchers at Cybereason describe the Bumblebee loader, a malware loader used to deliver BazarLoader, Trickbot, IcedID, and other Trojans. Bumblebee usually precedes ransomware deployment, and is distributed via phishing emails: "The majority of the infections with Bumblebee we have observed started by end-users executing LNK files which use a system binary to load the malware."
James McQuiggan, security awareness advocate at KnowBe4, cautions that the Bumblebee Loader incident is another case of criminal cooperation: “Cybercriminals constantly evolve their software to infiltrate organizations and their infrastructure. The Bumblebee loader is another development of the cybercriminals to share resources to gain access, steal data and eventually launch a ransomware attack. Organizations need to ensure their users have proper awareness training to effectively spot phishing emails used by cybercriminals to gain access and have the ability to report them to the appropriate people. With the continued cyberattacks and data breaches occurring daily, organizations must be enabling their users to have security top of mind and working to improve their security culture to reduce the risks of attacks and the potential of a data breach.”
Iran suspected of cyber operations against four Israeli sectors.
Mandiant reports that UNC3890, "a cluster of activity targeting Israeli shipping, government, energy and healthcare organizations via social engineering lures and a potential watering hole," is playing a role in the low-level naval conflict currently observed between Iran and Israel. The attribution of UNC3890 to Iran is in part circumstantial, but Mandiant advances that attribution with "moderate confidence." The evidence falls into four categories:
- Linguistic. UNC3890 developers use Farsi words in their strings.
- Targeting. A focus on Israeli targets is consistent with Iranian interests.
- Program database (PDB) path. This is the same as has been observed in activity by UNC2448, attributed to the Islamic Revolutionary Guard Corps (IRGC), which itself is linked to APT35 (Charming Kitten).
- C2 framework. UNC3890 uses the NorthStar C2 Framework, which has been an Iranian favorite.
The threat actor's initial approach has typically been via social engineering. Its interests seem so far to have involved intelligence collection, but this could be used in subsequent operations that go beyond espionage. "While we believe this actor is focused on intelligence collection," Mandiant says, "the collected data may be leveraged to support various activities, from hack-and-leak, to enabling kinetic warfare attacks like those that have plagued the shipping industry in recent years."
BlackByte is back, and calling itself BlackByte 2.0.
BlackByte ransomware has reappeared, BleepingComputer reports, and represents an enhanced, double-extortion threat to personal data. The gang has launched a new data dump site with a focus on individual victims. "The data leak site only includes one victim at this time but now has new extortion strategies that allow victims to pay to extend the publishing of their data by 24 hours ($5,000), download the data ($200,000), or destroy all the data ($300,000)," BleepingComputer writes. "These prices will likely change depending on the size/revenue of the victim."
BlackByte hasn't been without problems of its own. In its earlier version the gang's crypter had flaws that permitted white hat researchers to develop and distribute a free decryptor. BlackByte closed that particular hole, and it's unknown whether they're using that improved crypter in BlackByte 2.0. Payment seems to be a problem with the current version of the site. The Bitcoin and Monero addresses offered for victims (whom BlackByte cynically refers to as "customers") to submit payment aren't correctly embedded, which for now at least will impede collection of ransom.
We received comment on the resurgence of BlackByte from both Tenable and Red Canary. Claire Tills, senior research engineer, Tenable, discerns some familiar signs of borrowing from other gangs:
“We often see threat actors borrowing tactics from one another. Most notably was the renaissance of double extortion kicked off by Maze in 2019. Those extortion tactics have continued to expand as threat groups try to find new ways to generate revenue from alternative sources and motivate victims to pay. While members often jump from group to group, it is just as likely that BlackByte operators saw the coverage of LockBit 3.0 and jumped on the wagon.
"KELA also found that the new leak site was broken and didn’t allow BlackByte to receive payments, a not uncommon issue as threat actors change or attempt to escalate their tactics.“
Harrison Van Riper, Senior Intelligence Analyst at Red Canary, sees continuity amid the change:
“Red Canary first observed BlackByte in the wild in 2021, exploiting the ProxyShell vulnerabilities for initial access and subsequently dropping Cobalt Strike beacons. Despite BlackByte's new website and payment options for allegedly stolen data, the operation's extortion tactics remain the same, relying on a public website to identify purported victims and threatening to leak stolen information if the victims fail to pay a ransom in cryptocurrency.
"Typically in these cases, the victim is faced with the binary choice of either paying up or having their information leaked. As a consequence, ransomware operators run the risk of receiving nothing for their work if the victim chooses not to pay. The option to extend the victim's timeline is likely an effort to get at least some sort of payment from victims who may want extra time for a variety of reasons: to determine legitimacy and scope of the data theft or continue ongoing internal discussion on how to respond to name a couple reasons.
"We haven't seen an instance of this new version of BlackByte yet, though we'll certainly be tracking the operation as we have in the past.”
New Lazarus Group activity reported.
ESET offers the latest in its ongoing reports on North Korean Lazarus Group activity. "A signed Mac executable disguised as a job description for Coinbase was uploaded to VirusTotal from Brazil," the company's researchers tweeted yesterday. "This is an instance of Operation In(ter)ception by #Lazarus for Mac."
Criminal gang targets the travel and hospitality sectors.
Proofpoint reports that TA558, a criminal gang the researchers assess as a "financially motivated small crime threat actor targeting hospitality, hotel, and travel organizations" has increased the tempo of its operations in 2022. "Since 2018, this group has used consistent tactics, techniques, and procedures to attempt to install a variety of malware including Loda RAT, Vjw0rm, and Revenge RAT." Its targets have for the most part been in Latin America; its emails generally written in Portuguese or Spanish. "TA558 is an active threat actor targeting hospitality, travel, and related industries since 2018," the report concludes. "Activity conducted by this actor could lead to data theft of both corporate and customer data, as well as potential financial losses. Organizations, especially those operating in targeted sectors in Latin America, North America, and Western Europe should be aware of this actor’s tactics, techniques, and procedures." And Proofpoint has provided a guide to those tactics, techniques, and procedures.
Cozy Bear update.
Mandiant reported on activity it's recently observed by APT29, the Russian SVR operation commonly referred to as Cozy Bear. "Mandiant has observed APT29 continue to demonstrate exceptional operational security and advanced tactics targeting Microsoft 365. We are highlighting several newer TTPs used by APT29 in recent operations." Among its recent tactics has been the disabling of licenses in Microsoft 365 in ways that disable the important security functions performed for the suite by Purview Audit. "Mandiant has observed APT29 disabling Purview Audit on targeted accounts in a compromised tenant. Once disabled, they begin targeting the inbox for email collection." The threat actor has also been observed to conduct successful password-guessing attacks that have enabled it to take over dormant accounts and exploit the access thereby obtained. In all of this Mandiant credits APT29 with an unusually high degree of operational security.