At a glance.
- Charming Kitten scrapes email account data.
- MuddyWater exploits Log4Shell.
- NOBELIUM post-compromise technique.
Charming Kitten scrapes email account data.
Researchers at Google's Threat Analysis Group (TAG) have published a report on a new tool dubbed "HYPERSCRAPE" that's being used by the Iranian threat actor Charming Kitten (APT35) to steal data from Gmail, Yahoo, and Microsoft Outlook accounts. Since 2020, the tool has been "deployed against fewer than two dozen accounts located in Iran":
"HYPERSCRAPE requires the victim’s account credentials to run using a valid, authenticated user session the attacker has hijacked, or credentials the attacker has already acquired. It spoofs the user agent to look like an outdated browser, which enables the basic HTML view in Gmail. Once logged in, the tool changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread. After the program has finished downloading the inbox, it reverts the language back to its original settings and deletes any security emails from Google. Earlier versions contained the option to request data from Google Takeout, a feature which allows users to export their data to a downloadable archive file."
MuddyWater exploits Log4Shell.
Microsoft warns that the Iranian APT MERCURY (also known as MuddyWater) is exploiting Log4Shell in vulnerable SysAid Server instances belonging to Israeli organizations:
"On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector. Based on observations from past campaigns and vulnerabilities found in target environments, Microsoft assesses that the exploits used were most likely related to Log4j 2. The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country."
NOBELIUM post-compromise technique.
Microsoft has also detailed a post-compromise technique being used by the Russian threat actor NOBELIUM (also tracked as Cozy Bear or APT29). The threat actor is using malware called "MagicWeb":
"MagicWeb is a post-compromise malware that can only be deployed by a threat actor after gaining highly privileged access to an environment and moving laterally to an AD FS server. To achieve their goal of maintaining persistent access to an environment by validating authentication for any user account on the AD FS server, NOBELIUM created a backdoored DLL by copying the legitimate Microsoft.IdentityServer.Diagnostics.dll file used in AD FS operations. The legitimate version of this file is catalog signed by Microsoft and is normally loaded by the AD FS server at startup to provide debugging capabilities. NOBELIUM’s backdoored version of the file is unsigned. The threat actor’s highly privileged access that allowed them to access the AD FS server meant they could have performed any number of actions in the environment, but they specifically chose to target an AD FS server to facilitate their goals of persistence and information theft during their operations."
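One defender-side check that follows from this description, added here as an example and not taken from Microsoft's report: enumerate the AD FS identity-server DLLs on the server and flag any whose signature is missing, invalid, or not issued to Microsoft, since the page notes the legitimate Microsoft.IdentityServer.Diagnostics.dll is catalog signed while the backdoored copy is unsigned. The search roots and the filename filter are assumptions; adjust them for your own AD FS host.

```powershell
# Added example (not from the Microsoft report): flag AD FS DLLs whose
# Authenticode or catalog signature is missing, invalid, or not Microsoft's.
# Assumptions: AD FS binaries live under $AdfsPaths (assumed locations, adjust
# for your host); run in an elevated session on the AD FS server.
param(
    [string[]] $AdfsPaths = @(
        'C:\Windows\ADFS',
        'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
    )
)

$findings = foreach ($root in $AdfsPaths) {
    if (-not (Test-Path -Path $root)) { continue }

    # Only the identity-server assemblies are of interest here; MagicWeb
    # replaced Microsoft.IdentityServer.Diagnostics.dll specifically.
    Get-ChildItem -Path $root -Recurse -Filter 'Microsoft.IdentityServer*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature resolves both embedded and catalog
            # signatures; a legitimate AD FS DLL reports Status 'Valid'.
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            # Suspicious if the signature does not validate, or if it validates
            # but was not issued to Microsoft (a re-signed backdoor would fail here).
            $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'O=Microsoft Corporation')

            [pscustomobject]@{
                Path          = $_.FullName
                Status        = $sig.Status
                SignatureType = $sig.SignatureType
                Signer        = $signer
                Suspicious    = $suspicious
            }
        }
}

# Report only the DLLs that need a closer look; an empty table is the expected
# result on a clean server.
$findings | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Compare any flagged file's hash against a known-good copy from Microsoft's installation media before acting on the result, since a stale or missing catalog can also produce a non-Valid status.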