At a glance.
- Surveillance campaign targets the Uyghur community.
- Noberus ransomware developments.
- Exmatter may signal a shift in data extortion tactics.
Surveillance campaign targets the Uyghur community.
Check Point Research (CPR) describes a surveillance campaign that's been targeting the Uyghur community in China since at least 2015. Check Point attributes this campaign to the suspected Chinese threat actor Scarlet Mimic. The threat actor uses an Android malware strain called "MobileOrder":
"CPR has observed the group using more than 20 different variations of their Android malware, disguised in multiple Uyghur-related baits such as books, pictures, and even an audio version of the Quran, the holy text of the Islamic faith. The malware is relatively unsophisticated from a technical standpoint. However, its capabilities allow the attackers to easily steal sensitive data from the infected device, as well as perform calls or send an SMS on the victim’s behalf and track their location in real-time. Also, it allows audio recording of incoming and outgoing calls, as well as surround recording. All this makes it a powerful and dangerous surveillance tool."
Noberus ransomware developments.
Symantec has published a report on Noberus (also known as BlackCat or ALPHV), a successor to the DarkSide and BlackMatter ransomware families. Threat actors using the Noberus ransomware have been observed deploying two new strains of information-stealing malware, Exmatter and Eamfo, as part of their attacks. Exmatter is a Trojan "designed to steal specific file types from a number of selected directories and upload them to an attacker-controlled server prior to deployment of the ransomware itself on the victim’s network." Eamfo's purpose is to steal credentials stored by the Veeam data backup software:
"Stealing credentials from Veeam is a known attack technique that can facilitate privilege escalation and lateral movement, providing the attackers with access to more data they can potentially exfiltrate and more machines to encrypt."
Exmatter may signal a shift in data extortion tactics.
Researchers at Cyderes and Stairwell have also published reports on Exmatter, noting that the Trojan has the ability to corrupt and destroy files after exfiltrating them. Since the attackers already hold a copy of the victim's data, it is much easier for them to simply destroy the data on the victim's servers than to encrypt it. After the victim pays the ransom, the attackers can send back the exfiltrated data intact.
Cyderes explains, "The development of capabilities to corrupt exfiltrated files within the victim environment marks a shift in data ransom and extortion tactics. Using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers. Additionally, copying file data from one file to another is a much more benign functionality than sequentially overwriting files with random data or encrypting them."
Stairwell's researchers add, "With such a robust copy of the victim business’s data collected, encrypting the same files on disk becomes a redundant, development-heavy task compared to data destruction. Creating stable, robust ransomware is a far more development-intensive process than creating malware designed to corrupt the files instead, renting a large server to receive exfiltrated files and returning them upon payment."
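The detection gap both Cyderes and Stairwell describe (corrupting a file by overwriting it with content copied from another legitimate file leaves the file looking "document-like" to entropy-based anti-ransomware heuristics) can be shown with a small in-memory model. The following is an added illustration, not code from the Cyderes, Stairwell or Symantec reports and not Exmatter's own logic: the sample "files" are constructed byte strings, the encrypted case is modelled with random bytes, and the two detectors are a generic Shannon-entropy threshold and a known-good hash comparison. It demonstrates why a defender should not rely on write-entropy heuristics alone for this tactic, and why integrity baselines (for example hashes taken from verified backups) still catch it.

```python
import hashlib
import math
import os
from collections import Counter

# Constructed sample "files" (plain byte strings, not taken from any report).
DOC_A = b"Quarterly report: revenue grew 4% year over year. " * 40
DOC_B = b"Meeting notes: discuss backup rotation and restore testing. " * 40


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def entropy_verdict(data: bytes, threshold: float = 7.0) -> str:
    """A typical heuristic: content that turns near-random looks encrypted.
    The 7.0 bits/byte threshold is an assumed, illustrative value."""
    return "suspicious" if shannon_entropy(data) >= threshold else "benign"


def model_encrypted_output(data: bytes) -> bytes:
    """Stand-in for ciphertext: random bytes of the same length (constructed)."""
    return os.urandom(len(data))


def model_copy_overwrite(target: bytes, donor: bytes) -> bytes:
    """Models the behaviour the reports describe: the target's bytes are
    replaced with legitimate content from another file, so the byte
    distribution stays text-like even though the original data is gone."""
    reps = len(target) // len(donor) + 1
    return (donor * reps)[: len(target)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def integrity_verdict(current: bytes, known_good_hash: str) -> str:
    """Baseline check: compare the live file against a hash recorded from a
    trusted copy (e.g. the last verified backup)."""
    return "benign" if sha256_hex(current) == known_good_hash else "tampered"


def run_demo() -> dict:
    """Run both detectors over the untouched, 'encrypted' and copy-overwritten
    variants of DOC_A and return the verdicts for inspection."""
    baseline = sha256_hex(DOC_A)
    encrypted = model_encrypted_output(DOC_A)
    copied = model_copy_overwrite(DOC_A, DOC_B)
    return {
        "entropy_original": entropy_verdict(DOC_A),      # benign
        "entropy_encrypted": entropy_verdict(encrypted),  # suspicious
        "entropy_copied": entropy_verdict(copied),        # benign: the gap
        "integrity_original": integrity_verdict(DOC_A, baseline),     # benign
        "integrity_encrypted": integrity_verdict(encrypted, baseline),  # tampered
        "integrity_copied": integrity_verdict(copied, baseline),        # tampered
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:>20}: {verdict}")
```

The entropy heuristic flags only the random-looking "encrypted" variant; the copy-overwritten file is indistinguishable from an ordinary document by that measure, which is the evasion Cyderes points to. The hash comparison flags both modified variants, which is why verified backups and file-integrity baselines remain the practical control against destruction-based extortion.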