At a glance.
- New firmware bootkit.
- Molerats phishing campaign.
- White Rabbit ransomware.
New firmware bootkit.
Kaspersky has discovered the third known UEFI rootkit in the wild, dubbed "MoonBounce," which the researchers attribute to the Chinese threat actor APT41. Mark Lechtik, a senior security researcher with Kaspersky's Global Research and Analysis Team, stated, "[T]his latest UEFI bootkit shows some notable advancements when compared to MosaicRegressor, which we reported on back in 2020. In fact, transforming a previously benign core component in firmware to one that can facilitate malware deployment on the system is an innovation that was not seen in previous comparable firmware bootkits in the wild and makes the threat far stealthier."
Molerats phishing campaign.
Zscaler describes a malware campaign using phishing lures related to the Israeli-Palestinian conflict. The researchers attribute this campaign to the Molerats APT:
"The targets in this campaign were chosen specifically by the threat actor and they included critical members of [the] banking sector in Palestine, people related to Palestinian political parties, as well as human rights activists and journalists in Turkey. ThreatLabz observed several similarities in the C2 communication and .NET payload between this campaign and the previous campaigns attributed to the Molerats APT group. Additionally, we discovered multiple samples that we suspect are related to Spark backdoor. We have not added the analysis of these samples in this blog, but they were all configured with the same C2 server."
White Rabbit ransomware.
Trend Micro is tracking a new ransomware family calling itself "White Rabbit" that was used in an attack against a US bank in December:
"One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis.
"White Rabbit’s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity. The telltale sign of its malicious origin is the presence of strings for logging, but the actual behavior would not be easily observed without the correct password."
The researchers note possible ties to the financially motivated threat actor FIN8, which hasn't typically been known to conduct ransomware operations. Trend Micro says, "Given that FIN8 is known mostly for its infiltration and reconnaissance tools, the connection could be an indication of how the group is expanding its arsenal to include ransomware. So far, White Rabbit’s targets have been few, which could mean that they are still testing the waters or warming up for a large-scale attack. White Rabbit is thus likely still in its development phase, considering its uncomplicated ransomware routine. Despite being in this early stage, however, it is important to highlight that it bears the troublesome characteristics of modern ransomware: It is, after all, highly targeted and uses double extortion methods."