At a glance.
- Chinese cyberespionage campaign in the Middle East.
- New tools used by Lebanon-based threat actor.
- Amateurish ransomware acts as a wiper.
- Heliconia framework described.
Chinese cyberespionage campaign in the Middle East.
Bitdefender has published a report describing a Chinese cyberespionage operation targeting telecom providers in the Middle East. The threat actor gained initial access by exploiting the ProxyShell vulnerability in Microsoft Exchange Server:
“The attack started with an email, but this was not a traditional phishing attack. The malicious payload was included as an attachment, and once this email was received and processed by the Exchange server, the vulnerability was exploited (without anyone clicking on the attachment or even seeing the email). The subject of the email and the attachment name suggest that a public proof of concept for the ProxyShell exploit was used.”
After gaining access, the threat actor deployed multiple tools to establish persistence, move laterally, and escalate privileges. These include the Irafau and Quarian backdoors and the Pinkman Agent.
BackdoorDiplomacy is a China-linked APT that was discovered last year by researchers at ESET, who noted that the group primarily targets Ministries of Foreign Affairs in the Middle East and Africa, and less frequently, telecommunication companies. Bitdefender attributes this campaign to BackdoorDiplomacy based on the domains used for command-and-control:
“The attribution is based on infrastructure and TTPs common to the current operation and others known to the public. For instance, the already-known IP address 43.251.105[.]139 was used as C&C by a sample of Quarian variant built on 2022-04-11. The domains uc.ejalase[.]org and mci.ejalase[.]org pointed to IP addresses related to other domains used by BackdoorDiplomacy in the past. One such domain we believe is support.vpnkerio[.]com as other subdomains of vpnkerio[.]com are connected to the mentioned threat actor.”
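The infrastructure overlap Bitdefender describes is the kind of pivot a defender turns into a retrospective hunt: refang the published indicators, then check DNS and proxy telemetry for the exact IP and domains, and also for any subdomain of an apex the report ties to the actor (vpnkerio[.]com). The following Python is an added example, not code from Bitdefender or from the report; the indicators are the ones quoted above, while the log lines, hostnames, timestamps and answer addresses are constructed for the demonstration and the key=value log format is an assumption.

```python
"""Hunt for published (defanged) C2 indicators in DNS/proxy log lines."""
import ipaddress
import re

# Indicators exactly as quoted in the Bitdefender attribution above.
DEFANGED_IOCS = [
    "43.251.105[.]139",
    "uc.ejalase[.]org",
    "mci.ejalase[.]org",
    "support.vpnkerio[.]com",
]

# Constructed sample telemetry (hypothetical hosts, times and answers), not real data.
SAMPLE_LOG = """\
2022-04-12T09:14:03Z dns host=ws-017 query=mci.ejalase.org type=A answer=198.51.100.7
2022-04-12T09:14:05Z proxy host=ws-017 dst=43.251.105.139:443 bytes=1820
2022-04-12T09:15:11Z dns host=ws-022 query=updates.example.com type=A answer=203.0.113.9
2022-04-12T09:16:40Z dns host=ws-031 query=cdn.vpnkerio.com type=A answer=198.51.100.42
2022-04-12T09:17:02Z proxy host=ws-022 dst=203.0.113.9:443 bytes=5400
"""

TOKEN_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value log layout


def refang(indicator: str) -> str:
    """Turn the defanged notation used in reports back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_matches(observed: str, ioc_domain: str) -> bool:
    """Exact match, or observed is a subdomain of the indicator (a.b.x.org hits x.org)."""
    observed = observed.lower().rstrip(".")
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


def scan(log_text: str, iocs, parent_domains=()):
    """Return a list of (line_no, matched_indicator, line) for every hit.

    parent_domains are apex domains the report links to the actor as a whole;
    any subdomain seen in telemetry is reported as a lead for investigation.
    """
    ip_iocs, domain_iocs = set(), set()
    for raw in iocs:
        value = refang(raw)
        (ip_iocs if is_ip(value) else domain_iocs).add(value)
    domain_iocs.update(refang(d) for d in parent_domains)

    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        fields = dict(TOKEN_RE.findall(line))
        matched = None
        # DNS queries: compare against domain indicators (incl. parent apexes).
        if "query" in fields:
            for ioc in sorted(domain_iocs, key=len, reverse=True):  # most specific first
                if domain_matches(fields["query"], ioc):
                    matched = ioc
                    break
        # Proxy destinations and DNS answers: compare the address against IP indicators.
        for key in ("dst", "answer"):
            if matched is None and key in fields:
                value = fields[key]
                # Strip a :port suffix from IPv4 destinations; plain IPv6 has more colons.
                if value.count(":") == 1:
                    value = value.rsplit(":", 1)[0]
                if value in ip_iocs:
                    matched = value
        if matched is not None:
            hits.append((line_no, matched, line))
    return hits


if __name__ == "__main__":
    for line_no, ioc, line in scan(SAMPLE_LOG, DEFANGED_IOCS, parent_domains=("vpnkerio[.]com",)):
        print(f"line {line_no}: {ioc} <- {line}")
```

A hit on the apex alone (cdn.vpnkerio.com in the sample) is a pivot of the same kind Bitdefender made, not a confirmation of compromise; it belongs in an investigation queue, whereas the exact IP and domain matches warrant immediate triage of the host.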
New tools used by Lebanon-based threat actor.
Deep Instinct describes three newly discovered tools being used by the Lebanese threat actor tracked as "Polonium," which exclusively targets companies in Israel. The researchers note that the threat actor "is using small components to make investigation more difficult, as well as a multi-step attack flow to make it harder to detect." Polonium was first observed by Microsoft in June 2022, and ESET analyzed the group's malware arsenal in October.
Amateurish ransomware acts as a wiper.
Fortinet outlines a poorly constructed strain of ransomware called "Cryptonite" that unintentionally acts as a wiper by failing to send the victim a decryption key. The researchers note that unlike other wipers that were deliberately disguised as ransomware by state-sponsored actors, the problem in this case seems to be a lack of quality assurance. Fortinet states, "there is no way to run the program in a ‘decryption-only’ mode. Every time it is executed, it re-encrypts everything with a different key before offering the decryption to the victim." Additionally, the ransomware operators themselves never receive the true decryption key.
Heliconia framework described.
Google’s Threat Analysis Group (TAG) has published a report on a commercial spyware framework developed by a Barcelona-based company, Variston IT. The framework, called “Heliconia,” exploited vulnerabilities in Chrome, Firefox, and Microsoft Defender. While the vulnerabilities have since been patched, TAG says “it appears likely these were utilized as zero-days in the wild.”