At a glance.
- Truebot operators expand.
- Iranian wiper targets the diamond industry.
- MuddyWater deploys new tool.
- Drokbk malware abuses GitHub to resolve C2 server.
Truebot operators expand.
Cisco Talos warns that the operators of the Truebot downloader malware have expanded their distribution methods from phishing to exploiting vulnerabilities and using infected USB drives. Recent Truebot campaigns have resulted in the delivery of the Clop ransomware:
"Post-compromise activity included data theft and the execution of Clop ransomware. While investigating one of these attacks, we found what seems to be a fully featured custom data exfiltration tool, which we are calling 'Teleport,' that was extensively used to steal information during the attack.
"So far, we have identified two different Truebot botnets. One is distributed worldwide, but with particular focus on Mexico, Pakistan, and Brazil. The second, more recent botnet appears to be focused on the U.S. While we don't have enough information to say that there is a specific focus on a sector, we noticed a number of compromised education sector organizations."
Iranian wiper targets the diamond industry.
The Iran-linked threat actor Agrius used a supply-chain attack to deploy a new wiper against organizations in the diamond industry in South Africa, Israel, and Hong Kong, according to ESET: "Victims in Israel include an IT support services company, a diamond wholesaler, and an HR consulting firm. South African victims are from a single organization in the diamond industry, with the Hong Kong victim being a jeweler."
The threat actor compromised the update mechanism in “an Israeli software suite used in the diamond industry” to launch the wiper. The researchers note that unlike Agrius’s previous campaigns, the threat actor in this case didn’t attempt to disguise the wiper as ransomware.
MuddyWater deploys new tool.
Researchers at Deep Instinct are tracking a campaign by the Iranian threat actor MuddyWater (also known as Static Kitten) that's targeting organizations in Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates:
"The most recent MuddyWater campaign was observed by Deep Instinct in the beginning of October and possibly started in the September timeframe. What makes this campaign different from previous waves is the use of a new remote administration tool named 'Syncro.' A new lure in the form of an HTML attachment was observed, along with the addition of other providers for hosting the archives containing the installers of the remote administration tool."
Drokbk malware abuses GitHub to resolve C2 server.
Secureworks describes the Drokbk malware, which is being "operated by a subgroup of the Iranian government-sponsored COBALT MIRAGE threat group." The malware finds its command-and-control server by using GitHub as a dead drop resolver. Drokbk uses the GitHub API to search for a repository with a specific name. The researchers explain, "This approach gives the threat actors a degree of resiliency against shuttering of their GitHub account, as they can create a new account with a matching repository name. It also allows the malware to dynamically update its C2 server by repeating this process."
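One defender-side way to surface the lookup pattern described above in web-proxy logs. This is an added example, not Secureworks' code or anything from the Drokbk analysis; the log line format, host names, developer allowlist and repository name are all constructed assumptions.

```python
"""Flag GitHub repository-search calls from hosts that have no developer role.
The page describes Drokbk resolving its C2 by searching the GitHub API for a
repository with a specific name, and repeating the search to pick up updates,
so repeated identical searches from a non-developer host are the signal here."""
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed proxy format: <time> <src_host> <method> <url> "<user-agent>" (constructed sample)
SAMPLE_LOG = """\
2022-12-08T09:00:01Z dev-ws-07 GET https://api.github.com/search/repositories?q=internal-tools "git/2.38.1"
2022-12-08T09:00:05Z fileserver-02 GET https://api.github.com/search/repositories?q=proj-updates-1 "Mozilla/4.0"
2022-12-08T09:01:05Z fileserver-02 GET https://api.github.com/search/repositories?q=proj-updates-1 "Mozilla/4.0"
2022-12-08T09:02:10Z fileserver-02 GET https://raw.githubusercontent.com/example-acct/proj-updates-1/main/README.md "Mozilla/4.0"
2022-12-08T09:03:00Z dev-ws-07 GET https://github.com/example-acct/proj-updates-1 "Mozilla/5.0"
"""

# Constructed allowlist: hosts where GitHub API traffic is expected (build boxes, developer workstations)
DEV_HOSTS = {"dev-ws-07"}


def parse_line(line):
    time, host, method, url, ua = line.split(" ", 4)  # user agent may contain spaces, so maxsplit=4
    return {"time": time, "host": host, "method": method, "url": url, "ua": ua.strip('"')}


def is_repo_search(url):
    parts = urlsplit(url)
    return parts.netloc == "api.github.com" and parts.path.startswith("/search/repositories")


def find_dead_drop_lookups(log_text, dev_hosts=DEV_HOSTS):
    """Return one finding per (host, search query) for repository searches from non-developer hosts.
    'repeated' marks hosts that re-run the same search, matching the re-resolution behaviour."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["host"] in dev_hosts or not is_repo_search(rec["url"]):
            continue
        query = parse_qs(urlsplit(rec["url"]).query).get("q", [""])[0]
        hits[(rec["host"], query)] += 1
    return [{"host": h, "query": q, "lookups": n, "repeated": n > 1}
            for (h, q), n in sorted(hits.items())]
```

The raw.githubusercontent.com fetch that follows a flagged search is worth correlating by hand: it is the step where the resolved repository content would actually be read.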