At a Glance.
- Barracuda Networks reports 2023 spear phishing trends.
- New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices.
- Kimsuky's tailored reconnaissance tools.
- CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming.
- Legion malware upgraded for the cloud.
- Blacktail, a new ransomware group using recycled ransomware.
- GoldenJackal, an APT quietly active since 2019.
Barracuda Networks reports 2023 spear phishing trends.
Barracuda released its 2023 spear phishing trends report last Friday, which describes spear phishing as having a disproportionately high success rate compared with other email attacks. The researchers reported “These attacks make up only 0.1% of all email-based attacks according to Barracuda’s data but are responsible for 66% of all breaches. On the other hand, high-volume attacks such as spam and malware, make up 16% of emails but are only responsible for one-third of breaches.” According to the report, 50% of the organizations studied had been affected by a spear phishing attack in 2022, with 24% having at least one email account compromised through an account takeover. The researchers explain that when a spear phishing attack succeeds, the effects can be severe: “55% of respondents that experienced a spear-phishing attack reported machines infected with malware or viruses; 49% reported having sensitive data stolen; 48% reported having stolen login credentials; and 39% reported direct monetary loss.” Companies with a more than 50% remote workforce appear to be at higher risk of spear phishing and, when attacks occur, these mostly remote companies have a harder time mitigating them. Additionally, companies with a mostly remote workforce take about 73% longer to respond to attacks. For more information on Barracuda’s spear phishing trend report, see CyberWire Pro.
New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices.
Palo Alto’s Unit 42 discovered a new variant of Mirai that targets IoT devices, using several vulnerabilities to propagate itself and add machines to its botnet. This variant, which Unit 42 calls IZ1H9, exploits four vulnerabilities: CVE-2023-27076 (Tenda G103 command injection vulnerability), CVE-2023-26801 (LB-Link command injection vulnerability), CVE-2023-26802 (DCN DCBI-Netlog-LAB remote code execution vulnerability), and CVE-2023-28771 (Zyxel remote code execution vulnerability). Researchers at Unit 42 explain that the infected machines then become a part of Mirai’s botnet and can be used to conduct such further actions as distributed denial-of-service (DDoS) attacks. The researchers note that this Mirai strain has been seen in several campaigns, and they assess that these were all conducted by the same threat actor. The researchers note that the botnet samples they analyzed all used the same decryption key and infrastructure, and the malware shell script downloaders and client samples were almost identical. Unit 42 recommends that IoT devices be updated as soon as possible once patches are available. They write “The vulnerabilities used by this threat are less complex, but this does not decrease their impact, since they could still lead to remote code execution. Once the attacker gains control of a vulnerable device, they can include the newly compromised devices in their botnet.”
Kimsuky's tailored reconnaissance tools.
SentinelOne has observed North Korea’s Kimsuky using advanced reconnaissance malware. A new piece of custom malware in use by the hackers, RandomQuery, has “the single objective of file enumeration and information exfiltration.” Other observed variants of RandomQuery are quite different, with a broader array of capabilities that usually includes keylogging and further malware execution features. RandomQuery is prominent in Kimsuky’s arsenal and is commonly distributed through phishing attacks. In the present wave of attacks, the hackers claim to be Lee Kwang-baek, the chief executive of Daily NK, a well-known South Korea-based news organization reporting on DPRK affairs. The Hacker News reports that the gang sends a Microsoft Compiled HTML Help (CHM) file, which, if opened, executes “a Visual Basic Script that issues a HTTP GET request to a remote server to retrieve the second-stage payload, a VBScript flavor of RandomQuery.” The malware then harvests system data and transmits it back to the threat actor’s command-and-control (C2) server. The data include “system metadata, running processes, installed applications, and files from different folders.”
Kimsuky is a North Korean advanced persistent threat (APT) that has been operating since 2012 and is based in North Korea. The gang has been seen targeting human rights activists, defector support organizations, and news services.
CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming.
Researchers at Mandiant have discovered new malware designed to disrupt electricity supply and critical infrastructure. Called CosmicEnergy, the malware specializes in affecting operational technology (OT) and industrial control systems (ICS) by “interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia,” writes Mandiant. CosmicEnergy was uploaded to a public malware scanning utility in 2021 by a user in Russia. The version obtained by Mandiant lacks a built-in discovery capability, which means that a user would have to manually identify the IPs of MSSQL servers, MSSQL credentials, and target IEC-104 information object addresses. Attribution is inconclusive, but the researchers suggest that this malware could have been a Russian red-teaming tool used in exercises to simulate an attack on electric infrastructure.
CosmicEnergy was found on VirusTotal, which seems a curious place for a threat actor to park malware, but it's happened before. The researchers explain that it is possible that this malware was developed as a red teaming tool for Rostelecom-solar, a Russian cyber security firm. Mandiant has not been able to attribute this malware to any nation state, but they explain that this could have been used for an exercise in Russia to simulate an attack on power stations. They write, “Although we have not identified sufficient evidence to determine the origin or purpose of CosmicEnergy, we believe that the malware was possibly developed by either Rostelecom-Solar or an associated party to recreate real attack scenarios against energy grid assets. It is possible that the malware was used to support exercises such as the ones hosted by Rostelecom-Solar in 2021 in collaboration with the Russian Ministry of Energy or in 2022 for the St.Petersburg’s International Economic Forum (SPIEF).” They add that it is equally possible that this was created by another actor as there is a lack of conclusive evidence, “Threat actors regularly adapt and make use of red team tools - such as commercial and publicly available exploitation frameworks - to facilitate real world attacks, like TEMP.Veles’ use of METERPRETER during the TRITON attack.” And, of course, even legitimate red-teaming tools can be put to malign purposes. For more on CosmicEnergy, see CyberWire Pro.
Legion malware upgraded for the cloud.
Legion, a commercial malware tool, has been upgraded to target Amazon Web Services, from which it extracts credentials for authentication over SSH. Cado Security released a report on the threat emphasizing the progression towards exploiting more cloud services: "It’s clear that the developer’s targeting of cloud services is advancing with each iteration." Regarding the SSH credential harvesting, the researchers write, “Essentially, the malware hunts for environment variable files in misconfigured web servers running PHP frameworks such as Laravel. Legion attempts to access these .env files by enumerating the target server with a list of hardcoded paths in which these environment variable files typically reside. If these paths are publicly accessible, due to misconfigurations, the files are saved and a series of regular expressions are run over their contents.” Legion’s developers also apparently enabled a previously dormant tool that imports a Python library called Paramiko, an implementation of the SSHv2 protocol, which the malware uses to exploit SSH servers.
The Hacker News reports that Legion is known for its use of Telegram as an avenue of exfiltration, and for sending spam messages to “dynamically-generated U.S. mobile numbers by making use of the stolen SMTP credentials.” Matt Muir, a Cado Labs researcher, explains that the tool mainly exploits misconfigurations in web applications and thus recommends that “developers and administrators of web applications regularly review access to resources within the applications themselves, and seek alternatives to storing secrets in environment files."
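A defender-side check for the .env enumeration the Cado report describes above, added here as an example and not code from the report or from Legion: it scans web-server access logs for requests to .env-style paths, separates mere probes from confirmed exposures (the server answered 200), and flags sources walking a list of paths. The combined log format, the path regex, and the sample log lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" access-log format (assumed to be what the server writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Request path ending in .env or .env.<suffix> (/.env, /laravel/.env, /.env.bak).
# The report does not list Legion's hardcoded paths, so match the file name
# wherever it appears instead of a fixed path list.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')

def find_env_probes(lines):
    """Return (probes, exposures): every (ip, path, status) request for a
    .env-style path, and the (ip, path) subset answered 200 (file was served)."""
    probes, exposures = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        ip, path, status = m["ip"], m["path"].split("?", 1)[0], int(m["status"])
        if ENV_PATH_RE.search(path):
            probes.append((ip, path, status))
            if status == 200:
                exposures.append((ip, path))
    return probes, exposures

def probing_sources(probes, threshold=3):
    """IPs that hit .env paths at least `threshold` times: the
    walk-a-list-of-paths enumeration the Cado report describes."""
    counts = defaultdict(int)
    for ip, _, _ in probes:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2023:10:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '203.0.113.7 - - [26/May/2023:10:01:03 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "python-requests/2.28"',
    '203.0.113.7 - - [26/May/2023:10:01:04 +0000] "GET /public/.env HTTP/1.1" 200 812 "-" "python-requests/2.28"',
    '198.51.100.9 - - [26/May/2023:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/May/2023:10:05:01 +0000] "GET /.env.bak?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probes, exposures = find_env_probes(SAMPLE_LOG)
    print("exposed .env files (HTTP 200):", exposures)
    print("hosts enumerating .env paths:", probing_sources(probes))
```

A 200 for any of these paths means the secrets file is reachable and should be treated as compromised and rotated; the 404s and 403s still mark the source as worth blocking.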
Blacktail, a new ransomware group using recycled ransomware.
A new ransomware operation calling itself Buhti has been discovered by researchers at Symantec. The operation uses variants of the LockBit and Babuk ransomware, as well as a custom infostealer that is able to search for and archive specified file types. “Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks,” wrote Symantec. The researchers were unable to attribute this new campaign to any known threat actor and have therefore dubbed the associated group “Blacktail.” For more information, see CyberWire Pro.
GoldenJackal, an APT quietly active since 2019.
The GoldenJackal APT is a newly described threat actor that has been in operation since 2019. Kaspersky explains that the group specializes in long-term infection and information collection against targets in South Asia and the Middle East. “We observed the usage of fake Skype installers and malicious Word documents. The fake Skype installer was a .NET executable file named skype32.exe that was approximately 400 MB in size. It was a dropper containing two resources: the JackalControl Trojan and a legitimate Skype for business standalone installer. This tool was used in 2020. The other known infection vector was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability.” The group sports a custom toolkit designed around collection, pivoting, and persistence. “The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher intended to:
- “control victim machines
- “spread across systems using removable drives
- “exfiltrate certain files from the infected system
- “steal credentials
- “collect information about the local system
- “collect information about users’ web activities
- “take screen captures of the desktop”
Kaspersky as usual offers no attribution. They do, however, note inconclusive circumstantial similarities between GoldenJackal and Turla (generally associated with Russian intelligence services), specifically “a code similarity in the victim UID generation algorithm that overlaps somewhat with that used by Kazuar.” Kaspersky attributes the group’s low profile to its low victim count and precise targeting.