At a glance.
- Fancy Bear targets Ukrainian entities.
- Camaro Dragon spreads malware via USB drives.
- Anatsa Trojan's new capabilities.
- Transparent Tribe resurfaces against Indian military and academic targets.
- Proof-of-concept: Microsoft Teams as potential attack vector.
Fancy Bear targets Ukrainian entities.
The Record by Recorded Future reports that Russia's BlueDelta threat actor is targeting Ukrainian government and military entities. Ukraine’s computer emergency response team (CERT-UA) has attributed the campaign to APT28 (also known as "Fancy Bear"), a threat actor associated with the Russian GRU. Recorded Future says the threat actor is exploiting vulnerabilities in the open-source webmail software Roundcube:
"The BlueDelta campaign used spearphishing techniques, sending emails with attachments exploiting vulnerabilities (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) in Roundcube to run reconnaissance and exfiltration scripts, redirecting incoming emails and gathering session cookies, user information, and address books. The attachment contained JavaScript code that executed additional JavaScript payloads from BlueDelta-controlled infrastructure. The campaign displayed a high level of preparedness, quickly weaponizing news content into lures to exploit recipients. The spearphishing emails contained news themes related to Ukraine, with subject lines and content mirroring legitimate media sources."
Camaro Dragon spreads malware via USB drives.
Check Point Research has published a report on a USB-propagated malware campaign that it attributes to the China-based espionage group Camaro Dragon. Check Point's researchers discovered the malware while investigating an incident at a European hospital earlier this year. “The investigation showed that the malicious activity observed was likely not targeted but was simply collateral damage from Camaro Dragon’s self-propagating malware infections spreading via USB drives.” Patient Zero, as CPR calls the first victim, initially received the infection while attending a conference in Asia and connecting a USB drive to a colleague's already infected computer.
Anatsa Trojan's new capabilities.
The Android banking Trojan Anatsa has expanded its targeting to new banks in the US, the UK, and Germany, according to researchers at ThreatFabric. Anatsa is delivered via malicious apps in the Google Play Store, and it has been downloaded more than 30,000 times in the current, ongoing campaign. "Once the device is infected, Anatsa is able to collect sensitive information (credentials, credit card details, balance, and payment information) via overlay attacks and keylogging," ThreatFabric says. "This information will be later used by the criminals to perform fraud. Anatsa provides them with the capability to perform Device-Takeover Fraud (DTO), which then leads to performing actions (transactions) on the victim’s behalf. Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that [it] is very challenging for banking anti-fraud systems to detect it."
Transparent Tribe resurfaces against Indian military and academic targets.
SideCopy, a subdivision of the Pakistan-aligned threat actor Transparent Tribe, is targeting the Indian army and the education sector, PGurus reports. Researchers at Seqrite said in their report on the activity, “There are three infection chains with themes utilized: DRDO’s ‘Invitation Performa,’ which is part of its Defence Procurement Procedure (DPP), a honeytrap lure, and also the Indian Military with ‘Selection of Officers for Foreign Assignments’ theme. The ongoing campaign came to light after a senior DRDO scientist was arrested for leaking sensitive information to Pakistani agents who honey trapped him.”
Proof-of-concept: Microsoft Teams as potential attack vector.
Researchers at Jumpsec have discovered a way to use Microsoft Teams as a vector for malware delivery, BleepingComputer reports. Researcher Max Corbridge explains, “Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request.” Corbridge adds, “When sending the payload like this, it is actually hosted on a Sharepoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link.”
Microsoft acknowledged the vulnerability, but told Jumpsec that it “did not meet the bar for immediate servicing.”