At a glance.
- Charming Kitten deploys new backdoor.
- DPRK targets security researchers.
- A new BEC phishing kit.
- More spyware targeting Uyghurs.
- Vulnerability affects booking service.
- A new Agent Tesla variant is out.
Charming Kitten deploys new backdoor.
ESET says Ballistic Bobcat, the suspected Iranian threat actor it tracks under that name (also known as "APT35" or "Charming Kitten"), is using a new backdoor dubbed "Sponsor" to target at least thirty-four entities in Brazil, Israel, and the United Arab Emirates. The researchers explain, "Ballistic Bobcat obtained initial access by exploiting known vulnerabilities in internet-exposed Microsoft Exchange servers by first conducting meticulous scans of the system or network to identify potential weaknesses or vulnerabilities, and subsequently targeting and exploiting those identified weaknesses. The group has been known to engage in this behavior for some time. However, many of the 34 victims identified in ESET telemetry might best be described as victims of opportunity rather than preselected and researched victims, as we suspect Ballistic Bobcat engaged in the above-described scan-and-exploit behavior because it was not the only threat actor with access to these systems."
DPRK targets security researchers.
Google’s Threat Analysis Group (TAG) warns that a North Korean threat actor has been targeting security researchers with at least one zero-day for the past several weeks. Google notified the affected vendor, and the zero-day is in the process of being patched.
TAG states, “Similar to the previous campaign TAG reported on, North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp, or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.”
More spyware targeting Uyghurs.
Kaspersky discovered several malicious Telegram clones in the Google Play Store that appear to be designed to target Chinese-speaking users, particularly China's Uyghur population. The apps purport to be faster versions of the legitimate Telegram app, and are "capable of stealing the victim's entire correspondence, personal data, and contacts." BleepingComputer notes that the apps had been downloaded more than 60,000 times. Google has since removed the apps from its Play Store.
A new BEC phishing kit.
Researchers at Group-IB are tracking a newly discovered phishing-as-a-service operation called "W3LL" whose tools have been used to target more than 56,000 corporate Microsoft 365 accounts in the past ten months. "Phishing campaigns involving W3LL tools are highly persuasive and usually involve several W3LL-developed instruments that cover almost the entire killchain of BEC attacks, all the while providing a high level of automation and scalability," the researchers write. Subscriptions for the W3LL phishing kit have been sold to around five hundred criminal actors over the past six years, and it has become a trusted offering in the C2C souks. "W3LL offers a 3-month phishing kit subscription for $500, with subsequent months costing $150 each. Each copy of W3LL Panel has to be enabled through the token-based activation mechanism, which prevents the kit from being resold or its source code being stolen." The kit is highly effective: of the accounts targeted, more than 8,000 Microsoft 365 accounts were actually compromised within the past ten months.
Vulnerability affects booking service.
Researchers at Bitdefender discovered a series of vulnerabilities affecting the IRM Next Generation online booking engine built by Resort Data Processing, Inc: “In November 2022, Bitdefender researchers in the Cyber-Threat Intelligence Lab have started investigating signs of suspicious activity on a server owned by a resort in the United States of America, when files part of the booking engine developed by Resort Data Processing were illegally accessed by a third-party. Our initial assessment revealed the presence on the server of several webshell components, as well as of a variant of MicroBackdoor. We were able to also isolate a malicious IIS native module with backdoor functionalities called XModule, which was specially designed for e-skimming (theft of credit card information and passwords by injecting malicious code in a JavaScript file used by Resort Data Processing’s IRMNg booking engine).”
The researchers identified five vulnerabilities affecting the engine. Three involved the use of hard-coded credentials, and two were related to the improper neutralization of special elements (an injection class of bug). Bitdefender attempted to notify the vendor multiple times but never received a response, and at the time of the report IRMNg remained unpatched and vulnerable to all five flaws.
A new Agent Tesla variant is out.
Fortinet describes a new variant of the Agent Tesla remote access Trojan that's being distributed via malicious Excel documents. The attackers exploit the long-patched CVE-2017-11882/CVE-2018-0802 vulnerabilities in the Microsoft Office Equation Editor component, delivered through the Excel attachment, to execute the malware. Fortinet notes, "Despite fixes for CVE-2017-11882/CVE-2018-0802 being released by Microsoft in November 2017 and January 2018, this vulnerability remains popular amongst threat actors, suggesting there are still unpatched devices in the wild, even after over five years. We are observing and mitigating 3000 attacks per day, at the IPS level. The number of observed vulnerable devices is around 1300 per day."
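A quick triage check a defender can run on inbound Office attachments, added here as an example and not code from Fortinet or the page: both CVEs live in the Equation Editor OLE server (EQNEDT32.EXE), so a document that carries an embedded Equation Editor object is worth a second look. The script below scans either a legacy OLE2 file (.xls/.doc) or an OOXML zip (.xlsx/.docx) for the well-known Equation.3 class identifier {0002CE02-0000-0000-C000-000000000046}, the "Equation Native" stream name, and the Equation.3 ProgID in part XML. The sample inputs are constructed byte blobs, not real malware; the function and variable names are this example's own.

```python
import io
import re
import zipfile

# Little-endian binary form of CLSID {0002CE02-0000-0000-C000-000000000046},
# the OLE class of Microsoft Equation 3.0 (EQNEDT32.EXE), as stored in an
# OLE2 directory entry or an embedded oleObject*.bin part.
EQUATION_CLSID = bytes.fromhex("02CE020000000000C000000000000046")
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# OLE2 stream and storage names are stored as UTF-16LE in the directory.
EQUATION_NATIVE_UTF16 = "Equation Native".encode("utf-16-le")
EQUATION_PROGID_ASCII = b"Equation.3"
EQUATION_PROGID_UTF16 = "Equation.3".encode("utf-16-le")
# OOXML references the embedded object by ProgID in sheet/document XML,
# e.g. <oleObject progId="Equation.3" .../> or <o:OLEObject ProgID="Equation.3" .../>.
PROGID_RE = re.compile(rb'progid="equation\.3"', re.I)


def scan_blob(data: bytes, label: str = "ole") -> list:
    """Return Equation Editor indicators found in a raw OLE2 blob."""
    hits = []
    if EQUATION_CLSID in data:
        hits.append(f"{label}: Equation Editor CLSID 0002CE02-0000-0000-C000-000000000046")
    if EQUATION_NATIVE_UTF16 in data:
        hits.append(f"{label}: 'Equation Native' stream name")
    if EQUATION_PROGID_ASCII in data or EQUATION_PROGID_UTF16 in data:
        hits.append(f"{label}: 'Equation.3' ProgID string")
    return hits


def scan_document(data: bytes) -> list:
    """Scan a legacy OLE2 document or an OOXML (zip) document for Equation Editor objects."""
    if data.startswith(OLE_MAGIC):
        return scan_blob(data, "ole")
    if data.startswith(b"PK\x03\x04"):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lname = name.lower()
                if lname.endswith(".bin"):
                    # Embedded OLE objects are stored as */embeddings/oleObject*.bin
                    hits.extend(scan_blob(zf.read(name), name))
                elif lname.endswith(".xml") and PROGID_RE.search(zf.read(name)):
                    hits.append(f"{name}: ProgID Equation.3 reference")
        return hits
    return []  # neither OLE2 nor OOXML: nothing this check can say


def is_suspicious(data: bytes) -> bool:
    """True when the document embeds an Equation Editor object (triage signal, not proof of exploit)."""
    return bool(scan_document(data))


def build_samples() -> dict:
    """Constructed test inputs (not real malware): a fake OLE2 file with the CLSID
    and stream name, a fake .xlsx with an embedded oleObject1.bin, and a clean OLE2 file."""
    ole_doc = OLE_MAGIC + b"\x00" * 64 + EQUATION_CLSID + b"\x00" * 64 + EQUATION_NATIVE_UTF16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/worksheets/sheet1.xml", '<oleObject progId="Equation.3" r:id="rId1"/>')
        zf.writestr("xl/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 32 + EQUATION_CLSID)
    ooxml_doc = buf.getvalue()
    clean_doc = OLE_MAGIC + b"\x00" * 256
    return {"ole": ole_doc, "ooxml": ooxml_doc, "clean": clean_doc}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        hits = scan_document(blob)
        print(name, "->", hits or "no Equation Editor indicators")
```

A hit is a reason to detonate or block the file, not a verdict: legitimate old documents can embed equations, and real exploit samples are frequently RTF rather than Excel, or obfuscate the CLSID in ways a byte scan misses, so this complements rather than replaces the IPS-level detection Fortinet describes.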