At a glance.
- Earth Lusca's cyberespionage techniques.
- Iranian cyberespionage campaign: "Peach Sandstorm."
- Cyber threats trending from East Asia.
- Lazarus Group suspected in CoinEx crypto theft.
- Python NodeStealer takes browser credentials.
- MetaStealer targets businesses.
- 3AM is fallback malware.
- Access broker's phishing facilitates ransomware.
Earth Lusca's cyberespionage techniques.
Trend Micro says the China-aligned threat actor “Earth Lusca” is using a new Linux backdoor based on the open-source Windows malware Trochilus. Trend Micro calls the Linux variant “SprySOCKS.” The researchers note, “The backdoor contains a marker that refers to the backdoor’s version number. We have identified two SprySOCKS payloads that contain two different version numbers, indicating that the backdoor is still under development. In addition, we noticed that the implementation of the interactive shell is likely inspired from the Linux variant of the Derusbi malware.” Earth Lusca has been targeting public-facing servers belonging to “government departments that are involved in foreign affairs, technology, and telecommunications.” The threat actor is primarily interested in countries in Southeast Asia, Central Asia, and the Balkans.
Iranian cyberespionage campaign: "Peach Sandstorm."
Microsoft warns that the Iranian state-sponsored actor Peach Sandstorm (which Microsoft formerly tracked as “HOLMIUM”) has been launching password-spraying campaigns against thousands of organizations since February 2023, with a particular focus on the satellite, defense, and pharmaceutical sectors. The goal of the campaign appears to be espionage. In a small number of cases, the threat actor succeeded in breaching organizations and exfiltrating data. Microsoft says, “The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments.”
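A defender-side illustration of the password-spray pattern this item describes, added here as an example rather than taken from Microsoft's report: it flags a source that fails against many accounts with few attempts each, and surfaces any later success from that source (the "legitimate credentials gleaned from password spray" signal). The log format, IP addresses, usernames and thresholds are all constructed.

```python
"""Added example (not Microsoft's code): spot password-spray shape in sign-in logs."""
from collections import defaultdict

# Constructed sample sign-in log: "timestamp,source_ip,username,result"
SAMPLE_LOG = """\
2023-09-18T08:00:01Z,198.51.100.7,alice,FAIL
2023-09-18T08:00:03Z,198.51.100.7,bob,FAIL
2023-09-18T08:00:05Z,198.51.100.7,carol,FAIL
2023-09-18T08:00:07Z,198.51.100.7,dave,FAIL
2023-09-18T08:00:09Z,198.51.100.7,erin,FAIL
2023-09-18T08:00:11Z,198.51.100.7,frank,SUCCESS
2023-09-18T08:01:00Z,203.0.113.9,alice,FAIL
2023-09-18T08:01:30Z,203.0.113.9,alice,SUCCESS
"""


def parse(log_text):
    """Turn the constructed CSV lines into dicts, skipping blank lines."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        rows.append({"ts": ts, "ip": ip, "user": user, "result": result})
    return rows


def find_sprays(rows, min_users=5, max_fails_per_user=2):
    """Return {source_ip: info} for sources whose failures spread across at
    least min_users accounts with at most max_fails_per_user tries each
    (spray shape, as opposed to brute force on one account), together with
    the accounts that later authenticated successfully from that source."""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(list)
    for r in rows:
        if r["result"] == "FAIL":
            fails[r["ip"]][r["user"]] += 1
        elif r["result"] == "SUCCESS":
            successes[r["ip"]].append(r["user"])
    findings = {}
    for ip, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_fails_per_user:
            findings[ip] = {
                "targeted_accounts": sorted(per_user),
                "compromised": sorted(successes.get(ip, [])),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_sprays(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The second source in the sample (one account, then success) is deliberately not flagged: it is a single-account pattern, not a spray, and needs a different rule.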
Cyber threats trending from East Asia.
Microsoft has also described the cyber capabilities of the Chinese and North Korean governments, finding that Chinese influence operations have grown more effective over the past year: “China-aligned social media networks have engaged directly with authentic users on social media, targeted specific candidates in content about US elections, and posed as American voters. Separately, China’s state-affiliated multilingual social media influencer initiative has successfully engaged target audiences in at least 40 languages and grown its audience to over 103 million.”
The researchers note that China’s cyber operations in 2023 have primarily focused on countries surrounding the South China Sea, the US defense industrial base (especially satellite communications and telecommunications infrastructure in Guam), and US critical infrastructure.
North Korean cyber operations have increased in sophistication over the past year, and Microsoft says Pyongyang’s threat actors seem particularly interested in stealing information related to maritime technology research.
Lazarus Group suspected in CoinEx crypto theft.
Researchers at Elliptic believe North Korea’s Lazarus Group is responsible for the theft of $31 million worth of cryptocurrency from CoinEx last week, the Record reports. Elliptic stated, “Elliptic analysis confirms that some of the funds stolen from CoinEx were sent to an address which was used by the Lazarus group to launder funds stolen from Stake.com, albeit on a different blockchain.... Elliptic has observed this mixing of funds from separate hacks before from Lazarus, most recently when funds stolen from Stake.com overlapped with funds stolen from Atomic Wallet.”
Python NodeStealer takes browser credentials.
Netskope describes a campaign that’s using Python scripts to steal Facebook business account credentials, along with all available cookies and credentials stored by the browser. The malware is a new version of NodeStealer, distributed via Facebook Messenger: “The new NodeStealer variant we detected was hosted on the Facebook CDN and was sent to victims as an attachment in Facebook messages. Images of defective products were used as bait to convince owners or admins of Facebook business pages to download the malware payload. Unlike previous NodeStealer campaigns, this one uses a batch file instead of an executable as the initial payload.”
MetaStealer targets businesses.
SentinelOne has published an analysis of MetaStealer, a malware family designed to target macOS. The malware is distributed via social engineering with business-themed lures: “This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software.” Once installed, the malware attempts to exfiltrate data, particularly passwords saved in the keychain.
3AM is fallback malware.
The Symantec Threat Hunter Team, part of Broadcom, describes a new ransomware family called “3AM.” So far, the ransomware “has only been used in a limited fashion,” and Symantec’s researchers have “seen it used in a single attack by a ransomware affiliate that attempted to deploy LockBit on a target’s network and then switched to 3AM when LockBit was blocked.” In this attack, Symantec notes, “The use of 3AM was only partially successful. The attackers only managed to deploy it to three machines on the organization's network and it was blocked on two of those three computers.” The researchers add, however, that “the fact that 3AM was used as a fallback by a LockBit affiliate suggests that it may be of interest to attackers and could be seen again in the future.”
Access broker's phishing facilitates ransomware.
A Microsoft report outlines a criminal access broker that sends phishing lures through Microsoft Teams messages. The threat actor, which Microsoft tracks as “Storm-0324,” distributes a variety of malware strains, but primarily focuses on delivering JSSLoader before handing over access to the Sangria Tempest ransomware actor (also known as “FIN7”). Microsoft explains, “Storm-0324’s email themes typically reference invoices and payments, mimicking services such as DocuSign, Quickbooks, and others. Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload.”
Storm-0324 is financially motivated and straightforwardly criminal, but its attack methods show considerable sophistication. “The actor’s email chains are highly evasive, making use of traffic distribution systems (TDS) like BlackTDS and Keitaro, which provide identification and filtering capabilities to tailor user traffic. This filtering capability allows attackers to evade detection by certain IP ranges that might be security solutions, like malware sandboxes, while also successfully redirecting victims to their malicious download site.”