Search This Blog

Showing posts with label Cyber Espionage Campaign. Show all posts

Iranian Attackers are Employing a New DNS Hijacking Malware to Target Organizations

 

The Iran-linked Lycaeum cyber espionage group, also known as Hexane or Spilrin, group is employing a new .NET-based DNS backdoor to target firms in the energy and telecommunication sectors.

Lyceum has previously targeted communication service vendors in the Middle East via DNS-tunneling backdoors. 

According to analytics from Zscaler ThreatLabz researchers, the backdoor is based on a DIG.net open-source tool to launch "DNS hijacking" assaults – DNS query manipulation to redirect users to malicious clones of authentic sites – implement commands, drop payloads, and exfiltrate data. 

 Employs Word doc 

The hackers target organizations via macro-laced Microsoft Documents downloaded from a domain named "news-spot[.]live," impersonating a legitimate site. The document is masked as a news report with an Iran Military affairs topic. 

When a victim downloads the file from this site, it asks to enable the macro to view the content. After enabling macros, the DnsSystem.exe backdoor is the DNS backdoor is dropped directly onto the Startup folder for establishing persistence between reboots. 

"The threat actors have customized and appended code that allows them to perform DNS queries for various records onto the custom DNS Server, parse the response of the query to execute system commands remotely, and upload/download files from the Command & Control server by leveraging the DNS protocol." - Zscaler researchers Niraj Shivtarkar and Avinash Kumar explained in a report published last week.

Initially, the malware sets up the DNS hijacking server by securing the IP address of the "cyberclub[.]one" domain and generates an MD5 based on the victim's username to serve as a unique victim ID. Additionally, the malware is well trained to upload and download arbitrary files to and from the remote server as well as implement malicious system commands remotely on the exploited server.

 Evolution of Lyceum 

The Lyceum APT group was first spotted at the beginning of August 2019 attempting to secure access to the organization’s systems via password spraying or brute-force attacks. 

Lyceum primarily focuses on cyber espionage, and this new stealthy and potent backdoor is evidence of its evolution in the field. The Iranian group is expected to continue participating in these data theft campaigns that often include multiple hacking groups from the country. 

"APT threat actors are continuously evolving their tactics and malware to successfully carry out attacks against their targets," the researchers stated. "Attackers continuously embrace new anti-analysis tricks to evade security solutions; re-packaging of malware makes the static analysis even more challenging."

European Organizations Targeted by 'Mustang Panda’ Hacking Group

 

Cybersecurity researchers have unearthed a new campaign by advanced persistent threat (APT) group Mustang Panda targeting European and Russian organizations using topical spear-phishing lures linked to the war in Ukraine. 

Mustang Panda, also known as RedDelta, Bronze President, or TA416 has been active since at least 2012 and over the years has targeted entities in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic organizations, non-governmental organizations (NGOs), religious organizations, telecommunication firms, and political activists.

"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report published this week. 

The hacking group is known for designing its phishing lures based on current scenarios that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. The attacks observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions regarding the security situation in Europe both before and after Russia's invasion of Ukraine. 

Mustang Panda modus operandi 

The PlugX RAT, also known as KorPlug, continues to remain the Mustang Panda's preferred spying tool. is Mustang Panda’s malware of choice. The threat actor has used multiple variants of it for several years, together with other threat actors originating from China. 

Recent attack campaigns spotted this year have primarily phishing messages containing malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto infected devices. 

A similar technique is also used to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan. 

The researchers also spotted Mustang Panda distributing a malicious file containing PlugX with a Russian name referencing the Blagoveshchensk Border Guard Detachment. But similar attacks identified towards the end of March 2022 show that the actors are upgrading their tactics by minimizing the remote URLs used to obtain different components of the infection chain. 

Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft. 

"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers added.

Taiwanese Government Suffers 5 Million Cyber Attacks Per Day

 

The Taiwanese government faces Five Million cyberattacks per day. Nearly half of them are believed to be originated from China. 

Cyber security department director Chien Hung-Wei told parliament representatives on Wednesday that government infrastructure faces “five million attacks and scans a day”. Security experts are working tirelessly to strengthen defensive measures and collect relevant data for examination in a bid to stop the assaults.

Taiwan’s defence ministry warns of an increase in the attacks carried by China-linked actors against its systems. The ministry accused China of ramping up since the 2016 election of President Tsai Ing-wen, who always claimed the independence of the island from Beijing. On the other end, Beijing considers the island as part of its own territory and does not exclude its military occupation in the future. 

According to the report shared by Taiwan’s defence ministry, the ministry of information security and protection centre handled around 1.4 billion “anomalies” from 2019 to August 2021 to prevent potential hacking. Last year in August 2020, Chinese attackers secured access to around 6,000 email accounts belonging to at least 10 Taiwan government agencies. 

Since 2018, the China-linked cyber espionage groups tracked as Blacktech and Taidoor have been targeting government agencies and information service providers. All these cyber assaults are part of a cyber espionage campaign, Taiwan Bureau Cyber Security Investigation Office reported. The Chinese government has increased diplomatic and economic pressure on Taiwan over the years, it also showed the muscles increasing military drills near the country in recent weeks. 

Many defence experts believe that the Chinese cyber warfare department is at least a decade ahead in terms of cyber capabilities and is aiming towards the goal of instantly disrupting or at least weakening the enemy’s computer networks so as to paralyze their decision-making capability at the very commencement of hostilities.

According to a paper titled China’s Cyber Warfare Capability and India’s Concerns, published in the Journal of Defence Studies, the author revealed that Chinese government is training its military personnel in Information Warfare. In 2013, a security firm Mandiant published a detailed report attributing a Chinese Military Unit to cyber espionage. This was perhaps the first time that such technical evidence and analysis linking activities to a government entity had been made public.

Experts Find Kurdish Espionage Campaign Active on Facebook

 

Experts at ESET have probed a targeted espionage mobile campaign towards the Kurdish ethnic group, the campaign is in action since March 2020, disseminating (through dedicated FB accounts) two android backdoors named as SpyNote and 888 RAT, appearing to be genuine apps. The profiles were found presenting android news in Kurdish and news for pro Kurds. Few profiles intentionally sent additional monitoring apps to FB groups (public) with content in Kurd's support. Data downloaded from a website hints that around 1,481 URL downloads were promoted through FB posts.

Live Security said "we identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links to download an app, and we were able to download 17 unique APKs from these links."The latest Android 888 Rat was used by the BladeHawk and Kasablanka groups. Both the groups used false names to call out the same Android Rat- Gaza007 and LodaRat respectively. 

The espionage campaign in this article is directly linked to two cases (publicly disclosed) that surfaced in 2020. QiAnXin Threat Intelligence center identified the hacking group behind the BladeHawk campaign, which it has adopted. 

The 2 campaigns were spread through FB, via malware with built-in commercials, samples using the same C&C servers, and automated tools (SpyNote and 888 Rat). Experts found six FB profiles linked to the BladeHawk attack, distributing Android espionage. These were reported to FB and eventually taken down. 

Two FB profiles targeted tech users and the other four disguised as Pro Kurds. The profiles were made in 2020 and soon after, started distributing the fake apps. Except for one account, none of the other profiles have posted any content except Android Rat posing to be genuine applications.

"These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers," reports Live Security.

Chinese Military Unit Linked to Cyber Espionage Campaign Targeting India

 

Recorded Future, a US security firm, revealed a cyber espionage campaign linked to a suspected Chinese state-sponsored threat activity group, named RedFoxtrot. Recorded Future's threat research arm Insikt Group, discovered evidence dating back to 2014 that interconnects RedFoxtrot and Chinese military-intelligence apparatus, the People's Liberation Army (PLA) Unit 69010. 

Before restructuring in 2015, PLA’s cyber-attack unit 69010 was known as the Lanzhou Military Region’s Second Technical Reconnaissance Bureau, and now it has been incorporated into the Network Systems Department of the PLA’s Strategic Support Force (SSF). According to a report published by Recorded Future’s Insikt Group, cybersecurity experts have detected intrusions targeting aerospace, defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan.

“Notable RedFoxtrot victims over the past 6 months include multiple Indian aerospace and defense contractors; telecommunications companies in Afghanistan, India, Kazakhstan, and Pakistan; and several national and state institutions in the region. Activity over this [past six-month] period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC,” analysts explained.

According to the research team, for its attacks, the RedFoxtrot group employs both bespoke and publicly available malware families, including IceFog, ShadowPad, Royal Road, PCShare, PlugX, and web server infrastructure to host and deliver payloads and to collect stolen information. Some of the group’s past campaigns have been previously documented by other security firms under different names in something that has become a common sight in modern-day threat hunting.

“The recent activity of the People's Liberation Army has largely been a black box for the intelligence community. Being able to provide this rare end-to-end glimpse into PLA activity and Chinese military tactics and motivations provides invaluable insight into the global threat landscape. The persistent and pervasive monitoring and collection of intelligence is crucial in order to disrupt adversaries and inform an organization or government's security posture", Christopher Ahlberg, CEO, and Co-Founder of Recorded Future, stated.

Recorded Future researchers were successful in making connections inside this nebula of Chinese state-sponsored hacking activity to RedFoxtrot (and subsequently to PLA Unit 69010) due to lax operational security (OpSec) measures of one of its members. 

“Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy located in Wuhan,” the researchers further stated.