While not particularly sophisticated, this malware is designed to collect various pieces of data from infected devices, data that can serve as a foundation for further attacks.
The investigation into the infostealer began when FortiGuard Labs researchers noticed an archive file named “Табель учета рабочего времени.zip” (English translation: “time sheet”). The zip file contained two files that were immediately identified as “up to no good.”
Both files carry a double extension (a document-related extension followed by .exe). One of them is "CMK равила oормлени олнин листов.pdf.exe," an executable rather than a document, whose name translates to "QMS Rules for issuing sick leave." Its SHA-256 hash is f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.
The ThirdEye infostealer has comparatively simple functionality. It collects a variety of system information from compromised machines, such as BIOS and hardware data, and it also enumerates running processes, folders and files, and network data. Once run, the malware gathers all of this information and sends it to its command-and-control (C2) server, located at hxxp://shlalala[.]ru/general/ch3ckState. Compared to other infostealers, it does nothing else.
An interesting string unique to the ThirdEye infostealer family is “3rd_eye”, which the malware decrypts and combines with another hash value to identify itself to the C2.
The second file in the archive is “Табель учета рабочего времени.xls.exe”, which shares the name of the archive containing it. This file is a variant of the ThirdEye infostealer that performs the same functions as the sample with SHA-256 f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494.
While there is no substantial evidence confirming that ThirdEye has been used in attacks, the malware is nevertheless built to steal valuable information from compromised machines, giving its operators a better understanding of potential targets and letting them narrow those targets down further. Moreover, it is speculated that the infostealer's victims will be subject to future cyberattacks.
Although ThirdEye is not yet regarded as a severe threat, the FortiGuard investigation found that the threat actors behind it have put effort into strengthening it: recent samples collect more system information than older variants, and further improvements are anticipated.
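The write-up above gives three concrete things a defender can hunt for: the double-extension filenames, the SHA-256 of the first sample, and the C2 URL. The following Python example, added here and not part of the FortiGuard research, turns those indicators into checks that run over an archive listing and a proxy log. The archive listing (apart from the .xls.exe name quoted above), the proxy log lines and the hostnames in them are constructed sample data; the extension lists and the `refang` helper are assumptions about how such a check would reasonably be written.

```python
"""Hunting for the ThirdEye indicators described above (added example, not vendor code)."""
import hashlib
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above.
THIRDEYE_SHA256 = "f6e6d44137cb5fcee20bcde0a162768dadbb84a09cc680732d9e23ccd2e79494"
THIRDEYE_C2_DEFANGED = "hxxp://shlalala[.]ru/general/ch3ckState"

# Assumed extension sets: a "document" extension immediately followed by an
# executable one is the lure pattern used by both files in the archive.
DOCUMENT_EXTS = {"pdf", "xls", "xlsx", "doc", "docx", "rtf", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

# Constructed sample inputs. The first archive entry is the name quoted in the
# article; the rest of the listing and every proxy log line are made up here.
ARCHIVE_LISTING = [
    "Табель учета рабочего времени.xls.exe",
    "Табель учета рабочего времени.xls",
    "readme.txt",
]
PROXY_LOG = [
    "2023-06-20T10:02:11 ws-17 GET http://example.com/index.html 200",
    "2023-06-20T10:02:15 ws-17 POST http://shlalala.ru/general/ch3ckState 200",
    "2023-06-20T10:03:40 ws-22 GET http://shlalala.ru/other/path 404",
    "2023-06-20T10:04:02 ws-09 GET http://example.org/update.json 200",
]


def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into a string urlparse understands."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def has_double_extension(filename):
    """True when a document-looking extension is directly followed by an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in EXECUTABLE_EXTS


def scan_archive(names):
    """Return the archive entries whose names use the double-extension lure."""
    return [name for name in names if has_double_extension(name)]


def matches_known_hash(data):
    """Compare a file's bytes against the sample hash quoted above."""
    return hashlib.sha256(data).hexdigest() == THIRDEYE_SHA256


def c2_hits(proxy_lines):
    """Return proxy log lines that contacted the C2 hostname, whatever the path."""
    c2_host = urlparse(refang(THIRDEYE_C2_DEFANGED)).hostname
    hits = []
    for line in proxy_lines:
        match = re.search(r"\s(https?://\S+)", line)
        if match and urlparse(match.group(1)).hostname == c2_host:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("double-extension entries:", scan_archive(ARCHIVE_LISTING))
    for hit in c2_hits(PROXY_LOG):
        print("C2 contact:", hit)
```

Matching on the C2 hostname rather than the full URL is deliberate: any contact with that host is worth an alert, and a path-only match would miss the same infrastructure being reused with a different endpoint.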
Research by Fortinet reveals that more than 90% of cybersecurity experts agree that the surging frequency of cyberattacks could be reduced if organizations focused on increasing their employees' cybersecurity awareness.
The report emphasizes the critical role of employees as an organization's first line of defense against cybercrime, as it becomes more common for businesses to confront cyber threat incidents.
The report further revealed that 81% of the organizations surveyed confirmed that they had experienced at least one cyber incident, be it malware, phishing or a password breach, over the course of the last year. Most of the attacks were primarily targeted at the organizations' employees, who have access to the firm's systems. This emphasizes how a company's employees can be either its weakest link or one of its strongest defenses.
Nearly 85% of organization leaders claim that their organization provides an adequate security awareness and training program to its employees. However, 50% believe that, despite these training programs, their employees still lack proper cybersecurity knowledge.
This discrepancy suggests that existing training programs may not be as successful as they could be, leading to inconsistent use of appropriate cyber hygiene measures by staff, or that the instruction may not be effectively reinforced.
Given that many of these cyber-attacks are targeted at users, it is likely that boards already recognize, or soon will, that employee cybersecurity awareness is an essential component of the "defense equation". 93% of businesses said their board of directors often questions them about their cybersecurity and strategy.
John Maddison, EVP of Products and CMO at Fortinet, says, “Our 2023 Security Awareness and Training Global Research Brief underscores the crucial role employees play in preventing cyberattacks. It also highlights the critical need for organizations to prioritize security awareness and training services to ensure employees serve as the first line of defense.”
One of the best ways an organization can avoid cybersecurity incidents is to run a better training program, laying the groundwork for a culture of cybersecurity that is ready and strong. This way, employees gain better cyber-risk awareness and are further encouraged to defend their organization whenever the situation calls for it.
Organizations know that they require sophisticated cybersecurity solutions and that technical certifications improve their IT employees' cybersecurity skills. Employee awareness may not have received the full attention it deserves up to this point, but it may become crucial in the coming years in the fight against cybercrime.
Initial evidence collected by Google-owned security firm Mandiant suggests that the exploitation occurred in October 2022, nearly two months before the vulnerability was patched. Targets included a government entity in Europe and a managed services provider in Africa.
According to a report published by Mandiant, the malware appears to have been created by a China-based threat actor that conducts cyber-espionage operations against individuals and groups associated with the government.
It is the latest instance of attackers from that country targeting internet-facing firewalls, IPS, IDS and other technologies that businesses use to secure their networks.
The attacks involved the use of a sophisticated backdoor known as BOLDMOVE, a Linux variant created especially to run on Fortinet's FortiGate firewalls.
The intrusion vector in question is the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw in FortiOS SSL-VPN that could allow for unauthenticated remote code execution through carefully constructed requests.
Earlier this month, Fortinet revealed that unidentified hacking groups had exploited the flaw to attack governments and other large institutions with a generic Linux implant capable of delivering additional payloads and executing commands from a remote server.
Mandiant findings also indicate that the hackers managed to exploit the zero-day vulnerability to their advantage, accessing target networks for espionage operations. "With BOLDMOVE, the attackers not only developed an exploit, but malware that shows an in-depth understanding of systems, services, logging, and undocumented proprietary formats," Mandiant added.
The BOLDMOVE backdoor, written in C, is apparently available in both Windows and Linux versions, with the latter able to read data from a Fortinet-specific file format.
Moreover, according to Fortinet's report, an extended Linux sample includes a feature that allows attackers to disable and manipulate logging in order to evade detection. Although no copies of the Windows backdoor have been found in the wild, metadata analysis of the Windows variants reveals that they were created as early as 2021.
"The exploitation of zero-day vulnerabilities in networking devices, followed by the installation of custom implants, is consistent with previous Chinese exploitation of networking devices," Mandiant noted.
Meanwhile, Fortinet itself described the malware as a variant of a “generic” Linux backdoor adapted by threat actors for FortiOS. According to the company's analysis, on affected systems the malicious file may have disguised itself as part of Fortinet's IPS engine.
According to Fortinet, one of the malware's more advanced features is manipulating FortiOS logging to avoid detection. The malware can search FortiOS for event logs, decompress them in memory, search for and delete a specific string, and then reconstruct the logs. It can also completely disable logging processes.
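An implant that rewrites or silences a device's own logs defeats any detection that relies on reading those logs back from the device. The defensive counter is to ship events off-box as they are produced and treat the collector's copy as the reference. The Python example below, added here and not part of Fortinet's or Mandiant's analysis, shows two checks an analyst can run against such a reference copy: a hash chain that reveals whether a locally retrieved copy still matches what the collector received (and which records were removed), and a silence check that flags stretches with no events at all, the symptom of logging having been disabled. The log records, their generic "timestamp message" shape, the hostnames and the 30-minute silence threshold are all constructed for this example and do not reflect FortiOS's real log format.

```python
"""Detecting deleted log records and silenced logging from an off-box copy (added example)."""
import hashlib
from datetime import datetime, timedelta

GENESIS = "0" * 64  # chain anchor for an empty log

# Constructed sample records in a generic "timestamp message" shape, not any
# vendor's real format. COLLECTOR_COPY is what the remote collector received;
# LOCAL_COPY is what is later read back from the device, with one record gone.
COLLECTOR_COPY = [
    "2022-10-12T09:00:01 sslvpn login user=alice src=198.51.100.7 result=success",
    "2022-10-12T09:00:30 sslvpn login user=bob src=198.51.100.9 result=success",
    "2022-10-12T09:01:02 sslvpn request src=203.0.113.5 result=error reason=malformed",
    "2022-10-12T09:01:40 admin config change user=admin object=log-settings",
    "2022-10-12T11:30:00 sslvpn logout user=alice",
    "2022-10-12T11:30:20 sslvpn logout user=bob",
]
LOCAL_COPY = [rec for rec in COLLECTOR_COPY if "203.0.113.5" not in rec]


def chain_digest(prev_digest, record):
    """Link one record to the digest of everything before it."""
    return hashlib.sha256((prev_digest + "\n" + record).encode("utf-8")).hexdigest()


def chain_head(records):
    """Digest of the whole sequence; any removal or edit changes it."""
    head = GENESIS
    for rec in records:
        head = chain_digest(head, rec)
    return head


def copy_matches_collector(local_records, collector_records):
    """True only if the local copy is byte-for-byte the same sequence the collector holds."""
    return chain_head(local_records) == chain_head(collector_records)


def missing_locally(local_records, collector_records):
    """Records the collector received that no longer appear on the device."""
    present = set(local_records)
    return [rec for rec in collector_records if rec not in present]


def parse_ts(record):
    """Timestamp is the first whitespace-separated field in this constructed format."""
    return datetime.fromisoformat(record.split(" ", 1)[0])


def silence_gaps(records, max_silence):
    """Consecutive records further apart than max_silence, a sign logging was stopped."""
    gaps = []
    for earlier, later in zip(records, records[1:]):
        delta = parse_ts(later) - parse_ts(earlier)
        if delta > max_silence:
            gaps.append((earlier, later, delta))
    return gaps


def audit(local_records, collector_records, max_silence=timedelta(minutes=30)):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not copy_matches_collector(local_records, collector_records):
        findings.append("local log copy diverges from collector copy")
        for rec in missing_locally(local_records, collector_records):
            findings.append("record missing locally: " + rec)
    for earlier, later, delta in silence_gaps(collector_records, max_silence):
        findings.append(f"no events for {delta} between '{earlier}' and '{later}'")
    return findings


if __name__ == "__main__":
    for finding in audit(LOCAL_COPY, COLLECTOR_COPY):
        print(finding)
```

The silence check is run over the collector's copy on purpose: a device whose logger has been turned off simply stops sending, so the gap is only visible from the collector's side. The threshold has to be tuned to how chatty the device normally is; on a busy VPN gateway a few minutes of silence is already unusual.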
"The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," says Fortinet.
Fortinet adds that designing the malware would have required the threat actors to have a “deep understanding” of FortiOS and its underlying hardware. "The use of custom implants shows that the actor has advanced capabilities, including reverse-engineering various parts of FortiOS," the vendor said.