An updated piece of information-stealing malware is being used against targets in Ukraine by the Nodaria spy organization, also known as UAC-0056. The malware was created in Go and is intended to gather a variety of data from the infected computer, including screenshots, files, system information, and login passwords.
The two-stage threat known as graphiron consists of a downloader and a payload. The downloader has the addresses of command-and-control (C&C) servers hardcoded in. It will look for active processes when it is executed and compare them to a blacklist of malware analysis tools.
If no processes on the blacklist are discovered, this will connect to a C&C server, download the payload, and then decrypt it before adding it to autorun. The downloader is set up to run only once. It won't try again or send a signal if it is unable to download and run the payload.
Graphiron shares several characteristics with earlier Nodaria tools like GraphSteel and GrimPlant. Advanced features allow it to execute shell commands, gather system data, files, login passwords, screenshots, and SSH keys. Further, it uses port 443 to communicate with the C2 server, and all communications are encrypted using an AES cipher.
Attacks against Georgia and Kyrgyzstan have been carried out by Nodaria since at least March 2021. The recognized tools used by the group include WhisperGate, Elephant Dropper and Downloader, SaintBot downloader, OutSteel information stealer, GrimPlant, and GraphSteel information stealer.
The Threat Response Unit (TRU) of eSentire has been monitoring one of the most effective and covert malware families, Golden Chickens, for the past 16 months. The malware of choice for FIN6 and Cobalt, two of the most established and prosperous online crime organizations in Russia, who have collectively stolen an estimated $1.5 billion US, is Golden Chickens.
The creator of a comprehensive toolkit that includes SKID, VenomKit, and Taurus Loader is Golden Chickens, widely known as VENOM SPIDER. Since at least 2012, the adversary has participated actively in Russian underground forums under the alias 'badbullzvenom,' where they have developed tools for exploiting vulnerabilities as well as for getting and retaining access to victim machines and ticketing services.
Yanluowang ransomware Gang has published Cisco Systems' stolen data on the dark web and following the data leak, Cisco confirmed that the data was stolen from its network during an intrusion that took place in May.
Cisco Security Incident Response (CSIRT) conducted an investigation wherein it was found that the attackers acquired control of a personal Google account that had the credentials saved in the browser. The threat actors compromised these credentials to launch voice phishing attacks. The idea behind the attacks was to lure the targeted employee into accepting the MFA notification.
Cisco revealed in a report published in August that the firm's networks had been infiltrated by the Yanluowang ransomware after hackers gained access to an employee's VPN account. The company further asserted that the only information taken was employee login information from Active Directory and non-sensitive files saved in a Box account.
Once the threat actors obtained the employee's Cisco credentials, the hackers employed social engineering and other techniques to get beyond multi-factor authentication (MFA) and gather more data.
After gaining initial access, the hackers registered a list of new devices for MFA, authenticated effectively to the Cisco VPN, and dropped multiple tools in the victim network including RATs such as LogMeIn, TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket, as per Security Affairs.
Over the weekend, Cisco said in an update that "the content of these files matched what we have detected and released. We continue to see no effect on the business, including Cisco goods or services, confidential customer data or sensitive employee data, copyrights, or supply chain activities, which is consistent with our previous examination of this incident."
The researchers at the cybersecurity firm eSentire linked Yanluowang with "Evil Corp" (UNC2165), the Lapsus$ gang, and FiveHands malware (UNC2447).
The hacked Google account of an employee that had enabled password synchronization through Google Chrome and saved their Cisco details in the browser allowed the thieves to initially access the Cisco VPN.
The leader of Yanluowang ransomware told BleepingComputer that they had stolen thousands of files totaling 55GB from a cache that contained sensitive information including technical schematics and source code. The hacker did not offer any evidence. The only thing they provided was a screenshot showing access to what seemed like a development system.
Erich Kron, security awareness advocate at security awareness training company KnowBe4 implies that it goes unsaid that Cisco decided against paying the ransom demanded by the ransomware group, which resulted in the stolen data being posted.
As part of the cybercrime gang's illegal surveillance and data theft operations, Microsoft claims to have banned accounts used by the Seaborgium troupe, which has ties to Russia, to spam and exploit login information.
In order to identify employees who work for the victims, the hackers exploited bogus LinkedIn profiles, email, OneDrive, and other Microsoft cloud services accounts.
Microsoft is keeping tabs on the cluster of espionage-related activities under the chemical element-themed moniker SEABORGIUM, which it claims is associated with a hacker organization also known as Callisto, COLDRIVER, and TA446.
Coldriver, alias Seaborgium, was accused of running a hack-and-leak campaign resulting in the publication of documents that were purportedly obtained from high-ranking Brexit supporters, including Richard Dearlove, a former British agent.
Targets &Tactics
Microsoft reported that it had seen "only very modest changes in their social engineering tactics and in how they deliver the initial malicious URL to their targets."
The main targets are think tanks, higher education institutions, non-governmental and intergovernmental organizations (IGOs), defense and intelligence consulting firms, and to a lesser extent, nations in the Baltics, Nordics, and Eastern Europe.
Former secret services, Russian affairs experts, and Russian nationals living abroad are further subjects of interest. It is estimated that more than 30 businesses and individual accounts were infected.
The process begins with the reconnaissance of potential targets using fictitious personas made on social media sites like LinkedIn, and then contact is established with them through neutral email messages sent from recently registered accounts that have been set up to match the names of the fictitious subjects.
If the target falls prey to the malicious code tactic, hackers launch the attack sequence by sending a weaponized message that contains a PDF document that has been compromised or a link to a file stored on OneDrive.
According to Microsoft, "SEABORGIUM also abuses OneDrive to host PDF files that contain a link to the malicious URL. Since the start of 2022, The actors have included a OneDrive link in the email body that, when clicked, takes the subscriber to a PDF file held within a SEABORGIUM-controlled OneDrive account."
Additionally, it has been discovered that the adversary conceals its operational network using open redirects which appear to be innocent to drive visitors to the malicious server, which then asks them to input their credentials in order to view the material.
The last stage of the attack involves leveraging the victim's email accounts with the stolen login information, exploiting the illegal logins to exfiltrate emails and attachments, setting up email forwarding rules to assure ongoing data gathering, and executing other key work.
Caution
According to Redmond, "SEABORGIUM has been spotted in a number of instances employing their impersonation accounts to encourage dialog with certain people of interest and, as a result, were involved in conversations, sometimes unintentionally, involving several users."
The enterprise security firm Proofpoint noted the group's propensity for reconnaissance and skilled impersonation for the delivery of malicious links. Proofpoint records the actor under the moniker TA446.
As per Microsoft, there are steps that may be taken to counter Seaborgium's strategies. This entails turning off email auto-forwarding and configuring Office 365 email settings to stop fake emails, spam, and emails containing viruses.
The security team also suggests utilizing more secure MFA techniques, such as FIDO tokens or authenticator tools with number matching, in place of telephony-based MFA and demanding multi-factor authentication (MFA) for all users from all locations, even those that are trusted.