Malware Activity
Threat Actors Are Taking Advantage of ChatGPT's Popularity to Spread Windows and Android Malware
Threat actors have been observed spreading malware through ChatGPT-based phishing campaigns as the platform's popularity continues to rise. ChatGPT, a natural language processing chatbot that interacts with users' prompts to provide responses in a human-like text structure, was launched by OpenAI in November 2022 and had over 100 million users by January 2023. Though the platform has been widely used for legitimate purposes, researchers have identified various cases of ChatGPT-based lures and fraudulent phishing websites that focus on distributing malware and exfiltrating victims' credit card information. Some of these websites have been promoted through additional fraudulent sites impersonating OpenAI's social media page. Researchers detailed that one of the observed posts contained a link that leads victims to a typosquatted domain that disguises itself as the official ChatGPT website and promotes "ChatGPT for PC". This domain leads to a fraudulent OpenAI website that has a "Download for Windows" button that, when clicked, downloads a compressed file that contains Windows stealer malware. Several other stealer malware strains, including "Lumma Stealer" and "Aurora Stealer", as well as clipper malware were identified to be distributed by the phishing sites. Fake payment sites were also observed by researchers. Approximately fifty (50) malicious applications have been confirmed, as of February 22, 2023, capitalizing on the platform's icon and name to appear legitimate. Several malware families are involved in the malicious applications, such as adware, spyware, billing fraud, and more. Technical details regarding specific Android applications and phishing pages as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Threat Actor Activity
Threat Profile: Clasiopa
Threat actors from a newly discovered threat organization, tracked as Clasiopa, have been targeting research laboratories throughout Asia. Little is known about this threat group, however, recent activity hints at threat actors utilizing brute force methods on public-facing infrastructure as their intrusion method. Additional tactics and techniques of Clasiopa includes checking IP addresses through a singular domain, attempting to disable anti-virus solutions, deployment of numerous malicious backdoors to gather file listings and exfiltrate data, and deletion of operating system event logs. Malicious programs often deployed in Clasiopa include a customized remote access trojan (RAT) dubbed "Atharvan", a modified "Lilith" RAT for remote command execution, a command-and-control (C2) tool called Thumbsender for file exfiltration, and customized proxy scripts. Clasiopa hasn't been officially tied to any one nation, however based on some of the malicious programs the group utilizes and an encrypted ZIP archive with the password "iloveindea1998^_^" suggests an Indian influence. Furthermore, the command-and-control (C2) nodes utilized within the malware point to servers hosted out of South Korea, an uncommon location for these types of servers to communicate to. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
CISA Adds Critical RCE IBM Vulnerability to the KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added an actively exploited critical IBM vulnerability to its known exploited vulnerabilities (KEV) catalog. The flaw, which was patched on January 18, 2023, is tracked as CVE-2022-47986 and affects the IBM Aspera Faspex file transfer tool. Aspera is extremely popular with large enterprises and organizations for transferring large datasets, like "genomics and biomedical research, media production, military signals intelligence, or financial services." In 2014, Aspera won an Emmy award for its work in the media production industry, enabling a boost in industry-wide workflows due to its ability to quickly transfer large media files. This vulnerability exploits an obsolete API call only present in Aspera Faspex versions 4.4.1 and earlier. A threat actor could make a maliciously crafted API call to a vulnerable instance of Faspex, which allows for remote code execution (RCE). This flaw received a CVSS score of 9.8/10 due to its active exploitation, as well as the low complexity of the exploit, coupled with the fact that attackers do not have to authenticate themselves prior to gaining initial access. At this time, Shodan searches indicate that more than 100 IBM Aspera Faspex servers are internet-exposed and may be vulnerable to exploitation. This vulnerability's presence on the CISA KEV mandates that all federal civilian executive branch (FCEB) agencies patch the flaw no later than March 14, 2023, or face financial penalties. This is not the first file transfer tool exploited to wreak havoc against major corporations. Just last week, the Russian-speaking ransomware-as-a-service (RaaS) group Clop claimed responsibility for exploiting the GoAnywhere MFT file-transfer tool, impacting one of the largest healthcare providers in the U.S., affecting more than 1 million patients and employees. CTIX analysts recommend that all organizations who depend on the IBM Aspera Faspex tool, immediately patch this vulnerability by updating their software to the most recent secure version.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.