Executive Summary
The Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Wrap-Up is a collection of high-level cyber intelligence summaries pertaining to current or emerging cyber events in September 2024, originally published in CTIX FLASH Updates throughout September. This publication includes malware threats, threat actor activity, and newly identified vulnerabilities impacting a wide range of industries and victims. The CTIX FLASH Update is a semi-weekly newsletter that provides a timely snapshot of cyber events, geared toward cyber professionals and end users with varying levels of technical knowledge. The events published in the FLASH typically occurred close in time to publication of the report.
To stay up to date on the latest cyber threat activity, sign up for our weekly newsletter: the Ankura CTIX FLASH Update.
MALWARE ACTIVITY
Cicada3301 Ransomware: An Evolution of BlackCat?
Reported in the September 4th, 2024, FLASH Update
- Cicada3301 ransomware is attacking companies in North America and Europe with a sophisticated form of ransomware resembling BlackCat. Cicada3301 is a ransomware-as-a-service (RaaS) operation that emerged in June 2024, shortly after the ALPHV/BlackCat ransomware group performed an exit scam in March 2024, keeping a $22 million ransom payment owed to one of its affiliates. Cybersecurity researchers believe that Cicada3301 may be an offshoot of the BlackCat group based on the similarities in techniques between the two (2) threat actors. Both forms of ransomware are written in Rust, use the same encryption algorithm, perform identical virtual machine (VM) shutdown and snapshot-wiping commands, use intermittent encryption on larger files, and share the same file naming convention and ransom note decryption method. Cicada3301's ransomware includes both Windows and Linux/VMware ESXi encryptors. Cicada3301 is also distinguished from BlackCat's ransomware in several ways: its encryption process is more customizable, it takes stolen credentials supplied at runtime and feeds them into psexec for privilege escalation and lateral movement, and it is deployed alongside the EDR-bypassing tool "EDRSandBlast". In addition, the threat actors behind Cicada3301 have been improving obfuscation so that the malware evades detection by antivirus and security products. Similar to BlackCat, Cicada3301 ransomware appends a random seven-character extension to encrypted files on victim machines and leaves a ransom note named "RECOVER-[extension]-DATA.txt". According to Cicada3301's leak site, the group has compromised 21 companies in the past few months. The threat group's victims have been concentrated in North America and Europe, and the majority have been small businesses. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
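The note and extension naming convention described above is enough to build a quick incident-response triage check. The script below is an added example, not Ankura's or any researcher's tooling: given a mount point, it finds every "RECOVER-<ext>-DATA.txt" note, learns the seven-character extension from the note name, and counts the files that carry that extension, which tells a responder how far encryption got on each share. The alphanumeric character class for the extension and the directory tree it scans are assumptions constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter

# From the write-up: note named RECOVER-<ext>-DATA.txt, extension is seven random characters.
# The alphanumeric character class is an assumption.
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-DATA\.txt$")


def find_ransom_notes(root):
    """Map each extension named in a ransom note to the paths of the notes that mention it."""
    notes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes.setdefault(m.group(1), []).append(os.path.join(dirpath, name))
    return notes


def count_encrypted(root, extensions):
    """Count files whose final extension is one learned from a ransom note."""
    counts = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            _stem, dot, ext = name.rpartition(".")
            if dot and ext in extensions:
                counts[ext] += 1
    return counts


def triage(root):
    """Per extension: how many notes were dropped and how many files carry that extension."""
    notes = find_ransom_notes(root)
    counts = count_encrypted(root, set(notes))
    return {ext: {"notes": len(paths), "encrypted_files": counts.get(ext, 0)}
            for ext, paths in notes.items()}


def build_sample_tree():
    """Constructed directory tree: one share encrypted, one untouched (empty files, no malware)."""
    root = tempfile.mkdtemp(prefix="cicada-demo-")
    hit, clean = os.path.join(root, "finance"), os.path.join(root, "hr")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("q3.xlsx.ab12cd9", "budget.docx.ab12cd9", "RECOVER-ab12cd9-DATA.txt"):
        open(os.path.join(hit, name), "w").close()
    for name in ("handbook.pdf", "notes.txt"):
        open(os.path.join(clean, name), "w").close()
    return root


if __name__ == "__main__":
    for ext, info in triage(build_sample_tree()).items():
        print(f".{ext}: {info['notes']} ransom note(s), {info['encrypted_files']} encrypted file(s)")
```

Run it against the root of each affected share rather than a whole workstation image; the walk is read-only, so it is safe on a live system, but it should still be run from a clean host mounting the evidence if the encryptor may still be active.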
MacroPack Red Teaming Tool Abused by Threat Actors Globally
Reported in the September 6th, 2024, FLASH Update
- Researchers have discovered that MacroPack, an attacker emulation tool, is being abused by multiple cyber threat actors. MacroPack is a proprietary tool leveraged by red and purple teams to test prevention and detection mechanisms. Security researchers discovered its use for nefarious purposes by analyzing document submissions made to VirusTotal from around the globe. Submissions from the United States, China, Russia, and Pakistan indicate that MacroPack had been used to craft malicious VBA code delivered via Microsoft Office documents to spread final malware payloads such as Havoc, Brute Ratel, and PhantomCore. All of the documents analyzed contained VBA subroutines that indicate they had been created using MacroPack. Researchers believe that multiple different threat actors are behind these campaigns given the variation of lures and targets across the identified documents. MacroPack includes advanced features that threat actors can abuse, such as antimalware bypass techniques, code obfuscation, and VB scripts built to evade detection. Once a victim opens an infected document, the MacroPack-generated macro decodes a shellcode stage which then launches a DLL payload that connects to a command-and-control (C2) server. Final payloads observed include the post-exploitation C2 tools Havoc and Brute Ratel and the Remote Access Trojan (RAT) PhantomCore. Brute Ratel is a post-exploitation attack framework much like Cobalt Strike. CTIX analysts recommend that organizations utilize Endpoint Detection and Response (EDR) and Next-Generation Anti-Virus (NGAV) to prevent and detect these types of threats, and ensure the Indicators of Compromise (IOCs) related to these campaigns are blocked. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Lazarus Group Continues Campaign Against Developers and IT Professionals
Reported in the September 10th, 2024, FLASH Update
- Researchers at Group-IB have recently released a new report on ongoing and new threats posed by Lazarus Group's financially motivated campaign against job seekers. CTIX analysts discussed the emergence of this campaign in our April 30, 2024 FLASH. Since then, Lazarus has expanded its capabilities and introduced new malware targeting macOS to steal information and cryptocurrency from job seekers in the IT and software development fields. The campaign is rooted in a fictitious job posting and interview process that tricks seekers into downloading a "Node.js" project containing malware. Researchers have observed updated versions of the two main forms of malware used in this campaign, dubbed BeaverTail and InvisibleFerret. BeaverTail is a JavaScript- or Python-based infostealer with the ability to steal credentials stored in browsers and vaults as well as data from browser extensions and cryptocurrency wallets. InvisibleFerret is Python-based malware that acts as a backdoor, keylogger, and infostealer. Both forms of malware are under active development. The recent Python versions of BeaverTail are delivered via a simple JavaScript downloader and fetch a bundle of scripts called CivetQ that modularizes the malware's capabilities. Researchers have also noted that Lazarus has added job search platforms to the campaign in an apparent attempt to target professionals skilled in blockchain, a tactic likely introduced to increase the attackers' odds of infecting a victim who holds cryptocurrency on their machine. Platforms added beyond LinkedIn include WWR, Moonlight, and Upwork. Lazarus has also started using fraudulent video conferencing applications to spread the initial BeaverTail loader as an alternative infection vector to the fake "Node.js" project: researchers discovered a cloned website of a legitimate free conferencing application hosting the fake video conferencing application "FCCCall", with installers for both Windows and macOS. CTIX analysts urge individuals to remain vigilant online and to vet potential employers prior to engaging in the job interview process. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
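Developers handed a "take-home assignment" repository can review it before running `npm install`, since that is the moment a tampered project gets to execute code. The checker below is an added example and not Group-IB's, Ankura's, or any Lazarus tooling; it does not know BeaverTail's actual file layout. It flags the two things the write-up describes in generic form: lifecycle hooks that run during install, and JavaScript files containing loader-style constructs (eval, child_process, long encoded blobs, hard-coded IP URLs). The pattern list, the 200-character blob threshold and the sample project are all assumptions constructed for the demo.

```python
import json
import os
import re
import tempfile

# npm scripts that execute during `npm install` without the developer doing anything else.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristics for a JavaScript loader; thresholds are assumptions.
SUSPECT_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "hex_or_b64_blob": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "ip_url": re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"),
}


def check_package_json(path):
    """Return the install-time hooks declared in a package.json, if any."""
    with open(path, encoding="utf-8") as f:
        scripts = json.load(f).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def scan_js(path):
    """Return the names of suspect patterns present in one JavaScript file."""
    with open(path, encoding="utf-8", errors="replace") as f:
        src = f.read()
    return sorted(name for name, rx in SUSPECT_PATTERNS.items() if rx.search(src))


def review_project(root):
    """Walk the project (skipping node_modules) and collect findings keyed by relative path."""
    findings = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d != "node_modules"]
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == "package.json":
                hooks = check_package_json(full)
                if hooks:
                    findings[rel] = ["install_hook:" + k for k in hooks]
            elif name.endswith(".js"):
                hits = scan_js(full)
                if hits:
                    findings[rel] = hits
    return findings


def build_sample_project():
    """Constructed sample resembling a tampered assignment repo; the 'payload' is just 240 'A's."""
    root = tempfile.mkdtemp(prefix="assignment-")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "package.json"), "w") as f:
        json.dump({"name": "demo-task",
                   "scripts": {"test": "jest", "postinstall": "node src/config.js"}}, f)
    with open(os.path.join(root, "src", "config.js"), "w") as f:
        f.write("const cp = require('child_process');\n"
                f"const payload = '{'A' * 240}';\n"
                "eval(Buffer.from(payload, 'base64').toString());\n")
    with open(os.path.join(root, "src", "app.js"), "w") as f:
        f.write("module.exports = () => 'hello';\n")
    return root


if __name__ == "__main__":
    for rel, hits in review_project(build_sample_project()).items():
        print(f"{rel}: {', '.join(hits)}")
```

A clean result is not proof of safety (an obfuscated loader can avoid every pattern here), so the safer habit the write-up points to is to run any unsolicited project only inside a disposable VM or container with no wallet, browser profile or SSH keys on it.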
New Malware Tied to APT34 Targets the Iraqi Government
Reported in the September 13th, 2024, FLASH Update
- Researchers have discovered a new set of malware used in attacks against Iraqi entities, allegedly including the Prime Minister's Office and the Ministry of Foreign Affairs. The malware, dubbed "Veaty" and "Spearal", has ties to malware families used by APT34, a cyber group affiliated with the Iranian Ministry of Intelligence and Security and also known as "OilRig". The malware identified in the campaign is bespoke and, along with the techniques deployed, resembles custom backdoors such as "Karkoff" and "Saitama" previously associated with APT34. While the original infection pathway is unknown, the initial files used to kick off the campaign were likely delivered to victims through social engineering. These initial files use double extensions to appear legitimate; examples include "Avamer.pdf.exe" and "Protocol.pdf.exe". These files execute PowerShell or PyInstaller scripts to deploy the "Veaty" and "Spearal" payloads and configuration files, and maintain persistence by modifying the Windows registry under "\CurrentVersion\Run". "Spearal" is a .NET backdoor that uses DNS tunneling with a custom Base32 encoding scheme for command-and-control (C2) communication. "Spearal" can execute PowerShell commands, read file contents, retrieve data from the C2 server, and send data back to it. "Veaty" is also .NET-based and uses compromised email accounts in the victim organization for C2 communications. In the sample analyzed by researchers, the malware used email accounts at the gov-iq[.]net domain to receive commands. The malware can upload and download files, execute commands, and run scripts through specific mailboxes. Researchers also identified an XML configuration file capable of setting up an SSH tunnel, which the threat actor likely used as a third backdoor. The tactics, techniques, and procedures used in this campaign suggest that APT34/OilRig is responsible. The use of custom C2 mechanisms is notable among these newly identified backdoors. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
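Spearal's DNS tunneling is worth a detection example because the custom Base32 alphabet defeats signature matching, while the shape of the traffic does not change: one client sends many distinct, long, high-entropy subdomains under a single registered domain. The script below is an added example, not the researchers' or Ankura's code, and it does not know Spearal's encoding. It scores a resolver query log by (client, registered domain) on query count, unique-subdomain ratio, average label length and average label entropy. The log format, the thresholds, the two-label eTLD+1 assumption and the log lines themselves are constructed; the standard Base32 alphabet stands in for the unknown custom one.

```python
import math
import random
import re
from collections import defaultdict

# Assumed log format (constructed for this example): "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of a label; encoded payload labels sit far above hostnames like 'www'."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain labels, registered domain), assuming a two-label eTLD+1."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return [], ".".join(labels)
    return labels[:-2], ".".join(labels[-2:])


def score_queries(lines, min_queries=20, min_unique_ratio=0.9,
                  min_avg_label_len=20, min_entropy=3.5):
    """Group queries by (client, registered domain) and flag groups shaped like a data channel.

    All four thresholds are assumptions; tune them against the site's own baseline."""
    groups = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        subs, dom = split_qname(qname)
        if subs:
            groups[(client, dom)].append(subs)
    results = {}
    for key, subs_list in groups.items():
        total = len(subs_list)
        unique = len({".".join(s) for s in subs_list})
        labels = [lab for subs in subs_list for lab in subs]
        avg_len = sum(len(lab) for lab in labels) / len(labels)
        avg_ent = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        flagged = (total >= min_queries and unique / total >= min_unique_ratio
                   and avg_len >= min_avg_label_len and avg_ent >= min_entropy)
        results[key] = {"queries": total, "unique": unique,
                        "avg_label_len": round(avg_len, 1),
                        "avg_entropy": round(avg_ent, 2), "flagged": flagged}
    return results


def build_sample_log(seed=7):
    """Constructed log: ordinary lookups from one host, Base32-looking labels from another.

    'c2-example.invalid' is a reserved placeholder domain, not a real indicator."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"  # RFC 4648 Base32; Spearal's mapping is custom
    lines = [f"2024-09-10T08:{i:02d}:00 10.1.1.5 www.example.com A" for i in range(25)]
    for i in range(30):
        l1 = "".join(rng.choice(alphabet) for _ in range(30))
        l2 = "".join(rng.choice(alphabet) for _ in range(30))
        lines.append(f"2024-09-10T08:{i:02d}:30 10.1.1.9 {l1}.{l2}.c2-example.invalid TXT")
    return lines


if __name__ == "__main__":
    for (client, dom), r in score_queries(build_sample_log()).items():
        print(client, dom, r)
```

The unique-subdomain ratio is the key term: CDN and telemetry domains also produce long labels, but they repeat them, whereas a tunnel cannot reuse a query name without the resolver cache answering it locally and the C2 never seeing it.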
Malware Locks Browser in Kiosk Mode, Frustrating User into Entering Credentials
Reported in the September 17th, 2024, FLASH Update
- A recent malware campaign has been identified that traps users in their browser's kiosk mode on Google's login page, compelling them to enter their Google credentials out of annoyance. The malware locks the browser and disables the "ESC" and "F11" keys, which prevents users from easily exiting kiosk mode. Kiosk mode is a specialized setting in web browsers or apps that allows them to operate in full-screen mode without standard user interface elements such as toolbars, address bars, or navigation buttons. This mode is intended to restrict user interactions to specific functions, which makes it well suited to public kiosks. In this attack, however, kiosk mode is misused to confine user actions to the Google login page, presenting the sole option of entering account credentials. This tactic aims to frustrate users into entering their credentials to "unlock" the computer; the credentials are then stolen by the StealC information-stealing malware. This attack method has been active since at least August 22, 2024, and is mainly utilized by Amadey, a malware loader known for information theft and system reconnaissance. Amadey deploys an AutoIt script that scans for installed browsers and launches one in kiosk mode directed at Google's change-password page. This creates an opportunity for users to re-enter and save their credentials, which StealC subsequently steals. Users who find themselves trapped in kiosk mode should avoid entering any sensitive information and try alternative hotkeys such as 'Alt + F4' or 'Ctrl + Shift + Esc' to exit the browser. If these methods fail, performing a hard reset and running a full antivirus scan in Safe Mode is recommended to remove the malware.
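The launch sequence described above (a scripted parent starting a browser with a kiosk flag pointed at a Google account page) is visible in process-creation telemetry, which gives defenders a detection that does not depend on the Amadey or StealC samples themselves. The rule below is an added example, not Ankura's or the original researchers' code. It reads Sysmon Event ID 1-style records (Image, ParentImage, CommandLine) and reports only the combination of a kiosk flag and an accounts.google.com URL, because a kiosk launch alone is how legitimate signage and shared terminals are deployed. The flag spellings, the scripted-parent list beyond AutoIt, the URL path and the sample events are assumptions constructed for the demo.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
KIOSK_FLAGS = {"--kiosk", "-kiosk"}
# The write-up names an AutoIt launcher; the script hosts are an added assumption.
SCRIPTED_PARENTS = {"autoit3.exe", "wscript.exe", "cscript.exe"}
GOOGLE_ACCOUNT_RE = re.compile(r"^https?://accounts\.google\.com/", re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace while keeping quoted paths and URLs whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons an event matches the kiosk credential trap, or [] if it does not."""
    if basename(event["Image"]) not in BROWSERS:
        return []
    args = tokenize(event["CommandLine"])[1:]  # drop argv[0], the browser path itself
    reasons = []
    if any(a.lower() in KIOSK_FLAGS for a in args):
        reasons.append("kiosk_flag")
    if any(GOOGLE_ACCOUNT_RE.match(a) for a in args):
        reasons.append("google_account_url")
    parent = basename(event["ParentImage"])
    if parent in SCRIPTED_PARENTS:
        reasons.append("scripted_parent:" + parent)
    # Require both core conditions; the parent is corroborating context, not a trigger.
    return reasons if {"kiosk_flag", "google_account_url"} <= set(reasons) else []


def scan(events):
    """Return (event, reasons) pairs for every matching process-creation record."""
    return [(ev, classify(ev)) for ev in events if classify(ev)]


# Constructed Sysmon-style records; the change-password URL path is an assumption.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\u\AppData\Local\Temp\AutoIt3.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk '
                    r'"https://accounts.google.com/signin/v2/challenge/pwd"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mail.google.com/'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --kiosk '
                    r'https://intranet.example.local/board'},
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_EVENTS):
        print(basename(ev["Image"]), "<-", basename(ev["ParentImage"]), reasons)
```

The same logic ports directly to a SIEM query over 4688 events with command-line auditing enabled; the point of the parent-process field is to separate this campaign's AutoIt launcher from an administrator's own kiosk shortcut.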
New SambaSpy Malware Targeting Italian Users in Phishing Campaign
Reported in the September 20th, 2024, FLASH Update
- A newly discovered malware dubbed SambaSpy is exclusively targeting Italian users through a phishing campaign led by a suspected Brazilian Portuguese-speaking threat actor. The attack begins with phishing emails containing HTML attachments or embedded links that initiate the infection process. The HTML attachment opens a ZIP archive that deploys a downloader or dropper to launch the remote access trojan (RAT) payload. SambaSpy's infection chain is elaborate, redirecting users to either legitimate invoices or malicious web servers based on specific criteria such as browser type and language settings. Users meeting these criteria are served a malicious JAR file from MediaFire, leading to the deployment of the RAT, which is capable of extensive remote-control functions such as file management, keylogging, webcam control, and more. The malware also steals credentials from various web browsers and can load additional plugins to extend its capabilities. Evidence indicates that the threat actor may expand its operations to Brazil and Spain, reflecting a broader trend of Latin American cybercriminals targeting European countries with related languages. This development comes alongside a surge in banking trojan campaigns in Latin America that employ sophisticated phishing scams to steal banking credentials and execute unauthorized transactions. These campaigns utilize advanced evasion techniques, such as obfuscated PowerShell scripts and malicious ISO files, to avoid detection.
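An HTML attachment that "opens a ZIP archive" is usually carrying the archive inside itself, which means mail-gateway and triage tooling can see the payload without a browser rendering the page. The script below is an added example, not Ankura's or the SambaSpy researchers' code, and it assumes the common HTML-smuggling layout of a base64 blob that page script turns into a download; the write-up does not state how SambaSpy's attachment does it. It decodes every long base64 run in the attachment, keeps those that start with the ZIP signature, and lists archive members without extracting them, flagging executable types. The 100-character minimum, the risky-extension list and the sample attachment are assumptions constructed for the demo.

```python
import base64
import binascii
import io
import re
import zipfile

B64_RE = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")  # minimum run length is an assumption
ZIP_MAGIC = b"PK\x03\x04"
RISKY_EXT = (".jar", ".js", ".jse", ".vbs", ".exe", ".lnk", ".hta")


def embedded_archives(html):
    """Decode every long base64 run in the attachment and keep those that are ZIP archives."""
    archives = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not base64 after all (e.g. a long minified-JS identifier run)
        if raw.startswith(ZIP_MAGIC):
            archives.append(raw)
    return archives


def inspect_archive(raw):
    """List members from the central directory only; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(raw)) as z:
        names = z.namelist()
    return {"members": names, "risky": [n for n in names if n.lower().endswith(RISKY_EXT)]}


def triage_attachment(html):
    """Return one report per embedded ZIP found in the HTML attachment."""
    return [inspect_archive(raw) for raw in embedded_archives(html)]


def build_sample_attachment():
    """Constructed HTML attachment that hands the browser an embedded ZIP (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Invoice_0924/downloader.js", "// placeholder text, not malware\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return ("<html><body><script>\n"
            f'const data = "{b64}";\n'
            "const bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));\n"
            "const url = URL.createObjectURL(new Blob([bytes], {type: 'application/zip'}));\n"
            "const a = document.createElement('a'); a.href = url; a.download = 'Invoice.zip'; a.click();\n"
            "</script></body></html>")


if __name__ == "__main__":
    for report in triage_attachment(build_sample_attachment()):
        print(report)
```

Because the archive never leaves memory and is never extracted, this is safe to run on a sandbox host as a first pass; a positive result is the cue to detonate the attachment properly, since a real sample may also fetch a second stage (here, the JAR from MediaFire) that is not present in the HTML.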
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.