MALWARE ACTIVITY
FakeCall Android Malware Routes Bank Calls to Attackers
Reported in the November 1st, 2024, FLASH Update
- Cybersecurity researchers are tracking a new variant of an Android malware dubbed “FakeCall”. The malware is designed to intercept phone calls made to the victim's bank and route the call to an attacker-owned phone number. Built for Android and deployed via an APK (Android Package Kit), the malware reroutes calls by setting itself up as the default call handler during installation. FakeCall displays a convincing UI that mimics Android's call interface, displaying the bank's legitimate phone number while the victim is actually on a call with the attacker. FakeCall is delivered via social engineering attacks, and the attacker's goal is to obtain sensitive banking information from the victim. The FakeCall trojan was first seen in 2022 and is now impersonating over twenty (20) financial organizations. In addition to hijacking calls, the latest versions of FakeCall include a new phone listener service which allows the attacker to issue commands to the device to get the device's location, delete applications, record audio or video, and edit contacts. New commands also allow the attacker to live stream the device's screen content, take screenshots, unlock the device, and delete and upload images. CTIX analysts recommend that individuals refrain from installing applications via APKs and opt for the more secure Google Play store. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Interlock Ransomware Targets FreeBSD Servers
Reported in the November 5th, 2024, FLASH Update
- A new ransomware operation named “Interlock” has been attacking organizations worldwide, publishing data allegedly stolen from six (6) organizations since September 2024. Researchers have discovered Interlock variants built to encrypt FreeBSD servers, an operating system that is not usually targeted in ransomware operations. Experts speculate that Interlock targets FreeBSD because it is widely utilized in servers and critical infrastructure. Interlock engages in double extortion attacks: both encrypting critical systems and demanding ransom to suppress publication of stolen data. Interlock targets Windows as well as FreeBSD operating systems, clearing Windows event logs and self-destructing after encrypting files. Files encrypted by the ransomware are appended with a “.interlock” extension and a ransom note named “!___README___!.txt” is left in directories instructing victims on how to access a Tor site for payment negotiations. Interlock's operations are relatively new, and there is still much to uncover about the threat actor's tactics, techniques, and procedures. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
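The two filesystem indicators named above (the “.interlock” extension and the “!___README___!.txt” note) are the kind of artifact a responder sweeps for first. The following is an added example, not part of the FLASH update or of any vendor tooling: it walks a directory tree, collects both indicators, and summarizes which directories show the pattern. The sample tree it builds is constructed here purely for demonstration.

```python
"""Sweep a directory tree for Interlock-style ransomware artifacts (added example)."""
import os
import tempfile
from collections import Counter

# Indicators as stated in the FLASH update.
RANSOM_NOTE = "!___README___!.txt"
ENCRYPTED_EXT = ".interlock"


def scan_tree(root):
    """Return ransom notes, encrypted files, and per-directory encrypted counts under root."""
    notes, encrypted = [], []
    per_dir = Counter()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[dirpath] += 1
    return {
        "notes": sorted(notes),
        "encrypted": sorted(encrypted),
        "affected_dirs": sorted(d for d, n in per_dir.items() if n > 0),
    }


def build_sample_tree():
    """Create a constructed sample tree (not real victim data) and return its root path."""
    root = tempfile.mkdtemp(prefix="interlock-demo-")
    docs = os.path.join(root, "docs")
    clean = os.path.join(root, "clean")
    os.makedirs(docs)
    os.makedirs(clean)
    for fname in ("report.docx" + ENCRYPTED_EXT, "budget.xlsx" + ENCRYPTED_EXT, RANSOM_NOTE):
        with open(os.path.join(docs, fname), "w") as fh:
            fh.write("constructed sample content\n")
    with open(os.path.join(clean, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")
    return root


def summarize(root):
    """Return (note_count, encrypted_count, affected_dir_count) for a quick triage line."""
    result = scan_tree(root)
    return len(result["notes"]), len(result["encrypted"]), len(result["affected_dirs"])


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(scan_tree(demo_root))
```

Point the scanner at a mounted image or a suspect share rather than a live, still-encrypting host; the per-directory count is what separates a single stray file from an active encryption run.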
SteelFox Infostealer and CryptoMiner Delivered via Cracked Software
Reported in the November 8th, 2024, FLASH Update
- Researchers have identified a new malicious software bundle developed for Windows machines that drops both infostealing and cryptomining malware on victim devices. Active since at least February 2023 but just recently discovered, SteelFox is a malware dropper that uses a “bring your own vulnerable driver” technique to establish SYSTEM privileges on the victim Windows machine. SteelFox is delivered via cracked software such as Foxit PDF Editor, JetBrains, and AutoCAD. The software download does indeed contain the cracked version of the software, but it also includes the SteelFox malware. The admin access required to install the software is abused to create a service that runs a version of WinRing0.sys with two known vulnerabilities that are exploited to give the attacker NT\SYSTEM privileges. This driver is also a component of the XMRig miner, which the attacker uses for cryptojacking, connecting to a mining pool with hardcoded credentials. The SteelFox malware uses SSL pinning and TLS v1.3 to establish a command-and-control connection. SteelFox is capable of harvesting and exfiltrating data from a wide variety of web browsers to access stored information such as cookies, credit cards, location, and search history. To date, researchers have identified compromised systems primarily in countries including Brazil, China, Russia, and Mexico. CTIX analysts advise organizations and individuals to refrain from downloading software through illegitimate channels. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Malicious “Fabrice” PyPI Package with 37,000 Downloads Steals AWS Keys
Reported in the November 12th, 2024, FLASH Update
- A malicious Python package named “fabrice” has been discovered by security researchers in the Python Package Index (PyPI). Fabrice has been available for download since 2021 and is likely a typosquat of the very popular and legitimate SSH remote server management package “fabric”. It is possible that fabrice was not flagged by the community earlier because advanced scanning tools were available only after its initial submission to PyPI. The malicious package had been downloaded over 37,000 times and contains code scripted to steal AWS credentials using boto3, the official Python SDK for AWS. Once a boto3 session is initialized, the malicious package collects the AWS credentials associated with the session and exfiltrates the data to a VPN server. Fabrice can operate on both Windows and Linux systems. On Linux systems, it sets up a hidden directory at ‘~/.local/bin/vscode’ to store encoded shell scripts that are responsible for executing commands. On Windows, fabrice downloads a VBScript that launches a Python script (d.py) that drops a malicious executable (‘chrome.exe’) into a user's Downloads folder. The executable schedules a Windows task to execute every fifteen (15) minutes, maintaining persistence across reboots. CTIX analysts recommend that individuals and organizations check their systems to ensure the package has not been downloaded. CTIX analysts also recommend that organizations employ AWS Identity and Access Management to limit how AWS resources can be used. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
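The recommendation to check systems for the package generalizes to any typosquat: compare the names actually installed (or pinned in a requirements file) against a list of popular packages and flag near-misses. The following is an added example, not part of the FLASH update or of any PyPI tooling. The short list of “popular” names is an assumption for demonstration; in practice it would be a curated allow-list of the packages an organization actually uses. The distance function counts a single adjacent transposition as one edit, so names such as “reqeusts” are caught as well as “fabrice”.

```python
"""Flag installed or pinned package names that closely resemble popular packages (added example)."""
import re
from importlib import metadata

# Assumed reference list; a real deployment would use the organization's own allow-list.
POPULAR = {"fabric", "requests", "boto3", "urllib3", "numpy", "django", "flask", "paramiko"}

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def normalize(name):
    """PyPI treats case, '-', '_' and '.' as equivalent; compare on a canonical form."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(names, popular=POPULAR, max_distance=1):
    """Return (installed_name, popular_name) pairs whose names are suspiciously close."""
    hits = []
    canon_popular = {normalize(p) for p in popular}
    for name in names:
        n = normalize(name)
        if n in canon_popular:
            continue  # exact match to a known-good name, nothing to flag
        for p in sorted(canon_popular):
            if osa_distance(n, p) <= max_distance:
                hits.append((name, p))
    return hits


def names_from_requirements(text):
    """Extract bare package names from requirements.txt-style text (constructed input in the test)."""
    names = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        m = _REQ_LINE.match(line)
        if m:
            names.append(m.group(1))
    return names


def installed_names():
    """Names of distributions installed in the current environment."""
    return sorted({d.metadata["Name"] for d in metadata.distributions() if d.metadata["Name"]})


if __name__ == "__main__":
    for bad, good in typosquat_candidates(installed_names()):
        print(f"suspicious: {bad!r} resembles {good!r}")
```

Run it inside each virtual environment or CI image of interest; a hit is a prompt to verify the package's publisher and history on PyPI, not proof of compromise on its own.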
Bitdefender Releases Decryptor for ShrinkLocker Ransomware
Reported in the November 15th, 2024, FLASH Update
- Bitdefender has delighted ShrinkLocker ransomware victims by releasing a decryptor for the ransomware variant this week. ShrinkLocker ransomware leverages Windows' built-in BitLocker drive encryption instead of the custom encryption implementations commonly used by ransomware. In a ShrinkLocker attack, the ransomware first checks whether BitLocker is enabled on the victim machine and installs BitLocker if it is not already present. The ransomware generates a random password for the BitLocker encryption using network traffic and memory usage data. Importantly, the ransomware also deletes or reconfigures all BitLocker protectors to hinder recovery of the encryption keys. While lacking the sophistication of most ransomware strains, ShrinkLocker has successfully attacked corporate systems and has targeted organizations in the government, healthcare, and manufacturing sectors in Mexico, Indonesia, and Jordan. Bitdefender has identified a way to reverse the sequence ShrinkLocker performs to delete and reconfigure the BitLocker protectors, effectively making it possible to reverse the encryption process and recover encrypted drives. Bitdefender has noted that the decryptor works on Windows 10, 11, and recent Server versions and is most effective when used shortly after the initial attack. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
SVG Attachments Increasingly Popular in Phishing Attacks
Reported in the November 19th, 2024, FLASH Update
- Cybersecurity researchers have found that Scalable Vector Graphics (SVG) attachments are becoming an increasingly popular way for threat actors to deliver malware or send phishing forms while evading detection. SVG files display images via code instead of using pixels, allowing the vector images to automatically resize without losing quality in different resolutions. SVG files have been used before by threat actors, notably to distribute Qbot malware via HTML smuggling. In recent campaigns, researchers have observed SVG files that display HTML and execute JavaScript, crafted to display phishing forms which can send victims' inputs back to the attacker. SVG attachments can also embed links that when clicked lead to a malware site or use JavaScript to automatically redirect browsers to malicious sites. Due to the nature of SVG files, they can more easily evade detection from security software than other file types. Luckily, SVG files are not commonly used in business, and organizations may choose to block all emails containing an SVG attachment by policy. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
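For organizations that cannot block SVG attachments outright, the practical middle ground is to inspect them for the active content described above: script elements, event-handler attributes, script URIs in links, and HTML embedded through foreignObject. The following is an added example, not part of the FLASH update or of any mail-gateway product: a small static scanner that parses an SVG as XML and reports these features, with one benign and one suspicious sample constructed inline for demonstration.

```python
"""Static scan of SVG content for script and embedded-HTML features (added example)."""
import re
import xml.etree.ElementTree as ET

# Elements that indicate scripting or HTML/form content inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object",
                   "form", "input", "textarea", "button"}
# Attributes that carry URLs and can therefore carry javascript:/data: payloads.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
SCRIPT_URI = re.compile(r"^\s*(javascript|vbscript):", re.IGNORECASE)
DATA_HTML_URI = re.compile(r"^\s*data:\s*text/html", re.IGNORECASE)


def _local(qualified):
    """Strip an ElementTree '{namespace}' prefix and lower-case the local name."""
    return qualified.rsplit("}", 1)[-1].lower()


def scan_svg(svg_bytes):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Malformed XML is itself worth a look: browsers are more forgiving than parsers.
        return [("high", f"unparseable XML: {exc}")]
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(("high", f"active or HTML element <{name}>"))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(("high", f"event handler {aname}= on <{name}>"))
            elif aname in URL_ATTRS:
                if SCRIPT_URI.match(value) or DATA_HTML_URI.match(value):
                    findings.append(("high", f"script or HTML data URI in {aname}= on <{name}>"))
                elif value.lower().startswith(("http://", "https://")):
                    findings.append(("info", f"external link in {aname}= on <{name}>: {value}"))
    return findings


def is_suspicious(svg_bytes):
    """True if any high-severity feature is present."""
    return any(sev == "high" for sev, _ in scan_svg(svg_bytes))


# Constructed samples for demonstration; example.invalid is a reserved, non-routable name.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    b'onload="init()">'
    b'<script>/* constructed placeholder */</script>'
    b'<a xlink:href="javascript:void(0)"><text x="0" y="10">open</text></a>'
    b'<foreignObject width="100" height="100">'
    b'<form xmlns="http://www.w3.org/1999/xhtml" action="http://example.invalid/c">'
    b'<input name="pw"/></form></foreignObject></svg>'
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, is_suspicious(sample), scan_svg(sample))
```

The scanner deliberately treats parse failures as findings rather than passing them through, since renderers tolerate input that strict XML parsers reject. It is a triage aid for quarantine decisions, not a substitute for the policy-level block the update suggests where SVG has no business use.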
Helldown Ransomware Branches into VMware and Linux Systems
Reported in the November 22nd, 2024, FLASH Update
- A relatively new ransomware group – Helldown – has been expanding its ransomware capabilities to target VMware ESXi environments and Linux systems. The Helldown ransomware strain was first identified by researchers in August 2024, targeting sectors including IT services, telecommunications, manufacturing, and healthcare. The group has attacked over thirty companies since it arrived on the scene just a few months ago. Helldown has been observed exploiting vulnerabilities in Zyxel firewall appliances to initially breach networks, stealing credentials and creating SSL VPN tunnels to maintain access. The Windows variant of the ransomware deletes shadow copies and terminates processes prior to encrypting files and self-destructing. The ransomware appears to be a variant of the leaked LockBit 3.0 ransomware, and its artifacts share similarities with those of the DarkRace or DoNex ransomware groups. Recently, the group has been observed deploying a new Linux version of its ransomware which appears to still be under development. The Linux version lacks obfuscation and anti-debugging mechanisms. Cybersecurity researchers have analyzed one such variant and noted that the ransomware does not appear to have a mechanism for network communication to share a secret or public key, raising the question of how Helldown would be able to provide a decryptor for the ransomware. The group appears to be expanding its capabilities to target virtualized infrastructures, an increasingly common and popular target for ransomware attacks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
GhostSpider Backdoor Deployed by Salt Typhoon in SE Asia Telecom Attacks
Reported in the November 26th, 2024, FLASH Update
- Cybersecurity researchers at Trend Micro have recently released an analysis on two (2) campaigns attributed to threat group Salt Typhoon targeting the Taiwanese government and Southeast Asian telecommunications networks. This analysis is released on the heels of recent reports of Salt Typhoon attacks against U.S. telecommunication service providers and U.S. government officials. Salt Typhoon, also known as Earth Estries, FamousSparrow, and GhostEmperor, is a China-attributed advanced persistent threat (APT) that primarily targets telecommunications and government entities. In the campaigns analyzed by researchers, initial access was achieved through the exploitation of vulnerabilities including CVE-2023-46805 and CVE-2024-2187 (Ivanti Connect Secure VPN), CVE-2023-48788 (Fortinet FortiClient EMS), CVE-2022-3236 (Sophos Firewall), and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 (Microsoft Exchange – ProxyLogon). Researchers highlight three (3) forms of malware leveraged by Salt Typhoon, including “Demodex”, “SnappyBee”, and “GhostSpider”. GhostSpider is a newly discovered backdoor that is designed for long-term espionage campaigns. GhostSpider is loaded onto the victim system using DLL hijacking and registered as a service via regsvr32.exe. A secondary module loads encrypted payloads into memory, which serves as the malware beacon. GhostSpider receives commands sent via HTTP headers or cookies to stealthily blend in with normal network traffic. The backdoor can upload, activate, execute, and remove malicious modules as well as adjust the malware's behavior to evade detection. CTIX analysts recommend that high-risk organizations in related industries perform threat hunting based on available IOCs and ensure network assets are updated with the latest patches. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.