ARTICLE
26 September 2023

Ankura CTIX FLASH Update - September 26, 2023

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

New Report Details Activity of Previously Unknown Threat Actor "Sandman" and Associated "LuaDream" Backdoor

Researchers have observed new activity by a previously unknown threat actor targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent in August 2023. The actor, dubbed Sandman, is currently not attributed to a specific origin and has been identified using a modular backdoor, now named "LuaDream", that is believed to be under active development. LuaDream is based on the LuaJIT platform, which is the "just-in-time compiler for the Lua scripting language." The malware's focus is to exfiltrate system and user data as well as manage actor-provided plugins. Although researchers interrupted the observed attack chain before plugins were deployed, they suspect that LuaDream has additional capabilities to do further damage. LuaDream is believed to be a variant of a new malware strain called "DreamLand"; researchers stated that "the use of Lua-based malware is something of a rarity in the threat landscape, having been previously observed in only three different instances since 2012." Researchers explained that the latest Sandman activities are "characterized by strategic lateral movement to specific targeted workstations and minimal engagement", which suggests that the actor is using a specific approach to minimize the risk of detection. While the initial access vector is currently unclear, administrative credentials have been observed being exfiltrated and reconnaissance has been conducted to breach targeted machines as well as deploy LuaDream. Technical details as well as indicators of compromise (IOCs) associated with Sandman and LuaDream can be viewed in the report linked below.

Threat Actor Activity

Iranian Nation-State Actor Targeting Israeli Organizations

An Iranian nation-state hacker dubbed OilRig is being further analyzed for two (2) different campaigns they carried out in 2021 and 2022 targeted at Israeli organizations. OilRig has been assigned a multitude of names by different security researchers, all of whom link the group to Iran's Ministry of Intelligence and Security (MOIS). The threat actor has been active since 2014 and is known to use a wide range of tools to perform information theft attacks, primarily targeting the telecommunications, government, defense, oil, and financial services verticals in the Middle East. The two (2) campaigns against Israeli organizations, called Outer Space and Juicy Mix, used two (2) previously documented first-stage backdoors ("Solar" and "Mango") to siphon out sensitive information from major browsers and the Windows Credential Manager. Researchers have observed the group's unique ability to use simple backdoors to steal users' credentials while also having the flexibility to write new malware by researching the customer environments and levels of access. They are notable for their adaptability, being seen continuously innovating to create new implants with backdoor capabilities and finding new ways to execute commands on remote systems. Their deployment of custom post-compromise tools to collect credentials, cookies, and browsing history is also notable. Researchers' latest findings show the group's continued focus on Israel, using spear-phishing methods to trick potential targets into installing malware via booby-trapped attachments. There have also been cases where the threat actor has delivered updated versions of "SideTwist", a variant of a backdoor capable of file download/upload and command execution, as part of phishing attacks targeting US businesses. CTIX analysts will continue to monitor Iranian threat group activity and provide details of new campaigns as they are disclosed.

Vulnerabilities

Apple Patches Flaws Exploited to Deliver "Predator" Spyware

Apple has released an emergency security update that patches three (3) critical zero-day vulnerabilities, exploited to deliver the Cytrox-owned "Predator" spyware suite to monitor the iPhone of an Egyptian opposition politician and former member of Parliament named Ahmed Eltantawy. The first flaw, tracked as CVE-2023-41993, is a remote code execution vulnerability in the WebKit browser engine impacting the Safari browser, which could be exploited via maliciously crafted webpages. The second vulnerability, tracked as CVE-2023-41991, is a Proxy Auto-Config (PAC) flaw in the iOS Security framework, which could be exploited by attackers to bypass signature validation via the use of malicious applications. The third flaw, tracked as CVE-2023-41992, is a local privilege escalation (LPE) vulnerability in the XNU Kernel Framework, which is responsible for providing APIs, kernel extensions, and driver support. These vulnerabilities were exploited to allow the targeting of Eltantawy's iPhone with SMS and WhatsApp messages carrying malicious Predator spyware links. When Eltantawy clicked the malicious links in the messages, he was automatically redirected to the malicious website hosting the Predator spyware. At this time, the activity has not been attributed to a specific entity. The vulnerabilities have been patched, and all iPhone users should ensure that they are running the latest version of iOS to prevent exploitation.
