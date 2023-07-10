MALWARE ACTIVITY
Operation Triangulation Targets iOS Devices with Zero-Click Exploit in iMessage Service
Reported in the June 2nd, 2023, FLASH Update
- Researchers have published a new report on a campaign dubbed
Operation Triangulation that began in 2019 and involves a
previously unknown advanced persistent threat (APT) group. This
campaign is targeting iOS devices by utilizing zero-click exploits,
which is when "the receipt of the message triggers the
vulnerability without requiring user interaction in order to
achieve code execution." iOS devices have been observed
receiving a message through iMessage that contains an
exploit-embedded attachment. The exploit is configured to gain
additional payloads in order to conduct the privilege escalation
and drop the final stage malware. The malware is received from a
command-and-control (C2) server that researchers note is a
"fully-featured APT platform." The malware has the
ability to harvest sensitive data, such as microphone recordings,
geolocation, photos from instant messengers, and more, as well as
"run code downloaded as plugin modules." Despite the
initial message received on the infected device being deleted
during the final stage, traces of the attack are left behind on the
device. The researchers emphasized that persistence is not
supported in this campaign, so it is likely that multiple devices
have been reinfected after rebooting. Operation Triangulation is an
ongoing campaign, and the most recent infected devices were seen
running iOS 15.7. Russia's Federal Security Service (FSB) has
released an advisory claiming that United States intelligence
agencies are responsible for the hacking of "several
thousand" Apple devices as part of a "reconnaissance
operation." Apple has since stated that the company has
"never worked with any government to insert a backdoor into
any Apple product and never will." Researchers are seeking
additional information on the campaign from fellow researchers, and
CTIX analysts will provide updates as more information is released.
Additional technical details as well as indicators of compromise
(IOCs) can be found in the report linked below.
US Aerospace Contractor Attacked with New PowerShell-based Malware "PowerDrop"
Reported in the June 6th, 2023, FLASH Update
- The US aerospace defense industry has been targeted by a new
malware known as "PowerDrop", a PowerShell-based malware
script. This new malware was discovered on a US defense
contractor's network in May 2023 by Adlumin. PowerDrop is
executed by Windows Management Instrumentation (WMI) using WMI
event filters and consumers named "SystemPowerManager",
which are themselves created by the malware using the
"wmic.exe" command-line application. Although WMI is
typically used by legitimate administrators to run PowerShell on
local or remote computers, it is also commonly abused to execute
PowerShell commands in an unauthorized manner. Upon activation,
PowerDrop sends a message back to the designated
command-and-control (C2) server and once a connection is
established, an additional encrypted payload that contains
PowerShell commands is uploaded to the infected machine. This
backdoor allows the threat actor to execute malicious PowerShell
queries as an administrator on infected devices through what are
usually legitimate Windows services. Additionally, use of WMI
allows PowerDrop to avoid leaving malicious files on the
device's hard drive, reducing the effectiveness of
signature-based detection methods. CTIX will continue to monitor
PowerDrop as it evolves and will provide updates as needed.
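Because PowerDrop lives in a WMI permanent event subscription rather than on disk, the artifact to hunt is the filter/consumer/binding triple itself. The following is an added example for this digest (not code from Adlumin or from the FLASH update): it joins Sysmon-style WMI events (ID 19 filter, 20 consumer, 21 binding) and flags bindings whose consumer can run commands, whose command line invokes a script host or hidden/encoded PowerShell, or whose name matches the "SystemPowerManager" name from the write-up. The field names are an assumption modelled on Sysmon's schema, and every record below is constructed; Windows' default "SCM Event Log" subscription is included as a benign control.

```python
"""Hunt for WMI permanent event subscriptions that look like PowerDrop's.

Added example for this digest; it is not code from Adlumin or from the
FLASH update. The records below are constructed to resemble Sysmon's WMI
events (ID 19 = filter, 20 = consumer, 21 = binding); the field names are
an assumption modelled on Sysmon's schema, not captured telemetry."""
import re

# Consumer classes that can run arbitrary commands or script.
SCRIPT_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# Script hosts and PowerShell switches that rarely belong in a consumer.
SUSPICIOUS_CMD = re.compile(
    r"powershell|pwsh|mshta|wscript|cscript|rundll32|-enc\b|-nop\b|hidden", re.I)
# Subscription name reported for PowerDrop (from the write-up).
KNOWN_NAMES = {"systempowermanager"}
# Binding references look like: __EventFilter.Name="SCM Event Log Filter"
REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]*)"$')

# Constructed sample: one PowerDrop-style subscription plus Windows'
# default SCM event log subscription as a benign control.
SAMPLE_EVENTS = [
    {"EventID": 19, "User": "CORP\\svc-build", "Name": "SystemPowerManager",
     "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "User": "CORP\\svc-build", "Name": "SystemPowerManager",
     "Type": "CommandLineEventConsumer",
     "Destination": "powershell.exe -w hidden -nop -enc <base64-placeholder>"},
    {"EventID": 21, "User": "CORP\\svc-build",
     "Consumer": 'CommandLineEventConsumer.Name="SystemPowerManager"',
     "Filter": '__EventFilter.Name="SystemPowerManager"'},
    {"EventID": 19, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Filter",
     "EventNamespace": "root\\cimv2", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer",
     "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"EventID": 21, "User": "NT AUTHORITY\\SYSTEM",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


def parse_ref(ref):
    """Split a WMI object path like Class.Name="X" into (class, name)."""
    m = REF_RE.match(ref.strip())
    if not m:
        return None, ref
    return m.group("cls"), m.group("name")


def find_suspicious_subscriptions(events):
    """Join filter, consumer and binding events and score each binding."""
    filters = {e["Name"]: e for e in events if e.get("EventID") == 19}
    consumers = {e["Name"]: e for e in events if e.get("EventID") == 20}
    findings = []
    for binding in (e for e in events if e.get("EventID") == 21):
        _, cname = parse_ref(binding["Consumer"])
        _, fname = parse_ref(binding["Filter"])
        consumer = consumers.get(cname, {})
        filt = filters.get(fname, {})
        ctype = consumer.get("Type", "")
        dest = consumer.get("Destination", "")
        reasons = []
        if ctype in SCRIPT_CONSUMERS:
            reasons.append(f"script-capable consumer class {ctype}")
        if SUSPICIOUS_CMD.search(dest):
            reasons.append("consumer command line invokes a script host "
                           "or hidden/encoded PowerShell")
        if {fname.lower(), cname.lower()} & KNOWN_NAMES:
            reasons.append("subscription name matches the PowerDrop write-up")
        if reasons:
            findings.append({"filter": fname, "consumer": cname, "type": ctype,
                             "user": binding.get("User", ""),
                             "query": filt.get("Query", ""),
                             "destination": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_subscriptions(SAMPLE_EVENTS):
        print(f"[!] {f['filter']} -> {f['consumer']} ({f['type']}) by {f['user']}")
        for r in f["reasons"]:
            print("    -", r)
```

On a live host the same join can be run over `Get-CimInstance -Namespace root\subscription` output for `__EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding`; the scoring rules are the same, and the benign SCM subscription shows why consumer class and command line matter more than the mere existence of a binding.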
"Stealth Soldier" Malware Observed Using Surveillance Capabilities Against Libyan Organizations
Reported in the June 9th, 2023, FLASH Update
- Researchers have observed a previously undisclosed custom
multi-stage backdoor dubbed "Stealth Soldier" involved in
a wave of highly targeted espionage attacks against North Africa.
The Stealth Soldier malware strain is known to primarily operate
"surveillance functions such as file exfiltration, screen and
microphone recording, keystroke logging and stealing browser
information." The first version of Stealth Soldier was
compiled in October 2022 and the most recent version was likely
delivered in February 2023. Researchers note that the
command-and-control (C2) servers in this ongoing campaign have been
observed mimicking sites belonging to the Libyan Ministry of
Foreign Affairs. It was also explained that there are indications
that the C2 servers are a part of a larger infrastructure set and
related to various domains, which have in part been utilized for
spear-phishing campaigns against government entities. As of June 8,
2023, this campaign, based on the phishing website themes and
submitted samples, is believed to be targeting Libyan
organizations. The attack begins with the victims triggering a
fraudulent downloader, currently believed to be delivered through
social engineering. Six (6) files are downloaded from the C2 server
with the main three (3) being "Loader",
"Watchdog", and "Payload". A decoy empty PDF is
downloaded and opened as well. Researchers emphasized that the
malware uses various types of commands during its attack chain,
including plugins that are downloaded from the C2 and modules that
are included in the malware already. Stealth Soldier typically uses
XOR encryption with two (2) hardcoded strings that are used to
masquerade as legitimate strings in order to make detection more
difficult. Infrastructure similarities between Stealth Soldier and
"Eye of the Nile", a campaign targeting journalists and
human rights activists in Egypt in 2019, were identified by
researchers, who emphasized that Stealth Soldier may potentially be
the first re-appearance of this threat actor since the 2019
campaign. Additional technical details as well as indicators of
compromise (IOCs) can be viewed in the report linked below.
Researchers Begin Publishing Report Series on the Fully Undetectable Malware Obfuscation Engine "BatCloak"
Reported in the June 13th, 2023, FLASH Update
- Researchers have released the first report of a three (3) part
series about "BatCloak", a fully undetectable (FUD)
malware obfuscation engine that has been used to deploy malware
strains since September 2022. FUD refers to "a type of
malicious software designed to evade antivirus and security
solutions" that may make use of combined techniques such as
encryption, obfuscation, and polymorphism. Researchers emphasized
that the identified samples of BatCloak grant actors "the
ability to load numerous malware families and exploits with ease
through highly obfuscated batch files," and noted that 80% of
the 784 reviewed samples had zero (0) detections from security
solutions. The BatCloak engine is noted to be the most fundamental
part of an open-source batch file loader called Jlaive. Jlaive was
previously available on GitHub and GitLab in September 2022 and has
the main capabilities of bypassing Antimalware Scan Interface
(AMSI) and compressing and encrypting the primary payload in order
to evade security detection. Since its removal from GitHub/GitLab,
actors have cloned and modified the tool. Researchers explained
that "Jlaive uses BatCloak as a file obfuscation engine to
obfuscate the batch loader and save it on a disk." Additional
technical details of BatCloak's capabilities and history can be
viewed in the report linked below.
Successful Ransomware Attack Against Microsoft 365's SharePoint Online Observed
Reported in the June 16th, 2023, FLASH Update
- Researchers have recently observed a successful ransomware
attack against SharePoint Online (Microsoft 365). This attack was
conducted through a Microsoft Global Software-as-a-Service (SaaS)
administrator account and is currently speculated to have been
conducted by the 0mega ransomware operation due to the account
name, additional observables, and infrastructure that were created
and used. 0mega launched in May 2022 and has been observed
targeting organizations around the globe with double-extortion
attacks. Few victims have been posted to the group's leak site
and a sample of the ransomware has yet to be reviewed as of June 7,
2023. The researchers shared that the actor created a new Active
Directory (AD) user called "Omega" with escalated
privileges, which included Global Administrator, SharePoint
Administrator, Exchange Administrator, Teams Administrator, and
site collection administrator capabilities to various SharePoint
collections and sites. It was noted that the actor also removed
over 200 existing administrators in just a two (2) hour period. The
observed attack exfiltrated files, did not encrypt files on the
victim machine, and uploaded thousands of
"PREVENT-LEAKAGE.txt" text files. This upload is believed
to be for notifying the victim of the exfiltration that occurred
and to provide a communication method for negotiating a ransom.
Researchers stated that "the attacker invested the time to
build automation for this attack, which implies a desire to use
this capability in the future," and emphasized that this type
of attack will continue to occur because "there are few
companies with a strong SaaS security program, whereas many
companies are well invested in endpoint security products."
CTIX analysts will continue to monitor for attacks against
SharePoint Online as well as confirmation of the threat group
responsible for the observed attack.
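The two observables in this incident that a tenant audit log would have exposed in time are a freshly created account receiving Global Administrator and the other admin roles, and that account then stripping over 200 administrators in two hours. The following is an added example for this digest, not code from the researchers' report: it runs both checks over constructed audit records. The record layout (time / operation / actor / target / role), the corp.example addresses and the assumption that the account was created through an already-compromised global admin are all illustrative, not the Microsoft 365 audit log schema or facts from the report.

```python
"""Spot the 0mega-style pattern in tenant audit records: a freshly created
account granted privileged roles, then a burst of role removals by it.

Added example for this digest, not code from the researchers' report. The
record layout (time / operation / actor / target / role) is an assumption
chosen for illustration, not the Microsoft 365 audit log schema; the
sample records are constructed, including the corp.example addresses."""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles named in the digest as granted to the attacker-created account.
PRIVILEGED_ROLES = {"Global Administrator", "SharePoint Administrator",
                    "Exchange Administrator", "Teams Administrator"}


def _build_sample():
    """Constructed audit trail: one benign removal, then the intrusion."""
    base = datetime(2023, 6, 1, 9, 0)          # constructed timestamp
    recs = [
        {"time": base - timedelta(days=1), "operation": "Remove member from role",
         "actor": "alice@corp.example", "target": "bob@corp.example",
         "role": "SharePoint Administrator"},
        # Account created through an already-compromised global admin
        # (assumption for the sample).
        {"time": base, "operation": "Add user", "actor": "gadmin@corp.example",
         "target": "Omega@corp.example", "role": None},
    ]
    for i, role in enumerate(sorted(PRIVILEGED_ROLES)):
        recs.append({"time": base + timedelta(minutes=2 + i),
                     "operation": "Add member to role",
                     "actor": "gadmin@corp.example",
                     "target": "Omega@corp.example", "role": role})
    for i in range(12):                        # 12 removals in ~25 minutes
        recs.append({"time": base + timedelta(minutes=15 + 2 * i),
                     "operation": "Remove member from role",
                     "actor": "Omega@corp.example",
                     "target": f"admin{i:02d}@corp.example",
                     "role": "SharePoint Administrator"})
    return sorted(recs, key=lambda r: r["time"])


SAMPLE_AUDIT = _build_sample()


def find_new_privileged_accounts(records, window=timedelta(hours=24)):
    """Map each account created and given a privileged role within
    `window` of its creation to the list of roles it received."""
    created = {r["target"]: r["time"] for r in records
               if r["operation"] == "Add user"}
    findings = defaultdict(list)
    for r in records:
        if r["operation"] != "Add member to role" or r["role"] not in PRIVILEGED_ROLES:
            continue
        t0 = created.get(r["target"])
        if t0 is not None and timedelta(0) <= r["time"] - t0 <= window:
            findings[r["target"]].append(r["role"])
    return dict(findings)


def find_removal_bursts(records, window=timedelta(hours=2), threshold=10):
    """Per actor, find the densest `window` of role removals and report it
    when it reaches `threshold` events (sliding window over sorted times)."""
    times_by_actor = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["operation"] == "Remove member from role":
            times_by_actor[r["actor"]].append(r["time"])
    bursts = []
    for actor, times in times_by_actor.items():
        start, best, best_span = 0, 0, None
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_span = end - start + 1, (times[start], times[end])
        if best >= threshold:
            bursts.append({"actor": actor, "count": best,
                           "first": best_span[0], "last": best_span[1]})
    return bursts


if __name__ == "__main__":
    for acct, roles in find_new_privileged_accounts(SAMPLE_AUDIT).items():
        print(f"[!] new account {acct} granted: {', '.join(roles)}")
    for b in find_removal_bursts(SAMPLE_AUDIT):
        print(f"[!] {b['actor']} removed {b['count']} role members "
              f"between {b['first']:%H:%M} and {b['last']:%H:%M}")
```

The threshold and window are tuning knobs: ten removals in two hours is far below the 200-plus seen here but well above what a normal admin does by hand, and the one-off removal by alice the day before shows the rule does not fire on routine housekeeping.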
