Operation Triangulation Targets iOS Devices with Zero-Click Exploit in iMessage Service

Reported in the June 2nd, 2023, FLASH Update

  • Researchers have published a new report on a campaign dubbed Operation Triangulation that began in 2019 and involves a previously unknown advanced persistent threat (APT) group. The campaign targets iOS devices with zero-click exploits, in which "the receipt of the message triggers the vulnerability without requiring user interaction in order to achieve code execution." Targeted devices receive an iMessage carrying an attachment that embeds the exploit. The exploit fetches additional stages that perform privilege escalation and drop the final-stage malware. That final payload, downloaded from a command-and-control (C2) server, is what the researchers describe as a "fully-featured APT platform." It can harvest sensitive data, such as microphone recordings, geolocation, and photos from instant messengers, and can "run code downloaded as plugin modules." Although the initial message is deleted from the infected device during the final stage, traces of the attack remain on the device. The researchers emphasized that the implant does not support persistence, so devices that rebooted were likely reinfected, some of them multiple times. Operation Triangulation is an ongoing campaign, and the most recently infected devices were seen running iOS 15.7. Russia's Federal Security Service (FSB) has released an advisory alleging that United States intelligence agencies are responsible for the hacking of "several thousand" Apple devices as part of a "reconnaissance operation." Apple has since stated that the company has "never worked with any government to insert a backdoor into any Apple product and never will." The researchers are seeking additional information on the campaign from the wider research community, and CTIX analysts will provide updates as more information is released. 
Additional technical details as well as indicators of compromise (IOCs) can be found in the report linked below.

US Aerospace Contractor Attacked with New PowerShell-based Malware "PowerDrop"

Reported in the June 6th, 2023, FLASH Update

  • The US aerospace defense industry has been targeted by a new PowerShell-based malware script known as "PowerDrop". The malware was discovered on a US defense contractor's network in May 2023 by Adlumin. PowerDrop is executed through Windows Management Instrumentation (WMI): the malware uses the "wmic.exe" command-line tool to register a WMI event filter and event consumer, both named "SystemPowerManager", and the resulting event subscription runs the PowerShell script. WMI is a legitimate interface for administering local and remote Windows systems, including running PowerShell on them, which is also what makes it a common vehicle for executing PowerShell commands without authorization. Upon activation, PowerDrop beacons to its designated command-and-control (C2) server; once a connection is established, an additional encrypted payload containing PowerShell commands is delivered to the infected machine. The backdoor lets the threat actor run malicious PowerShell as an administrator on infected devices through what are normally legitimate Windows components. Because it is staged and triggered through WMI rather than dropped as a conventional executable, PowerDrop avoids leaving obvious malicious files on the device's hard drive, reducing the effectiveness of signature-based detection methods. CTIX will continue to monitor PowerDrop as it evolves and will provide updates as needed.
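Hunting for the WMI event-subscription technique described above, as an added example that is not part of the FLASH update or Adlumin's report: the script correlates Sysmon WMI events (IDs 19, 20 and 21) into filter-to-consumer bindings and scores each one. The sample events are constructed; only the name "SystemPowerManager" comes from the PowerDrop reporting, while the user, WQL query and PowerShell command line are invented for illustration.

```python
"""Hunt for suspicious WMI permanent event subscriptions in Sysmon WMI events.

Added example, not code from the Adlumin write-up or the CTIX update. The records
below are constructed to mimic Sysmon event IDs 19 (WmiEventFilter), 20
(WmiEventConsumer) and 21 (WmiEventConsumerToFilter). Only the name
"SystemPowerManager" comes from the PowerDrop reporting; the user, WQL query and
PowerShell command line are invented.
"""
import re

NAME_RE = re.compile(r'Name="([^"]+)"')
# Consumer classes that run arbitrary commands or script when their filter fires.
CODE_EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# PowerShell flags common to fileless loaders (heuristic, not from the report).
PS_SUSPICIOUS = re.compile(
    r"powershell.*?(-enc\b|-e\b|-ec\b|-encodedcommand\b|-w(indowstyle)?\s+hidden\b|-nop\b|\biex\b|downloadstring)",
    re.I,
)
# Filter/consumer name the PowerDrop reporting associates with the malware.
KNOWN_NAMES = {"systempowermanager"}

SAMPLE_EVENTS = [
    # Constructed benign subscription of the kind management agents register.
    {"EventID": 19, "Operation": "Created", "User": "CORP\\svc_mgmt", "Name": "SCM Event Log Filter",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\svc_mgmt", "Name": "SCM Event Log Consumer",
     "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\svc_mgmt",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    # Constructed PowerDrop-style subscription: timer filter bound to hidden, encoded PowerShell.
    {"EventID": 19, "Operation": "Created", "User": "CORP\\jdoe", "Name": "SystemPowerManager",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 120 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\jdoe", "Name": "SystemPowerManager",
     "Type": "CommandLineEventConsumer",
     "Destination": "powershell.exe -NoP -W Hidden -Enc JABzAD0AJwBjAG8AbgBzAHQAcgB1AGMAdABlAGQAJwA="},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\jdoe",
     "Consumer": 'CommandLineEventConsumer.Name="SystemPowerManager"',
     "Filter": '__EventFilter.Name="SystemPowerManager"'},
]


def object_name(ref: str) -> str:
    """Extract the Name key from a WMI object path such as __EventFilter.Name="X"."""
    m = NAME_RE.search(ref)
    return m.group(1) if m else ref


def analyze(events):
    """Correlate bindings (21) with their filters (19) and consumers (20) and score each."""
    filters = {e["Name"]: e for e in events if e.get("EventID") == 19}
    consumers = {e["Name"]: e for e in events if e.get("EventID") == 20}
    findings = []
    for e in events:
        if e.get("EventID") != 21:
            continue
        fname, cname = object_name(e["Filter"]), object_name(e["Consumer"])
        flt, con = filters.get(fname, {}), consumers.get(cname, {})
        reasons = []
        if con.get("Type") in CODE_EXEC_CONSUMERS:
            reasons.append(f"consumer type {con['Type']} executes code")
        if PS_SUSPICIOUS.search(con.get("Destination", "")):
            reasons.append("consumer launches PowerShell with hidden/encoded flags")
        if fname.lower() in KNOWN_NAMES or cname.lower() in KNOWN_NAMES:
            reasons.append("name matches the PowerDrop IOC 'SystemPowerManager'")
        if re.search(r"\bWITHIN\b", flt.get("Query", ""), re.I):
            reasons.append("polling filter (WITHIN) typical of timer-based triggers")
        if reasons:
            findings.append({"filter": fname, "consumer": cname, "user": e.get("User"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['filter']} -> {f['consumer']}")
        for r in f["reasons"]:
            print("   -", r)
```

On a live host the same three pieces can be enumerated with Get-CimInstance -Namespace root\subscription against the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes; the scoring applies unchanged, and a binding with no matching filter or consumer event is reported as nothing rather than crashing the triage.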

"Stealth Soldier" Malware Observed Using Surveillance Capabilities Against Libyan Organizations

Reported in the June 9th, 2023, FLASH Update

  • Researchers have observed a previously undisclosed custom multi-stage backdoor dubbed "Stealth Soldier" in a wave of highly targeted espionage attacks in North Africa. The Stealth Soldier malware strain primarily performs "surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information." The earliest known version was compiled in October 2022, and the most recent version was likely delivered in February 2023. Researchers note that the command-and-control (C2) servers in this ongoing campaign mimic sites belonging to the Libyan Ministry of Foreign Affairs. There are also indications that the C2 servers belong to a larger infrastructure set tied to various domains, some of which have been used for spear-phishing campaigns against government entities. As of June 8, 2023, the campaign is believed to be targeting Libyan organizations, based on the phishing website themes and submitted samples. The attack begins when the victim runs a fraudulent downloader, currently believed to be delivered through social engineering. Six (6) files are downloaded from the C2 server, the main three (3) being the "Loader", "Watchdog", and "Payload"; an empty decoy PDF is downloaded and opened as well. Researchers emphasized that the malware uses various types of commands during its attack chain, including plugins downloaded from the C2 and modules built into the malware itself. Stealth Soldier typically uses XOR encryption with two (2) hardcoded key strings chosen to look like legitimate strings, in order to make detection more difficult. 
Researchers identified infrastructure similarities between Stealth Soldier and "Eye of the Nile", a 2019 campaign targeting journalists and human rights activists in Egypt, and emphasized that Stealth Soldier may be the first reappearance of this threat actor since that campaign. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
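The XOR-with-hardcoded-strings scheme described above, as an added example that is not Check Point's code or part of the FLASH update: when two key strings are pulled out of a sample, the analyst usually does not know which one protects a given blob, so the first helper tries each and keeps the one that yields text; the second recovers an unknown repeating key from a known-plaintext prefix. The key strings, the plaintext and the encrypted blob below are constructed stand-ins and are not Stealth Soldier's.

```python
"""Decode strings protected with repeating-key XOR under hardcoded key strings.

Added example, not Check Point's tooling. The two key strings and the encrypted
sample are constructed here to stand in for the "legitimate-looking" hardcoded
strings the report describes; they are not the keys from Stealth Soldier.
"""
from itertools import cycle

# Constructed stand-ins for the two hardcoded key strings.
KEYS = [b"Microsoft Windows Update Agent", b"Mozilla/5.0 (Windows NT 10.0)"]
# Constructed plaintext (.invalid is reserved by RFC 6761 and never resolves).
PLAINTEXT = b'{"c2":"https://example.invalid/api/v1","interval":300}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(data: bytes) -> bool:
    """Heuristic acceptance test: valid UTF-8 and at least 95% printable."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / len(text) >= 0.95


def decode_with_candidates(blob: bytes, keys):
    """Try each hardcoded key in turn; return (key, plaintext) for the first that yields text.

    A wrong ASCII key XORed against ASCII plaintext produces many control bytes
    (two bytes with equal bits 5 and 6 cancel to < 0x20), so the heuristic rejects it.
    """
    for key in keys:
        pt = xor_bytes(blob, key)
        if looks_like_text(pt):
            return key, pt
    return None


def recover_key(ciphertext: bytes, crib: bytes, max_key_len: int = 64):
    """Known-plaintext key recovery.

    `crib` is the plaintext at offset 0 and must be at least one key length long
    (a JSON or URL prefix, or a PE 'MZ' header, often suffices). XORing ciphertext
    with the crib yields the keystream; the shortest period that reproduces the whole
    keystream is the key (a key with internal repetition comes back in reduced form).
    """
    stream = xor_bytes(ciphertext[: len(crib)], crib)
    for period in range(1, min(max_key_len, len(stream)) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


# Constructed sample: PLAINTEXT protected with the second key.
SAMPLE_BLOB = xor_bytes(PLAINTEXT, KEYS[1])

if __name__ == "__main__":
    key, pt = decode_with_candidates(SAMPLE_BLOB, KEYS)
    print(f"decoded with key {key!r}: {pt.decode()}")
    # Crib of one key length (29 bytes here) is enough to recover the full key.
    print("recovered key:", recover_key(SAMPLE_BLOB, PLAINTEXT[: len(KEYS[1])]))
```

The printable-text heuristic is deliberately loose so it also accepts decoded URLs, JSON and Windows paths; if the blobs are known to be binary (a PE or a compressed stage), swap it for a magic-byte check on the first bytes instead.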

Researchers Begin Publishing Report Series on the Fully Undetectable Malware Obfuscation Engine "BatCloak"

Reported in the June 13th, 2023, FLASH Update

  • Researchers have released the first report of a three (3) part series about "BatCloak", a fully undetectable (FUD) malware obfuscation engine that has been used to deploy malware strains since September 2022. FUD refers to "a type of malicious software designed to evade antivirus and security solutions," which may combine techniques such as encryption, obfuscation, and polymorphism. Researchers emphasized that the identified BatCloak samples grant actors "the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," and noted that 80% of the 784 reviewed samples had zero (0) detections from security solutions. The BatCloak engine is the core component of an open-source batch file loader called Jlaive. Jlaive was available on GitHub and GitLab in September 2022; its main capabilities are bypassing the Antimalware Scan Interface (AMSI) and compressing and encrypting the primary payload in order to evade security detection. Since its removal from GitHub and GitLab, actors have cloned and modified the tool. Researchers explained that "Jlaive uses BatCloak as a file obfuscation engine to obfuscate the batch loader and save it on a disk." Additional technical details of BatCloak's capabilities and history can be viewed in the report linked below.

Successful Ransomware Attack Against Microsoft 365's SharePoint Online Observed

Reported in the June 16th, 2023, FLASH Update

  • Researchers have recently observed a successful ransomware attack against SharePoint Online (Microsoft 365). The attack was conducted through a compromised Microsoft global Software-as-a-Service (SaaS) administrator account and is currently speculated to have been conducted by the 0mega ransomware operation, based on the account name, additional observables, and the infrastructure that was created and used. 0mega launched in May 2022 and has been observed targeting organizations around the globe with double-extortion attacks. Few victims have been posted to the group's leak site, and a sample of the ransomware had yet to be reviewed as of June 7, 2023. The researchers shared that the actor created a new Azure Active Directory (Azure AD) user called "Omega" with escalated privileges, including the Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator roles, as well as site collection administrator rights on various SharePoint site collections and sites. The actor also removed over 200 existing administrators in a two (2) hour period. The observed attack exfiltrated files, did not encrypt any files in the victim's environment, and uploaded thousands of "PREVENT-LEAKAGE.txt" text files. The upload is believed to notify the victim of the exfiltration and to provide a channel for negotiating a ransom. Researchers stated that "the attacker invested the time to build automation for this attack, which implies a desire to use this capability in the future," and emphasized that this type of attack will continue to occur because "there are few companies with a strong SaaS security program, whereas many companies are well invested in endpoint security products." CTIX analysts will continue to monitor for attacks against SharePoint Online as well as for confirmation of the threat group responsible for the observed attack.
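The account manipulation described above (a freshly created account granted administrator roles, followed by more than 200 administrators removed within two hours) maps onto two detections over Microsoft 365 unified audit log records. This is an added example, not Obsidian's detection logic or content from the FLASH update; the records are constructed to mirror the Azure AD AuditData fields (CreationTime, Operation, UserId, ObjectId, ModifiedProperties), and the tenant name, account names, thresholds and timestamps are invented.

```python
"""Flag two account-manipulation patterns in Microsoft 365 unified audit log records:
a newly created account granted privileged roles, and one actor stripping many
administrators in a short window.

Added example, not Obsidian's detection or the CTIX update's content. Records are
constructed to mirror the Azure AD AuditData shape; tenant, accounts and times are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ROLES = {
    "Global Administrator", "SharePoint Administrator", "Exchange Administrator",
    "Teams Administrator", "Privileged Role Administrator",
}


def role_event(time, operation, actor, target, role):
    """Build one constructed record in the unified audit log's Azure AD shape."""
    return {
        "CreationTime": time, "Operation": operation, "UserId": actor, "ObjectId": target,
        # Real exports quote the value, e.g. "\"Global Administrator\"", hence strip('"') below.
        "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": f'"{role}"'}],
    }


SAMPLE_RECORDS = [
    # Benign helpdesk changes weeks earlier (constructed).
    role_event("2023-05-20T14:02:11", "Add member to role.", "hr-admin@contoso.example",
               "newhire@contoso.example", "Helpdesk Administrator"),
    role_event("2023-05-20T14:05:30", "Remove member from role.", "hr-admin@contoso.example",
               "leaver@contoso.example", "Helpdesk Administrator"),
    # Compromised admin creates "omega" and grants it privileged roles within minutes (constructed).
    {"CreationTime": "2023-06-01T09:00:12", "Operation": "Add user.",
     "UserId": "svc-admin@contoso.example", "ObjectId": "omega@contoso.example"},
    role_event("2023-06-01T09:01:40", "Add member to role.", "svc-admin@contoso.example",
               "omega@contoso.example", "Global Administrator"),
    role_event("2023-06-01T09:02:05", "Add member to role.", "svc-admin@contoso.example",
               "omega@contoso.example", "SharePoint Administrator"),
] + [
    # "omega" then removes existing administrators, six in under an hour (constructed).
    role_event(f"2023-06-01T09:{10 + 8 * i:02d}:00", "Remove member from role.",
               "omega@contoso.example", f"admin{i}@contoso.example", "Global Administrator")
    for i in range(6)
]


def event_time(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def role_name(rec):
    """Pull the role display name out of ModifiedProperties, unquoting the exported value."""
    for prop in rec.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue", "").strip('"')
    return None


def privileged_grants_to_new_accounts(records, window=timedelta(hours=24)):
    """Privileged role granted to an account whose 'Add user.' event lies within `window` before."""
    created = {r["ObjectId"].lower(): event_time(r) for r in records if r["Operation"] == "Add user."}
    alerts = {}
    for r in records:
        if r["Operation"] != "Add member to role.":
            continue
        target, role = r["ObjectId"].lower(), role_name(r)
        if role not in PRIVILEGED_ROLES or target not in created:
            continue
        age = event_time(r) - created[target]
        if timedelta(0) <= age <= window:
            alert = alerts.setdefault(target, {"target": target, "actor": r["UserId"], "roles": []})
            alert["roles"].append(role)
    return list(alerts.values())


def bulk_role_removals(records, threshold=5, window=timedelta(hours=2)):
    """One actor removing at least `threshold` role members inside any `window`-long interval."""
    by_actor = defaultdict(list)
    for r in records:
        if r["Operation"] == "Remove member from role.":
            by_actor[r["UserId"].lower()].append(event_time(r))
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts.append({"actor": actor, "removals_in_window": peak})
    return alerts


if __name__ == "__main__":
    for a in privileged_grants_to_new_accounts(SAMPLE_RECORDS):
        print("new account granted privileged roles:", a)
    for a in bulk_role_removals(SAMPLE_RECORDS):
        print("bulk administrator removal:", a)
```

In a real tenant the rows come from Search-UnifiedAuditLog (RecordType AzureActiveDirectory) with each AuditData value as a JSON string, so json.loads each one before feeding the list in; the removal threshold should be tuned to the tenant's normal change volume, since the 200 removals reported here dwarf any plausible baseline.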

