Malware Activity
New Details Discovered that Connect iOS Surveillanceware Tool "LightSpy" to Android Spyware Variants "DragonEgg" and "WyrmSpy"
UPDATE: Researchers have discovered connections between the Android spyware "DragonEgg" and the iOS surveillanceware tool "LightSpy". LightSpy is described as a "fully-featured modular surveillance tool set with a strong focus on victim private information exfiltration such as fine location data (including building floor number) and sound recording during VOIP calls." LightSpy is known to be able to exfiltrate payment data from WeChat Pay backend infrastructure and to hook WeChat audio-related functions to record victims' VOIP conversations. Researchers reviewed the attack chain of LightSpy, which includes the use of a trojanized Telegram app that downloads a second-stage payload. They then identified that the second stage is configured to download a third component called "TI" (also called "Core" in the second stage) and a set of fourteen (14) plugins that are responsible for the exfiltration of data. Two (2) of the discovered plugins unveiled previously undisclosed tactics, techniques, and procedures (TTPs). LightSpy and AndroidControl (otherwise known as "WyrmSpy") are noted as sharing the same infrastructure, leading researchers to believe that AndroidControl may be a successor of LightSpy, and five (5) aspects make researchers believe both DragonEgg and LightSpy were developed by the same actor: a unique ID, the word "light" in both source codes, the configuration patterns, the runtime structures and plugins, and their C2 configurations. It is currently suspected that potential targets of the threat group behind LightSpy could be in the Asia-Pacific region. Technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Threat Actor Activity
QakBot Threat Actors Stay Active Despite Law Enforcement Disruption
Researchers have observed the continuation of a phishing campaign linked to the QakBot threat actors despite law enforcement's disruption of its infrastructure in late August 2023. The threat actors' phishing campaign has been ongoing since as early as August 2023 and is associated with "Ransom Knight" (otherwise known as "Cyclops") ransomware as well as the "Remcos" remote access trojan (RAT). The seizure of the infrastructure and cryptocurrency caused significant damage to the group's operations, and while there is no evidence that the threat actors have distributed their malware loader since the infrastructure takedown, it seems as though the attempted disruption only impacted their command-and-control (C2) servers while leaving their spam delivery infrastructure unaffected. The Ransom Knight malware still poses a threat even while the C2 server is down, and because the threat actors have remained active post-takedown, they may be choosing to rebuild their infrastructure to resume full capabilities. Activity associated with the group before the takedown consisted primarily of phishing emails containing malicious LNK files that begin the infection and likely deploy Ransom Knight ransomware. Beyond the LNK files stored within the ZIP archive, an additional file has been identified that likely propagates the Remcos RAT, which facilitates persistent backdoor access to the endpoints. Researchers have also observed file names written in Italian, which may point to Italy as the target region for this threat actor. CTIX analysts will continue to monitor QakBot activity and provide additional QakBot campaign details when available.
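The delivery chain above (a ZIP attachment carrying LNK files plus a companion file) is something a mail gateway or triage script can flag before the shortcut is ever clicked. The following is an added example, not code from the report or from the CTIX team: it inspects a ZIP archive and flags Windows Shell Link entries both by their ".lnk" extension and by the fixed LNK header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), so a shortcut renamed to look like a document is still caught, and it lists the companion files that travel with the shortcuts. The sample archive is constructed inline; the Italian-looking file names are illustrative, not observed samples.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Every Windows Shell Link (.lnk) begins with HeaderSize = 0x0000004C (little-endian)
# followed by the LinkCLSID {00021401-0000-0000-C000-000000000046} in on-disk GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


@dataclass
class ArchiveFinding:
    name: str
    reason: str  # "lnk-magic" (header matched) or "lnk-extension" (name only)


def find_lnk_entries(zip_bytes: bytes) -> List[ArchiveFinding]:
    """Flag ZIP entries that are Windows shortcuts, by header magic first, then by extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                # A renamed shortcut (e.g. "Documento.pdf") still carries the LNK header.
                findings.append(ArchiveFinding(info.filename, "lnk-magic"))
            elif info.filename.lower().endswith(".lnk"):
                findings.append(ArchiveFinding(info.filename, "lnk-extension"))
    return findings


def triage_archive(zip_bytes: bytes) -> dict:
    """Summarise an archive: LNK findings plus the companion files that arrive alongside them."""
    lnk = find_lnk_entries(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        all_files = [i.filename for i in zf.infolist() if not i.is_dir()]
    flagged = {f.name for f in lnk}
    return {
        "suspicious": bool(lnk),
        "lnk_entries": [(f.name, f.reason) for f in lnk],
        # Any non-LNK file delivered next to a shortcut deserves a look (the report
        # describes one such file likely propagating the Remcos RAT).
        "companion_files": [n for n in all_files if n not in flagged],
    }


def build_sample_archive() -> bytes:
    """Constructed sample (not a real attachment): a shortcut, a shortcut renamed as a
    PDF, and a harmless companion text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Fattura.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("Documento.pdf", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"constructed companion file for the example")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

Checking the header rather than trusting the file name is the part that matters: attachment filters keyed on ".lnk" alone are trivially bypassed by renaming, while the 20-byte header is what Windows itself uses to treat the file as a shortcut.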
Vulnerabilities
Cisco Emergency Responder Vulnerability Allows Attackers to Take Control of the Root User Account
Cisco has released an urgent security patch for its Emergency Responder product that fixes a critical vulnerability which could be exploited by unauthenticated threat actors to gain access to vulnerable systems. Cisco Emergency Responder enhances the existing emergency 9-1-1 functionality offered by the Cisco Unified Communications Manager product. It ensures that Cisco Unified Communications Manager sends emergency 9-1-1 calls to the appropriate Public Safety Answering Point (PSAP), and that the PSAP can correctly identify the caller's location and return the call if necessary. The system also tracks and updates changes to equipment, allowing service providers to ensure effective compliance with legal or regulatory obligations and reducing the risk of liability related to emergency calls. The flaw, tracked as CVE-2023-20101, stems from the default presence of static user credentials for the root account, which cannot be changed or deleted. If exploited, a threat actor could log in to an affected device using the root account, which would allow them to execute arbitrary commands as the root user. Cisco discovered the vulnerability during its internal security testing. This is a severe vulnerability, receiving a CVSS score of 9.8/10; however, there is currently no indication that the flaw is being actively exploited in the wild. CTIX analysts recommend that all Cisco Emergency Responder administrators ensure that they update their systems if they are still vulnerable.
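Because the credential behind CVE-2023-20101 cannot be rotated, patching is the only fix; until it is applied, the useful detection signal is any successful root login on the host that did not come from an approved administrative source. The following is an added example, not Cisco's tooling or the CTIX team's: it parses standard OpenSSH "Accepted"/"Failed" syslog lines and reports root logins from non-allowlisted addresses. The log lines are constructed, and the assumption that the affected hosts expose SSH with this log format is mine; the page does not describe the appliance's own logging.

```python
import re
from typing import Dict, List, Optional, Tuple

# Standard OpenSSH syslog line layout (assumed applicable to the monitored host):
#   Oct  5 09:14:02 host sshd[2231]: Accepted password for root from 203.0.113.7 port 51522 ssh2
SSH_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\S+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<src>\S+)\sport\s(?P<port>\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses, not real observations).
SAMPLE_LOG = [
    "Oct  5 09:14:02 cer01 sshd[2231]: Accepted password for root from 203.0.113.7 port 51522 ssh2",
    "Oct  5 09:14:40 cer01 sshd[2240]: Accepted publickey for admin from 10.0.0.5 port 50110 ssh2",
    "Oct  5 09:15:01 cer01 sshd[2255]: Failed password for root from 203.0.113.7 port 51530 ssh2",
    "Oct  5 09:16:12 cer01 sshd[2260]: Accepted password for root from 10.0.0.5 port 50200 ssh2",
    "Oct  5 09:17:00 cer01 CRON[2270]: pam_unix(cron:session): session opened for user root",
]


def parse_ssh_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an sshd authentication line, or None for unrelated lines."""
    m = SSH_LOGIN_RE.match(line)
    return m.groupdict() if m else None


def find_root_logins(lines: List[str], allowed_sources: Tuple[str, ...] = ()) -> List[Dict[str, str]]:
    """Accepted root logins whose source address is not on the admin allowlist."""
    alerts = []
    for line in lines:
        ev = parse_ssh_line(line)
        if not ev:
            continue
        if ev["result"] == "Accepted" and ev["user"] == "root" and ev["src"] not in allowed_sources:
            alerts.append(ev)
    return alerts


def failed_root_attempts_by_source(lines: List[str]) -> Dict[str, int]:
    """Count failed root password attempts per source; a prelude worth correlating with alerts."""
    counts: Dict[str, int] = {}
    for line in lines:
        ev = parse_ssh_line(line)
        if ev and ev["result"] == "Failed" and ev["user"] == "root":
            counts[ev["src"]] = counts.get(ev["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in find_root_logins(SAMPLE_LOG, allowed_sources=("10.0.0.5",)):
        print(f"ALERT root login from {alert['src']} via {alert['method']} at {alert['ts']}")
    print(failed_root_attempts_by_source(SAMPLE_LOG))
```

Run against the sample, the allowlisted 10.0.0.5 login is ignored and the 203.0.113.7 login is raised; in practice the allowlist would hold the jump hosts from which administrators are expected to reach the appliance, and any other successful root login is a strong indicator that the static credential has been used.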
