IT threat evolution Q3 2019
29 November 19, 16:49
(This post was last modified: 29 November 19, 16:49 by harlan4096.)
Contents
Targeted attacks and malware campaigns
Mobile espionage targeting the Middle East
At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our Threat Intelligence Portal. We believe the malware has been in development since late 2016, but the main distribution began at the end of 2017. The attackers used two methods to install these implants: they backdoored legitimate apps, injecting malicious Smali code; and they built an open-source legitimate ‘Conversations’ messenger that included the malicious code. You can read more about Operation ViceLeaker here.
APT33 beefs up its toolset
In July, we published an update on the 2016-17 activities of NewsBeef (aka APT33 and Charming Kitten), a threat actor that has focused on targets in Saudi Arabia and the West. NewsBeef lacks advanced offensive capabilities and has previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. In previous campaigns, this threat actor has relied heavily on the Browser Exploitation Framework (BeEF). However, in the summer of 2016, the group deployed a new toolset that included macro-enabled Office documents, PowerSploit, and the Pupy backdoor. The most recent campaign uses this toolset in conjunction with spear-phishing emails, links sent over social media and standalone private messaging applications, and watering-hole attacks that use compromised high-profile websites (some belonging to the Saudi government). The group has changed multiple characteristics year over year – tactics, the malicious JavaScript injection strategically placed on compromised websites, and command-and-control (C2) infrastructure. Subscribers to our private intelligence reports receive unique and extraordinary data on significant activity and campaigns of more than 100 APTs from across the world, including NewsBeef.
New FinSpy iOS and Android implants found in the wild
We recently reported on the latest versions of FinSpy for Android and iOS. Governments and law enforcement agencies across the world use this surveillance software to collect personal data. FinSpy implants for iOS and Android have almost identical functionality: they are able to collect personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers. The Android implant includes functionality to gain root privileges by abusing known vulnerabilities. The iOS version doesn’t provide infection exploits for its customers and so can only be installed on jailbroken devices – suggesting that physical access is required in order to install the implant. During our latest research we detected up-to-date versions of these implants in almost 20 countries, but we think the actual number of infections could be much higher.
Turla revamps its toolset
Turla (aka Venomous Bear, Uroboros and Waterbug), a high profile Russian-speaking threat actor with a known interest in cyber-espionage against government and diplomatic targets, has made significant changes to its toolset. Most notably, the group has wrapped its notorious JavaScript KopiLuwak malware in a new dropper called Topinambour, a new .NET file that is being used by Turla to distribute and drop its JavaScript KopiLuwak through infected installation packages for legitimate software programs such as VPNs for circumventing internet censorship. Named by the malware authors, Topinambour is an alternative name for the Jerusalem artichoke. Some of the changes the threat actor has made are intended to help it evade detection. For example, the C2 infrastructure uses IP addresses that appear to mimic ordinary LAN addresses. Further, the malware is almost completely ‘fileless’: the final stage of infection, an encrypted Trojan for remote administration, is embedded into the computer’s registry for the malware to access when ready. The two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan – are used for cyber-espionage. We think the threat actor deploys these versions when the computers of the targets are protected with security software capable of detecting KopiLuwak. All three implants are able to fingerprint targets, gather information on system and network adapters, steal files, and download and execute additional malware. MiamiBeach is also able to take screenshots. You can read more here.
CloudAtlas uses new infection chain
Cloud Atlas (aka Inception) has a long history of cyber-espionage operations targeting industries and government bodies. We first reported this group in 2014 and we have continued to track its activities. During the first half of this year, we identified campaigns focused on Russia, Central Asia and regions of Ukraine with ongoing military conflicts. Cloud Atlas hasn’t changed its TTPs (Tactics, Techniques and Procedures) since 2018 and continues to rely on existing tactics and malware to compromise high value targets. The threat actor’s Windows intrusion set still uses spear-phishing emails to target its victims: these are crafted with Office documents that use malicious remote templates – whitelisted per victim – hosted on remote servers. Previously, Cloud Atlas dropped its ‘validator’ implant, named PowerShower, directly, after exploiting the Microsoft Equation vulnerability (CVE-2017-11882) mixed with CVE-2018-0802. In recent months, we have seen a new infection chain, involving a polymorphic HTA, a new and polymorphic VBS implant aimed at executing PowerShower, and the Cloud Atlas second stage modular backdoor that we disclosed in 2014.
Dtrack banking malware discovered
In summer 2018, we discovered ATMDtrack, a piece of banking malware targeting banks in India. We used YARA and the Kaspersky Attribution Engine to try to uncover more information about this ATM malware; and we found more than 180 new malware samples of a spy tool that we now call Dtrack. All the Dtrack samples we initially found were dropped samples, as the real payload was encrypted with various droppers – we were able to find them because of the unique sequences shared by ATMDtrack and the Dtrack memory dumps. Once we decrypted the final payload and used the Kaspersky Attribution Engine again, we saw similarities with the DarkSeoul campaign, dating back to 2013 and attributed to the Lazarus group. It seems that they reused part of their old code to attack the financial sector and research centers in India. Our telemetry indicates that the latest Dtrack activity was detected in the beginning of September 2019. This is a good example of how proper YARA rules and a solid working attribution engine can help to uncover connections with established malware families. In this case, we were able to add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack. You can find our public report on Dtrack here.
...
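The Dtrack section above says the dropped samples were found through "unique sequences shared by ATMDtrack and the Dtrack memory dumps", matched with YARA. The script below is an added example of that hunting step, written for this page and not Kaspersky's tooling: it extracts maximal byte runs common to two blobs and renders them as a YARA rule with hex strings. The two "memory dumps", the shared runs embedded in them (SHARED_A, SHARED_B), the minimum run length (MIN_LEN) and the rule name are all constructed assumptions, not real Dtrack artefacts; a real dump would use a suffix array rather than the quadratic table used here.

```python
"""Turn byte runs shared by two samples into a YARA rule (added example).

Constructed stand-ins only: no real ATMDtrack or Dtrack bytes appear here.
"""
from __future__ import annotations

MIN_LEN = 12  # assumption: shortest shared run worth turning into a YARA string

# Constructed "memory dumps". One code-like run and one marker string are
# planted in both samples, surrounded by unrelated filler.
SHARED_A = b"\x55\x8b\xec\x83\xec\x20\x53\x56\x57\x8b\x7d\x08\x33\xdb"
SHARED_B = b"CCS_3_BaseStub_v1.0"  # constructed marker, not a real artefact
SAMPLE_ATM = b"\x00" * 7 + SHARED_A + b"filler-atm-" * 3 + SHARED_B + b"\xff" * 5
SAMPLE_DTRACK = b"other-prefix" + SHARED_B + b"\x90" * 9 + SHARED_A + b"tail"
UNRELATED = b"\x4d\x5a\x90\x00" + b"unrelated sample bytes" * 4


def shared_sequences(a: bytes, b: bytes, min_len: int = MIN_LEN) -> list[bytes]:
    """Return maximal runs of at least min_len bytes present in both a and b.

    Classic longest-common-substring DP with a rolling row: cur[j] is the
    length of the common run ending at a[i-1] / b[j-1]. A run is recorded
    only when it cannot be extended by one more byte, so sub-runs of a
    longer match are not emitted separately. Ordered by first offset in a.
    """
    found: dict[bytes, int] = {}
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] != b[j - 1]:
                continue
            run = prev[j - 1] + 1
            cur[j] = run
            extendable = i < len(a) and j < len(b) and a[i] == b[j]
            if run >= min_len and not extendable:
                found.setdefault(a[i - run:i], i - run)
        prev = cur
    return sorted(found, key=found.__getitem__)


def to_yara(rule_name: str, seqs: list[bytes], min_match: int = 1) -> str:
    """Render the shared runs as hex strings in a YARA rule text."""
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for n, seq in enumerate(seqs):
        hex_bytes = " ".join(f"{byte:02x}" for byte in seq)
        lines.append(f"        $s{n} = {{ {hex_bytes} }}")
    lines += ["    condition:", f"        {min_match} of them", "}"]
    return "\n".join(lines)


def matches(seqs: list[bytes], data: bytes, min_match: int = 1) -> bool:
    """Plain-Python stand-in for running the rule: count substring hits."""
    return sum(seq in data for seq in seqs) >= min_match


if __name__ == "__main__":
    seqs = shared_sequences(SAMPLE_ATM, SAMPLE_DTRACK)
    print(to_yara("dtrack_shared_example", seqs, min_match=2))
    print("unrelated sample hits:", matches(seqs, UNRELATED, min_match=2))
```

Requiring `2 of them` rather than a single hit is the usual way to keep a rule built from short code runs from firing on unrelated binaries that happen to share a common function prologue; the generated rule text can be fed to `yara` or `yara-python` unchanged.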