Tag Archive for: actor

Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware


Adware and other unwanted and potentially risky applications continue to represent the biggest threat that users of mobile devices currently face. But that doesn’t mean attackers aren’t constantly trying to deploy other sophisticated mobile malware as well.

The latest example is “SandStrike,” a booby-trapped VPN application for loading spyware on Android devices. The malware is designed to find and steal call logs, contact lists, and other sensitive data from infected devices; it can also track and monitor targeted users, Kaspersky said in a report this week.

The security vendor said its researchers had observed the operators of SandStrike attempting to deploy the sophisticated spyware on devices belonging to members of Iran’s Baha’i community, a persecuted, Persian-speaking minority group. But the vendor did not disclose how many devices the threat actor might have targeted or succeeded in infecting. Kaspersky could not be immediately reached for comment.

Elaborate Social Media Lures

To lure users into downloading the weaponized app, the threat actors have established multiple Facebook and Instagram accounts, all of which purport to have more than 1,000 followers. The social media accounts are loaded with what Kaspersky described as attractive, religious-themed graphics designed to grab the attention of members of the targeted faith group. The accounts often also contain a link to a Telegram channel that offers a free VPN app for users wishing to access sites containing banned religious materials.

According to Kaspersky, the threat actors have even set up their own VPN infrastructure to make the app fully functional. But when a user downloads and uses SandStrike, it quietly collects and exfiltrates sensitive data associated with the owner of the infected device.

The campaign is just the latest in a growing list of espionage efforts involving advanced infrastructure and mobile spyware — an arena that includes well-known threats like NSO Group’s notorious Pegasus spyware along with emerging problems like Hermit.

Mobile Malware on the Rise

The booby-trapped SandStrike VPN app is an example of the growing range of malware tools being deployed on mobile devices. Research that Proofpoint…


North Korean cyberespionage actor Lazarus targets energy providers with new malware



Lazarus, also known as Hidden Cobra or Zinc, is a nation-state cyberespionage threat actor originating from North Korea, according to the U.S. government. The threat actor has been active since 2009 and has often switched targets over time, probably in line with nation-state interests.

Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries, including the U.S. It also targeted selected entities serving strategic sectors such as aerospace and military equipment.

The threat actor is now aiming at energy providers, according to a new report from Cisco Talos.


Attack modus operandi

Lazarus often uses very similar techniques from one attack to the next, as shown by Talos (Figure A).

Figure A: Full attack scheme from the current Lazarus operation (image: Cisco Talos).

In the campaign reported by Talos, the initial vector of infection is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.

Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.

Talos has witnessed three variants of the attack, each deploying a different set of malware: VSingle alone, VSingle together with MagicRAT, or a new malware dubbed YamaBot.

The variants also involve other tools, such as Mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, and reverse tunneling tools such as Plink.

Lazarus also checks for installed antivirus software on endpoints and disables Windows Defender antivirus.

The attackers also copy parts of the Windows Registry hives for offline analysis and possible exploitation of credentials and policy information, and gather information from Active Directory before creating their own high-privileged users. These users are removed once the attack is fully in place, along with temporary tools, and the Windows Event logs are cleared.

At this point, the attackers then take their time to explore the systems, listing multiple folders and putting those of particular interest, mostly proprietary intellectual property, into a RAR archive file for…


“Unpatchable” hardware flaw. Nation-state conflict in cyberspace. Threat actor Aoqin Dragon has been operating since 2013.


Dateline

Ukraine at D+106: Cyber ops and escalation. (The CyberWire) An artillery war in the Donbas. Russia warns that Western, especially US, “aggression and encouragement of banditry” in cyberspace risks escalation into full combat, and that Washington can be sure that Moscow will retaliate. Beijing issues a similar warning, with special mention of the risks small countries assume when they accept American cybersecurity aid. Canada is on “high alert” for Russian cyberattacks. And Mr. Putin identifies with Tsar Peter the Great.

Live updates | Ukraine: Russia still attacking eastern city (AP NEWS) The Ukrainian army says Kyiv’s forces continue to frustrate Russian attempts to take the fiercely contested eastern city of Sievierodonetsk. “The occupiers, with the help of motorized rifle units and artillery, conducted assault operations in the city of Sievierodonetsk.

‘Dead Cities’ Become the Flashpoint for the Fierce War in the East (New York Times) President Volodymyr Zelensky has framed the battle in Sievierodonetsk as pivotal to the broader fight for the Donbas. Amid relentless Russian attacks, Ukraine holds on and waits for Western weapons.

Key city’s fate in balance as fighting rages in east Ukraine (AP NEWS) Russian forces pounded an eastern Ukrainian city Thursday and the two sides waged pitched street battles that Ukrainian President Volodymyr Zelenskyy said could determine the fate of the critical Donbas region.

UK says Mariupol at risk of cholera outbreak (Reuters) Ukraine’s southern city of Mariupol is at risk of a major cholera outbreak as medical services are likely already near collapse, Britain’s defence ministry said on Friday.

We’re almost out of ammunition and relying on western arms, says Ukraine (the Guardian) Exclusive: Deputy head of military intelligence says it’s an artillery war now and ‘everything depends on what the west gives us’

Live Updates: Ukraine’s Pleas Grow Louder as Soldiers Are Outgunned and Putin Talks of Empire (New York Times) As Ukrainian soldiers try to hold on in the besieged city of Sievierodonetsk, President Volodymyr Zelensky said that his country must not be forced to stay in a “gray zone” and that it needed more weapons…


Chinese threat actor targets Nepal, the Philippines, and Taiwan. New malware delivery technique. New Trojan can livestream victim’s screen.


At a glance.

  • Chinese threat actor targets Nepal, the Philippines, and Taiwan.
  • SideCopy goes after Indian entities.
  • New malware delivery technique.
  • New Trojan can livestream victim’s screen.

Chinese threat actor targets Nepal, the Philippines, and Taiwan.

Recorded Future’s Insikt Group is tracking a suspected Chinese government threat actor that’s “targeting telecommunications, academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and more historically, Hong Kong.” Specifically, the campaign targeted the Industrial Technology Research Institute (ITRI) in Taiwan, Nepal Telecom, and the Department of Information and Communications Technology in the Philippines. The researchers emphasize the significance of targeting the ITRI:

“In particular, the targeting of the ITRI is notable due to its role as a technology research and development institution that has set up and incubated multiple Taiwanese technology firms. According to the ITRI’s website, the organization is particularly focused on research and development projects related to smart living, quality health, sustainable environment, and technology, many of which map to development priorities under China’s 14th 5-year plan, previously highlighted by Insikt Group as likely areas of future Chinese economic espionage efforts. In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs.”

SideCopy goes after Indian entities.

Cisco Talos is watching a campaign by the SideCopy APT targeting Indian government personnel. The threat actor, whose activity resembles that of Transparent Tribe (APT36), has incorporated new custom and commodity malware into its operations:

“Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware “CetaRAT.” SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT. “Recent activity from the group, however, signals a boost in…
