Search This Blog

Showing posts with label APT. Show all posts

Researchers Spotted Two Android Spyware Linked to Confucius

 

Researchers at cybersecurity firm Lookout have published information on two recently discovered Android spyware families utilized by an advanced persistent threat (APT) group named Confucius. Lookout said that two malware strains, named Hornbill and SunBird, have been linked to Confucius, a group thought to be state-sponsored and to have pro-India ties. 

First detected in 2013, Confucius has been linked to assaults against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies. “Hornbill and SunBird have both similarities and differences in the way they operate on an infected device” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.” 

The team's analysis of the malware recommends that Hornbill is based on MobileSpy, a commercial stalker ware application for remotely observing Android gadgets that were retired in 2018. SunBird, however, seems to have a comparable codebase to BuzzOut, an old type of spyware created in India. Confucius was known to have utilized ChatSpy for surveillance purposes back in 2017, yet it is felt that both Hornbill and SunBird originated before this malware. There doesn't appear to be any new campaigns utilizing SunBird–accepted to have been in active development between 2016 and early 2019; in any case, Hornbill has been found in a rush of assaults dating from December 2020. 

Both malware variations, however, can steal information including gadget identifiers, call logs, WhatsApp voice notes, contact records, and GPS location information. Also, they can request administrator privileges on an undermined gadget, take screenshots and photographs, and record sound both when calls are taking place or just as environmental noise. SunBird's abilities go past Hornbill's as this malware is likewise ready to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and pictures. SunBird will likewise attempt to upload stolen information to a command-and-control (C2) server at more normal spans than Hornbill.

Spy Campaign: SideWinder APT Leverages South Asian Border Disputes


The SideWinder advanced persistent threat (APT) group, which seems to be active since 2012, now has started a new malicious activity, wherein the threat actors are leveraging the rising border disputes between developing states namely India-China, India-Nepal, and Nepal-Pakistan. 

The aim of this phishing and malware initiative is to gather sensitive information from its targets, mainly located in two territories, Nepal and Afghanistan. A recent study says the SideWinder group primarily targets victims in South Asia and its surroundings, interestingly this latest campaign is no exception. 

According to the researchers, this phishing and malware initiative is targeting multiple government and military units for countries in the region. The Nepali Ministries of Defense and Foreign Affairs, the Nepali Army, the Afghanistan National Security Council, the Sri Lankan Ministry of Defense, the Presidential Palace in Afghanistan are its prime targets, to name a few. 

Malicious actors are targeting Webmail login pages aimed at harvesting credentials. Actual webmail login pages were copied from their victims and subsequently are being used for phishing, as per the Trend Micro researchers. For instance, “mail-nepalgovnp[.]duckdns[.]org”,  which appears the legitimate domain of Nepal's government, however, it is just tricking people into believing so. 

The Catch

When the users “log in”, they are either directly sent to the actual login pages or redirected to different news pages, documents, which can be related either to political fodder or COVID-19. Researchers noted that some of the pages also include articles titled “China has nothing to do with India, India should see that. Similarly, many articles are being used which includes hot topics from recent ongoing issues between states. 

Cyber Espionage: No Limits? 

"We also found multiple Android APK files on their phishing server. While some of them are benign, we also discovered malicious files created with Metasploit," researchers wrote on Wednesday. They also identified several Android APK files on the phishing server, some of these files were made using Metasploit. 

Reportedly, SideWinder is a very proactive group that made headlines for attacking mobile devices via Binder exploit. This Year many states were being attacked, namely Bangladesh, China, and Pakistan, using files of Corona Virus. 


Updated Malware: Vietnamese Hacking Group Targeting MacOS Users

 

Researchers have discovered a new MacOS backdoor that steals credentials and confidential information. As cyber threats continue to rise, the newly discovered malware is believed to be operated by Vietnamese hacking group OceanLotus, colloquially known as APT 32. Other common names include APT-C-00, SeaLotus, and Cobalt Kitty. 
 
The nation-state backed hacking group has been operating across Asia and is known to target governments, media organizations, research institutes, human rights organizations, corporate sector, and political entities across the Philippines, Laos, Vietnam, and Cambodia. Other campaigns by the hacking group also focused on maritime construction companies. Notably, OceanLotus APT also made headlines for distributing malware through Apps on Google Play along with malicious websites. 
 
The attackers found the MacOS backdoor in a malicious Word document that supposedly came via an email. However, there is no information regarding the targets that the campaign is focusing on. In order to set the attack into motion, the victims are encouraged to run a Zip file appearing to be a Word document (disguised as a Word icon). Upon running the Zip file, the app bundled in it carrying the malware gets installed; there are two files in it, one is the shell script and another one is the Word file. The MacOS backdoor is designed by attackers to provide them with a window into the affected system, allowing them to steal sensitive data.

"Like older versions of the OceanLotus backdoor, the new version contains two main functions: one for collecting operating system information and submitting this to its malicious C&C servers and receiving additional C&C communication information, and another for the backdoor capabilities," TrendMicro explained in a blogpost. 

In an analysis, Researchers told, “When a user looks for the fake doc folder via the macOS Finder app or the terminal command line, the folder’s name shows ‘ALL tim nha Chi Ngoc Canada.doc’ (‘tìm nhà Chị Ngọc’ roughly translates to ‘find Mrs. Ngoc’s house’).”

“However, checking the original .zip file that contains the folder shows three unexpected bytes between ‘.’ and ‘doc’.”


Microsoft discovers Vietnamese Govt sponsored threat actor deploying cryptocurrancy malware

Microsoft on Monday claimed that Vietnamese government-backed hackers have been behind the cryptocurrency-mining malware campaign.

These state-run cyberspies have started additional activities of gaining financial aid along with running government-backed projects. Similar groups have been already reported from Russia, China, and Korea making it difficult to determine whether the campaign is for intelligence gathering or capital gain.  
Discovered by Microsoft Security Intelligence, Bismuth based in Vietnam also known as APT32 and OceanLotus has been active since 2012 doing backhand work for the government like hacking and data/info gathering for political, economic, and foreign policy matters. But, recently Microsoft observed a transformation in their activities earlier in the year.

 "In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam," Microsoft said in their blog.

Microsoft suspects two theories behind this change: 

One of the reason could be to avoid suspicion and throw light over random crimes like crypto-mining malware and hide their cyber-espionage pursuits. This tactic will help them disguise and decrease security responses. 

Another and the more likely reason Microsoft believes is - it is what it looks like. These groups as they have total immunity from the government are expanding into gaining revenue from the systems they already went through during their spying operations. 

 Crypto-miners usually are suspected to be cybercriminals and not government-sponsored threat actors and are also not taken into account by security in normal routine checkups. But, these APT from the Chinese, Russian, Iranian, and North Korean state have started upside businesses of gaining capital via tactics like crypto-mining. 

 The reason being, since these groups are state-sponsored, they have total immunity. In-home state, they help the government and these countries doesn't have extradition treaties with the US, they can do anything with little or no consequence.

Chinese State-Sponsored Hackers Exploiting Zerologon Vulnerability

 

Chinese state-sponsored threat actors have been observed exploiting the Zerologon vulnerability in a global campaign targeting businesses from multiple industries in Japan and 17 other regions across the world including the United States and Europe. The attacked industries include engineering, automotive, managed service providers, and pharmaceutical. 

According to the information gathered by Symantec’s Broadcom division, these attacks have been attributed to the Cicada group also known as APT10, Cloud Hopper, or Stone Panda. 
 
The attackers are known for their sophistication, in certain cases, they were recorded to have hidden their suspicious acts effectively and remained undetected while operating for around a complete year. Previously, the state-backed actors have stolen data from militaries, businesses, and intelligence, and seemingly, Japanese subsidiaries are their newly found target. 
 
The links between the attacks and Cicada have been drawn based on the similar obfuscation methods and shellcode on loader DLLs to deliver malicious payloads, being used as noticed in the past along with various other similarities like living-off-the-land tools, backdoor QuasarRAT final payloads commonly employed by the hacking group. 
 
"The initial Cloud Analytics alert allowed our threat hunting team to identify further victims of this activity, build a more complete picture of this campaign, and attribute this activity to Cicada," Symantec said in their report. 
 
"The companies hit are, in the main, large, well-known organizations, many of which have links to Japan or Japanese companies, which is one of the main factors tying the victims together," the report further read. 
 
In September, Iranian-sponsored hacking group MuddyWater (MERCURY and SeedWorm) was seen to be actively exploiting Zerologon vulnerability. Another hacking group that exploited Zerologon was the financially-motivated TA505 threat group, also known as Chimborazo.
 
"The affected companies are from manufacturing, construction, and government-related industries, with top victims having around $143 billion, $33 billion and $2 billion yearly revenue," as per a report published by KELA, an Israel based Cybersecurity organization. 

"[M]ore and more threat actors, Advanced APT group and nation-state actors are considering Japanese organizations as valuable targets and are actively attacking them via opportunistic and targeted attacks," KELA further added.

Hackers Use Backdoor to Infiltrate Governments and Companies, Motive, not Money.


According to findings by cybersecurity firms Avast and ESET, an APT (Advanced Persistent Threat) cyberattack targeted companies and government authorities in Central Asia, using backdoors to gain entry into company networks for a long period. The targets involved telecom companies, gas agencies, and one government body in Central Asia. APT attacks, unlike other cyberattacks, don't work for money profits but have different motives.


According to cybersecurity experts, APT attacks are state-sponsored, and their purpose is to get intel on politics and inside information, not money. According to research findings, the hackers responsible for the APT attack in Central Asia is a group from China that uses RAT (Remote Access Tools). The attack was not their first, as experts believe that the same group was responsible for the 2017 cyberattacks against the Russian military and the Belarusian government.

APT attacks remain lowkey 

Unlike ransomware attacks that are famous for infiltrating the company networks, involving some top IT companies, the APT actors like to stay out of the radar and remain unnoticed. The motive of these attacks is not blackmail by having sensitive information. These attacks aim to remain unnoticed for as long as possible, as it allows hackers to have access to the company's network and data. Experts say that they currently don't have substantial evidence about the data that was deleted or manipulated. After the attack, the hackers part away as to avoid any suspicion or identification. Confidential info like Espionage, government policies, and trade, is what these hackers are after.

The cyberattacks are on the rise due to people working from home, giving opportunities to hackers. It has been very tough to protect users from malware attacks in the current times, due to millions of malware. The reason is the COVID-19 pandemic, and the best chance to stay safe from hackers is to be on alert after the pandemic ends. Users should check every link they get, before opening it or passing it to someone else. People working from home should keep their systems and device updated, along with the applications.

China Alleges India for Cyber-attacks Amid the Coronavirus Outbreak. Demands International Cooperation.


China, who is currently battling against the deadly coronavirus epidemic said last Friday that it needs international support from countries across as it is in the midst of an 'exceptional' and 'full-on war' against the deadly virus. The statement arrived after reports of local media claimed that cybercriminals from India had attacked the Chinese hospitals during the coronavirus epidemic. "It appears that Indian hackers had attacked regional health institutes and Chinese hospitals while China was busy fighting the coronavirus epidemic," said a Chinese cybersecurity firm in a statement.


"We have proof that hackers from India attacked Chinese health institutes using 'phishing' e-mails technique," said 360 Technology, a Chinese tech company, in a conversation with a national newspaper, Global Times. In acknowledgment of the comments made, the foreign ministry of China said: "We have to come to this conclusion after considering various reports of local media." "A country which is strictly opposed to cyber hacking of any kind, China, a significant cybersecurity nation, has currently become a victim of hacking," said Hua Chunying, spokesperson, Foreign Ministry of China, last Friday, without mentioning India in the statement.

"It is in these times of misery, that we believe all the countries across the globe should come together as one to fight against this major problem of cyber attacks and hacking. It is only after this would we be able to maintain a safe, secure and helpful cyber world," said Chunying via an e-press conference. She further says: "It is a matter of great concern for China as we are currently amid a crisis of battling a deadly epidemic. Witnessing the current public health emergency, the nations should cooperate to battle this issue."

"Indian hackers have been launching APTs (Advanced Persistent Threat) and attacking Chinese health institutes by sending phishing e-mail schemes," said the company to Global Times. "A suspected group of hackers from India named 'Bitter' have launched APT cyberattacks since March 2019, targeting the Chinese health institutes and research centers, and also the Ministry of Foreign Affairs," said an opinion column from Global Times.

Another Chinese state-sponsored hacking groups discovered - would be the fourth one to be found


A group of cyber security analyst, Intrusion Truth have found their fourth Chinese state-sponsored hacking operation APT 40.
"APT groups in China have a common blueprint: contract hackers and specialists, front companies, and an intelligence officer," the Intrusion Truth team said. "We know that multiple areas of China each have their own APT."
APT stands for Advanced Persistent Threat and is used to describe government supported and sponsored hacking groups. 

Intrusion Truth has previously exposed three government supported APTs, APT3 (believed to operate out of the Guangdong province), APT10 (Tianjin province), and APT17 (Jinan province),  they have now doxed APT40, China's cyber apparatus in the state of Hainan, an island in the South China Sea.

In a blog post, they said they've discovered 13 companies that serve as a front for APT activists. These companies use offline details, overlapping contacts and no online presence except to recruit cyber experts. 

"Looking beyond the linked contact details though, some of the skills that these adverts are seeking are on the aggressive end of the spectrum," the Intrusion Truth team said.

"While the companies stress that they are committed to information security and cyber-defense, the technical job adverts that they have placed seek skills that would more likely be suitable for red teaming and conducting cyber-attacks," they further said. 

APT40 RECRUITMENT MANAGED BY A PROFESSOR

Intrusion Truth was able to link all these companies mentioned above to a single person, a professor in the Information Security Department at the Hainan University.

One of the 13 companies was even headquartered at the university's library. This professor was also a former member of China's military. 

"[Name redacted by ZDNet] appeared to manage a network security competition at the university and was reportedly seeking novel ways of cracking passwords, offering large amounts of money to those able to do so," the anonymous researchers said.Intrusion Truth are pretty credible and have a good track record, US authorities have investigated  two of their three APT expose.