THREAT ALERT 🚨 WEEKLY THREAD

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a variety of cyber operations across multiple regions around the world.
The threat actor was discovered targeting the Iranian telecommunications and diplomatic sectors with the Turian backdoor.
The backdoor is packed with VMProtect to obfuscate the Application Programming Interface (API), thus making analysis difficult.
The malware contains a wide range of capabilities from spawning reverse shells to executing commands from the command-and-control server.

🚨

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil.
The actor has been active since 2021 deploying variants from the Hello Kitty, Five Hands, and Zeppelin ransomware families.
In late 2022 the adversary developed and deployed their own custom ransomware known as PolyVice.
The malicious software not only encrypts files but also exfiltrates sensitive data and deletes volume shadow copies to hinder recovery.

🚨

US Cert Alert - Alert (AA23-025A) Protecting Against Malicious Use of Remote Monitoring and Management Software

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity.
For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors.
This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors-from cybercriminals to nation-state sponsored APTs-are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).

🚨

EMOTET MALWARE MAKES A COMEBACK WITH NEW EVASION TECHNIQUES

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.
The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.
Two latest additions to Emotes's module arsenal comprise an SMB spreader that's designed to facilitate lateral movement using a list of hard-coded usernames and passwords and a credit card stealer that targets the Chrome web browser.

🚨

DragonSpark

The DragonSpark attacks represent the first concrete malicious activity where Analysts observe the consistent use of the open-source SparkRAT, a relatively new occurrence on the threat landscape.
SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors.
Analysts observed that the threat actor behind the DragonSpark attacks uses Golang malware that interprets embedded Golang source code at runtime as a technique for hindering static analysis and evading detection by static analysis mechanisms.
This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations.

🚨

PLAY RANSOMWARE

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not been used by any ransomware before.
The malware uses the generic RSA-AES hybrid cryptosystem to encrypt files.
PLAY's execution speed is pretty average since it uses a depth-first traversal algorithm to iterate through the file system.
Despite launching a separate thread to encrypt each file, this recursive traversal hinders its performance significantly.
 

🚨

GAMAREDON ABUSES TELEGRAM TO TARGET UKRAINIAN GOVERNMENT ORGANIZATIONS
The Gamaredon APT group was discovered targeting Ukrainian government entities using the Telegram messaging service to avoid traditional network detection.
The Telegram messaging application was used in several stages, from victim profiling to delivering the final payload.
The initial infection vector was weaponized spear-phishing documents written in the Russian and Ukrainian languages.
The threat actor exploited a remote template injection vulnerability to compromise adversarial infrastructure with malware and bypass Microsoft Word macro protection.
After the malicious document was opened, the malware downloaded a Visual Basic script from a specific address that connected to a Telegram account to get additional instructions.

🚨

NEEDLEDROPPER: A NEW DROPPER-AS-A-SERVICE UNCOVERED

Avast's Threat Research Team has since October 2022 been observing a new strain of dropper malware, which they referred to as "NeedleDropper" due to how it stores the data to be dropped into the victim's device.

Within itself, it stores several files that are used to drop and load the malware and some files to hide its execution.
Furthermore, within the malicious files, it mixes a large amount of unimportant or unused data together with the data necessary for the malicious payload, this is done with the intent of hampering analysis.

Avast's Threat Research Team believes that the developers behind the NeedleDropper adopted the "-as-a-service" business model and are sold in hacking forums as a way for potential buyers to hide their final payload.

🚨

AURORA STEALER LEVERAGES SHAPESHIFTING TACTICS AND POPULAR APPLICATIONS TO TARGET USERS

A threat actor was discovered mimicking legitimate websites to host and deliver the 9002 RAT, also known as Aurora, Hydraq, and McRat.
Binary padding, system checks, and obfuscation were used in an attempt to evade antivirus software detection.
The malicious software exfiltrates a range of data including system information and data from web browsers, crypto wallets, and specific user directories.