LuminousMoth targets the Philippines and Myanmar. Microsoft ...

Summary

By the CyberWire staff

At a glance.

LuminousMoth targets the Philippines and Myanmar.

Microsoft and Citizen Lab track spyware vendor.

Trickbot updates.

LuminousMoth targets the Philippines and Myanmar.

Researchers at Kaspersky are tracking a "large-scale and highly active campaign" launched by a suspected Chinese threat actor primarily active against targets in the Philippines, with some targets in Myanmar. The researchers observed overlaps with the Chinese threat actor Mustang Panda, and they emphasize the malware's ability to spread via USB drives:

"Further analysis revealed that the underlying actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda. This is evident in both network infrastructure connections, and the usage of similar TTPs to deploy the Cobalt Strike Beacon as a payload. In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth.

"Most notably though, we observed the capability of the culprit to spread to other hosts through the use of USB drives. In some cases, this was followed by deployment of a signed, but fake version of the popular application Zoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems. The sheer volume of the attacks raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering hole or a supply chain attack."

Microsoft and Citizen Lab track spyware vendor.

Microsoft, working with researchers at the University of Toronto's Citizen Lab, has been tracking activity by a threat actor dubbed "SOURGUM," which Redmond believes is an "Israel-based private-sector offensive actor." Citizen Lab says the threat actor is a Tel Aviv-based company called "Candiru" that sells spyware to government customers. Microsoft notes that the spyware has targeted victims around the world:

"Microsoft has identified over 100 victims of SOURGUM’s malware, and these victims are as geographically diverse as would be expected when varied government agencies are believed to be selecting the targets. Approximately half of the victims were found in Palestinian Authority, with most of the remaining victims located in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore. To be clear, the identification of victims of the malware in a country doesn’t necessarily mean that an agency in that country is a SOURGUM customer, as international targeting is common."

Microsoft adds that the spyware is distributed by links sent via messaging apps, and it used two now-patched Windows exploits to achieve privilege escalation:

"SOURGUM appears to use a chain of browser and Windows exploits, including 0-days, to install malware on victim boxes. Browser exploits appear to be served via single-use URLs sent to targets on messaging applications such as WhatsApp.

"During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits."

Trickbot updates.

Researchers at Bitdefender have found that Trickbot is now using a new version of its Virtual Network Computing (VNC) module:

"As of May 12, 2021, our monitoring systems started to pick up an updated version of the vncDll module used by Trickbot against select high-profile targets. This module is known as tvncDll and is used for monitoring and intelligence gathering. It seems to be still under development, since the group has a frequent update schedule, regularly adding new functionalities and bug fixes."

And Cofense describes a recent Trickbot phishing campaign that's targeting "companies in the retail, building materials, manufacturing, insurance and construction industries":

"TrickBot is now looking to score a hat trick on SEGs (secure email gateways) by utilizing three new components in its infection chain. This campaign delivers DOCX files that exploit the CVE-2017-0199 vulnerability. Employees are advised to never enable macros when they open Office documents, but this CVE leverages an embedded link that will immediately call out to a DOT payload, bypassing normal security checks. This new file includes a VBS script that will download the final executable."
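A defender-side check for the delivery pattern Cofense describes (a DOCX whose embedded link pulls a remote DOT template, the CVE-2017-0199 technique), written as an added example and not code from Cofense or the CyberWire: it unpacks the DOCX zip and flags relationship entries with TargetMode="External" whose type Word resolves when the document opens (attachedTemplate, oleObject, frame), while leaving ordinary external hyperlinks unflagged. The relationship XML and the example.invalid URLs below are constructed test data.

```python
"""Flag DOCX files carrying external template/OLE relationships (CVE-2017-0199 style)."""
import io
import re
import zipfile

# Relationship types whose external Target Word fetches on open; a plain
# hyperlink is also "External" but is only followed when the user clicks it.
RISKY_REL_TYPES = ("/attachedTemplate", "/oleObject", "/frame")

REL_RE = re.compile(r"<Relationship\b[^>]*>", re.I)   # one <Relationship .../> element
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')               # attribute="value" pairs


def external_relationships(docx_bytes: bytes) -> list:
    """Return every TargetMode="External" relationship found in any .rels part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for rel in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(rel))
                if attrs.get("TargetMode", "").lower() != "external":
                    continue
                rel_type = attrs.get("Type", "")
                hits.append({
                    "part": name,
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": attrs.get("Target", ""),
                    "risky": rel_type.endswith(RISKY_REL_TYPES),
                })
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    """True when any external relationship is of a type Word auto-resolves."""
    return any(h["risky"] for h in external_relationships(docx_bytes))


def build_sample(rels_xml: str) -> bytes:
    """Construct a minimal DOCX-shaped zip for testing (constructed, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()
```

Real documents may place an attachedTemplate relationship in word/_rels/settings.xml.rels rather than document.xml.rels; the scanner reads every .rels part, so the location does not matter.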

Selected Reading

TrickBot | Office Macros, VBS & CVEs Highlight TrickBot’s Debut (Cofense) TrickBot is now looking to score a hat trick on SEGs (secure email gateways) by utilizing 3 new components in its infection chain. Learn more.

Thousands of Artists and Customers Exposed in Online Artwork Management Platform Data Breach (WizCase) WizCase’s team of ethical hackers, led by Ata Hakçıl, has found a major breach in online art retail platform Artwork Archive. This breach compromised users’ names, surnames, email addresses, physical addresses, and other sensitive information. Thousands of artists, collectors and their customers were left vulnerable. There was no need for a password or login ...

Brand Phishing Report Q2 2021: Microsoft Continues Reign (Check Point Software) Check Point Research issues Q2 Brand Phishing Report, highlighting the leading brands that hackers imitated in attempts to lure people into giving up

June 2021’s Most Wanted Malware: Trickbot Remains on Top (Check Point Software) Check Point Research reports that Trickbot, often used in the initial stages of ransomware attacks, is the most prevalent malware for the second month

Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus (The Citizen Lab) Candiru is a secretive Israel-based company that sells spyware exclusively to governments. Using Internet scanning, we identified more than 750 websites linked to Candiru’s spyware infrastructure. We found many domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society themed entities.

Protecting customers from a private-sector offensive actor using 0-day exploits and DevilsTongue malware (Microsoft Security Blog) The Microsoft Threat Intelligence Center (MSTIC) alongside the Microsoft Security Response Center (MSRC) has uncovered a private-sector offensive actor, or PSOA, that we are calling SOURGUM in possession of now-patched, Windows 0-day exploits (CVE-2021-31979 and CVE-2021-33771).

Trickbot Activity Increases; new VNC Module On the Radar (Bitdefender) Trickbot has been around since late 2016, when it appeared in the form of a banker and credential-stealing application. Drawing inspiration from Dyre (or Dyreza), Trickbot consists of an ecosystem of plugin modules and helper components. The Trickbot group, which has infected millions of computers worldwide, has recently played an active role in disseminating ransomware. We have been reporting on notable developments in Trickbot’s lifecycle, with highlights including the analysis in 2020 of one

Evade Sandboxes With a Single Bit – the Trap Flag (Unit42) Unit 42 has discovered a specific single bit (Trap Flag) in the Intel CPU register that can be abused by malware to evade sandbox detection.

Remcos RAT delivered via Visual Basic (Malwarebytes Labs) We review a malware distribution campaign via malspam involving the Remcos remote access Trojan.
