Weekly Cyber-Intelligence Trends and Advisory – 12 Feb 2022

Threat Actor in Focus – Palestinian-Aligned Advanced Persistent Threat (APT) Actor Leverages NimbleMamba

Suspected Threat Actors: TA402 (aka Operation Molerats, Gaza Cyber gang, Molerats)

  • Attack Type: Malware Implant, Spear-Phishing
  • Objective: Espionage, Unauthorized Access, Intellectual Property Theft, Malware Implant
  • Target Technology: Microsoft Windows
  • Target Industry: Government
  • Target Geography: Middle East
  • Business Impact: Data Loss

Researchers recently observed a new campaign by the APT group TA402 deploying a new malware implant called NimbleMamba against Middle Eastern countries, state-affiliated airlines, and foreign-policy think tanks. TA402 is a Palestine-aligned, politically motivated group known for constantly updating its malware arsenal and delivery methods. The campaign is sophisticated: it uses geofencing and URL redirects to trustworthy sites to evade detection, and it distributes the malware through specially crafted spear-phishing emails carrying malicious links.

Researchers noticed several variants of the attack chain in this campaign, each leading to a malicious RAR file containing one or more malicious compressed executables. These executables include a new TA402 implant named NimbleMamba, which has sometimes been seen dropping an additional trojan, BrittleBush. NimbleMamba is considered a replacement for the LastConn implant reported in June 2021, which in turn was an updated version of the “SharpStage” malware noticed on Dec 20. To ensure that every victim is within the group’s target region, NimbleMamba uses guardrails; Dropbox APIs are used both for exfiltration and for command and control. It is written in C#/.NET and obfuscated with SmartAssembly to hinder detection and analysis. NimbleMamba also has anti-analysis capabilities against both manual and automated analysis, including virtual-machine checks.

The researchers attribute this campaign specifically to TA402 based on technical indicators as well as the targeted region. TA402 is a Palestine-aligned, politically motivated APT group that has operated since 2012 and has historically targeted the Middle East, Europe, and the US.

Researchers observed three variants of the campaign; each variant of the attack chain led to a malicious RAR file containing the malware implant:

  1. In the first variant, observed on Nov 21, TA402 impersonated the Quora website and used a threat actor-controlled Gmail account and domain. The malicious URLs embedded in the spear-phishing emails are geofenced to the targeted countries: if the victim’s IP address falls within the targeted region, the URL redirects to the download of a malicious RAR file containing the latest malware implant; otherwise it redirects to a legitimate news site.
  2. Researchers observed the second variant in Dec 2021, wherein TA402 continued to use a threat actor-controlled Gmail account but redirected victims to a Dropbox URL to deliver the malicious RAR files containing NimbleMamba. They also observed that the Dropbox account was used not only for delivering NimbleMamba but also for command and control.
  3. In the latest campaign, TA402 continues to use specially crafted messages to lure the targeted victims and, in addition, uses a threat actor-controlled WordPress URL that impersonates a legitimate news aggregator; its purpose is to redirect the victim to the malicious RAR download site if the victim’s IP address is from the targeted region.
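All three variants hinge on the same trick: the link resolves to the RAR payload only when fetched from an IP address inside the targeted region, and to a legitimate news page otherwise, so a single out-of-region sandbox fetch sees nothing wrong. The script below is an added example, not code from the advisory or from any vendor, showing how a detonation service that fetches the same link from several countries can compare the redirect chains and surface that divergence. The observations, domains and regions are constructed sample data.

```python
"""Vantage-point comparison of a suspicious link, to surface geofenced delivery.

Added example; it assumes a detonation service that fetches the same link from
several countries and records the redirect chain plus the final response's
Content-Type. All observations below are constructed, with hypothetical domains.
"""
from collections import defaultdict
from urllib.parse import urlparse

ARCHIVE_TYPES = {"application/x-rar-compressed", "application/vnd.rar",
                 "application/zip", "application/x-7z-compressed"}
ARCHIVE_EXTS = (".rar", ".zip", ".7z")

# Constructed observations: the same link fetched from an in-region (IL) and an
# out-of-region (DE) vantage point. The first link behaves differently per
# region; the second is a control that behaves the same everywhere.
OBSERVATIONS = [
    {"link": "https://news-digest.example/story?id=17", "region": "IL",
     "chain": ["https://news-digest.example/story?id=17",
               "https://files-host.example/briefing.rar"],
     "content_type": "application/x-rar-compressed"},
    {"link": "https://news-digest.example/story?id=17", "region": "DE",
     "chain": ["https://news-digest.example/story?id=17",
               "https://real-news.example/world/story-17"],
     "content_type": "text/html"},
    {"link": "https://plain-site.example/page", "region": "IL",
     "chain": ["https://plain-site.example/page"], "content_type": "text/html"},
    {"link": "https://plain-site.example/page", "region": "DE",
     "chain": ["https://plain-site.example/page"], "content_type": "text/html"},
]


def delivers_archive(obs):
    """True if the final hop served an archive, judged by Content-Type or extension."""
    final_path = urlparse(obs["chain"][-1]).path.lower()
    media_type = obs["content_type"].split(";")[0].strip().lower()
    return media_type in ARCHIVE_TYPES or final_path.endswith(ARCHIVE_EXTS)


def classify_links(observations):
    """Group observations per link and compare the outcome across vantage regions.

    Verdicts: 'geofenced' (archive in some regions, decoy page in others),
    'archive' (archive from every region), 'consistent' (non-archive everywhere),
    'insufficient' (seen from one region only, so nothing can be compared).
    """
    by_link = defaultdict(list)
    for obs in observations:
        by_link[obs["link"]].append(obs)
    verdicts = {}
    for link, group in by_link.items():
        regions = {o["region"] for o in group}
        archive_regions = {o["region"] for o in group if delivers_archive(o)}
        if len(regions) < 2:
            verdicts[link] = "insufficient"
        elif archive_regions and archive_regions != regions:
            verdicts[link] = "geofenced"
        elif archive_regions:
            verdicts[link] = "archive"
        else:
            verdicts[link] = "consistent"
    return verdicts


def geofenced_details(observations):
    """For each geofenced link, report which regions receive the payload and from where."""
    by_link = defaultdict(list)
    for obs in observations:
        by_link[obs["link"]].append(obs)
    details = []
    for link, verdict in classify_links(observations).items():
        if verdict != "geofenced":
            continue
        group = by_link[link]
        details.append({
            "link": link,
            "payload_regions": sorted(o["region"] for o in group if delivers_archive(o)),
            "payload_urls": sorted({o["chain"][-1] for o in group if delivers_archive(o)}),
            "decoy_urls": sorted({o["chain"][-1] for o in group if not delivers_archive(o)}),
        })
    return details


if __name__ == "__main__":
    for link, verdict in classify_links(OBSERVATIONS).items():
        print(f"{verdict:12} {link}")
    for finding in geofenced_details(OBSERVATIONS):
        print(finding)
```

The practical lesson is in the `insufficient` verdict: a link fetched from one region only can never be called geofenced, so link-detonation for a targeted region needs at least one in-region vantage point alongside the usual out-of-region one.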

The researchers note technical connections between the Dropbox account used to deploy NimbleMamba and to store the data it exfiltrates and the account used by the LastConn malware. There are also code similarities between the two, which leads to the conclusion that the same group is behind both.

NimbleMamba gathers information and is most probably designed for initial access. It can capture screenshots and mouse movement. To ensure that the victim is in the target region, NimbleMamba uses guardrails.

TA402 continues to be a threat to the Middle East with its highly targeted campaigns, and it keeps updating its malware arsenal, infection chains, and techniques.

ACTINIUM Hackers Group Targeting Government, Military, NGO to Steal Sensitive Data

Researchers recently reported that the hacking group known as Gamaredon (ACTINIUM) is running a streak of spear-phishing emails. In this recent activity, ACTINIUM operators were observed targeting the following Ukrainian sectors to steal sensitive data:

  • Government
  • Military
  • NGO
  • Judiciary
  • Law enforcement

ACTINIUM’s principal objectives are data collection and establishing persistence within targeted organizations in furtherance of future cyberespionage. It typically gains initial access through phishing; some of its phishing emails have impersonated the World Health Organization.

The US Deputy National Security Advisor, meanwhile, has been consulting with NATO allies to organize a coordinated response to the cyber threats Russia poses to Ukraine (and, by implication, to Ukraine’s neighbours and supporters).

Researchers have been warning for weeks and months, both publicly and privately, that cyber-attacks could be part of a broad-based Russian effort to destabilize and further invade Ukraine. The Russians understand that disabling or destroying critical infrastructure can increase pressure on the country’s government, military, and population, and accelerate its yielding to Russian objectives.

Medusa Rides Along with FluBot over a Shared Distribution Network

  • Attack Type: Smishing, Exfiltration
  • Objective: Information and Credential Stealing
  • Target Industry: Banks, Financials
  • Target Technology: Android
  • Target Geography: US, Turkey, Canada, Europe
  • Business Impact: Data Loss, Financial Loss

Researchers observed that the Medusa banking trojan is being distributed through the same smishing infrastructure used by another malware family, FluBot. Medusa uses the same icons, app names, and package names as FluBot.

FluBot is propagated through SMS messages that trick users into installing either a fake Flash Player or a missed-package-delivery app; after compromising the victim, it obtains permissions and exfiltrates banking credentials, passwords, and other information. It also sends text messages to the infected user’s contact list, which lets it spread further. Medusa followed the same steps and, masquerading as DHL, infected more than 1,500 devices in a single botnet. Medusa recently compromised users in Turkey, the U.S., and Canada. Unlike FluBot, which targets predominantly Europe, Medusa is focused on North America and Europe.

Medusa is in fact a mobile banking trojan; its capabilities include complete control over the victim’s device, keylogging, video and audio streaming, executing commands in any app installed on the device, and other banking-trojan activity such as credential theft. One of its main threats is a semi-ATS (Automated Transfer System) with an Accessibility scripting engine that lets the threat actors perform a set of actions on the victim’s behalf. Medusa receives commands from the C2 server to carry out a wide variety of tasks, including sleeping, locking the screen, taking screenshots, clicking UI elements, opening recent notifications, and listing the installed apps.

Researchers predict that, because of FluBot’s and Medusa’s success, more threat actors have adopted the same distribution strategy; there has recently been an uptick in the volume of campaigns using the same tactics.

FluBot also keeps evolving; recently added features include intercepting notifications and replying directly to push notifications, which gives the operators better control over the intercepted notifications.

Researchers observed multiple Medusa botnets running side by side with FluBot campaigns under the tags FLUVOICE, FLUFLASH, and FLUDHL. These botnets use two C2 servers to control the bots: the first is a fronting C2 to which the bots connect, and the second is the main bot-operator panel the attackers use to manage the various botnets.
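The lures described for FluBot and Medusa (a missed package from DHL, a Flash Player update) and the self-propagation through the victim’s contact list both leave patterns that an SMS gateway or a mobile threat-defence pipeline can look for. The script below is an added example, not the advisory’s or any vendor’s code: it scores individual messages by lure theme and link type, and flags a sender that has pushed the same URL to many distinct recipients. The lure keyword lists, the sample messages, the phone numbers and domains, and the mapping of lure themes to the FLUDHL, FLUFLASH and FLUVOICE tags are all this example’s own assumptions.

```python
"""Smishing triage for the package-delivery, Flash Player and voicemail lures,
plus a spreader check for a device working through its contact list.

Added example; keywords, tag mapping and sample traffic are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Lure themes, keyed by the botnet tag each theme is assumed to correspond to.
LURE_PATTERNS = {
    "FLUDHL": re.compile(r"\b(dhl|parcel|package|delivery|shipment)\b", re.I),
    "FLUFLASH": re.compile(r"\b(flash\s*player|adobe\s*flash)\b", re.I),
    "FLUVOICE": re.compile(r"\b(voicemail|voice\s*message|missed\s*call)\b", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def triage_sms(text):
    """Score one message: lure themes present, URLs found, and the resulting verdict."""
    urls = URL_RE.findall(text)
    themes = [tag for tag, pat in LURE_PATTERNS.items() if pat.search(text)]
    apk_link = any(urlparse(u).path.lower().endswith(".apk") for u in urls)
    if themes and apk_link:
        verdict = "high"        # known lure plus a direct app download
    elif themes and urls:
        verdict = "suspect"     # known lure plus a link to follow
    elif urls:
        verdict = "review"      # link without a known lure theme
    else:
        verdict = "clean"
    return {"verdict": verdict, "themes": themes, "urls": urls}


def find_spreaders(messages, min_recipients=5):
    """Return senders that pushed the same URL to at least min_recipients distinct
    recipients, the trace left when an infected device texts its contact list."""
    recipients = defaultdict(set)   # (sender, url) -> set of recipients
    for m in messages:
        for url in URL_RE.findall(m["text"]):
            recipients[(m["from"], url)].add(m["to"])
    return sorted({sender for (sender, _), rcpt in recipients.items()
                   if len(rcpt) >= min_recipients})


# Constructed sample traffic (hypothetical numbers and domains): one device
# blasting a DHL lure to six contacts, one Flash Player lure, one benign text.
SAMPLE = [
    {"from": "+10000000001", "to": f"+1000000{i:04d}",
     "text": "DHL: your package could not be delivered. "
             "Track it: http://dhl-track.example/app.apk"}
    for i in range(6)
] + [
    {"from": "+10000000002", "to": "+10000000003",
     "text": "Flash Player update needed to view the video "
             "http://flash-upd.example/install"},
    {"from": "+10000000004", "to": "+10000000005", "text": "Lunch at 12?"},
]

if __name__ == "__main__":
    for m in SAMPLE[:1] + SAMPLE[6:]:
        print(triage_sms(m["text"]))
    print("spreaders:", find_spreaders(SAMPLE))
```

Keyword matching alone will produce false positives on genuine courier notifications, which is why the verdict is only raised to `high` when the link itself points at an APK, and why the spreader check keys on sender plus URL rather than on text alone.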

Malware like Medusa is a serious threat to organizations with mobile banking apps, because the victim is exposed to on-device fraud and the malware can manipulate any input field of any app running on the victim’s device.

As malware evolves, techniques like 2FA may not be a complete solution on their own; they need to be combined with deeper threat intelligence (TI) and other security solutions.