Suspected Threat Actors: Gamaredon (aka Armageddon, Armagedon, Shuckworm, UAC-0010)
A new, ongoing campaign attributed to the Russia-linked threat actor group Gamaredon has been identified by researchers that attempts to infect Ukrainian users with info-stealing malware. The phishing emails leveraged in this campaign have Microsoft Office documents laced with remote templates containing malicious VBScript macros as an attachment and lure victims on themes of the Russian invasion of Ukraine. The malicious macros download and open a RAR archive that contains LNK files which subsequently leads to the download and activation of next-stage payload on infected systems. Beyond LNK files, PowerShell, and VBScript enabling initial access, researchers also observed attackers deploying malicious binaries in the post-infection phase. They also used a custom info-stealer implant that, as directed by attackers, exfiltrates victim files of interest and deploys additional malware.
As a result of multiple high-profile incidents, the lawmakers in European Union are aiming to protect journalists against spyware threats from member states.
The proposed European Media Freedom Act (EMFA) will put forth “strong safeguards against the use of spyware against media, journalists and their families” alongside other measures including ownership transparency and editorial independence.
Article 4 of the regulation prohibits member states from attempting to “detain, sanction, intercept, subject to surveillance or search and seizure, or inspect media service providers” and extends to family members, employees or their family members, corporate and private premises. Unless justified on grounds of national security, the regulation prohibits the installation of spyware on any device used by media service providers.
The European Commission’s Vice-President for values and transparency, highlighting recent incidents and the need for such principles to protect journalists as well as media houses, expects the proposal to be resisted by a few of the member states which may find it contrary to their interests.
On the other hand, media groups welcomed the EMFA, however, they cautioned that the measures including those against the surveillance of journalists should be expanded and strengthened.
Researchers have recently observed attackers trying to exploit both recently disclosed and older WebLogic vulnerabilities to deploy crypto-mining malware. One of the older vulnerabilities CVE-2020-14882 – still being actively exploited by attackers – is an RCE due to improper input validation in Oracle WebLogic Server. The CVE-2020-14882 affects versions 10.3.6.0.0, 188.8.131.52.0, 184.108.40.206.0, 220.127.116.11.0, and 18.104.22.168.0, and can be exploited via remote unauthenticated attacker sending a crafted HTTP request to affected servers leading to RCE. According to the researchers, multiple attackers have been observed deploying various malware families and provided technical details about Kinsing malware activity.