Suspected Threat Actors: Tropic Trooper (aka Earth Centaur, KeyBoy)
Through long-term monitoring, researchers disclosed that the Chinese APT groups conducted attackers over the past year and a half. The threat actor group appeared to target organizations in the transportation industry and government agencies related to transportation. Researchers highlight that the group tried to access flight schedules, financial plans, and other internal documents as well as any personal information from the compromised hosts. Their monitoring revealed that the group is proficient in red teaming, able to bypass security controls, keep operations unobstructed, use backdoors with different protocols, bypass network security monitoring by reverse proxy, and developed new backdoors with the help of open-source frameworks.
Researchers found a multi-stage infection process, in which vulnerable IIS and Exchange servers as an initial entry point which were later installed with web shells. Afterward, a .NET loader (detected as Nerapack) and the first stage backdoor (Quasar RAT) were deployed onto the compromised systems. Depending on the victims, the group then dropped different types of second-stage backdoors, such as ChiserClient and SmileSvr. After successfully exploiting the victim’s environments Active Directory was used for reconnaissance and using SMB to spread their tools. At last, using intranet penetration tools the group builds a connection between the victim’s intranet and their command-&-control (C2) servers. Malware and tools observed by researchers include:
Researchers highlight that this APT threat actor group is notably sophisticated and well-equipped. The analysis reveals that the group has an arsenal of tools capable of assessing and then compromising its targets while staying under the radar. The threat actor group uses backdoors with different protocols, which are deployed depending on the victim. In addition, to evade detection in a different environment, the group is capable of developing customized tools.
Researchers suspect the threat actor might expand their targets to other industries that are related to transportation. Therefore, such organizations must review and assess their security posture to protect themselves from any potential damage or compromise.
The Joker malware was once again spotted on Google Play making its way into unsuspecting users’ devices. This time, the malware was wrapped in a mobile application called Color Message offering premium SMS features which has been downloaded more than 500,000 times before it was removed from the store. The malicious app was found to offer enhanced messaging with fun emojis and screen overlays. Attackers behind this malicious app hosted brief terms and conditions on an unbranded one-page blog. As per researchers the malicious app laden with Joker malware stole contact lists over the network, automatically subscribed users to unwanted paid services, and can hide its icons from the home screen.
There have been multiple similar campaigns spotted by various researchers where the Joker malware was being propagated via multiple malicious apps on Google Play. In June 2021, Joker was spotted by researchers in 8 mobile applications which were later removed from Play Store. Similar incidents were reported in May and September making it the most active malware family on Google Play. By doing small changes in its code the malware continues to find new tricks and tactics to stay undetected from Google Play’s security controls.
Lenovo laptops, including ThinkPad and Yoga models, were found vulnerable to a privilege elevation bug in the ImControllerService service that allows attackers to execute commands with administrative privileges. The vulnerabilities tracked as CVE-2021-3922 and CVE-2021-3969 affect the ImControllerService component of all Lenovo System Interface Foundation versions below 126.96.36.199. The particular service is a component of Lenovo System Interface Foundation, which helps Lenovo devices communicate with universal apps like Lenovo Companion, Lenovo Settings, and Lenovo ID. The service is preinstalled by default on numerous Lenovo Models, including Yoga and ThinkPad devices. As per researchers, the service runs as the SYSTEM user and periodically executes child processes that perform system configuration and maintenance tasks. An attacker can elevate their privileges to that of the SYSTEM user from a user that is able to write files to the filesystem.
According to researchers, the vulnerabilities exist due to how the ImControllerService handles the execution of highly privileged child processes which allows an unprivileged attacker with local access to the system to elevate their privileges.
The vulnerable component periodically starts child processes to perform tasks. Each child process immediately opens a named pipe server to which any user on the system can connect.
The first vulnerability is a race condition between an attacker and the parent process connecting to the child process’ named pipe. An attacker using high-performance filesystem synchronization routines can reliably win the race with the parent process to connect to the named pipe.
The second vulnerability is a time-of-check to time-of-use (TOCTOU) vulnerability. When the child process is sent the command to load a plugin it first validates if the plugin is signed by Lenovo. The vulnerability exists because the child process releases all open handles to the file once the validation has succeeded and before the file is loaded. In order to increase the reliability of this attack, the attacker can use opportunistic locking (OpLocks) on a file that is accessed by the child process between the validation and the load operation. This file access is a by-product of the ImControllerService plugin loading process and is also fully under the attacker’s control. Once the OpLock is placed, the attacker can stall the loading process and replace the now validated plugin with a DLL file of the attacker’s choosing. Once the lock is released the child process loads the DLL, leading to escalation of privilege.