Weekly Intelligence Trends and Advisory | Threat Actor in Focus | Rise in Malware, Ransomware, Phishing | Vulnerability and Exploits – 9 Jan 2022

Threat Actor in Focus

BlackTech Using New Flagpro Malware to Target Japan and Others

Suspected Threat Actors: BlackTech

  • Attack Type: Malware Implant, Defence Evasion, Privilege Escalation, Spear phishing, Data Exfiltration
  • Objective: Unauthorized Access, Payload Delivery, Potential Data Theft
  • Target Technology: Microsoft Windows, Email, Microsoft Excel
  • Target Industry: Defense, Media, Communications, and others
  • Target Geography: Japan, Taiwan, and Potentially English-speaking Countries
  • Business Impact: Data Loss, Financial Loss

Researchers have recently spotted the threat actor group BlackTech leveraging Flagpro malware to target multiple Japanese firms across different industries. Researchers observed the use of both English and Chinese in this activity, which indicates that, apart from Japanese and Taiwanese targets, the threat actor group could also be targeting English-speaking countries. Flagpro, delivered via spear-phishing, is used in the initial stage of the attack chain to investigate the target environment and to download and execute a secondary payload. The spear-phishing emails carry a password-protected archive attachment that contains malicious macro-laden Excel files. Once the macro is executed, it drops Flagpro as an EXE file in the start-up directory. On the next system reboot, Flagpro executes and communicates with the command-and-control server to either receive and execute commands or execute a secondary malware.
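Detection logic for the drop step described above, added here as an example and not taken from the researchers' report: it flags Sysmon FileCreate events (Event ID 11) in which an Office process writes an executable into a Startup folder. The sample events, user names and file names are constructed, and covering Word and PowerPoint in addition to Excel is a generalisation beyond the reported case.

```python
import ntpath

# Both the per-user and the all-users Startup folders end in this path
# fragment; events are compared in lower case.
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Excel is the host named in the advisory; the others are an assumption.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com"}


def is_office_startup_drop(event):
    """True when a Sysmon FileCreate event (ID 11) shows an Office process
    writing an executable file into a Startup folder."""
    if event.get("EventID") != 11:
        return False
    image = ntpath.basename(event.get("Image", "")).lower()
    target = event.get("TargetFilename", "").lower()
    extension = ntpath.splitext(target)[1]
    return (image in OFFICE_IMAGES
            and STARTUP_MARKER in target
            and extension in EXECUTABLE_EXTS)


def find_startup_drops(events):
    """Return the dropped file paths worth triaging."""
    return [e["TargetFilename"] for e in events if is_office_startup_drop(e)]


# Constructed sample events (hypothetical user and file names).
STARTUP = r"C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    # Excel writes an EXE into Startup: the pattern from the advisory.
    {"EventID": 11, "Image": EXCEL, "TargetFilename": STARTUP + r"\sample.exe"},
    # Excel saves a workbook: normal behaviour.
    {"EventID": 11, "Image": EXCEL,
     "TargetFilename": r"C:\Users\user1\Documents\report.xlsx"},
    # Explorer creates a shortcut in Startup: not an Office process.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": STARTUP + r"\notes.lnk"},
    # Process creation (ID 1) is a different event type and is ignored.
    {"EventID": 1, "Image": EXCEL},
]

if __name__ == "__main__":
    for path in find_startup_drops(SAMPLE_EVENTS):
        print("Office process dropped an executable into Startup:", path)
```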

The new Flagpro malware spotted in July 2021, referred to as “Flagpro v2.0” by researchers, contains the following main functions:

  1. Download and execute a tool
  2. Execute OS commands and send the results
  3. Collect and send Windows authentication information

Insights:

As per researchers, the contents of the spear-phishing email as well as the malicious Excel file are adjusted according to the target. This suggests the threat actor group carefully researches its targets well before launching an attack.

The researchers highlight that attacks using Flagpro against Japan have been observed since October 2020. While the attack techniques have not changed much, BlackTech is using more evasion techniques, such as adjusting decoy files and file names according to the target and carefully checking the target’s environment. Recently, the group has been observed leveraging new malware called “SelfMake Loader” and “Spider RAT”. This indicates an effort to actively develop new malware for its campaigns.

Latest Cyber-Attacks, Incidents, and Breaches

New Web Skimmer Campaign Compromises Over 100 Real Estate Websites Through Supply Chain

  • Attack Type: Web skimming (formjacking/Magecart Attack), Data Exfiltration, Supply Chain Attack
  • Objective: Data Theft, Financial Gains
  • Target Industry: Real Estate
  • Target Geography: Global
  • Business Impact: Data Loss, Financial Loss

Researchers detected more than 100 real estate websites that were compromised by the same skimmer attack. Analysis revealed that all the compromised websites belonged to a single parent company and were importing the same video, laced with malicious scripts, from a cloud video distribution platform. These websites hosted a form that visitors used to request more information about houses for sale, with input fields asking for personal information. Attackers were able to inject malicious code into the player of the cloud video platform because it allowed users to customize the player by uploading a JavaScript file to be included in it. Taking advantage of this function, attackers leveraged a script that could be modified upstream, allowing malicious content to be added after the player was created. Researchers observed that the skimmer code was highly obfuscated and designed to detect credit card patterns, verify the credit card numbers, harvest the card data, and send it to the attackers.

Insights:

Web skimming attacks allow cybercriminals to inject malicious code into a victim website and essentially take over the functionality of the website's HTML form pages to collect sensitive information. These attacks tend to be highly polymorphic and elusive, and cybercriminals are continuously evolving their strategies. It is one of the fastest-growing forms of cyberattack at present.

As observed in this case, where the blind spot is the source of the supply chain itself, the consequences of such attacks can be large and wide. Therefore, assuming a cloud service is inherently safe without performing proper due diligence and regular checks will put organizations at risk. It becomes all the more important for web administrators to keep their systems, plug-ins, and other components patched at all times, and to perform regular integrity checks on web content.
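One way to run the regular integrity check on web content recommended above, shown as an added example that is not part of the original advisory: every external script on a page is hashed and compared with the digest recorded when it was last reviewed, and scripts loaded without a matching Subresource Integrity attribute are reported. The hosts, file names and script bodies are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.scripts.append((attrs["src"], attrs.get("integrity")))


def audit_page(html, fetched, baseline):
    """fetched: src -> bytes served now; baseline: src -> reviewed digest."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        if src not in baseline:
            findings.append((src, "not in baseline"))
        elif sri_digest(fetched[src]) != baseline[src]:
            findings.append((src, "changed since review"))
        elif integrity != baseline[src]:
            findings.append((src, "integrity attribute missing or stale"))
    return findings


# Constructed sample data: hypothetical hosts, file names and script bodies.
PLAYER = "https://video.example/player/custom.js"
SITE = "https://realty.example/js/form.js"
REVIEWED = {PLAYER: b"initPlayer();", SITE: b"bindForm();"}
BASELINE = {src: sri_digest(body) for src, body in REVIEWED.items()}
PAGE = (f'<script src="{SITE}" integrity="{BASELINE[SITE]}"></script>'
        f'<script src="{PLAYER}"></script>')
# The player script was modified upstream after it was reviewed.
FETCHED = {SITE: b"bindForm();", PLAYER: b"initPlayer();/* unreviewed code */"}

if __name__ == "__main__":
    for src, problem in audit_page(PAGE, FETCHED, BASELINE):
        print(f"{problem}: {src}")
```

With the `integrity` attribute in place the browser itself refuses a script whose content no longer matches, so the scheduled audit mainly catches scripts that were never pinned.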

Vulnerabilities and Exploits

New HomeKit ‘doorLock’ Bug Affecting Apple iOS

  • Attack Type: Vulnerabilities & Exploits, DoS
  • Target Technology: iOS 14.7 – 15.2
  • Vulnerability: (Unassigned CVE)
  • Vulnerability Type: Persistent DoS

Researchers have publicly disclosed details about a persistent DoS bug in Apple HomeKit affecting Apple’s iOS mobile operating system that is capable of sending vulnerable devices into a reboot loop upon connecting to an Apple Home-compatible appliance. The vulnerability, dubbed “doorLock”, has a trivial exploitation requirement and can be triggered simply by changing the name of a HomeKit device to a string larger than 500,000 characters. Any iPhone or iPad with an affected iOS version attempting to connect to such a device becomes unresponsive and enters an indefinite cycle of system failure and restart. This behavior can only be mitigated by restoring the affected device from Recovery or DFU (Device Firmware Update) Mode, which erases all the local data. According to the researcher, restoring the device and signing back into the iCloud account linked to the HomeKit device will trigger the vulnerability again.

Insights:

In a real-world attack scenario, an attacker could exploit doorLock by sending a malicious invite to connect to a HomeKit device with an abnormally large string as its name, effectively locking users out of their local data and preventing them from logging back into iCloud on iOS. Researchers highlight that an attacker using an email address that resembles Apple services or HomeKit products may trick less tech-savvy users into accepting the invitation and then demand payment via email in return for fixing the issue.

Further, because HomeKit device names are also stored on iCloud, signing in to the same iCloud account with a restored device will trigger this behavior once again unless the device owner opts to switch off the option to sync HomeKit data.

CYFIRMA Research

Night Sky Ransomware

Night Sky Ransomware recently emerged, on December 28, 2021, to be exact, attacking two large companies, including one of the largest software companies in East Asia and another large industrial conglomerate in South Asia.

The ransomware operators have posted the stolen data on their leak sites and blackmailed the victims into contacting them. Night Sky works in a way that we have seen in other groups: if the victim makes contact within 3 days of the encryption, the ransom amount drops considerably. If the company is not willing to comply with the group’s requests, the stolen data is leaked on the group’s website.

Further research on Night Sky ransomware will be shared.