Tag Archive for: CyberEspionage

Chinese APT group ToddyCat launches new cyber-espionage campaigns


Researchers warn of renewed attacks against high-profile organizations launched by a Chinese APT actor known in the industry as ToddyCat. The group has been refining both its tactics and its malware toolset since 2020, when it was first discovered.

In a new report this week, researchers from security firm Check Point Software Technologies documented a ToddyCat campaign they dubbed “Stayin’ Alive” that targeted organizations from Asian countries primarily from the telecom and government sectors.

“The Stayin’ Alive campaign consists of mostly downloaders and loaders, some of which are used as an initial infection vector against high-profile Asian organizations,” the Check Point researchers said. “The first downloader found, called CurKeep, targeted Vietnam, Uzbekistan, and Kazakhstan. As we conducted our analysis, we realized that this campaign is part of a much wider campaign targeting the region.”

In a separate report this week, researchers from Kaspersky Lab also documented a new generation of malware loaders used by ToddyCat in recent attacks, including some that seem to be tailored for each victim. The Kaspersky researchers originally uncovered ToddyCat activities in late 2020 after the group targeted high-profile Asian and European organizations.

DLL side-loading a favored ToddyCat technique

One of ToddyCat’s favored methods of deploying malware on computers is DLL side-loading. This involves finding a legitimate executable that searches for a particular DLL file in its own directory, and then replacing that DLL with a malicious one of the same name.

Because the originally executed file belongs to a legitimate application or service, it’s likely to be digitally signed and whitelisted in some security products. The attackers hope that the subsequent loading of a malicious DLL by a legitimate executable won’t be detected or blocked.

In the past, ToddyCat exploited vulnerabilities in publicly exposed Microsoft Exchange servers, but it also delivers malware through spear-phishing emails with malicious archives attached. These archives contain the legitimate executables together with the rogue…

Source…

North Korean cyberespionage actor Lazarus targets energy providers with new malware



Lazarus, also known as Hidden Cobra or Zinc, is a known nation-state cyberespionage threat actor originating from North Korea, according to the U.S. government. The threat actor has been active since 2009 and has often switched targets over time, probably in line with nation-state interests.

Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries including the U.S. It also targeted selected entities to assist strategic sectors such as aerospace and military equipment.

The threat actor is now aiming at energy providers, according to a new report from Cisco Talos.


Attack modus operandi

Lazarus often uses very similar techniques from one attack to the next, as laid out by Talos (Figure A).

Figure A: Full attack scheme from the current Lazarus operation (Lazarus cyber kill chain according to Cisco Talos). Image: Cisco Talos.

In the campaign reported by Talos, the initial vector of infection is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.

Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.

Talos has witnessed three variants of the attack, each deploying a different set of malware: VSingle alone, VSingle together with MagicRAT, or a new malware dubbed YamaBot.

Variations in the attack also involve other tools, such as mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, or reverse tunneling tools such as Plink.

Lazarus also checks for installed antivirus on endpoints and disables Windows Defender antivirus.

The attackers also copy parts of the Windows Registry hives for offline analysis and possible exploitation of credentials and policy information, and gather information from Active Directory before creating their own high-privileged users. These users are removed once the attack is fully in place, along with temporary tools, and the Windows Event logs are cleaned.

At this point, the attackers then take their time to explore the systems, listing multiple folders and putting those of particular interest, mostly proprietary intellectual property, into a RAR archive file for…

Source…

Meta cracks down on cyberespionage, warns of ‘perception hacking’


Meta said it is focused on continuing to disrupt emerging cybersecurity threats, including “perception hacking” efforts that could attempt to create unjustified fears about the security of U.S. elections.

In its new “Quarterly Adversarial Threat Report” released Thursday, Meta details how it took action on two cyberespionage operations and removed three networks that were engaging in coordinated inauthentic behavior (CIB) — campaigns that seek to manipulate public debate.

Since 2017, the company says it has been able to disrupt coordinated networks of fake accounts aimed at manipulating users. The efforts have been successful at driving these networks off of Facebook and have made it harder for other entities to maintain access on the social media platform, Meta says.

Meta says in the report that cyberespionage actors tend to target individuals across the internet in an effort “to collect intelligence, manipulate them into revealing information and compromise their devices and accounts.”

Meta’s Facebook took action on two separate cyberespionage operations from South Asia this past quarter, both of which used malware to infect users’ devices. One of the operations was from the hacker group known as Bitter APT, the report says.

The hacker group targeted users with malware in New Zealand, India, Pakistan and the United Kingdom, Meta’s report says.

The report also revealed the company had removed networks promoting misinformation and harassment in India, Indonesia, Greece and South Africa.

Additionally, Facebook removed three networks engaged in coordinated inauthentic behavior, including one network linked to an Israeli public relations firm and two troll farms from Malaysia and Russia.

The Russian operation, the self-proclaimed CyberFront Z, focused on targeting global discourse on the war in Ukraine, the report says.

The pro-Russia operation attempted to mirror the anti-war communities defending Ukraine through the use of fake accounts run by paid posters, the report says. Despite the effort, pro-Ukraine and anti-war comments typically outnumbered the pro-Russia group’s comments.

Ahead of the U.S. midterm elections, a spokesperson…

Source…