This week @J2CS:
It has been a busy week – we have discovered much and rediscovered old threats dressed as new threat actors…
Korean MalDoc Drops Evil New Year’s Presents
A targeted malware campaign against South Korean users was detected in the wild. The campaign was active between November 2016 and January 2017, targeting a limited number of people. The infection vector is a Hangul Word Processor document (HWP), a popular alternative to Microsoft Office for South Korean users developed by Hancom.
Spear Phishing Techniques Used in Attacks Targeting the Mongolian Government
A sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals who enabled macros in a malicious Microsoft Word document may have been infected with Poison Ivy, a popular remote access tool (RAT) that has been used for nearly a decade for keylogging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more.
The case of getlook23: Using GitHub Issues as a C2
Analysis of a sample we came across on Twitter which uses a GitHub issue as a communication channel for the malware. Although the use of free web services as a C2 channel is not new, the use of a GitHub issue for a command/response channel was interesting.
Finding Hackingteam code in Russian malware
We are seeing the re-emergence of the threat discovered on Valentine's Day, when BitDefender released a short writeup titled "New Xagent Mac Malware Linked with the APT28". In the writeup, they discussed a new piece of Mac malware (XagentOSX/Komplex.B) associated with APT28 (aka the 'Russians'). They did not provide much technical detail, but did state, "this modular backdoor with advanced cyber-espionage capabilities is most likely planted on the system via the Komplex downloader."
Analysis of Malware Used in Watering-Hole Attacks Against Polish Financial Institutions
Cyber4Sight has analyzed the malware distributed via the compromised Polish Financial Supervision Authority webpage and used in targeted attacks against several large banks and telecommunication companies.
New(ish) Mirai Spreader Poses New Risks
A cross-platform, Win32-based Mirai spreader and botnet is in the wild and has been discussed publicly before. However, there is much information confused together, as if an entirely new IoT bot is spreading to and from Windows devices. This is not the case. Instead, an accurate assessment is that a previously active Windows botnet is spreading a Mirai bot variant. So, let’s make a level-headed assessment of what is out there. The earliest we observed this spreader variant pushing Mirai downloaders was January 2017. But this Windows bot is not new. The Windows bot’s spreading method for Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute-forces a remote telnet connection. So we don’t have a sensational hop from Linux Mirai to Windows Mirai just yet; that’s just a silly statement.
menuPass Returns with New Malware and New Attacks
We have rediscovered an APT threat first reported in 2016. From September through November 2016, the campaign known as “menuPass” targeted Japanese academics working in several areas of science, along with Japanese pharmaceutical organizations and a US-based subsidiary of a Japanese manufacturing organization. In addition to PlugX and Poison Ivy (PIVY), both known to be used by the group, the actors also used a new Trojan, named “ChChes” by the Japan Computer Emergency Response Team Coordination Center (JPCERT). In contrast to PlugX and PIVY, which are used by multiple campaigns, ChChes appears to be unique to this group. An analysis of the malware family can be found later in this blog.
Operation BugDrop: Large-Scale Cyber-Reconnaissance Operation Targeting Ukraine
A new, large-scale cyber-reconnaissance operation targeting a broad range of targets in Ukraine has been discovered. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”
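Two of this week's items share a traffic shape a defender can hunt for: the getlook23 sample polling a GitHub issue for commands, and BugDrop pushing captured audio to Dropbox. Both ride on legitimate, TLS-protected web services, so the tell is not the destination but the rhythm of a sleep-loop hitting one resource at near-constant intervals. The following is an added example (not code from J2CS, the sample's authors, or any of the vendors quoted above) that flags such periodic polling in proxy logs; the log format, the watched hostnames and paths, and every sample line are constructed assumptions for this illustration.

```python
"""Beacon detection over constructed proxy-log lines.

Added example, not from the original roundup or any vendor cited in it.
Flags a source host that hits one resource on a watched web service (a
GitHub issue, a Dropbox content endpoint) at near-constant intervals, the
signature of a web-service C2 or exfiltration loop. The log format, the
watched hosts/paths and all sample lines are constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <src_ip> <METHOD> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>/\S*) (?P<status>\d{3})$"
)

# Legitimate services that also serve as C2/exfil channels. The hostnames
# and path patterns are assumptions chosen for this example.
WATCHED = {
    "api.github.com": re.compile(r"^/repos/[^/]+/[^/]+/issues/\d+(/comments)?$"),
    "content.dropboxapi.com": re.compile(r"^/2/files/(upload|download)$"),
}

# Constructed sample log: one host polls a GitHub issue every ~5 min, one
# uploads to Dropbox every 10 min, one developer reads the same issue
# irregularly, plus an unwatched URL and a malformed line.
SAMPLE_LOG = """
2017-02-20T09:00:00 10.0.0.7 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:00:05 10.0.0.12 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:00:10 10.0.0.9 POST https://content.dropboxapi.com/2/files/upload 200
2017-02-20T09:00:15 10.0.0.12 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:01:00 10.0.0.7 GET https://github.com/acme/notes 200
garbage line that does not parse
2017-02-20T09:05:02 10.0.0.7 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:09:58 10.0.0.7 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:10:10 10.0.0.9 POST https://content.dropboxapi.com/2/files/upload 200
2017-02-20T09:15:01 10.0.0.7 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:15:15 10.0.0.12 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:15:55 10.0.0.12 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:19:59 10.0.0.7 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:20:10 10.0.0.9 POST https://content.dropboxapi.com/2/files/upload 200
2017-02-20T09:25:00 10.0.0.7 GET https://api.github.com/repos/acme/notes/issues/3 200
2017-02-20T09:30:10 10.0.0.9 POST https://content.dropboxapi.com/2/files/upload 200
""".strip().splitlines()


def parse(lines):
    """Yield parsed records; silently skip lines that do not match the format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def find_beacons(lines, min_hits=4, max_cv=0.2):
    """Return [(src, host, path, hits, mean_interval_s)] for each
    (source, watched resource) series whose inter-request gaps are nearly
    constant. cv = stdev/mean of the gaps: a person or a CI job produces
    bursty traffic (high cv); a sleep-loop does not."""
    series = defaultdict(list)
    for rec in parse(lines):
        pattern = WATCHED.get(rec["host"])
        if pattern and pattern.match(rec["path"]):
            series[(rec["src"], rec["host"], rec["path"])].append(rec["ts"])
    findings = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append((*key, len(stamps), round(mean)))
    return findings


def demo():
    """Run the detector over the constructed sample log."""
    return find_beacons(SAMPLE_LOG)


if __name__ == "__main__":
    for src, host, path, hits, interval in demo():
        print(f"{src} -> {host}{path}: {hits} hits, ~{interval}s apart")
```

On the sample, the 10.0.0.7 GitHub-issue poll and the 10.0.0.9 Dropbox uploads are reported; the developer's irregular reads of the same issue are not. In production, feed it a day of proxy records per source, widen `WATCHED` to the services your environment sees, and treat a flagged series as a lead to pull the host's process tree, not as proof of compromise, since a legitimate agent can poll just as regularly.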