The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, DLL Sideloading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware, and Windows. The IOCs associated with these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – Summary charts of IOCs. These charts summarize the IOCs attached to this issue and provide a glimpse of the threats discussed.
Trending cyber news and threat intelligence
Xenomorph V3: New version with ATS targeting more than 400 institutions
(Published: March 10, 2023)
Newer versions of the Xenomorph Android banking trojan are capable of targeting more than 400 applications: cryptocurrency wallets and mobile banking apps from around the world, with the most targeted countries being Spain, Turkey, Poland, the US and Australia (in that order). Since February 2022, several campaigns involving Xenomorph variants and test samples have been detected. The current version, Xenomorph v3 (Xenomorph.C), is offered under the Malware-as-a-Service model. In the observed campaign the trojan was delivered with the Zombinder binding service, which bundles it into a legitimate currency converter app. Xenomorph v3 automatically harvests and exfiltrates credentials using an ATS (Automated Transfer System) framework, and its command-and-control traffic abuses the Discord Content Delivery Network.
Analyst Note: Automation of the fraud chain makes Xenomorph v3 a dangerous piece of malware that could significantly increase its share of the threat landscape. Users should keep their mobile devices updated and use mobile antivirus and VPN protection. Install only the apps you really need, use the official store, and check the app description and reviews. Organizations that publish applications for their customers are encouraged to use Anomali’s Premium Digital Risk Protection service to discover rogue and malicious apps impersonating their brand, which security teams would not normally look for or track.
MITRE ATT&CK: [MITRE ATT&CK] T1417.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1417.002 – Input Capture: GUI Input Capture
Tags: malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking Trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility Services, Overlay Attack, Discord CDN, Cryptocurrency Wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android
Cobalt Illusion Masquerades as Atlantic Council Employee
(Published: March 9, 2023)
A new campaign by the Iran-sponsored group Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorus) has been spotted targeting the Mahsa Amini protest movement and researchers documenting the oppression of women and minority groups in Iran. In October 2022, the attackers used stolen images to create a fake Twitter persona claiming to work for the Atlantic Council. This fake account engaged targets in conversation, first sending benign links and documents, then following up with a malicious phishing link or document designed to harvest credentials.
Analyst Note: Politically targeted users should be wary of links and attachments sent to them, even when they have had previous online interactions with the sender. Taking extra steps to verify that an online account is authentic and belongs to a real person can save you from a compromise. Pay attention to the authenticity of the domain whenever you are asked to log in with your password. All known network indicators associated with this campaign are available on the Anomali platform and customers are advised to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1583.001 – Acquire Infrastructure: Domains | [MITRE ATT&CK] T1585.001 – Establish Accounts: Social Media Accounts | [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1598 – Phishing for Information
Tags: actor:Cobalt Illusion, actor:Charming Kitten, actor:APT42, actor:Phosphorus, actor:Magic Hound, Atlantic Council, source-country:Iran, source-country:IR, target-country:Iran, target-country:IR, Mahsa Amini Protests, Opposition, Spearphishing, Instant Messaging, typing, Inauthentic Behavior, Twitter, Fake Account
IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks
(Published: March 9, 2023)
IceFire ransomware, previously Windows-only, has gained a Linux version. The observed attack targeted CentOS Linux, but this IceFire build is capable of running on other Linux distributions as well. The move to a new operating system was accompanied by a shift in delivery method, from phishing to exploitation of public-facing vulnerabilities such as CVE-2022-47986, a vulnerability in IBM’s Aspera Faspex file-sharing software. Overall, the IceFire ransomware family is used in double-extortion attacks that primarily target larger technology, media, and entertainment organizations in Iran, Pakistan, Turkey, and the United Arab Emirates.
Analyst Note: At the time of discovery, the IceFire Linux version had zero antivirus detections. CVE-2022-47986 was only recently patched, which highlights the need for an ongoing effort to keep public-facing servers on the latest version. Aligning vulnerability and remediation processes with cyber threat intelligence significantly improves the accuracy of prioritization and strengthens your security posture against emerging threats from exploited vulnerabilities. Organizations interested in understanding and controlling their external attack surface are encouraged to use the Anomali Attack Surface Management service.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1486 – Data Encrypted for Impact
Tags: malware:IceFire, detection:IceFire, malware-type:Ransomware, Double Extortion, Big Game Hunting, target-industry:Technology, target-industry:Media, target-industry:Entertainment, target-country:Turkey, target-country:TR, target-country:Iran, target-country:IR, target-country:Pakistan, target-country:PK, target-country:UAE, target-country:AE, Tor, CVE-2022-47986, IBM Aspera Faspex, file-type:ELF, file-type:IFIRE, CentOS, Linux
“FakeGPT”: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs
(Published: March 8, 2023)
A new campaign pushing a malicious ChatGPT Chrome extension reached over 2,000 installs per day during March 3-9, 2023. The extension was promoted through malvertising. Once installed from the official Chrome Web Store, it did connect to the official ChatGPT API, but in the background it silently harvested browser information and stored cookies. If a high-profile Facebook business account was detected, the attackers registered a malicious Facebook app that requested every available permission and took over the account. This allows the malicious extension to self-propagate, and enables other malicious activity, through promoted Facebook posts created with the stolen accounts and their advertising credit balances.
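Stored cookies and the declarativeNetRequest API are exactly the capabilities the extension above needed, and a Chrome extension has to declare those capabilities in its manifest.json before it can use them, which makes the manifest a cheap place to triage. The following Python script is added here as an example and is not code from Guardio or Anomali: it scores a manifest for that capability set and can walk a Chrome profile's Extensions directory. The risky-permission list, the sensitive-host list, the scoring threshold and the sample manifest are constructed assumptions for illustration, not a complete policy.

```python
"""Triage Chrome extension manifests for the capability set a cookie-stealing
extension would need (cookies + access to a valuable host). Added example;
the lists, threshold and sample manifest below are constructed assumptions."""
import json
import os
from pathlib import Path

# Permissions that let an extension read or manipulate session material.
# Illustrative subset, not an exhaustive risk catalogue.
HIGH_RISK_PERMISSIONS = {
    "cookies": "can read session cookies for any granted host",
    "declarativeNetRequest": "can rewrite request/response headers",
    "webRequest": "can observe or modify network traffic",
    "scripting": "can inject scripts into granted pages",
    "tabs": "can track browsing and open/close tabs",
}

# Hosts whose session cookies enable ad-account takeover. Constructed list.
SENSITIVE_HOST_FRAGMENTS = ("facebook.com", "ads.google.com")


def _matches_sensitive_host(pattern: str) -> bool:
    """True for <all_urls>, wildcard-all-hosts, or a pattern naming a sensitive host."""
    if pattern == "<all_urls>" or pattern.startswith("*://*/"):
        return True
    return any(frag in pattern for frag in SENSITIVE_HOST_FRAGMENTS)


def assess_manifest(manifest: dict) -> dict:
    """Return findings for one manifest.json (Manifest V2 or V3)."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", []))  # MV3 host patterns
    # MV2 mixes host patterns into "permissions"; pull those out as well.
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    risky = {p: HIGH_RISK_PERMISSIONS[p] for p in perms if p in HIGH_RISK_PERMISSIONS}
    sensitive_hosts = [h for h in hosts if _matches_sensitive_host(h)]
    # One point per risky permission; cookies plus a sensitive host is the red flag.
    score = len(risky) + (3 if "cookies" in risky and sensitive_hosts else 0)
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "risky_permissions": risky,
        "sensitive_hosts": sensitive_hosts,
        "score": score,
        "verdict": "review" if score >= 4 else "ok",  # threshold is an assumption
    }


def scan_profile(extensions_dir: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json, highest score first."""
    findings = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        with open(manifest_path, encoding="utf-8") as fh:
            result = assess_manifest(json.load(fh))
        result["extension_id"] = manifest_path.parts[-3]
        findings.append(result)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample: what a "ChatGPT helper" with cookie access would declare.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "ChatGPT Quick Helper",  # hypothetical name
    "version": "1.0.3",
    "permissions": ["cookies", "declarativeNetRequest", "storage", "tabs"],
    "host_permissions": ["*://*.facebook.com/*", "*://chat.openai.com/*"],
}

if __name__ == "__main__":
    print(json.dumps(assess_manifest(SAMPLE_MANIFEST), indent=2))
    # Linux default profile path; adjust for Windows/macOS.
    default_dir = os.path.expanduser("~/.config/google-chrome/Default/Extensions")
    if os.path.isdir(default_dir):
        for f in scan_profile(default_dir):
            print(f["score"], f["extension_id"], f["name"], f["verdict"])
```

The score is deliberately crude: many legitimate extensions ask for tabs or scripting, so the thing to look at is the combination of cookies with a host pattern that covers an account you care about, which is what lifts the sample manifest to "review". Manifest triage catches declared capability, not behaviour, so a flagged extension still needs a look at its background script.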
Analyst Note: Following Guardio’s report, the malicious extension was removed from the Chrome Web Store, but the risk of similar activity remains high. Malicious actors are adept at identifying and exploiting popular trends to trap users, and the hype surrounding ChatGPT is a prime example. Users, especially those managing business accounts, should avoid unnecessary interaction with promoted content. Do not install an app if it is new, comes from an unknown developer, or if you can get the promised functionality from the base tool without installing an additional app or add-on.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1539 – Steal Web Session Cookie | [MITRE ATT&CK] T1105 – Ingress Tool Transfer
Tags: Malvertising, Facebook, Meta, Chrome Web Store, Malicious Extension, Malicious App, ChatGPT, Credential Harvesting, Account Takeover, declarativeNetRequest, Graph API, Messenger Kids, malware-type:Infostealer, iOS
Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials
(Published: March 7, 2023)
In July 2022, the Pakistan-sponsored group Mythic Leopard (APT36, Transparent Tribe) registered two domains to distribute trojanized Android applications. The attackers used romance-scam messages to lure victims to the websites, install a purportedly secure messaging app, and grant it the additional permissions it requested. The app did provide basic messaging functionality while also carrying a new version of the powerful CapraRAT spyware/backdoor. ESET researchers identified over 150 victims in India, Pakistan, Russia, Oman and Egypt (in order of the number of victims).
Analyst Note: Government and military personnel should be aware of romance-scam (honeytrap) social engineering attacks. Do not sideload mobile apps from outside the official stores (Google Play Store). Mythic Leopard appears to reuse some of its infrastructure, so blocking the indicators available on the Anomali platform is important.
MITRE ATT&CK: [MITRE ATT&CK] T1398 – Modify OS Kernel or Boot Partition | [MITRE ATT&CK] T1624.001 – Event Triggered Execution: Broadcast Receivers | [MITRE ATT&CK] T1420 – File and Directory Discovery | [MITRE ATT&CK] T1424 – Process Discovery | [MITRE ATT&CK] T1422 – System Network Configuration Discovery | [MITRE ATT&CK] T1426 – System Information Discovery | [MITRE ATT&CK] T1533 – Data from Local System | [MITRE ATT&CK] T1517 – Access Notifications | [MITRE ATT&CK] T1512 – Video Capture | [MITRE ATT&CK] T1430 – Location Tracking | [MITRE ATT&CK] T1429 – Audio Capture | [MITRE ATT&CK] T1513 – Screen Capture | [MITRE ATT&CK] T1636.002 – Protected User Data: Call Log | [MITRE ATT&CK] T1636.003 – Protected User Data: Contact List | [MITRE ATT&CK] T1636.004 – Protected User Data: SMS Messages | [MITRE ATT&CK] T1616 – Call Control | [MITRE ATT&CK] T1509 – Non-Standard Port | [MITRE ATT&CK] T1582 – SMS Control
Tags: actor:Transparent Tribe, actor:APT36, actor:Mythic Leopard, detection:Android/Spy.CapraRAT.A, malware:CapraRAT, malware-type:Backdoor, source-country:Pakistan, source-country:PK, target-country:Pakistan, target-country:PK, target-country:India, target-country:IN, target-country:Russia, target-country:RU, target-country:Oman, target-country:OM, target-country:Egypt, target-country:EG, target-industry:Military, target-industry:Politics, Honey Trap, Mobile, Android
SYS01 Stealer Will Get Your Sensitive Facebook Info
(Published: March 7, 2023)
A new and sophisticated infostealer known as SYS01 Stealer has been active in the wild since May 2022 and expanded its reach in November 2022. The attack starts with a URL, served from a fake or hijacked Facebook profile or from an advertisement (Facebook, Google), that downloads a ZIP file claiming to contain an application, game, movie, or similar. User execution abuses a legitimate benign binary to sideload a malicious DLL. The DLL downloads an Inno Setup installer, which in turn downloads and runs the PHP-based stealer. The stealer exfiltrates browser cookies and, if the victim was logged in, steals Facebook account information. Different stages and versions of the SYS01 Stealer infection chain use several programming languages (C#, PHP, Python compiled with Nuitka, and Rust) and obfuscation tools (ionCube, SmartAssembly and Zephir).
Analyst Note: Network defenders should consider restricting users’ rights to download and install programs, and educate users about the social engineering tricks adversaries use in malvertising. All known SYS01 Stealer indicators are available on the Anomali platform and customers are advised to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1539 – Steal Web Session Cookie
Tags: malware:SYS01, malware-type:Infostealer, Facebook Business, Google Ads, file-type:ZIP, file-type:EXE, file-type:PHP, file-type:DLL, Inno Setup Installer, Rust, Python, Nuitka, PHP, C#, SmartAssembly, ionCube, Zephir, Sideloading, target-industry:Government, target-industry:Manufacturing, Windows