United States: Ankura CTIX FLASH Update - June 24, 2022

Ransomware/Malware Activity

Spyware Vendor RCS Labs Observed Infecting Android and iOS users with Commercial Surveillance Tools

Google's Threat Analysis Group (TAG) published a report regarding RCS Labs' activity involving infecting Android and iOS users with commercial surveillance tools. RCS Labs is an Italian spyware company that leveraged Internet service providers (ISPs) to infect users located in Italy and Kazakhstan. The observed campaigns originated with unique links sent to the targets via SMS that rendered a page prompting the user to download and install a malicious application on their Android or iOS device. The SMS message typically included a prompt regarding mobile connectivity issues. Researchers noted the reason behind this specific verbiage may be because "the actors worked with the target's ISP to disable the target's mobile data connectivity." The malicious applications were typically disguised as a mobile carrier application or messaging applications, which would be endorsed through "a made-up support page that claimed to help the potential victims recover their Facebook, Instagram, or WhatsApp suspended accounts." The fraudulent applications were not available in the Google Play or the Apple App Store, and each device type has its own attack method. The iOS application is signed with a certificate from "3-1 Mobile SRL" (a company enrolled in the Apple Developer Enterprise Program) which satisfies all iOS code signing requirements. The app contains a privilege escalation exploit wrapper that is utilized by six (6) exploits: CVE-2018-4344, CVE-2019-8605, CVE-2020-3837, CVE-2020-9907, CVE-2021-30883 (a zero-day vulnerability), and CVE-2021-30983 (another zero-day vulnerability). The app also contained a "minimalist agent capable of exfiltrating interesting files from the device, such as the Whatsapp database." The Android Package Kit (APK) requires the target to have enabled installation of applications from unknown sources and disguises itself as a legitimate Samsung app through its icon. Once the app is launched, it requests various sensitive permissions on the device. The APK does not contain exploits but does have code that suggests exploits could be downloaded and executed if need be. There is also the ability to fetch and run remote modules present that can communicate a range of events to the main application. Google researchers emphasized that "the commercial spyware industry is thriving and growing at a significant rate", in which all Internet users should be concerned and vigilant. An in-depth analysis of recent spyware activity as well as indicators of compromise (IOCs) can be reviewed in Google TAG's report linked below.

• BleepingComputer: Spyware Article
• Google TAG: Spyware Report

Threat Actor Activity

APT28 Uses Nuclear Fear in New Phishing Campaign

A recent social engineering attack by Russian threat actors utilized nuclear war themed phishing emails to lure victims, ultimately leading to compromise of the user's device. The threat organization connected to this campaign is APT28, commonly referred to as Fancy Bear or Sofacy. These threat actors have been active since 2004 with the prime directive of gathering intelligence on behalf of the Russian government. Historically, APT28 has reportedly compromised assets of the World Anti-Doping Agency (WADA), a United States nuclear facility, and several assets of the 2016 United States Presidential election. APT28 recently utilized nuclear threat documents in phishing emails to intrigue its victims to download the malicious email attachment titled "Nuclear Terrorism A Very Real Threat.rtf". Once downloaded, malicious code exploits the Follina vulnerability (CVE-2022-30190), which impacts Microsoft Office applications. This allowed APT28 threat actors to drop a new .Net application which allows for gathering data from the user's browser, including harvesting credentials, and exfiltrating the data to actor-controlled command-and-control (C2) endpoints. With tensions continuing to rise in the Russia/Ukraine conflict, this allows threat actors to use the act of war to socially engineer victims and spread their malicious activities throughout the region. CTIX urges users to verify the integrity of a suspicious email prior to opening any attachments or visiting any embedded links.

• Threatpost: APT28 Article
• Malwarebytes: APT28 Article

Tropic Trooper Actors New Espionage Campaign

Threat actors from the Chinese-backed Tropic Trooper organization have launched a new malware campaign targeting mobile devices. Tropic Trooper is a threat organization first identified in 2011that previously targeted government, transportation, high-tech, and healthcare entities throughout Hong Kong, Taiwan, and the Philippines. In this new campaign, threat actors are utilizing the SMS Bomber tool to deliver their Yahoyah trojan backdoor to mobile devices. The SMS Bomber tool allows threat actors to flood a user's mobile device with a corrupted message, causing system instability within the device. Once established on the system, the Yahoyah trojan variant begins transmitting host-related data to command-and-control (C2) nodes operated by threat actors. Compromised information includes device name, network SSIDs within the device's area, MAC address, OS version, and any anti-virus products on the device. Tropic Trooper has been targeting Russian entities in their recent phishing campaigns, hinting that Russian users could be infected by this new campaign. CTIX continues to monitor threat actor activity worldwide and will provide additional updates as needed.

• Hackread: Tropic Trooper Article

Vulnerabilities

A critical Mitel VoIP Appliance Vulnerability can be Leveraged to Conduct Remote Code Execution

CrowdStrike recently reported a critical zero-day vulnerability in a Linux-based Mitel VoIP appliance that served as the threat actor's entry point to a ransomware victim's network. The flaw, tracked as CVE-2022-29499, was identified and patched in April 2022, and is an incorrect data validation vulnerability within a Mitel MiVoice Connect appliance located on the network perimeter. If exploited, this vulnerability allows threat actors to conduct a novel remote code execution (RCE) attack to gain initial access to the network environment. After a preliminary investigation, CrowdStrike security researchers traced the malicious activity to a single internal IP address assigned to a Mitel MiVoice Connect VoIP appliance. The filesystem of the VoIP device indicated that the threat actors had leveraged anti-forensic techniques to attempt to hide their footprint from investigators by deleting the data from the drive. This proved ineffective however, as the investigators were able to recover the deleted data. The investigation indicated that the exploit was facilitated by two (2) HTTP GET requests for a specific server resource to fetch commands from the actor-controlled command and control (C2) infrastructure. The threat actors used the exploitation of this vulnerability to create an SSL-enabled reverse shell to launch a web shell on the targeted MiVoice appliance and download a proxy tool known as Chisel. The threat actors attempted to execute Chisel to use it as a reverse proxy for pivoting further into the target infrastructure; however, the victim organization's security infrastructure was able to detect the compromise and prevented further lateral movement. At this time, neither the victim nor the threat actor has been publicly identified. CTIX analysts recommend any organizations using Mitel VoIP appliances ensure that they update their infrastructure to the latest stable firmware version available.

• CrowdStrike: CVE-2022-29499 Report

Honorable Mention

Scalpers Book and Sell Israeli Government Appointments Using Open-Source Bot

Researchers from Akamai have discovered a new scalping technique used against MyVisit in Israel that involves scalpers using bots to book appointments for government services then selling those services to paying citizens. MyVisit is an appointment booking service used by many government entities in Israel. The entire situation started with an open-source bot named "GamkenBot" that was created to help Israeli citizens book passport appointments with the Ministry of the Interior. At the time, the ministry had a backlog of over 700,000 applications with new appointments being booked almost immediately. While the bot had made it easier for normal users to book appointments, scalpers quickly exploited it. Less than one (1) week after GamkenBot gained attention, a Telegram channel by the name of "MyVisit Appointments Group" was created. The administrators of the group claimed to have developed a bot to scan and book appointments to various websites. They began selling appointments for not only the Ministry of Interior but also the Population Authority, Israel's Electricity Corporation, the National Insurance, Israel Post, the Ministry of Transportation, and other government services. Appointment slots could be bought for 400 Shekels (around $120 at the time of publishing) with discounts for multiple appointments. While the administrators of this group are currently using the bot for financial gain, Akamai researchers warn that the bot could also be used in a denial-of-service attack. MyVisit attempted to block these bots by utilizing a CAPTCHA service on its booking page, though the developers were able to bypass it days after implementation. The Akamai researchers detailed other mitigation attempts that MyVisit could incorporate, though they note that any anti-bot measure can be bypassed by "a threat actor with enough motivation and resources."

• BleepingComputer: MyVisit Scalpers Article
• Akamai: MyVisit Scalpers Report

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.