Experts at AT&T’s Alien Labs recently discovered an ongoing campaign conducted by StrongPity threat actor that abuses malicious WinBox installers to infect victims.
The activity of the group was initially uncovered in 2016 when experts at Kaspersky observed the
The new campaign started in the second half of 2018; the attackers once again used tainted versions of popular software such as WinRAR to compromise victims’ systems.
The new malware samples analyzed in July 2019 appear to have been
One of the samples employed by the hackers in the recent campaign is a malicious installer for the WinBox, which is the management console for MikroTik’s RouterOS software.
The installer implements all of the features of the legitimate software, but it installs the StrongPity malware on the
The malware operates similarly to previously reported variants: it implements spyware capabilities and allows the attacker to gain remote access to the compromised machine. The malicious code communicates with the command and control (C&C) infrastructure over SSL.
“The malicious WinBox installer drops the StrongPity sample into the Windows Temporary directory as %temp%\DDF5-CC44CDB42E5\wintcsr.exe. Similar to previous reports of StrongPity, the malware communicates with the C2 server over SSL.” Alien Labs notes.
“Reviewing the compilation timestamps of the identified malware, various clusters of individual campaign start times can be noticed, stretching back into the previous reports of early 2018,”
The APT group also used newer versions of tainted WinRAR software, as well as a tainted installer for a tool called Internet Download Manager (IDM).
Experts were not able to exactly determine the delivery mechanism of the tainted installers, however
The choice of installers for software like WinRAR, WinBox, and IDM suggests that StrongPity is continuing to target technically-oriented victims.
“Overall, the identified TTPs, newer versions of StrongPity, and the legitimate software used to deliver it operate in ways similar to how the adversary has historically operated.” concludes the report. “This is likely due to the high amounts of operational success for the adversary with minimal modification to evade detection following public reporting over the years.”
(SecurityAffairs – StrongPity, APT)
The post Experts detailed new StrongPity cyberespionage campaigns appeared first on Security Affairs.
Kaspersky researchers revealed that since earlier this year, Russia-linked APT group Turla used new variants of the KopiLuwak Trojan in targeted attacks.
The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2007 targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America and former Soviet bloc nations.
The list of previously known victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.
In the past months, security experts reported the APT group has been updating its arsenal. In May, ESET experts revealed that Turla has been using a sophisticated backdoor, dubbed LightNeuron, to hijack Microsoft Exchange mail servers.
Now Kaspersky has published a detailed analysis of a new modular tool dubbed Topinambour (aka Sunchoke – the Jerusalem artichoke). Kaspersky researchers also found .NET and PowerShell versions of the KopiLuwak Trojan, which has been involved in targeted attacks since the beginning of this year.
“Using this and SMB shares on rented virtual private servers (VPS), the campaign operators spread the next-stage modules using just “net use” and “copy” Windows shell commands. It’s hard to believe, but SMB still works through public networks.” reads the analysis published by Kaspersky.
“These campaign-related VPSs are located in South Africa. Interestingly, their external IP addresses start with “197.168”. Possibly these first two bytes are there to mimic LAN addresses that start with “192.168”.”
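The two observations quoted above, lateral movement over SMB across public networks and staging servers whose addresses resemble LAN ranges, both translate into a simple network detection. The following Python script is an added example for this article, not code from Kaspersky or Security Affairs: it scans firewall log lines for SMB connections (TCP 445/139) whose destination is outside the RFC 1918, loopback and link-local ranges, and additionally marks destinations whose dotted form differs from a private prefix by a single character, as the report’s 197.168 addresses do. The log format, the source addresses and the destination addresses are constructed; only the 197.168 prefix comes from the report.

```python
import ipaddress
import re

# Constructed firewall log lines in an assumed key=value format (not from the report).
# 203.0.113.0/24 is the TEST-NET-3 documentation range, used here as a stand-in public address.
SAMPLE_LOG = """\
2019-07-15T10:02:11Z action=allow proto=tcp src=10.20.30.40 dst=10.20.30.50 dport=445
2019-07-15T10:03:47Z action=allow proto=tcp src=10.20.30.40 dst=197.168.44.21 dport=445
2019-07-15T10:04:02Z action=allow proto=tcp src=10.20.30.41 dst=192.168.1.5 dport=445
2019-07-15T10:05:19Z action=allow proto=tcp src=10.20.30.41 dst=203.0.113.9 dport=443
2019-07-15T10:06:33Z action=allow proto=tcp src=10.20.30.42 dst=203.0.113.77 dport=445
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")
SMB_PORTS = {445, 139}

# Ranges that are legitimately reachable over SMB from inside an enterprise network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# String prefixes of the RFC 1918 ranges, used only for the visual-lookalike heuristic.
PRIVATE_PREFIXES = ("10.", "192.168.", "172.16.")


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def looks_like_private(addr: str) -> bool:
    """True when the dotted-quad string differs from an RFC 1918 prefix in exactly one
    character, e.g. 197.168.x.x versus 192.168.x.x. Heuristic for analyst triage only."""
    for prefix in PRIVATE_PREFIXES:
        head = addr[:len(prefix)]
        if len(head) == len(prefix) and sum(a != b for a, b in zip(head, prefix)) == 1:
            return True
    return False


def find_public_smb(log_text: str):
    """Return one finding per SMB connection to a destination outside INTERNAL_NETS."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field; not a routable destination
        if dst.version != 4 or is_internal(dst):
            continue
        findings.append({
            "src": m["src"],
            "dst": str(dst),
            "dport": int(m["dport"]),
            "lookalike_private": looks_like_private(str(dst)),
        })
    return findings


if __name__ == "__main__":
    for f in find_public_smb(SAMPLE_LOG):
        flag = " (resembles a LAN prefix)" if f["lookalike_private"] else ""
        print(f"SMB to public host: {f['src']} -> {f['dst']}:{f['dport']}{flag}")
```

Outbound SMB to non-internal addresses is rarely legitimate and is a low-noise signal on its own; the lookalike flag only helps an analyst notice addresses that were chosen to be skimmed over.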
The dropper sample analyzed by the experts is able to deliver the payload to a specific location, gain persistence for the malicious code with a scheduled task that starts every 30 minutes, and drop the original application the dropper tries to mimic.
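The persistence described above (a scheduled task firing every 30 minutes) and the StrongPity drop location noted earlier (a binary under the Windows Temporary directory) combine into a host-side check: a task that runs a binary from a user-writable directory on a short repetition interval deserves a look. The Python script below is an added example for this article, not code from Kaspersky, AT&T Alien Labs or Security Affairs. It parses Task Scheduler XML definitions (the format `schtasks /query /xml` exports, which uses the namespace shown), converts the ISO 8601 repetition interval to seconds, and flags tasks that meet both conditions. The two task definitions, the task names and the paths are constructed; a real hunt would add the specific path from the StrongPity report to the marker list.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments for user-writable locations that a legitimate installer rarely uses
# for a binary it needs to run on a schedule (assumed list; extend for your estate).
USER_WRITABLE_MARKERS = (
    "%temp%", r"\appdata\local\temp", r"\users\public", "%appdata%", "%localappdata%")

# Subset of ISO 8601 durations that Task Scheduler emits, e.g. PT30M, PT1H, P1D.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Return the duration in seconds, or None if the text is not a recognised duration."""
    m = _DURATION.match((text or "").strip())
    if not m or not any(m.groups()):
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def task_name(root):
    uri = root.find("./t:RegistrationInfo/t:URI", NS)
    return (uri.text or "").strip() if uri is not None else "<unnamed>"


def analyze_task(xml_text, max_interval_seconds=30 * 60):
    """Return findings for a task whose shortest repetition interval is at most
    max_interval_seconds and whose action runs from a user-writable directory."""
    root = ET.fromstring(xml_text)
    intervals = [parse_duration(i.text) for i in root.findall(".//t:Repetition/t:Interval", NS)]
    shortest = min((i for i in intervals if i is not None), default=None)
    findings = []
    if shortest is None or shortest > max_interval_seconds:
        return findings
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append({"task": task_name(root), "command": path,
                             "interval_seconds": shortest})
    return findings


def scan_tasks(xml_documents):
    """Run analyze_task over a collection of exported task definitions."""
    findings = []
    for doc in xml_documents:
        findings.extend(analyze_task(doc))
    return findings


# Constructed task definitions (placeholder names and paths, not indicators from the reports).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleUpdater</URI></RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%TEMP%\EXAMPLE-PLACEHOLDER\updater.exe</Command></Exec>
  </Actions>
</Task>
"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\VendorUpdateCheck</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2019-07-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\updatecheck.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for f in scan_tasks([BENIGN_TASK, SUSPICIOUS_TASK]):
        print(f"{f['task']}: runs {f['command']} every {f['interval_seconds'] // 60} min")
```

The interval threshold is a parameter because the 30-minute value is specific to this dropper; the directory check is the part that holds across campaigns, since software that legitimately needs a recurring task almost always installs into Program Files or a service directory.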
Hackers also used a PowerShell Trojan tracked as
“The reason behind the development of KopiLuwak’s PowerShell and .NET analogues may be simply to minimize detection of the
“Using the Windows system registry to store encrypted data that
(SecurityAffairs – Turla APT, Topinambour)
The post Turla APT group adds Topinambour Trojan to its arsenal appeared first on Security Affairs.
After several months of activity, the actors behind the “Sea Turtle” DNS hijacking campaign are not slowing down. Cisco Talos recently discovered new details that suggest they regrouped after we published our initial findings and coverage and are redoubling their efforts with new infrastructure. While many actors will slow down once they are discovered, this group appears to be unusually brazen, and will be unlikely to be deterred going forward.
Additionally, we discovered a new DNS hijacking technique that we assess with moderate confidence is connected to the actors behind Sea Turtle. This new technique is similar in that the threat actors compromise the name server records and respond to DNS requests with falsified A records. This new technique has only been observed in a few highly targeted operations. We also identified a new wave of victims, including a country code top-level domain (ccTLD) registry, which manages the DNS records for every domain that uses that particular country code; that access was then used to compromise additional government entities. Unfortunately, unless there are significant changes made to better secure DNS, these sorts of attacks are going to remain prevalent.
Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software.
This incident, by definition, involves an "insider threat." Tan was an employee who appears to have copied information that was outside the scope of his work responsibilities, resigned from his employer, and was planning to return to China to work for a competitor, having delivered his former employer's intellectual property.
When I started GE-CIRT in 2008 (officially "initial operating capability" on 1 January 2009), one of the strategies we pursued involved insider threats. I've written about insiders on this blog before but I couldn't find a description of the strategy we implemented via GE-CIRT.
We sought to make digital intrusions more expensive than physical intrusions.
In other words, we wanted to make it easier for the adversary to accomplish his mission using insiders. We wanted to make it more difficult for the adversary to accomplish his mission using our network.
In a cynical sense, this makes security someone else's problem. Suddenly the physical security team is dealing with the worst of the worst!
This is a win for everyone, however. Consider the many advantages the physical security team has over the digital security team.
The physical security team can work with human resources during the hiring process. HR can run background checks and identify suspicious job applicants prior to granting employment and access.
Employees are far more exposed than remote intruders. Employees, even under cover, expose their appearance, likely residence, and personalities to the company and its workers.
Employees can be subject to far more intensive monitoring than remote intruders. Employee endpoints can be instrumented. Employee workspaces are instrumented via access cards, cameras at entry and exit points, and other measures.
Employers can cooperate with law enforcement to investigate and prosecute employees. They can control and deter theft and other activities.
In brief, insider theft, like all "close access" activities, is incredibly risky for the adversary. It is a win for everyone when the adversary must resort to using insiders to accomplish their mission. Digital and physical security must cooperate to leverage these advantages, while collaborating with human resources, legal, information technology, and business lines to wring the maximum results from this advantage.