Malware Watch - W/E - 101218

Gallmaker Threat Group Uses "Live Off the Land" Methods to Hit Governments, Militaries (10/10/2018)
Government and military entities, including overseas embassies in one Eastern European nation and military and defense groups in the Middle East, have been targeted by a new threat campaign called Gallmaker. This threat group, which has been identified by Symantec, has been active since December 2017 but its activities ramped up in June. The campaign shows Gallmaker using "living off the land" tactics. A malicious Office document is delivered to the victim via phishing. Once the victim opens the lure document, a warning appears asking victims to "enable content." Should a user enable this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim's system. By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect.
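A defender-side check for the technique described above: the following Python script, added here and not part of the original report or of Symantec's analysis, unzips a .docx and reports any Word field whose instruction invokes DDE or DDEAUTO, joining instruction fragments that are split across runs. The sample document it builds is constructed in memory with a placeholder program path.

```python
import io
import re
import zipfile

# Fields are either <w:fldSimple w:instr="..."/> or runs (fldChar begin, instrText
# fragments, fldChar separate/end); fragments are joined so split "DDE"+"AUTO" matches.
TOKEN = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(begin|separate|end)"[^>]*/?>'
    r'|<w:instrText[^>]*>(.*?)</w:instrText>'
    r'|<w:fldSimple[^>]*w:instr="([^"]*)"',
    re.DOTALL,
)
DDE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def find_dde_fields(docx_bytes):
    """Return (part, field instruction) for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not (part.startswith("word/") and part.endswith(".xml")):
                continue  # fields live in document.xml, headers, footers, footnotes
            xml = zf.read(part).decode("utf-8", errors="replace")
            buf, in_field = [], False
            for m in TOKEN.finditer(xml):
                kind, fragment, simple = m.groups()
                if kind == "begin":
                    buf, in_field = [], True
                elif kind in ("separate", "end"):
                    instr = "".join(buf).strip() if in_field else ""
                    in_field = False
                    if DDE.search(instr):
                        hits.append((part, instr))
                elif fragment is not None and in_field:
                    buf.append(fragment)
                elif simple is not None and DDE.search(simple):
                    hits.append((part, simple.strip()))
    return hits


def build_sample_docx(instr_fragments):
    """Constructed minimal .docx holding one complex field (not a real document)."""
    runs = "".join(f"<w:r><w:instrText>{f}</w:instrText></w:r>" for f in instr_fragments)
    body = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f'<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>'
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", body)
    return out.getvalue()
```

Run it over mail-gateway attachments as a triage signal; a DDE field in an inbound document is rare in legitimate business mail and warrants quarantine before any user sees the "enable content" prompt.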

Hijacked Emails, Ongoing Conversations Infiltrated to Drop Ursnif Malware (10/09/2018)
A spam campaign that Trend Micro analysts observed uses hijacked email accounts to send malware as part of or as a response to an existing email thread. The payload is the Ursnif malware and the campaign has been concentrated on North America and Europe, although similar attacks were detected in Asia and Latin America. The method of using an ongoing thread to taint systems makes the malware difficult to detect.

KeyBoy Threat Uses Office Exploits to Push Out Malware (10/11/2018)
The KeyBoy threat actor, first spotted in 2013 targeting governments in Southeast Asia, has exploited Office bugs to target India's ambassador to Ethiopia, the researchers at AlienVault have observed. The actor used a phishing email with a malicious document attached to execute a script that installs the final payload. KeyBoy has also been testing another exploit generator but did not change its default settings, which enabled AlienVault to review the metadata. That exploit generator was intended to drop the TSSL malware family.

MuddyWater Ramps Up Its Malicious Campaign to Victimize New Targets (10/10/2018)
Attacks from the MuddyWater threat group have escalated and have started targeting government bodies, military entities, telecommunications organizations, and educational institutions in Jordan, Turkey, Azerbaijan, and Pakistan, the researchers at Kaspersky Lab say. MuddyWater has continued to attack targets in Iraq and Saudi Arabia and has ramped up to also hit victims in Mali, Austria, Russia, Iran, and Bahrain through spear-phishing campaigns. This group was first identified in 2017 and uses a wealth of sophisticated tools against its victims.

Researchers Connect Dots from BlackEnergy to NotPetya to Exaramel Malware (10/11/2018)
ESET has connected a malware called Exaramel to the Industroyer industrial control system malware that caused blackouts in Ukraine in December 2016 after hitting an electrical substation. Exaramel is a backdoor that is delivered by a dropper whose configuration data is similar to Industroyer's. The Industroyer malware has ties to the TeleBots threat group - which used a backdoor to begin the spread of the NotPetya ransomware attacks in the spring of 2017 - and also to the BlackEnergy malware that attacked the Ukrainian energy sector in 2015. ESET said in a blog post, "The strong code similarity between the Win32/Exaramel backdoor and the Industroyer main backdoor is the first publicly presented evidence linking Industroyer to TeleBots, and hence to NotPetya and BlackEnergy. While the possibility of false flags - or a coincidental code sharing by another threat actor - should always be kept in mind when attempting attribution, in this case we consider it unlikely."

Turla, Sofacy Threat Groups Share Malware Code and Targeted Entities (10/08/2018)
Turla, the Russian-speaking threat actor, has been using the KopiLuwak malware, which is delivered to victims using code nearly identical to that used previously by the Zebrocy operation, a subset of the Sofacy (also known as Fancy Bear and APT28) threat entity. Additionally, Kaspersky Lab found target overlap between the two threat actors, centered on geopolitical hotspots in central Asia, as well as sensitive government and military entities. KopiLuwak was first discovered in November 2016 being delivered by macro-enabled documents that dropped new, heavily obfuscated JavaScript malware designed for system and network reconnaissance. In mid-2018, KopiLuwak was observed hitting targets in Syria and Afghanistan. Turla used a new spear-phishing delivery vector with Windows shortcut (.LNK) files. Analysis showed that the LNK file contained PowerShell to decode and drop the KopiLuwak payload. This PowerShell was almost identical to that used in Zebrocy activity a month earlier.