Blind Eagle and StrongPity hackers use sophisticated attack techniques to deploy malware

SISA Weekly Threat Watch - 16 January 2023

Threat actors have recently been intensifying their efforts to improve their evasion techniques. Although some of these tactics are not new, researchers report a recent increase in their use, indicating that many threat actors are actively seeking specific entry points for targeted attacks. This past week, attackers abused built-in Windows tools, PostgreSQL misconfigurations, and trojanized Android apps to bypass security controls and exfiltrate sensitive data.

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities and campaigns that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

1. Hackers abuse Windows error reporting tool to deploy malware

Hackers are abusing the Windows Problem Reporting utility (WerFault.exe) in a DLL sideloading attack to load malware into the memory of a compromised system. The campaign starts with a phishing email carrying an ISO attachment. The ISO contains a malicious DLL (faultrep.dll), a decoy XLS file, a shortcut (LNK) file, and a genuine copy of the WerFault.exe binary. Launching the LNK file starts the legitimate scriptrunner.exe, which is used to proxy execution of the WerFault.exe binary.

Because Windows resolves a DLL from the application's own directory before the system directory, the copied WerFault.exe sideloads the malicious faultrep.dll sitting beside it on the ISO instead of the genuine one in System32. The DLL then opens the bundled XLS spreadsheet as a decoy and loads a copy of Pupy RAT into memory. Pupy RAT is an open-source remote access trojan that gives threat actors complete control of an infected device. All devices within an organization should be kept up to date and covered by endpoint security controls such as an EDR. Implementing and maintaining email security rules, including the ability to block risky attachment types such as ISO images, is also highly advised.

2. Blind Eagle hackers return with refined tools and sophisticated infection chain

A threat actor known as Blind Eagle (APT-C-36), which targets organizations in Colombia and Ecuador, has resurfaced with a refined toolkit and a more elaborate infection chain. The attack chain starts with phishing emails containing a booby-trapped link; clicking it launches Quasar RAT, an open-source trojan, with the aim of accessing the victim's bank accounts.

A second variant of the chain does not deliver the RAT directly. Instead, it uses a more complex multi-stage procedure that abuses the legitimate mshta.exe binary to execute VBScript embedded in an HTML file, which in turn downloads two malicious Python scripts. To protect systems and prevent data loss, block URL categories such as torrent and warez sites, deploy a Data Loss Prevention (DLP) solution, and monitor for beaconing at the network level.
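Both the WerFault.exe sideload in item 1 and the mshta.exe chain in item 2 leave the same kind of trace on an endpoint: a trusted Windows binary running from, loading from, or launching something it normally would not. The Python script below is an added example written for this advisory; it is not code from either research report. It applies those rules to a few constructed process-creation and image-load events in a Sysmon-like shape (event IDs 1 and 7). The field names, the sample paths, the D: drive letter standing in for the mounted ISO and the rule names are all assumptions made for the example.

```python
"""Rule-based triage of Windows endpoint events for the two LOLBin patterns
above: WerFault.exe DLL sideloading (item 1) and mshta.exe proxy execution
(item 2). Added example for this advisory; not taken from either report.
Event shapes loosely follow Sysmon event ID 1 (process create) and ID 7
(image load); all sample events below are constructed."""
import ntpath
import re

# Genuine WerFault.exe and faultrep.dll live in these directories.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Children of mshta.exe that indicate a follow-on script stage (item 2).
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}
# A URL, an HTML file or an HTA file handed to mshta.exe.
MSHTA_PAYLOAD = re.compile(r"https?://|\.html?\b|\.hta\b")


def in_system_dir(path):
    """True when the file sits directly in a Windows system directory."""
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def check_event(ev):
    """Return the names of the rules a single event matches (empty if none)."""
    hits = []
    image = ev.get("image", "")
    base = ntpath.basename(image).lower()

    # A copy of WerFault.exe executing outside System32/SysWOW64 (e.g. from a
    # mounted ISO) is suspicious on its own, whichever event reports it.
    if base == "werfault.exe" and not in_system_dir(image):
        hits.append("werfault_outside_system_dir")

    if ev.get("type") == "image_load":
        loaded = ev.get("loaded", "")
        # WerFault.exe resolving faultrep.dll from anywhere but a system
        # directory is the sideload in item 1: the DLL next to the copied
        # binary wins the search order over the genuine one in System32.
        if (base == "werfault.exe"
                and ntpath.basename(loaded).lower() == "faultrep.dll"
                and not in_system_dir(loaded)):
            hits.append("werfault_faultrep_sideload")

    elif ev.get("type") == "process_create":
        parent = ntpath.basename(ev.get("parent_image", "")).lower()
        cmd = ev.get("command_line", "").lower()
        # scriptrunner.exe proxying WerFault.exe, as launched by the LNK file.
        if base == "werfault.exe" and parent == "scriptrunner.exe":
            hits.append("scriptrunner_proxies_werfault")
        # mshta.exe given a URL or an HTML/HTA document (item 2).
        if base == "mshta.exe" and MSHTA_PAYLOAD.search(cmd):
            hits.append("mshta_remote_or_html_payload")
        # mshta.exe spawning an interpreter matches the downloaded Python stage.
        if parent == "mshta.exe" and base in INTERPRETERS:
            hits.append("mshta_spawns_interpreter")
    return hits


def triage(events):
    """Return [(index, hits)] for every event that matched at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry: D: is assumed to be the mounted ISO.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\ScriptRunner.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"ScriptRunner.exe D:\WerFault.exe"},
    {"type": "process_create", "image": r"D:\WerFault.exe",
     "parent_image": r"C:\Windows\System32\ScriptRunner.exe",
     "command_line": r"D:\WerFault.exe"},
    {"type": "image_load", "image": r"D:\WerFault.exe", "loaded": r"D:\faultrep.dll"},
    {"type": "image_load", "image": r"C:\Windows\System32\WerFault.exe",  # benign crash report
     "loaded": r"C:\Windows\System32\faultrep.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe "C:\Users\u\Downloads\invoice.html"'},
    {"type": "process_create",
     "image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "python.exe stage2.py"},
]

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(hits)}")
```

On real telemetry, map Sysmon's Image, ParentImage, CommandLine and ImageLoaded fields onto the keys used here. The benign event (WerFault.exe in System32 loading faultrep.dll from System32) produces no hit, which is the baseline these rules are tuned against; the interpreter list and the system-directory set are the two knobs to widen for your environment.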

3. PurpleUrchin bypasses CAPTCHA and steals cloud platform resources

Automated Libra is a freejacking group based in South Africa that primarily targets cloud platforms offering short free trials of compute resources, which it uses for cryptomining. In the campaign tracked as PurpleUrchin, the group carried out these "play and run" operations by setting up large numbers of fake accounts using fraudulent or stolen payment cards.

It was also found that the actors preferred cloud services from conventional virtual service providers (VSPs). Heroku and Togglebox, two providers offering CAP and AHP services, were among those abused. To automate account creation, the actor solved the sign-up CAPTCHA, which asks users to identify spiral galaxies, by processing the images with tools from the ImageMagick toolbox. Operations like Automated Libra's can be stopped from taking hold in a cloud environment by scanning all containers for vulnerabilities and signs of abuse before deployment and by monitoring their behaviour at runtime.

4. Kubernetes clusters hacked by Kinsing malware campaign via PostgreSQL

Kinsing is a Linux malware family known for cryptomining. It uses techniques aimed specifically at containerized environments, which makes it common in Kubernetes clusters as well. When exploiting vulnerable container images, the threat actors hunt for remote code execution flaws in PHPUnit, Liferay, Oracle WebLogic, and WordPress that allow them to push their payloads.

The most common PostgreSQL misconfiguration the attackers leverage is the "trust" authentication setting, which instructs PostgreSQL to assume that "anyone who can connect to the server is authorized to access the database," a problem made worse when it is granted to a broad IP range. Even if the IP access configuration is strict, a Kubernetes cluster is still prone to ARP (Address Resolution Protocol) poisoning, so attackers could spoof applications in the cluster to gain access. It is recommended to scan all images for vulnerabilities, especially those used in exposed containers, and to minimize access to exposed containers with IP allow lists and least privilege principles. Where PostgreSQL is misconfigured, remove trust authentication and harden network access to the database.
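The "trust" setting lives in pg_hba.conf, one rule per line, and the severity of a trust rule depends on how far its ADDRESS column reaches. The following Python audit script is an added example for this advisory, not part of the research report: it parses a pg_hba.conf, flags every trust rule, rates it by reachability, and is shown against a constructed weak configuration and a constructed hardened one that replaces trust with scram-sha-256 over TLS and narrows the source range. The sample configurations and the severity labels are assumptions made for the example.

```python
"""Audit pg_hba.conf for the 'trust' authentication method that Kinsing's
operators look for. Added example for this advisory, not from the report;
both configuration samples below are constructed."""
import ipaddress

# Rule types that take an ADDRESS column; 'local' (Unix sockets) does not.
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


def parse_pg_hba(text):
    """Parse rule lines into dicts: TYPE DATABASE USER [ADDRESS] METHOD."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        tok = line.split()
        kind = tok[0]
        if kind == "local" and len(tok) >= 4:
            address, method = None, tok[3]
        elif kind in HOST_TYPES and len(tok) >= 5:
            address = tok[3]
            # The netmask may be written as its own column ("10.0.0.0 255.0.0.0").
            if "/" not in address and len(tok) >= 6 and tok[4].count(".") == 3:
                address, method = f"{address}/{tok[4]}", tok[5]
            else:
                method = tok[4]
        else:
            continue                              # include/other directives
        rules.append({"line": lineno, "type": kind, "db": tok[1],
                      "user": tok[2], "address": address, "method": method})
    return rules


def address_scope(address):
    """Classify how far a rule's ADDRESS reaches."""
    if address is None:
        return "socket"
    if address == "all":
        return "any"
    if address in ("samehost", "samenet"):
        return address
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return "hostname"                         # DNS name or domain suffix
    if net.is_loopback:
        return "loopback"
    if net.prefixlen == 0:
        return "any"                              # 0.0.0.0/0 or ::/0
    return "network"


def audit(text):
    """Return (line, severity, scope, rule) for every 'trust' rule found."""
    findings = []
    for rule in parse_pg_hba(text):
        if rule["method"] != "trust":
            continue
        scope = address_scope(rule["address"])
        # Trust reachable over the network is what the attackers exploit;
        # trust on loopback/socket is still a bad idea but needs local access.
        severity = "critical" if scope in ("any", "network", "samenet", "hostname") else "warning"
        findings.append((rule["line"], severity, scope, rule))
    return findings


# Constructed weak configuration: anyone who can reach the port is in.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   trust
host    all       all       0.0.0.0/0      trust
host    app       app       10.0.0.0       255.0.0.0  trust
hostssl all       all       10.20.0.0/16   scram-sha-256
"""

# Constructed hardened version: no trust, TLS required, narrowed source range.
HARDENED_PG_HBA = """\
local   all       postgres                 peer
hostssl all       all       127.0.0.1/32   scram-sha-256
hostssl app       app       10.20.5.0/24   scram-sha-256
"""

if __name__ == "__main__":
    for line, severity, scope, rule in audit(WEAK_PG_HBA):
        print(f"line {line}: {severity} - trust for {rule['db']}/{rule['user']} "
              f"from {rule['address']} ({scope})")
    print("hardened findings:", audit(HARDENED_PG_HBA))
```

Run it over the real file from the database container (usually under the PostgreSQL data directory) and reload the server after editing. Note that pg_hba.conf only controls who may authenticate; the network hardening the advisory recommends, namely allow lists and network policies in front of the exposed container, still has to be applied separately.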

5. StrongPity hackers distribute trojanized Telegram app to target Android users

A long-running campaign attributed to the StrongPity APT group distributed a malicious app through a fake website impersonating Shagle, a service that offers encrypted random video chats with strangers. Although it poses as the Shagle app, the malicious app is in fact a fully functional, trojanized version of the genuine Telegram app. If the victim grants it access to accessibility services, one of the malicious StrongPity modules can exfiltrate communication from 17 apps, including Viber, Skype, Gmail, Messenger, and Tinder.

The fake Shagle app contains malicious code implementing a simple but effective backdoor that was previously observed in an earlier StrongPity mobile campaign. To protect devices against such attacks, avoid installing applications from outside official app stores and block the published IOCs on your perimeter and core network devices.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
