MULTI#STORM campaign uses RATs to target India and the U.S.

SISA Weekly Threat Watch - 03 July 2023

The cybersecurity landscape continues to witness emerging threats and sophisticated attack techniques employed by various threat actors. Recent discoveries have shed light on campaigns orchestrated by state-sponsored hackers, remote access trojans (RATs), malvertising campaigns, and USB-driven self-propagating malware. These incidents underscore the need for organizations to stay updated on emerging threats and implement comprehensive security measures to mitigate the risks posed by these malicious activities.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Chinese hacker group Flea deploys Graphican malware

Foreign affairs ministries in the Americas were subjected to a cyber-attack campaign by a Chinese state-sponsored actor named Flea. The campaign involving a newly discovered backdoor called Graphican took place between late 2022 and early 2023. What sets Graphican apart is its utilization of the Microsoft Graph API and OneDrive to acquire its command and control (C2) infrastructure addresses in an encrypted format. This approach grants the malware versatility and makes it more resistant to takedowns.

Graphican disables Internet Explorer 10’s wizard, accesses the internet, authenticates with Microsoft Graph API, enumerates OneDrive files, and registers with a C&C server, while regularly checking for new commands. Notably, the group also employs an updated version of the EWSTEW backdoor to extract sent and received emails from compromised Microsoft Exchange servers. Organizations must prioritize advanced threat detection, regular security assessments, employee training, and robust incident response strategy to effectively mitigate the risks posed by such state-sponsored cyber threats.

2. MULTI#STORM campaign uses Remote Access Trojans to target India and the United States

A new phishing attack codenamed MULTI#STORM is targeting India and the U.S. by leveraging JavaScript files to deliver remote access trojans (RATs) on compromised systems. The multi-stage attack chain starts when a receiver of an email opens an embedded link leading to a password-protected ZIP file (“”) stored on Microsoft OneDrive with the password “12345.” When the ZIP file is extracted, a highly obfuscated JavaScript file named “REQUEST.js” is revealed.

Double clicking this file triggers the infection by running two PowerShell scripts that are responsible for downloading and running two different payloads from OneDrive. One of the two files is a decoy PDF document that is displayed to the victim while the second file, a Python-based executable, runs covertly in the background. The attack chain ends with the victim machine infected with multiple unique RAT malware instances, such as Warzone RAT and Quasar RAT. It is recommended to avoid opening any unknown attachments, implement an application whitelisting policy, and monitor publicly writable directories to stay protected from such attacks.

3. PindOS JavaScript dropper distributing Bumblebee and IcedID malware

A new strain of JavaScript dropper named PindOS has been observed delivering next-stage payloads like Bumblebee and IcedID. PindOS is described as a “surprisingly simple” loader that is primarily designed to download malicious executables from a remote server. It utilizes two URLs, with the second URL serving as a fallback in case the first URL fails to fetch the DLL payload. The retrieved payloads are generated pseudo-randomly on demand, resulting in a unique hash for each fetched payload.

The DLL files are executed using rundll32.exe, a legitimate Windows tool, adding an extra layer of camouflage to the malicious activities. While the future adoption of PindOS by Bumblebee and IcedID operators remains uncertain, researchers anticipate that its success may result in its integration as a permanent tool in their malware arsenals, potentially appealing to other threat actors in the process. To prevent from being a victim of such malware campaigns, it is recommended to stay updated on emerging threats, enhance detection capabilities, regularly patch and update software, and educate employees about the risks associated with malicious emails.

4. Anatsa banking trojan exploits malvertising in sophisticated attack

A recent discovery by security researchers has revealed a concerning ongoing attack called Anatsa, which specifically targets around 600 financial applications used by various global banking institutions. The malware is cleverly hidden within seemingly innocent apps, such as PDF viewers, editor apps, office suites, and add-ons for existing applications. The attack commences by infecting users’ devices with malware designed to steal information. This malicious software then proceeds to collect and extract user credentials.

The stolen credentials serve as valuable assets for further malicious activities, including phishing attacks or unauthorized transactions. Anatsa the banking trojan is capable of collecting sensitive financial information such as bank account credentials, credit card details, and payment information. It achieves this by utilizing phishing pages that overlay legitimate banking applications and employing keylogging techniques. Organizations can enhance their security by implementing strong antivirus solutions, keeping software up to date, utilizing ad-blockers, deploying web protection applications, and exercising caution when downloading apps.

5. Camaro Dragon hackers strike with USB-driven self-propagating malware

A malware strain designed to propagate through USB drives has been observed affecting networked storage devices, as reported by researchers. The malware is believed to originate from a group known as Camaro Dragon, which exhibits similar campaign patterns to China’s Mustang Panda and LuminousMoth. The identified malware tools, including WispRider and HopperTick, were associated with other tools employed by the same threat actor. One such tool was TinyNote, a backdoor that was written in the Go programming language.

The infection process initiates when an unsuspecting victim executes a malicious Delphi launcher, which is present on an infected USB flash drive. This action triggers the activation of a backdoor, leading to the installation of malware onto other drives whenever they are connected to the compromised machine. To stay protected, it is recommended to implement strict USB device usage policies within the organization, deploy robust endpoint security solutions that include advanced threat detection capabilities, and segment the network infrastructure to isolate critical systems and sensitive data from the rest of the network.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider