SISA Weekly Threat Watch – November 07th, 2022
SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.
Organizations can also opt-in for our free daily threat advisories by subscribing here.
Multiple threat actors have been constantly upgrading and adding new malware and tools, tactics, and techniques (TTPs) to their arsenal in order to carry out effective cyberespionage activities against their target of choice. Many successful attempts to breach networks and exfiltrate critical information have resulted from a variety of attack channels with a high level of expertise. Researchers have also discovered that all threat actors’ TTPs are constantly being improved, which enables them to stay undetected for a longer period.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Hacking group updates Furball Android spyware to evade detection
The Domestic Kitten hacking group, also known as APT-C-50, has been found to be using a new version of the “FurBall” Android spyware to target Iranian citizens during mobile surveillance activities. An Iranian website that offers translated books, journals, and articles is where FurBall is circulated. This website is a duplicate of a real Iranian website. The campaign’s operators employed a variety of threat vectors, including direct messaging, social media posts, emails, SMS, black SEO, and SEO poisoning, to lure victims.
The most recent malware variant uses techniques for code obfuscation, such as obfuscating class names, strings, logs, and server URI routes. This version helps to avoid being detected by security software because it simply requests access to contacts and storage media. It is recommended to turn on the automatic software update feature, use strong passwords, enforce multi-factor authentication (MFA), and implement a Data Loss Prevention (DLP) solution to prevent data compromise through such attacks.
2. WarHawk: The new backdoor in the arsenal of the SideWinder APT Group
The new WarHawk backdoor was launched by SideWinder on the National Electric Power Regulatory Authority (NEPRA), Pakistan, official website. Cobalt Strike is delivered through several malicious WarHawk modules, a few of which use fresh TTPs and track the Pakistan Standard Time zone for successful operations. To trick unsuspecting users into executing the payload, the backdoor appears as legitimate apps.
A kill-chain that deploys WarHawk is set into motion by the SideWinder APT group using a weaponized ISO file that is hosted on NEPRA’s website. Typically, WarHawk poses as ASUS Update Setup and Realtek HD Audio Manager. The system metadata is then exfiltrated to a hard-coded remote server after being executed, while additional payloads are being received from the URL. Organizations in sensitive areas of the target must maintain updated software and deploy suitable threat intelligence solutions to take preventative measures against the threat.
3. A multitude of credit card details stolen using PoS malware
Two point-of-sale (POS) malware variants: MajikPOS and Treasure Hunter, have been used by a threat actor to compromise 77,428 and 90,024 unique payment records, respectively, between February and September 2022. These malwares are designed to brute-force their way into a PoS terminal after confirming if Virtual Network Computing (VNC) and Remote Desktop Protocol (RDP) services exist. RAM-scraping Routine: Conhost.exe is the component responsible for RAM scraping. It uses information from the configuration file for this routine.
MajikPOS checks a sizeable range of cards, such as American Express, Diners Club, Discover, Maestro, Mastercard, and Visa. After verifying the credit card’s track data, the information is sent to the C&C server via HTTP POST, Action=””bin”.” It is recommended to employ endpoint application control or whitelisting to reduce attack exposure. Endpoint solutions that provide both detection and blocking of all the relevant, malicious files and C&C traffic, must also be deployed.
4. Evolved version of Drinik Android malware targets Indian taxpayers
Drinik Android Malware, against which CERT-In had issued a warning earlier in 2021, has once again come to notice due to its upgraded version as an Android banking trojan. It disguises itself as an ‘iAssist.APK‘, which in reality is an application managed by the Income Tax Department, hence deceiving users to believe that it is a legitimate app. Once installed, the malware accesses victim’s SMSs, call log and file storage, which is followed by gaining permissions to the accessibility settings allowing the malware to start screen recording, disable Google Play Protect, execute auto-gestures and capture keystrokes.
The malware then steals user’s credentials by recording the screen and using a keylogger once the actual website of Indian Income Tax is loaded via WebView. Once the requested action is taken by clicking the ‘Apply’ button, the victim is redirected to a phishing page where it is asked to enter the card details. To prevent such attacks, it is advised to enable biometric authentication for apps, confirm the authenticity of the URL of the page before using banking credentials on any website, and limit access permissions for all apps.
5. Microsoft links Raspberry Robin worm to Clop ransomware attacks
According to Microsoft, a threat organization identified as DEV-0950 utilized the Clop ransomware to encrypt a victim’s network after it had already been infected by the Raspberry Robin worm. The malware, which at first propagated through external USB drives, now uses various infection techniques, and has recently joined forces with other malware families in cyberattacks.
Since September, DEV-0950 began infecting targets with Raspberry Robin, which then unleashed the Clop ransomware and other second-stage payloads like IcedID, Bumblebee, and Truebot. The malicious activity of hacking groups FIN11 and TA505, which are notorious for their involvement in Clop ransomware attacks, overlaps with that of DEV-0950. It is recommended to keep software and hardware applications up to date and block the IOCs at perimeter firewalls and any other security solution to stay protected from these ransomware attacks.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.