Last week the United States Cyber Command (USCYBERCOM) uploaded to VirusTotal a malware used by Iran-linked APT33 group in attacks in Dec 2016 and Jan 2017.
Now experts at Kaspersky confirmed that the malware was used in attacks exploiting the CVE-2017-11774 vulnerability, two of the files (MD5: d87663ce6a9fc0e8bc8180937b3566b9, MD5:9b1a06590b091d300781d8fbee180e75) were first seen in 2016.
“USCYBERCOM’s VirusTotal executable object uploads appeared in our January 2017 private report “NewsBeef Delivers Christmas Presence”, an examination of a change in the tactics used in spear-phishing and watering hole attacks against Saudi Arabian targets.” reads a report published by Kaspersky. “Two files uploaded by USCYBERCOM are of particular interest. These were first seen Dec 2016 and Jan 2017: “
At the time, the security firm warned in a private report its customers of the threats. In particular, the researchers attributed the attacks at the NewsBeef threat actor (aka Charming Kitten, Newscaster, Ajax Security Team, and APT35).
The private report issued by Kaspersky in January 2017, titled ” “NewsBeef Delivers Christmas Presence,” analyzed the evolution of TTPs of the NewsBeef group. Experts noticed that the threat actors added new tools to its arsenal, including macro-enabled Office documents, PowerSploit, and the
“
Attackers also carried out spear-phishing campaigns and watering hole attacks, primarily aimed at targets in Saudi Arabia (Government financial and administrative organizations, Government health organizations, Engineering and technical organizations, one British labor-related government organization (targeted multiple times)).
The NewsBeef threat actors were continuing to deploy malicious macro-enabled Office documents, poisoned legitimate Flash and Chrome installers, PowerSploit, and Pupy tools
Experts discovered that the compromised websites infected with an obfuscated JavaScript used to redirect visitors to NewsBeef-controlled hosts that tracked victims and served malware.
The Kaspersky report and the USCYBERCOM uploads confirm that Iran-linked APT groups use to share malware code, the malware has been associated with the COBALT GYPSY threat group, and also associated with the Shamoon.
“Previous reports on the NewsBeef APT noted the group’s reliance on open-source tools to launch
[adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]