Category Archives: APT

APT – Advanced Persistent Threat groups

New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict

Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic.

In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions with a previously undetected framework dubbed CommonMagic.

Researchers believe that threat actors use spear phishing as an initial attack vector, the messages include an URL pointing to a ZIP archive hosted on a web server under the control of the attackers. The archive contained two files, a decoy document (i.e. PDF, XLSX and DOCX versions) and a malicious LNK file with a double extension (i.e., .pdf.lnk) used to start the infection and deploy the PowerMagic backdoor.

Malicious ZIP archive (Source Kaspersky)

Kaspersky attributes the attack to a new APT group operating in the area of Russo-Ukrainian conflict and tracked as Bad magic.

The experts noticed that TTPs observed during this campaign have no direct link to any known campaigns.

PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by C2, then it exfiltrates data to cloud services like Dropbox and Microsoft OneDrive.

“When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky.

The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework.

Each module of the CommonMagic framework is used to perform a certain task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, and executing plugins.

Kaspersky analyzed two plugins respectively used to capture screenshots every three seconds and collects the contents of the files with the following extensions from connected USB devices: .doc, .docx. .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.

“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors.” concludes the report. “However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CommonMagic)

2022 Zero-Day exploitation continues at a worrisome pace

Experts warn that 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups in 2022.

Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in attacks in the wild.

Most of the zero-day vulnerabilities were in software from Microsoft, Google, and Apple.

The figures show a decrease from 2021, but experts pointed out that they represent almost triple the number from 2020.

The majority of the zero-day vulnerabilities were exploited by China-linked threat actors as part of their cyberespionage campaigns.

The researchers reported that only four zero-day vulnerabilities were exploited by financially motivated threat actors, with 75% of these instances linked to ransomware attacks.

“Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6). ” reads the report published by Mandiant.

According to the report, 13 zero-days in 2022 were exploited by cyber espionage groups, a figure that is consistent with 2021. Seven zero-days (CVE-2022-24682CVE-2022-1040CVE-2022-30190CVE-2022-26134CVE-2022-42475CVE-2022-27518, and CVE-2022-41328) were exploited in attacks in the wild by China-linked cyberespionage groups, while two zero-day vulnerabilities were exploited by suspected North Korea-linked APT groups.

“We identified four zero-day vulnerabilities for which we could attribute exploitation by financially motivated threat actors, a quarter of the total 16 zero-days for which we could determine a motivation for exploitation. 75% of these instances appear to be linked to ransomware operations, consistent with 2021 and 2019 data in which ransomware groups exploited the highest volume of zero-day vulnerabilities compared to other financially motivated actors.” continues the report. “However, the overall count and proportion of the total of financially motivated zero-day exploitation declined in 2022 compared to recent years.”

Multiple China-linked APT groups exploited the vulnerability CVE-2022-30190, aka Follina, while the exploitation of FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328 was observed in particularly notable campaigns in 2022.

Mandiant believe that there is a shared development and logistics infrastructure behind the attacks.

Mandiant also observed two instances of Russian state zero-day exploitation. A first campaign carried out by the Russia-linked APT28 group exploited the CVE-2022-30190 flaw (aka Follina) in early June 2022. A second activity is related to a months-long campaign exploiting Microsoft Exchange vulnerability CVE-2023-23397 conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).

The experts explained that increased focus on disrupting Russian cyber operations since Russia’s invasion of Ukraine may have discouraged Russia-linked groups from widely using zero-day exploits for access they expected to lose quickly. This implies that the exploitation of the CVE-2022-30190 flaw was likely opportunistic.

“Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives. While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions from these vulnerabilities is often limited.” concludes the report. “Alternatively, elevated privileges and code execution can lead to  lateral movement across networks, causing effects beyond the initial access vector.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

China-linked APT likely linked to Fortinet zero-day attacks

An alleged Chinese threat actor group is behind attacks on government organizations exploiting a Fortinet zero-day flaw (CVE-2022-41328).

A suspected China-linked group is exploiting a Fortinet zero-day vulnerability, tracked as CVE-2022-41328, in attacks aimed at government organizations.

A few days ago, Fortinet researchers warned of an advanced threat actor that is targeting governmental or government-related entities.

The unknown threat actor is exploiting a vulnerability in Fortinet FortiOS software, tracked as CVE-2022-41328, that may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.

The CVE-2022-41328 vulnerability (CVSS score: 6.5) is a path traversal issue in FortiOS can can result in arbitrary code execution.

“A improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.” reads the advisory published by Fortinet.

The vulnerability impacts FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. The company addressed the vulnerability with the release of versions 6.4.12, 7.0.10, and 7.2.4 respectively.

Fortinet launched an investigation into the attacks after the FortiGate devices of one customer suddenly halted and failed to reboot. The devices halted displaying the following error message:

“System enters error-mode due to FIPS error: Firmware Integrity self-test failed”

The failure of the integrity test blocks the reboot of the device to protect the integrity of the network.

Mandiant researchers linked a series of attacks that took place in mid-2022 to a China-linked threat actor tracked as UNC3886 by the security firm.

“a suspected China-nexus threat actor likely already had access to victim environments, and then deployed backdoors onto Fortinet and VMware solutions as a means of maintaining persistent access to the environments.” reads the report published by Mandiant. “This involved the use of a local zero-day vulnerability in FortiOS (CVE-2022-41328) and deployment of multiple custom malware families on Fortinet and VMware systems.”

The attackers exploited the CVE-2022-41328 zero-day to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access, then they maintained persistent access with Super Administrator privileges within FortiGate Firewalls through ICMP port knocking.

Threat actors also bypassed the firewall rules active on FortiManager devices with a passive traffic redirection utility. The attackers also used a custom API endpoint created within the device to maintain persistence ùon FortiManager and FortiAnalyzer, then disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files.

Once compromised the Fortinet devices, the threat actors established backdoor access using two previously undocumented malware, a Python-based Thincrust backdoor disguised as legitimate API calls and the ICMP port-knocking Castletap passive backdoor.

Once obtained access to the Fortinet devices, the attackers targeted ESXi servers to deploy malicious vSphere Installation Bundles which contained VIRTUALPITA and VIRTUALPIE backdoors. This allowed the attackers to maintain persistent access to the hypervisors and execute commands on guest virtual machines.

When FortiManager was not exposed to the Internet, the threat actors deployed a traffic redirector (Tableflip) and a passive backdoor (Reptile) to circumvent the new ACLs.

“many network appliances lack solutions to detect runtime modifications made to the underlying operating system and require direct involvement of the manufacturer to collect forensic images. Cross organizational communication and collaboration is key to providing both manufacturers with early notice of new attack methods in the wild before they are made public and investigators with expertise to better shed light on these new attacks.” concludes Mandiant.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Russia-linked APT29 abuses EU information exchange systems in recent attacks

Russia-linked APT29 group abused the legitimate information exchange systems used by European countries to target government entities.

Russia-linked APT29 (aka SVR groupCozy BearNobelium, and The Dukes) was spotted abusing the legitimate information exchange systems used by European countries in attacks aimed at governments.

In early March, BlackBerry researchers uncovered a new cyber espionage campaign aimed at EU countries. The hackers targeted diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.

The attack chain commences with a spear-phishing email containing a weaponized document, which contains a link leading to the download of an HTML file.

The HTLM files are hosted on a legitimate online library website that was likely compromised by the threat actors sometime between the end of January 2023 and the beginning of February 2023.

“One of the lures appeals to those who want to find out the Poland Ambassador’s schedule for 2023. It overlaps with Ambassador Marek Magierowski’s recent visit to the United Statesp; specifically, his talk on February 2, where he discussed the war in Ukraine at the Catholic University of America Columbus School of Law, also known as the Catholic Law, which is based in Washington, DC.” reads the analysis published by BlackBerry.

The APT29 group also abused multiple legitimate systems, including LegisWrite and eTrustEx, which are used by EU nations for exchanging info and data in a secure way.

LegisWrite is an editing program used by governments within the European Union, this means that threat actors used it in the malicious lure to target state organizations within the EU specifically.

The malicious HTML file employed in the attack is a version of NOBELIUM’s dropper tracked as ROOTSAW (aka EnvyScout). EnvyScout uses the HTML smuggling technique to deliver an IMG or ISO file to the victim’s system.

To maintain persistence, a new registry key is created under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DsDiBacks”.

The BugSplatRc64.dll file allows cyber spies to collect and exfiltrate information about the infected system.

The nation-state actor abuses the API the note-taking application Notion for C2 communication, a choice that allows avoiding detection.

“NOBELIUM actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland’s Ambassador’s visit to the United States with the lure used in the attacks, provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.” concludes the report. “Furthermore, our initial analysis of weaponized LNK files shows that the threat actor behind this campaign used anti-forensic techniques to wipe out personal metadata to remove information connected to its operations systems.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Russia)

YoroTrooper APT group targets CIS countries and embassies

A new APT group, dubbed YoroTrooper, has been targeting government and energy organizations across Europe, experts warn.

Cisco Talos researchers uncovered a new cyber espionage group targeting CIS countries, embassies and EU health care agency since at least June 2022.

The APT group focuses on government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS). The experts reported that the group hacked accounts from at least two international organizations, a critical EU health care agency and the World Intellectual Property Organization (WIPO). Talos reported that the threat actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.

Data stolen by the threat actors includes credentials from multiple applications, browser histories and cookies, system information and screenshots.

YoroTrooper’s arsenal includes Python-based, custom-built and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. The group also employed commodity malware in its campaign, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.

The attack vectors are phishing emails with an attached archive containing two files, a shortcut file and a decoy PDF file.

The malicious LNK files acts as downloaders that uses mshta.exe to download and execute a remote HTA file on the infected endpoint.

“The malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands.” continues Talos.

Talos states that there are some similarities in their TTPs and victimology between PoetRAT and YoroTrooper groups.

Some evidence collected by the experts suggests the threat actor is Russian-speaking, such as the presence of telegram messages in Russian and Cyrillic snippets in the source code of the malware used by the actor.

“YoroTrooper has been consistently introducing new malware into their infection chains in this campaign, including both custom-built and commodity malware. It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware.” concludes the report that also includes Indicators of Compromise (IoCs). “This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, YoroTrooper)

Dark Pink APT targets Govt entities in South Asia

Researchers reported that Dark Pink APT employed a malware dubbed KamiKakaBot against Southeast Asian targets.

In February 2023, EclecticIQ researchers spotted multiple KamiKakaBot malware samples that were employed by the Dark Pink APT group (aka Saaiwc) in attacks against government entities in Southeast Asia countries.

The activity of the group was first detailed by Group-IB in January 2023, the group used custom malware such as KamiKakaBot and TelePowerBot.

The Dark Pink APT is active in the ASEAN region and has been active since at least mid-2021. The group focuses on military and government organizations to steal sensitive information, including confidential data and intellectual property.

The main difference between the January campaign and the attacks spotted by EclecticIQ is that the threat actors have improved the malware’s obfuscation routine to avoid detection.

The researchers noticed overlaps in malware delivery and adversary techniques between Earth Yako and Dark Pink APT groups, including the use of Winword.exe for DLL Hijacking.

The KamiKakaBot malware spreads via phishing emails that contain a malicious ISO file as an attachment. The ISO image file contains a WinWord.exe which is legitimately signed by Microsoft, which is used to launch DLL side-loading attack, a loader (MSVCR100.dll), and a decoy Microsoft Word document. Upon clicking on WinWord.exe, the loader is executed in the memory of WinWord.exe.

The malware gain persistence via a registry key into HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell used to abuse features of Winlogon (Windows component).

“The ISO file also contains a decoy Word document that has an XOR-encrypted section. The KamiKakaBot loader uses this section to decrypt the XOR-encrypted content from the decoy file then writes the decrypted XML KamiKakaBot payload into the disk (C:\Windows\temp) and executes it via a living-off-the-land binary called MsBuild.exe.” reads the analysis published by EclecticIQ.

The attackers employed different lures in each decoy Word document to trick their victims into opening the attachment.

“Before the execution of the decrypted XML payload, KamiKakaBot loader writes a registry key into HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to abuse features of Winlogon (Windows component) for establishing persistent access.”

KamiKakaBot can steal data stored in popular web browsers, including Chrome, MS Edge, and Firefox. Then the stolen data is sent to the attackers’ Telegram bot channel in a compressed ZIP format.

The malware also supports an update mechanism and can perform remote code execution on the targeted device. The C2 communication relies on a Telegram bot controlled by the threat actor.

The experts believe the Dark Pink APT group is likely a cyber espionage threat actor that focuses on the relationship between ASEAN and European nations to create phishing lures.

“The result of the analysis showed that the threat actors are still utilizing the same adversary tactics, techniques, and procedures (TTPs) to deliver and execute the KamiKakaBot malware, with only small changes made to the obfuscation routine to increase the infection rate and evade anti-malware solutions.” concludes the report. “Based on the TTPs used in this campaign, EclecticIQ researchers strongly believe that the Dark Pink APT group is very likely a cyber espionage-motivated threat actor that specifically exploits relations between ASEAN and European nations to create phishing lures during the February 2023 campaign.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Dark Pink APT)

SonicWall SMA appliance infected by a custom malware allegedly developed by Chinese hackers

Alleged China-linked threat actors infected unpatched SonicWall Secure Mobile Access (SMA) appliances with a custom backdoor.

Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence through firmware upgrades, and provides shell access.

The analysis of a compromised device revealed the presence of a set of files used by the attacker to gain highly privileged and available access to the appliance. The malicious code is composed of a series of bash scripts and a single ELF binary identified as a TinyShell variant.

The researchers believe that the threat actors have a deep understanding of the appliance.

The malware is well tailored to the system to provide stability and maintain persistence, even in the case of installation of firmware upgrades.

“The primary purpose of the malware appears to be to steal hashed credentials from all logged in users. It does this in firewalld by routinely executing the SQL command select userName,password from Sessions against sqlite3 database /tmp/temp.db and copying them out to the attacker created text file /tmp/syslog.db.” reads the report published by Mandiant. “The source database /tmp/temp.db is used by the appliance to track session information, including hashed credentials. Once retrieved by the attacker the hashes could be cracked offline.”

At this time it is unclear how the attackers gained initial access to the unpatched SonicWall Secure Mobile Access (SMA) appliance. Mandiant experts believe the threat actors may have exploited a known vulnerability that the targeted appliance.

Mandiant believes that the malware, or a predecessor of it, was likely first installed in 2021 giving attackers persistent access.

Developing malware for a managed appliance is very complex and request a deep knowledge of the target. Mandiant pointed out that vendors typically do not enable direct access to the Operating System or filesystem for users, instead offering administrators a graphical UI or limited Command Line Interface (CLI) with guardrails preventing anyone from accidentally breaking the system. The lack of access, makes it very hard to develop such kind of custom malware.

“First and foremost, maintaining proper patch management is essential for mitigating the risk of vulnerability exploitation. At the time of publishing this blog post, SonicWall urges SMA100 customers to upgrade to 10.2.1.7 or higher, which includes hardening enhancements such as File Integrity Monitoring (FIM) and anomalous process identification.” concludes the report. “A SonicWall blog post describing the patch features is available (New SMA Release Updates OpenSSL Library, Includes Key Security Features) and the patch itself can be found here: Upgrade Path For SMA100 Series.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)

China-linked APT Sharp Panda targets government entities in Southeast Asia

China-linked APT group Sharp Panda targets high-profile government entities in Southeast Asia with the Soul modular framework.

CheckPoint researchers observed in late 2022, a campaign attributed to the China-linked APT group Sharp Panda that is targeting a high-profile government entity in the Southeast Asia.

The state-sponsored hackers used a new version of the SoulSearcher loader, which eventually loads a new version of the Soul modular framework. 

The researchers pointed out that this is the first time the Soul malware framework is attributed to a known cluster of malicious activity, although it was previously used in attacks targeting the defense, healthcare, and ICT sectors in Southeast Asia. The researchers cannot exclude that the Soul framework is utilized by multiple threat actors in the area.

“The connection between the tools and TTPs (Tactics, Techniques and Procedures) of Sharp Panda and the previously mentioned attacks in Southeast Asia might serve as yet another example of key characteristics inherent to Chinese-based APT operations, such as sharing custom tools between groups or task specialization, when one entity is responsible for the initial infection and another one performs the actual intelligence gathering.” reads the analysis published by the experts.

CheckPoint researchers first identified Sharp Pands’s activity at the beginning of 2021, at the time the APT group was targeting Southeast Asian government entities with spear-phishing attacks.

The attackers used a Word document with government-themed lures that relied on a remote template to download and run a malicious RTF document, weaponized with the infamous RoyalRoad kit.

Upon gained a foothold in the target system, the malware starts a chain of fileless loaders, including a custom DLL downloader called 5.t Downloader and a second-stage loader that delivers the final backdoor.

The last stage payload used in Sharp Panda campaigns at the time was the custom backdoor VictoryDll.

The experts detailed multiple campaigns aimed at entities in Southeast Asian countries, such as Vietnam, Indonesia, and Thailand. Across the yeats, the initial part of the infection chain (the use of Word documents, RoyalRoad RTF and 5.t Downloader) remained the same, but in early 2023 the VictoryDll backdoor was replaced with a new version of SoulSearcher loader.

In order to target only organization in Southeast Asia, the attackers used a geo-fenced C&C server. The SoulSearcher loader is used for downloading, decrypting, and loading in memory other modules of the Soul modular backdoor.

The main module of the Soul malware is tasked of communicating with the C&C server and its primary purpose is to receive and load in memory additional modules. One of the most interestingly features supported by the backdoor is the “radio silence,”which allows threat actors to specify specific hours in a week when the backdoor is not allowed to communicate with the C2 server.

The most recent sample of the backdoor (compiled on 29/11/2022 02:12:34 UTC) is quite different from the samples that were previously analyzed by the experts. The new version of SoulBackdoor implements a new custom C2 protocol and a new set of API endpoints. The researchers noticed that the C&C requests contain additional HTTP request headers. The C2 commands supported with the newer variant primarily focused on loading additional modules, while lack any type of common backdoor functionality like manipulating local files, sending files to the C&C, and executing remote commands.

“The later stages of the infection chain in the described campaign are based on Soul, a previously unattributed modular malware framework. While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities. Based on the technical findings presented in our research, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities, and position within the broader network of espionage activities are yet to be explored.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Sharp Panda)

MQsTTang, a new backdoor used by Mustang Panda APT against European entities

China-Linked Mustang Panda APT employed MQsTTang backdoor as part of an ongoing campaign targeting European entities.

China-linked Mustang Panda APT group has been observed using a new backdoor, called MQsTTang, in attacks aimed at European entities.

The hacking campaign began in January 2023, ESET researchers pointed out that the custom backdoor MQsTTang is not based on existing families or publicly available projects.

The researchers targeted entities in Bulgaria, Australia and a governmental institution in Taiwan. However, the decoy filenames used by the threat actors suggest that have also targeted political and governmental organizations in Europe and Asia. 

Mustang Panda is known for its customized Korplug backdoor (aka PlugX), but the recent discovery demonstrates that the group is expanding its arsenal.

Some of the attack infrastructure used in this campaign also matches the network fingerprint of infrastructure used by Mustang Panda in the past.

“One of the servers used in the current campaign was running a publicly accessible anonymous FTP server that seems to be used to stage tools and payloads. In the /pub/god directory of this server there are multiple Korplug loaders, archives, and tools that were used in previous Mustang Panda campaigns.” reads the analysis published by ESET.

MQsTTang supports common backdoor capabilities, one of its hallmarks is the use of the MQTT protocol for C&C communication. The MQTT protocol is typically used for communication between IoT devices and controllers, the experts noticed that hasn’t been used in many publicly documented malware families.

The encoding scheme used by the threat actors is the same for every communication. The MQTT message’s payload is a JSON object with a single attribute named msg. The value of this attribute is generated by first encoding in base64 the actual content, then it is XORed with the hardcoded string nasa, and base64 encoded again.

The backdoor is distributed in RAR archives containing only a single executable. The attackers used executables having names related to Diplomacy and passports such as “CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe”, “Documents members of delegation diplomatic from Germany.Exe”, “PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE”, “Note No.18-NG-23 from Embassy of Japan.exe.”

The researchers noticed that the MQsTTang backdoor has only a single stage and doesn’t use any obfuscation techniques.

The malware maintains persistence using a specific task to create a new value qvlc set to c:\users\public\vcall.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools.” concludes the report. “It remains to be seen whether this backdoor will become a recurring part of the group’s arsenal, but it is one more example of the group’s fast development and deployment cycle.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mustang Panda)

ENISA and CERT-EU warns Chinese APTs targeting EU organizations

A joint report published by ENISA and CERT-EU warns of Chinese APTs targeting businesses and government organizations in the European Union.

The European Union Agency for Cybersecurity (ENISA) and CERT-EU warn of multiple China-linked threat actors targeting businesses and government organizations in the EU.

The joint report focus on cyber activities conducted by multiple Chinese Advanced Persistent Threat (APT) groups, including APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda.

“The EU Cybersecurity Agency (ENISA) and the CERT for the EU institutions, bodies and agencies (CERT-EU) would like to draw the attention of their respective audiences on particular Advanced Persistent Threats (APTs), known as APT27, APT30, APT31, Ke3chang, GALLIUM and Mustang Panda. These threat actors have been recently conducting malicious cyber activities against business and governments in the Union.” reads the joint report. “These threat actors present important and ongoing threats to the European Union. Recent operations pursued by these actors focused mainly on information theft, primarily via establishing persistent footholds within the network infrastructure of organisations of strategic relevance.”

The European agencies are calling for all public and private sector organisations in the EU to apply the recommendations provided in the alert. The alert urges organizations to improve their cybersecurity posture and increase their resilience to cyberattacks.

The alert provides recommendations for prevention, detection, and response.

To prevent such attacks the agencies recommend:

  • Follow the security best practices proposed by vendors to harden their products and manage high privileged accounts and key assets.
  • Strive to maintain current physical and virtual asset inventories.
  • Block or severely limit egress Internet access for servers or other devices that are seldom rebooted.
    Implement best practices for identity and access management.
  • Adopt a backup strategy.
  • Ensure tight and proper access controls for end users and, most crucially, external third-party
    contractors with access to internal networks and systems.
  • Use network segmentation to isolate critical systems, functions, or resources – specifically implement
    isolation in regards of interconnections with Internet and third parties.
  • Secure your cloud environments before moving critical assets there.
  • Implement a resilient email policy that includes adequate mechanisms for filtering and scrutinising malicious content. A secure email gateway can further enhance the protection of the recipients.
  • Consider preventing attacks based on the so-called Pass-the-Ticket technique on Active Directory environments.
  • Invest in cybersecurity education.

To detect malicious cyber activities, the European agencies recommend:

  • Implement robust log collection and regularly review alerts triggered by security components.
  • Monitor the activities of devices in your network with appropriate tools.
  • Use carefully curated cyber threat intelligence to proactively search your logs for possible signs of
  • compromise.
  • Detect traces of compromise in your network through well-conceived, regular threat hunting based, for example, on the MITRE ATT&CK® framework.
  • Use intrusion detection signatures and NetFlow to spot suspicious traffic at network boundaries and detect conditions that may indicate software exploitation or data exfiltration.
  • Invest in detecting lateral movements which exploit NTLM and Kerberos protocols in a Windows
  • environment.
  • Train your users to immediately report any suspicious activity to your local cybersecurity team.

The report also provides recommendations to improve the response to the incident. Organizations are urged to create and maintain an incident response plan and assess the incident severity.

The document also includes an overview of the China-linked threat actors that are targeting EU organizations.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Chinese APTs)