Lazarus Subsidiary

Lazarus Subsidiary Seen Directing Attacks Towards South Korea

Target: South Korean corporations and related entities
Attack Vector: Watering hole attacks
Threat Actor: Andariel
Summary: The Lazarus group has been seen carrying out state-sponsored attacks on behalf of the North Korean government for some time. A subsidiary of the group, identified as Andariel Group, has now emerged. It has been observed exploiting a zero-day vulnerability in ActiveX and subsequently infecting South Korean targets with malware or carrying out data theft.
Andariel is a little-known state-sponsored threat actor that has been active since 2014. The group has historically targeted South Korea, with commercial entities widely used within the country also used as an attack vector. The group is known for its use of command and control infrastructure and malware, with the March 2013 DarkSeoul attack a notable example of its work.
Risk assessment summary: This threat is assessed as 3e MODERATE. North Korean threat actors have typically shown a high capability in their actions and Andariel is no different. The ability to exploit vulnerabilities and push out malware in the same operation could lead to particularly effective attacks. Currently, North Korean state-sponsored activity is expected to continue at the same level, but recent diplomatic missions in South Korea and the West could change this forecast in the long run.


#OpRussia Resurgence Continues Amidst Ukrainian Tension

Target: Russian governmental and major organisations
Attack Vector: Data leaks; DDoS attacks and site defacement are also likely in future
Threat Actor: @AnonyInfo, @SambaCry
Summary: In April BT Security Threat Intelligence observed the return of the #OpRussia campaign targeting the Russian government and major companies. This is largely a reaction to events on the ground, including Russia’s increasingly aggressive foreign policy. The upcoming FIFA World Cup has been touted as a likely factor in the return of the campaign, with diplomatic relations between Russia and the West currently at a low point.
In late May several attacks were observed by @AnonyInfo_ against various sites. In addition, Russia has been particularly aggressive in recent weeks against Ukraine, a nation which has had a prickly relationship with Moscow in recent years. With Ukraine becoming increasingly pro-EU, this corrosive relationship could pave the way for further attacks under the #OpRussia banner.
Risk assessment summary: This threat is assessed as 3d MODERATE. Russia has been engaging in increasing cyber espionage campaign activity, with the VPNFilter malware in Ukraine in May a key example which could potentially trigger a response in hacktivist activity. The hacktivist activity observed in May is significant as it signals that the #OpRussia campaign is here to stay after resuming; with the World Cup impending in June, further attacks are likely.
The risk is also at a significant level. @AnonyInfo has been seen to carry out DDoS attacks as well as data leaks, and much of its capability is still to be displayed in this campaign. The large number of threat actors active in this campaign means the use of shared resources could lead to damaging compromises of systems and sites.

BackSwap Banking Trojan

BackSwap Banking Trojan’s New Browser Manipulation Technique

Target: Polish online banking users

Attack Vector: Browser address manipulation

Summary: The banking industry may find itself under a new wave of malware attacks after the discovery of a new, groundbreaking trojan technique. The trojan, dubbed BackSwap, is currently able to avoid antivirus detection techniques at browser level.

Risk assessment summary: The threat is assessed as 3d MODERATE. If successful, this backdoor Trojan technique installs the malware inside infected systems. Because of the new, innovative evasion techniques used, it can be difficult to detect any changes in system behaviour. BackSwap malware can therefore lie undetected and enable an attacker to make bank transfers or complete other transactions against a target. The risk is also heightened as BackSwap malware may be expanded further to target other countries and banking organisations.

MnuBot Trojan

New Banking Trojan MnuBot Discovered

Target: Brazilian online banking users

Attack Vector: Two-stage download

Summary: A new banking Trojan dubbed MnuBot has been observed in the wild. The malware has a number of unique features; most notably, its command and control server is a Microsoft SQL server, a highly uncommon trait. Additionally, the configuration method, which gives the authors the ability to update the malware constantly, is also an unusual feature.

Risk assessment summary: This threat is assessed at 3e MODERATE. As an active banking Trojan, the potential financial loss to a victim is high, as this is the aim of the malware. As it has, to date, only been observed active in Brazil, the risk is reduced, since most Brazilian malware does not tend to leave Latin America. However, this malware is sophisticated and there is nothing to suggest the authors would not be capable of disseminating it geographically.
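The unusual choice of a Microsoft SQL server as command and control gives defenders a hunting angle: workstations rarely have a legitimate reason to speak the SQL Server wire protocol (TDS) to hosts on the Internet. The following is an added example, not code from the bulletin or from any vendor, showing one way to flag such traffic from flow records. It assumes constructed internal address ranges, a constructed allowlist of sanctioned SQL servers, and constructed sample flows; it checks both the default port (1433) and, where the first client bytes of a connection are available, a port-agnostic TDS header heuristic, since a C2 server need not listen on the default port.

```python
"""Hunt for MSSQL (TDS) command-and-control traffic from workstations.

Added example inspired by the MnuBot summary above (C2 over a Microsoft SQL
server); it is not code from the bulletin or from any vendor. All networks,
hosts and flow records below are constructed for illustration.
"""
import ipaddress
import struct

# Constructed assumptions about the environment being hunted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # client VLAN; servers live elsewhere
KNOWN_SQL_HOSTS = {"10.50.200.5"}                            # sanctioned SQL servers (allowlist)
MSSQL_PORTS = {1433}                                         # default TDS listener

# TDS packet types a client sends first (MS-TDS packet header "type" byte).
TDS_PRELOGIN = 0x12
TDS_LOGIN7 = 0x10


def _in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def looks_like_tds_client_hello(first_bytes):
    """Port-agnostic check on the first client bytes of a connection.

    TDS header layout: type(1) status(1) length(2, big-endian) spid(2) packet_id(1) window(1).
    A genuine client opens with PRELOGIN or LOGIN7, status 0x00 (more) or 0x01 (end of message),
    and a length that at least covers the 8-byte header.
    """
    if len(first_bytes) < 8:
        return False
    ptype, status, length = struct.unpack(">BBH", first_bytes[:4])
    return ptype in (TDS_PRELOGIN, TDS_LOGIN7) and status in (0x00, 0x01) and length >= 8


def classify_flow(flow):
    """Return the reasons (possibly none) a flow record deserves analyst attention."""
    reasons = []
    if not _in_any(flow["src"], WORKSTATION_NETS) or flow["dst"] in KNOWN_SQL_HOSTS:
        return reasons                      # servers and sanctioned SQL targets are out of scope
    external = not _in_any(flow["dst"], INTERNAL_NETS)
    on_sql_port = flow["proto"] == "tcp" and flow["dport"] in MSSQL_PORTS
    if on_sql_port and external:
        reasons.append("workstation -> Internet on MSSQL port 1433")
    if looks_like_tds_client_hello(flow.get("first_bytes", b"")):
        reasons.append("TDS login handshake" if on_sql_port else "TDS login handshake on non-standard port")
    return reasons


def hunt(flows):
    """Run classify_flow over flow records; return (src, dst, dport, reasons) for hits only."""
    hits = []
    for f in flows:
        reasons = classify_flow(f)
        if reasons:
            hits.append((f["src"], f["dst"], f["dport"], reasons))
    return hits


# Constructed sample flow records (first_bytes = first client payload bytes, when captured).
TDS_PRELOGIN_HDR = bytes.fromhex("12010025000001000000")   # PRELOGIN, end-of-message, length 37
TLS_CLIENT_HELLO = bytes.fromhex("160301008a0100008603")   # TLS record header, not TDS
SAMPLE_FLOWS = [
    {"src": "10.20.5.17", "dst": "203.0.113.45", "dport": 1433, "proto": "tcp", "first_bytes": TDS_PRELOGIN_HDR},
    {"src": "10.20.5.17", "dst": "10.50.200.5", "dport": 1433, "proto": "tcp", "first_bytes": TDS_PRELOGIN_HDR},
    {"src": "10.20.7.3", "dst": "198.51.100.9", "dport": 8080, "proto": "tcp", "first_bytes": TDS_PRELOGIN_HDR},
    {"src": "10.20.7.3", "dst": "198.51.100.10", "dport": 443, "proto": "tcp", "first_bytes": TLS_CLIENT_HELLO},
    {"src": "10.50.200.5", "dst": "203.0.113.45", "dport": 1433, "proto": "tcp"},
]

if __name__ == "__main__":
    for src, dst, dport, reasons in hunt(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}: {'; '.join(reasons)}")
```

Run against the constructed flows, only the two workstation connections survive: the one to an Internet host on 1433 and the one whose first bytes look like a TDS PRELOGIN on port 8080. The allowlisted SQL server, the ordinary TLS session and the server-originated flow are left alone. The header heuristic needs the first client payload bytes, so it only applies where packet capture or a sensor that records them is available; the port-based rule works on plain NetFlow or firewall logs.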

Stealth Mango malware

Pakistan Based APT Targets Multiple Countries During May

Target: High profile individuals in Asian countries as well as Western nations indirectly.
Attack Vector: Watering-hole attack to download Stealth Mango malware.
Threat Actor: Pakistani state-sponsored threat actors, belonging to the Army.
Summary: As more and more countries increase their cyber capability and arm themselves with cyber weapons, new nations are observed joining the main players on the international stage. One such nation, Pakistan, has been observed involved in various hacktivist-based attacks over recent months. It appears to have launched a state-sponsored cyber espionage campaign targeting multiple countries in Asia and is believed to have collected data from Western nations such as the US, Australia and Britain.
The campaign utilises malware known as Stealth Mango and Tangelo, used on Android and iOS devices respectively, which has the potential to compromise a target phone. The threat actors appear to belong to the Pakistan Army and have targeted individuals in communication with senior officials in the aforementioned nations in order to collect sensitive data. In addition, it appears the group may be related to Op C Major and Transparent Tribe, also active cyber threat actors operating in, or in relation to, Pakistan.
Risk assessment summary: This threat is assessed as 3d MODERATE. Considering the operation has been running for only a short period of time, a large amount of data has been collected. This displays the capability of Pakistan’s state-sponsored cyber espionage teams, with over 15 GB worth of data stolen, including sensitive documents. In addition, Pakistan’s geopolitical position and its potential allies in a global conflict, alongside its cyber capability, are a concerning combination of factors for the West. However, exposure is limited, as the Android application appears to be a third-party program which can be mitigated against. The iOS app appears to be a danger only to jailbroken iPhones, further limiting the vulnerability.


#OpIslam Activity Observed in Reaction to Events on the Ground

Target: Governmental sites and major corporations in Muslim majority nations.
Attack Vector: Server targeting, DDoS attacks.
Threat Actor: @EZRA; @BLASTER.
Summary: As predicted, #OpIslam has seen an increase in activity towards the end of May. The rise comes with attacks predominantly originating from Israel, the primary nation with an interest in the campaign, as a counter to the #OpIsrael campaign carried out by many pro-Palestinian and Iranian groups against Jerusalem. Israel has countered the rise in attacks seen in May around Holocaust Remembrance Day, the opening of the US embassy in Israel and the 70th anniversary of the Jewish state. Activity against Israel remained high after this due to Palestinian-Israeli clashes, as well as tensions between Israel and Iran over the uncertainty regarding the Iran nuclear deal and the situation in Syria. The response we have been expecting for some weeks has now materialised, with targets in Palestine and Iran struck by cyber attacks originating from Israel.
Risk assessment summary: The threat is assessed as 4b LOW. While these attacks under the #OpIslam banner do not directly affect business for Western nations, retaliatory attacks could well do so. The more sophisticated operations, such as intelligence gathering, could put data at risk for Western nations, given the volume of communication between the US and Britain and allies such as Israel and Saudi Arabia. Despite this, the likelihood of this is low from a hacktivist perspective, and attacks which affect Western nations are likely to be of a lower sophistication.

Xenotime Hacking Group

US Industrial Safety Systems Targeted by Xenotime Hacking Group

Target: Industries using Triconex safety instrumented systems.

Attack Vector: Multi-stage download.

Summary: Industrial safety systems in the US, used in the oil and electricity industries, have been the victims of a malware attack from a hacker group dubbed Xenotime. This is a new variant of the group’s tailor-made Trisis malware that was used successfully in attacks against critical infrastructure in the Middle East.

Risk assessment summary: This threat is assessed at 3c MODERATE. Although the malware was not successfully executed, it is believed that people are still being targeted. The group is still active and, as it is targeting critical infrastructure and safety systems, a successful attack could result in serious damage or loss of life. The risk is further raised as the group is seen to be highly sophisticated and possibly state-sponsored, although there is no proof of this yet.

Trickbot Malware

Hidden Desktop Installed by Trickbot Malware

Target: Online banking users.
Attack Vector: Virtual Desktop in Windows.
Summary: Trickbot malware has seen a recent surge in activity, driven by the addition of a new module that makes it a very powerful tool. It allows an attacker to compromise and gain full control of a target machine, in some cases without the victim even being aware. This new module uses a technique more commonly associated with RATs (Remote Access Trojans), called “Hidden VNC” (Virtual Network Computing), and allows attackers to gain full user-level access to a target machine. The new module appears to be still in development and could evolve into a fully working RAT module.
Risk assessment summary: The threat is assessed as 3c MODERATE. If successful, this backdoor Trojan technique installs Trickbot malware inside infected systems. Due to the advanced module, it can be difficult to detect any changes in system behaviour. Trickbot malware can therefore lie undetected and enable an attacker to steal documents and gather information on the connected system: server types, network drives, MAC addresses, computer names and IP addresses. The risk is also heightened as the Trickbot malware may be expanded further to have full RAT capabilities.


Scammers Take Advantage of GDPR Rush

Emails from various actors masquerading as legitimate services and informing users of an updated privacy policy in line with the General Data Protection Regulation (GDPR) have seen a dramatic increase. The regulation came into force on 25 May and has caused a significant spike in email traffic and related spam activity. This was expected and was the subject of a National Cyber Security Centre (NCSC) security advisory last week.

Strategic assessment: It is important to note that the majority of these phishing attacks do not technically deviate from the norm. One of the first instances of a GDPR-related phishing attack, which prompted the NCSC security advisory, targeted Airbnb. Reported by Redscan, the phishing email insists that new bookings will not be taken on behalf of the host until a new privacy policy has been accepted. The redirect led to a page where the user is prompted for personal information, including account credentials and payment card information.

Another example targeted Apple users. In this instance, the actors claimed the user’s accounts had been ‘limited’ due to unusual activity. Contained in the body of the email was a link to a website, controlled by the scammers, requesting user details. Although this was not directly linked to GDPR, the actors deliberately timed the emails to hide in the traffic sent from legitimate companies. Interestingly, the phishing technique demonstrated a higher technical ability than previously observed: the actors employed Advanced Encryption Standard protocols when redirecting victims to the scammer-controlled page in order to avoid anti-phishing tools. This is unusual and signifies that a more sophisticated actor group is responsible.

Across the board, it appears that the actors seeking to leverage GDPR are financially motivated and interested in personal data, as opposed to seeking to infect the target with malware. It is almost certain that GDPR-related scams will decline as the high volume of emails from companies to users reduces. Employees should be encouraged to remain vigilant for suspicious emails during this period, especially from companies they are unfamiliar with or were not expecting contact from.

Turla Group

Turla Group Observed using Open-Source Tools

Target: Eastern European organisations and embassies
Attack Vector: Fake Flash installer subsequently loading Metasploit, which executes shellcode and installs a backdoor
Threat Actor: @Turla
Summary: It has been observed that the well-known Russia-based @Turla group has continued its activity over spring, yet its behaviour differs slightly from previously observed methods. @Turla is known to utilise its own tools, such as Skipper, to carry out attacks, yet recently a range of open-source tools has been used instead to achieve these aims, signalling a change of methodology. The group has continued to push its Mosquito backdoor, previously reported on in GTS Issue 5, 16th January 2018, yet instead of using a fake Flash installer, Metasploit is used as the initial vector to drop the Mosquito backdoor.
The group has not previously been observed using Metasploit, and this change in tactic could provide an opportunity to mitigate against the group’s activities. The malware is generally being directed at Eastern European targets and could escalate tensions given the current relations between Russia and Ukraine.
Risk assessment summary: This threat is assessed as 3d MODERATE. While Mosquito already presents a risk due to its capability to steal information from a target machine and relay it back to a threat actor, this variant increases the likelihood of infection. The use of Metasploit means that the commands which download the malware do not remain on the system, unlike the previous variant, whose fake Flash installer could be examined for its weaponised version of Flash Player. This improvement gives the exploit an additional level of covertness, making it difficult to detect post-infection activity.
Anti-Russian sentiment is high in Ukraine where protesters have constantly campaigned for closer ties to the EU, something which does not sit well with Moscow. As long as this situation is maintained, it is likely Ukraine will be a victim of Russian APT activity.