[CyberLand News] Weekly #3 - Threats and Malware
Latest news on threats, malware and vulnerabilities in the cyber land
Contents
MQsTTang malware evades AV Detection
BidenCash - 2M Credit Cards for free
SCARLETEEL - Cloud Ops to steal data
Cryptocurrency companies targeted by Parallax RAT
RIG Exploit Kit is still among us
MQsTTang malware evades AV Detection
ESET researchers recently analyzed MQsTTang, a newly crafted custom backdoor, and after an extensive investigation attributed it to the notorious Mustang Panda APT group.
The backdoor is being used in an ongoing campaign that started in early January 2023. The Mustang Panda APT group, also known as TA416 and Bronze President, has a reputation for carrying out global data theft attacks using customized versions of the PlugX malware.
As an advanced persistent threat (APT) group, their primary goal is to pilfer sensitive information from targeted organizations.
The latest malware introduced by Mustang Panda APT group, MQsTTang, appears to be an original creation and not derived from any previous malware. This suggests that the hackers deliberately designed it to evade detection and avoid being traced back to their group.
The malware persists by creating a registry key that launches it at system startup. It communicates with its command and control (C2) server over the MQTT protocol, a channel rarely used for C2 and therefore less likely to be flagged than the protocols most C2 frameworks rely on. It also checks for debuggers and monitoring tools and changes its behavior when they are present, so that analysis does not reveal its full functionality.
The Mustang Panda APT group, known for global data theft attacks, is responsible for this ongoing campaign, but it is unclear whether MQsTTang will be used in the group's long-term arsenal or was created solely for a specific operation. This new malware underscores the group's advanced persistent threat capabilities and their efforts to evade detection by security defenders.
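MQTT is an unusual C2 carrier, which is exactly why it slips past controls tuned for HTTP(S) and DNS. The following added example (not from the ESET report or the original post) parses the MQTT CONNECT packet that opens every session and raises an alert when the source host is not on an allowlist of systems expected to speak MQTT; the addresses, allowlist and client IDs are constructed for the example.

```python
import struct
EXPECTED_MQTT_CLIENTS = {"10.0.5.20"}  # hosts expected to speak MQTT (constructed allowlist for this example)

def _remaining_length(buf, pos):
    """Decode MQTT's variable-length 'remaining length' field; returns (value, next_pos) or None if malformed."""
    value, multiplier = 0, 1
    for pos in range(pos, min(pos + 4, len(buf))):
        value += (buf[pos] & 0x7F) * multiplier
        if not buf[pos] & 0x80:
            return value, pos + 1
        multiplier *= 128
    return None

def parse_mqtt_connect(payload):
    """Return CONNECT details if payload is an MQTT CONNECT packet, else None."""
    if len(payload) < 2 or payload[0] >> 4 != 1:        # control packet type 1 = CONNECT
        return None
    decoded = _remaining_length(payload, 1)
    if decoded is None or decoded[0] < 10 or len(payload) - decoded[1] < decoded[0]:
        return None                                      # too short for a variable header plus client id
    remaining, pos = decoded
    try:
        name_len = struct.unpack_from(">H", payload, pos)[0]
        name = payload[pos + 2:pos + 2 + name_len]
        if name not in (b"MQTT", b"MQIsdp"):             # protocol names for v3.1.1/v5 and v3.1
            return None
        pos += 2 + name_len
        level, flags, keepalive = payload[pos], payload[pos + 1], struct.unpack_from(">H", payload, pos + 2)[0]
        cid_len = struct.unpack_from(">H", payload, pos + 4)[0]
        client_id = payload[pos + 6:pos + 6 + cid_len].decode("utf-8", "replace")
    except (struct.error, IndexError):
        return None
    return {"protocol": name.decode(), "level": level, "flags": flags, "keepalive": keepalive, "client_id": client_id}

def find_unexpected_mqtt(flows, expected=EXPECTED_MQTT_CLIENTS):
    """Alert on MQTT CONNECTs from hosts outside the allowlist; flows are (src, dst, dport, first_payload)."""
    alerts = []
    for src, dst, dport, payload in flows:
        info = parse_mqtt_connect(payload)
        if info and src not in expected:
            alerts.append({"src": src, "dst": dst, "dport": dport, **info})
    return alerts

# Constructed flows: an IoT gateway to the internal broker, and a workstation to an external broker on 1883.
CONNECT = b"\x10\x19\x00\x04MQTT\x04\x02\x00\x3c\x00\x0dws-finance-07"
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.5.2", 1883, CONNECT.replace(b"ws-finance-07", b"iot-gateway-1")),
    ("10.0.7.44", "203.0.113.9", 1883, CONNECT),
    ("10.0.7.44", "203.0.113.9", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),  # TLS ClientHello, not MQTT
]
```

The first payload bytes of each flow are enough because CONNECT is always the first packet a client sends; a TLS-wrapped MQTT session on 8883 would need decryption or JA3/SNI-style logic instead.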
More details in MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT
BidenCash - 2M Credit Cards for free
A carding marketplace called BidenCash has leaked a database of 2,165,700 debit and credit cards to celebrate its first anniversary. Instead of keeping it a secret, the threat actors publicized the leak on an underground cybercrime forum to reach a wider audience and gain as much attention as possible.
According to researchers from Cyble who discovered the leak, the data is extensive and includes details on at least 740,858 credit cards, 811,676 debit cards, and 293 charge cards. While there are tens of thousands of duplicates, there are still 2,141,564 unique cards.
More details in Cyble - Over 2 Million Cards Leaked By BidenCash
More details in Card Shop Threat Landscape: BidenCash Dumps 2.1M Stolen Credit Cards
SCARLETEEL - Cloud Ops to steal data
The Sysdig Threat Research Team recently uncovered a highly sophisticated cloud-based attack, named SCARLETEEL, that resulted in the theft of proprietary data from a customer's environment. The attacker exploited a containerized workload to gain access to an AWS account and then escalated privileges to steal confidential software and credentials. They also attempted to spread their reach throughout the organization using a Terraform state file to pivot into other connected AWS accounts.
This attack was particularly advanced as it started from a compromised Kubernetes container and extended to the victim's AWS account. The attackers had knowledge of AWS cloud mechanics, including Elastic Compute Cloud (EC2) roles, Lambda serverless functions, and Terraform. The motive for this attack was not just for cryptomining but for the theft of confidential software.
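The Terraform state file pivot works because state stores resource attributes, credentials included, in plaintext, so a state file readable from a compromised workload is a ready-made list of accounts to move into. The following added example (not from the Sysdig report or the original post) scans a state-format-v4 document for credential-looking attributes and produces a redacted copy; the secret-name pattern is a heuristic assumption and the sample state is constructed with placeholder values.

```python
import json
import re

# Attribute names that commonly carry credentials in state (heuristic list, an assumption; extend per environment).
SECRET_NAME_RE = re.compile(r"secret|password|passwd|token|private_key|access_key|connection_string", re.I)

def _address(res):
    base = f"{res['type']}.{res['name']}"
    return f"{res['module']}.{base}" if res.get("module") else base

def scan_tfstate(state):
    """Return (address, attribute) pairs in a state-format-v4 document whose values look like credentials."""
    findings = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            # Terraform records provider-declared sensitive attributes as paths like [{"type":"get_attr","value":"secret"}].
            marked = {p[0].get("value") for p in inst.get("sensitive_attributes", []) if p}
            for key, value in (inst.get("attributes") or {}).items():
                if value not in (None, "", [], {}) and (key in marked or SECRET_NAME_RE.search(key)):
                    findings.append((_address(res), key))
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") or SECRET_NAME_RE.search(name):
            findings.append(("output", name))
    return findings

def redact_tfstate(state):
    """Deep-copy the state with every flagged value replaced, so it can be attached to a ticket or shared."""
    redacted, flagged = json.loads(json.dumps(state)), set(scan_tfstate(state))
    for res in redacted.get("resources", []):
        for inst in res.get("instances", []):
            for key in [k for k in (inst.get("attributes") or {}) if (_address(res), k) in flagged]:
                inst["attributes"][key] = "[REDACTED]"
    for name, out in redacted.get("outputs", {}).items():
        if ("output", name) in flagged:
            out["value"] = "[REDACTED]"
    return redacted

# Constructed sample state (not from any real environment); all key material is placeholder text.
SAMPLE_STATE = json.loads("""{
  "version": 4, "terraform_version": "1.3.0",
  "outputs": {"db_endpoint": {"value": "db.internal:5432", "type": "string"},
              "db_password": {"value": "PLACEHOLDER-PASSWORD", "type": "string", "sensitive": true}},
  "resources": [
    {"type": "aws_iam_access_key", "name": "deploy",
     "instances": [{"attributes": {"id": "AKIAPLACEHOLDER000000", "secret": "PLACEHOLDER-SECRET", "user": "ci-deploy"},
                    "sensitive_attributes": [[{"type": "get_attr", "value": "secret"}]]}]},
    {"module": "module.db", "type": "aws_db_instance", "name": "main",
     "instances": [{"attributes": {"address": "db.internal", "password": "PLACEHOLDER-DBPASS", "port": 5432}}]}
  ]}""")
```

Running the scan against every state file in a backend (S3 bucket, Terraform Cloud workspace) shows which accounts an attacker holding that bucket's read access could reach; the findings are the short list of credentials to rotate first.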
Cloud-based cyberattacks have increased by 56% over the past year, with motives ranging from obtaining persistence in the cloud and exfiltrating sensitive data to creating new resources for cryptomining. Espionage-focused motives are also becoming more common, and their impact goes well beyond an inflated cloud bill: attackers can use cloud resources for purposes other than cryptomining.
More details in SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft (SysDig)
Cryptocurrency companies targeted by Parallax RAT
A new campaign is targeting cryptocurrency companies with the Parallax RAT, a remote access trojan that can evade detection by using injection techniques to hide within legitimate processes. Once injected, attackers can communicate with their victim through Windows Notepad. The malware allows attackers to remotely access the victim's machine, upload and download files, and record keystrokes and screen captures. Parallax RAT has been in use since early 2020 and was previously distributed using COVID-19-themed lures. In February 2022, a cluster of activity dubbed TA2541 was identified, targeting industries such as aviation, aerospace, transportation, manufacturing, and defense, and using different RATs, including Parallax.
The first-stage payload is a Visual C++ executable, which uses the process hollowing technique to inject Parallax RAT into pipanel.exe, a legitimate Windows component. Parallax RAT can not only gather system metadata but also access clipboard data and remotely reboot or shut down the compromised device.
Interestingly, the attackers are using the Notepad utility as a communication channel to interact with victims and instruct them to connect to a Telegram channel controlled by the threat actor. This technique allows attackers to maintain stealth and avoid detection.
More details in Cryptocurrency Entities at Risk: Threat Actor Uses Parallax RAT for Infiltration
RIG Exploit Kit is still among us
The RIG Exploit Kit has been experiencing its most successful period yet, attempting around 2,000 intrusions daily with a success rate of approximately 30%, the highest in its long history of operation. The kit exploits older vulnerabilities in Internet Explorer and has been found to distribute various malware, including Dridex, SmokeLoader, and RaccoonStealer.
According to a detailed report by Prodaft, which gained access to the backend web panel of the service, the RIG EK remains a significant threat to individuals and organizations on a large scale. Currently, the kit targets 207 countries and launches an average of 2,000 attacks daily, with a success rate of 30%. This rate increased from 22% when the kit resurfaced with two new exploits, as reported by Prodaft.
The heatmap in the report shows that the countries most impacted by RIG EK are Germany, Italy, France, Russia, Turkey, Saudi Arabia, Egypt, Algeria, Mexico, and Brazil. However, there are victims worldwide. The highest success rate is achieved using the following vulnerabilities:
CVE-2021-26411 - with a 45% exploitation ratio
CVE-2016-0189 - with a 29% exploitation ratio
CVE-2019-0752 - with a 10% exploitation ratio
CVE-2021-26411 is a high-severity memory corruption flaw in Internet Explorer, which Microsoft fixed in March 2021, triggered by viewing a malicious website. The CVE-2016-0189 and CVE-2019-0752 vulnerabilities are also in Internet Explorer, allowing remote code execution in the browser.
At present, RIG EK is mainly focused on distributing malware that is capable of stealing data and providing initial access to compromised systems. The most frequently distributed malware is Dridex, accounting for 34% of cases, followed by SmokeLoader at 26%, RaccoonStealer at 20%, Zloader at 2.5%, Truebot at 1.8%, and IcedID at 1.4%.
More details in RIG Exploit Kit: In-Depth Analysis (by Prodaft)
A.I. support for text and images