New "Process Manager" Spyware Application Identified Targeting Android
Lab52 researchers recently identified a new Android spyware application disguised as a service called “Process Manager.” The service is displayed as a gear-shaped icon and targets Android SDK versions 14 through 21. Upon running, the application requests nine (9) permissions to be granted: erase all data, change the screen lock, set password rules, monitor screen unlock attempts, lock the screen, set the device global proxy, set screen lock password expiration, set storage encryption, and disable cameras. The application requests an additional nine (9) permissions that are hidden from the user, including access to phone location, view WiFi information, "take pictures and videos from the camera," read contact information, read SMS stored on the SIM card, prevent the device from locking/hibernating, and more. After requesting permissions, the Process Manager icon is removed from the applications screen and the app "runs in the background," which is shown in the notifications bar. Once all desired content is collected by the spyware, the application contacts a command-and-control (C2) server, identifies “the device by its model, version, id and manufacturer," and sends all collected data. At this step in the process, the spyware also attempts to download an application called "Rozdhan." "Rozdhan" is found on Google Play and is used to "earn money" via a "referral system that is abused by the malware." CTIX analysts will continue to monitor for the actor responsible for this Android spyware. In-depth technical analysis as well as indicators of compromise (IOCs) can be reviewed in the Lab52 report linked below.
Emerging Triple Threat RAT "Borat" Discovered
"Borat," an emerging remote access trojan (RAT), has been recently discovered by Cyble researchers and observed providing ransomware and distributed denial-of-service (DDoS) services alongside the typical RAT functionality. Borat's author, who is currently undisclosed, revealed that the main capabilities of the RAT are as follows: keylogging, ransomware, DDoS, audio recording, webcam recording, remote desktop, reverse proxy, gaining device information, process hollowing, browser credential stealing, Discord token stealing, and remote activities. Additional feature categories include remote hVNC, remote “harassment”, remote system, stub features, password recovery, and RAT+HVNC. Further details of these capabilities can be viewed in Cyble's report linked below. Researchers described this RAT as "a potent and unique combination of Remote Access Trojan, Spyware, and Ransomware, making it a triple threat to any machine compromised by it." CTIX analysts will continue to monitor Borat as it evolves, and indicators of compromise (IOCs) can be reviewed in the Cyble report linked below.
Threat Actor Activity
FIN7 Grows its Arsenal & Ransomware Ties
FIN7, a top-tier threat organization comprised of members from various threat groups, has been discovered showing signs of collusion with ransomware organizations while also increasing its arsenal of malicious programs and payloads. FIN7 is a financially motivated cybercriminal group that commonly targets United States-based entities within the hospitality, restaurant, and retail industries and has been in operation since at least 2015. In a recent campaign, FIN7 compromised the integrity of a digital product shopping website and redirected its download links to an Amazon S3 bucket, which served a malicious Atera agent and led to infection with the new PowerPlant malware. Furthermore, FIN7 continues to evolve payloads it already possessed, such as using new versions of the BirdWatch downloader dubbed CrowView and FowlGaze. Based on indicators from recent ransomware compromises, security researchers assess that ransomware organizations, such as REvil and ALPHV, appear to be working alongside one another. Further analysis of FIN7 determined that the threat organization likely conducted reconnaissance and intrusion tactics against its targets, which was promptly followed by ransomware infection. Researchers at Mandiant noted a code signing certificate utilized by FIN7 that also signed multiple DarkSide ransomware strains. With the increase in activity from FIN7 and threat actors worldwide, CTIX analysts encourage security teams to ensure their infrastructure is up-to-date and protected by security controls to lessen the chance of threat actor compromise.
Mailchimp Compromise, Threat Actor Targets Crypto Platforms
An unknown threat actor has compromised the internal infrastructure of the email marketing firm Mailchimp via a successful social engineering phishing attack. The phishing attack allowed the threat actor to steal a Mailchimp employee's credentials and gain entry to the network. The threat actor was then able to gain access to 319 Mailchimp accounts belonging to companies within the finance and cryptocurrency industries. Notably, the actor was only able to export audience data from around 32% of those accounts. In one such case, one of the compromised accounts was tied to the Trezor cryptocurrency app. The threat actor utilized Trezor's Mailchimp account to contact users of the platform and prompt them to download a fake platform update, which allowed the actor to gather cryptocurrency seed information and close the associated accounts. It is unclear how many of these users are currently affected or have lost their cryptocurrency wallets. CTIX continues to urge users to verify the integrity of emails prior to downloading any attachments or visiting any hyperlinked addresses.
Critical Log4j-like Vulnerability Spring4Shell Allows Unauthenticated Attackers to Perform Remote Code Execution
The exploitation of two (2) critical zero-day vulnerabilities in the Spring Core Java application framework, known collectively as "Spring4Shell," could allow unauthenticated attackers to remotely execute arbitrary code. Spring is a very popular framework with Java developers because it allows them to easily code enterprise-level features into their applications, which can then be deployed on servers as stand-alone packages. The "Spring4Shell" vulnerability, tracked as CVE-2022-22965, is one (1) of the two (2) disclosed remote code execution (RCE) vulnerabilities. The less severe bug is tracked as CVE-2022-22963 and exists in Spring Cloud Function. Both vulnerabilities have associated Proof-of-Concept (PoC) exploits, demonstrating successful exploitation of "Spring4Shell" due to the unsafe deserialization of passed arguments. These vulnerabilities affect Spring MVC and Spring WebFlux apps running on JDK 9+. The bug is considered very dangerous because of the framework's popularity and has been compared to the infamous "Log4Shell" vulnerability, but it only exists in specific configurations of the Spring framework where the application is deployed to Tomcat as a WAR. Therefore, it is less likely to be exploited en masse in the same way that "Log4Shell" was. "Spring4Shell" has been patched, and users are urged to upgrade to Spring Boot version 2.6.6 and Spring Cloud Function 3.1.7/3.2.3 immediately. In addition, VMware has also released mitigations for situations where the patch cannot be applied. The Ankura CTIX analysts will continue to report on critical development-based vulnerabilities, and we recommend that any users running Spring ensure that the Advanced Exploit Prevention and Network Attack Blocker features are enabled as a best practice.
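As an added defender-side example (not code from the update, Spring, or VMware), the following Python triage helper checks a Maven pom.xml against the exposure conditions and fixed versions stated above: Spring Boot below 2.6.6 deployed as a WAR on JDK 9+ for CVE-2022-22965, and Spring Cloud Function below 3.1.7/3.2.3 for CVE-2022-22963. The pom.xml is constructed, and the runtime JDK major version is passed in as an argument because it is not recorded in the POM.

```python
"""Flag Maven projects exposed to Spring4Shell (CVE-2022-22965) and
CVE-2022-22963 using the preconditions and fixed versions in the update.
The sample pom.xml below is constructed for illustration."""
import xml.etree.ElementTree as ET

FIXED_SPRING_BOOT = (2, 6, 6)
# Only the 3.1.x and 3.2.x branches named in the update are checked.
FIXED_CLOUD_FUNCTION = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.5</version>
  </parent>
  <packaging>war</packaging>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-context</artifactId>
      <version>3.1.6</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """Turn '2.6.5-SNAPSHOT' into (2, 6, 5); qualifiers are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])


def triage_pom(pom_xml, jdk_major):
    """Return findings (strings) for a pom.xml text and the runtime JDK."""
    root = ET.fromstring(pom_xml)
    findings = []
    packaging = root.findtext("m:packaging", default="jar", namespaces=NS)
    parent = root.findtext("m:parent/m:artifactId", default="", namespaces=NS)
    boot = root.findtext("m:parent/m:version", namespaces=NS)
    if parent == "spring-boot-starter-parent" and boot and parse_version(boot) < FIXED_SPRING_BOOT:
        # CVE-2022-22965 requires JDK 9+ and a WAR deployed to Tomcat.
        if jdk_major >= 9 and packaging == "war":
            findings.append(f"CVE-2022-22965: Spring Boot {boot} WAR on JDK {jdk_major}; upgrade to 2.6.6")
        else:
            findings.append(f"Spring Boot {boot} is below 2.6.6 but not in the WAR/JDK 9+ configuration")
    for dep in root.findall("m:dependencies/m:dependency", NS):
        art = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", namespaces=NS)
        if art.startswith("spring-cloud-function") and ver:
            v = parse_version(ver)
            fixed = FIXED_CLOUD_FUNCTION.get(v[:2])
            if fixed and v < fixed:
                findings.append(f"CVE-2022-22963: {art} {ver}; upgrade to {'.'.join(map(str, fixed))}")
    return findings
```

Run with `triage_pom(SAMPLE_POM, 11)` to see both findings; a project still on JDK 8 or packaged as a JAR is reported as out of date but outside the exploitable configuration.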
Trend Micro Remote Code Execution Vulnerability Has Been Exploited In-the-Wild
Antivirus software firm Trend Micro has patched a critical arbitrary file upload vulnerability affecting the Apex Central web-based management console which, if exploited, could allow attackers to perform remote code execution (RCE). Apex Central offers administrators and security personnel the ability to manage their Trend Micro frameworks and tools from a single console. The vulnerability, tracked as CVE-2022-26871, stems from a weakness in the file handling module and has been exploited in the wild, according to a Trend Micro spokesperson. Details of the successful exploits will not be disclosed at this time due to the confidential nature of the affected customers, so the full extent of the impact of this flaw won't be known until that information is made public. The Cybersecurity and Infrastructure Security Agency (CISA) has released an order stating that all federal civilian agencies have until April 21, 2022, to patch their systems, or face fines for failing to do so. The Ankura CTIX also recommends that private users of Trend Micro antivirus patch their vulnerable products to decrease their exposure to active exploitation as threat actors look for attack vectors and potential victims.
Largest Darknet Marketplace, Hydra, Seized by German Authorities
Russian-speaking darknet market Hydra Market, believed to be the world’s largest, was seized by German authorities on April 5, 2022. Hydra Market, a darknet market known for its sale of drugs and money laundering, was targeted by Germany's Federal Criminal Police Office (BKA) and Central Office for Combating Cybercrime (ZIT) due to its prevalence on the dark web. Joint research conducted by Flashpoint and Chainalysis estimated that Hydra Market accounted for over 75% of darknet market revenue worldwide throughout 2020. It is estimated that Hydra's annual transaction volumes exceeded $1.6 billion in 2021. Hydra Market also included a Bitcoin Bank Mixer, a service that allows "tumbling" of Bitcoin by adding a layer of obfuscation to trades, making them difficult to track. The German BKA was able to attribute and seize 543.3 BTC, which at the time of publication is close to $25 million, during the raid on the marketplace. This raid on Hydra Market is the latest in a wave of law enforcement actions taken against underground marketplaces since the start of 2022. Action against Hydra Market was possible after a "lengthy investigation" of administrators and other operators on the platform. The investigation of Hydra Market is still ongoing, and no arrests have been made as of yet. Given the investigation into the administrators, however, it is likely German authorities will ultimately be able to identify individuals connected to Hydra Market.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.