Stealthy "Lillin Scanner" Botnet Utilizes Both BotenaGo and Mirai Source Code
A new variant of the "BotenaGo" botnet has been discovered by Nozomi Networks security researchers. In October 2021, the original source code to BotenaGo was leaked to the public, allowing security researchers to analyze the underlying code. The original malware has the potential to target millions of IoT devices utilizing over thirty (30) exploits. The newest sample has been stripped of most of the exploit functions, creating a lean, stealthy virus that has gone undetected in VirusTotal and other anti-malware scanners. The variant specifically targets a bug in Lilin security camera DVR devices, which was initially discovered and patched in February 2020. The remote code execution (RCE) vulnerability present in these devices was initially exploited by the Chalubo, Fbot, and Moobot botnets and was also included in the original version of BotenaGo. When the malware is executed, it scans IP addresses collected from Shodan and other mass scanners. If it finds a vulnerable device, it will execute the "infectFunctionLilinDvr" function which attempts to exploit the device by first brute forcing credentials, then crafting an HTTP POST request which allows command execution. Multiple payloads are hosted on the command and control (C2) server targeting ARM, Motorola 68000, MIPS, PowerPC, SPARC, SuperH, and x86 architectures. The payloads contain a Mirai-based botnet which include a larger list of exploits. While not a great threat to organizations due to its targeted exploit, this new campaign shows that even well-known and documented malware can be used to create a botnet that is stealthy and remains undetected.
"Inno Stealer" Malware Spreading Through Fake Windows 11 Update Phishing Sites
Hackers have taken advantage of the release of the newest Windows upgrade, Windows 11, by creating phishing sites hosting a malicious download. The operators of the campaign have begun poisoning search results to advertise a website that is similar to Microsoft's official Windows 11 promotional page. The hosted malware can only be downloaded through a direct connection to the website and will block the user if they are using TOR or a VPN. This info-stealing malware, dubbed “Inno Stealer,” does not appear to have any code similarities to other similar viruses distributed on underground forums. The download file is a .iso, which is typical for operating system installs. Inside the ISO file is an executable named "Windows 11 setup" that launches the setup process for the malware. The malicious program is launched in a new process which then establishes persistence and plants the stealer binary onto the machine. Persistence is achieved by creating a shortcut file in the startup directory, causing Inno Stealer to run when the user logs in to their account. The final part of the malware steals user data from the Desktop, exfiltrates web browser data, and searches for cryptocurrency wallets. The malware uses a multi-threading model to implement these features, allowing all of these functions to happen simultaneously. Interestingly, Inno Stealer can also download additional payloads, but only at night. This is most likely taking advantage of the victim not using the computer during this time. CTIX analysts recommend users ensure they are only downloading operating system updates from Microsoft through Windows Update or other official methods.
Threat Actor Activity
Lazarus Threat Actors Targeting Cryptocurrency Companies
North Korean-backed threat actors from the Lazarus Group have been observed targeting individuals and organizations within the cryptocurrency industry with malware-laced applications. Lazarus threat actors launched a social engineering campaign that successfully persuaded cryptocurrency industry employees to download malicious cryptocurrency applications for both macOS and Windows operating systems. Spear-phishing emails utilized in this campaign were meticulously crafted to lure in IT analysts, system administrators, and other security personnel. These socially engineered correspondences theme themselves around job recruitment for high-paying positions, enticing receiving users to download the infected applications. The applications are trojanized with the "AppleJeus" malware which allows for the theft of cryptocurrency from compromised user's wallets, which is believed to be funding North Korean activities. It is likely that Lazarus and other allied threat organizations will continue to target users, employees, and companies within the cryptocurrency, gaming, and technology industries to generate funds benefiting North Korea and their interests. CTIX analysts continue to urge users to validate the integrity of email/SMS/instant messaging correspondence prior to downloading any attachments or visiting any links embedded in the message to lessen the possibility of threat actor compromise.
Threat Actors Target Russian Companies with Ransomware
Ransomware threat organizations have begun targeting entities and government organizations throughout Russia and surrounding regions. In one attack, "OldGremlin" threat actors unleashed two sophisticated phishing operations against Russian companies, which ultimately lead to the compromise of a Russian mining company. The themed phishing emails were styled around the user's credit/debit card accounts and claimed new sanctions were shutting down their bank services. Once the user opened the malicious file attachment, OldGremlin's newly updated trojan "TinyFluff" was installed onto the compromised device. Once installed, various scripts and ransomware loaders encrypt the entire file system and display a ransom message once the encryption is completed. Another incident targeting Russian organizations involves the Network Battalion 65 (NB65) threat organization, who conducted malicious operations against Russian-owned television and radio broadcasting networks. This attack allowed NB65 to exfiltrate 900,000 email communications and 4,000 files from the computer networks of these companies. Furthermore, NB65 has recently exposed source code from the Conti ransomware gang, stirring up activity from both threat groups. CTIX analysts continue to monitor threat actors worldwide and will provide updates accordingly.
Zero-day, Zero-click iOS Bug Identified as Being a Vector for Pegasus Spyware
A new zero-day, zero-click Apple iMessage exploit has been identified by threat intelligence researchers at Citizen Lab. The exploit allowed deployment of the Israeli NSO Group spyware known as "Pegasus" to vulnerable iOS devices belonging to a number of high-profile Catalan individuals. The vulnerability, coined "HOMAGE," is one of three exploits used to conduct a cyber-espionage campaign against at least sixty-five (65) members of European Parliament from Catalonia between 2017 and 2020. Pegasus spyware compromises mobile devices and is capable of eavesdropping on all communications, including encrypted messages and phone calls, collecting passwords, tracking location, turning on the device's microphone and camera, aggregating application user data, and more. Citizen Labs did not conclusively attribute the attack to a specific threat actor but did say “a range of circumstantial evidence points to a strong nexus with one or more entities within Spanish government.” This recently identified exploit gives credit to just how sophisticated malware can be when leveraging nation state resources, and ironically enough, the only way to deploy this sophisticated spyware, is if the victim is not running the most up-to-date version of their operating system. This specific exploit was for iOS version 13.1.3 and before, so readers who have installed a software update after that version (the latest stable iOS version is 15.4) aren't vulnerable to Pegasus. The CTIX team recommends all readers (especially those in sensitive government positions) regularly ensure that their smartphones and other mobile devices are running the most recent security infrastructure available. This is not an isolated incident, Pegasus is very popular with nation state threat actors, and the CTIX team will continue to monitor new findings concerning Pegasus spyware and NSO Group.
Lenovo Patches Critical Vulnerabilities that Allow Attackers to Execute UEFI Malware
Lenovo has just patched three (3) critical vulnerabilities affecting more than one hundred (100) laptop models that could allow attackers to escalate their local privileges and execute arbitrary code to directly disable BIOS flash protections in order to infect targets with Unified Extensible Firmware Interface (UEFI) Secure Boot malware strains. UEFI cyberattacks are highly effective due to computers not having active memory protections at the hardware level. This exploit is deployed against the target during the boot process, which means that the attackers can potentially bypass security measures that typically only load at the OS boot stage, and reconfigure data, as well as establish persistence within the system. These vulnerabilities were discovered by the security research firm ESET in October 2021 and were responsibly reported to Lenovo. According to Lenovo, the two (2) firmware driver flaws exist due to mistakes from older manufacturing processes. One of the flaws (CVE-2021-3971) was the result of accidentally including a driver in the BIOS image, allowing attackers to potentially modify firmware security with an arbitrary NVRAM variable. The other (CVE-2021-3972) is from a driver that wasn't deactivated during the development of certain Lenovo Notebook devices, and the third (CVE-2021-3970) is what allows for the malware sets to be installed due to an improper input validation that causes SMM memory corruption. The UEFI attacks come in the form of well-known SPI flash implants and ESP implants such as "LoJax," and "ESPecter." Historically, UEFI threats have been less popular due to their perceived complexity, but the rise in UEFI attacks hints that threat actors have identified their value and learned how to execute these complex attacks. These vulnerabilities have been patched, and Lenovo recommends all users upgrade their machines immediately. There are out-of-support legacy Lenovo machines that cannot be patched with this update, and in those cases, users should leverage TPM-aware full-disk encryption software to make UEFI Secure Boot configurations inaccessible.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (email@example.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.