
Ankura CTIX FLASH Update - July 19, 2022

Ransomware/Malware Activity

Roaming Mantis Conducting Smishing Campaign Against French Android and iOS Users

An ongoing smishing campaign has recently been observed targeting Android and iOS users in France with the "MoqHao" (aka "XLoader" for Android) malware. This campaign is attributed to Roaming Mantis, a Chinese financially motivated threat group with a history of targeting the United States, the United Kingdom, Japan, South Korea, Taiwan, and Germany. Researchers at SEKOIA.IO detailed that the campaign's lure contains a malicious URL as well as a message about a package that must be reviewed. Once a French user clicks the link, an iOS user is redirected to an Apple credential harvesting webpage, while an Android user is redirected to a site that delivers the installation file for a malicious Android Package Kit (APK). The APK, which corresponds to the XLoader malware, then executes and mimics a Chrome installation, prompting the user for risky permissions that allow "SMS interception, making phone calls, reading and writing storage, handling system alerts, retrieving an accounts list, and more." The malware then communicates back to the main command-and-control (C2) server. In order to bypass detection, the C2 configuration is retrieved from hardcoded Imgur profile destinations that are encoded in base64. If a user outside France attempts either of these paths, a "404" error is shown and the attack ends. Overall, this campaign has the potential to provide Roaming Mantis with "access to data from the local system, SD card, applications, messages or contact list, iCloud backups, iMessage, call history, as well as allowing remote interaction." Researchers also noted that approximately 90,000 unique IP addresses have requested XLoader from the hardcoded C2 server; the number of iOS users who have submitted their login credentials on the phishing webpage is currently unknown. A further in-depth analysis of Roaming Mantis' smishing campaign as well as indicators of compromise (IOCs) can be viewed in SEKOIA.IO's report linked below.
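The dead-drop resolver technique described above (C2 configuration hidden in base64-encoded Imgur profile destinations) can be triaged by decoding base64 candidates pulled from an APK's strings and flagging any that resolve to an Imgur profile URL. The following is an added example for defenders, not code from SEKOIA.IO's report; it assumes the profile URL takes the shape `imgur.com/user/<name>`, and the sample strings are constructed, not real indicators.

```python
import base64
import re
from typing import List, Optional

# Candidate base64 tokens: standard alphabet, at least 16 chars, optional padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Assumed shape of an Imgur profile URL used as a dead-drop resolver for the C2 config.
IMGUR_RE = re.compile(rb"https?://(?:www\.)?imgur\.com/user/[A-Za-z0-9_]+")


def decode_b64(token: bytes) -> Optional[bytes]:
    """Strictly decode one base64 token; return None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None


def find_encoded_imgur_dead_drops(blob: bytes) -> List[str]:
    """Return decoded Imgur profile URLs hidden as base64 anywhere in a byte blob,
    e.g. the output of `strings` over an unpacked APK's classes.dex."""
    hits = set()
    for match in B64_RE.finditer(blob):
        decoded = decode_b64(match.group(0))
        if not decoded:
            continue  # looked like base64 but did not decode cleanly
        for url in IMGUR_RE.findall(decoded):
            hits.add(url.decode())
    return sorted(hits)


# Constructed sample strings from a hypothetical APK; these are NOT real IOCs.
SAMPLE_STRINGS = b"\n".join([
    b"Lcom/example/chrome/MainActivity;",          # benign class name
    base64.b64encode(b"https://imgur.com/user/example_profile_one"),
    b"android.permission.RECEIVE_SMS",             # one of the risky permissions
    base64.b64encode(b"https://imgur.com/user/example_profile_two"),
    base64.b64encode(b"not a url at all"),         # valid base64, no URL inside
])

if __name__ == "__main__":
    for url in find_encoded_imgur_dead_drops(SAMPLE_STRINGS):
        print("possible dead-drop resolver:", url)
```

Hits should be cross-checked against the report's published IOCs before being treated as malicious, since a base64-encoded Imgur link on its own is not proof of MoqHao.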

New "CloudMensis" Spyware Targets MacOS Systems

Researchers from cybersecurity firm ESET discovered a new and previously undocumented spyware targeting MacOS systems. The malware, which the researchers dubbed "CloudMensis," exfiltrates documents, logs keystrokes, and captures screenshots on the victim device. CloudMensis is written in Objective-C, a programming language created by Apple for use with MacOS. The researchers could not find an initial infection vector or how it gained administrator privileges. However, they did find a component in the malware that appeared to clean up after a Safari sandbox escape exploit, though the functions were never called in the current version of the malware. Through further research, the researchers linked the component to four Safari vulnerabilities discovered and patched in 2017, indicating that previous versions may have used them as a distribution technique. Once it is installed on a victim device and given administrator access, the malware initiates a two (2) step process to retrieve the final payload. The first stage of the download utilizes cloud storage providers pCloud, Yandex, and Dropbox to download stage two (2) through an access token, allowing the download to be hosted privately rather than using a public link. The second stage is installed as a "system-wide" daemon and a configuration file is loaded into it, allowing victim-specific settings such as which cloud storage provider to use or which file extensions may be of interest to the malware operator. CloudMensis communicates to its command-and-control (C2) server using the previously mentioned cloud hosting services and uses a custom encryption method created by the developer. The malware's operator can run up to thirty-nine (39) different commands on a victim's machine, allowing the following functionality: changing CloudMensis configuration values, listing running processes, starting a screen capture, listing email messages, viewing files from removable storage, running shell commands, and downloading and executing files. Some of these commands are normally protected by a system called "Transparency, Consent, and Control" (TCC) that was implemented in MacOS Mojave to prevent sensitive inputs from being accessed without a user's permission. CloudMensis uses a vulnerability tracked as CVE-2020-9934 to bypass this protection mechanism. By utilizing the access tokens used by the malware to interact with cloud service providers, the researchers were able to create a timeline of the various CloudMensis infections. This timeline indicates CloudMensis is used in very targeted attacks and, though it is a threat to Mac users at large, it is likely only used against targets of interest to the operator. CloudMensis has not been attributed to a threat actor or geographical area and little is known about the targets of the malware. Because the malware relies on old vulnerabilities, CTIX analysts recommend users and organizations ensure their MacOS devices are up to date and not vulnerable to the exploit used by CloudMensis.

Threat Actor Activity

Cloaked Ursa Pivots to DropBox/Google Drive to Mask Attack Vectors

Russian-backed state hackers have begun to shift to online storage services to mask their attacks from detection. These actors, tracked as Cloaked Ursa, APT29, and Cozy Bear, have incorporated services such as DropBox and Google Drive into their campaigns. Using popular online services trusted by millions allows threat actors to gain trust with their victims (prior to infection) and makes it harder for security practitioners to trace the compromise. Recently, an extremely targeted spear-phishing campaign utilized a malicious PDF document with Dropbox hyperlinks. These hyperlinks were crafted to direct the user to download the malicious payload EnvyScout, which is capable of conducting reconnaissance on the infected system, communicating back to actor-controlled command-and-control (C2) servers, and establishing persistence on the system. In other campaigns, Cloaked Ursa actors utilized politically themed phishing emails to deliver similar malicious payloads via Dropbox hyperlinks. These payloads also allowed communication between the infected system and threat actors through the Google Drive API, granting access for uploads and downloads from the compromised system. With phishing campaigns continuing to be on the rise throughout 2022, CTIX analysts urge users to validate the integrity of all email communications prior to opening any attached documentation or embedded links.

FBI Issues Warning for Crypto Investors, Millions Stolen by Threat Actors

The Federal Bureau of Investigation has issued an alert for United States crypto investors, stating evolving threats against the industry. Specifically, the warning states that threat actors are utilizing fraudulent cryptocurrency applications to harvest investments from users into their personal digital wallets. Thus far, there have been 244 identified victims of this malicious activity with approximate losses equating to around $43 million. Three (3) campaigns have been observed conducting such activities dating back to mid-late 2021. Since October 2021, threat actors have been operating an application called "YiBit" and have compromised the digital assets of four (4) individuals, stealing around $5 million in cryptocurrency. Another similar campaign occurred in November 2021, where threat actors maliciously convinced two (2) individuals to download their crypto-stealing platform "Supay" and deposit funds to their accounts, which were promptly stolen. One (1) of these individuals was held for a $900k ransom, with the threat actor claiming there was a minimum balance to pay or risk all assets being frozen. A more recent campaign defrauded around thirty (30) individuals and stole roughly $3.7 million in crypto assets. In this case, threat actors convinced a broader range of people to download a cryptocurrency application mimicking a United States financial institution. When victims attempted to withdraw funds from their wallets on the platform, they received emails stating that the transaction was denied and that significant taxes must be paid prior to withdrawal. Even after victims paid the supposed tax, they were still unable to withdraw funds and lost their assets to these actors. With cryptocurrency continuing to be an evolving market and a valuable asset for underground cyber criminals, threats against the industry are expected to continue rising for months to come. CTIX analysts continue to monitor threat activity across the cryptocurrency landscape and will provide further updates accordingly.


Lenovo Discloses Vulnerabilities Affecting Approximately Seventy Models

Lenovo has issued a security advisory disclosing three (3) medium severity vulnerabilities tracked as CVE-2022-1890, CVE-2022-1891, and CVE-2022-1892. The UEFI firmware used in several laptops manufactured by Lenovo is vulnerable to three (3) buffer overflow vulnerabilities that, if exploited, could enable attackers to hijack the startup routine of Windows installations. The first flaw is an issue in the ReadyBootDxe driver used in some Lenovo notebook products. The additional two (2) flaws are buffer overflow bugs in the SystemLoadDefaultDxe driver. The SystemLoadDefaultDxe driver is used in various Lenovo product lines, including Yoga, IdeaPad, Flex, ThinkBook, V14, V15, V130, Slim, S145, S540, and S940, and impacts approximately seventy (70) individual models. According to ESET researchers, an attacker could leverage the bugs to hijack the operating system execution flow and disable security features. UEFI firmware attacks are extremely dangerous because threat actors are able to run malware early in an operating system's boot process, prior to Windows' built-in security protections being activated. When threat actors have this level of access, they have the potential to bypass or disable OS-level security protections, evade detection, and persist even after a disk is formatted. To address these security risks, users of the affected devices are recommended to download the latest available driver version for their specific products found on Lenovo's official software download portal.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

