"DarkTortilla" Crypter Malware Used to Drop Information Stealers, RATs, Ransomware
Researchers from Secureworks Counter Threat Unit (CTU) released a report detailing a malware they have been tracking since January 2021. Dubbed "DarkTortilla", the malware is a "complex and configurable .NET-based crypter" that has been active since at least August 2015. Crypters are malware that use encryption, obfuscation, and code manipulation to evade detection software and drop other malware. DarkTortilla delivers popular information stealers and remote access trojan malware such as “AgentTesla”, “AsyncRat”, “NanoCore”, and “RedLine Stealer” and has been known to drop ransomware in some cases. DarkTortilla has been observed being deployed using malicious spam campaigns. The phishing emails typically use a logistics lure and includes the malicious payload in a malicious document or an archived attachment with the file types .iso, .zip, .img, .dmg, and .tar. The CTU researchers discovered emails written in multiple languages including English, German, Romanian, Spanish, Italian, and Bulgarian. When a victim executes the initial payload, DarkTortilla grabs the "core processor" from a public paste site. This core processor provides the main functionality for the malware such as establishing persistence and injecting the dropped malware into memory. CTU researchers identified ninety-three (93) unique DarkTortilla samples out of the 10,000 total samples; only nine (9) of the samples were used to drop ransomware. The researchers were unable to determine where or how DarkTortilla is being sold. CTIX analysts are continuing to monitor this malware and will provide updates for new developments.
Thirty-Five Malicious Android Apps Serving Adware Discovered in Google Play Store
Cybersecurity technology company Bitfinder identified a new malware campaign that involves thirty-five (35) malicious Android applications uploaded to the Google Play Store. Researchers employed a real-time behavior-based analysis method that identified the campaign and discovered that the applications have been installed over 2 million times on victims' mobile devices. The mobile applications lure users by offering fraudulent "specialized functionality" but once installed, immediately change their names and icons in order to conceal their presence and make the uninstall process more difficult. The app developers also push updates to the apps to advance their persistence abilities. The apps then serve the victims various intrusive advertisements by abusing "WebView", which generates "fraudulent impressions and ad revenue for their operators." The apps offer advertisements to their users via their own frameworks which also allow malware to be served. Researchers noted one example of a "GPS Location Maps" app that, once installed, changes its name to "Settings", declared an alias launcher, and immediately shows additional websites in WebViews as well as an advertisement. Once the icon is clicked, the alias launcher renders this activity with "a "0" size in a corner, then launches the settings page for the phone, tricking the user into thinking that the real settings button was pressed." This app has zero (0) reviews and over 100,000 downloads. Other applications disguise themselves as Motorola, Oppo, and Samsung system apps. Various functionalities, such as heavy code obfuscation, encryption, and excluding the app from the devices' "Recent apps" list, are present to bypass detection and complicate reverse engineering efforts. As of August 18, 2022, three (3) of the thirty-five (35) applications are still available in Google Play Store: "Walls light - Wallpapers Pack", "Animated Sticker Master", and "GPS Location Finder". A full list of malicious applications as well as a deeper dive into the technical aspects of this campaign can be viewed in Bitdefender's report linked below.
Threat Actor Activity
Threat Profile: TA558
In a recent reporting from Proofpoint, a small threat group tracked as TA558 has been targeting several corporations throughout the hospitality, travel, and hotel industries over the past four (4) years. TA558 has launched several campaigns and deployed several malicious payloads with the overall goal of significant financial gain for the threat group. Throughout 2022, TA558 has conducted roughly fifty (50) social engineering campaigns attempting to deliver malicious payloads through various methods: twenty (20) via file attachments, twenty-six (26) via infected URL hyperlinks, and some phishing emails combining both malicious URL's and file attachments. Much like other recent campaigns, TA558 has shifted from utilizing macro-infected malware to infected ISO images and ZIP archives which contain payloads to be deployed on the compromised device. Other malicious tools and payloads that TA558 has utilized previously include the Revenge RAT, Loda, Vjw0rm, and the Async RAT. Research shows that TA558 threat actors favor the use of Spanish and Portuguese language in their campaigns, with very little social engineering emails scribed in English. With the extensive number of campaigns from TA558 threat actors and a clear financial motive, CTIX believes that this activity will continue to persist and evolve in the weeks to come.
APT41 Compromises Thirteen Organizations in the Past Year
Threat actors from the widely known APT41 threat group have compromised thirteen (13) organizations worldwide over the past year, including breaching six (6) government infrastructures in six (6) US states. APT41, also tracked as Wicked Panda and Winniti, is one of the oldest known Chinese-backed espionage organizations which focuses heavily on financially-motivated operations. Historically, APT41 has targeted corporations within the technology, gaming, telecommunications, and healthcare industries across over a dozen countries. In recent campaigns by APT41, threat actors initialize their reconnaissance phase by scanning the target with port scanners, network mappers, and vulnerability scripts such as Nmap, Sublist3r, and Acunetix, followed by exploiting web applications susceptible to SQL injection attacks. Once breached, APT41 actors have the ability to execute arbitrary code via the server command shell and begin communications between target and command-and-control (C2) servers. Furthermore, threat actors continue to execute payloads on the compromised systems establishing persistence, escalating privilege rights, masking communications to avoid detection, and deploying espionage scripts to gather data across the enterprise and exfiltrating data to APT41 C2 servers. APT41 has been a significant player in the threat landscape since 2007 and is predicted to continue to be so in the near future. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Amazon Patches Vulnerability Exposing Ring Smart Doorbell Cameras
In May, Amazon patched a high-severity vulnerability in their Android application for Ring smart doorbell cameras which if exploited, could expose sensitive user data. The exposed data would include the full name of the user, their email and phone number, geolocation data and street address, as well as the camera video recordings. Researchers from the application security firm Checkmarx first reported this to Amazon via their Vulnerability Research Program. On May 27, 2022, Amazon released a fix for both the Android and iOS Ring applications. The flaw was identified after Checkmarx researchers investigated the Android Ring APK manifest and found an exposed program component known as an "activity" which could be launched by any application installed on the device. To successfully exploit this vulnerability, attackers could install a malicious application that launches the exposed activity and redirects it to an actor-controlled command-and-control (C2) web server. A researcher from Checkmarx stated that by exploiting this vulnerability, it was possible to use Ring’s APIs to extract the customer’s personal and device data. Once they had extracted the video data, the researchers were able to use Amazon's own machine learning image and video analysis service, known as Amazon Rekognition, to parse through hours of recordings until finding the data that would be considered valuable. At this point, an attacker could use the data to access other parts of the victim network, extort the victim, and spy on their day-to-day activity. At this time there is no evidence that Ring customers were exploited in-the-wild. Amazon was very quick to patch this vulnerability and did not publicly disclose it until a working patch and full report was available. There are over 10 million downloads of the Ring application, and smart doorbells are just one of millions of new IoT devices that represent fresh attack-vectors for threat actors. The Checkmarx report will be published in the coming weeks, and CTIX analysts recommend any Ring customers verify that the software version of their device is up to date to prevent any exploitation attempts.
- The Record: Ring Vulnerability Article
- Bleeping Computer: Ring Vulnerability Article
- The Hacker News: Ring Vulnerability Article
Google Patches Zero-Day Allowing for the Execution of Arbitrary Code
Google has released a patch for a critical zero-day vulnerability in their Chrome browser that has been actively exploited in-the-wild. The flaw, tracked as CVE-2022-2856, is an insufficient validation of untrusted input in Intents vulnerability. If exploited, the vulnerability could allow attackers to perform arbitrary code execution. Input validation is a technique for verifying if inputs are potentially dangerous to process or not; an attacker could exploit a flaw in input validation by maliciously crafting inputs that aren't expected by the application, altering the order in which a computer executes statements in a script. This could allow for the attacker to take complete control of resources to conduct follow-on actions or execute arbitrary code. This flaw was identified in July 2022 by Google's own Threat Analysis Group (TAG) and at this time, the specifics of the exploit are being withheld from the public to allow as many Chrome users as possible to update their vulnerable browsers. This patch addresses ten (10) other vulnerabilities, and the specific information can be found in the linked Google advisory. CTIX analysts recommend all Chrome users ensure they have installed the patch. If noteworthy exploit information is disclosed about this flaw in the near future, CTIX will publish an update to this piece.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed and the CTIX team (email@example.com) for threat intelligence inquiries.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.