Ransomware/Malware Activity
Emerging Clipper Malware "Laplas" Targeting Cryptocurrency Users
An emerging clipper malware dubbed "Laplas" has been targeting cryptocurrency users via the "SmokeLoader" malware. Cyble researchers observed this activity and detailed that SmokeLoader, which is delivered through malicious documents in spear-phishing campaigns, also acts as a carrier for various other malware including SystemBC and Raccoon Stealer 2.0. The Laplas malware is known for hijacking a cryptocurrency transaction by swapping the victim's wallet address with the operator's. This is conducted by monitoring the victim device's clipboard and verifying if any copied data contains a cryptocurrency wallet address. Laplas generates a wallet address that is similar to the victim's so that there is a smaller chance of the victim recognizing the attack. Laslas is advertised in cyber forums with feature details as well as prices for use. The clipper malware can support various cryptocurrency wallets, such as Bitcoin, Ethereum, Litecoin, Dogecoin, Monero, and more, and has various pricing options. 180 samples of Laplas have been identified by researchers within the last two (2) weeks and the rise in infections is expected to grow. Technical details as well as indicators of compromise (IOCs) can be viewed in Cyble's report liked below. CTIX analysts will continue to monitor Laplas clipper activity and report on new incidents involving the malware as they appear.
Threat Actor Activity
Hacktivist Group Killnet Targets Intelligence Websites, Attack Unsuccessful
Killnet threat actors are once again targeting websites in their latest campaign against Eastern Bloc government websites. In previous months, hacktivist group Killnet has launched numerous global DDoS campaigns including attacks against United States airport websites just several weeks ago. Recently, Killnet threat actors listed websites known for intelligence services throughout Poland, Bulgaria, Moldova, Romania, and Estonia in their Telegram channel. Despite their efforts, Killnet actors were unable to keep the websites offline for long and all sites are currently operational. Ivan Demerdzhiev, a Bulgarian internal minister, stated that Killnet utilized an "image attack aimed at creating certain moods and certain results in public attitudes". Killnet has a significant reputation for attacking those not aligned with pro-Russia activities and those who assist the enemy. A few days later, the Federal Bureau of Investigation released a statement on hacktivist groups targeting critical infrastructure with DDoS attacks. The Bureau goes on to state that it recognizes the repeated attempts at hacktivists group DDoS attacks alongside their limited success in keeping these assets down. CTIX will continue to monitor threat groups throughout the landscape and provide additional updates accordingly.
Vulnerabilities
PoC Published for System-crashing macOS Ventura Vulnerability
A security researcher from Hoyt LLC has published a system crashing proof-of-concept (PoC) for a critical vulnerability impacting macOS Ventura which could be exploited by threat actors to execute arbitrary code on vulnerable systems. The flaw, tracked as CVE-2022-26730, is an improper validation of inputs vulnerability that occurs when processing International Color Consortium (ICC) profiles via Mac's ColorSync Utility. An ICC profile is a dataset that characterizes a color input or output device, meaning that a device that displays color can be assigned an ICC color profile, which defines the color gamut being displayed by these devices. A threat actor could exploit this vulnerability by sending a maliciously crafted image to a vulnerable device, leading to memory corruption and the ability to execute arbitrary code. This flaw has been successfully patched, and CTIX analysts recommend any macOS Ventura users ensure they are running the most recent versions of their operating systems. This flaw received a CVSS score of 8.8/10, and the published PoC is only for causing a system crash, so functional PoCs may be released in the future.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
