New SEO Poisoning Campaign Utilizing "Gootkit" Malware Loader Targets the Australian Healthcare Sector
- Bleeping Computer: Gootkit Campaign Article
- The Hacker News: Gootkit Campaign Article
- Trend Micro: Gootkit Campaign Report
Threat Actor Activity
Threat Profile: Dark Pink
An emerging threat group has made its presence known by targeting military and government organizations throughout Europe and the Asia-Pacific region. Tracked as Dark Pink, the group has reportedly been active since mid-2021 and is currently not attributed to any other threat affiliates. Activity from Dark Pink actors increased significantly through the back half of 2022, and seven (7) cyber espionage related attacks have been uncovered so far. These espionage attacks targeted two (2) military clusters in Malaysia and the Philippines, a religious organization in Vietnam, and government agencies throughout the region. Tactics, techniques, and procedures (TTPs) observed thus far show that Dark Pink actors rely on social engineering to deliver malicious payloads to victims. Through phishing correspondence posing as an individual applying for an internship, the threat actors embedded a hyperlink that brings the victim to a file-sharing platform from which the malicious payloads are downloaded. Prior to infection, the downloaded file(s) communicated back to GitHub and retrieved further malicious scripts to advance the infection. As it stands, the same GitHub repository was used throughout the cyber espionage attacks. Malicious payloads used by the group include “Ctealer”, “Cuck Stealer”, and “KamiKaKaBot”, which were used to infect victims and exfiltrate sensitive information, captured audio recordings, and other data from messaging platforms. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
CISA Adds Windows EOP Vulnerability to the KEV
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Microsoft zero-day vulnerability to the Known Exploited Vulnerabilities (KEV) Catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch the flaw no later than January 31, 2023. The vulnerability, tracked as CVE-2023-21674, is a Windows Advanced Local Procedure Call (ALPC) elevation of privilege (EOP) vulnerability. ALPC is an inter-process message-passing protocol that allows applications to access APIs and services, as well as make Remote Procedure Calls (RPC) requesting services from programs located on another system on a network. If successfully exploited, an attacker could perform a sandbox escape, escalating their local privileges to SYSTEM and gaining the permissions they need to carry out follow-on attacks. Once an actor has escalated their privileges, they could make configuration changes, view sensitive data, create more privileged user accounts, and download malicious programs. EOP vulnerabilities are usually exploited in tandem with malware, as well as with other vulnerabilities such as remote code execution (RCE). This flaw affects millions of organizations across the world, and due to its low complexity it can be exploited without any victim user interaction. CTIX analysts urge all Windows users to update to the most recent secure patch immediately to prevent exploitation.
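A defender-side check for the KEV mandate described above, added here as an example that is not part of the CTIX brief and not CISA's own tooling: it parses a record in the layout of the public KEV JSON feed and reports which catalog entries are past or approaching their remediation due date, optionally cross-checked against the set of CVEs an organization has already patched. The field names assume the published KEV feed schema (cveID, vendorProject, product, dateAdded, dueDate, requiredAction). The sample feed is constructed for offline use; only CVE-2023-21674 and its January 31, 2023 due date come from the brief, while the second entry and the dateAdded values are placeholders.

```python
"""Parse a CISA KEV catalog feed and report remediation deadlines.

Added example, not code from the CTIX brief or from CISA. Assumes the
public KEV JSON schema: a top-level "vulnerabilities" list whose items
carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction.
"""
import json
from datetime import datetime

# Constructed sample in the KEV feed layout (not a real download).
# Only CVE-2023-21674 and its 2023-01-31 due date come from the brief;
# the dateAdded values and the second entry are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2023-21674",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Microsoft Windows ALPC Privilege Escalation Vulnerability",
      "dateAdded": "2023-01-10",
      "shortDescription": "Windows ALPC contains an elevation of privilege vulnerability.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-01-31",
      "notes": ""
    },
    {
      "cveID": "CVE-2023-00000",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Placeholder entry (constructed, not a real CVE)",
      "dateAdded": "2023-01-12",
      "shortDescription": "Constructed placeholder for the example.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2023-02-02",
      "notes": ""
    }
  ]
}
"""


def parse_date(text):
    """KEV dates are ISO calendar dates (YYYY-MM-DD)."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def parse_kev(text):
    """Load a KEV feed and convert its date strings to date objects."""
    data = json.loads(text)
    entries = []
    for raw in data.get("vulnerabilities", []):
        entry = dict(raw)
        entry["dateAdded"] = parse_date(raw["dateAdded"])
        entry["dueDate"] = parse_date(raw["dueDate"])
        entries.append(entry)
    return entries


def find_cve(entries, cve_id):
    """Return the catalog entry for a CVE ID (case-insensitive), or None."""
    wanted = cve_id.upper()
    return next((e for e in entries if e["cveID"].upper() == wanted), None)


def days_until_due(entry, as_of):
    """Days left before the FCEB remediation deadline; negative when overdue."""
    return (entry["dueDate"] - as_of).days


def overdue(entries, as_of, product_filter=None):
    """CVE IDs whose due date has passed, optionally limited to a vendor/product substring."""
    hits = []
    for e in entries:
        label = f"{e['vendorProject']} {e['product']}".lower()
        if product_filter and product_filter.lower() not in label:
            continue
        if e["dueDate"] < as_of:
            hits.append(e["cveID"])
    return hits


def outstanding(entries, patched, as_of):
    """(cveID, days_until_due) for entries not yet patched, soonest deadline first."""
    patched = {c.upper() for c in patched}
    pending = [e for e in entries if e["cveID"].upper() not in patched]
    pending.sort(key=lambda e: e["dueDate"])
    return [(e["cveID"], days_until_due(e, as_of)) for e in pending]


if __name__ == "__main__":
    catalog = parse_kev(SAMPLE_KEV_JSON)
    today = parse_date("2023-01-20")
    for cve, days in outstanding(catalog, patched=set(), as_of=today):
        print(f"{cve}: {days} day(s) until due")
```

In production the feed text would come from CISA's published catalog (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and the `patched` set from the organization's patch-management inventory; the functions are separated from I/O so they can be unit-tested against constructed feeds like the one above.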
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.