
Ankura CTIX FLASH Update - April 28, 2023

Malware Activity

North Korean-Tied "RustBucket" Malware Targeting Apple macOS Devices

"RustBucket," a new malware family targeting Apple macOS devices, has been observed and attributed to the financially motivated North Korean threat group BlueNoroff, a subgroup of the Lazarus Group (APT28). Researchers found similarities between the observed campaign and one noted in December 2022 that targeted Windows machines, including "malicious tooling on macOS that closely aligns with the workflow and social engineering patterns of those employed in the campaign." The campaign begins with a stage-one payload: a suspicious AppleScript file bundled inside an unsigned application called "Internal PDF Viewer.app." From there, the malware executes commands to download the stage-two malware, also called "Internal PDF Viewer.app," from its command-and-control (C2) server. Researchers noted that the malware is broken into several stages to complicate analysis, a common technique. The stage-two application carries no AppleScript file and has different version, size, and bundle identifier data to appear more legitimate; it is signed with an ad-hoc signature. From the user's perspective, launching the malicious application opens a working PDF viewer. A specific PDF must be loaded in the application before the malware takes its next steps and communicates with the operators. Researchers described the PDF as a document that "shows a venture capital firm that is interested in investing in different tech startups" and noted that its content was likely taken from the website of a small but legitimate venture capital firm. The stage-three malware in this campaign is an ad-hoc signed trojan written in Rust that communicates with the C2 server for further instructions. CTIX analysts will provide updates regarding this campaign as they become available and will continue to monitor North Korean threat group activities.
Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity

DustSquad Organization Launches Politically Motivated Phishing Campaign

A group of Russian cyberespionage threat actors has begun targeting individuals in Tajikistan with a malicious campaign dubbed PaperBug. The group, commonly tracked as DustSquad (Nomadic Octopus), had been a rather quiet threat organization until now. Specializing in cyberespionage operations, DustSquad primarily targets entities based on their political or diplomatic stances and has defaulted to social engineering as its point of compromise. The initial point of compromise in this recent operation against Tajikistan is unknown; however, DustSquad actors targeted Tajik government bodies, public service providers, and telecommunication companies. Once a victim was compromised, DustSquad deployed several toolsets and malicious programs onto the victims' networks via command-and-control (C2) servers. The main backdoor used is called "Octopus" and is capable of dumping Windows system credentials, capturing screenshots of the current system, collecting system network information, and sending all of it back to actor-controlled C2 servers. Attacks carried out during this operation were found to be intrusive and non-stealthy, with the intention of general intelligence gathering and surveillance. Operation PaperBug showed tendencies similar to those of APT28, another Russian threat organization specializing in espionage efforts against telecommunications in Central Asia. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.

Vulnerabilities

Researchers Attribute the Exploitation of PaperCut Vulnerabilities to Clop Affiliate Lace Tempest

UPDATE: Researchers from Microsoft have attributed the active exploitation of two (2) critical PaperCut vulnerabilities to threat actors linked to the Clop ransomware operation. A proof-of-concept (PoC) exploit was recently published by researchers, breaking down the vulnerability and giving the technical details for exploitation. The first vulnerability, tracked as CVE-2023-27350, is a remote code execution (RCE) flaw that allows unauthenticated attackers to execute malicious code on servers running vulnerable versions of the very popular PaperCut print management solution. The other vulnerability, tracked as CVE-2023-27351, is an authentication bypass that works in conjunction with the RCE vulnerability. The researchers attributed the exploitation to a threat actor tracked as "Lace Tempest", a financially motivated Clop affiliate whose tactics, techniques, and procedures (TTPs) overlap with those of the FIN11 and TA505 threat actors. In this campaign, the Lace Tempest threat group is exploiting the PaperCut vulnerabilities to install the TrueBot (aka Silence.Downloader) malware loader on vulnerable PaperCut servers. TrueBot aims to infect the victim systems, collect information to help triage interesting targets, and deploy additional payloads, while sending all relevant intelligence back to an attacker-owned command-and-control (C2) server. PaperCut produces print management software for almost every major printer brand, used by government agencies, universities, and large corporations around the world. The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all federal civilian executive branch (FCEB) agencies patch the flaws by May 12, 2023, or face being held accountable by regulators. CTIX analysts will continue to monitor the fallout from this campaign, and further updates may be published if novel findings become public.

Honorable Mention

Google Granted Court Order to Disrupt CryptBot Info Stealer

On Wednesday, a federal judge in the Southern District of New York granted Google a temporary court order to disrupt the distribution and infrastructure of the "CryptBot" info stealing malware. The CryptBot info stealer, estimated to have infected approximately 670,000 computers in the past year, has been used to infect Google Chrome users and steal their data, including login credentials, credit card information, cryptocurrency wallet data, and other personal or financial data that can be used for fraudulent purposes. The malware is traditionally delivered via fake websites offering "cracked" versions of various software and video games that, in reality, are maliciously modified versions of popular software packages such as Google Earth Pro or Google Chrome. Google originally filed a lawsuit claiming computer fraud and abuse and trademark infringement, targeting CryptBot's infrastructure and distribution network, whose major distributors are believed to be based in Pakistan and to operate a worldwide criminal enterprise. The court order will enable Google to take down both currently active domains associated with CryptBot distribution and those registered after the order was issued, effectively limiting the malware network's growth and decreasing the influx of new infections. Google's court order comes weeks after a similar order was granted to Microsoft, in coordination with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), to dismantle servers hosting illegal, legacy copies of Cobalt Strike, signaling a rise in legal actions that allow companies to take offensive measures against cyber threat actors.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
