This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Social Media Links

| 5 minutes read

Ankura CTIX FLASH Update - May 19, 2023

Malware Activity

Lemon Group Threat Organization Capitalizing on 8.9 Million Pre-Infected Android Devices in Latest Campaign

Researchers have observed the Lemon Group threat organization leveraging previously infected Android devices around the globe to carry out their latest campaign. This activity involves approximately 8.9 million devices that are mainly located in the United States, Mexico, Indonesia, Thailand, Russia, India, the Philippines, South Africa, Angola, and Argentina. Researchers have noted that the infection of Android devices "turns these devices into mobile proxies, tools for stealing and selling SMS messages, social media and online messaging accounts, and monetization via advertisements and click fraud." It is also suspected that threat groups are beginning to utilize additional Android-based Internet-of-Things (IoT) devices, such as smart televisions, television boxes, entertainment systems, and children's watches. Researchers observed the "Guerilla" malware in this latest campaign, which was first documented in 2018 and has been observed previously with the ability to conduct SMS interception, engage in click fraud, and act as a backdoor. In addition to the SMS plugin, Lemon Group's infrastructure involves many other plugins associated with the main Guerilla plugin in this campaign. The plugins include a proxy plugin that allows actors to rent access to the network resources of the impacted device, a cookie plugin to harvest Facebook cookies and profile information, a WhatsApp plugin to hijack sessions, a Splash plugin to serve adware, and a silent plugin to install an APK file and launch the associated application. Researchers noted the overarching goal of the campaign is to "bypass SMS-based verification and advertise bulk virtual phone numbers – which belong to unsuspecting users of the infected Android handsets – for sale to create online accounts." Lemon Group is believed to have a linkage with the Triada malware through previous collaboration with its operators. Technical details of the Lemon Group campaign as well as indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity

Threat Profile: OilAlpha

A new espionage campaign against the Arabian Peninsula has exposed OilAlpha threat actors to new media attention. Historically, the OilAlpha threat group has targeted numerous sectors including political figures/officials, media outlets, and journalists through espionage-related campaigns. In their newest campaign, OilAlpha threat actors have changed up some of their targets to include non-governmental organizations, humanitarian, and development industries. Tactics utilized by threat actors in this campaign include the deployment of the remote access tools “SpyNote” and “SpyMax” across mobile devices, often exploiting Arabic-speaking individuals using Android devices. Utilizing social engineering techniques, OilAlpha actors attempted to communicate with journalists and political figures over encrypted chat platforms such as WhatsApp by luring users in with Yemeni-related security and development matters. Should social engineering be successful, the deployed SpyNote and SpyMax malware allows for the continuous collection and exfiltration of the mobile device's network configuration, camera and audio recording, SMS data, contacts list, call logs, and location data. Technical details associated with recent OilAlpha attacks are included in the report below. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.


Another Popular Password Manager "KeePass" is Vulnerable to Exploitation and Account Takeover 

A cybersecurity researcher who goes by "vdohney" has published a proof-of-concept (PoC) exploit for a critical vulnerability in the popular open-source password manager KeePass. If successfully exploited, this flaw could allow threat actors to retrieve a user's secret KeePass account master password in plaintext, allowing them to change it and take complete control of the user's account and password database. Password managers or "wallets" are an efficient way for users to generate and store strong passwords that they do not have to memorize and can access whenever they want from their mobile devices and personal computers. With a password wallet such as KeePass, instead of a user memorizing all of their passwords, they only need to memorize their master password for the KeePass account. The vulnerability, tracked as CVE-2023-32784, stems from the way that KeePass's software processes user input via a custom-developed password entry box known as "SecureTextBoxEx." In this custom text box, when a user enters a password, there are leftover strings leaked through memory that allow a threat actor to reverse engineer the password minus the first or second character(s). This attack could be executed by a threat actor who has gained read access to a user's KeePass filesystem or RAM, through physically or remotely accessing the user's device via the exploitation of a device vulnerability or social engineering. Adding to this vulnerability's severity is the fact that the master password can be retrieved by attackers even if the victim has already closed out or locked the KeePass application. This is not the first time that researchers have uncovered gaps in password manager application security, and in recent months there have been security issues uncovered at LastPass, Bitwarden, Dashlane, 1Password, and Safari's Password Manager. Although this vulnerability poses a significant threat, it is unlikely to be exploited en masse due to the attack being highly targeted, where the threat actor would first have to find and compromise an individual through social engineering. The security patch has been developed and is likely to be deployed in early June 2023. For the time being, CTIX analysts recommend that any KeePass users update their password to have at least fifteen (15) random characters, as well as monitor their account for any signs of exploitation until the official patch is released. Technical details about the PoC can be found in vdhoney's GitHub repository linked below.

Honorable Mention

LayerZero Launches Record Breaking Crypto Bug Bounty Program with Up to $15 Million Payout

LayerZero Labs has teamed up with bug bounty and security services platform Immunefi to launch a record high $15 million bug bounty program for critical smart contract and blockchain vulnerabilities related to the company's protocol. LayerZero Labs is the creator of the LabZero blockchain messaging protocol that facilitates secure communication across thirty (30) different blockchains, having enabled the exchange of 10,000,000 messages. Unlike other messaging platforms like WhatsApp and Telegram, LayerZero eliminates the need for intermediaries, allowing users to send messages between blockchains such as cross-chain interactions. The crypto ecosystem has lost around $9.33 billion to exploits, hacks, and scams. CEO and co-founder, Bryan Pellegrino, said "the security protocol comes before anything else" and that they "have enough money to pay out plenty of bounties." LayerZero is currently valued at $3 billion, having seen transaction volumes of over $15 billion since launching fourteen (14) months ago. The company has set out different payout tiers based on the severity level of the findings and impacted blockchains. For the higher-paying group of discoveries, the maximum payout is $15,000,000 for critical vulnerabilities, $250,000 for high-severity flaws, $25,000 for medium-severity vulnerabilities, and $10,000 for low-severity issues.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team ( if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.


cyber response, cybersecurity & data privacy, data privacy & cyber risk, memo

Let’s Connect

We solve problems by operating as one firm to deliver for our clients. Where others advise, we solve. Where others consult, we partner.

I’m interested in

I need help with