Ankura CTIX FLASH Update - June 9, 2023

Malware Activity

"Stealth Soldier" Malware Observed Using Surveillance Capabilities Against Libyan Organizations

Researchers have observed a previously undisclosed custom multi-stage backdoor dubbed "Stealth Soldier" involved in a wave of highly targeted espionage attacks against North Africa. The Stealth Soldier malware strain is known to primarily operate "surveillance functions such as file exfiltration, screen and microphone recording, keystroke logging and stealing browser information." The first version of Stealth Soldier was compiled in October 2022, and the most recent version was likely delivered in February 2023. Researchers note that the command-and-control (C2) servers in this ongoing campaign have been observed mimicking sites belonging to the Libyan Ministry of Foreign Affairs. There are also indications that the C2 servers are part of a larger infrastructure set tied to various domains, some of which have been used for spear-phishing campaigns against government entities. As of June 8, 2023, this campaign is believed, based on the phishing website themes and submitted samples, to be targeting Libyan organizations. The attack begins with the victim triggering a fraudulent downloader, currently believed to be delivered through social engineering. Six (6) files are downloaded from the C2 server, the main three (3) being "Loader," "Watchdog," and "Payload." A decoy empty PDF is downloaded and opened as well. Researchers emphasized that the malware uses various types of commands during its attack chain, including plugins that are downloaded from the C2 and modules that are already included in the malware. Stealth Soldier typically uses XOR encryption with two (2) hardcoded strings that masquerade as legitimate strings in order to make detection more difficult.
Researchers identified infrastructure similarities between Stealth Soldier and "Eye of the Nile," a campaign that targeted journalists and human rights activists in Egypt in 2019, and emphasized that Stealth Soldier may be the first re-appearance of this threat actor since the 2019 campaign. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity

Threat Profile: Asylum Ambuscade 

Threat actors from the Asylum Ambuscade group have been observed conducting cybercriminal activity over the past several months, but the group has now begun to shift into the cyberespionage realm. Asylum Ambuscade has been active for just over two (2) years and is known for its continued attacks against banks and cryptocurrency outlets across the globe. Historically, these threat actors were believed to be associated with a phishing campaign against the European Government that was conducted after compromising email accounts belonging to the Ukrainian Military and using them as decoy accounts to disguise the actors' movements and limit detection. The group's attacks follow the same procedures as its previous campaigns, using social engineering to deliver maliciously crafted Excel or Word documents. These documents often contain malicious payloads developed by Asylum Ambuscade actors, including the SunSeed and AHKBOT malicious applications. To date, there have been roughly 4,500 victims of the Asylum Ambuscade threat organization on a global scale, most of them in North America. These threat actors continue to make waves throughout the cybercrime and cyberespionage world and will remain an active threat for the months to come. CTIX analysts continue to monitor threat actor activity worldwide and will provide additional updates accordingly.

Vulnerabilities

Full Replacement Required for Compromised Barracuda Networks ESG Devices

UPDATE: On June 6, 2023, network security giant Barracuda Networks added an update to their advisory regarding a now-patched critical vulnerability in their Email Security Gateway (ESG) appliances. The action notice states that all Barracuda Networks ESG appliances must be decommissioned and physically replaced regardless of whether the customer has applied the software patches or not. The flaw tracked as CVE-2023-2868 is a command injection vulnerability that is being exploited by attackers to conduct remote code execution (RCE). The action notice comes as a shock to customers and researchers alike, and although at this time the technical details of the exploit have not been published by Barracuda Networks, it implies that the deployed malware utilized by the threat actor is able to persist on the compromised devices after they have been patched. Researchers state in their blog post that the exploitation attempts go back to at least November of 2022. The advisory makes note of several malware strains identified in this campaign, including trojanized backdoors like “Saltwater,” “SeaSpy,” and “Seaside.” Rapid7's senior manager of vulnerability research stated that there is at least one (1) case of this exploit that indicates the threat actor may have exfiltrated data after compromising ESG appliances. At this time, impacted customers have already been notified that their appliances have been compromised through the software's UI. CTIX analysts recommend that any organizations with impacted Barracuda products should take them offline and fully replace them through Barracuda Networks' support. CTIX will continue to track this matter and may provide updates if further information becomes public.

Honorable Mention

New Sextortion Scheme Implementing Artificial Intelligence and Machine Learning Tools

Sextortion schemes create millions of dollars in losses for Americans and normally involve threat actors coercing or stealing digital material from victims. New schemes, however, have recently become popular with the help of technological advancements, as sextortionists create AI deepfakes from otherwise benign content posted online to produce sexually explicit images or videos. These criminals' scheme is similar to conventional sextortion methods: demanding payment from victims in exchange for not posting the material, taking it down, or not requesting more explicit content. However, by using artificial intelligence and machine learning tools, actors are able to expand their operations, taking individuals' good-faith social media content and making it appear in believable images or videos. Deepfakes already pose a growing threat, as they are increasingly used for information campaigns and scams alike, but using them for sextortion schemes poses additional risks by publicly exposing non-consenting adults and minor children on social media or explicit websites. The Federal Bureau of Investigation (FBI) recommends reporting any suspected sextortion case to your local FBI field office and submitting any case involving children under the age of eighteen (18) to the National Center for Missing and Exploited Children, which provides free help through the Take It Down service. To decrease the chances of being targeted, CTIX analysts recommend that readers engage in online risk mitigation. This includes being cautious about any materials that are publicly posted and avoiding interactions with suspicious strangers in digital environments. In the case of active sextortion, CTIX offers comprehensive intelligence collection and dark web monitoring services to assist clients with identifying the extortionists and other online risks pertaining to the victim.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
