Malware Activity
RedEyes Threat Group Observed Using New Malware to Exploit the Ably Service and Wiretap Victims
Researchers have observed RedEyes (also known as APT37 and ScarCruft) using a previously unknown information-stealing malware dubbed "FadeStealer" as well as the "AblyGo Backdoor." RedEyes is a state-sponsored advanced persistent threat (APT) group that has historically conducted cyberattacks aligned with North Korean interests, including against North Korean defectors, human rights activists, and university professors. Researchers explained that the malware is assumed to be delivered through spear-phishing emails carrying a typical password-protected document together with a fraudulent password file. The password file is in fact a malicious Compiled HTML Help (CHM) file, so campaign victims believe they must execute it in order to view the password-protected document. Once executed, the CHM displays the password information while an internal script runs in the background and causes an MSHTA PowerShell script from RedEyes' command-and-control (C2) server to be executed. This initial malware, which contains a backdoor feature, establishes persistence through an autorun registry key, and the operators were later observed carrying out privilege escalation, exfiltration, and distribution of additional malware. That distribution is conducted through the AblyGo Backdoor, which abuses the Ably service, a real-time data transfer and messaging platform offering publish/subscribe messaging, push notifications, real-time queries, and state synchronization. AblyGo Backdoor, in combination with the malicious script initially fetched from the C2 server, then executes the FadeStealer info-stealer. FadeStealer has been noted to contain "wiretapping features" as well as the capabilities to take screenshots, exfiltrate data from removable media devices and smartphones, and conduct keylogging.
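As an added illustration (not code from the FLASH Update or from any referenced vendor report), the following Python runs two hunting checks over constructed Sysmon-style process and registry events for the observable stages described above: script hosts spawned by the CHM viewer, and a Run-key write made by a script host. It assumes the CHM is opened by hh.exe and that the "autorun registry key" is a Run key; hh.exe, mshta.exe and the Run key path are real Windows names, while all event values are constructed.

```python
from dataclasses import dataclass

# Assumptions (not stated in the report): the CHM is opened by the Windows HTML
# Help viewer hh.exe, and the "autorun registry key" is a Run key under HKCU/HKLM.
HELP_VIEWER = "hh.exe"
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe"}   # narrow on purpose; extend as needed
RUN_KEY_MARKER = r"\software\microsoft\windows\currentversion\run"


@dataclass
class Event:
    """Minimal Sysmon-style record; kind is 'process' or 'registry'."""
    kind: str
    image: str          # created process, or the process writing the registry value
    parent: str = ""    # parent image (process events only)
    target: str = ""    # registry key path (registry events only)
    cmdline: str = ""


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_lineage(events):
    """Script hosts spawned by the help viewer or by another script host
    (CHM -> mshta.exe -> powershell.exe), returned in event order."""
    return [e for e in events
            if e.kind == "process" and image_name(e.image) in SCRIPT_HOSTS
            and image_name(e.parent) in SCRIPT_HOSTS | {HELP_VIEWER}]


def run_key_persistence(events):
    """Run-key writes made by a script host: the autorun persistence described above."""
    return [e for e in events
            if e.kind == "registry" and image_name(e.image) in SCRIPT_HOSTS
            and RUN_KEY_MARKER in e.target.lower()]


# Constructed sample telemetry for one host; file and value names are made up.
SAMPLE = [
    Event("process", r"C:\Windows\hh.exe", parent=r"C:\Windows\explorer.exe", cmdline="hh.exe password.chm"),
    Event("process", r"C:\Windows\System32\mshta.exe", parent=r"C:\Windows\hh.exe"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\mshta.exe"),
    Event("registry", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("process", r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
]
```

On the sample, the lineage check returns the mshta.exe and powershell.exe events and the persistence check returns the single Run-key write; a benign notepad.exe launch is not flagged.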
Users are urged to remain vigilant about emails from unknown senders and to refrain from executing attachments before verifying the source of the email. Additional technical details of RedEyes' latest campaign as well as indicators of compromise (IOCs) can be viewed in the report linked below.
Threat Actor Activity
Threat Profile: APT15
Threat actors from the state-sponsored APT15 group have resurfaced with a new attack campaign that has been ongoing since 2022. APT15, also tracked under the codenames Ke3Chang and Mirage, has been operating since 2010 and primarily targets organizations involved with diplomatic missions, defense, and government entities. Operating at a less aggressive pace than other Chinese nation-state threat groups, APT15 continues to exfiltrate intelligence from its targets to benefit the Chinese state. Over its tenure APT15 has deployed an arsenal of malicious payloads, including multiple variants of the “BS2005” backdoor in addition to “TidePool,” “Okrum,” “RoyalDNS,” “RoyalCli,” and several other malware families. In its most recent campaign, APT15 turned its focus to the Americas, primarily targeting foreign affairs ministries and government financial organizations. APT15 has deployed the “Graphican” backdoor in a majority of this campaign's attacks and has further relied on living-off-the-land scripts and tooling. Graphican itself was built on the “Ketrican” backdoor, an advanced version of BS2005; it retains the capabilities of both malware strains but implements its command-and-control (C2) channel through Microsoft's Graph API and OneDrive. Deeper technical information about Graphican can be reviewed in the articles below. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
Apple Patches Two Vulnerabilities Exploited to Facilitate the Operation Triangulation Spyware Campaign
UPDATE: Apple has just patched two (2) actively exploited zero-day vulnerabilities that were used in the "Operation Triangulation" iOS spyware campaign, which has been operational since 2019. Russia’s Federal Security Service (FSB) has stated that the campaign targeted the iPhone SIM cards of Russian government officials registered with diplomatic missions and embassies both on Russian soil and abroad. The flaws, tracked as CVE-2023-32434 and CVE-2023-32439, allowed the still-unknown advanced persistent threat (APT) group responsible for the attacks to install zero-click malware on vulnerable iOS devices. The compromised iOS devices of Russian diplomats were all found to have received iMessages containing a malicious attachment that executes on its own as soon as the message is received and downloads additional payloads from a threat actor-controlled command-and-control (C2) server, described by researchers as a highly sophisticated and robust APT platform. The additional payloads enable privilege escalation, giving the threat actor covert and complete root-level access to the device. Once the device is fully compromised, the malware deletes the entire message conversation and attachment, preventing the device's user from discovering the compromise. This zero-click malware allows the attackers to exfiltrate sensitive data such as geolocation, iMessages, SMS, microphone recordings, pictures, notes, and much more. According to the FSB, thousands of devices have been compromised, and it alleges that groups working for the United States intelligence community are the threat actors behind the campaign. The FSB said in a statement, "The U.S. intelligence services have been using IT giants for decades to collect internet users' personal data without their knowledge […] In this instance, they used the software vulnerabilities of U.S.-made smartphones." The FSB claims that the U.S. National Security Agency (NSA) worked hand-in-hand with Apple to insert backdoors into iOS products; however, this has not been substantiated, and an Apple spokesperson stated officially that the company has "never worked with any government to insert a backdoor into any Apple product and never will." Researchers state that these vulnerabilities are not exploitable on iOS devices running iOS 15.7 and later, and CTIX analysts recommend that all iOS users keep their devices updated with the most recent software. This matter is very complex given the adversarial relationship between Russia and the United States, and an update may be published in future FLASH Updates.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.