
Ankura CTIX FLASH Update - July 21, 2023

Malware Activity


Two Spyware Variants "WyrmSpy" and "DragonEgg" Recently Attributed to China-Linked Threat Group APT41

Researchers have attributed two (2) new Android spyware variants to the China-linked advanced persistent threat (APT) group APT41 (otherwise known as Winnti, Wicked Panda, and BARIUM). APT41 has been active since 2012 and has historically targeted both public and private organizations, such as "nation-state governments, software development companies, computer hardware manufacturers, telecommunications providers, social media companies, and video game companies," with the goal of financial gain as well as espionage. Researchers noted that it is rare for APT41 to exploit mobile platforms, as the group typically exploits web-facing applications and traditional endpoint devices. APT41 has been linked to two (2) Android spyware variants, "WyrmSpy" and "DragonEgg", which researchers describe as having sophisticated data collection and exfiltration capabilities. The two (2) malware variants have been observed with overlapping Android signing certificates and share infrastructure with APT41 between May 2014 and August 2020. Researchers also explained that WyrmSpy and DragonEgg have different targeting scopes and are believed with medium confidence to be delivered through social engineering. WyrmSpy primarily disguises itself as a "default operating system app" for Android and is known to escalate its privileges once executed on a victim device. The malware then performs spyware functions, including uploading log files, photos, and device location. The malware also potentially collects audio recordings and SMS messages. DragonEgg disguises itself as "third-party keyboard or messaging apps" and is known to request various permissions from the device. The malware potentially collects device contacts, location, photos, audio recordings, SMS messages, and external device storage files. CTIX analysts will continue to monitor emerging spyware and provide campaign details as available.
Indicators of compromise (IOCs) and technical details can be viewed in the report linked below.


Threat Actor Activity


FIN8 Actors Shifting to Ransomware

The FIN8 threat organization has begun to shift its modus operandi to include ransomware attacks using several malware families. FIN8, also tracked as Syssphinx, is a well-established financially motivated cybercriminal operation that has been active since early 2016, often targeting retail, insurance, hospitality, technology, financial, and chemical outlets. Often employing social engineering and spearphishing as their delivery tactics, FIN8 actors deploy customized malware onto their target’s machine to harvest system information, execute commands, and prepare second-stage malware. Security researchers have observed FIN8 actors using multiple ransomware families in recent attacks, including the “Ragnar Locker” ransomware from Viking Spider, the “White Rabbit” ransomware, and the “Noberus” ransomware variant often employed by ALPHV/BlackCat. Specific cases in which these ransomware families were deployed go back to June 2021, when FIN8 deployed Ragnar Locker ransomware on a compromised entity within a United States financial institution. More recent FIN8 attacks include deployment of the White Rabbit ransomware on an unclassified entity in early 2022, followed by a Noberus ransomware deployment in late 2022. FIN8 threat actors continue not only to evolve their malware arsenal but also to change tactics to broaden their attack capabilities. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.


Vulnerabilities


Critical Vulnerabilities in MegaRAC BMC Pose Threat to Technology Supply Chain

Hardware and software manufacturer American Megatrends International (AMI) has been made aware of two (2) critical vulnerabilities in its MegaRAC Baseboard Management Controller (BMC) firmware that, if chained together, could allow unauthenticated attackers to bypass authentication, attain root privileges, and conduct remote code execution (RCE). MegaRAC BMC is a popular firmware used by multiple server manufacturers, including AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, Hewlett-Packard Enterprise, Huawei, Ampere Computing, and ASRock, to give administrators full remote hardware control in cloud environments. The first and most severe vulnerability, tracked as CVE-2023-34329, is an authentication bypass with a CVSS score of 9.9/10, and the second flaw, tracked as CVE-2023-34330, is a code injection vulnerability with a CVSS score of 6.7/10. These flaws are exploitable by an unauthenticated attacker who has gained access to the network. Combining the two (2) vulnerabilities is achievable either from a compromised host operating system or by sending malicious HTTP requests to DMTF’s Redfish, an "API standard for the management of a server’s infrastructure and other infrastructure supporting modern data centers." The chain of the two (2) vulnerabilities has a combined CVSS score of 10/10. The flaws were discovered by security researchers from Eclypsium after examining AMI source code that was stolen by the RansomEXX ransomware gang during a network breach of GIGABYTE in 2021. According to Eclypsium's report, these vulnerabilities pose a major risk to the technology supply chain underlying cloud computing.
If properly exploited, they could allow threat actors to take "remote control of compromised servers, deploy malware/ransomware," as well as carry out "firmware implanting or bricking motherboard components (BMC or potentially BIOS/UEFI), potential physical damage to servers (over-voltage/firmware bricking), and indefinite reboot loops that a victim organization cannot interrupt." The flaws have not yet been patched, and Eclypsium has offered mitigation techniques for hardening remote management interfaces, which are linked in the report below. CTIX analysts will continue to follow this matter and will publish updates as necessary.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
