Malware Activity
Whiffy Recon Malware Dropped by Smoke Loader Botnet
A new piece of malware dubbed Whiffy Recon is a Wi-Fi scanning payload that threat actors are using to locate compromised devices. It is being distributed by the operators of the infamous Smoke Loader botnet, a modular backdoor with a wide range of capabilities that is mainly used to drop payloads at scale in the early stages of a compromise. Whiffy Recon scans for nearby Wi-Fi access points, submits the observed access point identifiers and signal strengths to Google's Geolocation API, and sends the returned latitude and longitude of the infected device back to the attackers' command-and-control (C2) server. Because the position is derived from nearby access points rather than from a GPS receiver, the technique works on laptops and desktops with no GPS at all, which gives attackers an edge when conducting region-based attacks. The malware maintains persistence by creating a "wlan.lnk" shortcut in the user's Startup folder that points to the Whiffy Recon executable on the system. Although the motive is currently unclear, Whiffy Recon could potentially be used in mass intimidation campaigns, pressuring victims into meeting the cybercriminals' demands. Researchers have stated that, based on the structure of the initial POST request to the C2 server, the developers of this malware are likely to upgrade it over time. CTIX continues to report on new and interesting attack techniques and may release an update to this piece in future FLASH reports if novel findings arise.
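The Wi-Fi-to-coordinates step described above, as an added example that is not Whiffy Recon's code and not code from the researchers who analysed it: a Python script that parses a constructed sample of `netsh wlan show networks mode=bssid` output, converts each BSSID's signal quality to an approximate dBm value, and shapes the scan into the request body the Google Geolocation API accepts. It builds the request but never sends it. The netsh sample, the regular expressions and the percent-to-dBm conversion are assumptions of this example; the field names (`wifiAccessPoints`, `macAddress`, `signalStrength`, `channel`, `considerIp`) are those of the public API.

```python
import json
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output (not a real capture).
SAMPLE_NETSH = """\
Interface name : Wi-Fi
There are 2 networks currently visible.

SSID 1 : HomeNet
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:55
         Signal             : 80%
         Radio type         : 802.11ac
         Channel            : 36
    BSSID 2                 : 00:11:22:33:44:56
         Signal             : 54%
         Radio type         : 802.11n
         Channel            : 6

SSID 2 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : aa:bb:cc:dd:ee:ff
         Signal             : 30%
         Radio type         : 802.11n
         Channel            : 11
"""

# Assumed line shapes of netsh output; "SSID n :" lines do not match BSSID_RE.
BSSID_RE = re.compile(r"^\s*BSSID\s+\d+\s*:\s*([0-9A-Fa-f:]{17})\s*$")
SIGNAL_RE = re.compile(r"^\s*Signal\s*:\s*(\d+)%")
CHANNEL_RE = re.compile(r"^\s*Channel\s*:\s*(\d+)")


def quality_to_dbm(percent: int) -> int:
    """Approximate netsh's signal quality (0-100%) as dBm.

    Windows maps RSSI linearly onto 0-100% (roughly -100 dBm .. -50 dBm),
    so the usual inverse is percent/2 - 100. This is an approximation.
    """
    return int(percent) // 2 - 100


def parse_netsh_bssids(text: str):
    """Walk netsh output and return one dict per BSSID (mac, signal %, channel)."""
    aps, current = [], None
    for line in text.splitlines():
        m = BSSID_RE.match(line)
        if m:
            current = {"mac": m.group(1).lower(), "signal_pct": None, "channel": None}
            aps.append(current)
            continue
        if current is None:
            continue  # header lines before the first BSSID
        m = SIGNAL_RE.match(line)
        if m:
            current["signal_pct"] = int(m.group(1))
            continue
        m = CHANNEL_RE.match(line)
        if m:
            current["channel"] = int(m.group(1))
    return aps


def build_geolocation_request(aps):
    """Shape the scan as a Google Geolocation API request body (built, not sent).

    The API is documented as needing two or more access points to return a fix,
    which is why a Wi-Fi-only device with several neighbours is enough.
    """
    points = [
        {
            "macAddress": ap["mac"],
            "signalStrength": quality_to_dbm(ap["signal_pct"]),
            "channel": ap["channel"],
        }
        for ap in aps
        if ap["signal_pct"] is not None
    ]
    points.sort(key=lambda p: p["signalStrength"], reverse=True)  # strongest first
    return {"considerIp": False, "wifiAccessPoints": points}


if __name__ == "__main__":
    request = build_geolocation_request(parse_netsh_bssids(SAMPLE_NETSH))
    print(json.dumps(request, indent=2))
```

For defenders the useful observation is how little the payload needs: read access to the WLAN API, an outbound HTTPS POST to the geolocation endpoint, and a second POST to the C2. Egress to `googleapis.com` from a process that has no business doing geolocation, together with a `wlan.lnk` entry in a user's Startup folder, is the pair of signals worth alerting on.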
Threat Actor Activity
APT Group Carderbee Linked to Supply-Chain Attack Utilizing Digitally Signed Malware
A previously unknown advanced persistent threat (APT) group named Carderbee has been linked to a software supply-chain attack that is currently targeting organizations in several regions of Asia, primarily in Hong Kong. Researchers have observed the attacks leveraging a trojanized version of the legitimate Cobra DocGuard Client, software produced by the China-based company EsafeNet and used to "protect, encrypt, and decrypt software." During the observed attacks, malicious activity was identified on about one hundred (100) computers in victim organizations, while roughly 2,000 computers had the malicious Cobra DocGuard software installed, which indicated to researchers that the operator was selectively moving further along the attack chain only with specific victims. In one case, researchers identified a downloader signed with a legitimate Microsoft certificate (Microsoft Windows Hardware Compatibility Publisher), which was then used to install the "PlugX" (otherwise known as "Korplug") backdoor, a tool widely used among Chinese state-sponsored threat groups. The PlugX sample in this attack had the capability to execute commands through the command prompt, review running processes, enumerate files, download files, open firewall ports, and act as a keylogger. At the time of publication, researchers stated that "it was not possible to link this activity definitely to a known group, which is why [they] attributed it to a new group." Carderbee is described as a patient and skilled actor that leverages a supply-chain attack and signed malware to stay under the radar. The origins and goals of Carderbee are currently undocumented. Organizations running Cobra DocGuard should note that a valid code signature is not evidence that a binary is benign; the downloader in this campaign passed signature checks. Current technical details of Carderbee's supply-chain attack as well as indicators of compromise (IOCs) can be viewed in the reports linked below.
- The Hacker News: Carderbee Supply-Chain Attack Article
- Bleeping Computer: Carderbee Supply-Chain Attack Article
- Symantec: Carderbee Supply-Chain Attack Report
Vulnerabilities
Actively Exploited WinRAR Vulnerability Used to Compromise Financial Trading Accounts
Researchers have uncovered a zero-day vulnerability in the RARLabs WinRAR compression tool that is being actively exploited by threat actors suspected of having ties to Russia's financially motivated threat group Evilnum. The flaw, tracked as CVE-2023-38831, is an error in the way WinRAR processes ZIP archives. A crafted archive places a harmless-looking file (a ".jpg," ".txt," or similar document) next to a folder with the same name, and puts a malicious script inside that folder. When the victim double-clicks the decoy file from within WinRAR, the tool also processes the same-named folder and executes the script instead of simply opening the decoy; no separate extraction step is required. Attackers have used this to deliver a multitude of malware strains (including "DarkMe", "GuLoader", and "Remcos RAT") by posting the weaponized archives in online forums for individuals trading fiat and cryptocurrency. Once running, the malware gains access to the victim's trading accounts and executes unauthorized transactions to withdraw funds. As of August 23, 2023, at least 130 traders' devices are still infected. According to the researchers, the threat actors distributed the weaponized ZIP archives on at least eight (8) public forums that online traders use regularly to share information and discuss topics of mutual interest. WinRAR is an extremely popular tool with over 500 million users worldwide, and the researchers believe the flaw may have been exploited as long ago as April 2023. On August 2, 2023, the vulnerability was patched in WinRAR version 6.23. Because WinRAR does not update itself, CTIX analysts recommend that WinRAR users confirm they are running version 6.23 or later, downloading it from the vendor manually if necessary, to mitigate the risk of compromise through this vulnerability.
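The archive layout behind CVE-2023-38831, as an added example that is not code from the researchers or from RARLabs: a Python detector that inspects a ZIP for a file entry sitting next to a folder whose name is the same file name plus trailing spaces, with a script inside that folder. A normal archiver never produces that name collision, so it is a usable mail-gateway or sandbox triage check. The two archives are constructed in memory for the example, the script body is an inert placeholder, and the extension list is an assumption.

```python
import io
import os
import zipfile

# Assumed set of extensions Windows will hand to a script host or loader.
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".wsf", ".exe", ".scr", ".ps1", ".com"}


def find_cve_2023_38831_pattern(zip_bytes: bytes):
    """Return (decoy, script_entry) pairs laid out in the CVE-2023-38831 shape.

    The malicious archives put a harmless-looking file (e.g. "Invoice.jpg")
    next to a folder with the same name plus a trailing space ("Invoice.jpg "),
    and place a script in that folder ("Invoice.jpg .cmd"). We flag any file
    inside a folder whose name, once trailing spaces are stripped, is also the
    name of a file entry in the same archive.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = {n for n in names if not n.endswith("/")}
    findings = []
    for name in names:
        if "/" not in name or name.endswith("/"):
            continue  # only real files that live inside a folder
        folder, inner = name.rsplit("/", 1)
        decoy = folder.rstrip(" ")  # undo the trailing-space trick
        if decoy not in files:
            continue  # folder name is not a lookalike of a file entry
        if os.path.splitext(inner)[1].lower() in SCRIPT_EXTS:
            findings.append((decoy, name))
    return findings


def build_archive(entries):
    """Build an in-memory ZIP from {name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample in the exploit's layout; the .cmd body does nothing.
MALICIOUS_SAMPLE = build_archive({
    "Invoice.jpg": b"\xff\xd8\xff\xe0 constructed decoy bytes",
    "Invoice.jpg /Invoice.jpg .cmd": b"@echo off\r\nrem constructed placeholder\r\n",
})

# Constructed benign archive: a file and an unrelated folder, no name collision.
BENIGN_SAMPLE = build_archive({
    "Invoice.jpg": b"\xff\xd8\xff\xe0 constructed decoy bytes",
    "notes/readme.txt": b"nothing to see\n",
})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, find_cve_2023_38831_pattern(blob))
```

The check keys on the name collision rather than on the script extension alone, because a ZIP that legitimately ships a `.cmd` in a subfolder is common while a folder named after a sibling file (with or without the trailing space) is not. Treat a hit as grounds to quarantine the archive and to verify the recipient's WinRAR version.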
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.