New Report Detailing "SapphireStealer" Malware Activity in 2023
Researchers have released a new report on the "SapphireStealer" malware, an open-source information stealer that was first released to the public in December 2022. Researchers detailed that "newly compiled versions of SapphireStealer began being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023." Artifacts associated with three (3) samples indicated to the researchers that the malware is currently being used by various threat actors and that SapphireStealer's capabilities are being improved. SapphireStealer was primarily designed to facilitate the exfiltration of browser credential databases and files that potentially contain sensitive user data. Once executed on a victim machine, the malware will attempt to stop any existing browser processes that are running on the system. The malware then attempts to locate and exfiltrate cached browser credentials and files stored on the system that match a predefined list of file extensions. Host information, including IP address, hostname, screen resolution, OS version, CPU architecture, GPU information, and more, is also collected and screenshots are taken of the system. Once all desired information is collected, the data is sent to the operator through Simple Mail Transfer Protocol (SMTP) using pre-defined credentials. In several cases involving new samples, researchers have identified the malware utilizing Discord's webhook API as well as attempting to leverage the malware downloader "FUD-Loader" in its attack chain. Additional technical details of SapphireStealer's activity as well as indicators of compromise (IOCs) can be viewed in the report linked below.
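The exfiltration chain described above (browser processes stopped, cached credential stores read, data sent over SMTP or to a Discord webhook) is a sequence that endpoint telemetry can be correlated on. The following is an added detection example written for this update; it is not code from the report or from SapphireStealer itself. The pipe-delimited event format, the field names, the ten-minute correlation window and the sample log lines are constructed assumptions; the credential-store file names are the ones used by Chromium-based browsers and Firefox.

```python
"""Behavioral correlation for a SapphireStealer-style infostealer chain.

Added example (not the report's or the malware's code): walks constructed
endpoint telemetry per host and flags the sequence described in the
report: browser processes terminated, browser credential stores read,
then an outbound SMTP connection or a Discord webhook call. The event
schema, field names, time window and log lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Browser processes the stealer stops before harvesting (assumed list).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
# Credential-store file names used by Chromium-based browsers and Firefox.
CREDENTIAL_STORES = {"login data", "logins.json", "key4.db", "cookies"}
# Exfiltration channels named in the report: SMTP with fixed credentials, Discord webhooks.
SMTP_PORTS = {25, 465, 587}
DISCORD_WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
WINDOW = timedelta(minutes=10)  # assumed correlation window per host


def is_discord_webhook(url: str) -> bool:
    """True when the URL targets Discord's webhook API."""
    p = urlparse(url)
    return p.hostname in DISCORD_WEBHOOK_HOSTS and p.path.startswith("/api/webhooks/")


def parse_line(line: str) -> dict:
    """Parse one constructed 'ts|host|kind|k=v;k=v' telemetry line."""
    ts, host, kind, rest = line.split("|", 3)
    ev = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    ev.update(ts=datetime.fromisoformat(ts), host=host, kind=kind)
    return ev


def stage_of(ev: dict):
    """Map an event to a chain stage, or None if it is unrelated."""
    if ev["kind"] == "process_terminate" and ev.get("image", "").lower() in BROWSER_PROCESSES:
        return "browser_kill"
    if ev["kind"] == "file_read":
        name = ev.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in CREDENTIAL_STORES:
            return "credential_read"
    if ev["kind"] == "network_connect":
        if int(ev.get("dport", 0)) in SMTP_PORTS:
            return "exfil_smtp"
        if is_discord_webhook(ev.get("url", "")):
            return "exfil_discord"
    return None


def detect(lines):
    """One finding per host where kill -> credential read -> exfil occur in order within WINDOW."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage, ev))
    findings = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e[0])
        for i, (t0, s0, _) in enumerate(evs):
            if s0 != "browser_kill":
                continue
            seen_read, hit = False, None
            for t1, s1, ev1 in evs[i + 1:]:
                if t1 - t0 > WINDOW:
                    break
                if s1 == "credential_read":
                    seen_read = True
                elif seen_read and s1.startswith("exfil_"):
                    hit = {"host": host, "start": t0.isoformat(), "channel": s1, "pid": ev1.get("pid")}
                    break
            if hit:
                findings.append(hit)
                break  # one finding per host is enough for triage
    return findings


# Constructed sample telemetry: WS-01 shows the full chain over SMTP; WS-02 calls a
# webhook without reading a credential store; WS-03 reads and sends but never killed a browser.
SAMPLE_LOG = """\
2023-08-29T10:00:01|WS-01|process_terminate|image=chrome.exe;pid=4120
2023-08-29T10:00:02|WS-01|process_terminate|image=msedge.exe;pid=4131
2023-08-29T10:00:05|WS-01|file_read|path=C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data;pid=5566
2023-08-29T10:00:09|WS-01|network_connect|dport=587;dst=mail.example.net;pid=5566
2023-08-29T10:05:00|WS-02|process_terminate|image=chrome.exe;pid=900
2023-08-29T10:05:30|WS-02|network_connect|dport=443;url=https://discord.com/api/webhooks/000/PLACEHOLDER;pid=901
2023-08-29T11:00:00|WS-03|file_read|path=C:\\Users\\b\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x\\logins.json;pid=77
2023-08-29T11:00:03|WS-03|network_connect|dport=465;dst=smtp.example.net;pid=77
""".splitlines()

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Requiring all three stages in order keeps the rule quiet on hosts that merely restart a browser or send mail; the trade-off is that a sample which skips the process kill, or exfiltrates over a channel not listed here, would need the stage mapping extended.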
Threat Actor Activity
Earth Estries Espionage Campaign Against Government and Technology
Security researchers have discovered an ongoing cyberespionage campaign against government and technology entities, believed to originate from the threat group Earth Estries. The group has been active in the wild since 2020 and shares tactics, techniques, and attack vectors with another group known as FamousSparrow. Earth Estries maintains and deploys a variety of malicious applications in its attacks, including the “Zingdoor” HTML backdoor, the “TrillClient” infostealer, and the “HemiGate” multi-instance all-in-one payload. HemiGate in particular can deploy keyloggers, execute commands remotely, monitor the device, manipulate and exfiltrate files, and monitor processes. This recent campaign has compromised companies in the United States, Germany, Taiwan, Malaysia, the Philippines, and South Africa. The threat actors often use DLL sideloading as a form of initial compromise, gain administrative access within the compromised infrastructure, and deploy Cobalt Strike payloads on the system. Using the SMB protocol and WMI commands, Earth Estries actors then deploy one or more of their customized malware variants across the network. At this stage, the threat actors have established a foothold in the compromised company and begin conducting espionage-related activities. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
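DLL sideloading, the initial-compromise technique attributed to Earth Estries above, leaves a recognisable trace in image-load telemetry: a DLL whose file name matches one that ships in the Windows system directories is loaded instead from the directory of the executable that imports it. The following is an added detection example written for this update, not code from the researchers' report or any vendor product. The event format, the subset of system DLL names, the trusted-directory list, the redistributable allow-list and the sample lines are constructed assumptions.

```python
"""Heuristic for DLL sideloading from image-load telemetry.

Added example (not from the report or any vendor tooling). Flags a loaded
DLL whose file name also exists under the Windows system directories but
which was loaded from the loader's own directory outside the usual install
locations and is not signed by Microsoft. The event format, the system-DLL
inventory, the trusted directories and the allow-list are assumptions.
"""
import ntpath  # parse Windows paths correctly even when run on a POSIX host

# Constructed subset of DLL names that ship in %SystemRoot%\System32.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "userenv.dll", "wtsapi32.dll"}
# Redistributables that legitimate software routinely carries beside its own binary.
ALLOWED_SIDE_BY_SIDE = {"vcruntime140.dll", "msvcp140.dll"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MICROSOFT_SIGNERS = {"microsoft windows", "microsoft corporation"}


def _norm(p: str) -> str:
    """Normalise separators and case so comparisons are path-insensitive."""
    return ntpath.normpath(p).lower()


def _in_trusted_dir(p: str) -> bool:
    return _norm(p).startswith(TRUSTED_DIRS)


def parse_image_load(line: str) -> dict:
    """Parse a constructed 'ts|host|pid|image|loaded|signer' line (signer may be empty)."""
    ts, host, pid, image, loaded, signer = line.split("|")
    return {"ts": ts, "host": host, "pid": int(pid), "image": image, "loaded": loaded, "signer": signer}


def sideload_finding(ev: dict):
    """Return a finding dict for a sideload candidate, else None."""
    dll = ntpath.basename(ev["loaded"]).lower()
    if dll not in SYSTEM_DLLS or dll in ALLOWED_SIDE_BY_SIDE:
        return None
    if ev["signer"].lower() in MICROSOFT_SIGNERS:
        return None  # the genuine system copy, wherever it was loaded from
    loader_dir = _norm(ntpath.dirname(ev["image"]))
    dll_dir = _norm(ntpath.dirname(ev["loaded"]))
    # Sideloading puts the rogue DLL beside the executable; ignore trusted install locations to limit noise.
    if dll_dir != loader_dir or _in_trusted_dir(ev["loaded"]):
        return None
    return {"host": ev["host"], "pid": ev["pid"], "dll": dll,
            "loader": ev["image"], "signer": ev["signer"] or "unsigned"}


def detect_sideloads(lines):
    """Run the heuristic over telemetry lines and collect findings in log order."""
    return [f for f in (sideload_finding(parse_image_load(l)) for l in lines) if f]


# Constructed sample telemetry: an unsigned version.dll beside an executable in %TEMP%
# (flagged), the genuine kernel32.dll from System32 (ignored), a vendor DLL under
# Program Files (ignored by the trusted-directory rule), an allow-listed redistributable
# (ignored) and a non-Microsoft-signed dwmapi.dll in a Downloads folder (flagged).
SAMPLE_LOADS = """\
2023-08-28T09:12:01|WS-07|3312|C:\\Users\\j\\AppData\\Local\\Temp\\update\\legit.exe|C:\\Users\\j\\AppData\\Local\\Temp\\update\\version.dll|
2023-08-28T09:12:01|WS-07|3312|C:\\Users\\j\\AppData\\Local\\Temp\\update\\legit.exe|C:\\Windows\\System32\\kernel32.dll|Microsoft Windows
2023-08-28T09:15:44|WS-07|4001|C:\\Program Files\\Vendor\\app.exe|C:\\Program Files\\Vendor\\version.dll|Vendor Inc
2023-08-28T09:20:10|WS-08|5120|C:\\Users\\k\\Downloads\\tool\\tool.exe|C:\\Users\\k\\Downloads\\tool\\vcruntime140.dll|Microsoft Corporation
2023-08-28T09:21:00|WS-08|5120|C:\\Users\\k\\Downloads\\tool\\tool.exe|C:\\Users\\k\\Downloads\\tool\\dwmapi.dll|Tool Corp
""".splitlines()

if __name__ == "__main__":
    for f in detect_sideloads(SAMPLE_LOADS):
        print(f)
```

The trusted-directory exclusion is a deliberate noise trade-off: a sideload staged under Program Files would be missed by this rule, so in practice it is paired with a check on who signed the loading executable and with the lateral-movement telemetry (SMB file writes, WMI-spawned processes) that the campaign description also points to.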
Netgear Discloses Presence of High-Severity Vulnerabilities
The network hardware solution manufacturer Netgear has patched two (2) high-severity zero-day vulnerabilities affecting certain routers and their ProSAFE network management system. The first flaw, tracked as CVE-2023-41183, is an authentication bypass vulnerability in the Simple Object Access Protocol (SOAP) API that could allow unauthenticated attackers who have gained an initial foothold in the network to access and exploit Netgear's Orbi 760 routers (RBR760). The second vulnerability, tracked as CVE-2023-41182, is a post-authentication command injection vulnerability in their ProSAFE NMS300 software which, if successfully exploited, could allow an already authenticated attacker to execute arbitrary code on the ProSAFE network management system. Although authentication is required, attackers can bypass the mechanism to exploit this flaw. Currently, there is no indication that either of these vulnerabilities has been exploited in the wild. Both flaws have been patched, and CTIX analysts recommend that all impacted users ensure they have upgraded to the most recent software versions. Instructions can be found in the Netgear advisories linked below.
- The Record: Netgear Vulnerabilities Article
- Netgear: CVE-2023-41183 Advisory
- Netgear: CVE-2023-41182 Advisory
BadBazaar Malware Targeting Android Users via Trojanized Signal and Telegram Apps
Suspected Chinese-linked threat actors are targeting Android users with trojanized Signal and Telegram apps containing “BadBazaar” spyware. The malicious apps, called Signal Plus Messenger and FlyGram, were distributed through the Google Play store and Samsung Galaxy store but have since been removed from the Google Play store. The suspected GREF threat actor group has previously used BadBazaar malware to target ethnic minorities in China, but their current campaign targets users in Ukraine, Poland, the Netherlands, Spain, Portugal, Australia, Germany, Hong Kong, the United States, and more. Once installed, BadBazaar collects and exfiltrates a wide range of sensitive user data, including call logs, SMS messages, contact lists, precise locations, and more. If a user enables a specific Cloud Sync feature in the trojanized FlyGram app, it grants the hackers full access to the user's Telegram chat backups; at least 13,953 user accounts have activated this feature so far. Additionally, the malicious Signal Plus Messenger app is able to bypass the usual Signal QR-code linking process used to connect multiple devices to an account, allowing the threat actor to spy on victims' Signal communications from attacker-controlled devices. Signal users can view and manage all connected devices via the "Linked Devices" setting in the real Signal app in order to check for rogue connections.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.