
Ankura CTIX FLASH Update - September 22, 2023

Malware Activity


Latest Earth Lusca Activity Involves New Linux Backdoor "SprySOCKS"

"SprySOCKS", a new Linux backdoor, has been observed in Earth Lusca's latest activity, which targets government agencies in various countries. Earth Lusca is a Chinese espionage-focused threat group that has been active in the first half of 2023, typically targeting "key government entities focused on foreign affairs, technology, and telecommunications in Southeast Asia, Central Asia, the Balkans, and worldwide." Researchers noted that Earth Lusca has recently been targeting victim organizations' public-facing servers by exploiting known n-day vulnerabilities, including Fortinet flaws (CVE-2022-40684 and CVE-2022-39952), Microsoft Exchange ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and more. Once the threat group infiltrates the victim's network through the server vulnerabilities, a web shell is deployed and Cobalt Strike is installed for lateral movement. The group then exfiltrates documents and email account credentials and deploys backdoors. Researchers detailed that SprySOCKS originates from the open-source Windows malware "Trochilus" but appears to be a mixture of different malware strains. "RedLeaves" (a Windows malware) is suspected to be involved due to the similarity in command-and-control (C2) communication protocols. SprySOCKS is also suspected to be derived from "Derusbi" (a Linux malware) due to the similarity in the implementations of the interactive shell in each malware. Researchers believe that SprySOCKS is currently under development and, as of September 18, 2023, is used only by Earth Lusca. Additional technical details as well as indicators of compromise (IOCs) can be viewed in the report linked below.


Threat Actor Activity


Initial Access Broker, Gold Melody, Selling Compromised Access to Follow-On Attackers

Gold Melody, also known as Prophet Spider or UNC961, is being watched by researchers due to its unique angle in the cybercriminal marketplace as an initial access broker (IAB). The threat actor has been conducting opportunistic attacks since at least 2017, compromising organizations by exploiting vulnerabilities in unpatched internet-facing servers and then selling access to those compromised organizations for other adversaries to conduct follow-on attacks. Gold Melody has an expansive victimology footprint spanning organizations in North America, Northern Europe, and Western Asia, including attacks on the retail, health care, energy, financial transactions, and high-tech sectors. The group has been observed employing cost-effective approaches to gain initial access, using publicly available exploit code against recently disclosed vulnerabilities. Gold Melody has exploited numerous flaws to obtain initial access and is known to employ remote access trojans (RATs) and tunneling tools to execute arbitrary commands, gather system information, and establish a reverse tunnel to a hard-coded IP address. After a successful foothold has been established and persistence is gained, the deployment of ransomware often follows, signaling the presence of the follow-on threat actor. The financially motivated group's unique position as an IAB that relies on exploiting vulnerabilities in unpatched internet-facing servers for initial access highlights the importance of robust patch management.


Vulnerabilities


Trend Micro Patches Actively Exploited RCE Flaw in Apex One and Worry-Free Business Security Products for Windows

Trend Micro has released an emergency hotfix to patch an actively exploited critical remote code execution (RCE) vulnerability in its Apex One and Worry-Free Business Security solutions for Windows. Apex One is an enterprise endpoint protection solution for large businesses, and the Worry-Free Business Security suite is tiered for small and medium businesses. The flaw, tracked as CVE-2023-41179, exists in a third-party antivirus uninstaller module that is bundled with the Apex One and Worry-Free Business Security software. An attacker that has gained administrative access to the console could exploit this flaw by manipulating the module to run arbitrary code on the vulnerable instance. At this time, Trend Micro has stated that it has "observed at least one active attempt of potential exploitation of this vulnerability in the wild." CTIX analysts recommend that any administrators responsible for these solutions ensure they are running the most recent versions to prevent future exploitation. If the patches cannot be implemented immediately because of the negative effect they would have on critical business processes, Trend Micro suggests limiting access to the administrative console.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
