New Report Details Eight-Month Long Campaign Targeting Middle East Government Using Previously Undisclosed Malware
Researchers have published a new report on the targeting of an unnamed Middle East government in an eight (8) month campaign by the Iranian Crambus espionage group. Crambus (also known as OilRig and APT34) has historically targeted Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Albania, the United States, and others, and is known for conducting "long-running intrusions for intelligence gathering and spying purposes." The latest campaign ran from February 2023 to September 2023 and involved the deployment of "PowerExchange", a PowerShell backdoor. PowerExchange monitors a compromised mailbox on the victim's Microsoft Exchange server for incoming mail from the attackers, executes the commands embedded in those emails, and sends the results back to the threat group by email. To hide this traffic from the mailbox owner, the malware creates an Exchange inbox rule named "defaultexchangerules" that moves messages containing "@@" in the subject (the marker the actor places on its command emails) to the Deleted Items folder. Researchers also observed three (3) additional, previously undocumented malware families: "Tokel", "Dirps", and "Clipog". Tokel is a backdoor used to execute arbitrary PowerShell commands and download files. Dirps is a trojan that enumerates the files in a chosen directory and executes PowerShell commands. Clipog is an information stealer that harvests clipboard data and keystrokes. Crambus also used Mimikatz, a credential dumping tool, and Plink, a command-line tunnelling tool, for command-and-control (C2) in this campaign. Additional details of the attack timeline as well as indicators of compromise (IOCs) can be viewed in the report linked below.
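The inbox rule described above is one of the few PowerExchange artifacts that a defender can hunt for without endpoint access. The following script is an added example written for this update, not code from the report or from Crambus; it scores rules from a constructed export shaped like the output of `Get-InboxRule | ConvertTo-Json`, flagging the exact rule name and "@@" subject marker from the report and, as a broader assumption, any rule that hides matched mail by deleting it or moving it to a folder users rarely open. The mailbox names and sample rules are invented for the example.

```python
"""Hunt for PowerExchange-style inbox rules in an Exchange rule export (added example)."""
import json

# Rule name and subject marker reported for PowerExchange.
POWEREXCHANGE_RULE_NAME = "defaultexchangerules"
POWEREXCHANGE_SUBJECT_MARKER = "@@"
# Folders commonly used to hide attacker traffic from the mailbox owner
# (assumption: a broader set than the single folder named in the report).
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "conversation history", "archive"}

# Constructed sample, shaped like:
#   Get-Mailbox -ResultSize Unlimited | Get-InboxRule |
#     Select-Object MailboxOwnerId,Name,Enabled,SubjectContainsWords,MoveToFolder,DeleteMessage |
#     ConvertTo-Json
SAMPLE_EXPORT = json.dumps([
    {"MailboxOwnerId": "alice@example.gov", "Name": "defaultexchangerules", "Enabled": True,
     "SubjectContainsWords": ["@@"], "MoveToFolder": "alice@example.gov:\\Deleted Items", "DeleteMessage": False},
    {"MailboxOwnerId": "bob@example.gov", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "bob@example.gov:\\Newsletters", "DeleteMessage": False},
    {"MailboxOwnerId": "carol@example.gov", "Name": "cleanup", "Enabled": True,
     "SubjectContainsWords": "@@ report", "MoveToFolder": None, "DeleteMessage": True},
    {"MailboxOwnerId": "dave@example.gov", "Name": "Promo", "Enabled": False,
     "SubjectContainsWords": ["promo"], "MoveToFolder": "dave@example.gov:\\Junk Email", "DeleteMessage": False},
])


def _folder_leaf(path):
    """'user:\\Deleted Items' -> 'deleted items' (the export keeps the mailbox prefix)."""
    if not path:
        return ""
    return path.replace("/", "\\").split("\\")[-1].strip().lower()


def assess_rule(rule):
    """Return (severity, reasons) for one exported inbox rule; severity is None if clean."""
    reasons = []
    name = (rule.get("Name") or "").strip().lower()
    if name == POWEREXCHANGE_RULE_NAME:
        reasons.append("rule name matches PowerExchange")

    subjects = rule.get("SubjectContainsWords") or []
    if isinstance(subjects, str):  # a single value is exported unwrapped
        subjects = [subjects]
    marker_hit = any(POWEREXCHANGE_SUBJECT_MARKER in s for s in subjects)
    if marker_hit:
        reasons.append(f"subject filter contains {POWEREXCHANGE_SUBJECT_MARKER!r}")

    hides = bool(rule.get("DeleteMessage")) or _folder_leaf(rule.get("MoveToFolder")) in HIDING_FOLDERS
    if hides:
        reasons.append("matched mail is deleted or moved out of sight")

    if name == POWEREXCHANGE_RULE_NAME or (marker_hit and hides):
        severity = "high"
    elif marker_hit:
        severity = "medium"
    elif hides:
        severity = "low"   # common for legitimate users; review only alongside other signals
    else:
        severity = None
    return severity, reasons


def hunt_rules(rules):
    """Return one finding per rule worth a look, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for rule in rules:
        severity, reasons = assess_rule(rule)
        if severity:
            findings.append({"mailbox": rule.get("MailboxOwnerId"), "rule": rule.get("Name"),
                             "enabled": bool(rule.get("Enabled")), "severity": severity,
                             "reasons": reasons})
    findings.sort(key=lambda f: order[f["severity"]])  # stable, so export order is kept within a tier
    return findings


if __name__ == "__main__":
    for f in hunt_rules(json.loads(SAMPLE_EXPORT)):
        print(f"{f['severity']:6} {f['mailbox']:20} {f['rule']!r:24} enabled={f['enabled']} "
              f"{'; '.join(f['reasons'])}")
```

A disabled rule still deserves a look: PowerExchange can be re-enabled, and the name match alone is enough to pull the mailbox for forensic review. Run the hunt against the full export rather than a single mailbox, since the report ties the rule to whichever mailboxes the actor compromised.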
Threat Actor Activity
Lazarus Group's Operation Dream Job Campaign Targets Defense Industry
The North Korean-linked Lazarus Group has resumed activity associated with its long-running campaign known as Operation Dream Job, less than a month after its observed spear-phishing campaign against a Spanish aerospace company. This recent activity involves trojanized versions of Virtual Network Computing (VNC) applications used to target the defense industry and nuclear engineers. The modus operandi of Operation Dream Job is to contact victims from fake accounts, usually via LinkedIn, Telegram, and WhatsApp, offer lucrative job opportunities and fake job interviews, and trick the victim into downloading malware, presumably to advance the North Korean nuclear program. The targets of the group's most recent venture include employees at organizations directly involved in defense manufacturing, including radar systems, unmanned aerial vehicles (UAVs), military vehicles, ships, and weaponry, as well as maritime companies. Lazarus and North Korean threat actors in general are known for their continued adaptation and their ability to build tailored malware for a range of platforms. In this latest portion of the campaign, Lazarus has attempted to trick job seekers on social media into opening trojanized VNC apps for fake job interviews. When the victim launches the app, it retrieves additional payloads such as LPEClient, a known Lazarus Group malware capable of profiling compromised hosts. An updated version of COPPERHEDGE, a backdoor known for running arbitrary commands, performing system reconnaissance, and exfiltrating data, has also been observed. Another component of the ongoing campaign is custom malware built specifically for transmitting files of interest to a remote server. CTIX analysts will continue to release updates about developments pertaining to Lazarus Group and associated activity.
U.S. Agencies Warn of Actively Exploited Atlassian Confluence Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Federal Bureau of Investigation (FBI) are urging network administrators across the public and private sectors to immediately patch an actively exploited critical vulnerability affecting Atlassian Confluence servers that are exposed to the internet. The flaw, tracked as CVE-2023-22515, is a privilege escalation vulnerability impacting Atlassian Confluence Data Center and Server versions 8.0.0 and later. It is remotely exploitable and requires no user interaction. If successfully exploited, threat actors can create administrator accounts, giving them complete control over the vulnerable server. Exploitation was first observed in mid-September 2023, and Atlassian released patches on October 4, 2023. Organizations that could not apply the patches because a shutdown would disrupt critical business processes were urged to isolate their instances from the internet or shut them down entirely. Some exploitation has been attributed to the Chinese state-sponsored threat actor tracked by Microsoft as Storm-0062 (also known as DarkShadow or Oro0lxy), which has been exploiting this flaw since at least September 14, 2023. Although the vulnerability is not currently under mass exploitation, that could change quickly now that technical details and working proof-of-concept (PoC) exploits have been released to the public. Public exploitation instructions, coupled with the low complexity of the attack, mean that even unsophisticated attackers may attempt exploitation. The flaw was added to CISA's Known Exploited Vulnerabilities (KEV) catalog, requiring all Federal Civilian Executive Branch (FCEB) agencies to patch it by no later than October 13, 2023.
The agencies urge all network administrators responsible for these servers to ensure they are running up-to-date software and to conduct internal investigations for any indication that they have already been exploited. Indicators of compromise (IOCs) for exploitation can be found in the CISA advisory linked below.
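Two checks follow from the advice above: confirm the running version is patched, and look for the exploitation pattern in the Confluence access log. The script below is an added example written for this update, not code from Atlassian, CISA, or any exploit; it assumes the fixed versions Atlassian published for CVE-2023-22515 (8.3.3, 8.4.3, and 8.5.2, with 8.0.x through 8.2.x having no patched release), which you should confirm against the current advisory, and it flags the two request shapes that public analyses of the flaw associate with exploitation: a request to `/server-info.action` that sets `bootstrapStatusProvider.applicationConfig.setupComplete=false`, followed by requests to `/setup/*.action` from the same source. The log lines, IP addresses, and timestamps are constructed for the example.

```python
"""Triage for CVE-2023-22515: version check plus access-log review (added example)."""
import re

# Fixed versions from Atlassian's advisory (assumption: verify against the live advisory).
FIXED_VERSIONS = {(8, 3): (8, 3, 3), (8, 4): (8, 4, 3), (8, 5): (8, 5, 2)}


def parse_version(version):
    """'8.5.1' -> (8, 5, 1); trailing tags such as '-SNAPSHOT' are ignored."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True if this Confluence Data Center/Server version needs the CVE-2023-22515 fix."""
    v = parse_version(version)
    if v < (8, 0, 0):
        return False                       # pre-8.0 releases are not affected
    if v[:2] in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[v[:2]]   # 8.3/8.4/8.5 lines have a patched release
    return v < (8, 3, 0)                   # 8.0-8.2 must upgrade; 8.6+ shipped after the fix


# Tomcat-style access log line: client, ident, user, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')
SETUP_RESET = re.compile(
    r"/server-info\.action\?.*bootstrapStatusProvider\.applicationConfig\.setupComplete=false")
SETUP_ACTION = re.compile(r"/setup/[^/?]*\.action")

# Constructed sample log: one source runs the full pattern, one is benign,
# one touches a setup endpoint without the preceding reset.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2023:03:12:44 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
203.0.113.7 - - [06/Oct/2023:03:12:45 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 5123
203.0.113.7 - - [06/Oct/2023:03:12:46 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.20 - - [06/Oct/2023:03:15:00 +0000] "GET /spaces/ENG/pages/1234 HTTP/1.1" 200 8812
198.51.100.20 - - [06/Oct/2023:03:15:10 +0000] "GET /server-info.action HTTP/1.1" 200 611
192.0.2.9 - - [06/Oct/2023:03:20:00 +0000] "GET /setup/finishsetup.action HTTP/1.1" 200 900
"""


def triage_log(lines):
    """Return every request that matches either exploitation signature, in log order."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m["uri"]
        if SETUP_RESET.search(uri):
            kind = "setup-flag-reset"
        elif SETUP_ACTION.search(uri):
            kind = "setup-endpoint"
        else:
            continue
        events.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                       "uri": uri, "status": int(m["status"]), "kind": kind})
    return events


def suspicious_sources(events):
    """Sources that reset the setup flag and then reached a /setup/ endpoint: the exploit sequence."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)
    chained = []
    for ip, evs in by_ip.items():
        seen_reset = False
        for e in evs:
            if e["kind"] == "setup-flag-reset":
                seen_reset = True
            elif seen_reset and e["kind"] == "setup-endpoint":
                chained.append(ip)
                break
    return sorted(chained)


if __name__ == "__main__":
    print("8.5.1 vulnerable:", is_vulnerable("8.5.1"), "| 8.5.2 vulnerable:", is_vulnerable("8.5.2"))
    events = triage_log(SAMPLE_LOG.splitlines())
    for e in events:
        print(f"{e['ts']} {e['ip']:14} {e['kind']:17} {e['method']} {e['uri']} -> {e['status']}")
    print("sources showing the full sequence:", suspicious_sources(events))
```

A lone hit on a `/setup/*.action` endpoint on a server that finished setup long ago is still worth a look, which is why `triage_log` reports it even though `suspicious_sources` only names sources that ran the full sequence. A 2xx or 302 on the setup request means the server accepted it; pair any such hit with a review of the `confluence-administrator` group and recently created users, which is the account-level check the advisory calls for.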
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.