Ransomware/Malware Activity
Cuckoo InfoStealer Malware Targets MacOS Systems
Cybersecurity researchers at Kandji have discovered a Mach-O binary malware built to infect both Intel and ARM-based MacOS systems. Cuckoo is being distributed by websites that claim to provide applications designed to rip music from streaming services into MP3 format. The malicious binary is named “upd” and is not signed with a developer ID, which means victims would need to ignore MacOS’s Gatekeeper security warning to allow execution. Once the malware is allowed to run, it performs a locale check to ensure the infected device is not in Armenia, Belarus, Kazakhstan, Russia, or Ukraine, and then installs a LaunchAgent for persistence, a technique seen in many previous MacOS malware families. Cuckoo is designed to steal as much information from the victim machine as possible. The malware also leverages osascript to display fake password prompts that trick victims into entering their system password. Cuckoo is capable of taking screenshots and harvesting data from iCloud Keychain, web browsers, cryptocurrency wallets, and applications such as Telegram and Discord. Stolen data is sent back to the attackers’ Command-and-Control (C2) server. This new malware variant serves as a reminder that MacOS systems are not impervious to attacks and that defenders should equip MacOS assets with appropriate security tooling such as next-gen antivirus. In addition, end users should vet software or applications prior to downloading, and organizations should maintain guardrails around end users’ ability to download executables from the internet. CTIX analysts will continue to report on emerging and evolving strains of malware and associated campaigns.
Threat Actor Activity
North Korean-linked APT43 Phishing Campaign Exploits DMARC Email Policies
The U.S. Government, through a collaborative effort between the NSA, FBI, and State Department, has issued a warning about an ongoing cyber espionage campaign orchestrated by the North Korean-linked threat actor APT43, also known as Kimsuky or Emerald Sleet. APT43, active since at least 2012, has links to North Korea’s main military intelligence organization, the US-sanctioned Reconnaissance General Bureau (RGB), and is best known for intelligence collection and espionage activities. The APT43 campaign has been ongoing since the end of 2023 and exploits weaknesses in email security, specifically missing or improperly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies. By exploiting these weaknesses, the attackers can send spear-phishing emails that appear to originate from legitimate and trusted sources, allowing them to pose as journalists, academics, or other experts in East Asian affairs. Their focus is gathering intelligence related to geopolitical events, foreign policy strategies, and other areas of interest to the Democratic People's Republic of Korea (DPRK). The group employs sophisticated social engineering and impersonation tactics to build trust with their targets over time, as part of a broader strategy to collect sensitive information without necessarily resorting to malware or credential harvesting, often by soliciting opinions or analyses directly from the targets. The campaign's success is partly due to the exploitation of entities that have either not enabled or improperly configured their DMARC policies, allowing these phishing emails to bypass traditional security checks.
Per the advisory, CTIX analysts advise organizations to update their DMARC policies so that their email servers quarantine or block emails that fail DMARC checks, especially US or South Korean entities with individuals working on matters related to North Korea, Asia, China, or Southeast Asia, and more specifically individuals who are government officials and military members.
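As an added illustration of the advisory's recommendation (example code, not from the advisory or Ankura), the following script grades a domain's published DMARC record for the gaps the campaign relies on: no record at all, a monitor-only p=none policy, a weaker subdomain policy, partial pct= enforcement, and no reporting address. The record string is what is published at the _dmarc subdomain (for example, the output of `dig +short TXT _dmarc.example.com`); all sample records used here are constructed.

```python
# Added example (not from the advisory or Ankura): grade a DMARC TXT record for the
# gaps spear-phishers rely on. The record is the string published at
# _dmarc.<domain>, e.g. from `dig +short TXT _dmarc.example.com`.
# All sample records below are constructed.
from typing import Optional

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")  # first '=' only; values may contain '='
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: Optional[str]) -> list:
    """Return a list of findings; an empty list means failing mail will be policed."""
    if not record:
        return ["no DMARC record: receivers are never told to quarantine or reject spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not begin with v=DMARC1; receivers ignore it entirely"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'}: failing mail is still delivered (monitor-only)")
    # sp= defaults to p=; an explicit sp=none reopens every subdomain for impersonation
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy or 'missing'}: subdomains are not covered by the policy")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={tags.get('pct')}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unnoticed")
    return findings


if __name__ == "__main__":
    for rec in (None, "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        print(rec, "->", grade_dmarc(rec) or ["enforcing"])
```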
Vulnerabilities
"Dirty Stream" Attack Leaves Billions of Android Devices Susceptible to Compromise
Microsoft researchers have uncovered a new attack named "Dirty Stream" caused by a common security vulnerability affecting numerous Android applications, including some with over 500 million installations each, leaving them susceptible to remote code execution (RCE) attacks and token theft. The weakness lies in Android's file-sharing mechanism, specifically the content provider feature, which doesn't always validate content received from other applications. This oversight allows malicious applications to manipulate filenames, potentially compromising receiving applications when they process the files. Microsoft has alerted Google, and both have offered guidance to developers on remediation. Xiaomi's File Manager and WPS Office were among the affected applications, both of which have since been patched. Microsoft warns that more vulnerable applications are likely to be found. CTIX analysts urge readers to update their applications and download only from trusted sources.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.