Ransomware/Malware Activity
Lazarus Group Continues Campaign Against Developers and IT Professionals
Researchers at Group-IB have recently released a new report on ongoing and new threats posed by Lazarus Group’s financially-motivated campaign against job seekers. CTIX analysts discussed the emergence of this campaign in our April 30, 2024 flash. Since then, Lazarus has expanded its capabilities and has introduced new malware targeted at MacOS to steal information and cryptocurrency from job seekers in the IT and Software Development fields. The campaign is rooted in a fictitious job posting and interview process that tricks seekers into downloading a “Node.js” project containing malware. Researchers have observed updated versions of the major forms of malware used in this campaign dubbed BeaverTail and InvisibleFerret. BeaverTail is a JavaScript or Python-based InfoStealer with the ability to steal credentials stored in browsers and vaults as well as data from browser extensions and cryptocurrency wallets. InvisibleFerret is Python-based malware that acts as a backdoor, keylogger, and infostealer. Both forms of malware are under active development. The recent Python versions of BeaverTail are delivered via a simple JavaScript downloader and fetches a bundle of scripts called CivetQ to modularize the malware’s capabilities. Researchers have also noted that Lazarus has included additional job search platforms in their campaign in an apparent attempt to target professionals skilled in Blockchain. This tactic could have been introduced to increase the attackers’ likelihood of infecting a victim with cryptocurrency on their machine. Platforms added to their campaign beyond LinkedIn include WWR, Moonlight, and Upwork. They have also started using fraudulent video conferencing applications to spread the initial BeaverTail loader as an alternative initial infection vector to the fake “Node.js” project. Researchers discovered a cloned website of a legitimate free conferencing software application which hosts the fake video conference application “FCCCall”. Installers for both Windows and MacOS were discovered by researchers. CTIX analysts urge individuals to remain vigilant online and to vet potential employers prior to engaging in the job interview process. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
New Sophisticated Espionage Group Launches Campaign Targeting Taiwanese Drone Makers
A newly identified threat actor, dubbed TIDRONE, is targeting drone manufacturers in Taiwan, with a broader focus on military and satellite-related industrial supply chains. This espionage-driven campaign, which began in early 2024, is believed to have connections to other Chinese-speaking groups. TIDRONE employs sophisticated attack methods, including the deployment of custom malware such as CXCLNT and CLNTEND, often using enterprise resource planning (ERP) software or remote desktop tools like UltraVNC to infiltrate targets. The exact vector for initial access remains unclear, but commonalities among victims suggest a potential supply chain attack. Once inside a network, TIDRONE's attack chain involves three (3) stages designed to escalate privileges, dump credentials, and evade defenses by disabling antivirus software. The malware is typically introduced via sideloading a rogue DLL through the Microsoft Word application, enabling the attackers to collect a wide range of sensitive information. CXCLNT is equipped with basic file upload and download capabilities, trace-clearing functions, and tools for gathering victim information such as file listings and computer names. It can also download and execute additional portable executable (PE) and DLL files. CLNTEND, first detected in April 2024, is a more advanced remote access tool (RAT) supporting multiple network protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445). Analyses highlight that TIDRONE's operations align with other Chinese espionage activities, supported by the consistency in file compilation times and operational patterns. The threat actors have continually updated their toolsets and optimized their attack chains, employing anti-analysis techniques in their loaders to alter execution flows and evade detection. The campaign's reach extends beyond Taiwan, with artifacts from VirusTotal indicating varied targeted countries, prompting a warning from CTIX analysts for global vigilance against this threat.
Vulnerabilities
Progress Software Patches Maximum Severity Vulnerability in LoadMaster and MT Hypervisor
Progress Software has released an emergency fix for a highly critical vulnerability, affecting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. This vulnerability, tracked as CVE-2024-7591, has a maximum CVSS score of 10/10 since it enables unauthenticated attackers to conduct remote code execution (RCE) by exploiting an improper input validation flaw. The attack can be facilitated through a maliciously crafted HTTP request targeting the management interface of affected devices. Once successful, the attacker can gain control over vulnerable systems without needing authentication. The flaw affects all versions of LoadMaster up to 7.2.60.0 and MT Hypervisor up to 7.1.35.11, including Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) branches. At this time, Progress has confirmed that no reports of active exploitation have been received. Security researcher Florian Grunow is credited with discovering the issue. To mitigate the risk, Progress released a patch that can be installed on any affected version. The fix works by sanitizing user inputs to prevent arbitrary command execution. However, the patch does not apply to the free version of LoadMaster, leaving it exposed to potential exploitation. Progress strongly advises all users to apply the patch immediately by navigating to the system's configuration interface and following their recommended security hardening guidelines. Failing to address this flaw could leave critical infrastructure and network environments vulnerable to remote command injection attacks, posing a significant risk to organizations relying on these solutions for load balancing, traffic management, and application delivery. CTIX analysts urge all administrators of the affected devices to install the patch immediately to prevent exploitation.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
