Malware Activity
New Malware Tied to APT34 Targets the Iraqi Government
Researchers have discovered a new set of malware used in attacks against Iraqi entities allegedly including the Prime Minister’s Office and the Ministry of Foreign Affairs. The malware dubbed “Veaty” and “Spearal” have ties to malware families used by APT34, a cyber group affiliated with the Iranian Ministry of Intelligence and Security also known as “OilRig”. The malware identified in the campaign is bespoke and along with the techniques deployed, resembles custom backdoors such as “Karkoff” and “Saitama” previously associated with APT34. While the original infection pathway is unknown, the initial files used to kick-off the campaign were likely delivered to victims through social engineering. These initial files use double extensions to appear legitimate. Examples of file names include “Avamer.pdf.exe” and “Protocol.pdf.exe”. These files execute PowerShell or Pyinstaller scripts to deploy the “Veaty” and “Spearal” malware payloads and configuration files and maintain persistence by modifying the Windows registry under “\CurrentVersion\Run”. The “Spearal” malware is a .NET backdoor that uses DNS tunneling using a custom Base32 encoding scheme for command-and-control (C2) communication. “Spearal” can execute PowerShell commands, read file contents, retrieve data from the C2 server, and send data back to the C2 server. The “Veaty” malware is also a .NET-based malware which uses compromised email accounts in the victim organization for C2 communications. In the malware sample analyzed by researchers, the malware used email accounts at the gov-iq[.]net domain to execute commands. The malware can upload and download files, execute commands, and run scripts through specific mailboxes. Researchers also identified an XML configuration file capable of setting up an SSH tunnel which the threat actor likely used as a third backdoor. The tactics, techniques, and procedures used in this campaign suggest that APT34/OilRig is responsible. The use of custom C2 mechanisms is notable among these newly identified backdoors. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
Emerging Threat Actor CosmicBeetle Using New Ransomware to Target Small Businesses
CosmicBeetle, an emerging ransomware group also known as NONAME, has developed a new ransomware strain called ScRansom, targeting small and medium-sized businesses (SMBs) across Europe, Asia, Africa, and South America. Active since at least 2020, the group is considered relatively immature in the ransomware landscape, even sometimes relying on the reputations of more established threat actors like LockBit to coerce victims into paying ransoms. Despite its lack of sophistication, ScRansom has caused significant damage to various industries, including pharmaceuticals, healthcare, technology, hospitality, and financial services. ScRansom first appeared in March 2023, with researchers noting a continuous development of the ransomware over its lifespan. To gain access to target systems, CosmicBeetle employs brute-force methods and exploits old vulnerabilities in software commonly used by SMBs, which often lack robust patch management processes. The group also uses a variety of tools, such as Reaper, Darkside, and RealBlindingEDR, to terminate security-related processes before deploying ScRansom. CosmicBeetle's connection to RansomHub, a ransomware gang active since March 2024, has been observed through the deployment of both ScRansom and RansomHub payloads on the same machines within short timeframes. This affiliation is likely an attempt to leverage RansomHub's more established reputation and tools to compensate for the group's own technical shortcomings. CosmicBeetle has also been observed experimenting with the leaked LockBit builder, further indicating its reliance on the tools and reputations of more sophisticated ransomware groups. Additionally, the group has utilized various vulnerabilities to infiltrate networks, including CVE-2017-0144 (EternalBlue) and CVE-2020-1472 (ZeroLogon). The ransomware's encryption scheme is complex, involving multiple key exchanges, which sometimes introduce errors that complicate the decryption process and can result in permanent data loss for victims, even if they pay the ransom. CosmicBeetle has been using RansomHub's EDR killer tool to disable security agents on compromised devices, further solidifying its affiliation with RansomHub. CosmicBeetle's emergence and activities highlight an evolving threat. CTIX analysts recommend heightened vigilance, particularly from SMBs in the sectors and geographical areas this threat actor has been known to operate in.
- The Record: CosmicBeetle Article
- The Hacker News: CosmicBeetle Article
- Bleeping Computer: CosmicBeetle Article
Vulnerabilities
Ivanti Patches Multiple Critical Vulnerabilities in their Endpoint Management Solution
Ivanti has released critical security patches for multiple vulnerabilities across its Endpoint Manager, Cloud Service Appliance, and Workspace Control products. Among the most severe is a remote code execution (RCE) vulnerability, tracked as CVE-2024-29847 in Endpoint Manager. This flaw is caused by deserialization of untrusted data, which could allow unauthenticated attackers to gain access to the core server. This vulnerability has been patched in Endpoint Manager 2024 and 2022 Service Update 6 (SU6), with no current evidence of exploitation in the wild. Ivanti also fixed nearly two dozen additional critical and high-severity vulnerabilities across its products, including SQL injection flaws that could be exploited by administrators, as well as OS command injection, and local privilege escalation vulnerabilities in Workspace Control and Cloud Service Appliance. Ivanti attributes the rise in detected vulnerabilities to improved internal scanning, manual testing, and a stronger vulnerability disclosure process. Although past zero-day vulnerabilities in Ivanti’s VPN appliances have been exploited, the company has no evidence of current vulnerabilities being exploited and continues to improve its security measures for its extensive global customer base. CTIX analysts recommend that all Ivanti customers ensure that they are running the most secure version of software for their products to prevent exploitation.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
