Key Intelligence Signals:
In recent observations, Lazarus Group was involved in a campaign mostly targeting cryptocurrency users and organizations with a variant of the AppleJeus malware. The group registered bloxholder[.]com and converted it into a malicious website whose content was copied from HaasOnline (haasonline[.]com). Bloxholder delivered AppleJeus malware bundled as part of a Microsoft Installation (MSI) file. At the time of execution, the MSI file installs both the malicious and a legitimate application. Its job is to fetch information about the infected system and download shellcode from the command-and-control server. The collected data consists of the MAC address, computer name, and OS version, which are potentially used to determine whether the infected machine is a virtual machine or sandbox rather than a genuine machine. These details are sent back to the Command and Control (C2) server, which responds with shellcode for the malware to execute. Then, the legitimate application loads a legitimate DLL from the “System32” directory, and that DLL in turn loads a malicious DLL from the application’s directory. Specifically, “CameraSettingsUIHost.exe” loads the “dui70.dll” file from the “System32” directory, which then loads the malicious “DUser.dll” file from the application’s directory into the “CameraSettingsUIHost.exe” process. “CameraSettingsUIHost.exe” is a legitimate component that assists with the usage of a webcam on the system, and the “dui70.dll” file is the “Windows DirectUI Engine” and is part of the operating system.
The Lazarus Group constantly targets cryptocurrency users to fulfill the DPRK’s aim for financial gain.
Despite getting caught with their tactics and techniques, the group has not stopped targeting cryptocurrency users.
The group deployed a new variant of AppleJeus malware which has a few new features like dual DLL-side loading, obfuscated API and String, and a new network protocol.
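A defender-side check for the side-loading chain described above, as an added example that is not CYFIRMA's code or anything from the AppleJeus sample: it scans module-load records shaped like Sysmon Event ID 7 (Image, ImageLoaded) and flags a DLL carrying a Windows system DLL name (DUser.dll, dui70.dll) that is loaded from outside the system directories. The event list and file paths are constructed for illustration.

```python
"""Flag DLL side-loading candidates in module-load telemetry (added example).

The chain on the page is CameraSettingsUIHost.exe -> dui70.dll (System32)
-> DUser.dll loaded from the application's own directory instead of System32.
Event shape (image, image_loaded) is assumed to resemble Sysmon Event ID 7.
"""
from pathlib import PureWindowsPath

# DLL names that legitimately live only under the Windows system directories.
# Only the two DLLs named on the page are listed; extend the set as needed.
SYSTEM_DLLS = {"duser.dll", "dui70.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_side_loaded(image: str, image_loaded: str) -> bool:
    """True when a system-DLL name is loaded from outside the system directories.

    The classic side-load layout (malicious DLL placed beside the loading
    executable) is the strongest signal, but any non-system location is flagged.
    """
    dll = PureWindowsPath(image_loaded)
    if dll.name.lower() not in SYSTEM_DLLS:
        return False
    return str(dll.parent).lower() not in SYSTEM_DIRS


def beside_executable(image: str, image_loaded: str) -> bool:
    """True when the DLL sits in the same directory as the loading executable."""
    return str(PureWindowsPath(image).parent).lower() == \
        str(PureWindowsPath(image_loaded).parent).lower()


def find_side_loads(events):
    """Return the subset of events that look like DLL side-loading."""
    return [e for e in events if is_side_loaded(e["image"], e["image_loaded"])]


# Constructed sample events; "C:\ProgramData\ExampleApp" is a placeholder
# for the application directory the MSI drops the files into.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\CameraSettingsUIHost.exe",
     "image_loaded": r"C:\Windows\System32\dui70.dll"},            # benign
    {"image": r"C:\ProgramData\ExampleApp\CameraSettingsUIHost.exe",
     "image_loaded": r"C:\Windows\System32\dui70.dll"},            # benign
    {"image": r"C:\ProgramData\ExampleApp\CameraSettingsUIHost.exe",
     "image_loaded": r"C:\ProgramData\ExampleApp\DUser.dll"},      # side-load
]

if __name__ == "__main__":
    for e in find_side_loads(SAMPLE_EVENTS):
        tag = "beside exe" if beside_executable(e["image"], e["image_loaded"]) else "elsewhere"
        print(f"possible side-load ({tag}): {e['image']} -> {e['image_loaded']}")
```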
In light of poor Russian performance on the battlefield in Ukraine this fall, Moscow seems to be stepping up its pressure on the sources of Ukraine’s military and political support, both inside the country and with Ukrainian allies. Outside of the country itself, ramped-up information operations and cyber-attacks are mostly targeting Baltic countries and Poland. A Russian military intelligence cyber unit known as Iridium has been observed attacking Ukraine and Poland in November and analysts expect this group to spearhead Russian attacks, especially on critical infrastructure come this winter.
The group has a strong track record of attacks against civilian infrastructure (notably its disruption of sections of Ukraine’s power grid in 2015 and 2016) and has also shown indifference to potential fallout outside its original targets. Deployment of wiper malware during the present war has had mixed results and has in general fallen short of what the Kremlin probably had hoped for, but it still represents an ongoing threat. The group has recently displayed its willingness to target countries that support Ukraine using the Prestige ransomware.
A US Secret Service investigation has attributed a wave of COVID relief fund fraud to APT41, a threat actor that customarily works on behalf of the Chinese government. This marks the first time that the U.S. government has uncovered any kind of fraud related to foreign state-sponsored cybercriminals and their involvement in unemployment funds. Currently, it is not clear to what degree this specific action was sanctioned by the government in Beijing, but it is clear that the Chinese threat actor has a track record of privateering attacks for financial gain and suffered no known consequence from law enforcement in China. Privateering is the practice of utilizing cyber criminals to conduct malicious activities for financial gain, to disrupt informational and economic flows of the enemy, and steal intellectual property by way of private proxy. Privateering has become a lucrative and profitable business for cybercriminals, allowing them to operate with little oversight or regulation in exchange for sanctioned status with the government even though the privateer is breaching international and domestic law. CYFIRMA has recently published a report on the rise of privateering where our analysts predict privateering to become an increasingly large problem in the near term and mid-term future.
The Chinese actor Mustang Panda has been targeting individuals and organizations in different parts of the world with documents related to the Ukrainian conflict as lures. The targets were in Europe, the Middle East, Africa, South and East Asia, and Latin America. The sectors the threat group seems most interested in include Mining, Education, Telecoms, Finances, Internet Security Firms, and Web Hosting Companies. Researchers have characterized the phish bait as well-thought-out and professionally prepared.
A threat actor with links to Russia has been found using a phishing campaign to acquire information from unsuspecting victims. This actor, known to researchers as Callisto Group, COLDRIVER, or SEABORGIUM, has been observed harvesting credentials while impersonating American defense, aerospace, and logistic companies. The companies being impersonated include US firm Global Ordnance, Polish defense company UMO Poland, the not-for-profit Commission for International Justice and Accountability (CIJA), US-based satellite communications company Blue Sky Network, logistics company DTGruelle, and Russia’s Ministry of Internal Affairs. The victimology and list of impersonated actors suggest Russian state actors with an interest in NATO governments, military organizations, and think tanks, clearly working on a nexus of the war in Ukraine. Callisto Group has been associated with Russia’s SVR foreign intelligence service, particularly its information operations.
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed Sentenia Systems Inc being impacted by the LockBit ransomware group. Sentenia Systems Inc provides comprehensive business communications solutions and has worked with all of the major wireless carriers (Verizon, Sprint, AT&T, and T-Mobile) by upgrading their technologies, troubleshooting antennas, and building new sites. The ransomware group claimed Sentenia Systems Inc (www[.]sentenia[.]net) as one of their victims by disclosing the update on their dedicated leak site. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. At the time of CTI’s observation, the ransomware group provided a deadline of 14 December 2022 04:21:03 UTC.
A recent analysis of the LockBit ransomware strain revealed new capabilities and the usage of elements from BlackMatter, another well-known ransomware. Researchers observed that LockBit ransomware is capable of sabotaging the tools that analysts in security operations centers use to monitor suspicious activity in real time, and that LockBit 3.0 attackers also used several publicly available tools and utilities which are now common among ransomware threat actors.
A breach has occurred in the LockBit ransomware operation, with an allegedly disgruntled developer leaking the builder for the gang’s newest encryptor. Other threat actors are now using the leaked LockBit 3.0 ransomware builder for their ransomware operations, as expected. In an attack on a Ukrainian business, for example, the Bl00Dy Ransomware Gang, which previously used Babuk and Conti encryptors, has now switched to a LockBit 3.0 encryptor.
In a recent underground forum discussion, it was observed that LockBit now has an anonymous Pastebin and an anonymous file-sharing platform to avoid authorities tracing it back to its network. The adoption of a DDoS mitigation solution after a recent DDoS attack on its dedicated leak site (DLS), and the introduction of the new file-sharing technique during the negotiation phase to avoid authorities’ attention, indicate that LockBit is adapting its infrastructure to be more effective in its operations.