Key Intelligence Signals:
Unknown Threat Actor, Part of the Earth Bogle Campaign, Targets Arabic-Speaking Victims
In recent campaigns, researchers detected a vishing attack that manipulates Arabic-speaking users into opening a dropper link. The threat actors leverage the Middle Eastern geopolitical context to lure victims in the Middle East and Africa. They use public cloud storage services such as files.fm and failiem.lv to host the malware, and already compromised web servers to distribute NjRat. The malicious file is hidden inside a Microsoft Cabinet (CAB) archive disguised as a “sensitive” audio file, named with a geopolitical theme to entice victims to open it. Distribution most probably takes place via social media, file-sharing platforms such as OneDrive, or phishing emails. The CAB file contains an obfuscated VBS (Visual Basic Script) dropper that leads to the next stage of the attack. Once the CAB file is opened and the dropper is run, the obfuscated VBS script fetches the payload from a compromised or spoofed host. It then calls a PowerShell script responsible for injecting NjRat on the victim’s machine. The NjRat payload allows attackers to steal sensitive information, take screenshots, obtain a reverse shell, manipulate processes, the registry, and files, upload and download files, and perform other operations.
NjRat was first seen in 2013, and after a decade the RAT is still employed for malicious purposes and cyber espionage, showing threat actors’ continued reliance on it.
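The lure described above is a CAB archive whose member is a script carrying a decoy media-style name. The following is an added example, not code from the cited research or from the NjRat operators: a minimal parser for the CAB directory (CFHEADER, CFFOLDER and CFFILE records, as laid out in the Microsoft Cabinet Format specification) with a triage check that flags script or executable members and, in particular, a script hidden behind a decoy extension. The sample cabinet is constructed inline by `build_cab()` (uncompressed, single folder) and its member names are invented for illustration.

```python
"""Minimal Microsoft Cabinet (CAB) directory parser plus a triage check for
script droppers such as the VBS-in-CAB lure described above.

Added example: this is not code from the cited research or from the NjRat
operators. The sample CAB is constructed inline by build_cab() (uncompressed,
single folder) and its member names are invented for illustration.
"""
import struct

# CFHEADER flag bits (Microsoft Cabinet Format specification)
CFHDR_PREV_CABINET = 0x0001
CFHDR_NEXT_CABINET = 0x0002
CFHDR_RESERVE_PRESENT = 0x0004
CFFILE_NAME_IS_UTF = 0x0080  # CFFILE attribs bit: szName is UTF-8 encoded

# Extensions a dropper would use, and decoy extensions used to disguise them.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".dll", ".scr", ".lnk"}
DECOY_EXTS = {".mp3", ".wav", ".m4a", ".ogg", ".pdf", ".doc", ".docx",
              ".jpg", ".png"}


def _cstring(data, pos):
    """Read a NUL-terminated byte string starting at pos; return (bytes, next_pos)."""
    end = data.index(b"\x00", pos)
    return data[pos:end], end + 1


def parse_cab(data):
    """Parse CFHEADER, CFFOLDER and CFFILE records; return (header, folders, files).
    Only the directory is read; member data is never decompressed."""
    if data[:4] != b"MSCF":
        raise ValueError("not a CAB file: missing MSCF signature")
    (_, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     c_folders, c_files, flags, set_id, _) = struct.unpack_from("<IIIIIBBHHHHH", data, 4)
    pos = 36  # fixed CFHEADER size
    cb_cffolder = 0
    if flags & CFHDR_RESERVE_PRESENT:
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_cfheader
    for flag in (CFHDR_PREV_CABINET, CFHDR_NEXT_CABINET):
        if flags & flag:
            _, pos = _cstring(data, pos)  # szCabinetPrev / szCabinetNext
            _, pos = _cstring(data, pos)  # szDiskPrev / szDiskNext
    folders = []
    for _ in range(c_folders):
        coff_data, n_blocks, type_compress = struct.unpack_from("<IHH", data, pos)
        folders.append({"data_offset": coff_data, "blocks": n_blocks,
                        "compression": type_compress & 0x000F})  # 0=none, 1=MSZIP, 3=LZX
        pos += 8 + cb_cffolder
    pos = coff_files
    files = []
    for _ in range(c_files):
        size, uoff, i_folder, _date, _time, attribs = struct.unpack_from("<IIHHHH", data, pos)
        raw_name, pos = _cstring(data, pos + 16)
        encoding = "utf-8" if attribs & CFFILE_NAME_IS_UTF else "cp1252"
        files.append({"name": raw_name.decode(encoding, "replace"), "size": size,
                      "folder": i_folder, "offset_in_folder": uoff, "attribs": attribs})
    header = {"size": cb_cabinet, "declared_size_ok": cb_cabinet == len(data),
              "version": (ver_major, ver_minor), "flags": flags, "set_id": set_id}
    return header, folders, files


def suspicious_members(files):
    """Flag script/executable members; note when a decoy media/document extension precedes it."""
    findings = []
    for f in files:
        parts = f["name"].lower().replace("\\", "/").rsplit("/", 1)[-1].split(".")
        exts = ["." + p for p in parts[1:]]
        if exts and exts[-1] in SCRIPT_EXTS:
            reason = "script or executable member"
            if any(e in DECOY_EXTS for e in exts[:-1]):
                reason = "script hidden behind decoy extension"
            findings.append((f["name"], reason))
    return findings


def build_cab(members):
    """Build an uncompressed, single-folder CAB from [(name, bytes), ...] (test helper)."""
    payload = b"".join(content for _, content in members)
    file_entries, uoff = b"", 0
    for name, content in members:
        file_entries += struct.pack("<IIHHHH", len(content), uoff, 0, 0, 0, 0x20)  # 0x20 = _A_ARCH
        file_entries += name.encode("ascii") + b"\x00"
        uoff += len(content)
    coff_files = 36 + 8  # CFHEADER + one CFFOLDER
    coff_data = coff_files + len(file_entries)
    cfdata = struct.pack("<IHH", 0, len(payload), len(payload)) + payload  # csum 0 = not supplied
    folder = struct.pack("<IHH", coff_data, 1, 0)  # one CFDATA block, tcompTYPE_NONE
    total = coff_data + len(cfdata)
    header = b"MSCF" + struct.pack("<IIIIIBBHHHHH", 0, total, 0, coff_files, 0,
                                   3, 1, 1, len(members), 0, 0x1234, 0)
    return header + folder + file_entries + cfdata


# Constructed sample: a VBS dropper behind a decoy audio name plus a harmless text file.
SAMPLE_CAB = build_cab([
    ("leaked_call.mp3.vbs", b"' placeholder, not a real dropper\r\nWScript.Echo 1\r\n"),
    ("readme.txt", b"decoy\r\n"),
])

if __name__ == "__main__":
    hdr, fld, fls = parse_cab(SAMPLE_CAB)
    print(hdr, fld)
    for f in fls:
        print(f)
    print(suspicious_members(fls))
```

The parser stops at the directory on purpose: listing member names is enough to triage a cabinet delivered as an "audio file", and it avoids running a decompressor (MSZIP/LZX) on untrusted input. To extract the actual dropper for analysis, hand the file to cabextract or 7-Zip in a sandbox.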
Researchers have observed a campaign by the Russian hacktivist auxiliary NoName057(16) targeting NATO organizations. The group is known to have been active since March 2022 and to focus on nuisance DDoS (distributed denial-of-service) attacks. It typically targets websites it regards as important to countries that have been friendly to Ukraine and/or critical of Russia’s war against its neighbor; in this respect its operations resemble those of Killnet (the two groups’ targeting has overlapped in the past).
Researchers have attributed the recently reported targeting of the Danish financial sector to NoName057(16). This week the group has also been active against campaign websites associated with the upcoming Czech presidential election, most notably the site of Petr Pavel, the election favorite, a former general and former top NATO military official. Pavel has expressed pro-Ukrainian sentiments and supports the Czech government’s policy of supplying arms to Ukraine for its defense against the Russian invasion.
According to researchers’ observations, NoName057(16) appears to be a genuine hacktivist auxiliary rather than merely a front for a Russian state-controlled hacking unit. The group coordinates a volunteer-based DDoS program with payments through public Telegram channels, distributes a toolkit that supports multiple operating systems, and has used GitHub. It has also been paying its most impactful contributors, which looks like a sign of a slowly emerging trend of for-profit hacktivism.
In reaction to the attacks, GitHub has taken down accounts associated with the group. A GitHub representative has been quoted as saying: “We disabled the accounts in accordance with GitHub’s Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attacks or uses GitHub as a means to deliver malicious executables.”