Key Intelligence Signals:
Suspected Threat Actors: Mustang Panda
Summary:
In a recent observation, Mustang Panda was seen aggressively using spear-phishing attacks. The threat actor in their month-long cyber-attack targeted Myanmar, Australia, the Philippines, Japan, and Taiwan. The decoy documents were written in Burmese, and most of the topics in the documents were controversial issues between countries and contained words like ‘Secret’ or ‘Confidential.’ This indicates these recent attacks were on Myanmar government entities as their first entry point.
The threat actor was seen creating fake google accounts to distribute the malware through spear-phishing attacks, malware was zipped and delivered through Google Drive links. Users are then manipulated into downloading and executing. The threat actor used techniques like code obfuscation and custom exception handlers to bypass detections. The threat actor used the stolen documents as decoys to manipulate the victims working with Myanmar government offices into downloading and executing the malware.
The Mustang Panda has their loaders and PlugX along with Cobalt Strike are available in its arsenal to compromise the victims. Upon successful breach the group infiltrates into the targeted victim’s systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions.
Insights:
The TONESHELL malware was the primary backdoor deployed in this campaign. The campaign is an espionage campaign with the possible intent of stealing sensitive information.
The actors used the same email address to deploy decoyed malicious documents in Google Drive and used the same email address to deliver the phishing email. Indicators of Compromise
The Caribbean Island of Guadeloupe which is a French overseas territory has been hit by a cyber-attack that disrupted government services. The authorities have shut down all its computer networks to protect data and are now working on restoring the service. So far details of the attack have not been published besides the local authorities characterizing the attack as large-scale.
Guadeloupe is the latest French region to be hit by a cyberattack in recent months. In August, a large hospital nearby Paris was hit by a ransomware attack that effectively halted its operations when the hospital refused to pay a multimillion-dollar ransom and patient data have been subsequently released by the attackers. By late September, the port city of Caen in Normandy was hit while the departments of Seine-Maritime and Seine-et-Marne were targeted in October and November respectively.
Retired US General Ben Hodges, former Commander of US Army Europe has recently argued that cybersecurity is as important to NATO logistics as missile defense. In support of his thesis, he noted that five years ago the Russian NotPetya campaign against Ukraine spilled over into the transportation sector and disrupted port and shipping operations. The global leader in maritime logistics Maersk was hit especially hard by this Russian attack. The General specifically pointed out the importance of the German ports of Hamburg and Bremerhaven in NATO logistical chains. Cyber-enabled interference with port operations in these two cities would have a significant effect on the Alliance’s ability to sustain operations in Central and Eastern Europe. The Russian military has so far not been able to repeat the success of the NotPetya campaign, but the example of this campaign demonstrates the ability of determined advanced actors to cause harm in supply chains using tools not dissimilar to today’s ransomware attacks.
According to media reports, the forthcoming revision to the 2018 US Department of Defense (DoD) National Security Policy Memorandum is expected to give the ministry expanded authority to conduct offensive cyber operations. The revision is said in large part to address roles and missions, with the State Department playing a consultative role. Successful US Cyber Command operations have gained the DoD a good reputation with policymakers who are, according to the reports, likely to authorize advances in the ministry’s authority to give Pentagon more flexibility in active cyber operations to be able to react faster to developments in the cyber domain.
Virginia Farm Bureau Mutual Insurance Company Impacted by Royal Ransomware
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed Virginia Farm Bureau Mutual Insurance Company (www[.]vafb[.]com) – which was founded to protect the lives and livelihoods of Virginia’s farmers. The ransomware group leaked Virginia Farm Bureau Mutual Insurance Company data on their dedicated leak site on 17 November 2022. As per Royal Ransomware, leaked data contains Company operation documents, financial, and HR documents.
Insights:
Royal is a January 2022 operation that consists of vetted and experienced ransomware actors from previous operations. Unlike most active ransomware operations, Royal is a private group with no affiliates and does not operate as a Ransomware-as-a-Service.
When Royal ransomware first started its operation, it used the encryptors of other ransomware operations, such as BlackCat. Soon after, the cybercrime enterprise began using its own encryptors, the first of which was Zeon (Sample), which generated ransom notes that were strikingly similar to Conti’s. However, the ransomware gang has rebranded to ‘Royal’ and is using that name in ransom notes generated by a new encryptor since the middle of September 2022.
The Royal group employs targeted callback phishing attacks in which they impersonate food delivery and software providers in emails disguised as subscription renewals. These phishing emails contain phone numbers that the victim can call to cancel the alleged subscription, but it is a number to a service that the threat actors have hired to compromise victims’ systems using social engineering techniques.
Recently, researchers discovered that the DEV-0569 group is distributing various payloads, including the Royal ransomware, via Google Ads. Malvertising campaigns are carried out to spread links to a signed malware downloader disguised as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.
Royal ransomware is targeting businesses all over the world. However, 86% of victim organizations are from the United States, Canada, Malaysia, and Germany.