The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine.
Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called

Cyberespionage / Threat Analysis

The Russian cyberespionage group known as **Turla** has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine.

Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker **UNC4210**, said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013.

"UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022," Mandiant researchers said in an analysis published last week.

Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware.

Since the onset of Russia's military invasion of Ukraine in February 2022, the adversarial collective has been linked to a string of credential phishing and reconnaissance efforts aimed at entities located in the country.

In July 2022, Google's Threat Analysis Group (TAG) revealed that Turla created a malicious Android app to supposedly "help" pro-Ukrainian hacktivists launch distributed denial-of-service (DDoS) attacks against Russian sites.

The latest discovery from Mandiant shows that Turla has been stealthily co-opting older infections as a malware distribution mechanism, not to mention taking advantage of the fact that ANDROMEDA spreads via infected USB keys.

"USB spreading malware continues to be a useful vector to gain initial access into organizations," the threat intelligence firm said.

In the incident analyzed by Mandiant, an infected USB stick is said to have been inserted at an unnamed Ukrainian organization in December 2021, ultimately leading to the deployment of a legacy ANDROMEDA artifact on the host upon launching a malicious link (.LNK) file masquerading as a folder within the USB drive.

The threat actor then repurposed one of the dormant domains that were part of ANDROMEDA's defunct C2 infrastructure – which it re-registered in January 2022 – to profile the victim by delivering the first-stage KOPILUWAK dropper, a JavaScript-based network reconnaissance utility.

Two days later, on September 8, 2022, the attack proceeded to the final phase with the execution of a .NET-based implant dubbed QUIETCANARY (aka Tunnus), resulting in the exfiltration of files created after January 1, 2021.

The tradecraft employed by Turla dovetails with prior reports of the group's extensive victim profiling efforts coinciding with the Russo-Ukrainian war, potentially helping it tailor its follow-on exploitation efforts to harvest the information of interest to Russia.

It's also one of the rare instances where a hacking unit has been identified targeting victims of a different malware campaign to meet its own strategic goals, while also obscuring its role.

"As older ANDROMEDA malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims," the researchers said.

"This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities. Further, older malware and infrastructure may be more likely to be overlooked by defenders triaging a wide variety of alerts."

**COLDRIVER Targets U.S. Nuclear Research Labs**

The findings also come as Reuters reported that another Russian state-sponsored threat group codenamed COLDRIVER (aka Callisto or SEABORGIUM) targeted three nuclear research labs in the U.S. in early 2022.

To that end, the digital assaults entailed creating fake login pages for Brookhaven, Argonne, and Lawrence Livermore National Laboratories in an attempt to trick nuclear scientists into revealing their passwords.

The tactics are consistent with known COLDRIVER activity, which recently was unmasked spoofing the login pages of defense and intelligence consulting companies as well as NGOs, think tanks, and higher education entities in the U.K. and the U.S.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

By Waqas
Hackers are using ChatGPT to develop powerful hacking tools and create new chatbots designed to mimic young girls to lure targets, claims Check Point.
This is a post from HackRead.com Read the original post: Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware

In one instance, a hacker shared an Android malware code written by ChatGPT, which could steal desired files, compress them, and leak them online.

Cybercriminals have a new trick up their sleeve involving the abuse of an artificially intelligent (AI) chatbot from OpenAI called ChatGPT. ChatGPT app has become popular since its launching at the end of November 2022, so naturally, scammers are eyeing it for exploitation.

**ChatGPT Abused to Build Hacking Tools**

According to a new report from Israeli security firm Check Point, hackers are using ChatGPT to develop powerful hacking tools and create new chatbots designed to mimic young girls to lure targets.

ChatGPT can also code malicious software that can monitor users’ keyboard strokes and create ransomware. For your information, ChatGPT has been developed by OpenAI as an interface for its LLM (Large Language Model).

However, cybercriminals have somehow figured out a way to make it a threat to the cyber world since its code generation capability can easily help threat actors launch cyberattacks.

On the other hand, Hold Security’s founder Alex Holden stated that he has observed dating scammers exploiting ChatGPT to create convincing personas. Scammers are creating female personas to impersonate girls to gain trust and have lengthier conversations with their targets.

**Potential Dangers**

Check Point Research’s researchers explained in their blog post that an attacker could create an authentic-looking spear-phishing email to run a reverse shell that can accept commands in English.

Many underground hacking forums have posted about incidents where cybercriminals used OpenAI to develop malicious tools, even those having no development skills. In one of the posts that Check Point reviewed, a hacker shared an Android malware code written by ChatGPT, which could steal desired files, compress them, and leak them on the web.

One user shared how they abused ChatGPT by using it to create code-up features of a marketplace on the Dark Web, like Silk Road and Alphabay.

Another tool was posted on the forum that could be used to install a backdoor on a device and upload more malware onto the compromised computer. Similarly, a user-shared Python code capable of file encryption using the OpenAI app.

Posting related to chatGPT on a popular hacker forum

Check Point researchers observed that this was the first tool this user had created. Such codes could be used for malicious purposes and modified to encrypt a device without involving user interaction, just like with ransomware. 

Moreover, scammers can also use ChatGPT to build bots and sites to trick users into sharing their information and launch highly targeted social engineering scams and phishing campaigns.

OpenAI is yet to respond to these findings.

1.  AI-based Model to Predict Extreme Wildfire Danger
2.  Website uses AI to create utterly realistic human faces
3.  Microsoft patent reveals chatbot to talk to dead people
4.  This AI Can Generate Unique and Free Bored Ape NFTs
5.  AI-Powered Smart Glasses Give Deafs Power of Speech
6.  ‘Fawkes’ privacy tool blocks images from facial recognition

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware

Using command-and-control servers from the decade-old Andromeda malware, the group is installing reconnaissance tools and a backdoor on previously infected systems to target Ukrainian victims.

A hacking group — suspected to be the Russia-linked Turla Team — reregistered at least three old domains associated with the decade-old Andromeda malware, allowing the group to distribute its own reconnaissance and surveillance tools to Ukrainian targets.

Cybersecurity firm Mandiant stated in a Thursday advisory that Turla Team APT, also known by Mandiant's designation of UNC4210, took control of three domains that were part of Andromeda's defunct command-and-control (C2) infrastructure to reconnect to the compromised systems. The endgame was to distribute a reconnaissance utility known as Kopiluwak and a backdoor known as QuietCanary.

Andromeda, an off-the-shelf commercial malware program, dates back to at least 2013 and compromises systems through infected USB drives. Post-compromise, it connects to a list of domains, most of which have been taken offline.

There is no relationship between the Turla Team and the group behind Andromeda, making the co-opting of previous infected systems quite novel, says Tyler McLellan, senior principal analyst at Mandiant.

"Co-opting the Andromeda domains and using them to deliver malware to Andromeda victims is a new one," he says. "We've seen threat actors reregister another group's domains, but never observed a group deliver malware to victims of another."

The slow spread of Andromeda allows attackers to wrest control of infected systems for free.

"As older Andromeda malware continues to spread from compromised USB devices, these re-registered domains pose a risk as new threat actors can take control and deliver new malware to victims," Mandiant stated in the advisory. "This novel technique of claiming expired domains used by widely distributed, financially motivated malware can enable follow-on compromises at a wide array of entities."

While the hijacking of another group's infected assets is uncommon, it has happened in the past, with hackers fighting over compromised machines, stealing each other's systems, or using the same vulnerability to infect a system and overwrite a previous infection. In the early 2000s, for example, the MyDoom worm infected systems but left the compromised computers open to further attack, leading to a scramble between hackers looking to increase their stable of exploited systems.

Today, cybercriminals are more likely to compromise systems and then sell those infected machines, or credentials to access those systems, on underground forums and dark markets as part of the initial access broker subeconomy.

****A Slowly Moving Galaxy of Andromeda Infections****

The attack began in December 2021, when an infected USB drive was inserted into a system at a Ukrainian organization and an employee inadvertently clicked on the malicious link. The cyberattack infected the system with a version of Andromeda first seen in March 2013 by the antivirus scanning service VirusTotal, Mandiant stated.

Mandiant first detected the attack in September 2022. Turla is a Russian-based threat group, but it has targeted a wide variety of organizations in some 45 countries over nearly two decades, according to the MITRE ATT&CK page.

While there is no relationship between Turla and Andromeda, using the Andromeda malware to infect other systems has helped keep the Turla operation under the radar, says Tyler McLellan, senior principal analyst at Mandiant.

"Despite Andromeda being old and not likely operational today, we still see a lot of victims," he says. "As a user inserts a clean USB into an already infected system, that new USB can become infected and continue the spread."

****Carefully Selected Targets: A Very Specific Threat****

The attackers attempted to remain as stealthy as possible by profiling systems to determine the most interesting targets and then only attacking a handful of those systems. Mandiant only observed the Turla-controlled servers active for short periods of time, usually a few days, with weeks of downtime, the company stated.

"Mandiant identified several different hosts with beaconing Andromeda stager samples," the company stated in the advisory. "However, we only observed one case in which Turla-related malware was dropped in additional stages, suggesting a high level of specificity in choosing which victims received a follow-on payload."

The Turla Team operation underscores the importance of eliminating vectors of attack and responding to incidents, even if they appear to be low priority, McLellan says.

"Companies should pay attention to what USB's are in their environment and discourage employees from using them where possible," he says. "This incident should also raise concerns of what longer-term malware infections are in your environment, and could a threat actor co-opt that C2 infrastructure to gain access."

Russia-Linked Turla APT Sneakily Co-Opts Ancient Andromeda USB Infections

Categories: News
Tags: WordPress

Tags:  exploit

Tags:  vulnerability

Tags:  plugin

Tags:  theme

Tags:  update

Tags:  linux malware

Tags:  backdoor

It's time to check your website is up to date.



(Read more...)




The post Malware targets 30 unpatched WordPress plugins appeared first on Malwarebytes Labs.

If you make use of plugins on your WordPress site (and you probably do), it’s time to take a good look at what’s running under the hood. Ars Technica reports that unpatched vulnerabilities being exploited across no fewer than 30 plugins.

**A long list of plugin problems**

If you own or operate a website there is a very good chance it uses WordPress. More than 40 precent of websites use a version of it, and it's used on more websites that all other website Content Management Systems (CMS) combined. One of the reasons it's so popular is that it can be easily extended by adding plugins, of which there are tens of thousands.

Provided it is kept up to date and protected by two-factor authentication, WordPress itself is quite secure. Because of that, in recent years threat actors have focussed on exploiting it via vulnerabilities in plugins rather than attacking it directly.

Plugins are created by third parties and vary widely in quality. Some are updated frequently while others are unsupported. Some are so popular that they are successful software products in their own right, with paid staff, secure development lifecycles, and millions of users, and others are made by lone hobbyists. And while WordPress will update itself with security fixes by default, automatic updating of pluigns has to be enabled by each website operator.

So, news of a malware campaign targeting plugins with unpatched vulnerabilities is no surprise. In fact researchers suggest the malware used for these attacks may have been in circulation for three years. Ars Technica reports that once a vulnerable website is detected, the attack injects rogue scripts into the pages of the site. The scripts redirect website visitors to malicious websites when they click anywhere on an affected web page.

According to research by Dr Web, attacks rely on unpatched versions of the following plugins or themes:

*   WP Live Chat Support Plugin
*   WordPress – Yuzo Related Posts
*   Yellow Pencil Visual Theme Customizer Plugin
*   Easysmtp
*   WP GDPR Compliance Plugin
*   Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
*   Thim Core
*   Google Code Inserter
*   Total Donations Plugin
*   Post Custom Templates Lite
*   WP Quick Booking Manager
*   Facebook Live Chat by Zotabox
*   Blog Designer WordPress Plugin
*   WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
*   WP-Matomo Integration (WP-Piwik)
*   WordPress ND Shortcodes For Visual Composer
*   WP Live Chat
*   Coming Soon Page and Maintenance Mode
*   Hybrid
*   Brizy WordPress Plugin
*   FV Flowplayer Video Player
*   WooCommerce
*   WordPress Coming Soon Page
*   WordPress theme OneTone
*   Simple Fields WordPress Plugin
*   WordPress Delucks SEO plugin
*   Poll, Survey, Form & Quiz Maker by OpinionStage
*   Social Metrics Tracker
*   WPeMatico RSS Feed Fetcher
*   Rich Reviews plugin

**Plugging the plugin gap**

Time and again, not updating a plugin comes back to haunt WordPress admins in the worst possible way. Cleanup is often not an easy task, and a tiny slice of preventative action can keep you far away from a massive repair operation further down the line.

The following preventative maintenance could save you a lot of trouble:

*   **Update existing plugins**. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to **Dashboard** > **Updates.** (The **Themes** and **Plugins** menu items will also have red circles next to them if any need updating.) Update everything.
*   **Turn on automatic updates for plugins**. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the **Plugins** screen and clicking **Enable auto-updates** next to each plugin.
*   **Remove unsupported plugins**. Go to the **Plugins** screen and click **View details** for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
*   Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.

If you can’t make enough time available to keep on top of theme and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company. The last thing you want is a stack of emails some rainy Monday morning telling you that visitors have been drafted into a botnet courtesy of your blog.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malware targets 30 unpatched WordPress plugins

The infamous, FSB-connected Turla group took over other hackers' servers, exploiting their USB drive malware for targeted espionage.

The Russian cyberespionage group known as Turla became infamous in 2008 as the hackers behind agent.btz, a virulent piece of malware that spread through US Department of Defense systems, gaining widespread access via infected USB drives plugged in by unsuspecting Pentagon staffers. Now, 15 years later, the same group appears to be trying a new twist on that trick: hijacking the USB infections of _other_ hackers to piggyback on their infections and stealthily choose their spying targets.

Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla's hackers—widely believed to work in the service of Russia’s FSB intelligence agency—gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. As a result, Turla was able to take over the command-and-control servers for that malware, hermit-crab style, and sift through its victims to find ones worthy of espionage targeting.

That hijacking technique appears designed to let Turla stay undetected, hiding inside other hackers’ footprints while combing through a vast collection of networks. And it shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Because the malware already proliferated through USB, Turla can leverage that without exposing themselves. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They’re piggybacking on other people’s operations. It’s a really clever way of doing business.”

Mandiant’s discovery of Turla’s new technique first came to light in September of last year, when the company’s incident responders found a curious breach of a network in Ukraine, a country that’s become a primary focus of all Kremlin intel services after Russia’s catastrophic invasion last February. Several computers on that network had been infected after someone inserted a USB drive into one of their ports and double-clicked on a malicious file on the drive that had been disguised as a folder, installing a piece of malware called Andromeda.

Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. The first, a reconnaissance tool called Kopiluwak, has been previously used by Turla; the second piece of malware, a backdoor known as Quietcanary that compressed and siphoned carefully selected data off the target computer, has been used exclusively by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.

When Mandiant looked at the command-and-control servers for the Andromeda malware that had started that infection chain, its analysts saw that the domain used to control the Andromeda sample—whose name was a vulgar taunt of the antivirus industry—had actually expired and been reregistered in early 2022. Looking at other Andromeda samples and their command-and-control domains, Mandiant saw that at least two more expired domains had been reregistered. In total, those domains connected to hundreds of Andromeda infections, all of which Turla could sort through to find subjects worthy of their spying.

“By doing this you can basically lay under the radar much better. You’re not spamming a bunch of people, you’re letting someone else spam a bunch of people,” says Hultquist. “Then you started picking and choosing which targets are worth your time and your exposure.”

In fact, Mandiant only found that single instance in Ukraine of the hijacked Andromeda infection distributing Turla’s malware. But the company suspects that there were likely more. Hultquist warns there’s no reason to believe the stealthy targeted spying that piggybacked off Andromeda’s USB infections would be limited to just one target, or even to just Ukraine. “Turla has a global intelligence collection mandate,” he says.

Turla has a long history of using clever tricks to hide the control of its malware, and even to hijack the control of other hackers, as Mandiant saw in this most recent case. Cybersecurity firm Kaspersky revealed in 2015 that Turla had taken control of satellite internet connections to obscure the location of its command-and-control servers. In 2019, Britain’s GCHQ intelligence agency warned that Turla had silently commandeered Iranian hackers’ servers to conceal themselves and confuse detectives trying to identify them.

Those innovative techniques have made the group a particular obsession for many cybersecurity researchers, who have traced its fingerprints all the way back to Moonlight Maze, one of the first-ever state-sponsored hacking campaigns, discovered in the late 1990s. Turla’s agent.btz thumbdrive malware represented another historic moment for the group: It resulted in a Pentagon initiative called Operation Buckshot Yankee, designed to vastly upgrade the Defense Department’s cybersecurity after the group’s embarrassing USB-based breach.

Mandiant’s discovery of another, stealthier USB-based hacking technique in Turla’s hands should serve as a reminder that even now, 15 years later, that USB-based intrusion vector has hardly disappeared. Plug an infected drive into your USB port today, it seems, and you may be offering an invitation to not only undiscerning cybercriminals, but also a far more sophisticated breed of operative hiding behind them.

Turla, a Russian Espionage Group, Piggybacked on Other Hackers' USB Infections

The financially motivated threat group, also known as OPERA1ER, demonstrated an evolution in tactics in its compromise of three Francophone financial institutions in Africa, likely adding to its $11 million to-date haul.

A criminal group, which has already stolen nearly $11 million by specializing in targeted attacks against the financial sector, has French-speaking African banks in its crosshairs in a recent campaign that demonstrates an evolution in tactics, researchers have found.

Bluebottle, aka OPERA1ER, compromised three different financial institutions in three separate African nations between mid-July and September, affecting multiple machines in all three organizations, researchers from Symantec revealed in a blog post published on Jan. 5.

Though it's unclear if the group was able to capitalize financially on the activity, it's significant because the different payloads and other tactics that Bluebottle used in the campaign vary from previous offensives by the group, Sylvester Segura, Symantec threat intelligence analyst, tells Dark Reading. 

In particular, Bluebottle used commodity malware GuLoader and malicious ISO files in the initial stages of the attack — which it hasn't done before — as well as abused kernel drivers with a signed driver that has been linked to other attacks such as ransomware, Segura says.

These "all indicate the Bluebottle group is keeping up to date with the tools and techniques that other threat actors are currently using," he says. "They may not be the most advanced, but this latest activity proves they are following attacker trends in tooling and techniques."

Indeed, the use of signed drivers in particular shows that Bluebottle — a financially motivated group first observed in 2019 — is aiming to up its game in this latest spate of activity, forcing enterprises to do the same in terms of defensive maneuvers, Segura says.

"More and more 'less advanced' attackers are aware of the impact they can have by disabling detection solutions through various means such as using signed drivers," he notes. "To prevent the trust we put in software like signed drivers from becoming a single point of failure, enterprises need to employ as many layers of detection and protection as they reasonably can."

**Keeping Up With Bluebottle****

Group-IB first began tracking Bluebottle, which it calls OPERA1ER, in activity that spanned from mid-2019 to 2021. During this period, the group stole at least $11 million in the course of 30 targeted attacks, researchers said in a report published in November. The group typically infiltrates a financial organization and moves laterally, scooping up credentials that it can use for fraudulent transfers and other funds-stealing activity.

The activity that Symantec observed started in mid-July, when researchers spotted job-themed malware on one of the infected systems, which they believe could have been the result of a spear-phishing campaign — though they said they are not certain of the group's initial point of entry.

"These likely acted as lures," researchers wrote in the post. "In some cases, the malware was named to trick the user into thinking it was a PDF file."

Symantec researchers linked the group to the previous OPERA1ER activity reported by Group-1B because it shared the same domain, used similar tools, included no custom malware, and also targeted Francophone nations in Africa, they said.

****Living Off the Land****

After noticing the job-themed malware, researchers then observed the deployment of a downloader before detecting the commercial Sharphound hacktool as well as a tool called fakelogonscreen, researchers said. Then, about three weeks after this initial compromise, researchers saw attackers using a command prompt and PsExec for lateral movement.

"It appears the attackers were 'hands on keyboard' at this point of the attack," researchers wrote in the post, using various dual-use and living-off-the-land (LotL) tools for a number of purposes during their occupation of the network.

These tools included Quser for user discovery, Ping for checking Internet connectivity, Ngrok for network tunneling, Net localgroup/add for adding users, the Fortinet VPN client most likely for a secondary access channel, Xcopy to copy RDP wrapper files, and Netsh to open port 3389 in the firewall, among several others.

As previously mentioned, Bluebottle also used commodity tools GuLoader as well as Mimikatz, Revealer Keylogger, Backdoor.Cobalt, Netwire RAT, and the malicious DLL and driver for killing processes during their activity, along with "multiple other unknown files," the researchers wrote.

Some of the tools — such as GuLoader — were deployed across all three victims; other activity linking the three victims included the use of the same .NET downloader, malicious driver, and at least one overlapping transfer\[.\]sh URL, they said.

Researchers observed the last activity on the compromised network in September; however, the Ngrok tunneling tool remained on the network until November, they said.

****How Enterprises Can Respond****

Since Bluebottle uses mainly commodity RATs and other malware in its activity, enterprises can mitigate attacks from this threat group by ensuring they have good endpoint protection against such threats, Segura says.

"Furthermore, an extended detection and response solution should also help detect their abuse of living off the land tools like PsExec during attempted lateral movement," he says.

Since Bluebottle typically goes after credentials immediately in its attacks for financial gain, multifactor authentication can also go a long way in helping enterprises protect accounts and monitor for suspicious account activity, Segura says.

Other steps enterprises can take to counter activity from Bluebottle specifically include allowing applications that "will help prevent the malicious use of dual-use tools like Ngrok, which they use for hiding their presence," he says.

"Finally, training employees to look out for phishing and other malicious emails is going to be crucial to prevent a group like this from intruding in the first place," Segura adds.

**

Bluebottle Continues Bank Heist Assault With Signed Malware

A financially motivated threat actor tracked as Blind Eagle has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador.
Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the

A financially motivated threat actor tracked as **Blind Eagle** has resurfaced with a refined toolset and an elaborate infection chain as part of its attacks targeting organizations in Colombia and Ecuador.

Check Point's latest research offers new insights into the Spanish-speaking group's tactics and techniques, including the use of sophisticated tools and government-themed lures to activate the killchain.

Also tracked under the name APT-C-36, Blind Eagle is notable for its narrow geographical focus and launching indiscriminate attacks against South American nations since at least 2018.

Blind Eagle's operations have been documented by Trend Micro in September 2021, uncovering a spear-phishing campaign primarily aimed at Colombian entities designed to deliver a commodity malware known as BitRAT, with a lesser focus towards targets in Ecuador, Spain, and Panama.

Attacks chains commence with phishing emails containing a booby-trapped link that, when clicked, leads to the deployment of an open source trojan named Quasar RAT with the ultimate goal of gaining access to the victim's bank accounts.

Some of targeted banks consists of Banco AV Villas, Banco Caja Social, Banco de Bogotá, Banco Popular, Bancoomeva, BBVA, Colpatria, Davivienda, and TransUnion.

Should the email recipient be located outside of Colombia, the attack sequence is aborted and the victim is redirected to the official website of the Colombian border control agency, Migración Colombia.

A related campaign singling out both Colombia and Ecuador masquerades as the latter's Internal Revenue Service (SRI) and makes use of a similar geo-blocking technology to filter out requests originating from other countries.

This attack, rather than dropping a RAT malware, employs a more complex multi-stage process that abuses the legitimate mshta.exe binary to execute VBScript embedded inside an HTML file to ultimately download two Python scripts.

The first of the two, ByAV2.py, is an in-memory loader engineered to run a Meterpreter payload in DLL format. mp.py is also a Meterpreter artifact, only it's programmed in Python, indicating that the threat actor could be using one of them as a redundant method to retain backdoor access to the host.

"Blind Eagle is a strange bird among APT groups," the researchers concluded. "Judging by its toolset and usual operations, it is clearly more interested in cybercrime and monetary gain than in espionage."

The development comes days after Qualys disclosed that an unknown adversary is leveraging personal information stolen from a Colombian cooperative bank to craft phishing emails that result in the deployment of BitRAT.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Blind Eagle Hackers Return with Refined Tools and Sophisticated Infection Chain

Grand hack auto

The web applications and APIs of major car manufacturers, telematics (vehicle tracking and logging technology) vendors, and fleet operators were riddled with security holes, security researchers warn.

In a detailed report, security researcher Sam Curry laid out vulnerabilities that run the gamut from information theft to account takeover, remote code execution (RCE), and even hijacking physical commands such as starting and stopping the engines of cars. The findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem.

**From web portals to car locks**

Around six months ago, Curry and a few friends stumbled on a vulnerability in the mobile app of a scouter fleet at the University of Maryland, which caused the horns and headlights on all the scooters in the campus to turn on and stay on for 15 minutes. Curry subsequently became interested in doing further investigation along with researchers Neiko Rivera, Brett Buerhaus, Maik Robert, Ian Carroll, Justin Rhinehart, and Shubham Shah.

“We thought it'd be awesome to dump a ton of time into hacking different car companies to see how many ‘horns we could honk’, but it quickly turned into hacking telematics infrastructure and things outside of the telematics APIs,” Curry told The Daily Swig.

The researchers’ findings, detailed on Curry’s blog, highlight an alarming number of critical vulnerabilities across different systems. For example, a poorly configured API endpoint for generating one-time passwords for the web portals of BMW and Rolls Royce potentially enabled attackers to take over the accounts of any employee and contractor, thereby gaining access to sensitive customer and vehicle information.

A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools. Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.

DON’T MISS Tell us what you think of The Daily Swig to be in with a chance of winning Burp Suite swag

Elsewhere a vulnerability in Kia’s web portal for dealers could have allowed attackers to create a fake session, register an account, associate it with any arbitrary vehicle VIN number, and gain access to lock, unlock, and remote start/stop mechanisms, as well as vehicle locations and vehicle camera feeds.

A poorly implemented SSO functionality in Ferrari’s web applications allowed the researchers to gain unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, allowing potential attackers to create and modify users or (worse yet) give themselves super-user permissions. The vulnerabilities effectively allowed attackers to take ownership of Ferrari cars.

Other vulnerabilities granted full remote control over the locks, engine, horn, headlights, and trunk of Hyundai and Genesis vehicles made after 2012. The researchers were also able to obtain full remote access to Honda, Nissan, Infiniti, and Acura vehicles.

**Dangerous bug in telematics portal**

Curry and his colleagues found a SQL injection vulnerability in the admin portal of Spireon, the parent company of several car telematics and fleet management vendors that collectively service 15 million vehicles. Curry described this as their “most alarming finding” because the vulnerability allowed them to gain administrator access to the company’s platform.

“Using our access, we could access all user accounts, devices (vehicles), and fleets,” he said. “Some of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations.”

The researchers found they were able to lock starters, unlock vehicles, track vehicles, and send rogue dispatch addresses to vehicles like police cars and ambulances. The researchers further suspect the security shortcomings made it possible to install backdoors and run arbitrary commands on Spireon devices.

**Half-baked**

“There were some car companies where you'd own one, then copy the exact same methodology to another car company and get in with the same vulnerability,” Curry said.

The researchers found that some flaws existed across the platforms of several companies, including tons of exposed actuators (vehicle component control), debug endpoints, and administrative functionality for managing vehicles, purchase contracts, and telematic devices.

“From what it seems, car companies really rushed to install these devices,” Curry said. “Currently, these installations mostly have limited functionality so you can only do things like track, unlock, and start the vehicle, but with companies like Tesla and Rivian building more connected vehicles which can actually be controlled remotely, I'm worried that market pressure will force these companies to build half-baked solutions which are open to attack.”

RELATED Schneider Electric fixes critical vulnerabilities in EVlink electric vehicle charging stations

Car companies massively exposed to web vulnerabilities

Researchers who discovered the backdoor Linux malware say it may have been around for more than three years — and it targets 30+ plug-in bugs.

A newly identified Trojan backdoor program exploits some 30 vulnerabilities in WordPress plug-ins and themes in order to breach websites based on the WordPress content management system. It only needs to abuse one of those flaws to execute an attack.

Researchers from Doctor Web who discovered two iterations of the malware — dubbed Linux.BackDoor.WordPressExploit.1 and Linux.BackDoor.WordPressExploit.2 — said sites running outdated or unpatched versions of these WordPress tools are at risk of harboring malicious JavaScripts that redirect site visitors to nefarious websites, and should update those programs ASAP.

And here's a scary twist: "An analysis of an uncovered trojan application, performed by Doctor Web's specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage," the researchers wrote about the malware, which targets 32-bit versions of Linux and also can run on 64-bit versions of the platform.

Among the plug-ins and themes the Trojan's version 1 variant abuses are WP Live Chat Support Plugin; Yellow Pencil Visual Theme Customizer Plugin; Easysmtp; WP GDPR Compliance Plugin; Google Code Inserter; Blog Designer WordPress Plugin; and WP Live Chat. Version 2 exploits other WordPress plugins, including Brizy WordPress Plugin; FV Flowplayer Video Player; WordPress Coming Soon Page; Poll, Survey, Form & Quiz Maker by OpinionStage; and Social Metrics Tracker.

WordPress plug-ins and themes are a popular avenue for cybercriminals looking to take over websites; they can be used for everything from phishing to ad fraud to malware distribution. Vulnerabilities are not uncommon. For instance, in December an SSRF vulnerability in the Google Web Stories plug-in was found that would allow a cyberattacker to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

WordPress Sites Under Attack from Newly Found Linux Trojan

The Evil Corp-linked malware family has undergone an evolution, becoming more obfuscated and "several times more complex," as the group behind it tests how far the worm can be spread.

Hacking groups are using a new version of the Raspberry Robin framework to attack Spanish and Portuguese-language based financial institutions — and it's complexity quotient has been significantly upgraded, researchers said this week.

According to a Jan. 2 report from cybersecurity firm Security Joes, the group has used the same QNAP server for several rounds of attacks — but victim data is no longer in plaintext but rather RC4-encrypted, and the downloader mechanism has been updated with new anti-analysis capabilities, including more obfuscation layers.

Raspberry Robin is a backdooring worm that infects PCs via Trojanized USB devices before spreading to other devices on a target's network, acting as a loader for other malware. Since being spotted nesting in corporate networks in May, it has gone on to rapidly infect thousands and thousands of endpoints — and the species is rapidly evolving.

The threat actor behind the worm is thought to be part of larger ecosystem facilitating preransomware activity and is considered one of the largest malware distribution platforms currently active. Researchers recently linked it to Evil Corp, for instance, thanks to its significant similarities to the Dridex malware loader.

"What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," the research team wrote.

**Upgraded Malware Version Takes Flight

In the latest iteration, the malware protection mechanism has been upgraded to deploy at least five layers of protection before the malicious code is deployed, including a first-stage packer to obscure the code of the next stages of the attack followed by a shellcode loader.

The next three layers include a second-stage loader DLL, intermediate shellcode, and finally the shellcode downloader. This complex framework makes the worm more difficult to detect and simultaneously eases lateral movement through networks, the researchers explained.

The research also indicated Raspberry Robin operators have began to collect more data about their victims than earlier reported.

"Not only did we discover a version of the malware that is several times more complex, but we also found that the C2 beaconing, which used to have a URL with a plain-text username and hostname, now has a robust RC4 encrypted payload," wrote senior threat researcher Felipe Duarte, who led the investigation.

In one case, the research team documented how a 7-Zip file was downloaded from the victim's browser, potentially from a malicious link or attachment that tricked the user into acting.

"Upon inspection, the archive was found to be an MSI installer that, when executed, drops several files onto the victim's machine," the report noted.

In a second case, the malicious payload was hosted on a Discord server, which was used by the threat actors to deliver malware onto the victim's machine, to avoid detection and bypass security controls.

"In the cases we investigated, threat actors decided to implement additional validations on their backend to have a better segmentation and visibility of their targets," the report noted. "This allows them to filter bots running in sandboxes, analyze environments and respond to any other circumstance that could interfere a segment of the botnet operation, to fix it in real-time."

****Raspberry Robin Makes the Rounds**

The threat is flighty, following a pattern of appearing, disappearing, then reappearing with significantly upgraded capabilities.

Security firm Red Canary first analyzed and named Raspberry Robin in May, noting that it was infecting targets via malicious USB drives and worming to other endpoints — but then remaining dormant.

Subsequent reports then found Raspberry Robin worm to have added 10 layers of obfuscation and fake payloads, in order to launch attacks against telecommunications companies and governments across Australia, Europe, and Latin America, according to a December research report from Trend Micro.

Soon after, it came to the attention of other researchers, including IBM Security and the Microsoft Security Threat Intelligence Center (MSTIC); the latter is monitoring the operators of the Raspberry Robin worm under the moniker DEV-0856.

Tag

#backdoor