The North Korean actor is going after cryptocurrency investors worldwide leveraging a genuine-looking game site and AI-generated content and images.

Source: MAHATHIR MOHD YASIN via Shutterstock

North Korea's infamous Lazarus Group is using a well-designed fake game website, a now-patched Chrome zero-day bug, professional LinkedIn accounts, AI-generated images, and other tricks to try and steal from cryptocurrency users worldwide.

The group appears to have launched the elaborate campaign in February and has since used multiple accounts on X and tricked influential figures in the cryptocurrency space to promote their malware-infected crypto game site.

**Elaborate Campaign**

"Over the years, we have uncovered many \[Lazarus\] attacks on the cryptocurrency industry, and one thing is certain: these attacks are not going away," said researchers at Kaspersky, after discovering the latest campaign while investigating a recent malware infection. "Lazarus has already successfully started using generative AI, and we predict that they will come up with even more elaborate attacks using it," the security vendor noted.

The state-sponsored Lazarus group may not quite be a recognizable name yet, but it is easily among the most prolific and dangerous cyber threat actors in operation. Since making headlines with an attack on Sony Pictures back in 2014, Lazarus — and subgroups such as Andariel and Bluenoroff — have figured in countless notorious security incidents. These have included the WannaCry ransomware outbreak, the $81 million heist at Bank of Bangladesh, and attempts to steal COVID-vaccine-related secrets from major pharmaceutical companies during the height of the pandemic.

Analysts believe that many of the group's financially motivated attacks, including those involving ransomware, card-skimming, and cryptocurrency users, are really attempts to generate revenue for the money-strapped North Korean government's missile program.

In the latest campaign the group appears to have refined some of the social engineering tricks employed in past campaigns. Central to the new scam is detankzone dot-com, a professionally designed product page that invites visitors to download an NFT-based multiplayer online tank game. Kaspersky researchers found the game to be well designed and functional, but only because Lazarus actors had stolen the source code of a legitimate game to build it.

**A Chrome Zero-Day and a Second Bug**

Kaspersky found the website to contain exploit code for two Chrome vulnerabilities. One of them, tracked as CVE-2024-4947, was a previously unknown zero-day bug in Chrome's V8 browser engine. It gave the attackers a way to execute arbitrary code inside a browser sandbox via a specially crafted HTML page. Google addressed the vulnerability in May after Kaspersky reported the flaw to the company.

The other Chrome vulnerability that Kaspersky observed in the latest Lazarus Group exploit is that it does not appear to have a formal identifier. It gave the attackers a way to escape the Chrome V8 sandbox entirely and gain full access to the system. The threat actor used that access to deploy shellcode for collecting information on the compromised system before deciding whether to deploy further malicious payloads on the compromised system, including a backdoor called Manuscrypt.

What makes the campaign noteworthy is the effort that Lazarus Group actors appear to have put into its social engineering angle. "They focused on building a sense of trust to maximize the campaign's effectiveness, designing details to make the promotional activities appear as genuine as possible," Kaspersky researchers Boris Larin and Vasily Berdnikov wrote. They used multiple fake accounts to promote their site via X and LinkedIn along AI-generated content and images to create an illusion of authenticity around their fake game site.

"The attackers also attempted to engage cryptocurrency influencers for further promotion, leveraging their social media presence not only to distribute the threat but also to target their crypto accounts directly," Larin and Berdnikov wrote.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Lazarus Group Exploits Chrome Zero-Day in Latest Campaign

Cisco Talos reveals TA866’s (also known as Asylum Ambuscade) sophisticated tactics and its link to the new WarmCookie…

Cisco Talos reveals TA866’s (also known as Asylum Ambuscade) sophisticated tactics and its link to the new WarmCookie malware from the BadSpace family. Learn about the threat actor’s persistent attacks, sophisticated tactics, and the advanced tools used to compromise systems.

Cybersecurity researchers at Cisco Talos have revealed new information about the sophisticated operations of TA866, also known as Asylum Ambuscade, a threat actor known for its persistent and adaptable attack strategies. 

TA866 has been active since 2020, focusing on financially motivated malware campaigns and espionage. The group uses numerous tools and techniques, including commodity and custom-built ones as part of its attack.

The group has also adopted a calculated approach, seeking to maintain their presence in compromised environments, carefully assessing the situation, and deploying tools as needed to achieve their objectives.

****The Infection Chain: A Multi-Stage Process****

According to Cisco Talos’ investigation, TA866’s attacks involve a multi-stage infection chain, beginning with the delivery of a malicious JavaScript downloader, which acts as a gateway, retrieving subsequent payloads from attacker-controlled servers. These payloads often take the form of MSI packages, which contain malware such as WasabiSeed.  

WasabiSeed is a crucial downloader component in the infection chain, ensuring persistence by establishing itself on compromised systems using an LNK shortcut. It can continuously poll for additional payloads from attacker-controlled servers, allowing TA866 to deliver subsequent attack stages.

TA866 also uses the Screenshotter malware family to capture periodic screenshots of the infected system. These screenshots provide valuable insights into the victim’s activities and allow TA866 to identify sensitive information or potential targets for further exploitation.  

In addition, TA866 frequently deploys AHK Bot, a modular malware family that uses AutoHotKey scripts to perform various functions such as system enumeration, screenshot capture, domain identification, keystroke logging, credential theft, and more. AHK Bot’s modular nature allows TA866 to customize its capabilities based on the specific needs of each attack.

****WarmCookie and TA866 Connection****

Cisco Talos’ research also highlights connections between WarmCookie malware and TA866, including similar lure themes, overlapping infrastructure, the deployment of CSharp-Streamer-RAT, Cobalt Strike as a follow-on payload, and the use of programmatically generated SSL certificates.

WarmCookie, a notorious malware family also called BadSpace, emerged in April 2024 and has been distributed through malspam and malvertising campaigns. It serves as a backdoor, allowing threat actors long-term access to compromised systems. It offers a wide range of functions like payload deployment, file manipulation, command execution, screenshot collection, and persistence.

> _“We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.”_
> 
> Cisco Talos Research Team

Researchers also revealed how it is consistently used in invoice-related and job agency themes to lure victims to access hyperlinks in email bodies or attached documents like PDFs. A recent WarmCookie campaign used malspam and invoice lures to distribute malicious PDF attachments. These PDFs redirected victims to JavaScript downloaders on servers linked to the LandUpdates808 infrastructure.

Screenshot: Cisco Talos

TA866’s evolution highlights the complex challenges faced by organizations in defending against cyber threats. Organizations need to stay informed about the latest threat intelligence and implement advanced security measures to mitigate the risks posed by this advanced threat actor.

1.  **Fake CAPTCHA Pages Spread Lumma Stealer Fileless Malware**
2.  **Chinese “ChamelGang” Uses Attacks for Disruption, Data Theft**
3.  **Octo2 Malware Uses Fake NordVPN, Chrome Apps in its Attacks**
4.  **Advanced Espionage Malware “Stealth Soldier” Hits Libyan Firms**
5.  **Fake ESET Emails Used to Target Israeli Firms with Wiper Malware**

TA866 Group Linked to New WarmCookie Malware in Espionage Campaign

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Wednesday, October 23, 2024 06:02

*   WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. 
*   WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. 
*   Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  
*   We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

**What is WarmCookie? **

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

**Typical infection chains **

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

*   United Rentals Inc: Invoice# [0-9]{9}\-[0-9]{3} 
*   Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

*   Attachment_[0-9]{3}\-[0-9]{3}\.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

__WarmCookie emails and attachments.__

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update\[.\]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

__PowerShell execution.__

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

**WarmCookie **

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL\_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL\_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

__WarmCookie sandbox detection.__

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

*   **Command 0x8:** Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   
*   **Command 0xA**: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:    
    C:\Windows\System32\rundll32.exe <tmpfilename.dll> Start /update
*   **Command 0xB**: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

**Links to past intrusion activity **

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

__Previous CSharp-Streamer-RAT C2 SSL certificate.__

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

__Recent CSharp-Streamer-RAT C2 SSL certificate.__

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

**WarmCookie vs. Resident backdoor **

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

*   The RC4 implementation is consistent across both malware families. 
*   The RC4 string decryption function implementation is consistent across both malware families. 
*   Mutex management is performed consistently across both malware families. 
*   Both malware families use GUID-like strings for the mutex. 
*   The way in which various functions were constructed and the coding conventions used is consistent. 
*   The definition of scheduled tasks to achieve persistence is consistent. 
*   Both malware families wait one minute before executing the scheduled task. 
*   The directory, file schema and parameters are similar in both malware families.  
*   The initial startup logic and command line parameter implementation are similar. 

**Code similarity analysis **

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

**Task Scheduler implementation **

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll" or “.exe". Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

__WarmCookie startup parameters.__

__WarmCookie persistence mechanism.__

__Resident backdoor startup parameters.__

__Resident backdoor persistence mechanism.__

__Resident backdoor persistence mechanism (cont’d).__

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

__WarmCooke startup logic.__

__Resident backdoor startup logic.__

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

__WarmCookie filename list.__

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

*   Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. 
*   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

*   Js.Downloader.Agent-10022279-0  
*   Vbs.Downloader.Agent-10022291-0  
*   Win.Trojan.WasabiSeed-10022304-0  
*   Js.Trojan.Screenshotter-10022306-0  
*   Js.Trojan.Agent-10022307-0  
*   Win.Trojan.Lazy-10022308-0  
*   Win.Trojan.Screenshotter-10022309-0  
*   PUA.Win.Tool.NetPing-10022493-0  
*   Win.Malware.CobaltStrike-10022494-0  
*   PUA.Win.Tool.AutoHotKey-10022305-1  
*   PUA.Win.Tool.RemoteUtilities-9869515-0  
*   PUA.Win.Tool.AdFind-9962378-0   
*   Txt.Downloader.AHKBot-10024463-0  
*   Ps1.Malware.CobaltStrike-10024466-0  
*   Win.Infostealer.Rhadamanthys-10024467-0  
*   Txt.Infostealer.Rhadamanthys-10024468-0  
*   Win.Backdoor.Agent-10025011-0  
*   Vbs.Trojan.Screenshotter-10025015-0  
*   Win.Malware.Warmcookie-10036688-0 
*   Win.Malware.CSsharpStreamer-10036641-0 

**Indicators of Compromise **

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Threat Spotlight: WarmCookie/BadSpace

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.

*   Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor.  
*   The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim’s intervention to trigger the infection chain.  
*   Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT,  as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. 
*   We found a few placeholders for base64 encoded PowerShell scripts in the PowerRAT, indicating that the threat actor is actively developing their tools.  

**Victimology **

Talos assesses with high confidence that the threat actor is targeting Russian-speaking users based on the language used in the Phishing emails, luring contents of Malicious documents, a masqueraded HTML webpage of Vkontake (VK), a popular social media application amongst Russian speakers, especially in Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan, and Azerbaijan.  

 

 

**Actor uses Gophish to send phishing emails **

Our analysis of the malicious hyperlinks embedded in the phishing emails disclosed to us the attacker-controlled hosting domains disk-yanbex\[.\]ru delivered the Malicious Microsoft Word document, and an HTML file embedded with the malicious JavaScript.   

The domain disk-yanbex\[.\]ru resolves to the IP address 34\[.\]236\[.\]234\[.\]165, an AWS EC2 instance with the fully qualified domain name ec2-34-236-234-165\[.\]compute-1\[.\]amazonaws\[.\]com, during our analysis. We also observed that the same server 34\[.\]236\[.\]234\[.\]165 was reverse resolving to another domain e-connection\[.\]ru, which also delivered malicious JavaScript-embedded HTML files. Our further analysis of the server 34\[.\]236\[.\]234\[.\]165 disclosed to us that the actor hosted the Gophish toolkit on the server running at port number 3333. Gophish is an Open-Source easy-to-deploy phishing toolkit that is developed to conduct security awareness training according to the tool’s developer.  

Attacker hosting Gophish.

Talos analysis of the phishing email sample’s header showed us that the email was first delivered from server 34\[.\]236\[.\]234\[.\]165, indicating that the threat actor is misusing the Gophish framework in this campaign to deliver phishing emails to their targets.   

Sample Phishing email header. 

**Multi-modular Campaign delivers PowerRAT and DCRAT  **

The campaign has two initial attack vectors, one based on malicious Word documents and another based on HTML files containing malicious JavaScript. Upon activation, these would lead to the download and activation of PowerRAT or DCRAT depending on the initial vector. Both the attack chains require user intervention to trigger the infections on the compromised machines. 

**Maldoc-based infection delivers PowerRAT **

When a victim opens the Microsoft Word document and enables the view contents button displayed in the document banner, the malicious VB macro program executes.  

The macro program initially executes a function that decodes or translates specific encoded symbols in the lure contents of the Word document into their corresponding characters from another alphabet in Cyrillic, transforming the lure contents into readable form. 

We spotted a base64 encoded data blob on the third page of the Word document and the actor used the text color the same as that of the document's default background color, hiding them from the victim’s view.  

To identify the hidden encoded data, the macro executes a function that searches for specific strings such as “DigitalRSASignature:” and “CHECKSUM” in the content section of the Word document, and when found, it copies the data following the search strings to an array.  

To decode the base64 encoded data blob, the actor uses a custom function called CheckContent() in the macro. It removes any “=” characters which are the padding characters in the encoded data blob and decodes them into two parts in a byte array. The first part is the contents of a malicious HTML application (HTA) file and the second is a PowerShell loader.  

The macro drops the decoded contents of the malicious HTA file to “UserCache.ini.hta” and the PowerShell loader into “UserCache.ini” in the victim machine's current user profile folder.   

The actor has abused the Windows NT current version autorun registry key called “LOAD”. The registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” is used by Windows to automatically launch applications or processes when a user logs into their account. Specifically, this key stores information about programs that are set to load upon user login. It works similarly to other startup mechanisms in Windows (such as the Startup folder or the Run registry keys), but this specific key is less commonly used. The macro after dropping the malicious HTA and the PowerShell loader script in the victim machine user profile folder, it configures the registry key “HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LOAD” with the value “C:\\Users\\<Username>\\UserCache.ini.hta”. 

Finally, the macro checks if there are any headers in the Word documents and deletes the contents of the headers from all sections of the Word document.  

The malicious HTA “UserCache.ini.hta” is executed through the LOAD registry key when a victim logs into the machine. It drops a JavaScript called “UserCacheHelper.lnk.js” in the victim machine user profile folder and writes a single line code embedding with a PowerShell command to execute the dropped PowerShell Loader masquerading as “UserCache.ini” file. The HTA file executes the JavaScript “UserCacheHelper.lnk.js” using the LOLbin “cscript.exe”. 

Sample of malicious HTA file.

The dropped JavaScript “UserCacheHelper.lnk.js” loads the contents of the “UserCache.ini” and executes it using the Invoke-Expression PowerShell command. The PowerShell Loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim’s machine memory.   

Sample PowerShell Loader script embedded with PowerRAT.

**PowerRAT expands the attack vector for further infections  **

Talos discovered a new PowerShell remote access tool as one of the payloads in this campaign we are calling PowerRAT that executes in the victim’s machine memory. It has the functionality of executing other PowerShell scripts or commands as directed by the C2 server, enabling the attack vector for further infections on the victim machine.   

The PowerRAT that executes in the victim machine memory initially checks if the JavaScript “UserCacheHelper.lnk.js” exists in the user profile folder and if not found, it will reinfect the victim machine by performing the actions of the PowerShell loader script described in the previous section. Then it hides the “UserCache.ini” by modifying the file attributes to “Hidden”. 

The PowerRAT performs reconnaissance on the victim’s machine by executing a function GetID() which collects the username, computer name, and the system driver letter through the PowerShell command Get-CimInstance. It also collects the drive serial number through the win32\_volume class of WMIobject.  The collected data is written to memory in the format <Computername\_Username\_drive serial number>. 

After performing the reconnaissance, the PowerRAT attempts to connect to the C2 server by sending the collected data of the victim’s machine using a hardcoded URL through the HTTP GET method.  The C2 servers identified in this campaign are 94\[.\]103\[.\]85\[.\]47 located in Russia with the ASN 48282 of Hosting Technology LTD and 5\[.\]252\[.\]176\[.\]55 also geographically located in Russia with the ASN 39798 of MivoCloud SRL.  

When there is no response from the C2 server, the PowerRAT has a placeholder function called offlineworker() that has the functionality to decode an embedded base64 encoded string of a PowerShell script and executes it using the Invoke-Expression command. The actor has built this functionality to keep the infection alive in the victim machine even if the victim's environment detects the malicious C2 traffic and blocks the connection. We didn’t see any embedded base64 encoded strings in the PowerRAT sample that we analyzed and is likely a placeholder, indicating that the actor is actively developing and updating their tools.  

The PowerRAT generates a random number between 7 - 23 and pauses its execution for (300 + random number) seconds and re-attempts to connect to the C2 server continuously waiting for a response. During our analysis, the C2 servers were not responding, and still, our further analysis of the PowerRAT showed us that the C2 server will likely respond with an XML configuration file having multiple modules with embedded base64 encoded PowerShell commands or scripts.   

The PowerRAT has the functionality to parse the received XML file and search for the sections called config.  It periodically executes the embedded encoded PowerShell commands or scripts, according to their defined intervals and run limits. The PowerRAT continues to run until all commands or scripts in the config sections are executed the required number of times.   

**HTML-based infection delivers DCRAT **

Talos discovered that the threat actor is also using HTML files embedded with malicious JavaScript in this campaign that are delivered to the victims through the malicious links in the phishing email, leading to the infection of the DCRAT payload.  

When a victim clicks on the malicious link in the phishing email, a remotely located HTML file containing the malicious JavaScript opens in the victim machine’s browser and simultaneously executes the JavaScript. The JavaScript has a base64 encoded data blob of a 7-ZIP archive of a malicious SFXRAR executable. It decodes the embedded base64 encoded data blob into binary data blob with the type “application/octet-stream” in the memory. A download URL for the binary data blob is created using the URL.createObjectURL() method and assigned to a variable in memory. It calls the click() method on the URL of the binary data blob which triggers the download of the binary data to a 7-Zip archive file. The malicious 7-Zip archive masquerades as the VK messenger application archive file in one of the malicious HTML files and another with a Russian name. The actor is using this technique in the JavaScript function to masquerade as the actual download activity of a file over the internet through a browser.  

A victim must inflate the 7-Zip archive manually to run the SFXRAR executable which is masquerading as the legitimate VK application executable which leads to DCRAT infection. The SFX RAR executable is packaged with the malicious loader or dropper executables, batch file, and a decoy document in some samples.  

When a victim runs the SFX executable, the SFX script drops the packaged files into a folder and executes the batch file which runs another password-protected SFXRAR with the hardcoded password “riverdD” and runs the DCRAT.   

In another sample, we observed that the SFXRAR drops the GOLoader and the decoy document Excel spreadsheet in the victim machine user profile applications temporary folder and runs the GOLoader along with opening the decoy document.   

Talos observed an overlap of the technique used by the threat actor in this campaign with an earlier SparkRAT attack reported by Hunt researchers in April 2024, indicating that SparkRAT is another payload in the threat actor’s arsenal. 

**GOLoader downloads and runs the DCRAT **

In DCRAT infection, the SFX script runs a malicious Loader executable and simultaneously opens a decoy document. The malicious loader executable we are calling “GOLoader” is compiled in Golang. It modifies the configuration settings for Microsoft Defender Antivirus, specifically by excluding the root directory “C:\\” and the folder “C:\\Users\\$user\\Desktop” in the victim machine by executing the PowerShell commands.  

powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\$user\\Desktop'

powershell -Command Add-MpPreference -ExclusionPath 'C:\\'

After configuring the exclusion paths, the GOLoader downloads the DCRAT binary data stream from a remote location through a hardcoded URL and writes it into a dropped executable with the file name “file.exe” in the desktop folder on the victim’s machine. During our analysis, we found that the remote location URL hardcoded in the GOLoader was pointing to a GitHub repository, which was not accessible. However, we found that the hosted payload binary in the GitHub repository is the Dark Crystal RAT (DCRAT) binary based on open-source intelligence data.   

**Threat actor delivers DCRAT **

The payload Dark Crystal RAT (DCRAT) sample that we analyzed in this campaign is a modular RAT associated with plugins to perform the DLL injection and information stealing tasks.  

Key features of the DCRAT sample of this campaign include: 

*   Provides remote control access to the victim machine to the actor who can execute arbitrary commands, manage files, and monitor user activities.  
*   It has the capability of downloading and executing other files on the victim's machine. 
*   With its stealer plugin modules, the RAT can steal sensitive information including credentials, files, and financial information from the victim's machine.  
*   The RAT can take screenshots and capture the keystrokes on the victim's machine. 
*   We found that the RAT creates multiple copies of its binary masquerading as legitimate Windows executables including csrss.exe, dllhost.exe, taskhostw.exe, and winlogon.exe in the folders such as ProgramData, Pictures, Saved Games, and Windows start menu. It drops the embedded modules in the administrator user desktop folder using random file names and with the “.log” file extension.  

C:\\Users\\admin\\Desktop\\zaHrebVC.log

C:\\Users\\admin\\Desktop\\HQLYdHol.log

C:\\Users\\admin\\Desktop\\qJutJUJW.log

C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\taskhostw.exe

C:\\ProgramData\\dllhost.exe

C:\\Users\\Default\\Pictures\\csrss.exe

C:\\Users\\Default\\Saved Games\\winlogon.exe

*   It establishes persistence on the victim machine by creating several Windows tasks to run at different intervals or during the Windows login process. 

Task Scheduler Commands

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /f

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\\Users\\Default\\Saved Games\\winlogon.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /f

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\\Users\\Default\\Pictures\\csrss.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\Public\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\\Users\\Public\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\\Users\\All Users\\dllhost.exe'" /f

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\\Users\\All Users\\dllhost.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /f

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\\Users\\Default\\Start Menu\\taskhostw.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 13 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /f

schtasks.exe /create /tn "file" /sc ONLOGON /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

schtasks.exe /create /tn "filef" /sc MINUTE /mo 9 /tr "'C:\\Users\\admin\\AppData\\Local\\Temp\\file.exe'" /rl HIGHEST /f

*   The RAT communicates to the C2 server through a URL hardcoded in the RAT configuration file as shown in the picture and exfiltrates the sensitive data collected from the victim machine. From other DCRAT samples identified in this campaign, we found another C2 URL “hxxp\[://\]cr87986\[.\]tw1\[.\]ru/L1nc0In\[.\]php”.  

Sample of DCRAT configuration file. 

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 63963 – 63970, 63971 and 301004. 

ClamAV detections are also available for this threat: 

Win.Downloader.RustAgent-10036537-0 

Win.Downloader.RustAgent-10036538-0 

Win.Downloader.RustAgent-10036539-0 

Win.Downloader.GoAgent-10036540-0 

Win.Backdoor.PowershellRAT-10036541-0 

Win.Phishing.VbsAgent-10036542-0 

Win.Phishing.JsAgent-10036543-0 

Win.Loader.PowershellLoader-10036544-0 

Win.Loader.HtaAgent-10036545-0 

Win.Loader.DonutLoader-10036546-0

**IOCs **

IOCs for this research can be found in our GitHub repository here.

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

Cybersecurity researchers have discovered a number of suspicious packages published to the npm registry that are designed to harvest Ethereum private keys and gain remote access to the machine via the secure shell (SSH) protocol.
The packages attempt to "gain SSH access to the victim's machine by writing the attacker’s SSH public key in the root user’s authorized_keys file," software supply

Vulnerability / Supply Chain

Cybersecurity researchers have discovered a number of suspicious packages published to the npm registry that are designed to harvest Ethereum private keys and gain remote access to the machine via the secure shell (SSH) protocol.

The packages attempt to "gain SSH access to the victim's machine by writing the attacker's SSH public key in the root user's authorized\_keys file," software supply chain security company Phylum said in an analysis published last week.

The list of packages, which aim to impersonate the legitimate ethers package, identified as part of the campaign are listed as follows -

*   ethers-mew (62 downloads)
*   ethers-web3 (110 downloads)
*   ethers-6 (56 downloads)
*   ethers-eth (58 downloads)
*   ethers-aaa (781 downloads)
*   ethers-audit (69 downloads)
*   ethers-test (336 downloads)

Some of these packages, most of which have been published by accounts named "crstianokavic" and "timyorks," are believed to have been released for testing purposes, as most of them carry minimal changes across them. The latest and the most complete package in the list is ethers-mew.

This is not the first time rogue packages with similar functionality have been discovered in the npm registry. In August 2023, Phylum detailed a package named ethereum-cryptographyy, a typosquat of a popular cryptocurrency library that exfiltrated the users' private keys to a server in China by introducing a malicious dependency.

The latest attack campaign embraces a slightly different approach in that the malicious code is embedded directly into the packages, allowing threat actors to siphon the Ethereum private keys to the domain "ether-sign\[.\]com" under their control.

What makes this attack a lot more sneaky is the fact that it requires the developer to actually use the package in their code – such as creating a new Wallet instance using the imported package – unlike typically observed cases where simply installing the package is enough to trigger the execution of the malware.

In addition, the ethers-mew package comes with capabilities to modify the "/root/.ssh/authorized\_keys" file to add an attacker-owned SSH key and grant them persistent remote access to the compromised host.

"All of these packages, along with the authors' accounts, were only up for a very short period of time, apparently removed and deleted by the authors themselves," Phylum said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious npm Packages Target Developers' Ethereum Wallets with SSH Backdoor

Russia-linked hackers have taken aim at Japan, following its ramping up of military exercises with regional allies and the increase of its defense budget.

Source: StudioProX via Shutterstock

Two Russian hacking groups leveled distributed denial-of-service (DDoS) attacks at Japanese logistics and shipbuilding firms — as well as government and political organizations — in what experts believe are attempts to pressure the Japanese government. The attacks came after lawmakers boosted the nation's defense budget, and its military conducted exercises with regional allies.

The two pro-Russian cyberthreat groups — NoName057(16) and the Russian Cyber Army Team — started attacking Japanese targets on Oct. 14, with more than half of the attacks targeting logistics, shipbuilding, and manufacturing firms, according to network-monitoring firm Netscout. The groups, especially NoName057(16), have made a name for themselves by attacking Ukrainian and European targets following Russia's invasion of Ukraine.

In the latest spate of attacks, the groups targeted Japanese industry and government agencies after the Ministry of Foreign Affairs of the Russian Federation expressed concern over the ramp-up of Japan's military, says Richard Hummel, director of threat intelligence for Netscout.

"Japan had their elections last week, and the leader that took over is no fan of Russia and, in fact, has been very vocal about supporting Ukraine and sending aid," he says. "Japan is also working with the US military on joint exercises and ballistics missiles testing — these are the \[regional events\] that NoName057 will go after."

Related:Hong Kong Crime Ring Swindles Victims Out of $46M

With geopolitical rivalries with China and Russia heating up, Japan is in the midst of its largest military buildup since World War II. In December 2022, the nation unveiled a five-year $320 billion plan that includes long-range cruise missiles that could hit targets in China, North Korea, and Russia. The move marked a significant shift away from Japan's self-defense-only policy, with the government continuing the move by increasing military spending by 16% this year.

On Oct. 17, Japan's Deputy Chief Cabinet Secretary Kazuhiko Aoki said the government is investigating the DDoS attacks.

More than half of the attacks targeted the logistics and manufacturing sector, while nearly a third targeted government agencies and political organizations in Japan, Netscout stated in its analysis.

The Russian group "has leveraged every attack capability of the DDoSia botnet, employing a wide range of direct-path attack vectors against multiple targets," the analysis stated. "As of this writing, approximately 40 targeted Japanese domains have been identified. On average, each domain is hit by three attack waves, utilizing four distinct DDoS attack vectors, utilizing approximately 30 different attack configurations to maximize attack impact."

Related:Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

**Hacktivists and the Resurgence of DDoS**

The attacks mark the latest shift in DDoS attacks. In the past, 85% to 90% of such attacks originated in the gaming world, with players targeting other players, Netscout's Hummel says. Over the past few years, while many hacktivism attacks amounted to little more than PR stunts, cybercriminals have increasingly used DDoS attacks to cause outages in business operations to support a cause or monetize a botnet — sometimes, both.

US authorities recently charged two Sudanese brothers — 22-year-old Ahmed Salah Yousif Omer and 27-year-old Alaa Salah Yusuuf Omer — following more than 35,000 DDoS attacks during the past 18 months, which targeted government agencies, a major Los Angeles-area hospital, and technology companies. The US Department of Justice charged one of the two brothers with three counts of damage to a protected computer, and the indictment included his message taking credit for "any damage to the hospital ... and their health systems + any collateral damage," according to a federal indictment.

The impact of a DDoS attack on the ability of connected medical devices to operate means that increasingly they will have physical impacts, Hummel says.

Related:DPRK's APT37 Targets Cambodia With Khmer, 'VeilShell' Backdoor

The brother was "charged with essentially attempted murder, because they were taking down hospital infrastructure where people needed life-saving technology," he says. "If the Internet goes down, then \[these connected medical devices\] stop functioning, they stop checking in."

**Definitively Russian? Nyet**

Both NoName057 and the Russian Cyber Army Team obviously pursue priorities expressed by the Russian government, but that does not necessarily mean they are a military or intelligence agency operation, Hummel says.

Overall, the groups have claimed 60 attacks against 19 different targets in the weeks following the criticism of Japan's accelerated military buildup by Russia's Minister of Foreign Affairs. In a Telegram post, NoName057(16) confirmed the link.

"Particular discontent was caused by the participation of non-regional NATO member countries in the maneuvers, which, in Russia's opinion, increases the threat and is unacceptable," they stated in the Telegram post (machine translated from Russian). "We punish Russophobic Japan and remind you that any measures directed against Russia may end badly."

The groups' attacks against Japan match with previous targeting against any critic of Russia or its strategy, Hummel says.

"I can't say definitively if they are part of the Russian government ... or if any agency is giving them direct instructions," he says. "What I can tell you is that all of the targeting is against groups that are anti-Russia or anti-Muslim. And oftentimes, it's usually going to be in that political sphere when people are vocal about their support of anybody against Russia."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Russia-Linked Hackers Attack Japan's Govt, Ports

Donald Trump's opposition to “woke” safety standards for artificial intelligence would likely mean the dismantling of regulations that protect Americans from misinformation, discrimination, and worse.

If Donald Trump wins the US presidential election in November, the guardrails could come off of artificial intelligence development, even as the dangers of defective AI models grow increasingly serious.

Trump’s election to a second term would dramatically reshape—and possibly cripple—efforts to protect Americans from the many dangers of poorly designed artificial intelligence, including misinformation, discrimination, and the poisoning of algorithms used in technology like autonomous vehicles.

The federal government has begun overseeing and advising AI companies under an executive order that President Joe Biden issued in October 2023. But Trump has vowed to repeal that order, with the Republican Party platform saying it “hinders AI innovation” and “imposes Radical Leftwing ideas” on AI development.

Trump’s promise has thrilled critics of the executive order who see it as illegal, dangerous, and an impediment to America’s digital arms race with China. Those critics include many of Trump’s closest allies, from X CEO Elon Musk and venture capitalist Marc Andreessen to Republican members of Congress and nearly two dozen GOP state attorneys general. Trump’s running mate, Ohio senator JD Vance, is staunchly opposed to AI regulation.

“Republicans don't want to rush to overregulate this industry,” says Jacob Helberg, a tech executive and AI enthusiast who has been dubbed “Silicon Valley’s Trump whisperer.”

But tech and cyber experts warn that eliminating the EO’s safety and security provisions would undermine the trustworthiness of AI models that are increasingly creeping into all aspects of American life, from transportation and medicine to employment and surveillance.

The upcoming presidential election, in other words, could help determine whether AI becomes an unparalleled tool of productivity or an uncontrollable agent of chaos.

**Oversight and Advice, Hand in Hand**

Biden’s order addresses everything from using AI to improve veterans’ health care to setting safeguards for AI’s use in drug discovery. But most of the political controversy over the EO stems from two provisions in the section dealing with digital security risks and real-world safety impacts.

One provision requires owners of powerful AI models to report to the government about how they’re training the models and protecting them from tampering and theft, including by providing the results of “red-team tests” designed to find vulnerabilities in AI systems by simulating attacks. The other provision directs the Commerce Department’s National Institute of Standards and Technology (NIST) to produce guidance that helps companies develop AI models that are safe from cyberattacks and free of biases.

Work on these projects is well underway. The government has proposed quarterly reporting requirements for AI developers, and NIST has released AI guidance documents on risk management, secure software development, synthetic content watermarking, and preventing model abuse, in addition to launching multiple initiatives to promote model testing.

Supporters of these efforts say they’re essential to maintaining basic government oversight of the rapidly expanding AI industry and nudging developers toward better security. But to conservative critics, the reporting requirement is illegal government overreach that will crush AI innovation and expose developers’ trade secrets, while the NIST guidance is a liberal ploy to infect AI with far-left notions about disinformation and bias that amount to censorship of conservative speech.

At a rally in Cedar Rapids, Iowa, last December, Trump took aim at Biden’s EO after alleging without evidence that the Biden administration had already used AI for nefarious purposes.

“When I’m reelected,” he said, “I will cancel Biden’s artificial intelligence executive order and ban the use of AI to censor the speech of American citizens on Day One.”

**Due Diligence or Undue Burden?**

Biden’s effort to collect information about how companies are developing, testing, and protecting their AI models sparked an uproar on Capitol Hill almost as soon as it debuted.

Congressional Republicans seized on the fact that Biden justified the new requirement by invoking the 1950 Defense Production Act, a wartime measure that lets the government direct private-sector activities to ensure a reliable supply of goods and services. GOP lawmakers called Biden’s move inappropriate, illegal, and unnecessary.

Conservatives have also blasted the reporting requirement as a burden on the private sector. The provision “could scare away would-be innovators and impede more ChatGPT-type breakthroughs,” Representative Nancy Mace said during a March hearing she chaired on “White House overreach on AI.”

Helberg says a burdensome requirement would benefit established companies and hurt startups. He also says Silicon Valley critics fear the requirements “are a stepping stone” to a licensing regime in which developers must receive government permission to test models.

Steve DelBianco, the CEO of the conservative tech group NetChoice, says the requirement to report red-team test results amounts to de facto censorship, given that the government will be looking for problems like bias and disinformation. “I am completely worried about a left-of-center administration … whose red-teaming tests will cause AI to constrain what it generates for fear of triggering these concerns,” he says.

Conservatives argue that any regulation that stifles AI innovation will cost the US dearly in the technology competition with China.

“They are so aggressive, and they have made dominating AI a core North Star of their strategy for how to fight and win wars,” Helberg says. “The gap between our capabilities and the Chinese keeps shrinking with every passing year.”

**“Woke” Safety Standards**

By including social harms in its AI security guidelines, NIST has outraged conservatives and set off another front in the culture war over content moderation and free speech.

Republicans decry the NIST guidance as a form of backdoor government censorship. Senator Ted Cruz recently slammed what he called NIST’s “woke AI ‘safety’ standards” for being part of a Biden administration “plan to control speech” based on “amorphous” social harms. NetChoice has warned NIST that it is exceeding its authority with quasi-regulatory guidelines that upset “the appropriate balance between transparency and free speech.”

Many conservatives flatly dismiss the idea that AI can perpetuate social harms and should be designed not to do so.

“This is a solution in search of a problem that really doesn't exist,” Helberg says. “There really hasn’t been massive evidence of issues in AI discrimination.”

Studies and investigations have repeatedly shown that AI models contain biases that perpetuate discrimination, including in hiring, policing, and health care. Research suggests that people who encounter these biases may unconsciously adopt them.

Conservatives worry more about AI companies’ overcorrections to this problem than about the problem itself. “There is a direct inverse correlation between the degree of wokeness in an AI and the AI's usefulness,” Helberg says, citing an early issue with Google’s generative AI platform.

Republicans want NIST to focus on AI’s physical safety risks, including its ability to help terrorists build bioweapons (something Biden’s EO does address). If Trump wins, his appointees will likely deemphasize government research on AI’s social harms. Helberg complains that the “enormous amount” of research on AI bias has dwarfed studies of “greater threats related to terrorism and biowarfare.”

**Defending a “Light-Touch Approach”**

AI experts and lawmakers offer robust defenses of Biden’s AI safety agenda.

These projects “enable the United States to remain on the cutting edge” of AI development “while protecting Americans from potential harms,” says Representative Ted Lieu, the Democratic cochair of the House’s AI task force.

The reporting requirements are essential for alerting the government to potentially dangerous new capabilities in increasingly powerful AI models, says a US government official who works on AI issues. The official, who requested anonymity to speak freely, points to OpenAI’s admission about its latest model’s “inconsistent refusal of requests to synthesize nerve agents.”

The official says the reporting requirement isn’t overly burdensome. They argue that, unlike AI regulations in the European Union and China, Biden’s EO reflects “a very broad, light-touch approach that continues to foster innovation.”

Nick Reese, who served as the Department of Homeland Security’s first director of emerging technology from 2019 to 2023, rejects conservative claims that the reporting requirement will jeopardize companies’ intellectual property. And he says it could actually benefit startups by encouraging them to develop “more computationally efficient,” less data-heavy AI models that fall under the reporting threshold.

AI’s power makes government oversight imperative, says Ami Fields-Meyer, who helped draft Biden’s EO as a White House tech official.

“We’re talking about companies that say they’re building the most powerful systems in the history of the world,” Fields-Meyer says. “The government’s first obligation is to protect people. ‘Trust me, we’ve got this’ is not an especially compelling argument.”

Experts praise NIST’s security guidance as a vital resource for building protections into new technology. They note that flawed AI models can produce serious social harms, including rental and lending discrimination and improper loss of government benefits.

Trump’s own first-term AI order required federal AI systems to respect civil rights, something that will require research into social harms.

The AI industry has largely welcomed Biden’s safety agenda. “What we're hearing is that it’s broadly useful to have this stuff spelled out,” the US official says. For new companies with small teams, “it expands the capacity of their folks to address these concerns.”

Rolling back Biden’s EO would send an alarming signal that “the US government is going to take a hands off approach to AI safety,” says Michael Daniel, a former presidential cyber adviser who now leads the Cyber Threat Alliance, an information sharing nonprofit.

As for competition with China, the EO’s defenders say safety rules will actually help America prevail by ensuring that US AI models work better than their Chinese rivals and are protected from Beijing’s economic espionage.

**Two Very Different Paths**

If Trump wins the White House next month, expect a sea change in how the government approaches AI safety.

Republicans want to prevent AI harms by applying “existing tort and statutory laws” as opposed to enacting broad new restrictions on the technology, Helberg says, and they favor “much greater focus on maximizing the opportunity afforded by AI, rather than overly focusing on risk mitigation.” That would likely spell doom for the reporting requirement and possibly some of the NIST guidance.

The reporting requirement could also face legal challenges now that the Supreme Court has weakened the deference that courts used to give agencies in evaluating their regulations.

And GOP pushback could even jeopardize NIST’s voluntary AI testing partnerships with leading companies. “What happens to those commitments in a new administration?” the US official asks.

This polarization around AI has frustrated technologists who worry that Trump will undermine the quest for safer models.

“Alongside the promises of AI are perils,” says Nicol Turner Lee, the director of the Brookings Institution’s Center for Technology Innovation, “and it is vital that the next president continue to ensure the safety and security of these systems.”

A Trump Win Could Unleash Dangerous AI

A new document shows the Department of Homeland Security is concerned that Chinese investment in lithium batteries to power energy grids will make them a threat to US supply chain security.

Analysts at the US Department of Homeland Security shared an internal report to local agencies in August, warning them about the economic risks of using Chinese utility storage batteries. It warns that the dependence on Chinese batteries could hurt developing a secure supply chain in the US.

The document, first obtained by national security transparency nonprofit Property of the People and seen by WIRED, accuses Chinese companies of “using People’s Republic of China state support to quickly and cheaply enter the emerging US utility battery energy storage industry and create supply chain dependencies on China,” and asks that any suspicious activity be reported.

Specifically, the report alleges three companies—Contemporary Amperex Technology Co. Limited (CATL), Build Your Dreams (BYD), and Ruipu Energy Co. Ltd. (REPT)—have “benefited from the various forms of state support and leveraged this to further business strategies for gaining US market share.”

Currently, CATL and BYD lead the global energy storage battery market by far, with 40 percent and 12 percent market shares, respectively, according to South Korean energy research firm SNE Research. Eight out of the 10 top companies in the industry are from China, so there are few alternatives to turn to when building grid storage.

The report says it builds on previous documents that analyzed Chinese “state-supported firms’ use of noncompetitive tactics in the electric vehicle and battery supply chains.” DHS did not respond to a request for further comment.

In 2022, CATL entered a deal with Primergy Solar to build the largest US solar and storage project in Nevada, which came online this year. Its battery products have also been used by Duke Energy, a North Carolina–based utility company, although the latter dropped CATL as a supplier for marine base electricity storage after concerns around national security were raised by, in part, lawmakers in Washington.

In an emailed statement, Fred Zhang, a CATL spokesperson, rejects the categorization that the firm has relied on state support to gain an edge. “CATL has achieved tremendous growth through continuous innovation, farsighted strategic planning, and a commitment to high-quality products at a reasonable cost,” the statement says.

BYD and REPT did not reply to WIRED’s request for comment.

Following efforts to curb Chinese EV companies’ competitiveness, the US government is now also concerned about how domestic utility companies could become too dependent on Chinese batteries for energy storage.

The US government has in recent years started to catch up in the battery industry. The Inflation Reduction Act and the Bipartisan Infrastructure Bill set out investment tax credits and other economic incentives to build up energy storage capacity in the country. In September it awarded another $3 billion in incentives to projects that boost domestic production of batteries.

These incentives are also the focus of the DHS report, which alleges that Chinese-based firms are targeting US incentives to further grow their market share. “BYD’s public website as of spring 2023 highlighted how US state incentives can make BYD utility storage systems an attractive investment,” the report claims. (WIRED was unable to find the BYD website referenced in the report.)

The CATL spokesperson says the company “does not receive any US federal or state incentives.”

As the US utility grids incorporate more renewable energy sources like solar and wind, it’s essential to build up a battery storage capacity that can store intermittent energy supply for times of heightened demand. And Chinese companies have dominated the global industry of producing lithium batteries for this job. These companies make over 80 percent of the EV battery cells in the world, and they had plans to invest another $2 trillion in 2023 into new production capacities inside and outside the country.

“Chinese original equipment manufacturers currently supply about 90 percent of the energy storage system batteries, actually a larger share than for EVs,” says Vanessa Witte, a senior research analyst at Wood Mackenzie who focuses on US energy storage. “There is a huge oversupply right now, partly due to softening EV demand, along with a number of Tier 2 and Tier 3 OEMs that have started new manufacturing facilities. The excess supply is a big reason the prices are so low.”

These batteries are essential for global energy transition, and Chinese battery companies see them as an opportunity to widen their product markets. They’ve become such an important industry that the Chinese central government emphasized their importance for the first time in its annual government report in March.

The battery supply chain has also emerged as one of the top economic and security concerns around China in the eyes of the US government. The Biden administration has so far raised a 25 percent tariff on Chinese-made lithium-ion EV batteries (and even higher for the EVs they power.) The government has also repeatedly sounded alarms about the national security threats of having Chinese-made equipment and parts in domestic infrastructure.

So far, the particular conversations around energy storage batteries have mostly surrounded cybersecurity, worried that the components could contain backdoor access for hacking like those that have been suspected in Chinese-made port cranes. Those concerns are “a bit overstated,” Witte says. “There haven’t been any incidents that would lend one to believe the battery management system is sending data to China or could disrupt our infrastructure.”

There have been several political efforts to restrict the use of Chinese-made batteries in the US. The pentagon will be the first to be banned from buying batteries from six Chinese companies, in an order which will become effective in 2027, but some congressmembers are still asking for CATL and other Chinese companies to be added to trade blacklists, and there’s a bill in Congress that would ban DHS from procuring Chinese batteries.

But the DHS report shows that the government is also looking at whether the dominance of Chinese batteries can be an economic issue.

“It is simplistic to see this as just unfair competition due to Chinese government support, as a lot of what China did, such as creating demand for batteries through EV subsidies, is not unlike what we see in the West today,” says Yayoi Sekine, head of energy storage research at BloombergNEF.

The pricing advantage that Chinese battery companies have are also the results of harsh market competition and a more established battery supply chain in China, she says, and these battery companies are willing to squeeze their own margins in exchange for keeping their market shares. “We think the US government's attempts to support a healthy battery industry domestically has been incredibly generous through the incentives in the Inflation Reduction Act and the Bipartisan Infrastructure Law,” says Sekine, “but it may still be challenging to compete on cost.”

US Government Says Relying on Chinese Lithium Batteries Is Too Risky

A nascent threat actor known as Crypt Ghouls has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware with the twin goals of disrupting business operations and financial gain.
"The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others,"

Network Security / Data Breach

A nascent threat actor known as **Crypt Ghouls** has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware with the twin goals of disrupting business operations and financial gain.

"The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others," Kaspersky said. "As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk."

Victims of the malicious attacks span government agencies, as well as mining, energy, finance, and retail companies located in Russia.

The Russian cybersecurity vendor said it was able to pinpoint the initial intrusion vector in only two instances, with the threat actors leveraging a contractor's login credentials to connect to the internal systems via VPN.

The VPN connections are said to have originated from IP addresses associated with a Russian hosting provider's network and a contractor's network, indicating an attempt to fly under the radar by weaponizing trusted relationships. It's believed that the contractor networks are breached by means of VPN services or unpatched security flaws.

The initial access phase is succeeded by the use of NSSM and Localtonet utilities to maintain remote access, with follow-on exploitation facilitated by tools such as follows -

*   XenAllPasswordPro to harvest authentication data
*   CobInt backdoor
*   Mimikatz to extract victims' credentials
*   dumper.ps1 to dump Kerberos tickets from the LSA cache
*   MiniDump to extract login credentials from the memory of lsass.exe
*   cmd.exe to copy credentials stored in Google Chrome and Microsoft Edge browsers
*   PingCastle for network reconnaissance
*   PAExec to run remote commands
*   AnyDesk and resocks SOCKS5 proxy for remote access

The attacks end with the encryption of system data using publicly available versions of LockBit 3.0 for Windows and Babuk for Linux/ESXi, while also taking steps to encrypt data present in the Recycle Bin to inhibit recovery.

"The attackers leave a ransom note with a link containing their ID in the Session messaging service for future contact," Kaspersky said. "They would connect to the ESXi server via SSH, upload Babuk, and initiate the encryption process for the files within the virtual machines."

Crypt Ghouls' choice of tools and infrastructure in these attacks overlaps with similar campaigns conducted by other groups targeting Russia in recent months, including MorLock, BlackJack, Twelve, Shedding Zmiy (aka ExCobalt)

"Cybercriminals are leveraging compromised credentials, often belonging to subcontractors, and popular open-source tools," the company said. "The shared toolkit used in attacks on Russia makes it challenging to pinpoint the specific hacktivist groups involved."

"This suggests that the current actors are not only sharing knowledge but also their toolkits. All of this only makes it more difficult to identify specific malicious actors behind the wave of attacks directed at Russian organizations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#backdoor