Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the Grandoreiro banking trojan. 
"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute '

Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the **Grandoreiro** banking trojan.

"In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler said in a report.

The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain.

Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archive, from which is extracted a loader that masquerades as a PDF document to trigger the execution.

The phishing messages prominently incorporate themes revolving around payment refunds, litigation notifications, cancellation of mortgage loans, and deposit vouchers, to activate the infections.

"This \[loader\] is responsible for downloading, extracting and executing the final 400MB 'Grandoreiro' payload from a Remote HFS server which further communicates with the \[command-and-control\] Server using traffic identical to LatentBot," Zscaler researcher Niraj Shivtarkar said.

That's not all. The loader is also designed to gather system information, retrieve a list of installed antivirus solutions, cryptocurrency wallets, banking, and mail apps, and exfiltrate the information to a remote server.

Observed in the wild for at least six years, Grandoreiro is a modular backdoor with an array of functionalities that allows it to record keystrokes, execute arbitrary commands, mimic mouse and keyboard movements, restrict access to specific websites, auto-update itself, and establish persistence via a Windows Registry change.

What's more, the malware is written in Delphi and utilizes techniques like binary padding to inflate the binary size by 200MB, CAPTCHA implementation for sandbox evasion, and C2 communication using subdomains generated via a domain generation algorithm (DGA).

The CAPTCHA technique, in particular, requires the manual completion of the challenge-response test to execute the malware in the compromised machine, meaning that the implant is not run unless and until the CAPTCHA is solved by the victim.

The findings suggest that Grandoreiro is continuously evolving into a sophisticated malware with novel anti-analysis characteristics, granting the attackers full remote access capabilities and posing significant threats to employees and their organizations.

The development also arrives a little over a year after Spanish law enforcement agencies apprehended 16 individuals belonging to a criminal network in connection with operating Mekotio and Grandoreiro in July 2021.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

Plus: The Twilio hack snags a reporter, a new tool to check for spyware, and the Canadian weed pipeline gets hit by a cyberattack.

A new jailbreak for John Deere tractors, demonstrated at the Defcon security conference in Las Vegas last Saturday, put a spotlight on the strength of the right-to-repair movement as it continues to gain momentum in the United States. Meanwhile, researchers are developing expanded tools for detecting spyware on Windows, Mac, and Linux computers as the malware continues to proliferate. 

WIRED took a deep look this week at the Posey family that wielded the Freedom of Information Act to learn more about the US Department of Defense and promote transparency—and make millions in the process. And researchers found a potentially crucial flaw in the Veterans Affairs department's VistA electronic medical record system that has no easy fix.

If you need some digital security and privacy projects this weekend for your own protection, we've got tips on how to create a secure folder on your phone, how to set up and most safely use the Signal encrypted messaging app, and Android 13 privacy setting tips to keep your data exactly where you want it and nowhere you don't. 

And there's more. Each week, we highlight the news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories. And stay safe out there.

The Janet Jackson classic “Rhythm Nation” may be from 1989, but it’s still blowing up the charts—and some hard drives. This week, Microsoft shared details of a vulnerability in a widely used 5400-RPM laptop hard drive sold around 2005. Just by playing “Rhythm Nation” on or near a vulnerable laptop, the disk can crash and take its laptop down with it. Spinning disk hard drives have been increasingly phased out in favor of solid-state drives, but they still persist in a host of devices around the world. The flaw, which has its own CVE vulnerability tracking number, is due to the fact that “Rhythm Nation” inadvertently produces one of the natural resonant frequencies created by the movement in the hard drive. Who wouldn’t vibe hard with such a classic jam? Microsoft says the manufacturer that made the drives developed a special filter for the audio processing system to detect and quash the frequency when the song was playing. Audio hacks that manipulate speakers, grab information leaked in vibrations, or exploit resonant frequency vulnerabilities aren’t discovered often in research but are an intriguing area. 

When the cloud services company Twilio announced last week that it had been breached, one of its customers that suffered knock-on effects was the secure messaging service Signal. Twilio underpins Signal's device verification service. When a Signal user registers a new device, Twilio is the provider that sends the SMS text with a code for the user to put into Signal. Once they had compromised Twilio, attackers could initiate a Signal device swap, read the code from the SMS sent to the real account owner, and then take control of the Signal account. The secure messaging service said that the hackers targeted 1,900 of its users and explicitly searched for three. Among that tiny subset was the Signal account of Motherboard security reporter Lorenzo Franceschi-Bicchierai. Signal is built so the attackers could not have seen Franceschi-Bicchierai's message history or contacts by compromising his account, but they may have impersonated him and sent new messages from his account.

TechCrunch published an investigation in February into a group of spyware apps that all share backend infrastructure and expose targets’ data because of a shared vulnerability. The apps, which include TheTruthSpy, are invasive to begin with. But they're also inadvertently exposing the phone data of hundreds of thousands of Android users, TechCrunch reported, because of an infrastructure vulnerability. This week, though, TechCrunch published a tool victims can use to check whether their devices have been compromised with the spyware and take back control. “In June, a source provided TechCrunch with a cache of files dumped from the servers of TheTruthSpy’s internal network,” TechCrunch’s Zack Whittaker wrote. “That cache of files included a list of every Android device that was compromised by any of the spyware apps in TheTruthSpy’s network up to April 2022, which is presumably when the data was dumped. The leaked list does not contain enough information for TechCrunch to identify or notify owners of compromised devices. That’s why TechCrunch built this spyware lookup tool.”

Domain Logistics, a distribution company that works with the Ontario Cannabis Store (OCS) in Canada, was hacked on August 5, limiting OCS’s ability to process orders and deliver weed products to stores and customers around Ontario. OCS said there was no evidence that customer data had been compromised in the attack on Domain Logistics. OCS also says that cybersecurity consultants are investigating the incident. Customers in Ontario can order online from OCS, which is government-backed. The company also distributes to the roughly 1,330 licensed cannabis stores in the province. “Out of an abundance of caution to protect OCS and its customers, the decision was made to shut down Domain Logistics’ operations until a full forensic investigation could be completed,” OCS said in a statement.

Janet Jackson’s ‘Rhythm Nation’ Can Crash Old Hard Drives

The countermeasure, which compares the time and voltage at which circuits are activated, is being implemented in 12th Gen Intel Core processors.

Intel has developed and incorporated a circuit into its latest line of PC chips that can detect when attackers are using motherboard exploits to extract information from PC devices.

The "tunable replica circuit" on the latest Intel chips can detect attempts to glitch systems through voltage, clock, or electromagnetic techniques, Intel said during Black Hat. Attackers use these techniques to insert their own firmware and take control of the device.

"Every semiconductor ever produced is vulnerable to these attacks. The question is, how easy is it to exploit? We've just made it a lot harder to exploit because we detect these attacks," says Daniel Nemiroff, senior principal engineer at Intel.

The circuit is being implemented in Alder Lake, the 12th Gen Intel Core processors, which are used in laptops. Servers may get this technology at a later date, Nemiroff says.

**The Circuit's Inner Workings**

Typically, when a computer turns on, the silicon's power management controller waits for the voltage to ramp to a certain value before it starts activating components. For example, the power management controller activates the security engine, the USB controller, and other circuits when they reach their voltage values.

Under normal operations, once the microcontrollers activate, the security engine loads its firmware. In this motherboard hack, attackers attempt to trigger an error condition by lowering the voltage. The resulting glitch gives attackers the opportunity to load malicious firmware, which provides full access to information such as biometric data stored in trusted platform module circuits.

The tunable replica circuit protects systems against such attacks. Nemiroff describes the circuit as a countermeasure to prevent the hardware attack by matching the time and corresponding voltage at which circuits on a motherboard are activated. If the values don't match, the circuit detects an attack and generates an error, which will cause the chip's security layer to activate a failsafe and go through a reset.

"The only reason that could be different is because someone had slowed down the data line so much that it was an attack," Nemiroff says.

Such attacks are challenging to execute because attackers need to get access to the motherboard and attach components, such as voltage regulators, to execute the hack. The attackers will also need to know the exact time at which to mount a voltage glitch and what voltage they should drive to the pin.

"It's practical in the sense that if someone has stolen your machine from a taxi \[and\] brings it to their lab, they've got all the time in the world to open the laptop and then solder the right voltage generator lines to the machine itself," Nemiroff said.

That is the reason why the circuit is currently being integrated into chips used for laptops and not servers and desktops. Servers and desktops are not as portable and, thus, harder to steal, Nemiroff says.

**Deploying Countermeasures**

While no evidence of a motherboard exploit used in this manner exists, defenses need to be incorporated now, before attacks become widespread.

"There's no recorded exploit of an Intel PC system using these attacks, but there are various examples of other devices that have been attacked that are more interesting, like discrete TPMs and smart cards," Nemiroff says.

Glitching the security of a system isn't novel; it has existed in pay TV and smart cards for more than two decades, said Dmitry Nedospasov, who runs hardware security services provider Toothless Consulting and Advanced Security Training, which provides information security training.

Intel is adding system countermeasures to its platform controller hub, not its CPU. It's not clear to what extent the countermeasure implemented in the controller hub would be capable of protecting the system.

"The threat model is not clear and so is the reason why this mitigation is required," Nedospasov said.

As to the effectiveness of the circuit, it will be hard to verify whether it works without some kind of peer review, Nedospasov said.

"It's not clear what will and will not work in practice," Nedospasov said.

A lot of the patents on hardware countermeasures for chips were created in the 1990s and early 2000s, many of which came from pay TV.

"What this also means is that the 20-year patent periods have already expired or are expiring in the coming years. Many in the industry believe that we can expect more and more hardware countermeasures as manufacturers will no longer have to license the patents to implement these protections," Nedospasov said.

It is possible customers are putting pressure on Intel to shore up its on-chip security mechanisms, Nedospasov said.

"The bar is being raised and people are running out of software and firmware attacks, but they are going to come at us with hardware attacks. We figure this is the right time to deploy those kinds of countermeasures," Nemiroff said.

Intel Adds New Circuit to Chips to Ward Off Motherboard Exploits

Emerson Electric's Proficy Machine Edition Version 9.00 and prior is vulenrable to CWE-353 Missing Support for Integrity Check, and has no authentication or authorization of data packets after establishing a connection for the SRTP protocol.

CVE-2022-2793

Threat Roundup for August 12 to August 19

The fact that the flaws enable remote code execution, exist across all major Apple OS technologies, and are being actively exploited heightens the need for a quick response.

Security researchers are urging users of Apple Mac, iPhone, and iPad devices to immediately update to newly released versions of the operating systems for each technology, to mitigate risk from two critical vulnerabilities in them that attackers are actively exploiting.

The zero-day flaws allow threat actors to take complete control of affected devices. They impact users of iPhone 6s and later, all models of iPad Pro, iPod touch (7th generation), iPad Ai2 and later, iPad 5th generation and later, and iPad mini 4 and later. Also affected are users with Macs running macOS Monterey, macOS Big Sur, and macOS Catalina. Apple disclosed the vulnerabilities and the updates addressing them on Wednesday.

**Remote Code Execution Flaws**

One of the zero-days (CVE-2022-32893) exists in WebKit, Apple's browser engine for Safari and for all iOS and iPadOS Web browsers. Apple described the flaw as tied to an out-of-bounds write issue that attackers could use to remotely take control of vulnerable devices. "Processing maliciously crafted web content may lead to arbitrary code execution," Apple warned in one of its typically terse vulnerability disclosures this week. "Apple is aware of a report that this issue may have been actively exploited," the company noted.

The other vulnerability (CVE-2022-32894) is also an out-of-bounds write flaw that gives attackers a way to execute code with kernel-level privileges on vulnerable devices. Such vulnerabilities allow attackers to gain complete access to the underlying hardware. The company said it is aware of reports of attackers actively exploiting the bug.

Apple said it had implemented "improved bounds checking" in iOS 15.6.1, iPadOS 15.6.1, macOS Monterey 12.5.1, and Safari 15.6.1 to address both issues.

Lisa Plaggemier, executive director of the National Cybersecurity Alliance, said the widespread use of Apple's technologies puts both businesses and consumers at risk from the vulnerabilities. "While cyber criminals will no doubt try to access personal information about consumers, accessing a business often has significantly more upside for malicious actors," she says.

**WebKit Flaw Has Wider Impact**

In a blog, Sophos identified CVE-2022-32893 as having potentially the wider impact compared to the other flaw that Apple disclosed this week. The flaw gives attackers a way to set up "booby-trapped" Web pages that can trick Macs, iPhones, and iPads into running untrusted software. "Simply put, a cybercriminal could implant malware on your device even if all you did was to view an otherwise innocent web page," the security vendor said.

The flaw has widespread impact because WebKit powers all Web rendering software on Apple's mobile devices and is used widely by Mac users as well. The vulnerability impacts more applications and systems components than just the Safari browser itself, so steering clear of the browser alone is not enough to mitigate risk, Sophos said.

"The WebKit component is particularly problematic, as it is the browser engine across all Apple software," says Rick Holland, chief information security officer and vice president of strategy at Digital Shadows. "Apple users should patch now. These updates need to be applied as soon as possible."

**Both Consumers & Organizations at Risk**

Like many others have noted about the sparse nature of software vendor vulnerability disclosures recently, Holland too said it would have been more useful for defenders if Apple had provided more context and details around the flaws.

"Apple is light on the technical details of this week's two zero-day vulnerabilities," he says. "However, it is never reassuring to see the phrase 'execute arbitrary code with kernel privileges'," as Apple's disclosure reads.

Defenders should push patches out immediately and send notifications that employees should be patching any personal iPhones, iPads, or Macs. These updates present a security awareness opportunity to discuss the risks to employees' lives and provide patching instructions, including how to enable automatic updates.

Mike Parkin, senior technical engineer at Vulcan Cyber, says there's not enough information to determine how easily attackers can exploit these vulnerabilities. But reports about the flaws being already used in the wild is concerning, he says, especially because they allow for remote code execution. Apple products are widely used both in enterprise and consumer markets, and often overlap for people who work in Bring Your Own Device (BYOD) environments, he says. Given that, and the relative lack of detail, it's hard to say who'll be more at risk.

"Organizations should deploy the appropriate controls to minimize the risk to their environments," Parkin advocates. "The ones that allow BYOD devices will face some additional challenges, as they'll need to address systems that they don't directly control."

Patch Now: 2 Apple Zero-Days Exploited in Wild

Apple Security Advisory 2022-08-18-1 - Safari 15.6.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-08-18-1 Safari 15.6.1

Safari 15.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213414.

WebKit  
Available for: macOS Big Sur and macOS Catalina  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

Safari 15.6.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL+gHUACgkQ4RjMIDke  
Nxm9eg/8CZFhmd5zgsQlwjn4R9kWVnIHCIzkhmjQGMzQ3C1FCiMwt+aDN2C1aYxN  
DiElfQy6ieI+4RNTxuNakhAQ0lS7F+TStHW9meblHkIA/qFfhBVxyaWZr+Hl0Bsw  
2K+0D9twK6xqh88hlvdm/GGEkEv8pKXKtzWaDoOdutXtasG6apc2nAMcqcWyN3SE  
hw+/PXhnxY5TNDQsz4wYsriichEPHIPJh3tCEgV2EvfsYx3GrX8Yga3T34GHwSj7  
H04Q3P1vNkdDDziFV7gZuWVXqKrpQxnReIKtZzffO0cW2x7lsSKw3H70yHlh2JLL  
yUDP28jJXOFGHD3izx+YHmFB4Q4dcHSVsil39Mq150s5iyJSkO2YDgWCyZBQ1tuB  
/dLIGuuQQtA3CqzBPSKneeeb0Cf5I6dnjh93R/aXLNiy+1AvizxJFOJ+EAlDCOxt  
o85iZxjWaGaQxng3qeA5nex5QWUvXRPyXoxyxnkfEeswv7PX6XLQXTASIo/Ug3E8  
KcIbtnkPatuwHt44eprrW6afaWhiY2IhiLKRFQeDm5vtYOr0FDAWGKl9bW203Frt  
2o6TVP9uXxZRIfMUmxBjdvNFScez49vlU6v+cIjj8UON/lWKZLkLDEFxfCWxlAWK  
eTc6a0tIAP5EMyd7EZdVhvxJSMxcCrXiO2iiS5TccIFZ5VvgZwA=t1cZ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-18-1

Apple Security Advisory 2022-08-17-1 - iOS 15.6.1 and iPadOS 15.6.1 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-08-17-1 iOS 15.6.1 and iPadOS 15.6.1iOS 15.6.1 and iPadOS 15.6.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213412.KernelAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: An application may be able to execute arbitrary code withkernel privileges. Apple is aware of a report that this issue mayhave been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.CVE-2022-32894: an anonymous researcherWebKitAvailable for: iPhone 6s and later, iPad Pro (all models), iPad Air 2and later, iPad 5th generation and later, iPad mini 4 and later, andiPod touch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: An out-of-bounds write issue was addressed with improvedbounds checking.WebKit Bugzilla: 243557CVE-2022-32893: an anonymous researcherThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.6.1 and iPadOS 15.6.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL9UiMACgkQ4RjMIDkeNxkiuw/+IhqxvCCS9q8hQMHDpFvVVmFdfO+7ukTVSpd12Cp5r0VGVP/zJOCecXR1cnFHIPx8zVZXzQzsa+lCSWhT+20qOiuCjpqWNVY9pCovCPds3r1hhL2/1H0KejGK2Ms910r+yxvEmhzz0MPk95d5+k+LaBPC1sfuNVTn9eUXImPDuLzLIyd8nW5khjNWspOIlS82VNBAcw8VQMxjgsiD6lhSsqvdkBPNhbI4/mMeIEXOOb+fRtHUOtorGLF2R1DzU1zmPLytcPGE+hxVXnR5F1z/+ea1DEWumvzSNfwja9HI2xPfmm9E8Pomq9lkSEW8cxlqAdKY2/cQ2B2I7ihJ3REfJjSnhXqTsuad1jVn9k1t8ZmKBWh6bgOQKQQg9BfIhcCeL398fmRUZQG1h6zo33MukUMMjfTgRjrjxhETLYCZQybjFAC4s98j2S0oyUpKaBUHc+tL/uupW01LwzP53SR2e4rBQhi+ACqiCEoJKAHYfJaj6YeblILiM6SaQdfbsiCzSIqM6nJLl5ZIYn6rXEEKGyGpKMAYXvc7FsR691DTQxMiQ8KcraoCwAerLzviWOF2tVNmDYkv5EFnXhSB4+uYzViSQhPKM8s2DRhP/WhxdVF3woRhIyHLq60SqKoFKvQwTVTugIFIR4cGfsfAbV7zCBhqH7+fKBGfLeTOBCH7ULE=SLRt-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-17-1

Apple Security Advisory 2022-08-17-2 - macOS Monterey 12.5.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-08-17-2 macOS Monterey 12.5.1

macOS Monterey 12.5.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213413.

Kernel  
Available for: macOS Monterey  
Impact: An application may be able to execute arbitrary code with  
kernel privileges. Apple is aware of a report that this issue may  
have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2022-32894: an anonymous researcher

WebKit  
Available for: macOS Monterey  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
WebKit Bugzilla: 243557  
CVE-2022-32893: an anonymous researcher

macOS Monterey 12.5.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmL9UiYACgkQ4RjMIDke  
NxkMiQ/+JkF0Octgd1/I72UFVdhIbUrvL+BkQdTWXfzrfGpFl3EOSUkvn+F3qmt4  
pAxtbKeg4T5VyJqGz+bQDOZ+VXGsO4w/9n0WWjEGA/P+BHkP2gUZLlhZQRq1XY5c  
gW8EBiUEA20qtz9s0AUFOtS8l6J1QStOhA5W6OWS4xJp4GTwFKSbZHDrHjACBoi1  
5XpFM0H5sbFG66C9Fb+p55BLWMBoyxbi8YiQIDmcZ7/+kNGSsBkfHtvSmoFaSVr1  
vP/2o2zEUburmKy9C9nUrXruJB6oqjWrkKfe2bbHOa9Zpf9zPcDyYXFbpJLYyAov  
R2h8pTppfxdPpuFKVht+MUpc9VnW8oZsuk0bWiI/D9dAOX1otoLE1599SXy/rXSU  
2SLeM+Uv4iiJGiNSfDuvcCCqhzCCUf2/pS8VTcnDZczsOGPLWROswzQ46yVWHIxO  
iCNH8iHliDo5UNzem+yza5hRgjDbArEjoP10zzx2AxFioQuJXWWEWIbcb966MKzs  
gL+DB2BqVhF+OScf+jC66BefgSndsGBfkKgulrZ1HOmJ2E/BwOCYKYrDQhtNEJbr  
dFjv8+cMO1vuqKb33p5rjzNIqucBYEuoLtIaXz1yJ5aF/3M5HVaqBgBFioQHUvKj  
zc/QF2P6Ue3AMhUkmkMkZVJRMYI966fFD9NMKjGz9H/gCm+8iN0JBQ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-08-17-2

APTs continue to exploit the dynamic job market and the persistent phenomenon of remote working, as explored by PwC at Black Hat USA.

Fake job offers have become a top phishing tactic for state-sponsored threat actors to lure in unsuspecting targets in the wake of the COVID-19 pandemic, as many reconsider their careers amid growing demand for skilled workers and managers.

The cyber-threat analyst team at PwC, which has followed a prime example of this (the Lazarus Group's Operation In(ter)ception) closely, presented a detailed account of the Lazarus campaign and how the group implemented the strategy during last week's Black Hat USA 2022 conference in Las Vegas.

PwC principal threat analyst Sveva Vittoria Scenarelli, who studies advanced persistent threats (APTs) in the Asia-Pacific region with an emphasis on North Korea, noted that the stakes are high.

"This is an espionage-motivated campaign that is incredibly persistent in targeting the aerospace sector, the defense industrial base, manufacturing chemical sector, for everything from military secrets to intellectual property to confidential information of strategic interest," Scenarelli explained during her presentation at Black Hat, called "Talent Need Not Apply: Tradecraft and Objectives of Job-themed APT Social Engineering."

The Cybersecurity & Infrastructure Security Agency (CISA) agrees, and has warned that the threat actors (aka APT38, Black Artemis, BlueNoroff, Hidden Cobra, and Stardust Chollima) "employ malicious cyberactivity to collect intelligence, conduct attacks, and generate revenue."

Scenarelli explained that Lazarus follows up with its targets via messaging apps such as WhatsApp.

This is "to make sure that the victims do open the malicious viewer documents or the malicious executables that the threat actor has sent," she said. "Black Artemis will also set up domains. This can be for command and control of its malicious implants to send emails that appear to come from on a legit site, or indeed to perform Web exploitation as an initial access method."

Scenarelli explained that Black Artemis creates domains that spoof prominent job search websites like Indeed, with attractive positions at high-profile companies such as Google and Oracle. She underscored that many sites look legitimate, though there are obvious signs they are fake. For instance, the Indeed decoy site URL is Indeed.US.org, she said. Scenarelli noted that the job descriptions disguised as .docx, .pdf, or .rtx files launch when the victims click on the documents, which may enable macros.

Similarly, Scenarelli recalled another attack by the group, which made off with $625 million in cryptocurrency. She warned that this variant, which PwC researchers call "Black Alicanto," is financially motivated and dangerous. In the wake of Microsoft recently disabling macros in Office documents, Scenarelli said this malware might use .lnk files, perhaps embedded in password-protected Microsoft Word documents.

"Threat actors are having to pivot a bit in their initial access techniques and using more and more .lnk files, ISO files, MSI installers, and stuff like that," she said. But in the background, she noted, the .lnk file is calling MSHDA.exe, which connects to a remote server to pull down a malicious JavaScript script that PwC calls "Cabbage Loader."

This script places a .lnk file in the victim's startup folder "to ensure persistence and then pulls down a whole series of other JavaScript payloads," she explained. "These are essentially profilers that want to make sure that the actual person that's interacting with them is not a sandbox, is not a researcher, but it's actually a target of interest."

Scenarelli concluded that Lazarus and other North Korea-based threat actors continue to exploit the growing demand for skilled people, who, despite their training and awareness of threats, can be caught off guard.

"The job market right now is a really key area for North Korea-based threat actors," she said. "So, keep your eyes peeled, make sure you're aware of whom you're interviewing. And for the love of all that is holy, don't open those links that you get sent on LinkedIn, do not open them."

Tag

#mac