#ESETesearch discovered Dolphin, a sophisticated backdoor extending the arsenal of the #ScarCruft APT group. Dolphin has a wide range of spying capabilities and is deployed on selected targets only. welivesecurity.com/2022/11/30/who… 1/6
The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT, previously reported by Volexity and Kaspersky. 2/6
While BLUELIGHT performs basic reconnaissance, Dolphin actively searches the drives of compromised systems for files of interest and exfiltrates them to Google Drive. Its other capabilities include keylogging, taking screenshots and stealing credentials from browsers. 3/6
Some Dolphin versions can lower the security of signed-in Gmail accounts, probably to maintain access to victims’ inboxes. To achieve this, the backdoor steals the existing cookie of the logged-in account from the browser and crafts requests modifying the settings. 4/6
Since the initial discovery of Dolphin in April 2021, we have observed multiple versions of the backdoor, as shown in the timeline, in which the threat actors improved the backdoor’s capabilities and made attempts to evade detection. 5/6
#ESETResearch discovered an ongoing Android RAT campaign that uses #FIFAWorldCup in Qatar🇶🇦 as a lure and already infected over 750 devices. It spreads via Facebook page linking to a website distributing the RAT. Downloaded RAT also offers World Cup news and live broadcasts 1/4
The RAT has extensive capabilities like exfiltrating SMS, call logs, contact list, photos, clipboard, files with particular extensions, record phone calls, take pictures, etc. Exfiltrated data is encrypted and uploaded to attacker’s server. 2/4
IoCs:
Distribution website: kora442[.]com
C&C server: firebasecrashanalyticz[.]com
APK hash: 60B1DA6905857073C4C46E7E964699D9C7A74EC7
ESET detection: Android/Spy.Agent.BOC 3/4
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9
@_CERT_UA Its authors make multiple references to Monsters, Inc., the 2001 movie by Pixar. The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. 2/9
@_CERT_UA The executable file is also named Sullivan.<version?>.exe and references are present in the code as well. 3/9
We discovered at least 8 versions of the spyware, all trojanized versions of legitimate VPN apps SoftVPN and OpenVPN; none have been available on Google Play. The fake SoftVPN triggered our YARA rules; we also got a DM from @malwrhunterteam about the sample. TY folks! 2/6
The fake website was registered on 2022-01-27 and created based on a free web template. It was most likely used by the threat actor as an inspiration, as it required only small changes and looks trustworthy. 3/6
#ESETResearch discovered that #LuckyMouse/#APT27 used a code-signing certificate belonging to VMPsoft, the developer of the VMProtect packer. The signed file is a loader for the SysUpdate backdoor (aka Soldier). We notified VMPSoft of this compromise 1/4 virustotal.com/gui/file/a8527…
Pivoting on the certificate, we found genuine VMPsoft binaries and a sample of SysUpdate signed and packed with VMProtect. Since LuckyMouse rarely use VMProtect, it is possible that they also stole VMProtect packer when they got the digi certificate. 2/4 virustotal.com/gui/file/cc196…
While the certificate is still valid, we have notified GlobalSign.
#ESETResearch discovered and reported to the manufacturer 3 vulnerabilities in the #UEFI firmware of several Lenovo Notebooks. The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS. @smolar_m 1/9
Reported vulnerabilities – #CVE-2022-3430, #CVE-2022-3431, and #CVE-2022-3432 – affect various Lenovo Yoga, IdeaPad and ThinkBook devices. All affected devices with an active development support have been fixed after we reported them to the manufacturer. 2/9
While disabling UEFI Secure Boot allows direct execution of unsigned UEFI apps, restoring factory default dbx enables the use of known vulnerable bootloaders (e.g., #CVE-2022-34301 found by @eclypsium) to bypass Secure Boot, while keeping it enabled. eclypsium.com/2022/08/11/vul… 3/9
#Emotet’s operators were busy updating their systeminfo module, with changes that enable malware operators to improve the targeting of specific victims and distinguish tracking bots from real users. #ESETresearch 1/7
The operators completely changed the attributes that are collected and sent to the attacker’s C&Cs. The new list includes processor brand, size of physical memory in MB and an approximate % of it being in use. 2/7
The magic number – used by the server to verify that the systeminfo module is up to date – is obtained in a different way too. Instead of being part of the main function, 64 functions are used, with the module selecting one that returns the correct value. 3/7