ESET Research
Feb 8, 5 tweets, 3 min read
👏 Proofpoint for this blog post on #TA866. @ESETResearch have been tracking this group for a while and we assess with medium confidence that TA866 and #AsylumAmbuscade are the same group. 1/4
In their February 2022 espionage campaign, attackers delivered a Lua downloader that installed #AHKBOT / #SunSeed AutoHotkey, the same implant used in recent crimeware campaigns. 2/5
Targets included several European Ministries of Foreign Affairs and other organizations related to the Russia-Ukraine war. 3/5
proofpoint.com/us/blog/threat…
#AHKBOT is a downloader in AutoHotkey that can download additional spying plug-ins (in AHK as well) to steal passwords, take screenshots, etc. The full chain is shown in the figure below. 4/5
The group has been doing both cybercrime and cyberespionage campaigns since at least 2020. We will present more details in a presentation @Botconf in April (botconf.eu/botconf-2023/b…). 5/5
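The thread describes a chain in which a Lua downloader installs an AutoHotkey implant that then fetches further AHK plug-ins. The following is an added example of how a defender might turn that chain into a process-creation detection; it is not ESET's code and not a TA866 artefact. The event format, process names and the user-writable path list are constructed assumptions, and the sample events are made up for the demonstration.

```python
"""Added example (not from the ESET thread): a small detection heuristic for the
AHKBOT-style chain described above (Lua downloader -> AutoHotkey implant).
The event tuple format, image paths and the set of user-writable directories
are constructed assumptions, not observed TA866 indicators."""
import re
from dataclasses import dataclass

# Constructed sample of process-creation events: (pid, ppid, image path, command line).
# pid 300 models the chain from the thread; pid 400 models a legitimate AHK user.
SAMPLE_EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Users\alice\AppData\Local\Temp\lua.exe", r"lua.exe stage1.lua"),
    (300, 200, r"C:\Users\alice\AppData\Roaming\AutoHotkey.exe",
     r"AutoHotkey.exe C:\Users\alice\AppData\Roaming\update.ahk"),
    (400, 100, r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     r"AutoHotkey.exe C:\Users\alice\Documents\macros.ahk"),
    (500, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Assumed list of directories an unprivileged user can write to (tune per environment).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.I)
# The AutoHotkey interpreter binary (AutoHotkey.exe, AutoHotkeyU64.exe, ...).
AHK_IMAGE = re.compile(r"autohotkey[^\\]*\.exe$", re.I)
# A Lua interpreter binary (lua.exe, lua54.exe, ...).
LUA_IMAGE = re.compile(r"lua\w*\.exe$", re.I)


@dataclass(frozen=True)
class Alert:
    pid: int
    rule: str


def detect(events):
    """Return one Alert per matched rule for every AutoHotkey process in `events`."""
    by_pid = {e[0]: e for e in events}
    alerts = []
    for pid, ppid, image, cmdline in events:
        if not AHK_IMAGE.search(image):
            continue
        # Rule 1: the interpreter itself was dropped into a user-writable location.
        if USER_WRITABLE.search(image):
            alerts.append(Alert(pid, "ahk_interpreter_in_user_writable_path"))
        # Rule 2: the script handed to the interpreter lives in a user-writable location.
        m = re.search(r"\s(\S+\.ahk)", cmdline, re.I)
        if m and USER_WRITABLE.search(m.group(1)):
            alerts.append(Alert(pid, "ahk_script_in_user_writable_path"))
        # Rule 3: the parent is a Lua interpreter, i.e. the staging order the thread describes.
        parent = by_pid.get(ppid)
        if parent and LUA_IMAGE.search(parent[2]):
            alerts.append(Alert(pid, "ahk_spawned_by_lua_interpreter"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert.pid}: {alert.rule}")
```

Run against the constructed events, only pid 300 fires (all three rules); the legitimately installed interpreter running a script from Documents (pid 400) stays silent, which is the distinction a rule like this needs to keep false positives down.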

More from @ESETresearch

Nov 30, 2022
#ESETResearch discovered Dolphin, a sophisticated backdoor extending the arsenal of the #ScarCruft APT group. Dolphin has a wide range of spying capabilities and is deployed on selected targets only.
welivesecurity.com/2022/11/30/who… 1/6
The backdoor was used as the final payload of a multistage attack in early 2021, involving a watering-hole attack on a South Korean online newspaper, an Internet Explorer exploit, and another ScarCruft backdoor, named BLUELIGHT, previously reported by Volexity and Kaspersky. 2/6
While BLUELIGHT performs basic reconnaissance, Dolphin actively searches the drives of compromised systems for files of interest and exfiltrates them to Google Drive. Its other capabilities include keylogging, taking screenshots and stealing credentials from browsers. 3/6
Nov 25, 2022
#ESETResearch discovered an ongoing Android RAT campaign that uses #FIFAWorldCup in Qatar🇶🇦 as a lure and has already infected over 750 devices. It spreads via a Facebook page linking to a website distributing the RAT. The downloaded RAT also offers World Cup news and live broadcasts. 1/4
The RAT has extensive capabilities like exfiltrating SMS, call logs, the contact list, photos, clipboard contents and files with particular extensions, recording phone calls, taking pictures, etc. Exfiltrated data is encrypted and uploaded to the attacker’s server. 2/4
IoCs:
Distribution website: kora442[.]com
C&C server: firebasecrashanalyticz[.]com
APK hash: 60B1DA6905857073C4C46E7E964699D9C7A74EC7
ESET detection: Android/Spy.Agent.BOC 3/4
Nov 25, 2022
On November 21st #ESETResearch detected and alerted @_CERT_UA of a wave of ransomware we named #RansomBoggs, deployed in multiple organizations in Ukraine🇺🇦. While the malware written in .NET is new, its deployment is similar to previous attacks attributed to #Sandworm. 1/9
Its authors make multiple references to Monsters, Inc., the 2001 movie by Pixar. The ransom note (SullivanDecryptsYourFiles.txt) shows the authors impersonate James P. Sullivan, the main character of the movie, whose job is to scare kids. 2/9
The executable file is also named Sullivan.<version?>.exe and references are present in the code as well. 3/9
Nov 23, 2022
#ESETResearch discovered an active #Android campaign conducted by the hack-for-hire group #Bahamut. The campaign has been active since January 2022, with malicious apps distributed through a fake #SecureVPN website.
@LukasStefanko welivesecurity.com/2022/11/23/bah… 1/6
We discovered at least 8 versions of the spyware, all trojanized versions of legitimate VPN apps SoftVPN and OpenVPN; none have been available on Google Play. The fake SoftVPN triggered our YARA rules; we also got a DM from @malwrhunterteam about the sample. TY folks! 2/6
The fake website was registered on 2022-01-27 and created based on a free web template. It was most likely used by the threat actor as an inspiration, as it required only small changes and looks trustworthy. 3/6
Nov 22, 2022
#ESETResearch discovered that #LuckyMouse/#APT27 used a code-signing certificate belonging to VMPsoft, the developer of the VMProtect packer. The signed file is a loader for the SysUpdate backdoor (aka Soldier). We notified VMPsoft of this compromise. 1/4
virustotal.com/gui/file/a8527…
Pivoting on the certificate, we found genuine VMPsoft binaries and a sample of SysUpdate signed and packed with VMProtect. Since LuckyMouse rarely uses VMProtect, it is possible that they also stole the VMProtect packer when they got the digital certificate. 2/4
virustotal.com/gui/file/cc196…
While the certificate is still valid, we have notified GlobalSign.

Thumbprint: 6EF192CBD6E540F1D740D1BD96317ACAE8C6AF9D

Subject: Permyakov Ivan Yurievich IP, Ekaterinburg, Sverdlovskaya oblast, RU

Valid from: 2022-05-17 11:18:43

Valid to: 2023-05-18 11:18:43 3/4
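The LuckyMouse thread above makes a point that is easy to get wrong in tooling: the abused VMPsoft certificate was still within its validity period when ESET reported it, so a signature check that only tests the validity window would accept the SysUpdate loader. The following added example (not ESET's code) shows a signature policy that normalizes thumbprints and consults an explicit distrust list before the period check. The thumbprint and validity dates come from the thread; the `SignerInfo` record, the placeholder thumbprint for the unrelated vendor and the sample signing times are constructed assumptions, and real PE/PKCS#7 parsing is out of scope.

```python
"""Added example (not from the ESET thread): a signature policy check that treats
the VMPsoft certificate abused by LuckyMouse as explicitly distrusted.
SignerInfo is a constructed record standing in for what a real Authenticode
parser would return; no PE or PKCS#7 parsing is done here."""
from dataclasses import dataclass
from datetime import datetime

# Values taken from the thread: thumbprint and validity window of the abused certificate.
COMPROMISED_THUMBPRINTS = {"6EF192CBD6E540F1D740D1BD96317ACAE8C6AF9D"}
CERT_VALID_FROM = datetime(2022, 5, 17, 11, 18, 43)
CERT_VALID_TO = datetime(2023, 5, 18, 11, 18, 43)

# Constructed placeholder for some unrelated, legitimate vendor certificate.
PLACEHOLDER_THUMBPRINT = "0" * 40


@dataclass(frozen=True)
class SignerInfo:
    thumbprint: str          # SHA-1 of the signing certificate, hex (any separators/case)
    not_before: datetime     # certificate validity start
    not_after: datetime      # certificate validity end
    signing_time: datetime   # trusted timestamp, or the time the file was observed


def normalize_thumbprint(tp: str) -> str:
    """Strip separators and case so '6e:f1:...' and '6EF1...' compare equal."""
    return "".join(c for c in tp if c.isalnum()).upper()


def assess_signature(sig: SignerInfo, distrusted=COMPROMISED_THUMBPRINTS) -> str:
    """Return a verdict string for one signature record."""
    tp = normalize_thumbprint(sig.thumbprint)
    # The distrust list is consulted first: a compromised certificate that is
    # still inside its validity window would otherwise pass the period check.
    if tp in {normalize_thumbprint(t) for t in distrusted}:
        return "distrusted_compromised_certificate"
    if not (sig.not_before <= sig.signing_time <= sig.not_after):
        return "signed_outside_validity_period"
    return "signature_period_ok"


# Constructed samples: a loader signed with the abused certificate inside its
# validity window, a benign vendor signature, and a stale signature.
SAMPLES = {
    "sysupdate_loader": SignerInfo(
        "6e:f1:92:cb:d6:e5:40:f1:d7:40:d1:bd:96:31:7a:ca:e8:c6:af:9d",
        CERT_VALID_FROM, CERT_VALID_TO, datetime(2022, 11, 1)),
    "unrelated_vendor": SignerInfo(
        PLACEHOLDER_THUMBPRINT, datetime(2021, 1, 1), datetime(2024, 1, 1), datetime(2022, 6, 1)),
    "stale_signature": SignerInfo(
        PLACEHOLDER_THUMBPRINT, datetime(2021, 1, 1), datetime(2024, 1, 1), datetime(2025, 1, 1)),
}


def triage(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: assess_signature(sig) for name, sig in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name}: {verdict}")
```

The ordering matters: once GlobalSign revokes the certificate, a revocation check would catch it too, but until then the thumbprint blocklist is the only thing standing between a valid-looking signature and execution.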
Nov 9, 2022
#ESETResearch discovered and reported to the manufacturer 3 vulnerabilities in the #UEFI firmware of several Lenovo Notebooks. The vulnerabilities allow disabling UEFI Secure Boot or restoring factory default Secure Boot databases (incl. dbx): all simply from an OS. @smolar_m 1/9
Reported vulnerabilities – #CVE-2022-3430, #CVE-2022-3431, and #CVE-2022-3432 – affect various Lenovo Yoga, IdeaPad and ThinkBook devices. All affected devices with active development support have been fixed after we reported them to the manufacturer. 2/9
While disabling UEFI Secure Boot allows direct execution of unsigned UEFI apps, restoring factory default dbx enables the use of known vulnerable bootloaders (e.g., #CVE-2022-34301 found by @eclypsium) to bypass Secure Boot, while keeping it enabled.
eclypsium.com/2022/08/11/vul… 3/9