Here are the stories that caught our eye this week:
A China-based APT group, potentially active since 2014. In each campaign, the initial attack vector was a malicious Word document that delivered either a modified Cobalt Strike variant or the MgBot RAT (Remote Access Trojan). Malicious Android RATs believed to be used by the same group were also found.
Meanwhile, two real-world events in late June 2020 strained political relations between India and China. The first was a border skirmish along their disputed shared border in the Himalayas, reportedly resulting in casualties on both sides. Secondly, the Indian government banned 59 Chinese apps, most notably TikTok, on national security and privacy grounds.
The malware contains no code to self-propagate. The attack vector in these campaigns is a malicious Word document attached to a spear-phishing email, relying on social engineering to get the targeted user to open it.
The 14 publicly available samples associated with these campaigns consist of malicious Word documents, the Windows RAT MgBot, and an Android RAT. BluVector, a leader in advanced threat detection, detected all of these diverse samples through its Machine Learning Engine (MLE).
Today, one of the biggest reasons for the mixed feelings associated with cryptocurrencies is that threat actors have tried to use the technology to scam unsuspecting users from the very start.

A recent report by ESET has identified yet another such case: malware disguised as cryptocurrency trading applications being distributed for Mac devices. The malware is designed to steal the following:
- Browser history and cookies
- Cryptocurrency wallets
- Screenshots of the user’s screen, so it also serves as spyware

ESET researchers believe the attack is part of, or a renewal of, a malicious campaign identified by Trend Micro back in September 2019. As of now, according to ESET’s researchers, there is no clear indication of how the attackers are reaching users, but the real Kattana tweeted back on March 12, 2020, alleging that its users were being approached directly, which suggests a social engineering ploy:
“We’ve come to know that some of our users were approached by the malicious copycat service of Kattana, located at: HTTPS://T.CO/PASARVJPPZ
Please, be extra mindful about anyone who approaches you for any reason related to crypto-trading. They might be frauds.
— Kattana (@KattanaTrade) March 12, 2020”
The possibility of the US following India in banning TikTok grew stronger after a proposal to bar downloading the short-video platform on government-issued devices won the backing of the US House of Representatives. The House passed the National Defense Authorization Act for Fiscal Year 2021 by a vote of 295 to 125 on Tuesday. There is no guarantee yet that the ban will become law: the Senate is expected to pass its version of the bill later this week, after which the two chambers will reconcile their differences before sending it for the President’s signature. The app came under scrutiny from security services over fears that it shares user data with the Chinese government, which TikTok denies.
A hack of Twitter last week shook the foundations of the internet, cybersecurity, and political worlds. A gang of young people, purportedly obsessed with OG usernames (the one- or two-character handles held by early Twitter adopters), targeted 130 high-profile accounts, resetting passwords and sending messages from the accounts of 45 “celebrities.” The hacks appear financially motivated: the attackers made off with $121,000 worth of bitcoin generated by the scam messages they sent from the accounts of Joe Biden, Barack Obama, Bill Gates, Elon Musk and other personages. Coming during a period of high paranoia just a few months before the 2020 presidential election, the hacks became entangled with the ongoing fear of the kinds of nation-state digital attacks that took place during the 2016 elections.

The takeover of what has become a vital political platform attracted the attention of lawmakers, including James Comer (R-KY), the ranking member of the House Committee on Oversight and Reform, who sent a letter to Twitter CEO Jack Dorsey demanding a briefing no later than July 24. Cryptography and security expert Bruce Schneier characterized the hacks as a “class break,” a compromise that disrupted an entire class of systems and did not depend on the level of individual users’ protection, such as two-factor authentication.

The Department of Homeland Security defines critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” Given the reactions the Twitter hacks spawned in both the political and security worlds, that definition seems more apt than not.