*It's difficult to follow expert commentary on contemporary computer security, and also it's not good for you, because you might be led into a lucrative life of crime as a pawn of the North Koreans.
*So, in this post, I'm simply excerpting the cool bits of cybercrime jargon in a recent report. Sure, you could Google it and probably find the origin, but if you're a criminal, you're too lazy. If you're merely given to prurient interest, though, you could name-drop stuff like this and sound really scary, even if you don't know where the RETURN key is on a desktop machine.
Operation ShadowHammer
ShadowPad, ExPetr and the backdooring of CCleaner
sophisticated supply-chain attack
the Sofacy/Hades actor
Dookhtegan or Lab_dookhtegan
the OilRig threat actor
a list of web shells
the origins of the tools included in the dump
an entity going by the alias Bl4ck_B0X created a Telegram channel named GreenLeakers
alleged screenshots from a MuddyWater C2 server
a website named Hidden Reality
relied on Telegram and Twitter profiles to post messages related to Iranian CNO capabilities
the APT described as the 27th function of the sigs.py file: DarkUniverse
A rather simple DLL with only one exported function that implements persistence, malware integrity, communication with the C2 and control over other modules
a zero-day vulnerability in WhatsApp
read their encrypted chats, turn on the microphone and camera and install spyware
collecting personal information such as contacts, messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers
up-to-date versions of these implants in the wild
five exploitation chains to escalate privileges
‘water-holed’ websites to deliver the exploits
reduced payouts for Apple one-click exploits
a high-severity zero-day in the v4l2 (Video4Linux) driver, the Android media driver
left more than a billion Samsung, Huawei, LG and Sony smartphones vulnerable to an attack
wrapped its notorious JavaScript KopiLuwak malware in a dropper called Topinambour
The malware is almost completely ‘fileless’
two KopiLuwak analogues – the .NET RocketMan Trojan and the PowerShell MiamiBeach Trojan
a new COMpfun-related targeted campaign
tentatively associated with Turla based on victimology
manipulating installed digital root certificates and marking outbound TLS traffic with unique host-related identifiers
patch the corresponding system pseudo-random number generation (PRNG) functions in the process’s memory
adds the victims’ unique encrypted hardware- and software-based identifiers to this ‘client random’ field.
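The COMpfun-related trick above is easiest to see from the wire side: if the process's PRNG is patched so that part of the TLS 'client random' is a host-derived value, that part repeats on every connection while the rest of the 32 bytes does not. What follows is an added example, not code from the report or from this post. It builds a constructed TLS 1.2 ClientHello, extracts the client random, and flags a host whose randoms share fixed byte positions across several handshakes. The 8-byte prefix layout and the `hypothetical-host-fingerprint` value are assumptions for illustration; the report does not say where in the random the identifier lands.

```python
import hashlib
import random
import struct

RANDOM_LEN = 32  # size of the TLS ClientHello 'random' field


def build_client_hello(client_random: bytes) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record around the given 32-byte random.

    Constructed sample: a real capture carries many more cipher suites and
    extensions, but the random field sits at the same offset either way.
    """
    if len(client_random) != RANDOM_LEN:
        raise ValueError("client random must be 32 bytes")
    session_id = b""
    cipher_suites = b"\xc0\x2f\xc0\x30"   # two arbitrary suite IDs
    compression = b"\x00"                 # null compression only
    body = (
        b"\x03\x03"                                   # client_version = TLS 1.2
        + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + b"\x00\x00"                                 # empty extensions block
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer


def extract_client_random(record: bytes) -> bytes:
    """Walk the record and handshake headers and return the 32-byte client random."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 2 + RANDOM_LEN:
        raise ValueError("truncated ClientHello")
    return body[2:2 + RANDOM_LEN]  # skip the 2-byte client_version


def fixed_positions(randoms):
    """Byte offsets whose value is identical in every supplied client random."""
    first = randoms[0]
    return [i for i in range(RANDOM_LEN) if all(r[i] == first[i] for r in randoms)]


def looks_marked(randoms, threshold=4):
    """Heuristic: an honest PRNG almost never repeats the same byte at the same
    offset across several handshakes; a patched one that embeds a host
    identifier does so on every connection."""
    return len(fixed_positions(randoms)) >= threshold


# ---- constructed traffic (assumptions, not captured data) -------------------
_rng = random.Random(2019)  # seeded so the sample is reproducible


def _rand_bytes(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


def honest_random():
    return _rand_bytes(RANDOM_LEN)


# Hypothetical marking scheme: the first 8 bytes of the random are replaced by
# a hash of a host fingerprint. The report does not give the real layout.
HOST_MARK = hashlib.sha256(b"hypothetical-host-fingerprint").digest()[:8]


def marked_random():
    return HOST_MARK + _rand_bytes(RANDOM_LEN - len(HOST_MARK))


def classify_host(n_connections=5, marked=False):
    """Simulate n handshakes from one host and say whether its randoms look marked."""
    gen = marked_random if marked else honest_random
    records = [build_client_hello(gen()) for _ in range(n_connections)]
    randoms = [extract_client_random(r) for r in records]
    return looks_marked(randoms)


if __name__ == "__main__":
    print("honest host flagged:", classify_host(marked=False))  # False
    print("marked host flagged:", classify_host(marked=True))   # True
```

On real traffic, group ClientHellos by source host before comparing, and remember that older TLS clients filled the first four bytes of the random with a Unix timestamp, so either skip offsets 0 to 3 or keep the threshold well above the handful of bytes a timestamp can hold constant within one capture.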
a compiled Python script, PythocyDbg, within a Southeast Asian foreign affairs organization
Nimrod/Nim, a programming language with syntax resembling both Pascal and Python that can be compiled down to JavaScript or C targets
Zebrocy spear-phished multiple NATO and alliance partners
executables with altered icons and identical filenames
remote Word templates pulling contents from the legitimate Dropbox file-sharing site
an elaborate, previously unseen steganographic technique
implement the utilities they need as one huge set – an example of the framework-based architecture
a public login credential dumper and homemade PowerShell scripts for lateral movement
this malware can run as a passive backdoor, an active backdoor or a tunneling tool
a brand new type of backdoor, called ApolloZeus, which is started by a shellcode wrapper with complex configuration data
tailored Ghost RAT malware that can fully control the victim
network-driven backdoors, several generations of modular backdoors, harvesting tools and wipers for carrying out destructive attacks
implementing some specific NOBUS and OPSEC concepts such as protection from C2 sink-holing by checking the server SSL certificate hash, self-uninstall for orphaned instances
the LuckyMouse threat actor that had been targeting Vietnamese government and diplomatic entities abroad since at least April 2018
Besides pen-testing frameworks, the operators use the NetBot downloader and Earthworm SOCKS tunneler
all the tools in the infection chain dynamically obfuscate Win32 API calls using leaked HackingTeam code
targeted governments in Myanmar, Mongolia, Ethiopia, Vietnam and Bangladesh, along with remote foreign embassies located in Pakistan, South Korea, the US, the UK, Belgium, Nepal, Australia and Singapore
large waves of attacks against government institutions and military contractors in Central Asia, which are strategically important to China’s Belt and Road Initiative
a technique called load order hijacking
ShaggyPanther, a previously unseen malware and intrusion set targeting Taiwan and Malaysia
SinoChopper/ChinaChopper, a commonly used web shell shared by multiple Chinese-speaking actors
TajMahal, a previously unknown APT framework that has been active for the last five years. This is a highly sophisticated spyware framework that includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers; and even its own file indexer for the victim’s computer
FruityArmor had used zero-days before, while SandCat is a new APT actor
The low OPSEC and simplistic malware involved in this operation does not seem to point to an advanced threat actor
Collection #1 was just part of a larger dump of leaked credentials comprising 2.2 billion stolen account records
In August, two Israeli researchers discovered fingerprints, facial recognition data and other personal information from the Suprema Biostar 2 biometric access control system in a publicly accessible database