What is Chafer APT?

A few days back cyber experts found the traces in new cybercrime campaigns known as chafer advanced persistent threats (APT) group. This group has been active since 2014 and has done many middle east cyber attacks. This group has a recent record of 2018 and last was 2019 targeted many Saudi and Kuwait organizations.

Whole Uncovered Story of attack :

According to cyber experts, this group has been active since 2014 but recently he has targeted middle east countries like Saudi and Kuwait. The last attack was in 2018 and 2019 targeted several unnamed organizations based in Kuwait and Saudi Arabia. The campaigns used custom-built tools known as bevy as well as “living off the land “ tactics used. 

The “Living off the land tools” has the feature of a target environment that is abused by the cyber attacker to achieve persistence. 

According to Bitdefender’s analysis “Researcher have found threat conducted by this actor in the middle east region back in 2018”.The campaigns based on several tools, including “living off the land” tools, which makes the attribution difficult, there are different hacking tools and a custom-built backdoor. The attackers find the victims affected by the air transport and government sector in the middle east the whole attack is based on proper analysis.

The researcher at work and find out how many companies are going to affect each country. They also say the data is more than we expect and what we get after the analysis report.

Let’s find the campaign Strategies :

A particular way of doing something behind the cyberattacks against the companies of Kuwait and Saudi Arabia finds some same track as the researcher says. According to the source the cyberattacks on the victims from Kuwait were more sophisticated as the cybercriminals were able to move on the network. As the researcher believes that the attackers infarct the victims by sending infected documents with shellcode and that was potentially sent via spear-phishing emails.

The attacker managed to create a user account on the victim’s machine and perform several malicious actions inside the network using the account that they created on victims machine that was an unusual behavior performed on some account that basically the attackers plan to make us believe that they are doing this. Basically their plan was to engage us at that certain point.

Once the attacker has access inside the company server then they install the backdoor (imjpuexa.exe) that was act like service of that machine but it was basically backdoor for the attacker. Even the attackers have done several exercises like network-scanning and credential gathering which helps the attacker to move inside the network. The attacker used the tool name as CrackMapExec.exe , these tools work multifunctioning like network scanning, credential sumping, account discovery, and code injection.

They also use the custom tool like the PLINK tool (known as wehsvc.exe).PLINK is the command-line connection tool mostly used for automated operations. This tool is mostly used to preserve campaign original functionality with some advanced key features such as the possibility to uninstall any service and run as a window service.

The researcher said that the attack on victims in Saudi Arabia was not as elaborate because the attackers did not manage to exploit the victim or they didn’t’ get information of interest.

According to the Research team” we believe initial compromise was achieved through social engineering and a RAT was loaded and executed twice in different name forms (Drivers.exe and driver_x64.exe). The researcher said the user is being tricked into running these applications.

How RAT is involved in attacks?

RAT program is written in Python language and converted into a standalone executable. It is similar to the other RATs tools which security researchers documented previously but this time it is customized for the particular attack. This is not common for the cyber attacker to create and modify according to victims or user needs. It needs a whole analysis of that particular victim. They may change the way the RAT communicates with the server C2C and they can add the other feature that was not necessary.

Different RAT components that were used at the different process. The First component (snmp.exe) works as a backdoor and second (imjpuexa.exe) as you see the target attacks in Kuwait.

As the source says the cyber attacker used “living off the land “ tools in both campaigns.

The post Middle East Government hits by Chapher APT with latest Cyber-Espionage Attack appeared first on Vednam.

Messenger Apps of Android are targeted by WolfRAT Malware

The team of Cisco Talos Intelligence has found this android malware in the wild. This malware especially targets the Messenger apps of android phones. The most popular apps are used these days as a messenger are Facebook, Messenger, WhatsApp, and line.

The details shared by researchers on their blog is this malware loosely based on the leaked malware DenDroid.Time to time the malware seems to have gone in the improvement stage to target the users. Time to time the improvement is done in the code script of this malware but the old code blocks, classes are still inside the android package.

How?

Firstly the malware targets the messaging and chat apps on android. The data steal being done by the screenshot of the chats whenever the apps are open. Most new Malware that exploits Android Accessibility suite to access data. The Screenshots are then uploaded to the C2 Server of the Malware.

The virus reaches the devices through fake and malicious updates done on the targeted devices. There are tricks to mimic the Google service to install the malware in the victim machine.

If Fail, what next?

The Malware will start the main service if all the request permissions and the devices admin privileges are granted. If not, then it launches an ACTION_APPLICATION_SETTING to activate the Plan B access to the user permissions.

Which Country Affected Right Now?

According to the researcher and news, It is currently active in Thailand. The researcher thinks that WolfRAT malware is still active but from the organization it was declared Inactive. 

At present, the malware is actively targeting the android user in Thailand. The threat actors have released open-source platforms for codes and packages. After finding the roots of this malware we consider that it has capabilities of data-stealing in larger mass and it will be a big threat in the future.

The post WolfRAT Malware affects Android Apps target Messenger Apps appeared first on Vednam.

DDoS attack on ESET

From the sources, ESET researcher Lukas revealed details about an android app that used to target the ESET website with DDoS attacks.

The app appeared  “updates for android which seems like a new update. The main thing it was linked with a website i-updater.com that was really fascinating. It seems that it is not harmful and that may cause thousands of downloads.”

According to ESET analysis, the malicious app has an inbuilt ability to load and execute malicious JS on the target device. This may really not happen it appeared online in late 2019. Hence, it was avoided by the google play store’s security.

What really it effect

As the result came, it turned the devices of all its users into its “botnet”.The interesting part is that it displayed the ads on the devices which helps to hide app icons and in between the app start downloading malicious javascript from the attacker’s server to run on user’s devices.

However, the availability to execute JS is what the attackers used to wages a DDoS attack

“The DDoS attack starts with the machines who compromised while receiving a command to load the vulnerable script that specifies the targeted domain. When the script is loaded, the machine starts making requests to the targeted domain.”

This all happens till they don’t reach the ESET website, the team of ESET detected the source behind the attack.

Take Down the App

After finding the threat, the ESET team got in touch with Google who eventually removed the app from the play store. The researcher also checks the website i-updater.com remained up as it was not malicious. When the team checks the website it appeared as a blank page. The site is fully cleaned and no traces are found of threat and malicious script.

Conclusions came after that the attacker may go underground and rebuild the site in a new manner.

The post ESET Website under DDoS attack by Malicious Android App appeared first on Vednam.