WyzGuys Tech Talk

A quick Saturday digest of cybersecurity news articles from other sources.

How Chinese Bad Actors Infected Networks With Thumb Stick Malware…

WIRED just published an article that made me both disappointed and surprised at the same time. Security researchers found USB-based Sogu espionage malware spreading within African operations of European and U.S. firms.

Yup, you read that right: USB-based malware.

Here is a quick summary with a link to the full article at WIRED. The upshot? You still need to train your global workforce on the risks of them good ‘ol USB sticks…

The cybersecurity firm Mandiant has uncovered a resurgence in USB-based malware attacks led by a China-linked hacker group called UNC53. This group has successfully hacked at least 29 global organizations since last year by social engineering employees into using malware-infected USB drives.

Many of these attacks have originated from the African operations of multinational companies in countries such as Egypt, Zimbabwe and Kenya. The malware used is a decade-old strain known as Sogu, which has been involved in significant cyber-espionage activities in the past.

The campaign is especially effective in regions where USB drives are still commonly used, like Africa. Mandiant found that the malware often spreads from shared computers in places like internet cafés, affecting various sectors including consulting, banking and government agencies. The malware uses clever tactics to infect machines, even those without internet connections, and communicates with a command-and-control server to steal data.

Mandiant researchers note that this indiscriminate method allows the hackers to cast a wide net, sorting through victims for high-value targets later. The campaign highlights the need for organizations to remain vigilant against all forms of cyber threats, even those considered outdated.

This is particularly important for global networks that include operations in developing countries, where older technologies like USB drives are still in use. Train your workforce!

Blog post with links:
https://blog.knowbe4.com/chinese-spies-infected-dozens-of-networks-with-thumb-drive-malware

RELATED TOPICS:
China’s Cyber Offensive: FBI Director Reveals Unmatched Scale of Hacking Operations:
https://blog.knowbe4.com/chinas-cyber-offensive-fbi-director-reveals-unmatched-scale-of-hacking-operations

USPS Customers Become the Latest Target of the Chinese Smishing Group Called “Smishing Triad”:
https://blog.knowbe4.com/usps-customers-target-chinese-smishing-triad

Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org

Previously unseen version of SysUpdate used in August 2023 campaign.

The Budworm advanced persistent threat (APT) group continues to actively develop its toolset. Most recently, the Threat Hunter Team in Symantec, part of Broadcom, discovered Budworm using an updated version of one of its key tools to target a Middle Eastern telecommunications organization and an Asian government.

Both attacks occurred in August 2023. Budworm (aka LuckyMouse, Emissary Panda, APT27) deployed a previously unseen variant of its SysUpdate backdoor (SysUpdate DLL inicore_v2.3.30.dll). SysUpdate is exclusively used by Budworm.

As well as its custom malware, Budworm also used a variety of living-off-the-land and publicly available tools in these attacks. It appears the activity by the group may have been stopped early in the attack chain as the only malicious activity seen on infected machines is credential harvesting.

Tools Used

Budworm executes SysUpdate on victim networks by DLL sideloading the payload using the legitimate INISafeWebSSO application. This technique has been used by the group for some time, with reports of INISafeWebSSO being leveraged dating as far back as 2018. DLL sideloading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload. It can help attackers evade detection.

SysUpdate is a feature-rich backdoor that has multiple capabilities, including:

• List, start, stop, and delete services
• Take screenshots
• Browse and terminate processes
• Drive information retrieval
• File management (finds, deletes, renames, uploads, downloads files, and browses a directory)
• Command execution

Trend Micro reported in March 2023 that Budworm had developed a Linux version of SysUpdate with similar capabilities to the Windows version. SysUpdate has been in use by Budworm since at least 2020, and the attackers appear to continually develop the tool to improve its capabilities and avoid detection.

As well as SysUpdate, the attackers used a number of legitimate or publicly available tools to map the network and dump credentials. Tools used by the attackers in this campaign included:

• AdFind: A publicly available tool that is used to query Active Directory. It has legitimate uses but is widely used by attackers to help map a network.
• Curl: An open-source command-line tool for transferring data using various network protocols.
• SecretsDump: A publicly available tool that can perform various techniques to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from registries, dumping NTLM hashes, plaintext credentials, and Kerberos keys, as well as dumping the NTDS.dit Active Directory database.
• PasswordDumper: A password-dumping tool.

Budworm Background

Budworm is a long-running APT group that is believed to have been active since at least 2013. The attackers are known for their targeting of high-value victims, often focusing on organizations in the government, technology, and defense sectors. Budworm has targeted victims in many countries in Southeast Asia and the Middle East, among other locations, including the U.S. Symantec’s Threat Hunter Team published a blog in October 2022 detailing how Budworm activity was seen on the network of a U.S. state legislature. In that campaign, the attackers also targeted the government of a Middle Eastern country, a multinational electronics manufacturer, and a hospital in Southeast Asia. The attackers also leveraged DLL sideloading in that campaign to load their HyperBro malware.

The victims in this campaign — a government in Asia and a telecommunications company in the Middle East — do align with the kinds of victims we often see Budworm targeting. The targeting of a telecommunications company and government also point to the motivation behind the campaign being intelligence gathering, which is the motivation that generally drives Budworm activity.

That Budworm continues to use a known malware (SysUpdate), alongside techniques it is known to favor, such as DLL sideloading using an application it has used for this purpose before, indicate that the group isn’t too concerned about having this activity associated with it if it is discovered.

The use of a previously unseen version of the SysUpdate tool also demonstrates that the group is continuing to actively develop its toolset. The fact that this activity occurred as recently as August 2023 suggests that the group is currently active, and that those organizations that may be of interest to Budworm should be aware of this activity and the group’s current toolset.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.

SHA256 file hashes

c501203ff3335fbfc258b2729a72e82638719f60f7e6361fc1ca3c8560365a0e — Legitimate INISafeWebSSO application

c4f7ec0c03bcacaaa8864b715eb617d5a86b5b3ca6ee1e69ac766773c4eb00e6 — SysUpdate backdoor

551397b680da0573a85423fbb0bd10dac017f061a73f2b8ebc11084c1b364466 — Password dumper

df571c233c3c10462f4d88469bababe4c57c21a52cca80f2b1e1af848a2b4d23 — Hacktool

c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 — SecretsDump

f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e — AdFind

ee9dfcea61282b4c662085418c7ad63a0cbbeb3a057b6c9f794bb32455c3a79e — Curl

Making Money Off Death – Obituary Scraping

By Gary Braley

HOW LOW CAN THEY GO?
I recently searched for a friend’s obituary and was surprised to see it show up as the very first “hit”. An article I ran across explained what may have happened. Following is an edited version of that article.

There is an entire industry devoted to making money off obituaries by “scraping” i.e. copying legitimate obits and reposting them on copycat websites along with ads – that’s where the profit comes in.

Obituary pirating, where people scrape and republish obituaries from funeral homes and websites like Legacy.com, has been an ethically dubious business for years. Piracy websites are often skilled enough at search engine optimization to rise to the top of search results, and they use the resulting traffic to charge a premium for digital ads that appear next to text lifted wholesale from funeral homes, local newspapers, and other authorized obituary publishers. Occasionally these pirate sites go a step further, manipulating bereaved people into buying sympathy gifts  like candles or flowers and pocketing the money.

The flood of YouTube obituary videos is an update on this practice. Some of these channels upload dozens of death notice summaries every hour, abandoning any pretense of looking like an official source of information in an effort to churn out as many videos as they can.

In many cases you will see YouTube obituaries made by someone reading and recording the original obit. I presume this is to avoid the charge of plagiarism resulting from merely copying the text.

What can you do? If you want to find and pass along an obituary I suggest you make sure it is from the funeral home and not one of these copycats.

ZenRAT Malware Targets Windows Users Via Fake Bitwarden Password Manager Installation Package

Windows operating systems are the target of new malware dubbed ZenRAT by U.S.-based cybersecurity company Proofpoint. The attackers built a website that impersonates the popular Bitwarden password manager; if accessed via Windows, the fake site delivers the ZenRAT malware disguised as Bitwarden software. It’s currently unknown if the malware is used by threat actors for cyberespionage or for financial fraud.  More…