It is exceptionally rare for a well-documented threat actor, previously implicated in very high-profile attacks, to stay completely under the radar for several years. Yet, in the last three years that is what APT group the Dukes (aka APT29 and Cozy Bear) has done. Despite being well known as one of the groups to hack the Democratic National Committee in the run-up to the 2016 US election, the Dukes has received little subsequent attention. The last documented campaign attributed to them is a phishing campaign against the Norwegian government that dates back to January 2017
In August 2019, FireEye released the “Double Dragon” report on our newest graduated threat group: APT41. A China-nexus dual espionage and financially-focused group, APT41 targets industries such as gaming, healthcare, high-tech, higher education, telecommunications, and travel services. This blog post is about the sophisticated passive backdoor we track as LOWKEY, mentioned in the APT41 report, and associated with ESETs recent Winnti Group related blog https://www.welivesecurity.com/2019/10/14/connecting-dots-exposing-arsenal-methods-winnti/ .
In our September 5, 2019, Threat Insight post, “Seems Phishy: Back To School Lures Target University Students and Staff,” we discussed the seasonal uptick of phishing campaigns that are directed at university students and staff, usually between June and October of every year. Since our blog post, colleagues at Secureworks have provided further details on one actor we highlighted, tracked by Proofpoint as TA407, also known as Silent Librarian, Cobalt Dickens, and Mabna Institute. In this blog, we provide additional insight into the actor and their evolving TTPs in ongoing, academia-focused campaigns.
The Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group, Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled: “Mustang Panda Riding Across Country Lines.”
Charming Kitten, an Iranian APT group, plays a role in the domain of cyber-attacks for the purpose of interfering with democratic procedures. On 4th of October 2019, Microsoft has announced that Phosphorus (known as Charming Kitten) attempted to attack email accounts that are associated with the following targets: U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics, and prominent Iranians living outside Iran.
By monitoring the campaign primarily targeting Japanese service providers, FortiGuard Labs was able to identify this campaign and what, to the best of our knowledge, is a new malware family. During our analysis, we also encountered other samples that were not completely developed and lacked some of the functionalities discussed in this blogpost, suggesting that the malware is currently under development and is being tested in the wild. The capabilities of this family are limited at the moment, but the fact that we were able to find different samples that showed significant improvement in the span of a few weeks shows that this family should not be underestimated.
Qbot, or Qakbot, is a banking trojan that has been seen in the wild for at least 10 years. Recent campaigns have been often delivered by exploit kits and weaponized documents delivered via context-aware phishing campaigns. Qbot has also been suspected of delivering MegaCortex ransomware. Many recent samples are observed to conduct worm-like behavior to spread across network shares or via SMB, and contain multiple levels of anti-analysis controls such as VM awareness and lengthy execution delays.
We found a new modular fileless botnet malware, which we named “Novter,” (also reported and known as “Nodersok” and “Divergent”) that the KovCoreG campaign has been distributing since March. We’ve been actively monitoring this threat since its emergence and early development, and saw it being frequently updated. KovCoreG, active since 2011, is a long-running campaign known for using the Kovter botnet malware, which was distributed mainly through malvertisements and exploit kits. Kovter has been involved in click fraud operations since 2015, using fraudulent ads that have reportedly cost businesses more than US$29 million. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts, including Trend Micro.
Over the course of the last two years, BlackBerry Cylance researchers uncovered a suspected Chinese advanced persistent threat (APT) group conducting attacks against technology companies located in south-east Asia. The threat actors deployed a version of the open-source PcShare backdoor modified and designed to operate when side-loaded by a legitimate NVIDIA application.
The FortiGuard SE Team discovered a particularly interesting targeted attack towards the end of August in Virus Total. The attack targeted a supplier for a distribution/logistics provider to a nation state. The email contained an attachment that appeared to have been sent by a company that manufactures and distributes electrical components and other parts, and has likely dealt at least once with the targeted organization via email.
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email firstname.lastname@example.org