HTTP File Server, commonly abbreviated as HFS, is a free and simple means to send and receive files across the Internet. This also makes the software a popular choice among malicious actors for hosting and distributing malware and exploits, and an interesting target for malware researchers. An investigation into an HFS instance hosting an exploit for CVE-2018-8174 led to the discovery of an interesting threat actor and their infrastructure, the continued use of the Gh0st RAT malware, and many common attributes we can use to help us identify this malicious activity in the wild.

REFERENCE:
http://blog.inquest.net/blog/2018/07/09/field-notes-malicious-hfs-servers/

Two weeks ago, FortiGuard Labs spotted a malicious document with the politically themed file name “Draft PH-US Dialogue on Cyber Security.doc”. This document takes advantage of the vulnerability CVE-2017-11882. Upon successful exploitation, it drops a malware in the victim’s %temp% directory. Our analysis of this malware shows that it belongs to Hussarini, also known as Sarhust, a backdoor family that has been used actively in APT attacks targeting countries in the ASEAN region since 2014.

FireEye has examined a range of TEMP.Periscope activity revealing extensive interest in Cambodia's politics, with active compromises of multiple Cambodian entities related to the country’s electoral system. This includes compromises of Cambodian government entities charged with overseeing the elections, as well as the targeting of opposition figures. This campaign occurs in the run up to the country’s July 29, 2018, general elections. TEMP.Periscope used the same infrastructure for a range of activity against other more traditional targets, including the defense industrial base in the United States and a chemical company based in Europe. Our previous blog post focused on the group’s targeting of engineering and maritime entities in the United States.

Earlier today the Israel Defense Forces (IDF) uncovered a campaign they attribute to Hamas, in which fake Facebook profiles were used to lure soldiers to install Android malware.

Malware programmed in Golang and cross-compiled to make it compatible both with Linux and Windows.

GROUP:

Previous days we have seen multiple MacOS malware attacks, originating within crypto related Slack or Discord chats groups by impersonating admins or key people. Small snippets are being shared, resulting in downloading and executing a malicious binary.

As a modularized malware, Necurs can run any module on its network of bots. In 2017, we saw Necurs pushing spamming and proxy modules onto its bots. This year, however, there’s a notable decrease on Necurs’ spam volume compared to its spam campaigns in the last quarter of 2017. Instead, we see Necurs pushing cryptocurrency miners and infostealers — FlawedAmmyy RAT, AZORult, and a .NET module — as modules onto its bots.

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.

Throughout 2017 and 2018 Unit 42 has been tracking and observing a series of highly targeted attacks focused in South East Asia, building on our research into the KHRAT Trojan. Based on the evidence, these attacks appear to be conducted by the same set of attackers using previously unknown malware families. In addition, these attacks appear to be highly targeted in their distribution of the malware used, as well as the targets chosen. Based on these factors, Unit 42 believes the attackers behind these attacks are conducting their campaigns for espionage purposes.

Tick is a cyberespionage group primarily targeting organizations in Japan and the Republic of Korea. The group is known to conduct attack campaigns with various custom malware such as Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader. Unit 42 last wrote about the Tick group in July 2017. Recently, Palo Alto Networks Unit 42 discovered the Tick group targeted a specific type of secure USB drive created by a South Korean defense company. The USB drive and its management system have various features to follow security guidelines in South Korea.

ADVERSARY: