Palmerworm, an active Chinese APT

A new espionage campaign is targeting the media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S., and China. The attacks have been linked to Palmerworm (aka BlackTech), likely a China-based advanced persistent threat (APT) group; the initial traces were found in 2019. The activity is primarily a cyber espionage campaign.

Among the multiple victims infected by Palmerworm, the media, electronics, and finance companies were all based in Taiwan, while an engineering company in Japan and a construction firm in China were also targeted.

A 2017 analysis by Trend Micro found the group to have orchestrated three campaigns — PLEAD, Shrouded Crossbow, and Waterbear — with an intent to steal confidential documents and the target’s intellectual property.

Stating that some of the identified malware samples matched PLEAD, the researchers said they also identified four previously undocumented backdoors (Backdoor.Consock, Backdoor.Waship, Backdoor.Dalwit, and Backdoor.Nomri).

The brand-new custom malware toolset alone would have made attribution difficult, were it not for the use of dual-use tools (such as PuTTY, PsExec, SNScan, and WinRAR) and of stolen code-signing certificates to digitally sign the malicious payloads and thwart detection, a tactic the group has been found to employ before.

Another detail that remains unclear is the infection vector itself, i.e. the method Palmerworm used to gain initial access to the victim networks. The group has, however, leveraged spear-phishing emails in the past to deliver and install its backdoor, either as an attachment or through links to cloud storage services.

“APT groups continue to be highly active in 2020, with their use of dual-use tools and living-off-the-land tactics making their activity ever harder to detect, and underlining the need for customers to have a comprehensive security solution in place that can detect this kind of activity.”

Loda RAT

Loda RAT is a RAT (Remote Access Trojan) that has been tracked by malware analysts for several years and was first spotted back in 2017. Loda is a simple RAT, but that does not make it ineffective. The trojan is written in the AutoIt scripting language, which is not uncommon for commodity malware. Once Loda RAT compromises a system, it is able to perform a long list of tasks.

Loda RAT appears to primarily target users in the United States, Central America, and South America. The creators of Loda RAT distribute it through phishing emails that point users to an attacker-controlled page. This page hosts various macro-laced documents designed to exploit a known vulnerability, CVE-2017-11882. Upon infecting the target computer, Loda RAT establishes a connection with its operators’ C&C (Command and Control) server.

Capabilities

Once Loda RAT has successfully connected to the C&C server, it waits for commands from the attackers. Loda can collect information such as passwords and login credentials. In addition to collecting login credentials, Loda RAT can also:

  • Take screenshots of the user’s desktop and active window.
  • Launch a keylogger that will collect keystrokes.
  • Use the victim’s microphone to record audio.

Recently, the creators of Loda RAT updated the trojan with several self-preservation features. Its code has been obfuscated to evade detection by anti-malware tools, and the same obfuscation makes it harder for security researchers to analyse the threat. Loda can also scan the processes running on the compromised system and detect whether an anti-virus application is running. Loda RAT establishes persistence on compromised computers using two common tricks:

  • It uses the Windows Task Scheduler to ensure that its components will start with Windows.
  • It adds a new autorun (Run) Windows registry key that instructs Windows to execute Loda RAT at startup.
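Both persistence locations above are cheap for a defender to audit. The following is an added example, not code from the original page or from the Loda authors: a Python script that parses a `reg export` of the per-user Run key and a task definition in the shape produced by `schtasks /query /xml`, then flags entries that launch from user-writable directories, involve the AutoIt interpreter or its script extensions, or masquerade as a system binary outside System32. The registry lines, the task XML, the task name `\UpdateHelper`, the path `C:\Users\alice\...` and the heuristic lists are all constructed for illustration. Python is used so the check runs offline on exported data; on a live host the same review is normally done in PowerShell.

```python
"""Audit the two persistence locations Loda RAT abuses (Run keys and scheduled
tasks) for traits a defender would triage. Added example; every sample below is
constructed and is not a real Loda RAT indicator."""
import re
import xml.etree.ElementTree as ET

# Constructed .reg export of the per-user Run key (shape of `reg export` output).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"
"Helper"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\autoit3.exe\" C:\\Users\\alice\\AppData\\Local\\Temp\\x.au3"
'''

# Constructed task definition keyed by a made-up task name (shape of
# `schtasks /query /xml`; real exports are UTF-16, decode them to str first).
SAMPLE_TASKS = {r'\UpdateHelper': r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Windows\update.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>'''}

TASK_NS = {'t': 'http://schemas.microsoft.com/windows/2004/02/mit/task'}
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only
# Directories an unprivileged user can write to (hypothetical, non-exhaustive list).
USER_WRITABLE = re.compile(r'\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|%APPDATA%|%TEMP%|%TMP%|%LOCALAPPDATA%', re.I)
AUTOIT = re.compile(r'autoit3|\.au3\b|\.a3x\b', re.I)  # AutoIt interpreter / script extensions
SYSTEM_NAMES = {'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe'}


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_keys(reg_text):
    """Return (value_name, command) pairs from Run/RunOnce sections of a .reg export."""
    entries, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_run = line.rstrip(']').lower().endswith(('\\run', '\\runonce'))
            continue
        m = REG_VALUE.match(line)
        if in_run and m:
            entries.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def parse_task_actions(task_xml):
    """Return (command, arguments) pairs for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.iterfind('.//t:Actions/t:Exec', TASK_NS):
        cmd = (ex.findtext('t:Command', default='', namespaces=TASK_NS) or '').strip()
        args = (ex.findtext('t:Arguments', default='', namespaces=TASK_NS) or '').strip()
        actions.append((cmd, args))
    return actions


def executable_path(command):
    """Extract the executable from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def assess(command, arguments=''):
    """Heuristics for one persistence entry; an empty list means nothing stood out."""
    full = f'{command} {arguments}'.strip()
    exe = executable_path(command)
    reasons = []
    if USER_WRITABLE.search(full):
        reasons.append('launches from a user-writable directory')
    if AUTOIT.search(full):
        reasons.append('AutoIt interpreter or script involved')
    base = exe.rsplit('\\', 1)[-1].lower()
    if base in SYSTEM_NAMES and '\\windows\\system32\\' not in exe.lower():
        reasons.append(f'{base} outside System32 (possible name masquerade)')
    return reasons


def audit(reg_text, tasks):
    """Run both parsers; return only the entries that triggered a heuristic."""
    findings = []
    for name, command in parse_run_keys(reg_text):
        if reasons := assess(command):
            findings.append({'source': 'Run key', 'name': name, 'command': command, 'reasons': reasons})
    for task_name, xml_text in tasks.items():
        for command, args in parse_task_actions(xml_text):
            if reasons := assess(command, args):
                findings.append({'source': 'scheduled task', 'name': task_name,
                                 'command': f'{command} {args}'.strip(), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_REG_EXPORT, SAMPLE_TASKS):
        print(f"[{f['source']}] {f['name']}: {f['command']}\n    " + '; '.join(f['reasons']))
```

Run against the constructed samples, the legitimate OneDrive entry is silent while the other three entries are reported with the reason that triggered. The heuristics deliberately stay coarse (location, interpreter, name masquerade) so they can be applied to any Run key or task export without signatures; a match is a triage hint to pull the binary, not a verdict.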

O365 Outage and it’s global

Microsoft 365 was down Monday evening, affecting users’ new access requests to multiple services including Outlook, Word, Excel and Microsoft Teams.

“We’re investigating an issue affecting access to multiple Microsoft 365 services,” the Microsoft 365 Status account tweeted Monday at 5:44 p.m. ET. “We’re working to identify the full impact and will provide more information shortly.”

“Users may be unable to access multiple Microsoft 365 services,” the software giant posted on its Office status website.

The company determined that a specific portion of its infrastructure was not processing authentication requests in a timely manner. “We’re pursuing mitigation steps for this issue,” the status update said.

Microsoft Office program users who were already logged in would be able to continue their sessions, the company confirmed.

Microsoft Office outage reports began coming in at 5 p.m. ET Monday at online traffic site DownDetector. Some users began reporting a return of service about 8:30 p.m. ET on the site.

The outage stopped work for some, but created more work for others: IT specialists. “The #Office365 outage is generating tickets like crazy,” tweeted one. “I have just told 5 people in a row: ‘No, I cannot fix it. Microsoft is working on it.’”

But others on Twitter had fun at Microsoft’s expense. “There’s a global 365 outage affecting microsoft outlook, i guess we won Monday after all.”

Another Twitter user posted a global outage map, noting “The Microsoft 365 Azure Outage isn’t that bad, it’s only down in places with people that are awake.”

Alien RAT 👽 Banking Trojan

Alien RAT with 2FA-Stealing Technique
A new variant of the Cerberus malware, which has been available for rent on underground forums since January, has been found infecting Android devices and targeting more than 200 applications.

The newly identified banking trojan called Alien shares several common capabilities with the Cerberus banking malware.

Researchers reported that Alien RAT targets a list of at least 226 mobile applications, including banking apps such as BBVA Spain and Bank of America Mobile Banking, as well as a slew of collaboration and social networking apps such as Twitter, Snapchat, and Instagram.

It comes equipped with an advanced ability to bypass two-factor authentication (2FA) security measures to steal the victim’s credentials. The malware also abuses the TeamViewer application to gain full remote control over the victim’s devices.

Researchers speculate that Alien RAT is a fork of the Cerberus malware, which has undergone a steady decline in use over the past year and was put up for sale in August. Besides the capabilities the two share, there are a few notable differences.

Alien RAT has been implemented separately from the main command handler using different command-and-control (C2) endpoints.

Moreover, Alien’s 2FA-stealing technique is an additional feature beyond Cerberus’s capabilities.

More malware adding 2FA-bypass techniques
Several attackers and malware operators have upgraded their malware and attack vectors with 2FA-bypass techniques in order to carry out more successful attacks.

Banking trojans have recently been evolving with new and improved features to increase the success rate of fraud. Financial institutions are advised to assess their current and future threat exposure and to implement relevant detection and control mechanisms as early as possible.