Stantinko Bots Targets Russia

An adware and coin-miner botnet targeting Russia, Ukraine, Belarus, and Kazakhstan. the trojan masquerades as HTTPd, a commonly used program on Linux servers, and is a new version of the malware belonging to a threat actor tracked as Stantinko.

Stantinko has been traditionally a Windows malware, the expansion in their toolset to target Linux didn’t go unnoticed, but observed to be a Linux proxy version .

Upon execution, “httpd” validates a configuration file located in “etc/pd.d/proxy.conf” that’s delivered along with the malware, following it up by creating a socket and a listener to accept connections from what the researchers believe are other infected systems.

An HTTP Post request from an infected client paves the way for the proxy to pass on the request to an attacker-controlled server, which then responds with an appropriate payload that’s forwarded by the proxy back to the client.

In the event a non-infected client sends an HTTP Get request to the compromised server, an HTTP 301 redirect to a preconfigured URL specified in the configuration file is sent back.

Stating that the new version of the malware only functions as a proxy, Stantinko is the latest malware targeting Linux servers to fly under the radar, alongside threats such as Doki, IPStorm and RansomEXX.

Energetic Bear ! Strikes US

The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks , said by advisory of CISA & FBI

Intruders identified as Russian hacker group, Energetic Bear a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.

The two agencies said Energetic Bear “successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers.”

Networking Gear has been the target of attack

Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.

Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE 2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).

To move laterally across compromised networks, they used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials.

Below are some of the details that are compromised and ex-filtrated by the group

  • Sensitive network configurations and passwords.
  • Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
  • IT instructions, such as requesting password resets.
  • Vendors and purchasing information.
  • Printing access badges.

This recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. But nothing known to be till now.

XDSpy APT not uncovered So long

XDSpy the APT group, recently discovered by researchers, targeted government and private companies in Belarus, Moldova, Russia, Serbia, and Ukraine, including militaries and Ministries of Foreign Affairs.

Experts believe that the hacker group could have targeted many other countries and a good portion of its operations has yet to be discovered.

The tools in the arsenal of the XDSpy APT are quite basic, although efficient, their primary tool is a downloader dubbed named XDDown.

The malware samples analyzed by the researchers are slightly obfuscated using string obfuscation and dynamic Windows API library loading. The malware supports multiple features, including the monitoring of removable drives, taking screenshots, exfiltrating documents, and collecting nearby Wi-Fi access point identifiers.

Experts also noticed that hackers also used NirSoft utilities to recover passwords from web browsers and email clients.

Experts observed the threat actor exploiting a remote code issue in Internet Explorer tracked as CVE-2020-0968 that was addressed by Microsoft with the release of Patch Tuesday security updates for April 2020.

ESET described XDDown as a “downloader” used to infect a victim and then download secondary modules that would perform various specialized tasks.

The XDDown malware has a modular structure, some of the plugins analyzed by ESET are:

  • XDRecon
  • XDList
  • XDMonitor
  • XDUpload
  • XDLoc.
  • XDPass

The analysis of the spear-phishing campaigns linked to the APT group revealed that the hackers used email subject lines with lures related to lost and found objects and the COVID-19 pandemic. These messages came with malicious attachments such as Powerpoint, JavaScript, ZIP, or shortcut (LNK) files.

“XDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months.” concludes the report. “The group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit.”