Security News
Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities. Threat analysts from Secureworks say that the use of ransomware in espionage operations is done to obscure their tracks, make attribution harder, and create a powerful distraction for defenders.
A Chinese advanced persistent threat known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the "Difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol for command-and-control communications, according to new research published by Palo Alto Networks Unit 42 today.
A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks. LuoYu has switched to abusing the automatic update mechanism of their victims' apps after previously pushing malware in easier to pull-off watering-hole attacks where they would use compromised local news sites as infection vectors.
Cisco Talos Intelligence Group reported a new attack campaign from the infamous cyberespionage threat actor Mustang Panda, also known as Bronze President, RedDelta, HoneyMyte, TA416 or Red Lich with a particular focus on Europe. The downloader now downloads the decoy document from one URL and uses another URL to download the benign executable file, the DLL file and the final PlugX payload. More malware infections.
A new report from Mandiant reveals details about an ongoing cyberespionage operation run by a threat actor dubbed UNC3524, monitored by Mandiant since December 2019. While such targeting may suggest financial motivations, Mandiant believes it's instead motivated by espionage, because the threat actor maintains its access and remains undetected for an order of magnitude longer than the average dwell time of 21 days.
A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET. Though it's apparently been active since 2018, TA410 first came up on researchers' radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack.
China appears to be entering a raging cyber-espionage battle that's grown in line with Russia's unprovoked attack on Ukraine, deploying advanced malware on the computer systems of Russian officials. China has tried to play a neutral role since Russia began its invasion of Ukraine on February 24, with government officials saying they want to see a peaceful resolution.
ESET Research discovered a still-ongoing cyberespionage campaign using a previously undocumented Korplug variant by the Mustang Panda APT group. The current campaign exploits the war in Ukraine and other European news topics.
The politically motivated Moses Staff hacker group has been observed using a custom multi-component toolset with the goal of carrying out espionage against its targets as part of a new campaign that exclusively singles out Israeli organizations. First publicly documented in late 2021, Moses Staff is believed to be sponsored by the Iranian government, with attacks reported against entities in Israel, Italy, India, Germany, Chile, Turkey, the U.A.E., and the U.S. Earlier this month, the hacker collective was observed incorporating a previously undocumented remote access trojan called "StrifeWater" that masquerades as the Windows Calculator app to evade detection.
Known Palestinian threat actor MoleRats is likely behind a recent malicious email campaign targeting Middle Eastern governments, foreign-policy think tanks and a state-affiliated airline with a new intelligence-gathering trojan dubbed NimbleMamba, researchers said. Researchers from Proofpoint said they have observed a spear-phishing campaign using multiple vectors since November that they believe is the work of TA402, more commonly known as MoleRats and linked to the Palestinian Territories, according to a report posted online Tuesday.