Organization activities

Sophisticated campaign compromises SOHO routers. Evilnum targets a migration organization. The Black Basta ransomware gang is updating its arsenal.

At a glance.

  • Sophisticated campaign compromises SOHO routers.
  • Evilnum targets a migration organization.
  • The Black Basta ransomware gang is updating its arsenal.

Sophisticated campaign compromises SOHO routers.

Lumen’s Black Lotus Labs is tracking a sophisticated campaign that hijacks SOHO routers belonging to organizations in North America and Europe:

“We have identified a multi-level Remote Access Trojan (RAT) developed for SOHO devices that allows the actor to swing into the local network and access additional systems on the LAN by hijacking the network communications to maintain an undetected presence. While we currently have a narrow view of the full extent of the actor’s capabilities due to the limited state of monitoring SOHO devices in general, using proprietary telemetry from Lumen’s global IP backbone, we have listed some of the command and control (C2) infrastructure associated with this activity and identified some of the targets. We assess with great confidence that the items we are tracking are part of a larger campaign.”

The researchers don’t attribute the campaign to any particular threat actor, but they suspect a nation-state is behind the activity due to its sophistication:

“While compromising SOHO routers as an access vector to access an adjacent LAN is not a new technique, it has been rarely reported. Similarly, reports of person-in-the-middle attacks, such as DNS and HTTP hijacking, are even rarer and the mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign may have been conducted by a state-sponsored organization.”

Evilnum targets a migration organization.

Zscaler warns that Evilnum APT is using malware-laden spear-phishing documents to target an “intergovernmental organization dealing with international migration services.” Zscaler notes that Evilnum has in the past primarily conducted cyber espionage against financial services firms, so this campaign represents a notable shift in its targeting. Zscaler doesn’t name the targeted entity, but they say “the attack and the nature of the chosen target coincided with the Russian-Ukrainian conflict.”

The Black Basta ransomware gang is updating its arsenal.

Trend Micro reports that the Black Basta ransomware group now uses the QakBot banking Trojan to gain initial access and then exploits the PrintNightmare vulnerability (CVE-2021-34527) to perform privileged file operations:

“In the case of a Trend Micro customer, their system was infected with Black Basta ransomware that was deployed by QakBot (Figure 1). This behavior is typical of the QakBot malware family, which served as a key enabler for ransomware families like MegaCortex, PwndLocker, Egregor, ProLock and REvil (aka Sodinokibi). QakBot, which was discovered in 2007, is known for its infiltration capabilities and has been used as a “malware installer as a service” for various campaigns. Over the years, this banking Trojan has become increasingly sophisticated, as evidenced by its exploitation of a recently disclosed Microsoft zero-day vulnerability known as Follina (CVE-2022-30190).”

The researchers add: “After further analysis of the system affected by Black Basta, we found evidence indicating that the ransomware group exploited the PrintNightmare vulnerability. Exploiting this vulnerability, Black Basta abused the Windows Print Spooler service or spoolsv.exe to drop its payload, spider.dll, and perform privileged file operations. It also exploited the vulnerability to execute another file in the affected system, but samples of this file were no longer available in the system.”