From an information security perspective, 2020 was a complicated year. Not only did the pandemic affect the threat landscape, but double extortion ransomware attacks have become the new normal. To top the year off, in December the massive supply-chain campaigns were discovered, whose real extent is not yet clear.

An additional thing of note from last year is the emergence of the weaponization of cloud services by state-sponsored groups. Exploiting the cloud for criminal purposes such as phishing and malware delivery (the Ryuk ransomware is probably the most noteworthy example) is now a consolidated trend. However, some recent campaigns show how cloud exploitation is becoming increasingly common even in cyber-espionage operations, where legitimate services are used to deliver the malicious payload within a multi-stage kill chain, adding a further layer of evasion.

MuddyWater (AKA Seedworm and TEMP.Zagros) is an Iranian threat group that primarily targets the Middle East, but also Europe and North America. The group's victims are mainly in the telecommunications, government (IT services) and oil sectors. Its latest campaign deploys an extremely complex kill chain where the malware strain is initially delivered via a Word file with an embedded macro. When the macro is executed, it launches PowerShell, which downloads and executes a PowerShell script from GitHub. This PowerShell script then downloads a PNG file from the image hosting service Imgur and, through steganography, the pixel values of the image are used to decode a Cobalt Strike script that connects to the command and control server to receive additional instructions.

Cobalt Strike is a penetration testing tool that allows, among other things, commands to be run on the endpoint, and it is often weaponized by threat actors (as in this case). This benign characteristic is exploited by the attackers: the decoded payload includes an EICAR string to deceive analysis tools and SOC analysts, making them believe that the payload is part of a test. This campaign has an uncommon degree of complexity, with multiple stages that provide different levels of evasion: the exploitation of a well-known cloud service, steganography and the weaponization of a security tool.

A Cocktail of Cloud Services for Molerats

Security researchers from Cybereason have recently revealed the details of an active espionage campaign carried out by Molerats (also known as The Gaza Cybergang), a politically motivated threat group with victims primarily in the Middle East, Europe and the United States. This campaign, aimed at Arabic-speaking targets, used two previously unidentified backdoors called SharpStage and DropBook (this second name may sound familiar), and exploited multiple cloud services for the stages of malware delivery (Dropbox and Google Drive) and command and control (again Dropbox, and Facebook, hence the name DropBook for the second backdoor). The attack chain starts with phishing documents delivered via social engineering, with themes related to current Middle Eastern affairs. Once executed, the bait documents download the two backdoors from either Dropbox or Google Drive.

DropBook is a Python backdoor that can execute commands received from Facebook and also download and execute additional payloads from Dropbox. Among the different malicious features, the backdoor implements a Dropbox client that exfiltrates the data

Unsurprisingly, as observed by the researchers, the exploitation of cloud services has the purpose of avoiding detection and making the malicious infrastructure resilient:

"Both backdoors operate in a stealthy manner, implementing the legitimate cloud storage service Dropbox to exfiltrate the stolen information from their targets, thus evading detection or takedowns by using a legitimate web service. In addition, DropBook exploits the social media platform Facebook, where the backdoor operators create fake accounts to control the backdoor while hiding in plain sight. DropBook differs from the other espionage tools in the arsenal since it relies solely on fake Facebook accounts for C2 to receive instructions from its operators. While the exploitation of social media for C2 communication is not new, it is not often observed in the wild."

In the last example, a 13-year-old backdoor trojan dubbed Bandook (a commercially available Remote Access Tool available since 2007) has recently returned from the past for a new espionage campaign against various targets worldwide, adapting itself to the existing trend of exploiting the cloud inside a complex multi-stage kill chain.

Even in this case the attack chain is quite sophisticated, and can be simplified as follows:







