S.O.V.A. – New Android banking trojan
Researchers at ThreatFabric have discovered a new Android banking trojan, active at least since the beginning of August, which they have named S.O.V.A. Its main objective is to collect personally identifiable information (PII) from victims. It includes the functionality common to this type of malware, such as overlay attacks, keylogging and notification manipulation, but also less common capabilities such as the theft of session cookies, which lets attackers reuse a victim's authenticated sessions without ever knowing their credentials.
The trojan is still under development, and its authors are reportedly advertising it on underground forums in order to test it on a wider range of devices and implement the improvements they need. According to the researchers, builds have already been detected that impersonate banking institutions mainly in the United States and Spain, although the advertisement offers to adapt it to other entities according to the buyer's needs.
Vermilion Strike: Unofficial version of a Cobalt Strike Beacon
In August, Intezer researchers discovered an unofficial re-implementation of the Cobalt Strike Beacon for Linux and Windows systems. This Beacon, named Vermilion Strike, was reportedly written from scratch by unknown threat actors and shares no code with the official version. It speaks the same Command and Control protocol as Cobalt Strike and provides remote access capabilities such as uploading files, executing commands and writing to files. It has been in use since August in targeted attacks against telecommunications companies, government agencies, technology companies and financial institutions around the world, and the ultimate goal of the attacks appears to be cyberespionage.
Operation Harvest: Long-running cyber-espionage campaign
McAfee researchers have published an analysis of a long-running operation they have named “Harvest”. The investigation began with a single malware incident and grew into the analysis of a highly sophisticated intrusion that lasted several years. The threat actor gained initial access by compromising a victim's web server, established persistence and installed tools for information gathering, privilege escalation, lateral movement and file execution, including PsExec, Procdump, Mimikatz, RottenPotato and BadPotato. Alongside this tooling, the actor used the PlugX and Winnti malware families to escalate privileges and backdoor the victim's infrastructure. The researchers attribute the intrusion to a Chinese actor with links to APT27 and APT41, whose main objective was to maintain a presence within the victim's infrastructure in order to exfiltrate intelligence for commercial or military purposes.
Additional details on the 0-day exploitation campaigns in Microsoft MSHTML
Microsoft researchers have published a detailed analysis of the first attacks detected exploiting CVE-2021-40444, together with their likely attribution. The first campaigns date back to August: emails posing as legal or contractual agreements linked to malicious documents hosted on legitimate file-sharing sites, which delivered loaders for Cobalt Strike beacons. The final payload did not carry the Mark of the Web that Windows applies to files downloaded from an external source, so it was executed directly without further user interaction, which confirms that the vulnerability was exploited. According to Microsoft, these initial attacks are attributed to DEV-0365, an emerging cluster of activity associated with Cobalt Strike infrastructure. However, some of the infrastructure that hosted the initial malicious documents can also be linked to BazarLoader and Trickbot payloads, activity associated with the threat actor DEV-0193 (also known as UNC1878 or Wizard Spider). Despite these links to generic actors, Microsoft has assigned this exploitation activity to a new group, DEV-0413, because the phishing emails were closely aligned with the business operations of the targeted organisations rather than being generic campaigns. In addition to Microsoft's investigation, security researchers on Twitter have in recent days been warning of spam campaigns that distribute the Ramnit trojan by exploiting the same flaw.
OMIGOD: Vulnerabilities in the cloud supply chain
Wiz researchers have recently discovered several vulnerabilities in the Open Management Infrastructure (OMI) software agent, which is integrated into many popular Azure services. The four vulnerabilities, CVE-2021-38647 (CVSS 9.8), CVE-2021-38648 (CVSS 7.8), CVE-2021-38645 (CVSS 7.8) and CVE-2021-38649 (CVSS 7.0), are collectively referred to as “OMIGOD”. The risk affects customers running Linux virtual machines in the cloud, because the OMI agent is installed and run automatically, without the user's knowledge, when certain Azure services are enabled (e.g. Log Analytics, Diagnostics, Configuration Management), so these vulnerabilities could allow an attacker to escalate to root privileges and, on hosts where OMI's management port is reachable over the network, execute code remotely. Microsoft has released the patched OMI version 1.6.8-1, and it is advised to update as soon as possible, since according to the researchers thousands of Azure customers and millions of endpoints are affected.
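As an added example (not code from the Wiz or Microsoft advisories), the check an operator can run on a Linux VM to see whether the installed OMI package predates the fixed 1.6.8-1 build and whether OMI's remote management listeners are open. It assumes the package is registered as "omi" in dpkg or rpm, that version strings are purely numeric fields separated by "." or "-", and that OMI's network listeners use TCP 5985, 5986 or 1270; all three are assumptions of this example.

```shell
#!/bin/sh
# Added example: is this Linux host running an OMI build older than the
# OMIGOD fix (1.6.8-1), and is OMI listening on the network?

PATCHED_OMI_VERSION="1.6.8-1"

# Compare two versions field by field, treating "-" like ".".
# Prints -1, 0 or 1 (strcmp style). Assumes numeric fields only.
omi_version_cmp() {
    # Trailing "." lets the loop strip one field per iteration.
    a=$(printf '%s.' "$1" | tr '-' '.')
    b=$(printf '%s.' "$2" | tr '-' '.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; a=${a#*.}
        fb=${b%%.*}; b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}          # missing field counts as 0
        if [ "$fa" -lt "$fb" ]; then printf '%s\n' -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given version is older than the patched build.
omi_is_vulnerable() {
    [ "$(omi_version_cmp "$1" "$PATCHED_OMI_VERSION")" -lt 0 ]
}

# Read the installed OMI version from dpkg or rpm (package name "omi" is an
# assumption). Prints nothing and fails if the package is not installed.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' omi 2>/dev/null) && {
            printf '%s' "$v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && {
            printf '%s' "$v"; return 0; }
    fi
    return 1
}

# List OMI's listening management sockets (ports assumed: 5985, 5986, 1270).
# A local-only install without these open is an LPE exposure, not an RCE one.
omi_remote_listeners() {
    command -v ss >/dev/null 2>&1 || return 2
    ss -ltn 2>/dev/null | awk '$4 ~ /:(5985|5986|1270)$/ { print $4 }'
}

# Exit 0 = patched, 1 = vulnerable version, 2 = OMI not installed.
omi_report() {
    v=$(installed_omi_version) || { echo "OMI package not installed"; return 2; }
    if omi_is_vulnerable "$v"; then
        echo "OMI $v is older than $PATCHED_OMI_VERSION: update now"
        echo "(CVE-2021-38645, CVE-2021-38647, CVE-2021-38648, CVE-2021-38649)"
        listeners=$(omi_remote_listeners)
        [ -n "$listeners" ] && echo "Network listeners open (remote exposure): $listeners"
        return 1
    fi
    echo "OMI $v is at or above $PATCHED_OMI_VERSION"
    return 0
}

omi_report || :
```

Run it as root on each Linux VM that has Log Analytics, Diagnostics or Configuration Management enabled; a non-zero exit with open listeners is the case to treat as urgent, since that is the configuration in which the CVSS 9.8 issue is reachable from the network rather than only by a local user.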