Dangerous new cybercrime gang attacks government and military targets
Gang found using unorthodox tactics to deploy infostealers
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
A dangerous new cybercrime group has been spotted targeting government agencies and military organizations in the Asia-Pacific region.
According to multiple cybersecurity firms who spotted the threat actor, it seems to be deploying unorthodox tactics to obtain sensitive information from targetendpoints.
Two cybersecurity firms were initially tracking the attackers - Group-IB, and Anheng Hunting Labs. While the former dubbed the group Dark Pink, the latter calls it Saaiwc Group. Regardless of the name, the hackers are using spear-phishing attacks for initial deployment, and infectedUSB drivesfor spreading.
Abusing known flaws
The spear-phishing emails are usually fake job applications designed to lure victims into downloading weaponized ISO files. These files would abuse a known high-severity vulnerability tracked as CVE-2017-0199 (Office/WordPad remote code execution vulnerability) to deploy either Ctealer or Cucky (custom-built infostealers). These would later deploy a registry implant named TelePowerBot.
A separate method was observed deploying KamiKakaBot, designed to read and execute commands.
Both Cucky and Ctealer are designed to stealpasswords, browsing history, saved credentials, and cookies from most of today’s popularbrowsers(and then some). Furthemore, the group is able to access messenger applications, steal documents, and grab audio via microphones connected to infected devices.
Check out our list of the best firewalls out there>The US military is going all-in on zero-trust>US military hackers have carried out attacks to help Ukraine
“During infection, the threat actors execute several standard commands (e.g. net share, Get-SmbShare) to determine what network resources are connected to the infected device. If network disk usage is found, they will begin exploring this disk to find files that may be of interest to them and potentially exfiltrate them,” Group-IB explained.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
In the second half of 2022, the group launched at least seven successful attacks, the researchers claim.
All seven organizations (for which the attacks had been confirmed) have been notified of the attack and were given tips on how to proceed. The researchers state that it’s highly likely that the group compromised an even bigger number of organizations, but confirmations are yet to come.
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption
