Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
OnionPoison involved in wild infection chain of TOR Browser installer spread via YouTube channels
WhiskerSpy is a backdoor trojan that was discovered in early 2021. It is associated with the threat actor group Earth Kitsune, which has been active since at least 2018. The backdoor is designed to give the attackers full control over the compromised system and steal sensitive information. They have previously used various backdoors such as AgfSpy and CloudDragon to carry out their malicious activities. WhiskerSpy is particularly notable for its advanced technical features, including the use of lesser-known hashing algorithms and elliptic curve cryptography.Their recent deployment of the WhiskerSpy backdoor shows their continued evolution and sophistication in their tools, tactics, and procedures (TTPs). ## Technical Details WhiskerSpy is a 64-bit executable that can run on Windows systems. It can be installed via a variety of methods, including exploit kits, malicious email attachments, and watering hole attacks. Once installed, WhiskerSpy communicates with a command and control (C&C) server to receive instructions from the attackers and report back on the status of the compromised system. WhiskerSpy implements a number of standard functions, including an interactive shell, file upload and download, file listing, file deletion, and more. Each function is associated with specific status codes that report back to the C&C server on the success or failure of the operation. For example, the interactive shell function can return either a CommandLine Process Fail (CPF) or CommandLine Process Success (CPS) status code depending on whether the command executed successfully. WhiskerSpy also includes a unique "alive" packet that responds to the server with the bytes "e7 94 9f", which is also the UTF-8 encoding of the Chinese character 生 (shēng = life). This allows the attackers to confirm that the backdoor is still operational on the compromised system. One of the most interesting aspects of WhiskerSpy is its use of advanced cryptography. It generates unique machine IDs and session IDs for each compromised system using a combination of the MD5 and SHA-1 hashing algorithms. It then uses elliptic curve cryptography (ECC) to protect its encryption keys, making it much more difficult for security researchers to analyze and reverse engineer the malware. WhiskerSpy is also notable for its persistence mechanisms. It patches legitimate installers to hide its activities and uses a variety of techniques to avoid detection by antivirus software, including packing and obfuscation. In addition, it employs a unique technique for maintaining persistence by hiding its code in the Windows Task Scheduler using an XML file. ## Earth Kitsune Group Attribution: The deployment of the WhiskerSpy backdoor can be attributed to the Earth Kitsune group with medium confidence. Injecting malicious scripts into North Korean-related websites shows a similar modus operandi and victimology to the previous activities of the group. The delivery server and the C&C server of WhiskerSpy used in this attack have two infrastructure overlaps with previous research on Operation Earth Kitsune. The first overlap is that both WhiskerSpy's C&C domain londoncity[.]hopto[.]org and Earth Kitsune’s domain rs[.]myftp[.]biz were resolved to the same IP address 45[.]76[.]62[.]198. The second overlap is that WhiskerSpy’s C&C domains londoncity[.]hopto[.]org and updategoogle[.]servehttp[.]com, plus the domain of the delivery server microsoftwindow[.]sytes[.]net were all resolved to 172[.]93[.]201[.]172. This IP address was also mapped from the domain selectorioi[.]ddns[.]net which was used by Earth Kitsune’s agfSpy backdoor. ## End Note WhiskerSpy is an advanced and sophisticated backdoor trojan associated with the Earth Kitsune threat actor group. Its advanced technical features, including the use of lesser-known hashing algorithms and elliptic curve cryptography, make it particularly difficult to analyze and detect. To defend against advanced threats like WhiskerSpy, organizations should employ a multilayered security approach and use technologies that can detect and block these types of threats from infiltrating the system through endpoints, servers, networks, and emails.
In recent months, there has been an increase in cyber espionage campaigns targeting internet-facing devices, particularly those used for managed security purposes such as firewalls and IPS/IDS appliances. As they are connected to the internet, attackers with the right exploit can obtain access to a network without the victim having to take any action. This gives the attacker more control over the process and reduces the probability of discovery. One such campaign that has been discovered is being widely executed by a China-based group and is targeting FortiOS devices with a new Linux-based malware called "BOLDMOVE". The group is believed to have exploited a recently discovered vulnerability (CVE-2022-42475) in Fortinet's FortiOS SSL-VPN as a zero-day in December 2022. The vulnerability allows remote unauthenticated attackers to crash targeted devices remotely or gain remote code execution. In this threat research we will provide a comprehensive analysis of the BOLDMOVE malware and its conventional tactics, techniques, and procedures (TTPs) leveraged by the China-based threat actor group in their ongoing cyber espionage campaign. ## Background Fortinet is a leading provider of network security devices and the FortiOS operating system is widely used in enterprise networks. In November 2022, Fortinet quietly fixed a vulnerability (CVE-2022-42475) in FortiOS that allows remote unauthenticated attackers to crash targeted devices remotely or gain remote code execution. Fortinet publicly announced the vulnerability in December 2022 and advised its customers to promptly patch their devices as the vulnerability was being actively exploited by threat actors. It wasn't until January 2023 that Fortinet shared more details about how hackers exploited the vulnerability, explaining that threat actors had targeted government entities with custom malware specifically designed to run on FortiOS devices. The attackers were focused on maintaining persistence on exploited devices by using the custom malware to patch the FortiOS logging processes so that specific log entries could be removed or to disable the logging process altogether. ## Malware Analysis BOLDMOVE is a full-featured backdoor written in C that enables Chinese hackers to gain higher-level control over the device, with the Linux version specifically created to run on FortiOS devices. Mandiant identified several versions of BOLDMOVE with varying capabilities, but the core set of features observed across all samples include: Performing system surveying. Receiving commands from the C2 (command and control) server. Spawning a remote shell on the host. Relaying traffic through the breached device. The commands supported by BOLDMOVE allow threat actors to remotely manage files, execute commands, create interactive shells, and control the backdoor. The Windows and Linux variants are largely the same but utilize different libraries, and it is believed that the Windows version was compiled in 2021, almost a year before the Linux variant. One of the Linux variants of BOLDMOVE contains functionality that specifically targets FortiOS devices. One of the key capabilities of BOLDMOVE is its ability to manipulate system logs on a compromised device. This allows attackers to remove specific log entries or disable logging processes entirely, making it more difficult for defenders to detect and track the intrusion. This allows the attackers to maintain persistence on the device for longer periods of time, and also makes it harder for defenders to understand the scope and nature of the attack. Additionally, this version of BOLDMOVE can send requests to internal Fortinet services, allowing attackers to send network requests to the entire internal network and spread laterally to other devices. The Linux variant of BOLDMOVE leverages several statically compiled libraries to implement its functionality, including an undetermined and likely custom library used for event handling, WolfSSL for SSL encrypted communication to the C2 server, and Musl libc. Upon failure, the malware reruns itself in a new process. In addition, if the malware is executed with a command line argument, it would not initiate the backdoor logic but rather attempt to execute the provided argument as a new process. Prior to starting the backdoor's logic, the malware calls the signal function in order to ignore the signals SIGCHLD, SIGHUP, SIGPIPE. The extended version of BOLDMOVE contains all the aforementioned functionality but with additional features. It contains Execution Guardrails (T1480) by verifying that it is running on a specific device and using specific configurations. ## TTPs The China-based group behind the BOLDMOVE malware has used several TTPs in their cyber espionage campaign. These include: Exploiting a zero-day vulnerability in FortiOS devices. Developing custom malware specifically designed to run on FortiOS devices. Maintaining persistence on exploited devices by patching the FortiOS logging processes and disabling logging altogether. Using a C2 server to receive commands and control the malware. Using a remote shell to access and control the compromised device. Relaying network traffic through the breached device. Target Selection: The targeted entities in this campaign have been government entities and managed service providers located in Europe and Africa. This suggests that the group behind the BOLDMOVE malware is focused on gathering sensitive information from government and potentially critical infrastructure organizations. BOLDMOVE malware uses a specific path in order to gain access to and control FortiOS devices. The malware begins by exploiting a zero-day vulnerability in FortiOS devices, specifically CVE-2022-42475. This vulnerability allows for remote unauthenticated attackers to crash targeted devices remotely or gain remote code execution. Once the vulnerability has been exploited, the malware uses a custom-developed Linux variant specifically created to run on FortiOS devices. The malware then uses this variant to perform system surveying, receive commands from the C2 (command and control) server, and spawn a remote shell on the host. Additionally, the malware can relay traffic through the breached device, allowing it to spread laterally to other devices on the network. The attackers also focus on maintaining persistence on the compromised device by patching the FortiOS logging processes and disabling logging altogether. It is important to note that this is not the only way of intrusion and the attackers may use other techniques as well, but this is the general path that is used by the BOLDMOVE malware. ## Mitigation To protect against the BOLDMOVE malware and similar threats, organizations should take the following steps: Apply the latest security patches for FortiOS devices as soon as they become available. Use network segmentation and access controls to limit the spread of malware within the network. Monitor network traffic for signs of malicious activity, such as network communications with known C2 servers. Regularly review system and security logs for signs of suspicious activity. Use endpoint protection and intrusion detection/prevention systems to detect and block malware. Regularly update anti-virus software and perform malware scans. ## Ending Note The BOLDMOVE malware is a new and sophisticated threat that specifically targets FortiOS devices. The China-based group behind the malware has demonstrated a deep understanding of how these devices operate and the initial access opportunity they present. By exploiting a zero-day vulnerability and developing custom malware, the group has been able to maintain a persistent foothold on compromised devices and gather sensitive information from government and critical infrastructure organizations. Organizations should take immediate steps to protect themselves against this threat by applying the latest security patches and implementing the recommended mitigation techniques.
In recent years, the threat landscape of mobile devices has grown exponentially, with Advanced Persistent Threat (APT) groups increasingly targeting mobile devices as a means to gain access to sensitive information. One such APT group, which goes by the moniker StrongPity has resurfaced lately. StrongPity APT is a cyber-espionage group infamous for its targeted attacks against individuals and organizations in the Middle East and North Africa, as well as in Europe and South America. The group has been active since at least 2012, and has been known to use a variety of tools and techniques to gain access to its targets. In this [threat research](https://www.secureblink.com/threat-research), we will provide an in-depth analysis of the StrongPity APT group campaign, which primarily targets Android users with a trojanized version of the legitimate Telegram app and its methods of operation, as well as the technical details of the malware used in the campaign. ## Background: StrongPity APT group has been active since at least 2012 and is known for its targeted attacks against individuals and organizations in the Middle East and North Africa, as well as in Europe and South America. The group has been known to use a variety of tools and techniques to gain access to its targets, including phishing emails, watering hole attacks, and malware. The group's primary focus is on espionage, but it has also been known to use its access to target's systems for financial gain. The group is believed to have been active since at least 2012 and is known for using a variety of tactics to target individuals and organizations in a number of countries, including Belgium, France, Italy, Spain, and Turkey. The group has been linked to a number of high-profile attacks, including the targeting of a Turkish mobile operator in 2016 and a number of attacks against Belgian and Italian telecommunications companies in 2017. ## Campaign Overview: The latest campaign by the StrongPity APT group is focused on Android users and leverages a fully functional but trojanized version of the legitimate Telegram app, which despite being non-existent, has been repackaged as "the" Shagle app. The campaign is being [distributed](http://twitter.com/malwrhunterteam/status/1549125906416943108) through a website impersonating Shagle services, which only provides an Android app to download, with no web-based streaming possible. The trojanized app uses the same package name as the legitimate Telegram app, which means that if the official Telegram app is already installed on the device, the backdoored version cannot be installed. ## Malware Analysis: The StrongPity backdoor has various spying features, including the ability to record phone calls and collect SMS messages, call logs, and contact lists. The malware is also capable of exfiltrating data from other apps if the victim grants the app notification access and activates accessibility services. This allows the attackers to gain access to sensitive information from a variety of apps including Viber, Skype, Gmail, Messenger, and Tinder. ![Trojanized app requesting dangerous permissions.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Trojanized_app_requesting_dangerous_permissions_c6a35492dc.jpg) ***Trojanized app requesting dangerous permissions*** The malware's 11 dynamically triggered modules are responsible for these various functions and are being documented publicly for the first time. The StrongPity malware is modular in nature, with additional binary modules being downloaded from the C&C server, which means that the number and type of modules used can be changed at any time to fit the campaign requests. This modularity allows the malware to remain flexible and adaptable to the needs of the campaign. ![11 module-fetch.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/11_module_fetch_0f5f0a4496.jpg) ***Modules of 11 getting fetched from C&C Servers*** ## Targeting Shagle Users Shagle is a legitimate random-video-chat platform that allows strangers to talk via an encrypted communications channel. However, the platform is entirely web-based and does not offer a mobile app. StrongPity has been found using a fake website since 2021 that impersonates the actual Shagle site to trick victims into downloading a malicious Android app. ![Fake vs Real App.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Fake_vs_Real_App_6ab74d219d.jpg) ***Comparison between legit as well as fake Shagle app*** Once installed, this app enables the hackers to conduct espionage on the targeted victims, including monitoring phone calls, collecting SMS texts, and grabbing contact lists. The fake Shagle website is designed to mimic the original website and is likely being spread through spear-phishing emails, smishing (SMS phishing), or instant messages on online platforms. ## Victimology: The campaign is likely very narrowly targeted, as ESET telemetry still hasn’t identified any victims. The repackaged version of Telegram uses the same package name as the legitimate Telegram app, which means that if the official Telegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed. This might mean that the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed or the campaign focuses on countries where Telegram usage is rare for communication. ![Malicious app won't install as Telegram installed.jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/Malicious_app_won_t_install_as_Telegram_installed_83a15382fa.jpg) ***If official Telegram app is already installed then trojanized version cannot be successfully installed*** ## Code Analysis The malicious Android application distributed by StrongPity is an APK file named "video.apk," which is the standard [Telegram](https://core.telegram.org/api/obtaining_api_id#using-telegrams-open-source-code) v7.5.0 (February 2022) app modified to impersonate a Shagle mobile app. [ESET researchers](https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/) were able to attribute the campaign to the StrongPity APT group based on code similarities with past payloads and the fact that the Android app is signed with the [same certificate](http://www.trendmicro.com/ru_ru/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html) the APT used to sign an app that mimicked the Syrian e-gov Android application in a 2021 campaign. Upon installation, the malware requests access to the Accessibility Service and then fetches an AES-encrypted file from the attacker's command and control server. This file consists of 11 binary modules extracted to the device and used by the backdoor to perform various malicious functionality. Each module performs an espionage function and is triggered as needed. ### Here is a following list of malicious spyware modules: libarm.jar: records phone calls libmpeg4.jar: collects text of incoming notification messages from 17 apps local.jar: collects file list (file tree) on the device phone.jar: misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date resources.jar: collects SMS messages stored on the device services.jar: obtains device location systemui.jar: collects device and system information timer.jar: collects a list of installed apps toolkit.jar: collects contact list watchkit.jar: collects a list of device accounts wearkit.jar: collects a list of call logs The gathered data is stored in the app's directory, encrypted with AES, and eventually sent back to the attacker's command and control server. ## Indicators of Compromise In order to detect and protect against the StrongPity malware, it is important to be aware of the following Indicators of Compromise (IoCs): File Hashes: The following file hashes have been identified as associated with the StrongPity malware: 50F79C7DFABECF04522AEB2AC987A800AB5EC6D7 (video.apk) 77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91 (libarm.jar) 5A15F516D5C58B23E19D6A39325B4B5C5590BDE0 (libmpeg4.jar) D44818C061269930E50868445A3418A0780903FE (local.jar) F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE (phone.jar) ## Mitigation & Prevention: To protect against the StrongPity campaign, it is important to be cautious when downloading apps from third-party app stores, and to only download apps from official app stores such as Google Play. Additionally, organizations should implement security controls such as firewalls, intrusion detection systems, and anti-virus software to detect and prevent malware infections. It is also important to be aware of phishing attempts, and to be cautious when clicking on links in emails or text messages. Additionally, organizations should be aware of the signs of a potential APT attack, such as unusual network traffic, and to have incident response plans in place to quickly detect and respond to an attack. Regularly updating software and systems, and providing cybersecurity training to employees can also help to prevent a successful attack.