ShadowTalk Update – 2.11.19
February 8, 2019
Alex and Jamie join Harrison to discuss how the United Arab Emirates (UAE) intelligence services compromised iPhones through the “Karma” malware. They also look at a spam campaign targeting American users, distributing the “Trickbot” banking trojan; Vietnamese threat group “OceanLotus” deploying a new custom downloader; and a distributed denial of service (DDoS) campaign displaying record-breaking power by combining techniques. Read the full intelligence summary here.
UAE compromises iPhones through Karma spyware
The UAE’s intelligence services reportedly used spyware known as Karma to compromise the Apple iPhones of “hundreds” of domestic and foreign individuals. Contractors, such as Emirati security officials and former United States intelligence operatives, employed Karma to target activists, diplomats and government officials, according to Reuters news agency. There have now been numerous controversial incidents involving the sale and use of spyware, indicating a broader trend. It highlights how commercially available tools can enable state-associated threat actors to develop their capability and grow as a threat.
Spam campaign hits US email users with Trickbot banking trojan
A spam campaign distributing the Trickbot banking trojan was identified targeting users in the United States. Phishing emails impersonated an investment banking company or other organizations to increase their perceived legitimacy. The messages contained a malicious attachment that triggered the trojan infection process when opened by a recipient. Reporting suggested that the campaign could have extended beyond the United States, and more attacks using Trickbot are likely in the next three to six months.
Vietnamese threat group OceanLotus releases custom downloader
The Vietnamese threat group OceanLotus has deployed a new custom downloader that includes new anti-detection techniques in a recently observed cyber attack campaign. The code for the “KerrDown” malware was hidden in a lure document, very likely to bypass security platforms capable of identifying malicious binaries. OceanLotus continues to be highly active and has steadily developed its tactics and tools. Although this recent campaign appears to have targeted Vietnamese-speaking entities, the group has previously targeted foreign entities and it is possible that the same tactics will be deployed against other targets in the next six months.
New DDoS attack campaign four times more powerful than previous
A distributed denial of service attack, reportedly four times more powerful than the one reported against GitHub in 2018, was recently observed by security researchers. The attack used two older techniques, known as “SYN flood” and “large SYN flood”, simultaneously to direct 500 million packets per second against an unspecified target. This type of attack is reportedly harder to mitigate because of the sheer volume of packets sent, which taxes packet-processing capacity rather than just link bandwidth. In this case, the victim was able to negate the attack’s impact, but other organizations that lack DDoS protection services would almost certainly have suffered significant disruption. The exact motive of the attackers is unconfirmed, but DDoS attacks are typically used to cause disruption (although they can also serve as a distraction from other malicious activity).
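As an added illustration, not from the original post or from the researchers who reported the attack, the following Python snippet classifies constructed per-second packet windows to separate the two techniques the passage says were combined: a plain SYN flood stresses per-packet processing (high packets per second with tiny packets), while a "large SYN flood" pads each SYN so it also consumes link bandwidth. The `make_burst` generator, the record layout and all thresholds are assumptions chosen for the example, not values from the report.

```python
def make_burst(start, count, flags, size, src_prefix):
    """Constructed traffic for the example: `count` packets spread over one
    second, each a (timestamp, src_ip, tcp_flags, size_bytes) tuple."""
    return [(start + i / count, f"{src_prefix}.{i % 254 + 1}", flags, size)
            for i in range(count)]


def summarize_window(packets, window_s=1.0, large_size=600):
    """Aggregate one window of packet records into the rates a defender
    watches: packets/s, bits/s, share of pure-SYN packets, and how many of
    those SYNs are padded ("large"). `large_size` is an assumed cut-off."""
    total = len(packets)
    if total == 0:
        return None
    syn = [p for p in packets if p[2] == "S"]          # SYN without ACK
    syn_large = sum(1 for p in syn if p[3] >= large_size)
    bytes_total = sum(p[3] for p in packets)
    return {
        "pps": total / window_s,
        "bps": bytes_total * 8 / window_s,
        "syn_ratio": len(syn) / total,
        "large_syn_share": syn_large / len(syn) if syn else 0.0,
        "unique_srcs": len({p[1] for p in packets}),
    }


def classify(stats, pps_limit=100_000, syn_ratio_limit=0.9):
    """Label a window. Limits are illustrative assumptions; a real deployment
    derives them from its own baseline (the attack in the text hit 500 Mpps)."""
    if stats is None or stats["syn_ratio"] < syn_ratio_limit:
        return "normal"
    if stats["pps"] < pps_limit:
        return "normal"
    share = stats["large_syn_share"]
    if share >= 0.8:
        return "large_syn_flood"    # bandwidth pressure: many bytes per SYN
    if share <= 0.2:
        return "syn_flood"          # packet-rate pressure: many tiny SYNs
    return "combined_syn_flood"     # both at once, as in the attack above


if __name__ == "__main__":
    # Constructed sample windows using documentation address ranges.
    benign = make_burst(0, 200, "A", 500, "198.51.100")
    mixed = (make_burst(1, 100_000, "S", 60, "198.51.100")
             + make_burst(1, 100_000, "S", 900, "203.0.113"))
    for name, window in (("benign", benign), ("mixed", mixed)):
        print(name, classify(summarize_window(window)))
```

Only windows that are both SYN-dominated and above the packet-rate budget are labelled, so a busy but legitimate server that sees a normal SYN/ACK mix stays "normal".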