ShadowTalk Update – 2.18.19
February 19, 2019
Alex and Jamie matched with Harrison in this Valentine’s week episode of ShadowTalk. We discuss why four different APT groups were observed using the same tooling, vulnerabilities in Apple’s iOS, and what everyone did for Valentine’s Day.
Highlights from the week include: the exploitation of two zero-day vulnerabilities in Apple’s iOS platform, the abuse of Google Translate to conceal malicious hyperlinks in a phishing campaign, and the adoption of steganography techniques against Italian banking customers involving the “Ursnif” banking trojan.
Attackers in Asia Pacific share malicious supply chain
Four APT groups associated with different nation-states have been using the same Rich Text Format (RTF) phishing weaponizer tool in their various campaigns, according to security researchers. The implication is that the Chinese and Indian groups seem to be drawing from the same supply chain, although the source of the tool and its creator are unconfirmed. One theory is that the groups purchased specialized malicious tools through a niche supply chain aimed at APT threat actors; the growing market for such tools helps hinder attack attribution and means less-sophisticated threat groups do not have to invest in developing their own capabilities.
Threat actors exploit zero-day vulnerabilities in Apple iOS
A researcher at Google reported that unknown attackers had exploited two previously unreported zero-day vulnerabilities affecting Apple devices. Both flaws exploit core iOS security features by allowing attackers to gain elevated privileges, or executing arbitrary code with kernel privileges through malicious apps. Specific details of the zero-days are not publicly available, most likely to reduce the risk of additional exploitation attempts. Apple released a patch to address both bugs, and has advised users to update their devices as soon as possible.
Phishing campaign abuses Google Translate to conceal malicious links
In a recent email phishing campaign attackers used the online translation tool Google Translate to obscure a link included in phishing emails. When victims accessed the link, they were led to a malicious domain: a spoofed login page for Google or Facebook whose URL was obscured in their browser’s address bar. The attackers’ technique likely bypassed in-browser security notifications. Using Google Translate for obfuscation is a unique tactic, but this campaign was unlikely to have been conducted by sophisticated threat actors. It is more likely to have been a widespread and untargeted campaign. Attackers are almost certain to continue to develop their social engineering techniques to make their phishing campaigns more successful in the long-term future.
Ursnif banking trojan adopts steganography techniques
A new cyber threat campaign has been distributing the Ursnif banking trojan to Internet banking users based in Italy. The campaign used steganography to obscure malicious code and evade security software: a relatively sophisticated technique that has been increasingly adopted by threat actors to increase the effectiveness of their campaigns. This tactic is likely to remain popular for the long-term future. Moreover, Ursnif has seen widespread use across multiple target geographies, and is likely to continue being actively developed. Additional Ursnif infections will probably be reported in the next three to six months.
For more details, read the full Weekly Intelligence Summary here:
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.