This week, Alex Guirakhoo and Jamie Collier join Harrison to discuss APT39, a new Iran-linked espionage group, as well as other highlights from this week involving updated information about exploiting an authentication error at GoDaddy, malicious uses of the Google Cloud platform, and some excellent steganography being used to target Apple users. The guys also chat about their pups, and imagine a new battle royale game “BorkNite”. Read the full intelligence summary here.
Highlights from the week include an authentication vulnerability affecting Web hosting company GoDaddy, which has reportedly been used to hijack dormant domains for malicious spam campaigns. In addition, several phishing attacks primarily targeting the financial services sector have abused Google Cloud Platform to distribute the “Cobalt Strike” penetration testing tool. Finally, a malvertising campaign that uses steganography techniques for obfuscation is specifically targeting users of macOS.
Iran-linked cyber spies continue to attack Middle Eastern entities
The newly dubbed, Iran-linked APT39 threat group has been seeking to harvest personally identifiable information (PII) by waging cyber espionage attacks against a variety of organizations, primarily in the Middle East. Security researchers are now crediting APT39 for activity that was previously attributed to the Iran-associated Chafer group. Iranian cyber activity has been prevalent throughout the past year, with no indication of a future reduction or cessation in attacks. Tension between Iran and West-aligned countries, such as Saudi Arabia, is likely to spawn future malicious cyber campaigns. Iranian threat groups have demonstrated sophisticated capabilities and evolved their tactics and techniques to target regions and sectors of importance to Iranian state interests. Any information harvested by APT39 and shared with other threat actors could be instrumental in future attacks, such as spearphishing campaigns.
Spammers abused GoDaddy authentication loophole to hijack domains
Security researchers identified an authentication loophole affecting the domain registrar and Web hosting company GoDaddy. This vulnerability was reportedly used to hijack legitimate, dormant domains for use in malicious spamming campaigns during 2018. Threat actors were able to use free accounts to transfer ownership of domains without validation by altering their associated DNS servers. By hijacking legitimate domains with good reputations, threat actors can increase the perceived legitimacy of spam emails, enabling them to bypass filters and improving the likelihood of reaching their intended targets.
Google Cloud Platform manipulated to drop Cobalt Strike tool
In several recent phishing attacks against financial and government entities, threat actors were seen to abuse App Engine (part of Google Cloud Platform, or GCP) and the “remember preferences” option in PDF readers. Attackers distributed decoy PDF documents containing an email file extension (EML) that redirected victims to the App Engine URL, triggering the automatic download of Microsoft Word documents with obfuscated code. In turn, this triggered the download of Cobalt Strike, a penetration testing tool that has been widely exploited by a variety of threat actors. Although the malicious content has since been removed from GCP, similar techniques involving the abuse of URL redirection and PDF “remember” options are likely in future attacks.
Apple users targeted by malvertising campaign using steganography
A recent malvertising campaign was identified targeting macOS users, distributing more than five million email messages per day. Dubbed VeryMal, the campaign used steganography techniques, a sophisticated way to obscure malicious components and avoid detection. Attackers used HTML5 programming to create a canvas object; if the victim’s device had Mac-specific fonts installed, the object looped through the underlying data in the image file and converted an individual pixel to a string of characters that formed the malicious code. This then redirected the victim to a website alerting them that their Adobe Flash Player was out of date—if they interacted with this site, they were infected with the “Shlayer” trojan. Threat actors will likely continue seeking ways to increase obfuscation in campaigns over the next year.
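One way a defender can triage ad creatives for the loader pattern described above (font gate, canvas pixel read, pixel-to-character decode, dynamic execution or redirect) is a static indicator score. This is an added example, not code from the Digital Shadows post or from the VeryMal campaign; the indicator names, weights, threshold and both sample scripts are my own constructions.

```javascript
// Added example: static heuristic for VeryMal-style canvas steganography loaders.
// Indicator names, weights and the threshold are assumptions chosen for illustration.
const INDICATORS = [
  // reads raw pixel bytes back out of a canvas
  { name: "pixel-read",    weight: 2, re: /\.getImageData\s*\(/ },
  // turns numbers (pixel values) into characters: the decode step
  { name: "byte-to-char",  weight: 2, re: /String\.fromCharCode\s*\(/ },
  // executes the assembled string or redirects the browser
  { name: "dynamic-exec",  weight: 3, re: /\beval\s*\(|new\s+Function\s*\(|location\.(?:href|replace|assign)/ },
  // probes installed fonts, the macOS-only gate the post describes
  { name: "font-probe",    weight: 1, re: /document\.fonts\.check\s*\(|measureText\s*\(/ },
  // an image drawn into the canvas is the steganographic carrier
  { name: "image-carrier", weight: 1, re: /\.drawImage\s*\(/ },
];
// Assumption: pixel-read + byte-to-char + dynamic-exec together are enough to flag.
const THRESHOLD = 6;

// Returns the matched indicators, their summed weight, and a verdict.
function analyzeScript(source) {
  const hits = INDICATORS.filter((ind) => ind.re.test(source));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, indicators: hits.map((ind) => ind.name), suspicious: score >= THRESHOLD };
}

// Constructed sample: a benign image filter also reads pixels but never decodes or executes.
const BENIGN_FILTER = `
  var ctx = canvas.getContext("2d");
  ctx.drawImage(photo, 0, 0);
  var frame = ctx.getImageData(0, 0, canvas.width, canvas.height);
  for (var i = 0; i < frame.data.length; i += 4) frame.data[i] = 255 - frame.data[i];
  ctx.putImageData(frame, 0, 0);`;

// Constructed sample: inert skeleton of the loader shape (font gate, decode loop, exec).
const STEGO_LOADER = `
  if (document.fonts.check("12px SomeMacOnlyFont")) {
    var ctx = canvas.getContext("2d");
    ctx.drawImage(banner, 0, 0);
    var px = ctx.getImageData(0, 0, canvas.width, canvas.height).data, code = "";
    for (var i = 0; i < px.length; i += 4) code += String.fromCharCode(px[i]);
    new Function(code)();
  }`;

for (const [label, src] of Object.entries({ BENIGN_FILTER, STEGO_LOADER })) {
  console.log(label, analyzeScript(src));
}
```

The benign filter scores 3 (pixel-read and image-carrier only) and the loader skeleton scores 9; tune the threshold against your own creative corpus before acting on the verdict.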