ShadowTalk Update – 4.29.19
April 29, 2019
Jamie and Alex are back with Harrison this week to talk about the leak of information related to APT34 on Telegram, including victim data, personally identifiable information and the group’s tools. Other highlights from this week include a phishing campaign delivering RevengeRAT, more information about the Wipro breach, and details about the threat actors responsible for the previously reported ASUS server compromise.
Highlights from the week include: A phishing campaign leverages legitimate web services to deliver RevengeRAT; a breach of an IT outsourcing firm is tentatively linked to a campaign targeting gift card providers; and further details on the ASUS server compromise implicate the attackers behind ShadowHammer.
Source code of APT34 cyber espionage tools leaked
An individual using the alias “Lab Dookhtegan” has used messaging service Telegram to release information on the members of and tools used by Iranian-state–associated threat actor APT34. The release also included data likely obtained from APT34’s victims. The release of technical details about the tactics, tools, and procedures (TTPs) the group use is likely to have a disruptive effect on ongoing and future APT34 operations. However, it is possible that the group could switch to using infrastructure shared with other Iranian groups. Although the released tools could be repurposed by other threat groups, it is possible that victim data exposed by the leak could also be reused by further threat actors in separate campaigns. The identity of Lab Dookhtegan could not be confirmed; it is possible that they are either an APT34 member or a foreign government seeking to destabilize Iranian cyber operations. Either outcome will likely lead to retaliation by Iran in the event it is able to identify the individual.
Phishing campaign leverages legitimate web services to deliver RevengeRAT
A malicious phishing campaign referred to as Aggah has recently been detected targeting a wide range of organizations across multiple geographies with the “RevengeRAT” remote-access trojan. Attackers leveraged legitimate web services to act as command-and-control infrastructure, likely to obscure malicious activity and avoid detection. Although researchers have made tentative links to the Gorgon Group, this attribution cannot be confidently confirmed due to a lack of supporting technical indicators.
Breach of IT outsourcing firm tentatively linked to campaign targeting gift card providers
Security researchers have released further information on the attack against Indian IT outsourcing firm Wipro, claiming that infrastructure behind this attack was linked to several campaigns targeting gift card and customer loyalty scheme providers. It is possible that the same group conducted these attacks; however, this could not be independently verified. Financially motivated threat actors consider gift cards and customer loyalty schemes high value targets as they can easily be monetized through financial fraud or on criminal marketplaces.
Further details on ASUS server compromise indicate attackers behind ShadowHammer
Researchers have released further details on the supply chain attack referred to as ShadowHammer that compromised an ASUS server to push malicious software updates to devices between June and November 2018. The report also identified several other organizations in the gaming sector that had been targeted with similarly functioning malware. The threat actor behind ShadowHammer was unknown at the time of writing, although the attacker(s) has continued to show interest in supply chain companies that develop software and is likely to remain active in the next 12 months.
For more details, read the full Weekly Intelligence Summary here:
To stay up to date with the latest in digital risk protection, subscribe to our threat intelligence emails here.