ShadowTalk Update – “HiddenWasp” and “BlackSquid” malware, TA505 and Turla actvity, and Too Much Information:The Sequel
June 7, 2019
Alex and Christian join HVR this week to discuss the Linux malware “HiddenWasp” (along with HVR’s hatred of the insect), the BlackSquid malware, and updated campaign activity from TA505 and Turla threat groups. Then, Harrison sits down with Dr. Richard Gold, head of Security Engineering at Digital Shadows, to discuss Photon Research’s most recent report Too Much Information: The Sequel.
Weekly highlights include: security researchers identifying new malware “BlackSquid”, which targets web servers, network drives, and removable drives; threat group “Turla” using updated PowerShell techniques to target diplomatic entities in Eastern Europe; and the financially motivated “TA505” threat group targeting financial institutions in Chile.
HiddenWasp malware stings Linux users
Security researchers recently identified new Linux malware in the wild that presents a credible threat to a range of sectors and countries using the Linux operating system. The malware is highly likely intended to facilitate the remote control of an already compromised device, and was not being detected by anti-virus solutions. HiddenWasp was developed using code from various publicly available open-source malware variants. This includes the botnet malware “Mirai”, the rootkit “Azazel”, and malware attributed to China-based threat groups.
Cryptocurrency mining aided by new BlackSquid malware
This month researchers have identified new malware dubbed BlackSquid, which targets vulnerable web servers, network drives, removable drives, and compromised websites to distribute a variant of the “XMRig” cryptocurrency miner. BlackSquid uses brute-force cracking attacks and web server exploits as initial infection vectors, and exploits the EternalBlue and DoublePulsar vulnerabilities to propagate within a system. There are numerous flaws in BlackSquid’s code, indicating that it is likely in an early development stage. Additional attacks and technical developments in the malware are likely within three to six months.
Turla sharpens skills exploiting PowerShell tools
In May 2019 the Russian state-associated threat group Turla was identified targeting diplomatic entities in Eastern Europe to exfiltrate sensitive information. The campaign reportedly had three stages: persistence, decryption, and loading the malicious executable. This involved use of PowerShell scripts capable of in-memory loading to distribute and execute the final payload. Turla has previously unsuccessfully used PowerShell in-memory loaders; this is the first fully successful campaign, and the group will likely continue to develop this tool in the mid-term future.
TA505 aims more attacks at Chilean financial entities
Researchers recently reported that the financially motivated threat group TA505 had used a malware variant dubbed Amaday to target unspecified financial institutions in Chile. The group reportedly exfiltrated email correspondence, contact lists, and other sensitive information from their victims. TA505 previously targeted Chile in April 2019, indicating that it is realistically possible Chile is becoming an established target geography for the group.
For more details, read the full Weekly Intelligence Summary here:
And to stay up to date with the latest from Digital Shadows, subscribe below.