Welcome to the Daily Threat Briefing for March 18, 2024. Today's briefing explores three stories: a malware report on the latest AsukaStealer, Earth Krahang's latest campaign exploiting intergovernmental trust to launch cross-government attacks, and a report on a cyber attack against New Zealand-based media company MediaWorks.
Executive Summary
1. AsukaStealer: Evolution of Malware Tactics
Actionable Takeaway: Cybersecurity teams must know and understand AsukaStealer's evolving tactics, such as rebranding to stay relevant within the cybercrime ecosystem, so they can identify new detection gaps efficiently. Implementing advanced detection tools and conducting regular security audits can mitigate the risk posed by such evolving threats.
2. Earth Krahang: Exploiting Diplomatic Trust for Cyber Espionage
Actionable Takeaway: Governments and organizations must prioritize the security of their digital infrastructure, focusing on strengthening email systems and public-facing servers against sophisticated spear-phishing and vulnerability exploitation.
3. MediaWorks Data Breach: A Wake-Up Call for Personal Data Security
Actionable Takeaway: Organizations must ensure the security of personal data through rigorous data protection policies, regular security assessments, and clear communication with stakeholders in the event of a breach. Individuals should remain cautious and vigilant, particularly regarding unsolicited communications demanding ransom.
AsukaStealer: The Next Chapter in ObserverStealer's Story
On March 18, 2024, Russian Panda and Any.Run released a technical report on AsukaStealer, revealing its technical analysis, C2 communication patterns, and comparisons with its predecessor, ObserverStealer.
- AsukaStealer was announced for sale by 'breakcore' (previously known as ObserverStealer) on May 19, 2023, for $80 a month. It's developed in C++ and includes capabilities like deploying additional payloads, configuring FileGrabber settings, and facilitating log delivery via Telegram.
- ObserverStealer had not gained popularity due to negative feedback. AsukaStealer is seen as its rebrand, featuring technical and operational improvements.
- The analysis highlights AsukaStealer's technical aspects: it's written in C++, uses XOR encryption for C2 addresses, gathers system information (e.g., HWID, operating system, language preferences, system architecture), scans for specific processes like Telegram.exe and Steam, and captures screenshots.
- AsukaStealer's data exfiltration techniques are detailed. They include gathering sensitive Firefox files (cookies.sqlite, logins.json, cert9.db, key4.db) and Chrome Local State files for decryption.
- The report delineates the C2 communication process and illustrates how AsukaStealer interacts with its command and control (C2) server, retrieves configuration, sends system information, captures screenshots, and exfiltrates data.
- Comparisons with ObserverStealer show similarities in C2 communication and XOR encryption but differences in data parsing and decryption, indicating AsukaStealer's evolved operational tactics.
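Two of the report's technical points lend themselves to defender-side tooling: the stealer's reads of Firefox and Chrome credential stores, and its XOR-obscured C2 address. The following Python is an added example written for this briefing, not code from the Russian Panda/Any.Run report. It flags non-browser processes that read the listed browser store files in constructed file-access events, and it recovers a string from a constructed single-byte-XOR blob by scoring candidate keys. The key length used by the real sample is not stated in the report, so the single-byte assumption, the allow-list of browser images, and the event field names are all assumptions for illustration.

```python
"""Defender-side triage helpers inspired by the AsukaStealer write-up (added example).

  1. Flag non-browser processes that read browser credential/cookie stores
     (Firefox cookies.sqlite, logins.json, cert9.db, key4.db; Chrome "Local State").
  2. Recover a single-byte-XOR-obscured string (e.g. a C2 address) from a
     configuration blob by scoring candidate keys.

The file events and the XOR blob below are constructed for illustration; the
real sample's key length and config format are not given in the report, so the
single-byte key is a hypothetical assumption.
"""
import string
from collections import namedtuple

FileEvent = namedtuple("FileEvent", "process_image target_path")

# Filenames the report lists as collected by the stealer (lower-cased for matching).
BROWSER_STORE_NAMES = {"cookies.sqlite", "logins.json", "cert9.db", "key4.db", "local state"}

# Processes expected to touch these files legitimately. Assumption: an allow-list
# that a defender tunes to their own environment.
BROWSER_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe"}


def _basename(path: str) -> str:
    """Last path component, case-folded, tolerant of Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_browser_store_access(events):
    """Return the events where a non-browser process reads a browser credential store."""
    return [
        ev for ev in events
        if _basename(ev.target_path) in BROWSER_STORE_NAMES
        and _basename(ev.process_image) not in BROWSER_IMAGES
    ]


def score_printable(buf: bytes) -> float:
    """Fraction of bytes that belong to the character set a host:port/path string uses."""
    allowed = set((string.ascii_letters + string.digits + ":/.-_").encode())
    return sum(b in allowed for b in buf) / max(len(buf), 1)


def recover_xor_string(blob: bytes):
    """Brute-force a single-byte XOR key and return (key, decoded) for the best-scoring candidate."""
    best_key, best_plain, best_score = None, b"", -1.0
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        s = score_printable(candidate)
        if s > best_score:  # strict '>' keeps the first (lowest) key on ties
            best_key, best_plain, best_score = key, candidate, s
    return best_key, best_plain.decode("ascii", errors="replace")


# Constructed sample input: one legitimate Firefox read, two reads by a
# suspicious binary in %TEMP%, one unrelated file read.
CONSTRUCTED_EVENTS = [
    FileEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite"),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
              r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"),
    FileEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
              r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    FileEvent(r"C:\Windows\System32\notepad.exe",
              r"C:\Users\alice\Documents\notes.txt"),
]

# Constructed sample blob: a documentation-range address XOR-ed with a made-up key 0x5A.
CONSTRUCTED_BLOB = bytes(b ^ 0x5A for b in b"http://203.0.113.5:8080/gate")


if __name__ == "__main__":
    for ev in detect_browser_store_access(CONSTRUCTED_EVENTS):
        print("ALERT browser store read:", ev.process_image, "->", ev.target_path)
    key, decoded = recover_xor_string(CONSTRUCTED_BLOB)
    print(f"recovered key=0x{key:02x} string={decoded}")
```

In production the file-access events would come from an EDR or Sysmon file-read telemetry rather than a hard-coded list, and the allow-list of browser images should be paired with a path check, since an attacker can name a binary firefox.exe.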
Insights and Analysis
The transition from ObserverStealer to AsukaStealer indicates a strategic pivot aimed at overcoming previous shortcomings and adapting to the evolving cybersecurity landscape.
- The shift from ObserverStealer to AsukaStealer, motivated by user feedback and the desire for enhanced functionality, emphasizes malware developers' focus on refining their tools to evade detection and increase efficacy.
- The rebranding and development efforts reflect technical adaptation and a psychological strategy to regain trust and interest within the cybercriminal community. It highlights the significance of reputation and perception, even in illicit markets.
- The report's details on AsukaStealer's encryption methods, data exfiltration techniques, and stealthy operation underscore the need for robust, secure coding practices and proactive defence strategies. By understanding threats like AsukaStealer's tactics and techniques, developers can better safeguard their applications against similar attacks.
- This report is technical, with Indicators of Compromise (IoCs)
Earth Krahang Exploits Intergovernmental Trust to Launch Cross-Government Attacks
On March 18, 2024, TrendMicro released a technical report on an APT campaign known as Earth Krahang, which has been targeting government entities worldwide since early 2022, focusing on Southeast Asia, with activity also observed in Europe, America, and Africa. This threat actor, believed to be distinct from yet connected to the China-nexus actor Earth Lusca, employs a variety of tactics, including exploiting public-facing servers, spear-phishing, and leveraging compromised government infrastructure for cyberespionage.
- Earth Krahang targets government entities through spear-phishing and vulnerabilities in public-facing servers.
- The campaign exploits vulnerabilities such as CVE-2023-32315 (OpenFire) and CVE-2022-21587 (Oracle Web Applications Desktop Integrator).
- Spear-phishing emails feature geopolitical themes to lure victims into executing malicious payloads.
- The actor uses compromised government webservers to host backdoors and send phishing emails from government accounts to other entities, abusing intergovernmental trust.
- Post-exploitation techniques include installing VPNs for network access, maintaining persistence, and accessing credentials and emails through brute-force attacks and other methods.
- Earth Krahang utilizes custom backdoors, including Cobalt Strike, RESHELL, and XDealer, indicating a sophisticated and evolving toolkit.
- The report details Earth Krahang's extensive victimology, noting compromises and targeting of entities across 45 countries. It focuses primarily on the government, education, and communications sectors.
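The post-exploitation bullets mention credential and mailbox access via brute-force attacks, and phishing sent from compromised government accounts. A detection a SOC can run against authentication logs is to watch for a source that fails many logins in a short window and then succeeds, which is the pattern that turns a guessing attempt into a compromised account. The Python below is an added example for this briefing, not code from the TrendMicro report; the log lines are constructed in a syslog-like shape, and the field names, threshold, and window are assumptions to tune per environment.

```python
"""Brute-force-then-success detector over authentication logs (added example).

Constructed log line shape (an assumption, not a real product's format):
    <ISO timestamp> <service> auth <failed|ok> user=<name> src=<ip>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\w+) auth (?P<outcome>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alert strings for sources with >= threshold failures inside the window,
    and a second alert when such a source later logs in successfully."""
    fails = defaultdict(deque)   # src -> deque of (timestamp, user) for recent failures
    flagged = {}                 # src -> set of usernames tried once the threshold was hit
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "failed":
            q = fails[src]
            q.append((ts, ev["user"]))
            while q and ts - q[0][0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {u for _, u in q}
                alerts.append(
                    f"bruteforce src={src} failures={len(q)} users={len(flagged[src])}"
                )
        elif src in flagged:
            # A success from a source already seen guessing is the high-value signal.
            alerts.append(
                f"success-after-bruteforce src={src} user={ev['user']} service={ev['service']}"
            )
    return alerts


# Constructed sample log: password spraying against a webmail login from one
# documentation-range address, followed by a success; plus one benign retry.
CONSTRUCTED_LOG = """
2024-03-12T09:00:01 owa auth failed user=j.smith src=198.51.100.7
2024-03-12T09:00:08 owa auth failed user=m.lee src=198.51.100.7
2024-03-12T09:00:15 owa auth failed user=a.khan src=198.51.100.7
2024-03-12T09:00:22 owa auth failed user=r.diaz src=198.51.100.7
2024-03-12T09:00:30 owa auth failed user=k.tan src=198.51.100.7
2024-03-12T09:00:41 owa auth failed user=k.tan src=198.51.100.7
2024-03-12T09:02:05 owa auth ok user=k.tan src=198.51.100.7
2024-03-12T09:03:00 vpn auth failed user=j.smith src=192.0.2.10
2024-03-12T09:03:20 vpn auth ok user=j.smith src=192.0.2.10
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect_bruteforce(CONSTRUCTED_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a single source failing against several accounts and then succeeding on one of them is a strong indicator that the account is now in the attacker's hands and may be used to send the trusted-looking phishing the report describes.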
Insights and Analysis
Earth Krahang's technical sophistication and global reach highlight the increasing threat to government entities and the critical importance of cybersecurity defences.
- The use of compromised government infrastructure for attacks highlights the need for governments to improve their cybersecurity posture, emphasizing the importance of securing public-facing servers and email systems against exploitation.
- The campaign's ability to adapt and evolve, as evidenced by the transition from RESHELL to XDealer malware, demonstrates the importance of continuously monitoring and analyzing threat actors to anticipate and defend against new tactics and tools.
- The reliance on social engineering through spear-phishing highlights the ongoing vulnerability of humans in cybersecurity defences. Training and awareness programs for government employees about the dangers of phishing and the importance of verifying email authenticity can mitigate this risk.
- The technical report, complete with Indicators of Compromise (IoCs)
An update regarding MediaWorks' cyber security incident
On March 15, 2024, MediaWorks released a technical report on a potential cybersecurity incident. The incident revolves around a hacker who claims to have stolen the personal data of over 2.4 million individuals from MediaWorks' database, which contained information from website competition entries.
- The alleged breach was first brought to public attention when the hackers posted about it on a cybercrime forum, stating their intent to sell the stolen data.
- The compromised data includes names, addresses, dates of birth, and contact details (phone and email), as well as some images or videos submitted for the competition.
- MediaWorks has confirmed that the breached database contained detailed personal information but clarified that financial details and passwords were not compromised.
- The company is taking steps to secure the data by moving competition entries to a new secure database and has engaged external experts to investigate the incident.
- The New Zealand privacy commissioner has not been notified as the breach has not been officially verified.
- Affected individuals have started receiving direct extortion emails from the hacker, demanding a Bitcoin ransom to prevent the sale or public release of their data.
Insights and Analysis
The attempted extortion of individuals using their data highlights a distressing trend of hackers targeting the human element in cybersecurity incidents.
- Direct targeting of individuals for extortion stresses the critical importance of protecting personal information and the psychological impact cyber-attacks can have on victims.
- The incident reflects the necessity for robust data protection measures and a swift response to potential breaches, including immediate steps to secure vulnerable data and transparent communication with affected parties.
- Secure coding practices and regular security audits become paramount in preventing such breaches, emphasizing the need for continuous improvement in cybersecurity defences.
- This report does not include technical details or Indicators of Compromise (IoCs)
Welcome to my daily Threat Insights and Analysis as a threat intelligence professional. Here, I present three key stories that captured my attention. Please note that these reports are not affiliated with any organization, and my insights should be considered as opinions or a starting point for navigating the vast sea of public reporting. Conduct a thorough impact analysis specific to your business needs before taking action. Follow me for more content and stay ahead in the ever-evolving world of threat intelligence.