Hackers Targeting Gambling Firms via Chat Apps

Operation Talking Goblin

A gambling company in the Philippines has been targeted by Chinese threat actors as part of a campaign that has been going on since October 2021.

Slovak cybersecurity firm ESET has been tracking the series of attacks against the Southeast Asian gambling company under the name Operation Talking Goblin.

“These attacks use specific tactics, targeting support agents of victim companies via chat applications, specifically Comm100 and LiveHelp100 apps,” ESET said in a report shared with The Hacker News.

The use of a trojanized Comm100 installer to deliver malware was first documented by CrowdStrike in October 2022. CrowdStrike attributed the supply chain compromise to an attacker believed to have ties to China.

The attack chain uses the aforementioned chat apps to distribute a C# dropper, which deploys a second C# executable. That executable ultimately serves as a conduit for dropping Cobalt Strike beacons on compromised workstations.

Also highlighted in ESET’s APT Activity Report covering Q4 2022 to Q1 2023 are attacks by the India-linked actors Donot Team and SideWinder against government entities in South Asia.


Another limited set of attacks is linked to a further India-aligned APT group called Confucius, which has been active since at least 2013 and is believed to be associated with the Patchwork group. The threat actor has used Pegasus-themed lures and other decoy documents in the past to target Pakistani government agencies.

According to ESET, the latest intrusion involved the use of a remote access Trojan called Ragnatela, an upgraded variant of the BADNEWS RAT.

Elsewhere, the cybersecurity firm says it has detected the Iranian threat actor OilRig (aka Hazel Sandstorm) deploying a custom implant labeled Mango against an Israeli healthcare company.

Microsoft recently attributed targeted attacks on Israeli local government agencies and on companies serving the defense, lodging, and medical sectors to Storm-0133, a new threat cluster affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

“The MOIS group demonstrated improved operational security by using a legitimate but compromised Israeli website for command and control (C2). It complicates the efforts of defenders, who often rely on identifying network activity,” Microsoft said. Microsoft also noted that Storm-0133 relied on the Mango malware in these intrusions.

ESET also said that an unnamed Indian data management service provider was on the receiving end of an attack launched by the North Korea-backed Lazarus Group in January 2023 using an Accenture-themed social engineering lure.

“The attacker’s goal was to monetize their presence within the corporate network, presumably by compromising business email,” ESET said.

In February 2023, the Lazarus Group is said to have compromised a Polish defense contractor via fake job listings, launching an attack chain that weaponized a modified version of SumatraPDF to deploy a RAT called ScoringMathTea and a sophisticated downloader codenamed ImprudentCook.

Rounding out the list are spear-phishing campaigns by Russia-aligned APT groups such as Gamaredon, Sandworm, Sednit, The Dukes, and SaintBear. SaintBear, the last of these, was detected using an updated version of the Elephant malware framework and a new Go-based backdoor known as ElephantLauncher.


Other notable APT activity uncovered during this period includes that of Winter Vivern and YoroTrooper. ESET says YoroTrooper has strong overlaps with a group it has been tracking since early 2022 under the name SturgeonPhisher.

YoroTrooper is suspected to have been active since at least 2021, with attacks targeting governments, the energy sector, and international organizations in Central Asia and Europe.

The public disclosure of its tactics in March 2023 is suspected to have caused a “significant drop in activity,” and the group may now be retooling its arsenal and changing its tactics.

ESET’s findings follow Kaspersky’s own APT Trends report for Q1 2023, which reported the discovery of a previously unknown threat actor named Trila targeting Lebanese government agencies.

The Russian cybersecurity firm also drew attention to the discovery of a new Lua-based malware strain called DreamLand targeting Pakistani government agencies.

“The malware is modular and uses the Lua scripting language combined with a Just-in-Time (JIT) compiler to execute hard-to-detect malicious code,” Kaspersky researchers said.

“It also has various anti-debugging features and employs the Windows API via the Lua FFI, which utilizes C language bindings to perform activities.”
