Stealthy Linux malware. Aoqin Dragon targets Southeast Asia and Australia. Iranian spearphishing campaign. BlackCat RaaS described.

At a glance.

•  Stealthy Linux malware.
•  Aoqin Dragon targets Southeast Asia and Australia.
•  Iranian spearphishing campaign.
•  BlackCat RaaS described.

Stealthy Linux malware.

Researchers at Intezer and BlackBerry have discovered a very stealthy strain of Linux malware dubbed "Symbiote." Notably, the malware is a shared object library that infects all running processes on a machine:

"What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability."

The researchers believe Symbiote was designed to target the financial industry in Latin America.

Aoqin Dragon targets Southeast Asia and Australia.

SentinelOne has published a report on a Chinese threat actor dubbed "Aoqin Dragon" (pronounced, roughly, "ow-keen') that's conducting cyberespionage in Southeast Asia and Australia:

"We assess that the threat actor’s primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam.... The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project."

Iranian spearphishing campaign.

Check Point observed an Iranian spearphishing campaign that targeted "former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens." The attackers set up a fake URL shortening service, "Litby[.]us," to redirect users to a phony Yahoo login page:

"One of the straightforward purposes of this campaign is to gain access to the inboxes of its victims, specifically for Yahoo inboxes from the flows we observed. The phishing pages include several stages- asking the user for their account ID followed by an SMS code verification page. It is interesting to note that the truncated phone number within the phishing page was customized specifically for the target, and it corresponds to the public records. We suspect that once the victim enters his account ID, the phishing backend server would send a password recovery request to Yahoo, and the 2FA code would allow the attackers to gain access to the victim’s inbox."

BlackCat RaaS described.

Microsoft has published a report on the BlackCat ransomware-as-a-service operation. The researchers stated, "BlackCat is one of the first ransomware written in the Rust programming language. Its use of a modern language exemplifies a recent trend where threat actors switch to languages like Rust or Go for their payloads in their attempt to not only avoid detection by conventional security solutions but also to challenge defenders who may be trying to reverse engineer the said payloads or compare them to similar threats. BlackCat can target and encrypt Windows and Linux devices and VMWare instances. It has extensive capabilities, including self-propagation configurable by an affiliate for their usage and to environment encountered."

Source