March 14, 2023
Anomali Threat Research

Anomali Cyber Watch: Xenomorph Automates The Whole Fraud Chain on Android, IceFire Ransomware Started Targeting Linux, Mythic Leopard Delivers Spyware Using Romance Scam

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> Android, APT, DLL side-loading, Iran, Linux, Malvertising, Mobile, Pakistan, Ransomware,</b> and <b>Windows</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.<br/> <br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="" target="_blank">Xenomorph V3: a New Variant with ATS Targeting More Than 400 Institutions</a></h3> <p>(published: March 10, 2023)</p> <p>Newer versions of the Xenomorph Android banking trojan are able to target more than 400 applications: cryptocurrency wallets and mobile banking apps from around the world, with the top targeted countries being Spain, Turkey, Poland, USA, and Australia (in that order). Since February 2022, several small Xenomorph test campaigns have been detected. The current version, Xenomorph v3 (Xenomorph.C), is offered under the Malware-as-a-Service model. This version was delivered using the Zombinder binding service to bind it to a legitimate currency converter. Xenomorph v3 automatically harvests credentials and initiates fraudulent transfers using its Automated Transfer System (ATS) framework. Its command-and-control traffic is blended in by abusing the Discord Content Delivery Network (CDN).<br/> <b>Analyst Comment:</b> Fraud chain automation makes Xenomorph v3 a dangerous malware that might significantly increase its prevalence on the threat landscape. Users should keep their mobile devices updated and use mobile antivirus and VPN protection services. 
Install only applications that you actually need, use the official store, and check the app description and reviews. Organizations that publish applications for their customers are invited to use <a href="" target="_blank">Anomali's Premium Digital Risk Protection service</a> to discover rogue, malicious apps impersonating their brand that security teams typically do not search for or monitor.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] T1417.001 - Input Capture: Keylogging</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1417.002 - Input Capture: GUI Input Capture</a><br/> <b>Tags:</b> malware:Xenomorph, Mobile, actor:Hadoken Security Group, actor:HadokenSecurity, malware-type:Banking trojan, detection:Xenomorph.C, Malware-as-a-Service, Accessibility services, Overlay attack, Discord CDN, Cryptocurrency wallet, target-industry:Cryptocurrency, target-industry:Banking, target-country:Spain, target-country:ES, target-country:Turkey, target-country:TR, target-country:Poland, target-country:PL, target-country:USA, target-country:US, target-country:Australia, target-country:AU, malware:Zombinder, detection:Zombinder.A, Android</p> <h3 id="article-2"><a href="" target="_blank">Cobalt Illusion Masquerades as Atlantic Council Employee</a></h3> <p>(published: March 9, 2023)</p> <p>A new campaign by the Iran-sponsored group Charming Kitten (APT42, Cobalt Illusion, Magic Hound, Phosphorous) was detected targeting participants in the Mahsa Amini protests and researchers who document the suppression of women and minority groups in Iran. In October 2022, the attackers used stolen images to create a fake persona on Twitter claiming to work for the Atlantic Council. 
This fake account engaged in conversations, first sending benign links and documents, then proceeding to send a malicious link or document to phish for credentials.<br/> <b>Analyst Comment:</b> Politically-targeted users should be wary of links and attachments sent to them even after prior online interaction with the sender. Additional attempts to verify that the online account is authentic and belongs to a real person can save you from compromise. Pay attention to the authenticity of the domain when asked to log in with your password. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1585.001 - Establish Accounts: Social Media Accounts</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1598 - Phishing For Information</a><br/> <b>Tags:</b> actor:Cobalt Illusion, actor:Charming Kitten, actor:APT42, actor:Phosphorous, mitre-group:Magic Hound, Atlantic Council, source-country:Iran, source-country:IR, target-country:Iran, target-country:IR, Mahsa Amini protests, Opposition, Spearphishing, Instant messaging, Typosquatting, Inauthentic behavior, Twitter, Fake account</p> <h3 id="article-3"><a href="" target="_blank">IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks</a></h3> <p>(published: March 9, 2023)</p> <p>The previously Windows-only IceFire ransomware has added a new Linux variant. The observed attack targeted CentOS; however, this IceFire variant is capable of running on other Linux distributions as well. 
The switch to the new OS was accompanied by a switch in delivery method, from phishing to exploiting vulnerabilities in publicly-facing applications such as CVE-2022-47986, a vulnerability in IBM’s Aspera Faspex file sharing software. Overall, the IceFire ransomware family is used in double-extortion attacks predominantly targeting larger organizations in technology, media, and entertainment in Iran, Pakistan, Turkey, and the United Arab Emirates.<br/> <b>Analyst Comment:</b> At the time of discovery, the IceFire Linux variant had zero antivirus detections. CVE-2022-47986 was patched only recently, underlining the need for a continuous effort to keep publicly-facing servers updated to the latest version. Aligning patch and vulnerability management with cyber threat intelligence sharpens prioritization toward the vulnerabilities that are actually being exploited. Organizations that want visibility into their external attack surface are invited to use the Anomali Attack Surface Management service.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1486 - Data Encrypted for Impact</a><br/> <b>Tags:</b> malware:IceFire, detection:IceFire, malware-type:Ransomware, Double extortion, Big game hunting, target-industry:Technology, target-industry:Media, target-industry:Entertainment, target-country:Turkey, target-country:TR, target-country:Iran, target-country:IR, target-country:Pakistan, target-country:PK, target-country:United Arab Emirates, target-country:AE, Tor, CVE-2022-47986, IBM Aspera Faspex, file-type:ELF, file-type:IFIRE, CentOS, Linux</p> <h3 id="article-4"><a href="" 
target="_blank">“FakeGPT”: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs</a></h3> <p>(published: March 8, 2023)</p> <p>A new campaign promoting a malicious ChatGPT extension had over 2,000 daily installations during March 3-9, 2023. This malicious Google Chrome extension was promoted by malvertising. Once installed from the official Chrome Web Store, it delivered the advertised functionality by connecting to the official ChatGPT API, while stealing browser details and stored cookies in the background. If a high-profile Facebook business account was detected, the attackers installed a malicious Facebook app with every permission it could obtain and stole the account credentials. This allows for self-propagation of the malicious extension and other malicious activity using Facebook-promoted posts created with the stolen accounts and their credit balances.<br/> <b>Analyst Comment:</b> Following Guardio’s report, the malicious extension has been removed from the Chrome Web Store, but the risk of similar activity remains high. Malicious actors and criminals are adept at identifying and exploiting popular trends to ensnare users; the hype around ChatGPT is a prime example. Users, especially those managing business accounts, should avoid unnecessary interactions with promoted content. 
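The cookie theft described above rests on a small set of extension permissions: the cookies permission combined with broad host access, plus request-rewriting APIs such as declarativeNetRequest. The following Python script is an added example, not code from Guardio, Anomali or the extension itself; it audits extension manifest.json files for that combination. The two manifests embedded in it are constructed samples, and the directory passed to find_manifests (a Chrome profile's Extensions folder) is an assumption you supply yourself, since its location depends on the OS.

```python
"""Audit Chrome extension manifests for the permissions that enable the kind of
session-cookie theft and request tampering described for the FakeGPT extension.

Added example, not code from Guardio, Anomali or the extension itself. The two
manifests at the bottom are constructed samples. Permission names are Chrome's
(Manifest V2 and V3); the profile directory passed to find_manifests is an
assumption you supply yourself, since its location depends on the OS."""
import json
import os
from typing import Dict, Iterator, List, Tuple

# Host patterns that grant access to every origin.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension rewrite, redirect or block traffic (for example to
# strip security headers while a stolen session is being used).
REQUEST_TAMPER = {"webRequest", "webRequestBlocking",
                  "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}


def _host_patterns(manifest: dict) -> List[str]:
    """Every host pattern the extension asks for: MV2 lists them under
    'permissions', MV3 under 'host_permissions', content scripts under 'matches'."""
    hosts = [p for p in manifest.get("permissions", [])
             if p == "<all_urls>" or "://" in p]
    hosts += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    return hosts


def audit_manifest(manifest: dict) -> Dict[str, object]:
    """Return the extension's name, a risk level and the reasons for it."""
    perms = set(manifest.get("permissions", []))
    hosts = _host_patterns(manifest)
    broad = any(h in BROAD_HOSTS for h in hosts)
    findings: List[str] = []
    if "cookies" in perms and broad:
        findings.append("cookies + broad host access: can read session cookies of every site")
    elif "cookies" in perms:
        findings.append(f"cookies permission scoped to {sorted(set(hosts))}")
    tamper = sorted(perms & REQUEST_TAMPER)
    if tamper:
        findings.append(f"request rewriting via {tamper}: can strip headers or redirect traffic")
    if "scripting" in perms and broad:
        findings.append("scripting + broad host access: can inject JavaScript into any page")
    if ("cookies" in perms and broad) or (tamper and broad):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "risk": risk, "findings": findings}


def find_manifests(root: str) -> Iterator[Tuple[str, dict]]:
    """Yield (path, manifest) for each manifest.json below root, e.g. a Chrome
    profile's Extensions directory (location is OS-dependent; supply it yourself)."""
    for dirpath, _, files in os.walk(root):
        if "manifest.json" in files:
            path = os.path.join(dirpath, "manifest.json")
            with open(path, encoding="utf-8-sig") as fh:
                try:
                    yield path, json.load(fh)
                except json.JSONDecodeError:
                    continue


# Constructed samples: a "ChatGPT helper" asking for far more than it needs,
# and a benign extension that only touches the active tab.
SUSPICIOUS_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Quick ChatGPT Helper (constructed sample)",
  "permissions": ["cookies", "storage", "declarativeNetRequest", "scripting"],
  "host_permissions": ["<all_urls>"],
  "background": {"service_worker": "bg.js"}
}""")
BENIGN_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Word counter (constructed sample)",
  "permissions": ["activeTab", "storage"]
}""")

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(manifest), indent=2))
```

The check is deliberately coarse: it does not prove an extension is malicious, only that it holds the capabilities a cookie stealer needs. Anything rated high that is not a known, vetted tool deserves a look at its background script.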
Do not install an app or extension that is new and from an unknown developer, especially when the underlying tool already provides the promised functionality without it.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a><br/> <b>Tags:</b> Malvertising, Facebook, Meta, Google Chrome Store, Malicious extension, Malicious app, ChatGPT, Credential harvesting, Account takeover, declarativeNetRequest, Graph API, Messenger Kids, malware-type:Infostealer, iOS</p> <h3 id="article-5"><a href="" target="_blank">Love Scam or Espionage? Transparent Tribe Lures Indian and Pakistani Officials</a></h3> <p>(published: March 7, 2023)</p> <p>In July 2022, the Pakistan-sponsored group Mythic Leopard (APT36, Transparent Tribe) registered two domains to distribute trojanized Android applications. The attackers used romance scam messaging to lure victims to the sites, install a purported secure messaging app, and grant the permissions it requests. The app did provide basic messaging functionality while also delivering a new version of the powerful CapraRAT spyware/backdoor. ESET researchers detected over 150 victims in India, Pakistan, Russia, Oman, and Egypt (in descending order of victim count).<br/> <b>Analyst Comment:</b> Government and military personnel should be aware of romance scam (honey-trap) social engineering attacks. Do not install unvetted mobile applications from outside official stores (Google Play Store). 
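Both the Xenomorph item above (accessibility service abuse and overlays) and the CapraRAT item here come down to an app requesting capabilities that its stated purpose does not need. The following Python script is an added example, not code from ThreatFabric, ESET or Anomali: it triages a decoded AndroidManifest.xml (as produced by apktool, an assumption) and maps the requested permissions to the ATT&amp;CK Mobile technique IDs listed in these two items. The two manifests it contains are constructed samples with invented package and class names.

```python
"""Triage a decoded AndroidManifest.xml for the permissions that the Xenomorph
and CapraRAT items abuse, mapped to the ATT&CK Mobile technique IDs those
items list.

Added example, not code from ThreatFabric, ESET or Anomali. It expects the
manifest as decoded by apktool (an assumption); the two manifests below are
constructed samples with invented package and class names."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous permission -> (ATT&CK Mobile technique, what malware does with it).
PERMISSION_TECHNIQUES: Dict[str, Tuple[str, str]] = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("T1417.002", "overlay windows drawn over banking apps"),
    "android.permission.READ_SMS": ("T1636.004", "read SMS, including one-time codes"),
    "android.permission.RECEIVE_SMS": ("T1636.004", "intercept incoming SMS"),
    "android.permission.SEND_SMS": ("T1582", "send SMS from the victim's number"),
    "android.permission.READ_CALL_LOG": ("T1636.002", "read call log"),
    "android.permission.READ_CONTACTS": ("T1636.003", "read contact list"),
    "android.permission.CAMERA": ("T1512", "capture camera"),
    "android.permission.RECORD_AUDIO": ("T1429", "capture audio"),
    "android.permission.ACCESS_FINE_LOCATION": ("T1430", "location tracking"),
    "android.permission.CALL_PHONE": ("T1616", "place or control calls"),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("T1624.001", "restart on boot via broadcast receiver"),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("T1517", "read notifications"),
}
# A service guarded by this permission can read everything on screen and inject
# taps and keystrokes: the basis of Xenomorph's keylogging and ATS.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text: str) -> Dict[str, object]:
    """Return package name, verdict, technique IDs and per-permission findings."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}
    findings: List[Tuple[str, str, str]] = []
    for perm in sorted(requested):
        if perm in PERMISSION_TECHNIQUES:
            technique, purpose = PERMISSION_TECHNIQUES[perm]
            findings.append((perm, technique, purpose))
    accessibility_services = [s.get(ANDROID_NS + "name", "") for s in root.iter("service")
                              if s.get(ANDROID_NS + "permission") == ACCESSIBILITY]
    for service in accessibility_services:
        findings.append((f"service {service}", "T1417.001",
                         "accessibility service: keylogging and automated transfers (ATS)"))
    techniques = sorted({t for _, t, _ in findings})
    # An accessibility service alone is decisive; otherwise the breadth of
    # spyware-style collection decides.
    if accessibility_services or len(techniques) >= 4:
        verdict = "high"
    elif techniques:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package", "?"), "verdict": verdict,
            "techniques": techniques, "findings": findings}


# Constructed sample: a "secure messenger" with a CapraRAT-like permission set
# plus a Xenomorph-style accessibility service and overlay permission.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="SecureChat">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a currency converter that only needs network access.
BENIGN_CONVERTER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.currencyconverter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Currency Converter"/>
</manifest>"""

if __name__ == "__main__":
    for text in (SPYWARE_LIKE_MANIFEST, BENIGN_CONVERTER_MANIFEST):
        result = triage_manifest(text)
        print(result["package"], result["verdict"], result["techniques"])
        for source, technique, purpose in result["findings"]:
            print(f"  {technique:10} {source}: {purpose}")
```

Note that a Zombinder-style bound app still has to declare every permission the payload will use, so the manifest of a "currency converter" that asks for an accessibility service is a red flag before any dynamic analysis.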
Mythic Leopard was seen reusing some of its infrastructure, so it is important to block indicators available in the Anomali Platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] T1398 - Modify OS Kernel Or Boot Partition</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1624.001 - Event Triggered Execution: Broadcast Receivers</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1420 - File And Directory Discovery</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1424 - Process Discovery</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1422 - System Network Configuration Discovery</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1426 - System Information Discovery</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1533 - Data From Local System</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1517 - Access Notifications</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1512 - Capture Camera</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1430 - Location Tracking</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1429 - Capture Audio</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1513 - Screen Capture</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1636.002 - Protected User Data: Call Log</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1636.003 - Protected User Data: Contact List</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1636.004 - Protected User Data: SMS Messages</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1616 - Call Control</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1509 - Uncommonly Used Port</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1582 - SMS Control</a><br/> <b>Tags:</b> actor:Transparent Tribe, actor:APT36, mitre-group:Mythic Leopard, detection:Android/Spy.CapraRAT.A, malware:CapraRAT, malware-type:Backdoor, source-country:Pakistan, source-country:PK, target-country:Pakistan, target-country:PK, target-country:India, target-country:IN, 
target-country:Russia, target-country:RU, target-country:Oman, target-country:OM, target-country:Egypt, target-country:EG, target-industry:Military, target-industry:Politics, Honey-trap, Mobile, Android</p> <h3 id="article-6"><a href="" target="_blank">How Sys01 Stealer Will Get Your Sensitive Facebook Info</a></h3> <p>(published: March 7, 2023)</p> <p>A new, advanced malware dubbed SYS01 stealer has been active in the wild since May 2022 and expanded its prevalence in November 2022. The attack begins with a URL from a fake or hijacked Facebook profile, or from an advertisement on Facebook or Google, leading to the download of a ZIP file that pretends to contain an application, game, or movie. User execution launches a legitimate binary that is abused to side-load a malicious DLL. An Inno Setup installer is then dropped, which in turn drops and executes the PHP information stealer. The stealer collects browser cookies and, if the victim is logged in, Facebook account information. Various stages and variants of the SYS01 stealer infection chain use a number of programming languages (C#, PHP, Python compiled with Nuitka, and Rust) and obfuscation tools (ionCube, SmartAssembly, and Zephir).<br/> <b>Analyst Comment:</b> Network defenders can consider limiting users’ rights to download and install programs. Train users about the social engineering tricks adversaries use in malvertising. 
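The side-loading step described above is one of the few parts of the SYS01 chain that leaves a generic, durable trace regardless of which language the payload is written in: a host executable loading an unsigned DLL from the same user-writable directory it was unpacked into. The following Python script is an added example, not code from Morphisec or Anomali; it runs that check over Sysmon Event ID 7 (Image loaded) records exported as JSON lines, using Sysmon's own field names (Image, ImageLoaded, Signed, SignatureStatus, Hashes, UtcTime). The five records it contains are constructed, with placeholder file names and hash values.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (Image loaded) records.

Added example for the SYS01 item; not the vendor's code. Field names (Image,
ImageLoaded, Signed, SignatureStatus, Hashes, UtcTime) are Sysmon's own; the
sample records below are constructed, with placeholder file names and hashes."""
import json
import ntpath
from typing import Dict, Iterable, List

# DLL loads from these locations are expected and are not examined further.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\winsxs\\", "c:\\program files\\",
                "c:\\program files (x86)\\")
# Markers of directories a standard user can write to, where a ZIP fetched via
# malvertising gets unpacked and run.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\",
                 "c:\\programdata\\")


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def is_sideload(event: Dict[str, object]) -> bool:
    """True when an EID 7 record shows a process loading an unsigned (or
    invalidly signed) DLL from its own directory, and that directory is
    user-writable rather than a system or Program Files location."""
    if event.get("EventID") != 7:
        return False
    exe_dir = _dir(str(event["Image"]))
    dll_dir = _dir(str(event["ImageLoaded"]))
    if dll_dir.startswith(TRUSTED_DIRS):
        return False
    same_dir = exe_dir == dll_dir
    user_dir = any(marker in dll_dir for marker in USER_WRITABLE)
    signed_ok = (str(event.get("Signed", "false")).lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    return same_dir and user_dir and not signed_ok


def find_sideloads(json_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse a JSON-lines Sysmon export and return the records is_sideload flags."""
    hits: List[Dict[str, str]] = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_sideload(event):
            hits.append({"time": str(event.get("UtcTime", "")),
                         "host": str(event["Image"]),
                         "dll": str(event["ImageLoaded"]),
                         "hashes": str(event.get("Hashes", ""))})
    return hits


# Constructed sample export: one side-load from a WinRAR temp folder, three
# benign loads, and one non-EID-7 event that must be ignored.
SAMPLE_EVENTS = [
    r'{"EventID": 7, "UtcTime": "2023-03-07 10:14:02.118", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EXa0\\MediaPlayer.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EXa0\\WTSAPI32.dll", "Hashes": "SHA256=PLACEHOLDER", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}',
    r'{"EventID": 7, "UtcTime": "2023-03-07 10:14:02.120", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EXa0\\MediaPlayer.exe", "ImageLoaded": "C:\\Windows\\System32\\WTSAPI32.dll", "Hashes": "SHA256=PLACEHOLDER", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}',
    r'{"EventID": 7, "UtcTime": "2023-03-07 10:15:40.003", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ImageLoaded": "C:\\Program Files\\Mozilla Firefox\\xul.dll", "Hashes": "SHA256=PLACEHOLDER", "Signed": "true", "Signature": "Mozilla Corporation", "SignatureStatus": "Valid"}',
    r'{"EventID": 7, "UtcTime": "2023-03-07 10:16:11.551", "Image": "C:\\Users\\alice\\Downloads\\tool\\tool.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\tool\\helper.dll", "Hashes": "SHA256=PLACEHOLDER", "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"}',
    r'{"EventID": 1, "UtcTime": "2023-03-07 10:14:01.900", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$EXa0\\MediaPlayer.exe", "CommandLine": "MediaPlayer.exe"}',
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"{hit['time']} side-load suspect: {hit['host']} loaded {hit['dll']} ({hit['hashes']})")
```

The signed-DLL exclusion is a deliberate trade-off: it keeps the rule quiet on portable applications that ship their own signed libraries, at the cost of missing a side-load that uses a validly signed but vulnerable DLL, so pair it with a review of the flagged host binary's own signer.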
All known SYS01 stealer indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: DLL Side-Loading</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a><br/> <b>Tags:</b> malware:SYS01, malware-type:Infostealer, Facebook Business, Google Ads, file-type:ZIP, file-type:EXE, file-type:PHP, file-type:DLL, Inno-Setup installer, Rust, Python, Nuitka, PHP, C#, SmartAssembly, ionCube, Zephir, Side-loading, target-industry:Government, target-industry:Manufacturing, Windows</p> </div> </div>
