Weekly Threat Briefing: New SpeakUp Backdoor Infects Linux and macOS with Miners

Weekly Threat Briefing: New SpeakUp Backdoor Infects Linux and macOS with Miners

February 5, 2019 | Anomali Labs

The intelligence in this weekís iteration discuss the following threats: APT32, APT39, Backdoors, CookieMiner, Cryptominers, Data breach, Malspam, Malware, Phishing, SectorA05, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain?

Anomali Labs recently analyzed a large number of weaponized RTF phishing files related to APT groups aligned with Chinese and Indian state interests. This analysis has identified a shared object dimension and shared obfuscation methods across weaponized RTF files utilized by the APT groups known as Sidewinder (Indian State Interests), Goblin Panda/Conimes (Chinese State Interests), Temp.Periscope/ APT40 / Leviathan (Chinese State Interests), and Temp.Trident / Dagger Panda & Nomad Panda / Icefog (Chinese State Interests). Both unique object dimensions and multiple shared obfuscation methods are visible in the RTF files which appear to be artifacts of a shared RTF phishing weaponizer. In addition to shared RTF properties, a distinct pattern of post-exploitation TTP’s is shared between the APT groups aligned with China, whereas a unique post-exploitation execution chain can be seen in Sidewinder APT campaigns. The use of a common RTF phishing weaponizer alongside distinct post-exploitation TTPs introduces the possibility that Chinese and Indian APTs may have an overlapping supply chain for the acquisition of exploits and phishing weaponizers. However, after these tools are acquired a distinct and complex network of APT digital quartermasters may determine how these tools are equipped with payloads and deployed in distinct operations.

Anomali Labs
About the Author

Anomali Labs

Get the latest threat intelligence news in your email.