Pegasus used against activists and journalists in Jordan. The Lazarus Group distributes a trojanized DeFi wallet. Deep Panda operates Log4Shell.
At a glance.
- Pegasus used against activists and journalists in Jordan.
- The Lazarus Group distributes a trojanized DeFi wallet.
- Deep Panda operates Log4Shell.
- The Trojan comes with ransomware and DDoS features.
- Redis servers targeted by Muhstik malware.
Pegasus used against activists and journalists in Jordan.
The University of Toronto’s Citizen Lab said phones belonging to “four Jordanian human rights defenders, lawyers and journalists were hacked with NSO Group’s Pegasus spyware between August 2019 and December 2021”. The researchers do not attribute this activity to any particular government, but they do note that two Pegasus clients appear to be focused primarily on targets in Jordan:
“One of the clients, which we call MANSAF, appears to spy primarily in Jordan, with limited additional operations in Iraq, Lebanon and Saudi Arabia. We believe MANSAF has been operating since December 2018.
“The other client, which we call BLACKIRIS, appears to spy almost exclusively in Jordan, and has been active since at least December 2020. An April 2021 report in Axios mentioned negotiations between NSO Group and the Jordanian authorities “in recent months”, with a source mentioning that a contract had been signed.”
The Lazarus Group distributes a trojanized DeFi wallet.
Kaspersky said the North Korean Lazarus Group, known for financially motivated operations as well as espionage, is using a trojanized cryptocurrency wallet app called “DeFi Wallet” to deliver a backdoor. The researchers suspect the malicious app is distributed via spear-phishing emails or social media posts. The app functions as a legitimate decentralized finance (DeFi) wallet to avoid suspicion while the malware runs in the background:
“When executed, the application drops both a malicious file and an installer for a legitimate application, launching the malware with the installation path of the created Trojan. Then the spawned malware overwrites the legitimate application with the Trojan application. Through this process, the Trojan application is removed from the disk, allowing it to cover its tracks.”
Deep Panda operates Log4Shell.
Fortinet is monitoring a campaign by the Chinese threat actor Deep Panda that opportunistically exploits the Log4Shell vulnerability to target organizations in the “financial, academic, cosmetic and travel industries”. The threat actor uses a new rootkit called “Fire Chili”, which has been signed with a stolen digital certificate. The researchers note that the same stolen certificate was used in other campaigns by Winnti, another Chinese state-sponsored actor.
The Trojan comes with ransomware and DDoS features.
Cyble researchers have observed a new remote access Trojan called “Borat” that has ransomware and DDoS capabilities in addition to the expected RAT features. Cyble says: “The Borat RAT is a powerful and unique combination of remote access Trojans, spyware and ransomware, making it a triple threat to any machine compromised by it. […] recording audio, controlling the webcam, and traditional information-stealing behavior, Borat is clearly a threat to watch out for. The added functionality to conduct DDOS attacks makes it an even more dangerous threat that organizations and individuals must watch.”
Redis servers targeted by Muhstik malware.
Juniper Networks warns that a malicious actor is targeting Redis servers using a recently patched vulnerability (CVE-2022-0543). The researchers state: “This vulnerability exists in certain Redis Debian packages. The attack began on March 11, 2022 from the same threat actor we have seen targeting Confluence servers in September 2021 and the same group targeting Log4j in December. The payload used is a variant of the Muhstik bot that can be used to launch DDOS attacks.”