What's new around the internet

Last one

Source | Date (GMT) | Title | Description | Tags | Stories | Notes

Source: Anomali
Date (GMT): 2021-04-01 06:52:00
Title: Bahamut Possibly Responsible for Multi-Stage Infection Chain Campaign (direct link)
Description:

Authored by: Gage Mele, Tara Gould, Winston Marydasan, and Yury Polozov

Key Findings

Anomali Threat Research discovered cyberthreat actors distributing malicious documents that exploit a vulnerability (CVE-2017-8570) during a multi-stage infection chain to install a Visual Basic (VB) executable on target machines. This exploitation creates a backdoor that appears only to retrieve the infected machine's username, possibly indicating reconnaissance activity. We assess with low confidence, based on limited technical intelligence and targeting consistent with previously observed activity, that the advanced persistent threat (APT) cyberespionage group known as Bahamut may be responsible for this campaign. Bahamut is a "group for hire" and typically targets entities and individuals in the Middle East and South Asia, using spearphishing messages and fake applications as the initial infection vector.

Overview

Based on a discovery in mid-February 2021, Anomali Threat Research assesses with low confidence that the APT cyberespionage group-for-hire Bahamut has been conducting malicious activity against multiple targets since at least June 4, 2020. While researching malicious files, our researchers analyzed a .docx file (List1.docx) that shared a bundled component with another .docx file, which was communicating via template injection with lobertica.info, a domain previously attributed to Bahamut.[1] Further analysis of this file and the infection chain it follows is provided in the sections below. The HTTP header dates of the template-injection URL (lobertica.info/fefus/template.dot) contacted by Screeshot from NACTA Website.docx (the "Screeshot" spelling error is in the original filename) indicate malicious activity dating back to at least June 4, 2020.

The title of the document may be a reference to Pakistan's National Counter Terrorism Authority (NACTA), which would be consistent with Bahamut's previous targeting and geographical focus. The June timeframe also aligns with Pakistan's virtual meeting with the Financial Action Task Force (Groupe d'Action Financière) held on June 24, 2020, which resulted in Pakistan being kept on the financial grey list for terrorism funding.[2] Additionally, between June 9 and June 15, 2020, the United Arab Emirates (UAE) and Pakistan conducted repatriation flights for Pakistani nationals in the UAE, and as of June 29 the UAE suspended passengers from Pakistan until more COVID-19-related facilities could be created.[3] While the timing may be coincidental, sophisticated threat actors such as Bahamut are known to use real-world events as themes for targeted cyber campaigns. Historically, in December 2016, Bahamut reportedly targeted human rights activists in the Middle East with spearphishing attacks delivering Android-based malware; this activity persisted through 2018 with the targeting of entities and individuals in Egypt, Iran, India, Pakistan, Palestine, Qatar, Tunisia, and the UAE.[4]

Details

Anomali Threat Research identified malicious .docx files that exploit a remote code execution (RCE) vulnerability (CVE-2017-8570). The activity apparently began in June 2020 and continued through at least mid-February 2021. The actors used at least three files with generic names (List1.docx, List for Approval.docx, and report.doc) and one with a NACTA theme and a typo in its name (Screeshot from NACTA Website.docx). (Figure 1)

Figure 1 – Infection Chain

Technical Analysis

Threat actors distributed .docx files with the objective of dropping a rich text format (RTF) file

Tags: Malware, Vulnerability, Threat
Stories: Bahamut
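The template injection described above works because a .docx is a ZIP of XML parts, and word/settings.xml can name an "attached template" through a relationship whose TargetMode is External; Word fetches that URL when the document opens. The following detector is an added example written for this page, not Anomali's code or tooling. It parses the relationship parts of a .docx and reports any attached template that is loaded over the network, and it builds a constructed sample document (not one of the real Bahamut files) that references the template URL named in the write-up so the check can be exercised offline. The function and helper names are this example's own.

```python
"""Detect remote template injection in a .docx.

A .docx is a ZIP of XML parts. word/settings.xml may carry a
<w:attachedTemplate r:id="..."/> element whose r:id resolves, through
word/_rels/settings.xml.rels, to a Relationship with TargetMode="External".
When that target is an http(s) URL or UNC path, Word fetches and loads the
template (and any macros it carries) as soon as the document opens.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = R_NS + "/attachedTemplate"


def find_remote_templates(docx_bytes):
    """Return the external (network) URLs a .docx loads as an attached template.

    Two checks are combined: resolve the r:id named by <w:attachedTemplate>
    in word/settings.xml, and independently scan every .rels part for an
    External attachedTemplate relationship (catches samples whose
    settings.xml is missing or mangled). Local templates are ignored.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        # Parse every relationship part once: part name -> {Id: element}.
        rels_by_part = {}
        for name in names:
            if name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                rels_by_part[name] = {
                    rel.get("Id"): rel
                    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship")
                }
        # Check 1: settings.xml -> attachedTemplate r:id -> settings.xml.rels
        if "word/settings.xml" in names:
            settings = ET.fromstring(z.read("word/settings.xml"))
            settings_rels = rels_by_part.get("word/_rels/settings.xml.rels", {})
            for node in settings.iter(f"{{{W_NS}}}attachedTemplate"):
                rel = settings_rels.get(node.get(f"{{{R_NS}}}id"))
                if rel is not None and rel.get("TargetMode") == "External":
                    found.append(rel.get("Target"))
        # Check 2: any External attachedTemplate relationship, in any part.
        for rels in rels_by_part.values():
            for rel in rels.values():
                if (rel.get("Type") == ATTACHED_TEMPLATE_TYPE
                        and rel.get("TargetMode") == "External"):
                    found.append(rel.get("Target"))
    # Keep only targets fetched over the network; de-duplicate, preserve order.
    remote = []
    for target in found:
        if not target:
            continue
        is_net = target.lower().startswith(("http://", "https://")) or target.startswith("\\\\")
        if is_net and target not in remote:
            remote.append(target)
    return remote


def build_sample_docx(template_url=None):
    """Construct a minimal .docx in memory (a constructed sample, not a real
    Bahamut file). With template_url set it mimics a template-injection
    document; with None it is a benign document with no attached template."""
    ns = f'xmlns:w="{W_NS}" xmlns:r="{R_NS}"'
    document = f'<w:document {ns}><w:body><w:p><w:r><w:t>List1</w:t></w:r></w:p></w:body></w:document>'
    root_rels = (f'<Relationships xmlns="{PKG_REL_NS}">'
                 f'<Relationship Id="rId1" Type="{R_NS}/officeDocument" Target="word/document.xml"/>'
                 '</Relationships>')
    if template_url:
        settings = f'<w:settings {ns}><w:attachedTemplate r:id="rId1"/></w:settings>'
        settings_rels = (f'<Relationships xmlns="{PKG_REL_NS}">'
                         f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
                         f'Target="{template_url}" TargetMode="External"/>'
                         '</Relationships>')
    else:
        settings = f'<w:settings {ns}/>'
        settings_rels = f'<Relationships xmlns="{PKG_REL_NS}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on any paths given on argv.
    sample = build_sample_docx("http://lobertica.info/fefus/template.dot")
    print("constructed sample:", find_remote_templates(sample))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, find_remote_templates(fh.read()))
```

Run it with one or more .docx paths to triage a mailbox dump; an empty list means no network-loaded template was found, while any URL is worth pivoting on (as the write-up did with the header dates of the template it retrieved). The network-only filter is deliberate: an External attachedTemplate pointing at a local path is normal Word behaviour and would otherwise drown real hits in noise.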
Last update at: 2024-06-02 19:08:21
See our sources.