Last December, the activity of a new APT group called Patchwork was recorded for the first time. According to Cymmetria researchers, this Indian group may have been organized back in 2014; over the past year, 2,500 users became its victims.

Patchwork attackers target mainly government organizations and related companies around the world, including in the United States, Europe, South Asia, the Asia-Pacific region, and the Middle East. According to experts, the hackers of this new group are most likely Indians by origin. This is not very common, as it is customary to associate APT groups with China and Russia, but not with India.

Despite the very limited technical capabilities of the Patchwork hackers, their campaigns are impressively effective. The group is named after patchwork, the sewing technique that stitches together scraps of fabric, because their tools and malware are assembled from code taken from various sources, such as online forums, GitHub and the black market. In the second stage of a campaign, the Indian hackers deployed the malware only after they had confirmed that the victim's system was stable.
OSX/Keydnap

The noise around the Backdoor.MAC.Eleanor malware had not yet subsided when security experts reported a new backdoor. According to ESET researchers, the OSX/Keydnap malware steals the contents of the Mac OS X keychain and gives attackers persistent access to the compromised system. The exact infection vector is difficult to determine: the backdoor is presumed to be distributed via spam emails, but it could also reach the system through applications downloaded from untrusted sources. One of the downloader components is known to be distributed as a ZIP file: the archive contains a Mach-O executable disguised as a text or JPEG file. The file extension ends with a space, so double-clicking the file opens it in Terminal rather than in TextEdit or Preview; Finder still shows the executable with a JPEG or TXT icon, and the unsuspecting user opens it.
The backdoor, packed with a modified version of UPX, achieves persistence by installing a PLIST file in /Library/LaunchAgents/ if it has superuser rights, or in $USER/Library/LaunchAgents/ if it does not. The executable icloudsyncd is stored in the directory Library/Application Support/com.apple.iCloud.sync.daemon.
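The lure described above (a decoy .jpg or .txt name ending in a space, with a Mach-O binary behind it) can be checked for before an archive is opened. The following is an added example for defenders, not code from ESET or from the malware; the sample archive it builds is constructed inline, and only the first four bytes of each entry are inspected for a Mach-O or fat-binary magic.

```python
import io
import zipfile

# Mach-O magic numbers in both byte orders, plus the fat (universal) binary header.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # MH_MAGIC (32-bit)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # MH_MAGIC_64
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # FAT_MAGIC / FAT_CIGAM
}
# Extensions the lure imitates; a trailing space after one of them is the tell.
DECOY_EXTENSIONS = (".jpg", ".jpeg", ".txt")


def suspicious_entries(zip_bytes: bytes) -> list:
    """Return ZIP entries that look like the Keydnap lure: a decoy extension
    followed by a trailing space, and/or a Mach-O header instead of image/text data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            stripped = name.rstrip(" ")
            trailing_space = name != stripped and stripped.lower().endswith(DECOY_EXTENSIONS)
            with zf.open(info) as fh:
                header = fh.read(4)
            is_macho = header in MACHO_MAGICS
            if trailing_space or is_macho:
                findings.append({"name": name, "trailing_space": trailing_space, "macho": is_macho})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign text file and one decoy 'JPEG' whose name
    ends with a space and whose content starts with the MH_MAGIC_64 bytes (header only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "just a note\n")
        zf.writestr("photo.jpg ", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)  # fake header, no code
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_entries(build_sample_archive()):
        print(finding)
```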
Kovter Trojan variant

A new version of the Kovter Trojan that disguises itself as a legitimate update for Firefox is spread using drive-by-download attacks. When visiting an infected site, the user is prompted to install a fake browser update.

After that, the malware installs remotely updated Trojans on the infected system to gain access to the computer, clicks on advertising links, and also acts as ransomware; meanwhile it writes its embedded encrypted script into several different sections of the Windows registry and uses PowerShell.exe to carry out the malicious actions. Kovter is fileless.