Cybersecurity Newsletter - 10/08/2020
BAHAMUT Group Targeting Governments and Businesses in Middle East and UAE
BlackBerry released new research highlighting the true reach and sophistication of one of the most elusive, patient, and effective publicly known threat actors – BAHAMUT.
The report uncovered malicious applications that are directly attributable to BAHAMUT based on their configuration and the unique network service fingerprints they presented. The applications came complete with well-designed websites, privacy policies, and written terms of service, which helped them bypass the safeguards put in place by both Google and Apple.
The applications BlackBerry investigated were determined to be intended for targets in the UAE, as downloads were region-locked to the Emirates.
Kraken: Fileless APT attack abuses Windows Error Reporting service
On September 17th, Malwarebytes discovered a new attack called Kraken that injected its payload into the Windows Error Reporting (WER) service as a defense evasion mechanism.
The service's reporting executable, WerFault.exe, is normally launched when an error occurs in the operating system, a Windows feature, or an application. Victims who see WerFault.exe running on their machine probably assume that an ordinary error has occurred, when in this case they have actually been targeted in an attack.
While this technique is not new, this campaign is likely the work of an APT group that had earlier used a phishing attack enticing victims with a worker's compensation claim. The threat actors compromised a website to host their payload and then used the CactusTorch framework to perform a fileless attack, followed by several anti-analysis techniques.
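Because the technique above hides behind a process defenders expect to see, a hunt over process-creation telemetry is one practical check. The following is an added example, not code from Malwarebytes or the newsletter: it parses constructed Sysmon-style key=value lines and flags WerFault.exe launches that lack the crash-report argument pattern or have a parent process the analyst does not expect. The "-p <pid>" argument pattern and the UNEXPECTED_PARENTS list are assumptions an analyst would tune to their own environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (Sysmon-style key=value pairs, one event per line).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\WerFault.exe ParentImage=C:\Windows\System32\svchost.exe CommandLine="C:\Windows\System32\WerFault.exe -u -p 4321 -s 1608"',
    r'Image=C:\Windows\System32\WerFault.exe ParentImage=C:\Windows\System32\rundll32.exe CommandLine="C:\Windows\System32\WerFault.exe"',
    r'Image=C:\Windows\System32\WerFault.exe ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="C:\Windows\System32\WerFault.exe -u -p 5000 -s 700"',
    r'Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"',
]

# Assumption: a genuine crash report passes the faulting process id as "-p <pid>".
CRASH_ARGS_RE = re.compile(r"\s-p\s+\d+")
# Assumption: analyst-chosen parents that should not be launching WerFault.exe.
UNEXPECTED_PARENTS = {"rundll32.exe", "mshta.exe", "wscript.exe", "powershell.exe"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(event: Dict[str, str]) -> List[str]:
    """Explain why a WerFault.exe launch looks odd; an empty list means it looks normal."""
    if basename(event.get("Image", "")) != "werfault.exe":
        return []
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    if parent in UNEXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if not CRASH_ARGS_RE.search(event.get("CommandLine", "")):
        reasons.append("no '-p <pid>' crash-report argument")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (line index, reasons) for every WerFault.exe launch with at least one reason."""
    hits = []
    for i, line in enumerate(lines):
        reasons = suspicious_reasons(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(why)}")
```

Only the second constructed event is flagged: a WerFault.exe started by rundll32.exe with no crash-report arguments, while the Word crash with a proper "-p <pid>" argument is left alone.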