Blog entry by Les Bell

by Les Bell - Thursday, 1 December 2022, 9:14 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Google Threat Analysis Group Uncovers Commercial Spyware

Google's Threat Analysis Group (TAG) has detailed an exploitation framework which they uncovered when an anonymous submitter disclosed three bugs to the Chrome bug reporting program. The bugs, each accompanied by instructions and a source code archive, are:

  • Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug, followed by a sandbox escape
  • Heliconia Soft: a web framework which deploys a PDF containing a Windows Defender exploit
  • Files: a set of Firefox exploits for Linux and Windows

The vulnerabilities were patched by the respective vendors in 2021 and early 2022, but TAG assesses they were likely used as 0days in the wild before that. The first two exploit chains end with a launcher DLL that fetches the exploitation agent from a URL and then launches it; the archives were supplied with a dummy agent called agent_simple, and in real deployments this would presumably be replaced by a customized agent.

Heliconia Noise includes a pre-commit cleaning script which checks that the produced binaries do not contain sensitive strings, such as the project name, developer names, etc. Ironically, this script leaks all of these, including the name of the company behind this project, Variston IT. Variston Information Technology is a small Barcelona-based company which, it claims, offers "tailor made Information Security Solutions". From these exploits, it seems that Variston has joined the ranks of NSO Group, Cytrox and others in offering commercial spyware.
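The lesson in that pre-commit check is worth making concrete. The following is an added example, not Variston IT's script and not code from the TAG report: it does the same job (extract printable strings from a build artifact and refuse the commit if any sensitive name appears), but it compares SHA-256 digests of the tokens it finds against a denylist of digests, so the checker itself never carries the company, developer or project names it is meant to keep out of the binaries. The company, developer and project names and the sample binary are constructed for the demo.

```python
"""
Scan build artifacts for sensitive strings before commit.

Added example: not Variston IT's script and not code from the TAG report.
It mimics the `strings` step of such a pre-commit check, but compares
SHA-256 hashes of the tokens it finds against a denylist of hashes, so
that the checker itself never contains the plaintext names it guards.
"""
import hashlib
import re
from pathlib import Path

# Runs of printable ASCII, as `strings -n 4` would report them.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Split a run into alphanumeric tokens ("proj_heron" -> "proj", "heron").
_TOKEN = re.compile(rb"[A-Za-z0-9]+")


def token_hash(token: bytes) -> str:
    """Case-insensitive SHA-256 of a token; this digest is all the repo stores."""
    return hashlib.sha256(token.lower()).hexdigest()


def build_denylist(secrets):
    """Run once, offline, by whoever knows the secrets; commit only the digests."""
    return frozenset(token_hash(s.encode("utf-8")) for s in secrets)


def find_leaks(blob: bytes, denylist):
    """Return (offset, token) pairs for every denylisted token found in blob."""
    hits = []
    for run in _PRINTABLE.finditer(blob):
        text = run.group(0)
        # Check the whole run and each token in it; sort for deterministic output.
        candidates = sorted({text, *_TOKEN.findall(text)})
        for cand in candidates:
            if token_hash(cand) in denylist:
                hits.append((run.start(), cand.decode("ascii")))
    return hits


def scan_paths(paths, denylist):
    """Map each artifact path to its leaks; an empty dict means the commit may proceed."""
    report = {}
    for p in paths:
        leaks = find_leaks(Path(p).read_bytes(), denylist)
        if leaks:
            report[str(p)] = leaks
    return report


# --- constructed demo data: hypothetical names, not from the TAG report ---
SECRETS = ["ExampleCorp", "jdoe", "heron"]   # company, developer, project codename
DENYLIST = build_denylist(SECRETS)           # in practice only these digests are committed

SAMPLE_BINARY = (                            # a fake ELF-ish blob with strings embedded
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8
    + b"build by jdoe at ExampleCorp\x00"
    + b"/home/jdoe/proj_heron/src/main.c\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    for offset, token in find_leaks(SAMPLE_BINARY, DENYLIST):
        print(f"0x{offset:06x}: {token}")
```

Because only digests are stored, the script can safely be run over its own source (`find_leaks(Path(__file__).read_bytes(), DENYLIST)`) as part of the same hook, which is exactly the check Variston's plaintext version could never pass. The trade-off is that digest matching only catches tokens that fall on word boundaries: a name fused into a longer identifier ("jdoebuild") would be missed, where a plaintext substring search would catch it at the cost of leaking the list.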

Lecigne, Clement and Benoit Sevens, New details on commercial spyware vendor Variston, blog post, 30 November 2022. Available online at https://blog.google/threat-analysis-group/new-details-on-commercial-spyware-vendor-variston/.

North Korean Backdoor Uses Google Drive for C2

ESET researchers have reported on a newly-analyzed backdoor called Dolphin, deployed by North Korean group APT37 (ScarCruft, Reaper) against targets in South Korea. First detected in early 2021, Dolphin was used in a watering-hole attack on a South Korean online newspaper, in that case being deployed as the final stage of the attack via an Internet Explorer exploit and some shellcode which loaded another APT37 backdoor called BLUELIGHT. Most attacks ended with BLUELIGHT, but ESET discovered that, on selected targets, BLUELIGHT was then used to download and chain to Dolphin.

While BLUELIGHT can exfiltrate selected files upon command, Dolphin extends this capability to actively searching drives and exfiltrating files with extensions of interest. The backdoor initially reports some basic information about the victim system (computer name, username, OS version, local and external IP addresses, installed security products, and whether a debugger or other tools such as Wireshark are running) and then downloads commands, issued by its operators, from Google Drive storage, executing them and uploading the results to the same storage.

Dolphin's commands give it extensive capabilities apart from file exfiltration. It can also search connected portable devices such as smartphones, using the Windows Portable Device API, take screenshots, log keystrokes, download and execute shellcode, run arbitrary shell commands and steal credentials. Another interesting trick found in some versions is to downgrade the security of a signed-in Google account by enabling IMAP access to Gmail and then enabling "less secure app access", presumably to give the operators persistent access to the victim's mailbox.

The ESET report provides a full analysis of the evolution of Dolphin, as well as MITRE ATT&CK techniques and IoCs.

Jurčacko, Filip, Who's swimming in South Korean waters? Meet ScarCruft's Dolphin, blog post, 30 November 2022. Available online at https://www.welivesecurity.com/2022/11/30/whos-swimming-south-korean-waters-meet-scarcrufts-dolphin/.

China-related Cyberespionage Campaign Targets Philippines - Also SE Asia, Asia-Pacific, US and Europe

Mandiant Managed Defense has lifted the lid on a cyberespionage campaign being run in the Philippines by a China-nexus group tracked as UNC4191. Although the campaign leveraged USB devices to infect machines in the Philippines, the targeted organizations were based in other locations around the world.

After initial infection via the USB devices, the threat actor used legitimately signed binaries to side-load malware, including three new families Mandiant named MISTCLOAK, DARKDEW and BLUEHAZE. This led to deployment of a renamed ncat binary which created a reverse shell on the victim's system, giving the threat actor backdoor access. The malware also replicated itself by infecting any new removable drives plugged into the system.

Timestamps in the binaries date back to September 2021, indicating that this campaign may have been running for some time, especially considering the self-propagating nature of the malware. The range of both public- and private-sector entities targeted suggests that the campaign objective is collection of intelligence related to China's political and commercial interests.

The Mandiant report provides a full analysis, including YARA rules and IoCs.

Tomcik, Ryan, John Wolfram, Tommy Dacanay and Geoff Ackerman, Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia, blog post, 28 November 2022. Available online at https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
