The Weekly Briefing - 02/21
ALERT: North Korean Hackers Attacking With RokRat Trojan
A North Korean hacking group has been found deploying the RokRat Trojan in a new spear-phishing campaign targeting the South Korean government.
Attributing the attack to APT37 (aka ScarCruft, Ricochet Chollima, or Reaper), Malwarebytes said it identified a malicious document last December that, when opened, executes a macro in memory to install the aforementioned remote access tool (RAT).
"The file contains an embedded macro that uses a VBA self-decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad," the researchers noted in a Wednesday analysis.
While the previous attacks leveraged malware-laced Hangul Word Processor (HWP) documents, the use of self-decoding VBA Office files to deliver RokRat suggests a change in tactics for APT37, the researchers said.
Defensury Cyber Security experts warn organizations in Russia, Japan, Vietnam, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East to monitor for potential RokRat spear-phishing campaigns.
ALERT: Cross-Platform ElectroRAT Malware Targeting Users of Crypto
Security researchers have revealed a wide-ranging campaign targeting cryptocurrency users that has been distributing trojanized applications since as early as January last year in order to install a previously undetected remote access tool on victims' systems.
Called ElectroRAT by Intezer, the RAT is written from the ground up in Golang and designed to target multiple operating systems, namely Windows, Linux, and macOS.
The apps are developed using the open-source Electron cross-platform desktop app framework.
"ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines," the researchers said.
While it is common to see various information stealers trying to collect private keys to access victims' wallets, it is rare to see tools written from scratch and targeting multiple operating systems for this purpose.
Defensury's experts predicted in their 2021 cybercrime prediction article that more sophisticated malware attacks are likely to increase.
The campaign, first detected in December, is believed to have claimed over 6,500 victims.
"Operation ElectroRAT" involved the attackers creating three different tainted applications, each with a Windows, Linux, and macOS version: two pose as cryptocurrency trade management applications named "Jamm" and "eTrade," while a third app called "DaoPoker" masquerades as a cryptocurrency poker platform.
Not only are the malicious apps hosted on websites built specifically for this campaign, but the services are also advertised on Twitter, Telegram, and legitimate cryptocurrency and blockchain-related forums such as "bitcointalk" and "SteemCoinPan" in an attempt to lure unsuspecting users into downloading the tainted apps.
Once installed, the app opens a harmless-looking user interface while ElectroRAT runs hidden in the background as "mdworker," with intrusive capabilities to capture keystrokes, take screenshots, upload files from disk, download arbitrary files, and execute commands received from the C2 server on the victim's machine.
Defensury urges users who have fallen victim to this campaign to kill the process, delete all files related to the malware, move their funds to a new wallet, and change their passwords.
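The "mdworker" disguise is the hunting lead in the two paragraphs above: on macOS a genuine Spotlight worker runs from under /System/Library, and on Linux or Windows a process by that name has no legitimate reason to exist at all. The script below is an added example (not Intezer's tooling or any ElectroRAT indicator beyond the process name quoted above) that parses `ps` output, flags mdworker processes running from an unexpected path, and performs the "kill the process" remediation step in dry-run mode by default. The legitimate path prefix and the sample `ps` lines are assumptions constructed for the example.

```python
"""Hunt for processes impersonating Apple's Spotlight worker "mdworker".

Added example, not from Intezer's report. Assumptions: ElectroRAT hides
under the process name "mdworker" (as the briefing states); the genuine
macOS binary ships under /System/Library/Frameworks/CoreServices.framework
(assumed prefix); on non-macOS hosts any process called mdworker is suspect.
"""
import os
import signal
import subprocess
import sys
from dataclasses import dataclass

# Assumed location of Apple's real mdworker / mdworker_shared binaries.
LEGIT_MDWORKER_PREFIX = "/System/Library/Frameworks/CoreServices.framework/"
MDWORKER_NAMES = {"mdworker", "mdworker_shared", "mdworker.exe"}

# Constructed sample of `ps -axo pid=,user=,comm=` output (macOS `comm`
# carries the full executable path). PID 1337 is the impostor.
SAMPLE_PS = """\
  412 root  /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
  890 alice /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker
 1337 alice /Users/alice/Library/Application Support/Jamm/mdworker
 2001 alice /Applications/Jamm.app/Contents/MacOS/Jamm
"""


@dataclass
class Finding:
    pid: int
    user: str
    path: str
    reason: str


def parse_ps(ps_output: str):
    """Turn `pid user comm` lines into (pid, user, path) tuples.

    maxsplit=2 keeps paths containing spaces ("Application Support") intact.
    """
    rows = []
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def find_suspicious(rows, platform=sys.platform):
    """Flag mdworker processes that are not Apple's own."""
    findings = []
    for pid, user, path in rows:
        if os.path.basename(path).lower() not in MDWORKER_NAMES:
            continue
        if platform != "darwin":
            findings.append(Finding(pid, user, path,
                                    "mdworker has no legitimate role on a non-macOS host"))
        elif not path.startswith(LEGIT_MDWORKER_PREFIX):
            findings.append(Finding(pid, user, path,
                                    "mdworker running from an unexpected path"))
    return findings


def kill_findings(findings, dry_run=True):
    """Terminate flagged processes; returns the PIDs acted on (or that would be)."""
    killed = []
    for f in findings:
        if not dry_run:
            os.kill(f.pid, signal.SIGKILL)
        killed.append(f.pid)
    return killed


def live_scan():
    """Run the check against the real process table of this host."""
    out = subprocess.run(["ps", "-axo", "pid=,user=,comm="],
                         capture_output=True, text=True, check=True).stdout
    return find_suspicious(parse_ps(out))


if __name__ == "__main__":
    for f in find_suspicious(parse_ps(SAMPLE_PS), platform="darwin"):
        print(f"PID {f.pid} ({f.user}) {f.path}: {f.reason}")
    print("would kill:", kill_findings(find_suspicious(parse_ps(SAMPLE_PS), platform="darwin")))
```

Run with `dry_run=False` only after confirming the path; a binary name alone is a weak indicator, so pair this with the remaining steps in the paragraph above (removing the dropped files, rotating wallets and passwords) rather than treating a clean `ps` listing as proof the host is unaffected.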
Hackers Can Clone Your Google Titan 2FA Security Keys
Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.
But new research published on Thursday demonstrates how an adversary in physical possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.
The vulnerability (tracked as CVE-2021-3011) allows the attacker to extract the ECDSA private key linked to a victim's account from a FIDO Universal 2nd Factor (U2F) device such as the Google Titan Security Key or YubiKey, thus completely undermining the 2FA protection.
"The adversary can sign in to the victim's application account without the U2F device, and without the victim noticing," NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis.
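A clone carries the same private key, so signature verification alone cannot tell it apart from the original. What the relying party does have is the signature counter that every U2F authentication response carries, and it should refuse any response whose counter is not strictly above the last one it accepted for that key handle. The simulation below is an added example, not NinjaLab's code or any FIDO library: the response layout (1-byte user-presence flag, 4-byte big-endian counter, then the signature) follows the FIDO U2F raw message format, while the device class, key handle, placeholder signature bytes and counter values are constructed for illustration.

```python
"""Relying-party counter check that exposes a cloned U2F authenticator.

Added example, not from NinjaLab or any FIDO implementation. Only the
counter logic is real; the signature bytes are a placeholder and signature
verification with the registered public key is assumed to have passed.
"""
import struct

# FIDO U2F raw auth response: user-presence byte, big-endian uint32 counter,
# followed by the DER-encoded ECDSA signature.
U2F_RESP_PREFIX = struct.Struct(">BI")


def parse_auth_response(resp: bytes):
    """Return (user_present, counter, signature) from a raw U2F auth response."""
    if len(resp) < U2F_RESP_PREFIX.size:
        raise ValueError("response too short")
    presence, counter = U2F_RESP_PREFIX.unpack_from(resp)
    return bool(presence & 0x01), counter, resp[U2F_RESP_PREFIX.size:]


class U2FDevice:
    """Models only the counter behaviour of an authenticator (no real crypto)."""

    def __init__(self, counter: int = 0):
        self.counter = counter

    def clone(self):
        # An adversary who extracted the key also knows the counter at that
        # moment; from here on the two devices count independently.
        return U2FDevice(self.counter)

    def sign(self, presence: bool = True) -> bytes:
        self.counter += 1
        placeholder_sig = b"\x30\x00"  # constructed stand-in for a DER signature
        return U2F_RESP_PREFIX.pack(0x01 if presence else 0x00, self.counter) + placeholder_sig


class RelyingParty:
    """Stores the last accepted counter per key handle and enforces monotonicity."""

    def __init__(self):
        self.last_counter = {}

    def register(self, key_handle: bytes):
        self.last_counter[key_handle] = 0  # nothing accepted yet

    def authenticate(self, key_handle: bytes, resp: bytes):
        present, counter, _sig = parse_auth_response(resp)
        # Assumed: ECDSA verification over the signed data succeeded.
        if not present:
            return False, "user presence not asserted"
        last = self.last_counter[key_handle]
        if counter <= last:
            return False, f"counter {counter} not above last seen {last}: possible cloned key"
        self.last_counter[key_handle] = counter
        return True, "ok"


def simulate():
    """Legit key used twice, cloned, clone used once, legit key used again."""
    rp = RelyingParty()
    handle = b"kh-victim"  # constructed key handle
    rp.register(handle)
    legit = U2FDevice()
    results = [rp.authenticate(handle, legit.sign())[0],   # counter 1: accepted
               rp.authenticate(handle, legit.sign())[0]]   # counter 2: accepted
    clone = legit.clone()                                   # adversary clones at 2
    results.append(rp.authenticate(handle, clone.sign())[0])  # counter 3: accepted
    results.append(rp.authenticate(handle, legit.sign())[0])  # counter 3 again: rejected
    return results


if __name__ == "__main__":
    print(simulate())
```

The outcome is the caveat practitioners need: the clone's first login succeeds, and the anomaly only surfaces when the genuine key is next used and its counter has fallen behind. The check therefore detects cloning after the fact rather than preventing it, and a rejection should trigger re-enrolment of the key and a review of recent sessions, not just a retry.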