Posts

Showing posts from March, 2022

Raccoon Stealer Leverages Telegram for C2

Introduction: Raccoon Stealer is a relatively young but widely used commodity stealer that extracts passwords, browser cookies, email credentials, plugin/extension data, and cryptocurrency wallet files. It can also download and execute arbitrary files on command from its command-and-control server, and it has become a popular choice among criminal operators. According to Avast, Raccoon Stealer has been distributed through downloaders such as GCleaner and Buer Loader since 2019 and has received several updates since its original release. In their recent research paper, Avast's analysts note that the samples they examined were distributed disguised as game cheats, patches, game mods, or other popular software. Since Raccoon Stealer is sold to anyone who pays for it, the range of delivery themes is effectively unlimited.
Technical Analysis (Shortened): Raccoon Stealer is written in C/C++ and built with Visual Studio. The malware runs several checks on an infected machine before executing its main payload. One of these checks i...

Qakbot Inserting itself in your Conversations

A recent threat report by Sophos Labs details the techniques and tactics used by the infamous Qakbot/Qbot malware. By inserting itself into existing email conversations and sending from the accounts of compromised victims, it spreads quickly to the compromised account's correspondents. Qakbot replies-all to the hijacked thread with a short message and a link to a download URL serving a zip file that contains a malicious MS Office document (see the example screenshot in the full post). There are hundreds of variants of these emails, in different languages and with slightly different one-liners. The primary malicious document analyzed by the Sophos team used the uncommon .xlsb (Excel Binary Workbook) extension. As expected, the embedded payload ran once the user enabled content. Some key takeaways from their analysis:
- The payload was dropped into a folder with a random five-character name in the root of the C: drive.
- Via MS Edge, it contacted a compromised website and injected itself into an Edge instance.
- The malware profiled the machine it was on (i.e., ...

Google TAG: APT31 Targeting US govt Affiliates in Phishing Campaign

Google's Threat Analysis Group (TAG) warned Gmail users about phishing activity by the Chinese state-backed group APT31 (also tracked as Judgment Panda and Zirconium) targeting high-profile accounts affiliated with the US government. Shane Huntley of Google TAG shared details of the campaign on Twitter, including that Google blocked all of these emails and classified them as spam. The campaign was first detected in February 2022 and, so far, shows no indication of being related to the current Russia/Ukraine conflict. Google continues to monitor government-backed activity and send warnings to the users it targets. In October 2021 Google reported having sent some 50,000 such warnings about state-sponsored attacks and phishing to customers during the year; over 15,000 of them were confidently linked to the Russian GRU's APT28 (Fancy Bear). APT31 has previously been linked to the reuse of the NSA's EpMe exploit years before the Shadow Brokers leaked it in 2017. Microsoft analysts have also observed APT...

Dirty Pipe- Linux Bug for Gaining Root

Security researcher Max Kellermann publicly disclosed a vulnerability in the Linux kernel from version 5.8 onward, dubbed 'Dirty Pipe'. Tracked as CVE-2022-0847, it allows a local, unprivileged user to overwrite data in files they are only permitted to read. Kellermann noted in his write-up that the bug resembles Dirty COW (CVE-2016-5195). His proof-of-concept injects data into read-only files, which is enough to strip restrictions and alter configuration in order to escalate privileges. Another researcher, Phith0n, showed how the bug can be used to modify /etc/passwd so that the root account no longer has a password; once that change is made, an unprivileged user can simply run su root to obtain root privileges. Following these developments, a researcher going by BLASTY released an even easier way to gain root by patching the /usr/bin/su c...
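Two checks a defender would want after reading this, as an added example that is not part of the original post or of any of the cited proof-of-concepts: a version screen for the affected upstream kernel range, and a scan for the /etc/passwd tampering pattern that the demo above produces (root's password field emptied). Assumptions, mine and not stated on the page: the fix shipped in stable kernels 5.16.11, 5.15.25 and 5.10.102 as given in Kellermann's disclosure, and 5.11 through 5.14 were end of life and never received it; the passwd content is constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the original post or from any Dirty Pipe PoC.
# Two defender-side checks for CVE-2022-0847 (Dirty Pipe).

# dirty_pipe_vulnerable VERSION
# Returns 0 when the upstream kernel version lies in the affected range
# (5.8 up to, but not including, the fixed 5.10.102 / 5.15.25 / 5.16.11),
# 1 otherwise. Assumption: fix versions taken from Kellermann's disclosure;
# 5.11-5.14 were EOL and never received the fix, so they stay in range.
dirty_pipe_vulnerable() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # "5.15.0-generic" -> "5.15.0"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                 # "5.16" -> patch level 0
    [ "$major" -eq 5 ] || return 1                    # bug was introduced in 5.8
    [ "$minor" -ge 8 ] || return 1
    case "$minor" in
        10) [ "$patch" -lt 102 ] ;;
        15) [ "$patch" -lt 25 ] ;;
        16) [ "$patch" -lt 11 ] ;;
        *)  [ "$minor" -le 16 ] ;;                    # 5.8, 5.9, 5.11-5.14
    esac
}

# empty_password_accounts [FILE]
# Prints every account whose password field (field 2) is empty. The Dirty Pipe
# /etc/passwd demo removes root's "x", so a tampered file lists root here while
# a clean file prints nothing. Defaults to the live /etc/passwd.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/passwd}"
}

# Constructed sample (not a real host's file): root's password field is empty.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF

for v in 5.10.101 5.10.102 5.13.0 5.16.10 5.16.11 5.17.0; do
    if dirty_pipe_vulnerable "$v"; then
        echo "$v: in affected upstream range"
    else
        echo "$v: not affected"
    fi
done
echo "accounts with empty password field in sample: $(empty_password_accounts "$SAMPLE_PASSWD")"
if dirty_pipe_vulnerable "$(uname -r)"; then
    echo "running kernel $(uname -r): in affected upstream range, confirm with the vendor advisory"
fi
```

Two caveats on using this. Distribution kernels backport fixes without bumping the upstream version they report (an Ubuntu 5.13.0-x or RHEL 5.14.0-x build may already be patched), so the version screen is a triage filter that produces false positives and must be confirmed against the vendor's advisory. And Dirty Pipe only modifies the page-cache copy of the file, which is not written back to disk, so the passwd scan catches the tampered state while it is live; after a reboot the on-disk file reads clean again and the evidence is gone.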

FBI release 'Made in Beijing: The Plan for Global Market Domination'

Description: Through interviews with FBI agents and executives of victim companies, this film aims to help the private sector recognize the urgent need to protect their intellectual property against sustained and ongoing industrial espionage by the People's Republic of China (PRC). Visit fbi.gov/chinathreat to learn more. https://www.fbi.gov/video-repository/made-in-beijing-030722.mp4/view

Nation-state sponsored phishing campaign targeting Euro govt and refugee movement

A recent Proofpoint article highlights activity they assess as a likely nation-state sponsored phishing campaign against European government entities and organizations supporting the refugee movement. Compromised Ukrainian military email accounts were being used to distribute malicious macro attachments that deliver a Lua-based malware Proofpoint dubbed SunSeed. The activity follows reports from CERT-UA of increased phishing and disruptive operations against Ukrainian organizations by the Belarus-linked group 'UNC1151', which Proofpoint tracks as TA445. In this post, I have cited the original article but will summarize Proofpoint's findings and provide any additional context I may have.
Delivery: The original email detected by Proofpoint researchers was found on Feb. 24, 2022, inbound to a European government entity, and originated from ukr[.]net.
Email Subject: "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022"
Malicious Attachment: ...