15 March 2023

Cyber Threat Investigations & Expert Services (CTIX) FLASH Wrap-Up

Ankura Consulting Group LLC


Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Executive Summary

The Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Wrap-Up is a collection of high-level cyber intelligence summaries pertaining to current or emerging cyber events in February 2023, originally published in CTIX FLASH Updates throughout February. This publication includes malware threats, threat actor activity, and newly identified vulnerabilities impacting a wide range of industries and victims. The CTIX FLASH Update is a semi-weekly newsletter that provides a timely snapshot of cyber events, geared toward cyber professionals and end users with varying levels of technical knowledge. The events published in the FLASH typically occurred close in time to publication of the report.

To stay up to date on the latest cyber threat activity, sign up for our weekly newsletter: the Ankura CTIX FLASH Update.

MALWARE ACTIVITY

Russian Espionage Group Uses Go-Based Malware "Graphiron" to Target Ukrainian Organizations

Reported in the February 10th, 2023, FLASH Update

  • "Graphiron", a new information-stealing malware, has recently been observed in attacks targeting an array of Ukrainian organizations. The attacks are being launched by the Russian espionage group Nodaria (aka UAC-0056), which has been active since at least March 2021. Graphiron is written in the Go programming language and is designed to "harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files." The earliest evidence of this malware is cited as October 2022. The malware consists of two stages: a downloader and a payload. Once executed, the downloader checks for various malware analysis tools and, if none are found, connects to a hardcoded command-and-control (C2) server to download and decrypt the payload. The payload is then added to an autorun location for persistence. Researchers noted that the downloader makes just one (1) attempt to download and install the payload, meaning it makes no further attempts if that attempt fails and does not send a heartbeat. Graphiron uses hardcoded file names designed to pass as Microsoft Office components, such as "OfficeTemplate.exe" and "MicrosoftOfficeDashboard.exe". Graphiron is noted to have similarities to other malware used by the Nodaria group, including "GraphSteel" and "GrimPlant", and the group is constantly evolving its capabilities in order to evade defensive measures. Additional information on the Nodaria threat group as well as indicators of compromise (IOCs) can be viewed in Symantec's report linked below.
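The persistence detail above (a payload registered in an autorun location under an Office-sounding file name) lends itself to a simple triage check. The following Python is an added example, not code from the Ankura or Symantec write-ups: it reviews autorun entries, flags the two decoy names the summary reports, and also flags any Office-branded executable that lives outside the Office install roots. The trusted roots and the sample autorun entries are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Decoy file names reported for Graphiron in the summary above.
GRAPHIRON_DECOY_NAMES = {"officetemplate.exe", "microsoftofficedashboard.exe"}

# Assumption for this example: a genuine Office binary should live under one
# of these roots. Anything Office-branded elsewhere deserves a second look.
TRUSTED_OFFICE_ROOTS = (
    PureWindowsPath(r"C:\Program Files\Microsoft Office"),
    PureWindowsPath(r"C:\Program Files (x86)\Microsoft Office"),
    PureWindowsPath(r"C:\Program Files\Common Files\Microsoft Shared"),
)

OFFICE_BRANDING = re.compile(r"office|microsoft", re.IGNORECASE)


def _under(path, root):
    """True if path is located beneath root (PureWindowsPath compares case-insensitively)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def triage_autorun(entries):
    """Return (value_name, image_path, reason) for suspicious autorun entries.

    entries: iterable of (value_name, image_path) pairs, e.g. from a Run key
    or Startup folder listing, with the executable path already extracted.
    """
    findings = []
    for name, image in entries:
        path = PureWindowsPath(image)
        fname = path.name.lower()
        trusted = any(_under(path, root) for root in TRUSTED_OFFICE_ROOTS)
        if fname in GRAPHIRON_DECOY_NAMES:
            findings.append((name, image, "known Graphiron decoy file name"))
        elif OFFICE_BRANDING.search(fname) and not trusted:
            findings.append((name, image, "Office-branded executable outside Office install root"))
    return findings


# Constructed sample autorun listing: two decoys, one legitimate Office
# component under a trusted root, and an unrelated Microsoft binary.
SAMPLE_AUTORUN = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("OfficeTemplate", r"C:\Users\alice\AppData\Roaming\OfficeTemplate.exe"),
    ("Dashboard", r"C:\ProgramData\MicrosoftOfficeDashboard.exe"),
    ("OfficeClickToRun", r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"),
]

if __name__ == "__main__":
    for finding in triage_autorun(SAMPLE_AUTORUN):
        print(*finding, sep=" | ")
```

The branding heuristic is deliberately broad and will surface legitimate software installed in unusual places, so treat its hits as leads for the analyst rather than as confirmed compromise.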

Threat Actors Observed Using Legitimate Platform Geo Targetly in Phishing Campaigns

Reported in the February 14th, 2023, FLASH Update

  • According to a new report by Avanan, threat actors were recently observed geo-targeting websites through the platform Geo Targetly. This tactic improves their phishing campaigns by delivering customized, geo-specific content (typically by language and region) to different users from a single phishing email. Geo Targetly is a legitimate platform that allows "advertisers to redirect users to pages and ads in their local markets" by determining the users' geolocation. These threat actors are utilizing a variant of the "spray-and-pray" technique, in which an actor sends out a large volume of phishing emails and only a few succeed. The unique aspect of this campaign is that a large number of users are targeted at once while the content is always relevant and localized, which is being referred to as "spraying without the praying." The customization increases the likelihood of a user falling victim to the attack. In this campaign, a user who opens a phishing link is redirected (via the legitimate platform) to a fraudulent login page that looks identical to the one it is impersonating and is tailored to the region the user is located in. Avanan researchers noted that this is the first instance in which they have identified Geo Targetly being used and that the campaign's method allows for a "fairly widespread attack." Geo Targetly has confirmed that it is aware threat actors are capitalizing on its platform but also argued that this method is not unusual. A Geo Targetly spokesperson claimed that the platform is a URL shortener similar to Bitly and smartURL, and that it is "common for hackers to hide the final destination URL behind a public URL-shortening domain." The spokesperson did confirm, however, that the platform "manually check[s] through URLs created in [their] system to identify such bad actors." CTIX will continue to monitor for different methodologies capitalizing on geo-targeting and provide details of new tactics as they become available.
