Activity Summary - Week Ending on 28 September 2023:
- Vimpelcom hit in Russia
- 53 ‘new’ botnet hits
- Transparent Tribe
- CapraRAT
- AndroRAT
- KNP Logistics - Akira
- Sisters Health System
- Russian Attacks
- Local US Municipalities
Red Sky Alliance Compromised (C2) IPs
95.25.208.16 was found once in the Red Sky collection. ISP: PJSC Vimpelcom; Usage Type: Unknown; Hostname(s): 95-25-208-16.broadband.corbina.ru; Domain Name: vimpelcom.com; Country: Russian Federation; City: Gor'kogo, Voronezhskaya oblast'
IP | Contacts
95.25.208.16 | 1
85.174.204.65 | 1
85.174.202.145 | 1
5.138.133.96 | 1
45.151.233.145 | 1
On 20 September 2023, Red Sky Alliance identified 561 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
Red Sky Alliance Malware Activity
Malware Variant | Times Seen
sality | 494
corkow | 59
wekby | 2
koobface | 2
wcry_ransom | 1
Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants.
For a full black list – contact analysts: info@redskyalliance.com
Red Sky Alliance Botnet Tracker
On 27 September 2023, analysts identified 35 new IP addresses participating in various botnets (call for the full .csv blacklist; below is only a small sample of the botnet tracker).
First Seen | Botnet Attribution | Infected Host’s IPv4 Address
2023-09-19T16:40:20 | HTTP proxy (port 3128) | 5.161.123.212
2023-09-21T16:40:19 | HTTP proxy (port 80) | 8.219.60.150
2023-09-22T16:40:18 | HTTP proxy (port 80) | 8.219.65.50
2023-09-24T18:20:30 | HTTP proxy (port 80) | 8.219.76.182
2023-09-21T01:20:23 | HTTP proxy (port 80) | 8.219.76.211
Keylogger IOCs available upon request.
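The C2 and botnet-tracker tables above only become useful once they are matched against your own telemetry. The script below is an added example (not Red Sky Alliance tooling): it loads the IPs printed in those two tables and runs them over firewall log lines, flagging contacts to a listed C2 address and contacts to a botnet-listed host on its exposed proxy port. The key=value log format, the internal 10.10.x.x hosts and the log lines themselves are constructed for illustration; only the IOC values come from the tables.

```python
"""Match the Red Sky Alliance C2 and botnet-tracker IPs against firewall logs.

Added example, not Red Sky Alliance tooling. The IOC values are the ones
printed in the tables above; the log format (key=value) and the log lines
are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Compromised (C2) IPs from the table above.
C2_IPS = {
    "95.25.208.16", "85.174.204.65", "85.174.202.145",
    "5.138.133.96", "45.151.233.145",
}

# Botnet tracker entries: infected host -> HTTP proxy port it exposes.
BOTNET_PROXIES = {
    "5.161.123.212": 3128,
    "8.219.60.150": 80,
    "8.219.65.50": 80,
    "8.219.76.182": 80,
    "8.219.76.211": 80,
}

# Assumed firewall line layout: "<ts> src=<ip> dst=<ip> dport=<port> ..."
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def classify(dst: str, dport: int) -> str | None:
    """Return why a destination is interesting, or None if it is not listed."""
    if dst in C2_IPS:
        return "contact with Red Sky C2 IP"
    if dst in BOTNET_PROXIES:
        if dport == BOTNET_PROXIES[dst]:
            return "traffic to open proxy port on botnet-listed host"
        return "traffic to botnet-listed host (non-proxy port)"
    return None


def scan(lines: list[str]) -> list[Hit]:
    """Run every parseable log line through classify(); other lines are skipped."""
    hits: list[Hit] = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        try:
            ipaddress.ip_address(m["dst"])  # reject malformed destinations
        except ValueError:
            continue
        reason = classify(m["dst"], int(m["dport"]))
        if reason:
            hits.append(Hit(m["ts"], m["src"], m["dst"], int(m["dport"]), reason))
    return hits


def summarize(hits: list[Hit]) -> dict[str, list[str]]:
    """Group hits by internal source host so each host is triaged once."""
    by_src: dict[str, list[str]] = {}
    for h in hits:
        by_src.setdefault(h.src, []).append(h.dst)
    return by_src


# Constructed sample log; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2023-09-25T08:01:12Z src=10.10.4.21 dst=203.0.113.10 dport=443 action=allow
2023-09-25T08:02:40Z src=10.10.4.21 dst=8.219.60.150 dport=80 action=allow
2023-09-25T08:03:05Z src=10.10.7.8 dst=95.25.208.16 dport=443 action=allow
2023-09-25T08:03:50Z src=10.10.4.21 dst=5.161.123.212 dport=3128 action=allow
2023-09-25T08:04:11Z src=10.10.9.3 dst=8.219.76.182 dport=22 action=deny
this line is not in the expected format and is skipped
""".splitlines()

if __name__ == "__main__":
    for src, dsts in summarize(scan(SAMPLE_LOG)).items():
        print(f"{src}: {', '.join(dsts)}")
```

A hit is a lead, not proof of compromise: an outbound connection to an open proxy on a botnet-listed host may be a misconfigured client, while a contact with a C2 or sinkhole address from an internal host warrants pulling that host for triage. Grouping by source is what turns a list of matches into a work queue.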
MALICIOUS CYBER TRENDS:
Transparent Tribe and CapraRAT – Transparent Tribe, a suspected Pakistani actor known for targeting military and diplomatic personnel in both India and Pakistan, has been identified by SentinelLabs as having more recently expanded into the Indian education sector. Since 2018, reports have detailed the group’s use of what is now called CapraRAT, an Android framework that hides RAT features inside another application. The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.[1]
Transparent Tribe distributes Android apps outside of the Google Play Store, relying on self-run websites and social engineering to entice users to install a weaponized application. Earlier in 2023, the group distributed CapraRAT Android apps disguised as a dating service that conducted spyware activity.
One of the newly identified APKs reaches out to a YouTube channel belonging to Piya Sharma, which has several short clips of a woman in various locales. This APK also borrows the individual’s name and likeness. This theme suggests that the actor continues to use romance-based social engineering techniques to convince targets to install the applications, and that Piya Sharma is a related persona. CapraRAT is a comprehensive RAT that provides the actors with the ability to harvest data on demand and exfiltrate it. Notable features include:
- Recording with the microphone, front & rear cameras
- Collecting SMS and multimedia message contents, call logs
- Sending SMS messages, blocking incoming SMS
- Initiating phone calls
- Taking screen captures
- Overriding system settings such as GPS & Network
- Modifying files on the phone’s filesystem
App Analysis
CapraRAT is distributed as an Android APK. When the tool was initially named by Trend Micro, their research team noted that CapraRAT may be loosely based on the AndroRAT source code.
SentinelLabs performed static analysis on two YouTube-themed CapraRAT APKs:
- 8beab9e454b5283e892aeca6bca9afb608fa8718 – yt.apk, uploaded to VirusTotal in July 2023
- 83412f9d757937f2719ebd7e5f509956ab43c3ce – YouTube_052647.apk, uploaded to VirusTotal in August 2023
SentinelLabs also identified a third APK named after Piya Sharma, the YouTube channel persona described earlier:
- 14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma.apk, uploaded to VirusTotal in April 2023
The yt.apk and YouTube_052647.apk apps are disguised as YouTube, borrowing the YouTube icon.
- Applications icons on an Android device, including YouTube_052647.apk
- Application icons, including the Piya Sharma app
- apk displays the YouTube website when launched
The app requests several permissions. YouTube is an interesting choice for masquerading the app: some permissions, like microphone access, make sense for recording or search features. Other permissions–like the ability to send and view SMS–are less relevant to the expected app behaviors.
- Permissions prompts during install of the weaponized YouTube app
- Installation permissions requested by the Piya Sharma APK
When the app is launched, MainActivity’s load_web method launches a WebView object to load YouTube’s website. Because this loads within the trojanized CapraRAT app’s window, the user experience is different from the native YouTube app for Android and akin to viewing the YouTube page in a mobile web browser.
- Smali snippet of the load_web method in MainActivity
Key Components
Because CapraRAT is a framework inserted into a variety of Android applications, the files housing malicious activity are often named and arranged differently depending on the app. The CapraRAT APKs SentinelLabs analyzed contain the following files:
Name | Configuration | Version | Main | Malicious Activity
yt.apk | com/media/gallery/service/settings | MSK-2023 | com/media/gallery/service/MainActivity | com/media/gallery/service/TPSClient
YouTube_052647.apk | com/Base/media/service/setting | A.F.U.3 | com/Base/media/service/MainActivity | com/Base/media/service/TCHPClient
Piya Sharma.apk | com/videos/watchs/share/setting | V.U.H.3 | com/videos/watchs/share/MainActivity | com/videos/watchs/share/TCPClient
CapraRAT’s configuration file, named either setting or settings depending on the sample, holds the default configuration as well as metadata such as the version. The version syntax seen in YouTube_052647.apk and Piya Sharma.apk (A.F.U.3 and V.U.H.3, respectively) matches the convention used to track Transparent Tribe’s Windows tool, CrimsonRAT. However, there is no tangible relationship between these version strings and the C2 domains, as there was in CrimsonRAT.
Thanks to creative spelling and naming conventions, the RAT’s configuration provides consistent static detection opportunities, with each of the following present in the samples from earlier in 2023 as well:
- is_phical
- isCancl
- isRealNotif
- SERVERIP
- smsMoniter
- smsWhere
- verion
MainActivity is responsible for driving the application’s key features. This activity sets persistence through the onCreate method which uses Autostarter, an open-source project with code that lets developers automatically launch an Android application. The TPSClient class is initialized as an object called mTCPService; then, this method calls the serviceRefresh method, which creates an alarm at the interval specified in the settings file’s timeForAlarm variable. In this example, the value 0xea60 is equal to 60,000 milliseconds, meaning the alarm and persistence launcher run once per minute.
The RAT’s core functionality is in an activity similar to the Extra_Class activity from the March 2023 samples reported by ESET. Henceforth, we call this activity TPSClient for simplicity. These files are rather large, decompiling to over 10,000 lines of Smali code. By comparison, the March versions’ equivalents have only about 8,000 lines.
TPSClient contains CapraRAT’s commands, which are invoked through the run method via a series of switch statements that map the string command to a related method.
- The smsmons command logic inside the run method of TPSClient
Many of these commands have been documented in previous research, though there are several changes in these new versions. The hideApp method now checks if the system is running Android version 9 or earlier and if the mehiden variable in the setting(s) config file was set to False; if applicable, the app will be hidden from the user’s view. While similarities between CapraRAT and AndroRAT are seemingly minimal at this point in CapraRAT’s development, the AndroRAT source code documentation notes that the tool becomes unstable after Android version 9, so there are likely underlying changes to the OS that make this method behave differently depending on the OS version.
TPSClient has a method check_permissions() that is not in Extra_Class. This method checks the following series of Android permissions and generates a string with a True or False result for each:
- READ_EXTERNAL_STORAGE
- READ_CALL_LOG
- CAMERA
- READ_CONTACTS
- ACCESS_FINE_LOCATION
- RECORD_AUDIO
- READ_PHONE_STATE
Interestingly, some other older versions contain this method, suggesting that the samples may be tailored for targets or are potentially developed from different branches.
C2 & Infrastructure: In CapraRAT’s configuration file, the SERVERIP variable contains the command-and-control (C2) server address, which can be a domain, IP address, or both. The C2 port is in hexadecimal Big Endian format; the human readable port can be obtained by converting into decimal, resulting in port 14862 for yt.apk, port 18892 for YouTube_052647.apk, and port 10284 for Piya Sharma.apk.
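The misspelled configuration keys listed above, the timeForAlarm value and the big-endian C2 port are all recoverable by static inspection of the decompiled code. The script below is an added example (not SentinelLabs’ code) that triages an apktool-decoded APK: it flags the configuration markers the report names, recovers the static fields set in the settings class (SERVERIP, port, timeForAlarm) from the smali static initializer, and lists manifest permissions that are out of place in a video app. It assumes `apktool d` has already produced a plain-XML manifest and smali files. The field name `port`, the constructed settings class and manifest, and the host `c2.example` are assumptions for illustration; only the marker names, the `timeForAlarm` field and the port values (0x3a0e, 0x49cc, 0x282c) come from the report.

```python
"""Static triage of an apktool-decoded CapraRAT-style APK.

Added example, not SentinelLabs' code. Assumes `apktool d sample.apk` has
already been run, so AndroidManifest.xml is plain XML and the settings class
is available as smali text. The field name `port`, the sample manifest, the
sample settings class and the host c2.example are constructed for illustration.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Misspelled/odd configuration keys the report lists as static detection opportunities.
CAPRARAT_CONFIG_MARKERS = ("is_phical", "isCancl", "isRealNotif", "SERVERIP",
                           "smsMoniter", "smsWhere", "verion")

# Permissions a video-player lookalike has no business requesting.
OUT_OF_PLACE_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# smali <clinit> patterns: a constant loaded into a register, optionally a
# `.line` directive, then a store into a static field of the settings class.
_INT_FIELD = re.compile(
    r"const(?:/4|/16|/high16)?\s+v(\d+),\s*(-?0x[0-9a-fA-F]+|-?\d+)\s*"
    r"(?:\.line\s+\d+\s*)?sput\s+v\1,\s*L[^;]+;->(\w+):I")
_STR_FIELD = re.compile(
    r'const-string\s+v(\d+),\s*"([^"]*)"\s*'
    r"(?:\.line\s+\d+\s*)?sput-object\s+v\1,\s*L[^;]+;->(\w+):Ljava/lang/String;")


def parse_settings_smali(smali: str) -> dict[str, int | str]:
    """Recover the static int/string fields assigned in the settings class."""
    cfg: dict[str, int | str] = {}
    for _, value, name in _INT_FIELD.findall(smali):
        cfg[name] = int(value, 0)  # base 0 decodes the big-endian hex literal (0x3a0e -> 14862)
    for _, value, name in _STR_FIELD.findall(smali):
        cfg[name] = value
    return cfg


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Collect android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, smali_files: dict[str, str]) -> dict:
    """Score an apktool output tree: config markers, decoded C2 settings, odd permissions."""
    blob = "\n".join(smali_files.values())
    markers = [m for m in CAPRARAT_CONFIG_MARKERS if m in blob]
    cfg: dict[str, int | str] = {}
    for path, text in smali_files.items():
        if path.rsplit("/", 1)[-1] in ("setting.smali", "settings.smali"):
            cfg.update(parse_settings_smali(text))
    perms = manifest_permissions(manifest_xml)
    return {
        "config_markers": markers,
        "config": cfg,
        "c2": (cfg.get("SERVERIP"), cfg.get("port")),
        "alarm_ms": cfg.get("timeForAlarm"),
        "out_of_place_permissions": sorted(perms & OUT_OF_PLACE_PERMISSIONS),
        "verdict": "CapraRAT-like" if len(markers) >= 3 else "no CapraRAT markers",
    }


# Constructed sample manifest (already decoded to plain XML by apktool).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.media.gallery.service">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>
"""

# Constructed sample settings class; host and field name `port` are assumptions.
SAMPLE_SETTINGS_SMALI = """.class public Lcom/media/gallery/service/settings;
.super Ljava/lang/Object;
.field public static SERVERIP:Ljava/lang/String;
.field public static port:I
.field public static timeForAlarm:I
.field public static smsMoniter:Z
.field public static isCancl:Z
.field public static verion:Ljava/lang/String;
.method static constructor <clinit>()V
    .registers 1
    const-string v0, "c2.example"
    sput-object v0, Lcom/media/gallery/service/settings;->SERVERIP:Ljava/lang/String;
    const/16 v0, 0x3a0e
    sput v0, Lcom/media/gallery/service/settings;->port:I
    const v0, 0xea60
    sput v0, Lcom/media/gallery/service/settings;->timeForAlarm:I
    const-string v0, "MSK-2023"
    sput-object v0, Lcom/media/gallery/service/settings;->verion:Ljava/lang/String;
    return-void
.end method
"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST,
                 {"smali/com/media/gallery/service/settings.smali": SAMPLE_SETTINGS_SMALI}))
```

The marker check is deliberately a plain substring match over all smali, since the strings survive renaming of the surrounding classes; the field recovery is what gives an analyst the C2 host, port and beacon interval without running the sample.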
- C2 configuration from yt.apk (left) and YouTube_052647.apk (right)
The shareboxs[.]net domain used by YouTube_052647.apk has been associated with Transparent Tribe since at least 2019. Interestingly, the ptzbubble[.]shop domain was registered the same week as ESET’s report outlining the group’s Android apps that leveraged other C2 domains.
The IP addresses associated with C2 from the two YouTube samples have Remote Desktop Protocol port 3389 open with the service identified as Windows Remote Desktop, indicating the group uses Windows Server infrastructure to host the CapraRAT C2 application. The Piya Sharma app’s C2 IP, 209[.]127.19.241, has a certificate with common name value WIN-P9NRMH5G6M8, a longstanding indicator associated with Transparent Tribe’s CrimsonRAT C2 servers.
84[.]46.251.145–the IP address hosting ptzbubble[.]shop domain–shows historical resolutions associated with Decoy Dog Pupy RAT DNS tunneling lookups. Any connection between these campaigns is unclear; it is plausible that a service hosted on this IP was infected by that campaign. Based on the query dates, the claudfront[.]net lookup was during the time the CapraRAT actor was using this IP address to host ptzbubble[.]shop, while a lookup to allowlisted[.]net was in December 2022, which was potentially before this actor started using the IP.
- Resolution history for IP hosting ptzbubble[.]shop, 84[.]46.251.145
Conclusion: Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools. The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media. Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat.
Defensive and preventative measures should include:
- Do not install Android applications outside of the Google Play store.
- Be wary of new social media applications advertised within social media communities.
- Evaluate the permissions requested by an application, especially one you are not familiar with. Do these permissions expose you to more risk than the potential benefit of the app?
- Do not install a third-party version of an application already on your device.
Indicators of Compromise (IOC):
File hashes – SHA1
- 14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma APK
- 83412f9d757937f2719ebd7e5f509956ab43c3ce – CapraRAT, YouTube_052647.apk
- 8beab9e454b5283e892aeca6bca9afb608fa8718 – CapraRAT, yt.apk
C2 Network Communications
- net
- shop
- net
- 95[.]111.247.73
- 209[.]127.19.241
GLOBAL TRENDS:
Trucks and Akira in UK – Supply Chain hit in the UK. KNP Logistics, described by its administrators as one of the United Kingdom’s largest privately owned logistics groups, declared itself insolvent on 25 September, blaming a ransomware attack back in June of 2023. Approximately 730 employees will be laid off because of the administration process, although one of the group’s key entities has been sold, saving about 170 jobs.
The incident is a unique public example of the existential threat that experts warn ransomware can pose to supply chain businesses. But KNP Logistics Group was already struggling before the ransomware attack, according to the joint administrator who is handling the insolvency process on behalf of business advisory firm FRP Advisory.[2] “Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue. We will support all affected staff through this difficult time,” he said. According to the administrators, the “major ransomware attack … affected key systems, processes and financial information. This adversely impacted on the financial position of the Group and ultimately, its ability to secure additional investment and funding.”
KNP Logistics Group, which traded under a number of names including Knights of Old, was added to the Akira ransomware gang’s list of victims in June 2023. In July, the cybersecurity firm Avast publicly released a decryptor for the Akira ransomware, offering hope for the dozens of victims attacked since the gang emerged in the spring. Previously the decryptor had been circulating privately among incident responders. It is not known whether KNP Logistics would have been able to use the decryptor had the business group accessed it. A spokesperson for the company’s administrators did not respond to Recorded Future News asking if KNP had contacted law enforcement or an external incident response company following the ransomware attack.
Earlier this year, the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) published a joint blog post saying they were “increasingly concerned” that ransomware victims were keeping incidents hidden from both law enforcement and from regulators. Reported ransomware attacks on organizations in the United Kingdom reached record levels last year, when criminals compromised data on potentially more than 5.3 million people from over 700 organizations, according to a surprisingly neglected dataset published by the ICO.
The data reveals there had been hundreds of cyber incidents affecting the transport and leisure sector in the U.K. since April 2019. Data on 2023 is not yet available, but the UK’s security minister said this month that the UK was “a top target for cybercriminals. Their attempts to shut down hospitals, schools and businesses have played havoc with people’s lives and cost the taxpayer millions. Sadly, we’ve seen an increase in attacks.”
An NCSC spokesperson said, “Ransomware is one of the most significant cyber threats facing the UK and attacks can have far reaching impact. The NCSC has published free and actionable advice for organizations of all sizes on how to put robust defenses in place to protect their networks.”
US - Hospital Sisters Health System in Illinois said on 18 September it had restored hospital and clinic websites in addition to other functions. The announcement was made on a website dedicated to outage updates. HSHS was the victim of "a cybersecurity incident," according to its president.[3]
HSHS acknowledged the outage in a social media post on 27 August. Last week’s post also indicated it had restored phone systems, MyChart and guest Wi-Fi. MyChart applications help patients schedule, manage, and check in for appointments; message care teams; pay bills; get test results and after-visit instructions and request prescription refills. "Our team remains focused on restoring the rest of our systems, which will take time and may contribute to delays," according to the hospital's update. "While our websites are now functional, we will continue to post updates on our temporary site, hshsupdates.org, as information becomes available."
The Illinois Division director of marketing/communications for HSHS did not respond to an email seeking clarification regarding what systems are still out. HSHS representatives said "federal law enforcement" was investigating the attack. The public affairs officer for FBI Springfield, IL, would not confirm or deny an investigation. HSHS has not said who was responsible for the attack or whether patient records have been compromised.
The Catholic nonprofit health system operates 15 hospitals around Illinois and Wisconsin, including HSHS St. John's Hospital in Springfield and HSHS St. Francis Hospital in Litchfield, along with several other clinics. The attack also hit Prevea Health, which partners with six HSHS hospitals in Wisconsin.
Russia - Russian cyber-attacks against Ukraine skyrocketed in the first half of 2023, with 762 incidents observed by Ukraine’s State Service of Special Communications and Information Protection (SSSCIP).
This represents a 123% surge compared with the second half of 2022. However, the SSSCIP also found that these attacks were significantly less successful than in the past, with critical incidents dropping by 81% and the number of what the agency tracks as “incidents with impact” falling by 48% in H1 2023 compared with H2 2022.
How Russian Cyber Tactics Are Changing - These changes can be attributed to a shift in tactics used by the attackers from sophisticated tactics and tools like wiper malware to employing a simpler ‘spray and pray’ approach with a growing use of ‘living off the land’ techniques. For instance, malware distribution has decreased by 52.41%, largely replaced by less sophisticated phishing attacks and leveraging open source email systems with known vulnerabilities.[4]
How Russia’s Cyber Strategy Had to Adapt to Ukraine’s Defenses - Ukraine's defense of its infrastructure has markedly improved compared to six months ago, the SSSCIP added in the report.
A good example is the effort CERT-UA and its partners put into improving their incident detection and response and threat intelligence capabilities. This forced Russian threat actors to act faster once they had infiltrated a network. “It prompted them to place even greater emphasis on a particular tactic: dumping documents, sometimes as many as 21,000 office documents in certain cases, along with browser credentials. They execute this tactic within the first 30 minutes of successfully infiltrating a compromised system,” reads the report.
Law Enforcement and Media Top Targets of Russian Cyber Aggression - During the observed period, Russia-backed threat actors have also shifted their targeting away from the energy sector – attacks against Ukrainian energy organizations have dropped by 61% – to focus heavily on law enforcement agencies and the media industry.
“During this period, we encountered espionage operations conducted by military [advanced persistent threat groups] (APTs) aimed at gaining access to and extracting data from various law enforcement units in Ukraine. Their primary objectives were to identify what evidence of Russian war crimes our law enforcement teams have and to exercise control over potential ground-deployed spies,” wrote the SSSCIP. Some of these espionage campaigns also targeted Ukraine’s private sector to gain information about the outcomes of Russia’s kinetic operations, including missile and drone attacks, on potential targets of the Russian army. Finally, the SSSCIP noticed that during the observed period state-sponsored hackers tended to revisit previous victims who handle and maintain the critical data needed by the Russian military. “This approach grants attackers the ability to strategize future actions and anticipate our responses,” the SSSCIP wrote.
US - Cyber-attacks on municipalities have been increasing at an alarming rate, and this is cause for concern. Municipalities are an appealing target because they store valuable information and records on many citizens. As local and national governments move their record keeping from paper to digital systems, attackers become more interested in breaking in to extract that data. Municipalities are also easier targets than private companies because attackers know their systems are often outdated.
Our reliance on technology is growing, and more information is being stored on digital platforms. Technology has many benefits and does help speed up everyday processes, however, when the proper security measures are not in place they can be hacked.[5]
The breach of a municipality’s data can be devastating. When digitally stored data and the IT (Information Technology) infrastructure are compromised, it can cause significant disturbances and disruptions to normal city functions. For example, a breach in a municipality can impact the city’s utilities, emergency services, and local law enforcement, and the community will be affected in a negative way. Attacks on cities threaten the integrity of confidential data. People’s information and records are stored digitally, the release of this data includes individuals’ personally identifiable information (PII). Data including important documents, records, and information about a person can be leaked to the public or lost.
Local governments are known to run old and dated technology that is not updated and relies on outdated software versions that could be vulnerable to attack. Unpatched technology increases exposure to risk because patches and other security fixes are included in the latest updates.
Even when a ransom is paid after a compromise, there is no guarantee of getting all the data back; it can be permanently deleted. Attackers can find exploits online that run specific code or commands to compromise a system. When a zero-day attack occurs, it is especially important that affected systems are isolated from the network so that they are not further affected and do not contaminate other devices.
One of the most recent attacks was a breach at a healthcare administrator which targeted employees and staff of the House of Representatives in March of 2023. Information of over a hundred lawmakers was released. When there are breaches like this substantial amounts of personal information could potentially be released and could get into the hands of the wrong people.
One effective way of understanding how cyber-attacks work can be found in the speech delivered last year at the Fairfax County Public School Boards Annual Conference by Adib Sarkar, founder, and CEO of CYB3R8. He stated that “Everything’s interconnected these days, from our smartphones to the cloud systems we use. And guess what? Each connection is a potential weak spot for hackers to exploit. It is like playing a game of “Find the Vulnerability,” and all it takes is one tiny crack to bring the whole system crashing down.”-Adib Sarkar
Devices need to be secured because any small vulnerability can compromise the entire system. There are many ways attackers can try to get into systems. They can exploit vulnerabilities in code, brute-force their way in (trying thousands of password combinations until one works), or, more easily, trick employees through social engineering, which means manipulating people into giving out information or access. For example, some attackers send emails impersonating someone else just to gather information about a system they can later break into.
To solve this problem, local governments must make sure their staff are trained to know how to spot and avoid being tricked by something that is malicious. They should have routine password changes and the stored data should be encrypted so it is not easily accessible.
One major reason cities are such a frequent target for breaches is that their systems are outdated because they are underfunded or lack security measures implemented at the scale needed. Investing more in IT security can help reduce the chance of becoming a target. Recovering from a disastrous incident such as large-scale data loss can be crippling for a city and damage its reputation.
The reason hackers want this information is to sell people’s data on the web and to get insight into companies. A large driving factor for attacks is money, and the more information a hacker can extract, the more they make. If the data the hackers are taking is more current, it is more valuable. Information is usually sold in bulk, and quickly before it can be caught. “These hackers might want to cause chaos, disrupt services, or steal sensitive information to use as leverage.”- Adib Sarkar
To have a secure system, it is important that the technology is updated to comply with new laws and regulations. Data on systems should be audited regularly to check for any anomalies. Old tech should be replaced, and modern technology should be updated regularly because technology constantly evolves and changes. Investing in new security systems and training will be a better way to manage their funding, rather than dealing with a breach which can be devastating.
[1] https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/
[2] https://therecord.media/knp-logistics-ransomware-insolvency-uk/
[3] https://news.yahoo.com/hshs-hospital-clinic-websites-other-233312688.html
[4] https://www.infosecurity-magazine.com/news/cyberattacks-ukraine-surge-success/
[5] https://www.cyberdefensemagazine.com/cyber-attacks-on-municipalities/