At a glance.

  • Chinese threat actor uses ransomware as a distraction.
  • Scalpers sell appointments for Israeli government services.
  • Lyceum uses drone-themed phishbait.
  • The Bumblebee loader’s growing importance in C2C markets.

Chinese threat actor uses ransomware as a distraction.

Researchers at Secureworks are tracking a Chinese state-sponsored actor called “BRONZE STARLIGHT” that uses ransomware as a cover while it conducts intellectual property theft. The threat actor deploys various strains of ransomware, including LockFile, AtomSilo, Rook, Night Sky, and Pandora. Secureworks notes that “ransomware could distract incident responders from identifying the threat actors’ true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.”

The researchers state, “As of mid-April, a total of 21 victims had been listed across the AtomSilo, Rook, Night Sky, and Pandora leak sites. CTU researchers estimate that approximately 75% would be of interest to Chinese government-sponsored groups focused on espionage based on the victims’ geographic locations and industry verticals. The victims include pharmaceutical companies in Brazil and the U.S., a U.S.-based media organization with offices in China and Hong Kong, electronic component designers and manufacturers in Lithuania and Japan, a law firm in the U.S., and an aerospace and defense division of an Indian conglomerate. The five victims that were not likely targeted for espionage include two real estate companies in the Americas, two small financial institutions in the U.S., and a small interior design company in Europe.”

Scalpers sell appointments for Israeli government services.

Akamai says a scalper group has created a bot to harvest passport renewal appointments for Israeli citizens. The Israeli government is currently dealing with a backlog of more than 700,000 citizens seeking passport renewals following the pandemic, and a group of developers recently released a legitimate appointment scheduling bot called “GamkenBot” to streamline this process. Soon afterwards, scalpers released their own bot that sold appointments for various Israeli government services:

“On May 10, shortly after the launch of GamkenBot, MyVisit Appointments Group was launched on a Telegram channel. Apparently, the Ministry of Interior isn’t the only government office to rely on MyVisit’s appointment system. And so, the Telegram group offers appointments not only for passport renewal, but also appointments for the Population Authority, Israel’s Electricity Corporation, the National Insurance, Israel Post, the Ministry of Transportation, and more. The admins claim to be a group of developers whose bot scans and instantly books open appointments, which are later available for purchase. Discounts are even provided for buyers of 2 or more appointments.”

While this bot is apparently being used for financial gain, Akamai adds that the same tactic could also pose a national security risk:

“Distressingly, the implications don’t end with directly bamboozling citizens for basic governmental programs. This could open the door for any hostile or chaotic entity to shut down not only the Ministry of Interior’s passport line, but also the registration of truck and bus drivers at the Ministry of Transportation, any visits to the National Insurance or Electricity Company, and more. What if this list expanded to include doctors’ appointments or hospital procedures?”

Lyceum uses drone-themed phishbait.

ClearSky has discovered new malware being used by the Iranian threat actor SiameseKitten (also known as Lyceum or Hexane):

“The file is downloaded from a domain registered on June 6th, and it communicates with a previously unknown command and control server whose IP address is adjacent to that of the domain. This indicates an attacker-controlled at least two IPs on the same range. The downloaded file is a reverse shell that impersonates an Adobe update. The group has previously used this method. The reverse shell is dropped by a parent file signed with a fake Microsoft certificate, along with a lure PDF document and an executable designed to establish persistence. There seems to be a shared use of fake Microsoft certificates by a variety of Iranian groups, as Phosphorus was previously observed using the same method. Additionally, the lure PDF document relates to drone attacks conducted in Iran, resembling a similar document previously employed by SiameseKitten.”

Bumblebee rises in the C2C marketplace.

The Symantec Threat Hunter Team, part of Broadcom Software, this morning released a report on the Bumblebee loader. The researchers characterize it as “a recently developed malware loader” and say that it “has quickly become a key component in a wide range of cyber-crime attacks and appears to have replaced a number of older loaders, which suggests that it is the work of established actors and that the transition to Bumblebee was pre-planned.” The rapidity with which Bumblebee has achieved a central position in criminal-to-criminal markets indicates not only the C2C market’s relative efficiency, but the extent to which it’s come to resemble the functioning of legitimate markets. “Bumblebee’s links to a number of high-profile ransomware operations suggest that it is now at the epicenter of the cyber-crime ecosystem,” the Symantec Threat Hunter Team concludes. “Any organization that discovers a Bumblebee infection on its network should treat this incident with high priority since it could be the pathway to several dangerous ransomware threats.” Their study includes a long set of indicators of compromise.