At a glance.

  • Sophisticated campaign compromises SOHO routers.
  • Evilnum targets migration organization.
  • Black Basta ransomware gang updates its arsenal.

Sophisticated campaign compromises SOHO routers.

Lumen’s Black Lotus Labs is tracking a sophisticated campaign that’s hijacking SOHO routers belonging to organizations in North America and Europe:

“We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold. While we currently have a narrow view of the full extent of the actor’s capabilities due to the limited state of SOHO device monitoring in general, using proprietary telemetry from the Lumen global IP backbone, we have enumerated some of the command-and-control (C2) infrastructure associated with this activity and identified some of the targets. We assess with high confidence the elements we are tracking are part of a broader campaign.”

The researchers don’t attribute the campaign to any particular threat actor, but they suspect a nation-state is behind the activity due to its sophistication:

“While compromising SOHO routers as an access vector to gain access to an adjacent LAN is not a novel technique, it has seldom been reported. Similarly, reports of person-in-the-middle style attacks, such as DNS and HTTP hijacking, are even rarer and a mark of a complex and targeted operation. The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization.”

Evilnum targets migration organization.

Zscaler warns that the Evilnum APT is using malware-laden spearphishing documents to target an “intergovernmental organization which deals with international migration services.” Zscaler notes that Evilnum has in the past primarily conducted cyberespionage against financial services firms, so this campaign represents a notable shift in its targeting. Zscaler doesn’t name the targeted entity, but they say “the attack and the nature of the chosen target coincided with Russia-Ukraine conflict.”

Black Basta ransomware gang updates its arsenal.

Trend Micro says the Black Basta ransomware gang is now using the QakBot banking Trojan to gain initial access, then exploiting the PrintNightmare vulnerability (CVE-2021-34527) to carry out privileged file operations:

“In the case of a Trend Micro customer, its system was infected with Black Basta ransomware that was deployed by QakBot (Figure 1). This behavior is typical of the QakBot malware family, which has served as a key enabler of ransomware families like MegaCortex, PwndLocker, Egregor, ProLock, and REvil (aka Sodinokibi). QakBot, which was discovered in 2007, is known for its infiltration capabilities and has been used as a ‘malware-installation-as-a-service’ for various campaigns. Over the years, this banking trojan has become increasingly sophisticated, as evidenced by its exploitation of a newly disclosed Microsoft zero-day vulnerability known as Follina (CVE-2022-30190).”

The researchers add, “Upon further analysis of the system that was affected by Black Basta, we found evidence that points to the ransomware group’s exploitation of the PrintNightmare vulnerability. Exploiting this vulnerability, Black Basta abused the Windows Print Spooler Service or spoolsv.exe to drop its payload, spider.dll, and perform privileged file operations. It also exploited the vulnerability to execute another file in the affected system, but samples of this file were no longer available in the system.”