At a glance.

  • New red-teaming tool used by threat actors.
  • Trickbot focuses on Ukraine.
  • China increases targeting of Russian organizations.
  • Bitter APT targets Bangladesh.

New red-teaming tool used by threat actors.

Palo Alto Networks’s Unit 42 warns that a threat actor is abusing a new red-teaming tool, Brute Ratel C4 (BRc4), to target various organizations in North and South America. The researchers noted links to previous campaigns by Russia’s APT29, but they refrain from making a definitive attribution:

“This unique sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. Specifically, this sample was packaged as a self-contained ISO. Included in the ISO was a Windows shortcut (LNK) file, a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking. However, while packaging techniques alone are not enough to definitively attribute this sample to APT29, these techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRc4.”

Trickbot focuses on Ukraine.

Researchers at IBM Security have found that the Russia-based criminal gang Trickbot “has been systematically attacking Ukraine since the Russian invasion”:

“Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider, DEV-0193, and the Conti group, has conducted at least six campaigns — two of which have been discovered by X-Force — against Ukraine, during which they deployed IcedID, CobaltStrike, AnchorMail, and Meterpreter. Prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group’s malware was even configured to not execute on systems if the Ukrainian language was detected.

“ITG23’s campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection.”

The researchers add, “The systematic attacks observed against Ukraine include reported and suspected phishing attacks against Ukrainian state authorities, Ukrainian individuals and organizations, and the general population. Successful attacks that resulted in data theft or ransomware would provide ITG23 with additional extortion opportunities, and particularly damaging attacks could harm Ukraine’s economy.”

China increases targeting of Russian organizations.

SentinelOne notes that Chinese state-sponsored threat actors have increased their targeting of Russian organizations over the past few weeks:

“China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as ScarabMustang Panda, ‘Space Pirates’, and now the findings here. ​​Our analysis indicates this is a separate Chinese campaign, but specific actor attribution is unclear at this time. While the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations.”

Bitter APT targets Bangladesh.

Researchers at SECUINFRA say the South Asia-based APT “Bitter” is conducting cyberespionage operations against military organizations in Bangladesh. The threat actor used spearphishing emails with themes related to the Bangladeshi Navy to deliver various remote access Trojans.