The novel ChamelGang advanced persistent threat group has launched attacks against Russian energy and aviation companies, as well as entities in nine other countries, including the U.S., Japan, India, Nepal and Taiwan, reports SecurityWeek.
Positive Technologies reported that after initial attacks against the Russian entities, ChamelGang was found to attack organizations in nine other countries, five of which had their government servers compromised. ChamelGang has been leveraging ProxyShell flaws in its attack chain and could soon target vulnerable servers in the U.K.
Researchers found that aside from using the Cobalt Strike Beacon, Tiny Shell and FRP, ChamelGang has also leveraged unfamiliar malware strains, such as BeaconLoader, ProxyT and the DoorMe backdoor, which has been regarded as one of the group's most interesting tools.
"[DoorMe] is a native IIS module that is registered as a filter through which HTTP requests and responses are processed. Its principle of operation is unusual: the backdoor processes only those requests in which the correct cookie parameter is set. At the time of the incident investigation, DoorMe was not detected by antivirus tools, and although the technique of installing this backdoor is known, we haven't seen its use in recent times," said Denis Goydenko, head of information security threat response at Positive Technologies.
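Because DoorMe is registered as a native IIS module, its registration must appear in the server's applicationHost.config under <globalModules>. The following is an added example of mine, not code from Positive Technologies or the report: it parses a constructed excerpt of that file and flags native modules whose DLL sits outside the stock inetsrv directory or whose name is missing from an assumed baseline; the sample entries and the baseline set are assumptions, not indicators from the page.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed excerpt of an IIS applicationHost.config. "CustomFilter" and the
# relocated DefaultDocumentModule are made-up illustrations of out-of-place
# native module registrations, not indicators from the ChamelGang report.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CustomFilter" image="C:\inetpub\temp\filter.dll" />
      <add name="DefaultDocumentModule" image="C:\inetpub\wwwroot\bin\defdoc.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

# Assumed baseline of stock module names; in practice build this from a
# known-good server running the same IIS version.
KNOWN_MODULES = {"UriCacheModule", "StaticFileModule", "DefaultDocumentModule"}
STOCK_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")


def expand(path: str) -> PureWindowsPath:
    """Expand the %windir% / %SystemRoot% placeholders IIS uses (assumes C:\\Windows)."""
    for var in ("%windir%", "%SystemRoot%"):
        path = path.replace(var, r"C:\Windows")
    return PureWindowsPath(path)


def suspicious_native_modules(config_xml: str):
    """Return (name, image, reasons) for every native module that deviates from the baseline."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for mod in section.findall("add"):
            name = mod.get("name", "")
            image = expand(mod.get("image", ""))
            reasons = []
            if name not in KNOWN_MODULES:
                reasons.append("name not in baseline")
            # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
            if image.parent != STOCK_DIR:
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append((name, str(image), reasons))
    return findings
```

A module that passes this check can still be malicious (a trojanized DLL under inetsrv keeps a clean path), so pair the path review with Authenticode signature checks on each image file.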