A joint investigation by Palo Alto Networks and ClearSky Cyber Security has shed light on a recently discovered malware campaign that tries to infect U.S. and Middle Eastern targets with four distinct families of Windows and Android-based downloaders and information stealers.
Piggybacking off of previous research by the Helios Team at China's 360 Security, Palo Alto's Unit 42 threat intelligence team published a blog post on Wednesday identifying the quartet of malware programs as KasperAgent, Micropsia, SecureUpdate and Vamp. Each of these programs are affiliated with the same email address, which was used to register domains that either host the aforementioned malware samples or act as a command-and-control centers for them.
Palo Alto began examining the threat in March 2016, but the attacks appear to date back to at least July 2015. As of the blog post's writing, researchers have so far uncovered 263 samples containing one of the four malware programs, which have primarily attacked unspecified targets in the U.S. Israel, Palestine and Egypt, as well as media organizations in a number of other countries. In some cases, the attackers attempt to increase their odds of success by phishing victims for credentials -- typically by spoofing legit services such as Google Drive -- while simultaneously trying to infect them with the malware.
"A lot of our research is focused on attacks on enterprises... [but] we didn't see a lot of that," said Ryan Olson, director of Unit 42 at Palo Alto Networks. "I would guess in this case, it would more be individuals" being targeted, he continued, speaking with SC Media.
According to Palo Alto, none of the malware programs is especially sophisticated from a technical, anti-analysis perspective, but the campaign using the malware is tenacious and persistent. "Certainly this group has launched quite a few attacks," said Unit 42 director Ryan Olson in an interview with SC Media, noting that the attackers "have quite a bit of infrastructure as well."
The four malware programs spread via spear phishing emails and fake news sites, both of which often contain links to malicious, shortened URLs. One of the fake news sites, written in Arabic, claims to leak the names of Palestine's most successful public secondary schools, before the official results can be officially posted.
KasperAgent, the most commonly detected of the four malwares (113 samples found), is a combination downloader and spying tool written in Microsoft Visual C++, and named for a term found within its PDB strings. Disguised as a phony product called Adobe Cinema Video Player, the Windows-based malware typically serves as a basic reconnaissance tool and downloader, but some enhanced versions can also steal browser passwords, take screenshots, record keystrokes, and exfiltrate basic computer information and arbitrary files, among other capabilities. KasperAgent also drops and displays a decoy document that contains Arabic names and ID numbers, the blog post noted.
The information stealer Micropsia is so named because it arrives in a densely compressed form that makes it appear smaller than it truly is. After a complex unpacking process, the Window-based malware activates a final payload with four executables used for encrypting traffic and exfiltrating data, as well as creating persistence. Micropsia's functionality includes recording and reporting keystrokes via a hard-coded text file, taking screen shots, and searching for files that possess Microsoft Office extensions and archiving them prior to exfiltration.
The Android-based SecureUpdate malware is a pure downloader that delivers additional unwanted programs, masking its malicious cargo under the guise of supposed secure updates. Some versions of this malware also attempt to steal credentials by asking victims to create an account, in hopes that they will input the very same credentials that they have used before for other online and mobile services.
Finally, the Vamp APK (Android application package) is a mobile spy tool with the ability to record calls and steal phone contacts, documents and messages.
Researchers are currently unable to attribute the activity to any known threat group. However, the blog post noted that "the scale of the campaign in terms of sheer numbers of samples and the maintenance of several differing malware families involved suggests a reasonably sized team and that the campaign is not being perpetrated by a lone wolf, but rather a small team of attackers."
