TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: By impersonating recruiters to deliver malware, North Korean threat actors gain access to a variety of industries, leading to the theft of sensitive data and cryptocurrency, as well as potentially enabling espionage.
On October 9th, Unit 42 published a detailed report on an ongoing campaign named Contagious Interview (CL-STA-0240), led by threat actors associated with Democratic People’s Republic of Korea (DPRK). The primary targets of this campaign are job seekers in the tech industry, particularly those using platforms like LinkedIn and X (formerly Twitter) to find opportunities. The attackers impersonate recruiters to build trust and then manipulate their victims into executing malicious software under the guise of an actual interview process. Two key malware components observed in this campaign are the BeaverTail downloader and InvisibleFerret backdoor, both of which are designed for cross-platform attacks, capable of affecting macOS and Windows systems.
BeaverTail acts as the initial downloader in the attack. Its primary role is to infiltrate the victim’s system and execute additional payloads, including the InvisibleFerret backdoor. It is built using the Qt framework and can execute on both macOS and Windows platforms. This malware focuses on stealing browser passwords and cryptocurrency wallets, targeting 13 cryptocurrency wallet browser extensions. It is typically delivered through fake software packages masquerading as legitimate applications, such as MicroTalk and FreeConference. Once the malware is executed, it establishes a connection with the Command-and-Control (C2) server to download the Python payload.
InvisibleFerret is the final-stage malware deployed after BeaverTail. It is a Python-based backdoor observed in the CL-STA-0240 campaign. It has multiple components that enable the attackers to maintain long-term control over the infected system. The backdoor is capable of fingerprinting the infected endpoint, performing remote control functions, and keylogging to capture user input. It also exfiltrates sensitive files and can steal browser credentials and credit card information. Additionally, InvisibleFerret can download and run the AnyDesk client for further remote access and control. Recent updates to InvisibleFerret’s code were observed, indicating active development and refinement of the malware.
The new variants of this malware do not expand its core capabilities. Rather, they focus on efficiency improvements.
The targeting of developers via interview lures is notable for a variety of reasons. First, developers have access to a variety of sensitive information, making them high-value targets for threat actors. The compromise of developer accounts may enable a variety of malicious actions, including information theft, persistent access for monitoring, direct financial theft, or even supply chain compromises. Additionally, the use of the interview lure may hamper investigations and the reporting of malicious activity. Users who are successfully socially engineered into downloading and executing malicious content are less likely to report unusual activity or be honest during internal investigations, as doing so would require confirming that they knowingly interviewed for another company via their current organization’s assets. The fear of reprisals may result in employees hiding the activity.
Unit42 does not speculate on the goal of the threat actors responsible for this campaign. North Korean APTs have a history of diverse goal sets that deviate from standard state-sponsored activity. Past campaigns have resulted in malware and ransomware deployment for direct financial gain, the theft of both sensitive data and cryptocurrency, espionage, destructive wiper attacks, and supply chain compromises to impact downstream customers.
In response to the disclosure of this report, the eSentire Threat Intelligence team performed threat hunts across the customer base, evaluated current detection capabilities, and blocked known malicious infrastructure via the eSentire Global Block List. It should be noted that eSentire detected and mitigated activity matching the findings of this report prior to its disclosure. Telemetry to allow for attribution was not available in this case. This incident was discussed in the October TRU Intelligence Briefing webinar. A technical blog on eSentire observations of InvisibleFerret will be published in the near future.
Bottom Line: OpenAI continues to monitor for the abuse of its platform for influence and cyber operations. While OpenAI indicates that there has not been successful virality of content, the full impact of this activity remains unclear.
On October 9th, OpenAI, the American artificial intelligence research organization behind ChatGPT, released a long-form report on state-sponsored abuse of the company’s services in both information operations and cyberattacks. According to OpenAI, in the past year, the company has disrupted twenty separate campaigns, three of which involved known APT groups, with the remainder being focused on information operations. Information operations included election disinformation across multiple countries.
APT groups observed abusing ChatGPT have been attributed to China and Iran. The Chinese APT group is tracked under the name SweetSpecter. This group was observed leveraging “OpenAI’s services for reconnaissance, vulnerability research, scripting support, anomaly detection evasion, and development”. Outside of this activity, SweetSpecter also targeted both governments and OpenAI employees in a spear-phishing campaign that resulted in the deployment of the SugarGhost Remote Access Trojan (RAT).
Iranian state-sponsored groups confirmed to abuse OpenAI services are CyberAv3ngers and STORM-0817. The CyberAv3ngers group masquerades as a hacktivist organization but is believed to operate at the behest of the Iranian Islamic Revolutionary Guard Corps (IRGC). The group was observed using OpenAI services to conduct research on Programmable Logic Controllers (PLC), commonly used in critical infrastructure such as water and wastewater treatment facilities. According to OpenAI, the group was attempting to discover vulnerabilities, build debugging code, and gain scripting advice. This is highly notable, as in December 2023, CISA, in coordination with other intelligence agencies, released a report on CyberAv3ngers and their active targeting of water treatment facilities.
STORM-0817 was observed using OpenAI services in order to develop both malware and social media scraping tools. The group employed AI models to assist with building an Instagram scraper, debugging Android malware, and translating profiles on LinkedIn. Information submitted to OpenAI platforms indicates that the group was building “surveillanceware”.
With the now widespread adoption of Large Language Models (LLMs) for legitimate use, threat actors have also identified the potential value of these tools. While the report is focused on state-sponsored campaigns, it is almost certain that financially motivated threat actors are also abusing these platforms in a similar manner. Despite the clear threat actor interest, OpenAI states that, “we have not seen evidence of this leading to meaningful breakthroughs in their ability to create substantially new malware or build viral audiences”. While there are areas where LLMs fall short for malicious purposes, such as malware development, there are others where these tools significantly assist attacks, including social engineering, the crafting of convincing lures, and research assistance. With the continued improvement and interest in LLM models, the eSentire Threat Intelligence team expects to see an increase in the testing and abuse of commercial platforms by threat actors of varying skill levels.
eSentire security teams continue to monitor for abuse of AI and LLM models by real-world threat actors.
Bottom Line: Targeting Internet Service Providers (ISPs) in a breach of this scale would provide espionage-focused threat actors with a trove of valuable information, ranging from privileged conversations to sensitive technical data and financial information. The impact of this intrusion depends on whether persistence was established and exfiltration was completed.
On September 26th, the Wall Street Journal (WSJ) reported that a Chinese APT group compromised multiple Internet Service Providers (ISPs). This week, WSJ released a follow-on article naming the impacted companies as Verizon Communications, AT&T, and Lumen Technologies, as well as multiple non-U.S. telecoms. It is reported that threat actors carried out this activity to gain access to wiretap systems used by U.S. law enforcement.
The activity described in this report is attributed to the Chinese state-sponsored APT group Salt Typhoon, also referred to as FamousSparrow and GhostEmperor. The group is reported to have operated since at least 2019 and has a history of targeting government agencies, telecommunications and internet providers, hotels, and other private businesses. The group’s past activity is reported to have impacted companies in North and South America, Europe, Asia, Africa, and the Middle East.
In the recent campaign, WSJ reports that threat actors potentially targeted “information from systems the federal government uses for court-authorized network wiretapping requests”. These systems are in place to enable law enforcement to work with telecommunications companies on ongoing investigations. As such, similar companies have a legal responsibility to intercept and store information related to court orders.
Technical details on the breaches have not been shared publicly at this time. WSJ states that the breaches were discovered “in recent weeks and remains under active investigation by the U.S. government and private-sector security analysts”. It is unclear when or how initial compromises occurred, but Salt Typhoon is suspected to have had access to domestic surveillance systems for “months or longer”. It could not be determined whether systems that support foreign intelligence surveillance were also impacted by the breach. According to sources familiar with the matter, Salt Typhoon collected large amounts of internet traffic, and the goal of the activity is tentatively believed to be information theft. It should be noted that this reporting is focused on the breach of American companies, but the campaign is also reported to have impacted a small number of non-U.S. providers.
According to the WSJ, “a person familiar with the attack said the U.S. government considered the intrusions to be historically significant and worrisome.” The impact of these breaches is dependent on the level of access threat actors achieved, along with what and how much data they were able to exfiltrate. Information surrounding domestic surveillance programs is extremely limited due to the sensitive nature of law-enforcement operations. Past Freedom of Information Act (FOIA) requests provide some insight into what data U.S. law enforcement can access, which includes encrypted messages and metadata. With the limited available information, it seems probable that Salt Typhoon is performing this activity to enable espionage.
As these attacks are now being investigated, it is probable that threat actor access has been revoked. Depending on the perceived value of this access, Salt Typhoon or other Chinese APTs may attempt to regain access through alternative avenues. This could include the targeting of other telecommunications companies or cyberattacks against law-enforcement agencies that would have access to domestic surveillance capabilities.
It should be noted that Verizon, AT&T, and Lumen Technologies have neither confirmed the breaches nor responded to media requests. WSJ reporting on this campaign does not directly state its key sources, describing them as “people familiar with the matter”. While this is notable reporting from a reputable news agency, information should be viewed skeptically until confirmed by either victim organizations or government sources.
The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.