22 October 2020

Operation Earth Kitsune spies on users via compromised sites


Security researchers at Trend Micro have uncovered a new watering hole campaign, which they dubbed “Operation Earth Kitsune,” that uses a new variant of the SLUB malware. While previous versions of SLUB abused Slack and GitHub (hence the name SLUB), the new variant employs an open-source online chat service called Mattermost.

The attackers behind Operation Earth Kitsune compromised websites to host malware, using a total of five command and control (C&C) servers, seven samples, and a slew of remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities, including CVE-2019-5782 (Google Chrome), CVE-2020-0674 (Internet Explorer), CVE-2016-0189 (Internet Explorer) and CVE-2019-1458 (Microsoft Windows).

The campaign was discovered when the researchers noticed that the Korean American National Coordinating Council (KANCC) website was redirecting visitors to the Hanseattle website, which, in turn, redirected users to malicious code exploiting the CVE-2019-5782 Google Chrome vulnerability.

“For the Chrome attack vector, the exploit used CVE-2019-5782 and another vulnerability that does not have an assigned CVE. To deploy a weaponized version of this, the attacker reused a POC code. It also implemented two customizations: the separation of the shellcode to load in from the Javascript encoded version, and the inclusion of support for other operating system versions,” the researchers said.

In addition to SLUB, whose main goal was to exfiltrate system data, the hackers also deployed two new malware variants, dubbed dneSpy and agfSpy, that allowed them to gain additional control of the victim’s machine.

To keep track of its deployment, the new SLUB variant used Mattermost: the malware created a channel for each infected machine, with all communication using HTTP on port 443.
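Two details in that description are useful detection signals for defenders: plaintext HTTP carried over port 443, and endpoints talking to a Mattermost server that the organisation does not operate. The script below, an added example and not Trend Micro's or the malware's code, runs both checks over a few constructed proxy log lines. The log format, the hostnames and the client addresses are made up for the example; the only real-world assumption is that Mattermost's REST API lives under the `/api/v4/` path prefix.

```python
"""Flag SLUB-style Mattermost C2 traffic in proxy logs (added example).

Assumptions: a simplified one-line-per-request proxy log format
(timestamp client method url), constructed here, and Mattermost's REST
API path prefix /api/v4/. Hostnames below are invented for the example.
"""
import re
from collections import defaultdict

# Constructed sample proxy log: one infected client beaconing over plain
# HTTP on port 443 to an unknown Mattermost server, plus benign traffic.
SAMPLE_LOG = """\
2020-10-20T09:00:01Z 10.0.0.12 POST http://chat.example-c2.invalid:443/api/v4/channels
2020-10-20T09:00:02Z 10.0.0.12 POST http://chat.example-c2.invalid:443/api/v4/posts
2020-10-20T09:05:02Z 10.0.0.12 POST http://chat.example-c2.invalid:443/api/v4/posts
2020-10-20T09:01:00Z 10.0.0.33 GET https://www.example.com/index.html
2020-10-20T09:02:00Z 10.0.0.45 POST https://mattermost.corp.example/api/v4/posts
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/.*)?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    scheme = u["scheme"]
    # Explicit port wins; otherwise fall back to the scheme's default.
    port = int(u["port"]) if u["port"] else (443 if scheme == "https" else 80)
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "scheme": scheme,
        "host": u["host"],
        "port": port,
        "path": u["path"] or "/",
    }


def find_indicators(log_text, allowed_mattermost_hosts=()):
    """Return (client, host, path, reasons) for each suspicious request.

    allowed_mattermost_hosts: Mattermost servers the organisation runs;
    API calls to any other host are flagged.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        # Signal 1: cleartext HTTP on the TLS port, as the article describes.
        if rec["scheme"] == "http" and rec["port"] == 443:
            reasons.append("plaintext HTTP on port 443")
        # Signal 2: Mattermost API traffic to a server we do not operate.
        if rec["path"].startswith("/api/v4/") and rec["host"] not in allowed_mattermost_hosts:
            reasons.append("Mattermost API call to non-approved host")
        if reasons:
            findings.append((rec["client"], rec["host"], rec["path"], reasons))
    return findings


def clients_by_host(findings):
    """Group flagged clients per destination host: one channel per
    infected machine means many internal clients converge on one server."""
    grouped = defaultdict(set)
    for client, host, _path, _reasons in findings:
        grouped[host].add(client)
    return {host: sorted(clients) for host, clients in grouped.items()}


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG, allowed_mattermost_hosts=("mattermost.corp.example",))
    for client, host, path, reasons in hits:
        print(f"{client} -> {host}{path}: {', '.join(reasons)}")
    print(clients_by_host(hits))
```

Run against the constructed sample, the script flags the three requests from 10.0.0.12 (each matches both signals) and leaves the corporate Mattermost server and the ordinary HTTPS request alone. In production the allow-list should be populated from the organisation's own Mattermost deployments, and the first signal is worth keeping as a standalone rule regardless of path, since plaintext on 443 is rarely legitimate.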

“The Operation Earth Kitsune campaign remains very active and still relatively unknown due to the implementation of various techniques, such as security software checks during malware deployment, that are designed to hide the threat actors orchestrating the campaign,” the researchers said.

“We believe that a very capable group is behind the campaign, given the samples’ design and the number of deployed vectors. All compromised websites follow a common pattern in terms of the web tools used and the contextual content they contain. This relation is further backed by the commonalities in the organization types and the maintenance of the initial vectors that are deployed from the same related websites,” Trend Micro added.
