Blog

Fake banking apps laced with malware continue to be an effective tool for threat actors. For the Yanbian Gang, a criminal group centered in Yanbian, China, that targets organizations across Asia, it's a craft they've been improving on for over a decade. 

The Yanbian Gang has targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ's threat research team examined some of the threat group's more recent activity in this vector to analyze their malware of choice and the large-scale hosting infrastructure they use to distribute and control it.

For more than ten years, RiskIQ has been crawling and absorbing the internet to define the web's identity and map the relationships between its infrastructure to show customers how they, and attackers targeting them, fit within it. To continue to strengthen our Internet Intelligence Graph, RiskIQ's research team has begun analyzing popular malware families' known campaigns to fingerprint trends in threat infrastructure. 

We analyzed infrastructure that likely belongs to Agent Tesla remote access trojans (RATs) to determine commonalities and identify trends that will help us detect them. 

Shortly after the COVID-19 pandemic began, there was a spike in threat infrastructure using the crisis to bait, deceive, and social engineer victims. Reports of threat campaigns attempting to fool Turkish-speaking users into downloading Android apps containing the Cerberus and Anubis banking trojans surfaced. Today, new RiskIQ data shows these attacks have not stopped, shedding light on the full extent of these campaigns. 

In May 2020, threat researcher BushidoToken authored a blog pulling together multiple indicators, some appearing as early as April 2020, from researchers tracking Cerberus and Anubis activity targeting Turkish speakers. These two remote access Trojans (RATs), which follow a malware-as-a-service model, steal user credentials to access bank accounts. Highly deceptive, they can overlay over other apps (dynamic overlays), capture keystrokes, SMS harvest and send, call forward, and access other sensitive data across the device. 

The campaigns exploited the pandemic to distribute malicious Android applications via web pages promising free internet packages to encourage people to stay home. To get the "free internet," users only had to install an application on their phones. In all, BushidoToken compiled 24 .apk filenames connected to the campaigns and a long list of domains and URLs. However, recent RiskIQ research shows these campaigns went on for much longer, with more infrastructure and tactics than outlined in May reporting.

As sophisticated attacks dominate the headlines, it's important to remember that the vast majority of cybercrime results from simple, effective, and tested tools. These tools are easy to use and accommodate a wide range of attacker skill levels. The LogoKit phishing kit, which RiskIQ has detected running on more than 300 unique domains in the past week and 700 over the past month, is a prime example. 

Simple deception is still useful for picking off large groups of victims, and operators of LogoKit know this all too well. Unlike many other phishing kits, the LogoKit family is an embeddable set of JavaScript functions designed to interact within the Document Object Model (DOM), the site's presentation layer. Integrating with the DOM allows for the script to dynamically alter the visible content and HTML form data within a page, all without user interaction. This capability gives attackers a wide range of options for visually deceiving their victims by easily integrating it into existing HTML pretext templates or building fake forms to mimic corporate login portals. 

RiskIQ's recent analysis of Magecart infrastructure has shown its massive scale and put its interconnectivity into focus. Our most recent research takes two email addresses evoking the name of one of the most prominent bulletproof hosting providers on earth and ties them to newly discovered batches of Magecart infrastructure. From there, we show how this infrastructure overlaps with previously reported Magecart activity and highlight some common Magecart operator practices that can help researchers identify skimming infrastructure.

In October, RiskIQ discovered what we believe to be a new Magecart skimmer placed on several e-commerce sites, including websites for the well-known hair treatment company Bosely and the Chicago Architecture Center (CAC), one of Chicago's largest cultural organizations. The skimmer was or has been on both these sites for several months.

RiskIQ researchers have dubbed the skimmer used in these attacks "Meyhod," after a mistyped function in the skimming code. Meyhod itself is simple compared to the Magecart skimmers we've recently analyzed, such as the new variant of the Grelos skimmer and the Ant and Cockroach skimmer. However, Meyhod is carefully crafted to blend in with victim sites' appearance and functions, indicating experienced Magecart operators wield it.

The Meyhod skimmer works by appending code to seemingly benign JavaScript resources ranging from commonly used JavaScript libraries to custom code. These resources have been embedded in cart and checkout pages using script tags that could easily be mistaken for an ordinary call to a library.  

In early July 2020, RiskIQ began tracking a phishing campaign identified through our internet intelligence graph targeting colleges and universities worldwide. From July 2020 into October 2020, RiskIQ systems uncovered 20 unique targets in Australia, Afghanistan, the UK, and the USA.  

All these attacks used similar tactics, techniques, and procedures (TTPs) as Mabna Institute, an Iranian company that, according to the FBI, was created for illegally gaining access "to non-Iranian scientific resources through computer intrusions." Mabna Institute earned the moniker "Silent Librarian" due to its focused efforts to compromise university students and faculty by impersonating university library resources using domain shadowing to harvest credentials. 

However, while RiskIQ's findings are consistent with TTPs in use by Silent Librarian, they alone are not sufficient to attribute the threat activity we've detected against these 20 universities directly to Mabna Institute. Therefore, RiskIQ has named actors identified during this research as "Shadow Academy."

Ryuk Ransomware has flooded US hospitals, threatening to shut down their operations when they're needed most. Ryuk now accounts for a third of all ransomware attacks in 2020, with its operators finding success while many healthcare organizations are most vulnerable. 

However, the cybersecurity community is coming together to combat this rash of attacks, combining resources to provide network defenders with alerts and intelligence to protect our healthcare institutions. 

To do our part, RiskIQ released the entirety of the infrastructure related to the Ryuk strain of ransomware collected by RiskIQ's Internet Intelligence Graph.

Recently, RiskIQ's suspicious domain classifier surfaced several Google analytics typosquatting domains. One, in particular, led RiskIQ's research team to a phishing campaign impersonating Saudi Arabian government websites.

Based on infrastructure overlap in RiskIQ's Internet Intelligence Graph, our researchers determined that the campaign is connected to a previous research report from March of 2019, which outlined a phishing campaign against the Saudi Arabian government it dubbed Bad Tidings. According to the research—and corroborated by RiskIQ's data—the Bad Tidings campaign dates as far back as 2017.

Analysis of the new infrastructure found by RiskIQ appears to be a follow-on to the Bad Tidings campaign and has been ongoing since the middle of 2019. Based on our analysis of the domain infrastructure used in this new crop of attacks, the attackers appear to be impersonating several organizations, including the Saudi ministries of the interior, foreign affairs, and labor and social development. They are also impersonating the Enjazit e-visa platform and the Absher mobile app, which allows Saudi citizens to access government services.