CyberWire Daily - Research Briefing: Spearphishing against Japanese political entities. Trojanized Windows 10 installers target Ukraine. XLL files abused to deliver malware.
Episode Date: December 26, 2022
Transcript
Here's your CyberWire Pro research briefing for Tuesday, December 20th, 2022.

ESET describes a spear phishing campaign that targeted Japanese political entities ahead of the Japanese House of Councillors election in July 2022. The threat actor, tracked by ESET as MirrorFace, was conducting espionage against a specific political party. ESET says, "Purporting to be a Japanese political party's PR department, MirrorFace asked the recipients to distribute the attached videos on their own social media profiles to further strengthen the party's PR and to secure victory in the House of Councillors. Furthermore, the email provides clear instructions on the video's publication strategy. Since the House of Councillors election was held on July 10, 2022, this email clearly indicates that MirrorFace sought the opportunity to attack political entities. Also, specific content in the email indicates that members of a particular political party were targeted." ESET doesn't specify which political party is being targeted, but given that they're calling the campaign LiberalFace, it would seem likely that the effort is directed at the Liberal Democrats. While other researchers have seen some signs of connections with APT10, ESET is quite clear in saying that it's been unable to come up with any more specific attribution, stating, "MirrorFace is a Chinese-speaking threat actor targeting companies and organizations based in Japan. While there is some speculation that this threat actor might be related to APT10, ESET is unable to attribute it to any known APT group."

Mandiant has observed a campaign targeting Ukrainian government organizations with Trojanized Windows 10 operating system installers distributed via torrent sites. The researchers say, "We believe that the operation was intended to target Ukrainian entities due to the language pack used and the website used to distribute it. The use of Trojanized ISOs is novel in espionage operations, and included anti-detection capabilities indicates that the actors behind this activity are security-conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest. Mandiant has not uncovered links to previously tracked activity, but believes the actor behind this operation has a mandate to steal information from the Ukrainian government." While the researchers don't attribute the campaign to any particular threat actor, they note that the operation's targets overlap with organizations targeted by GRU-related clusters with wipers at the outset of the war.

Researchers at Cisco Talos have published a report looking at the ways in which attackers are using alternative methods to execute malicious code via Office documents, as Microsoft phases out support for VBA macros. Threat actors have recently started introducing malicious code to documents using Office add-ins, which are pieces of executable code in various formats and capabilities that can be added to Office applications in order to enhance the application's appearance or functionality. XLL files specifically are used for executing malicious code via an Excel document. The researchers state, "If the user attempts to open a file with the file extension .xll in Windows Explorer, the shell will automatically attempt to launch Excel to open the .xll file. This is because .xll is the default file name extension for a specific class of Excel add-ins. Before an .xll file is loaded, Excel displays a warning about the possibility of malicious code being included. This is a similar approach as the message about potentially dangerous code, which is displayed after an Office document containing VBA macro code is opened. Unfortunately, this protection technique is often ineffective as a protection against the malicious code, as many users tend to disregard the warning." Cisco Talos has observed several high-profile threat actors using XLLs to deliver malware, including the Chinese state-sponsored actor APT10 and the financially motivated gang FIN7. The researchers conclude, "Even if XLL add-ins existed for some time, we were not able to detect their usage by malicious actors until mid-2017, when some APT groups started using them to implement a fully functional backdoor. We also identified that their usage significantly increased over the last two years as more commodity malware families adopted XLLs as their infection vector. As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats, such as XLLs, or rely on exploiting newly discovered ..."

And that's your CyberWire Pro research briefing.
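The XLL passage above describes the delivery path a defender can watch for: Explorer (or a mail client) hands a .xll file to Excel, which loads it as a native add-in DLL. The following Python example, added here and not part of the briefing or of the Cisco Talos report, shows a simple detection heuristic over process-creation telemetry. The event dictionaries, field names (Image, CommandLine, ParentImage, in the style of Sysmon Event ID 1), directory markers and parent-process list are all constructed assumptions; the only facts it relies on are that an XLL is a PE DLL and that Excel calls its exported xlAutoOpen function on load.

```python
"""Flag Excel add-in (.xll) loads that look like user-delivered files.

Added example; the telemetry below is constructed, not real data.
"""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# A quoted path, or a bare token, ending in .xll (case-insensitive).
XLL_PATH_RE = re.compile(r'"([^"]+?\.xll)"|(\S+?\.xll)\b', re.IGNORECASE)

# Directories where mail attachments and downloads usually land (assumed list).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\", "\\inetcache\\")

# Parents that mean a user opened the file, as opposed to Excel loading a
# registered add-in at startup (assumed list).
INTERACTIVE_PARENTS = ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")

# Constructed Sysmon-style process-creation events.
SAMPLE_EVENTS = [
    {   # user double-clicked an attachment saved to Downloads; decoy .pdf in the name
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
                       r'"C:\Users\alice\Downloads\invoice.pdf.xll"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # ordinary workbook: no .xll on the command line, no alert
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
                       r'"C:\Users\alice\Documents\budget.xlsx"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # add-in opened straight from an Outlook attachment cache
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" '
                       r'"C:\Users\bob\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC1\quarterly.xll"',
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    },
    {   # not Excel at all; skipped
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\bob\memo.docx"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]


def extract_xll_paths(command_line: str) -> list[str]:
    """Return every .xll path referenced on a command line."""
    return [quoted or bare for quoted, bare in XLL_PATH_RE.findall(command_line)]


def risk_reasons(path: str, parent_image: str) -> list[str]:
    """Explain why an .xll load looks like a delivered file rather than an installed add-in."""
    reasons: list[str] = []
    lowered = path.lower()
    name = PureWindowsPath(path).name.lower()
    parent = PureWindowsPath(parent_image).name.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("xll loaded from user-writable location")
    if name.count(".") >= 2:            # e.g. invoice.pdf.xll: decoy extension before the real one
        reasons.append("double extension")
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"launched via {parent}")
    return reasons


def detect(events: list[dict]) -> list[dict]:
    """Run the heuristic over process-creation events; one alert per suspicious .xll load."""
    alerts = []
    for event in events:
        if PureWindowsPath(event.get("Image", "")).name.lower() != "excel.exe":
            continue
        for path in extract_xll_paths(event.get("CommandLine", "")):
            reasons = risk_reasons(path, event.get("ParentImage", ""))
            if reasons:
                alerts.append({"path": path, "reasons": reasons})
    return alerts


def looks_like_xll(data: bytes) -> bool:
    """Content check for a file whose extension has been changed: an XLL is a PE
    image (MZ header) that exports xlAutoOpen, the entry point Excel calls on load."""
    return data[:2] == b"MZ" and b"xlAutoOpen" in data


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["path"], "->", "; ".join(alert["reasons"]))
```

The process-level check catches the interactive path the report describes (shell or mail client launching Excel on a .xll), which is where the user-facing warning is the only remaining control; the content check in `looks_like_xll` is a byte-level complement for attachment scanning, since a renamed add-in keeps its PE header and export name regardless of extension.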