Intel wrap – 5th January, 2024.

February 9, 2024
Musa Nadir Sani

This aims to keep readers abreast of developments in the cyber security space from an intel perspective. Each report covers the trending cyber security news from the 7 days before its publication date.
This week’s wrap will be centered around Operation Triangulation, Agent Tesla being used to exploit CVE-2017-11882, an analysis of Kimsuky Group’s Attacks Using AppleSeed, the Nim-based campaign impersonating the Nepali Government, and APT 28.


Operation Triangulation: The last (hardware) mystery

Key Takeaways:

  • Operation Triangulation is an advanced, zero-click iMessage attack chain targeting iOS devices (up to iOS 16.2), utilizing four zero-days, including CVE-2023-41990 and CVE-2023-32434.
  • The attack involves sophisticated techniques like return/jump oriented programming, usage of JavaScript for privilege escalation, and manipulation of JavaScriptCore and kernel memory.
  • CVE-2023-38606 concerns an undisclosed hardware feature in Apple-designed SoCs (A12–A16 Bionic) that bypasses hardware-based kernel memory protection by manipulating MMIO registers; its discovery is unprecedented.
  • The attackers’ motivations and methods for uncovering and exploiting this hardware feature are still unknown, raising concerns about “security through obscurity” in hardware security.
  • Apple’s mitigation in iOS 16.6 adds the relevant MMIO ranges to pmap-io-ranges so they can no longer be mapped by physical address; the nature of the fix highlights the vulnerability’s sensitivity.

Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla

Key Takeaways:

  • Threat actors are exploiting the CVE-2017-11882 vulnerability in Microsoft Office to deliver the Agent Tesla malware.
  • Threat actors use spam emails with malicious attachments containing the CVE-2017-11882 exploit to target users.
  • The infection sequence involves the use of obfuscated VBS files, malicious JPG files, and a Base64-encoded DLL to evade detection and deliver the Agent Tesla payload.
  • Agent Tesla is an advanced keylogger that steals data from various browsers, mail clients, and FTP applications.
  • The exfiltrated data is sent to a Telegram bot controlled by the threat actors.
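The infection chain above stages the Agent Tesla DLL as Base64 text inside a script. As an added defensive example (not from the original report), the following Python scans a text artifact for long Base64 runs and flags any that decode to a PE image, using a constructed VBS-like sample rather than real malware:

```python
import base64
import binascii
import re
import struct

# Runs of Base64 text long enough to plausibly carry an embedded executable.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(blob: bytes) -> list:
    """Decode every long Base64 run in blob; report offsets of runs that decode to a PE image."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)  # pad truncated runs so they still decode
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        if is_pe_image(decoded):
            hits.append({"offset": m.start(), "decoded_len": len(decoded)})
    return hits


def build_sample_script() -> bytes:
    """Constructed sample: VBS-like text embedding a minimal, non-runnable PE header as Base64."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> PE signature at offset 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    b64 = base64.b64encode(bytes(header))
    return b'Dim payload\r\npayload = "' + b64 + b'"\r\n'


if __name__ == "__main__":
    for hit in find_embedded_pe(build_sample_script()):
        print(f"embedded PE at text offset {hit['offset']}, {hit['decoded_len']} bytes decoded")
```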

Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed

Key Takeaways:

  • The Kimsuky threat group, known to be supported by North Korea, has been active since 2013 and primarily targets national defense, defense industries, media, diplomacy, national organizations, and academic sectors.
  • The group uses spear phishing attacks for initial access, with recent attacks involving shortcut-type malware in LNK file format, JavaScripts, and malicious documents.
  • AppleSeed is a backdoor used by the Kimsuky group for control over infected systems, with features such as downloading additional malware, keylogging, taking screenshots, and stealing information.
  • The group has been using a variant of AppleSeed called AlphaSeed, which uses Golang and communicates with the C&C server using ChromeDP.
  • The Kimsuky group has also been observed using Meterpreter and VNC (TightVNC and HVNC) malware to control infected systems.

A Look at the Nim-based Campaign Using Microsoft Word Docs to Impersonate the Nepali Government

Key Takeaways:

  • Threat actors are increasingly using uncommon programming languages like Nim to develop malware, making it harder for security analysts to detect and analyze the threats.
  • This report analyzes a recent campaign that impersonates the Nepali government using Microsoft Word documents. The documents contain a malicious backdoor written in Nim.
  • The campaign starts with the delivery of a Word document via email, which prompts the recipient to enable macros. Once enabled, the macros execute code that drops the Nim backdoor onto the victim’s system.
  • The backdoor communicates with command and control (C&C) servers to receive and execute commands. It utilizes various anti-analysis techniques to evade detection, including checking for running analysis tools and terminating itself if any are detected.
  • To maintain persistence, the campaign creates scripts and scheduled tasks to ensure the backdoor is executed upon system startup.


APT28: From Initial Damage to Domain Controller Threats in an Hour

Key Takeaways:

  • A new threat group is targeting Ukrainian organizations with a malware campaign.
  • The threat actors are using well-known malware tools such as Emotet and TrickBot.
  • The campaign is motivated by financial gain, as the threat actors are likely to use the malware for stealing sensitive information and conducting banking fraud.
  • Ukrainian organizations are advised to enhance their security measures and educate their employees about phishing and social engineering techniques.
  • It is crucial for organizations to keep their security software and systems updated to prevent exploitation of known vulnerabilities.
