The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good | Russian Nationals Sanctioned for Roles in GRU-Linked Influence Campaigns

Two Russian nationals are the latest to be sanctioned by the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) this week for their roles in various malign influence campaigns. Ilya Andreevich Gambashidze, the founder of Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin, CEO and owner of Company Group Structura LLC, stand accused of working with the GRU to target audiences across the U.S. and in Europe.

This disinformation operation, known as Doppelgänger, targets audiences in Europe and the U.S. through fake news sites and social media accounts. Doppelgänger is known for persistent and aggressive attacks, closely exploiting current geopolitical and socio-economic events and movements as they receive media attention.

Source: EU DisInfo Lab

The Treasury alleges that Gambashidze and Tupikin played major roles in impersonating government entities and media outlets through a network of at least 60 spoofed sites. Designed to be a close imitation of their legitimate counterparts, the websites even featured working links and cookie consent pages to lull site visitors into a sense of legitimacy.

This is not the first sanction for Gambashidze. He, along with SDA and Structura LLC, was first sanctioned by the EU in 2023 for amplifying propaganda in support of Russia’s war against Ukraine.

With major elections fast approaching for the United States and across EU entities, activity from nation-backed threat actors is predicted to spike, making information warfare an even harder terrain to navigate. Initiatives like public awareness campaigns, social media literacy programs, and strict social media protocols will continue to be significant methods of pushing back against the risks of online propaganda and widespread disinformation campaigns.

The Bad | Evasive HTML Smuggling Via Google Sites Seen in Infostealing Campaigns

Threat actors are capitalizing on bogus Google Sites pages and HTML smuggling techniques to distribute AZORult malware, aimed at pilfering sensitive information. Security researchers describe this as an unconventional method, one where the actors embed malicious payloads within separate JSON files hosted on external websites.

AZORult was first spotted in 2016 and often spread through phishing emails, trojanized software installers, and malvertising. It is notably discreet, able to extract credentials, browser history, cookies, and other personal data from cryptocurrency wallets and several specific extensions.

The latest iteration of AZORult involves fake Google Docs that use HTML smuggling to deliver the payload. This method works by manipulating legitimate HTML5 and JavaScript features to launch the malware via a “smuggled” encoded script. Once visitors to the Docs are tricked into opening the pages via phishing emails, the payloads are activated, kickstarting a chain of actions which ultimately execute the scripts that contain the stealer malware.
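The browser-side primitives that HTML smuggling chains together (decode an embedded or remotely fetched payload, wrap it in a Blob, push it to the user as a download) are also what a defender can look for in inline scripts. The scanner below is an added example, not SentinelOne's code or any detection from the campaign; the two HTML pages it runs over are constructed samples, and the verdict logic is an assumed heuristic rather than a tuned rule.

```python
import re

# Heuristics for the HTML5/JavaScript features that HTML smuggling chains together:
# decode an embedded (or remotely fetched) payload in the browser, wrap it in a Blob,
# and hand it to the user as a download with no server-side file transfer to inspect.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "legacy_save": re.compile(r"\bmsSaveOrOpenBlob\b"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "remote_json": re.compile(r"\bfetch\s*\([^)]*\.json\b", re.I),
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def scan_html(html: str) -> dict:
    """Return the smuggling indicators found in inline scripts plus a verdict.

    The verdict is deliberately conservative (an assumed threshold): a page must
    decode or fetch data, build a Blob, and push it to the user (download
    attribute or msSaveOrOpenBlob) before it is flagged; atob() or fetch() on
    their own are common on benign pages and would produce noise.
    """
    scripts = "\n".join(SCRIPT_RE.findall(html))
    found = sorted(name for name, rx in INDICATORS.items() if rx.search(scripts))
    delivers = {"download_attr", "legacy_save"} & set(found)
    decodes = {"base64_decode", "remote_json"} & set(found)
    suspicious = "blob_construct" in found and bool(delivers) and bool(decodes)
    return {"indicators": found, "suspicious": suspicious}


# Constructed samples (not real campaign artefacts). The first resembles a page
# that fetches JSON purely for display; the second chains the smuggling primitives
# around an undefined placeholder rather than any real payload.
BENIGN_PAGE = """<html><body><script>
fetch('/api/items.json').then(r => r.json()).then(d => {
  document.getElementById('list').textContent = JSON.stringify(d);
});
</script></body></html>"""

SMUGGLING_PAGE = """<html><body><script>
var raw = atob(ENCODED_PLACEHOLDER);
var blob = new Blob([raw], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'invoice.zip';
a.click();
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("smuggling", SMUGGLING_PAGE)):
        print(name, scan_html(page))
```

Because the payload never touches the wire as a file, this kind of check belongs wherever the HTML itself is visible: a mail gateway, a web proxy, or a browser-side telemetry hook.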

Detection evasion techniques like this one are gaining popularity within the threat landscape. Last summer, a PRC-linked nation-state actor was seen using HTML smuggling to deliver the PlugX RAT to foreign affairs ministries and embassies. Nokoyawa operators also favor this method and are known to use it to deliver a password-protected ZIP and deploy their ransomware. SentinelOne customers are protected from Nokoyawa.

SentinelOne agent detects Nokoyawa

Infostealers like AZORult are another example of how quickly campaign operators are evolving, experimenting with unorthodox methods to stay evasive. Organizations with a layered approach to security are best positioned to defend against these novel techniques, sharply reducing where threat actors can go within a system and minimizing their access paths to critical data.

The Ugly | New “AcidPour” Data Wiper Found Targeting Linux Networking Devices

SentinelLabs first discovered AcidRain, a data wiper responsible for taking Eutelsat KA-SAT modems offline in Ukraine during the onset of the 2022 Russian invasion. AcidRain was officially attributed soon after to the Russian government by the EU and its member states.

Now, the researchers are reporting the discovery of the wiper’s latest variant, AcidPour, as it targets Linux x86 IoT and networking devices. Attribution has not yet been confirmed, though the timing of the discovery lines up closely with multiple Ukrainian telecom networks being offline, reportedly since March 13, 2024.

While sharing similarities with its predecessor, AcidPour expands the original set of capabilities to include Linux Unsorted Block Image (UBI) and Device Mapper (DM) logic to erase content from RAID arrays and large storage devices.

Data wipers are designed to delete or corrupt data on a targeted system or network, making critical information inaccessible or unusable. Since this is an irreversible process, data wipers are a highly destructive tool capable of disrupting major operations and inflicting financial and reputational damage on the victims. Data wipers are often used for sabotage, espionage, or as a diversionary tactic to cover up other malicious activities.

Two years after the discovery of AcidRain, AcidPour once again highlights the potential for destruction that wipers can cause both within and beyond the combat theater of the Russo-Ukrainian war. AcidPour clearly expands the destructiveness of the malware and shows a refinement in how threat actors are approaching their selected targets – critical infrastructure and communications.