Cyber espionage group uses Google Drive to drop malware on government networks worldwide (21st November 2022)

Ref# AL2022_76 | Date: Nov 21st 2022

Description  

Threat actors launched a spear-phishing campaign that delivers custom malware hosted on Google Drive to government, academic, and research institutions worldwide.

Summary  

The attacks, observed between March and October 2022, have been attributed to the cyber espionage group Mustang Panda.

Using Google accounts, the attackers emailed their targets with lures designed to persuade them to click a Google Drive link and download the customized malware. According to analysts, the messages used geopolitical themes, and most were aimed at government or legal institutions.

How it works  

The embedded link leads to a Google Drive or Dropbox folder. Because both are reputable platforms that users and security controls tend to trust, a download from them is less likely to be blocked or questioned. The links lead to RAR, ZIP, and JAR archives that contain the ToneShell, ToneIns, and PubLoad malware families.

Although the attackers used several different loading routines, the chain typically relied on DLL side-loading once the victim launched an executable from the archive. A decoy document is displayed in the foreground to allay suspicion.

PubLoad is a stager responsible for decrypting shellcode, handling command and control (C2) communication, and establishing persistence by adding registry entries and creating scheduled tasks.

According to Trend Micro, later versions of PubLoad include more sophisticated anti-analysis measures, suggesting that Mustang Panda is actively improving the tool.

ToneIns installs ToneShell, the main backdoor used in the latest campaign. ToneIns uses obfuscation to load ToneShell, evade detection, and establish persistence on the compromised system.

ToneShell is a standalone backdoor that is loaded directly into memory and obfuscates its code flow through a custom exception-handler implementation. This also acts as an anti-sandbox mechanism, since the backdoor won't execute in a debugging environment.

ToneShell connects to the C2 server, sends a packet containing victim identification information, and then waits for further instructions. The supported commands allow the operators to upload, download, and execute files, create shells for intranet data sharing, and modify the sleep configuration.

Remediation 

To prevent infection, users should never download attachments or open links from unknown email addresses. It is also recommended to keep an up-to-date anti-virus solution on all devices.
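The lure described under "How it works" relies on file-sharing links that look legitimate. The following is an added example, not code from the original alert or from Trend Micro, of a simple triage check that a mail-security team could run over the body of a suspicious message: it extracts the links and flags those pointing at the two sharing services the alert names, escalating when the URL itself exposes an archive name or forces a direct download. The sample email body, host list, and verdict labels are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts of the two file-sharing services the alert says were abused (assumed host list).
CLOUD_SHARE_HOSTS = {
    "drive.google.com", "docs.google.com",
    "dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com",
}
# Archive types the alert reports being delivered through those links.
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".jar")

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample lure body; the links are made up and do not point at real campaign content.
SAMPLE_EMAIL_BODY = """Dear colleague,
Please review the briefing before Friday's session:
https://drive.google.com/file/d/1AbCdEfGh/view?usp=sharing
Background material: https://www.dropbox.com/s/x1y2z3/regional_briefing.rar?dl=1
Agenda: https://example.org/agenda.html.
"""


def extract_urls(text):
    """Return all http(s) URLs in text, with trailing punctuation stripped."""
    return [m.group(0).rstrip(".,;:)]") for m in URL_RE.finditer(text)]


def classify_link(url):
    """Classify one URL.

    Google Drive share links normally hide the file name, so any cloud-share link
    from an unfamiliar sender is worth a look ('cloud-share'). The verdict is
    escalated when the URL names an archive ('cloud-share-archive') or forces a
    direct download via Dropbox's dl=1 parameter ('cloud-share-direct-download').
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in CLOUD_SHARE_HOSTS:
        return "other"
    if parsed.path.lower().endswith(ARCHIVE_EXTENSIONS):
        return "cloud-share-archive"
    if parse_qs(parsed.query).get("dl") == ["1"]:
        return "cloud-share-direct-download"
    return "cloud-share"


def triage_email(body):
    """Return (url, verdict) pairs for every link that is not plainly 'other'."""
    findings = [(u, classify_link(u)) for u in extract_urls(body)]
    return [(u, v) for u, v in findings if v != "other"]
```

Any "cloud-share-archive" hit from an external sender is a good candidate for quarantine and analyst review rather than automatic delivery.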

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Cyber espionage group use Google Drive to drop malware.pdf

References