Sunday 15th December 2024

Good morning everyone, I hope you're all having a fantastic weekend. They say what happens in the cloud stays in the cloud—but that’s only if you’re not on the radar of a nation-state cyber gang. From Iranian hackers playing puppet master with gas pumps and water systems to Russian cyber spies turning Android devices into surveillance hubs, cyber threats are looking more dystopian by the day. And in Thailand, government officials are grappling with a sneaky new backdoor targeting their systems.

Enjoy the read!

Thailand Targeted in Advanced Cyberattack Campaign

Thai government officials have become the focus of a sophisticated new cyberattack that uses DLL side-loading to deploy a backdoor known as Yokai. The campaign starts with malicious RAR archives containing Windows shortcut (.lnk) files that launch malware in the background while a decoy document is displayed in the foreground.

The files, labeled in Thai, reference a U.S. legal case involving Woravit Mektrakarn, adding an air of legitimacy to the phishing lure. When launched, the shortcuts drop a chain of malicious components, culminating in Yokai: a malicious DLL placed next to a legitimate executable that loads it (the side-loading step), giving the attackers remote control over the compromised system.
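A lure of this shape is easy to triage before anyone double-clicks it, because the shortcut's target, command line, icon and window state are all stored in plain structure inside the .lnk file. The script below is an added example (not code from the original post or from the researchers who reported the campaign) that parses those fields straight from the MS-SHLLINK header and string data and flags the traits a decoy-document lure usually shows: a command interpreter as the target, a hidden window, a command line that opens a document and a second executable, and a borrowed document-viewer icon. The two sample shortcuts, the file names in them and the Acrobat icon path are constructed for the demonstration, not artefacts from the campaign.

```python
import re
import struct

# Shell Link (.lnk) header constants from MS-SHLLINK
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window opens minimised and never takes focus: nothing for the victim to see

# Interpreters a lure shortcut points at instead of a document viewer
INTERPRETERS = {"cmd", "powershell", "pwsh", "mshta", "rundll32", "wscript",
                "cscript", "regsvr32", "certutil", "conhost"}
DOC_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|rtf)\b", re.I)
PAYLOAD_EXT = re.compile(r"\.(exe|dll|bat|cmd|ps1|vbs|js|hta|scr|msi)\b", re.I)


def parse_lnk(data: bytes) -> dict:
    """Extract the fields triage cares about: target, arguments, icon and window state."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the PIDL; the string data is enough here
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize is the first field of the block
        off += struct.unpack_from("<I", data, off)[0]

    def read_string() -> str:
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            raw, off = data[off:off + 2 * count], off + 2 * count
            return raw.decode("utf-16-le")
        raw, off = data[off:off + count], off + count
        return raw.decode("latin-1")

    info = {"show_command": show_command}
    for key, flag in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        info[key] = read_string() if flags & flag else None
    return info


def triage_lnk(data: bytes) -> list:
    """Return the lure traits found in a shortcut (empty list means nothing odd)."""
    info = parse_lnk(data)
    target = (info["relative_path"] or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    stem = target[:-4] if target.endswith(".exe") else target
    args = info["arguments"] or ""
    findings = []
    if stem in INTERPRETERS:
        findings.append("interpreter-target")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("hidden-window")
    if DOC_EXT.search(args) and PAYLOAD_EXT.search(args):
        findings.append("decoy-plus-payload")   # opens a document for show, runs something else
    if len(args) > 250:
        findings.append("long-command-line")
    if info["icon_location"] and stem in INTERPRETERS:
        findings.append("icon-mismatch")        # looks like a document, launches an interpreter
    return findings


def build_sample_lnk(relative_path, arguments="", working_dir=None, show_command=1, icon=None) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying only StringData."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ICON_LOCATION if icon else 0
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return (header + s(relative_path) + (s(working_dir) if working_dir else b"")
            + (s(arguments) if arguments else b"") + (s(icon) if icon else b""))


# Constructed samples, not campaign artefacts: a decoy-document lure and an ordinary app shortcut.
LURE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r'/c start "" "court_notice.pdf" & start "" "%TEMP%\recovery.exe"',
    working_dir="%TEMP%", show_command=SW_SHOWMINNOACTIVE,
    icon=r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe")
BENIGN_LNK = build_sample_lnk(r"..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob)["relative_path"], triage_lnk(blob))
```

Run it over every .lnk extracted from an inbound archive; any shortcut that trips `interpreter-target` together with `hidden-window` or `decoy-plus-payload` is worth detonating in a sandbox rather than opening on a workstation.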

Meanwhile, researchers have uncovered parallel malware operations using Node.js-compiled executables to distribute cryptocurrency miners and steal personal data. These campaigns rely on social engineering, spreading via YouTube links to malicious downloads, and use detection-evasion tactics to slip past security tools.

As phishing schemes become more intricate—weaponising DLL side-loading, obfuscated PowerShell scripts, and even Office document exploits—cybersecurity defences must continually adapt to outpace attackers.

Always verify unexpected attachments, even if they seem authentic. Malicious files are becoming harder to spot.


Russian Cyber Espionage Group Targets Android Devices with Advanced Spyware

Russian cyberspy group Gamaredon (aka Shuckworm), linked to the FSB, has been caught using Android spyware—BoneSpy and PlainGnome—to surveil Russian-speaking individuals in former Soviet states. This marks Gamaredon’s first foray into mobile malware, underscoring the growing role of smartphones in cyber-espionage.

  • BoneSpy, active since 2021, evolved from the open-source DroidWatcher app. It’s delivered via fake Telegram apps or by impersonating Samsung Knox.
  • PlainGnome, spotted in 2024, is a custom-made tool with stealthier capabilities like only activating data theft when the device is idle.

Both spyware tools can:

  • Record calls and ambient audio
  • Steal SMS, contacts, browsing history, and GPS data
  • Snap photos and take screenshots
  • Extract clipboard content and device notifications

These apps rely on social engineering to dupe victims into granting dangerous permissions. They aren’t on Google Play, but Google Play Protect can block known versions.

Gamaredon’s focus on Android devices reflects a shift in cyber-espionage as mobile phones become critical hubs for sensitive data. Staying vigilant against phishing and fake apps is more important than ever.

Iranian Hackers Target US and Israeli Fuel and Water Systems with IOCONTROL Malware

Iranian-linked cyber gang CyberAv3ngers, affiliated with the Islamic Revolutionary Guard Corps (IRGC), used custom malware called IOCONTROL to infiltrate fuel and water management systems in the US and Israel, according to Claroty's Team82.

The threat:

  • IOCONTROL is a backdoor targeting Linux-based IoT and OT systems, including fuel pumps, PLCs, and firewalls.
  • It compromised hundreds of Gasboy and Orpak fuel management devices, enabling attackers to disrupt services or steal payment data.
  • In water facilities, it targeted critical devices like Unitronics PLCs, posing risks to public infrastructure.

How it works:

  • Talks to its command-and-control server over MQTT, the IoT messaging protocol, on the TLS port 8883, so its traffic blends in with legitimate device telemetry.
  • Resolves its C2 domain through Cloudflare's DNS over HTTPS (DoH) service, so the lookup is encrypted and invisible to conventional DNS monitoring.
  • Gives the operator persistent control of the device, including arbitrary command execution and scanning of the surrounding network in support of lateral movement.

The timeline:

  • Attacks spanned mid-October 2023 to late January 2024, with a resurgence in July-August 2024 targeting SCADA and IoT systems.
  • The group claimed responsibility for 200 gas station disruptions in both countries via Telegram.

Team82 labeled IOCONTROL a nation-state cyberweapon capable of crippling civilian infrastructure. This marks a growing trend in targeting IoT and OT systems critical to daily life.

As IoT vulnerabilities proliferate, robust detection protocols and encrypted traffic analysis are more vital than ever.
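The two traffic traits summarised above (a DoH lookup to Cloudflare followed by an outbound MQTT session on 8883) are exactly the kind of thing encrypted-traffic analysis can catch without decrypting anything, because neither belongs on an embedded fuel controller or PLC. The script below is an added example, not code from the original post or from Team82, of that detection logic run over constructed connection records. The OT VLAN, the internal ranges, the five-minute window and the simplified Zeek-style JSON log format are all assumptions made for the demonstration; the resolver addresses, SNI names and port come from the behaviour described above.

```python
import ipaddress
import json
from collections import defaultdict

# Assumed environment for this example: one OT VLAN, RFC 1918 space counted as internal.
OT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1"}             # Cloudflare public resolver
DOH_SNI = {"cloudflare-dns.com", "one.one.one.one"}   # TLS SNI seen on DoH to Cloudflare
MQTT_TLS_PORT = 8883
WINDOW_SECONDS = 300   # MQTT session must start this soon after the DoH lookup

# Constructed log: one JSON connection record per line (ts, src, dst, dport, proto, TLS SNI).
# 10.20.4.17 shows the IOCONTROL-style sequence; the other hosts are benign or out of scope.
SAMPLE_LOG = """\
{"ts": 1700000000, "src": "10.20.4.17", "dst": "1.1.1.1", "dport": 443, "proto": "tcp", "sni": "cloudflare-dns.com"}
{"ts": 1700000002, "src": "10.20.4.17", "dst": "203.0.113.50", "dport": 8883, "proto": "tcp", "sni": ""}
{"ts": 1700000010, "src": "10.20.4.17", "dst": "203.0.113.50", "dport": 8883, "proto": "tcp", "sni": ""}
{"ts": 1700000100, "src": "10.20.9.3", "dst": "10.20.9.1", "dport": 1883, "proto": "tcp", "sni": ""}
{"ts": 1700000150, "src": "192.168.1.40", "dst": "1.1.1.1", "dport": 443, "proto": "tcp", "sni": "cloudflare-dns.com"}
{"ts": 1700000160, "src": "192.168.1.40", "dst": "198.51.100.7", "dport": 8883, "proto": "tcp", "sni": ""}
{"ts": 1700000500, "src": "10.20.4.17", "dst": "1.1.1.1", "dport": 53, "proto": "udp", "sni": ""}
"""


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def is_doh(rec: dict) -> bool:
    """TLS to a known DoH resolver address, or any TLS whose SNI names the resolver."""
    return rec["dport"] == 443 and (rec["dst"] in DOH_RESOLVER_IPS or rec.get("sni", "") in DOH_SNI)


def is_external_mqtt(rec: dict) -> bool:
    """MQTT-over-TLS leaving the plant: a local broker on 1883/8883 would be internal."""
    return rec["dport"] == MQTT_TLS_PORT and not in_any(rec["dst"], INTERNAL)


def detect(lines) -> list:
    """Return alerts for OT hosts that do DoH at all, and for DoH followed by external MQTT."""
    recs = sorted((json.loads(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    doh_times = defaultdict(list)
    alerts, seen_pairs = [], set()
    for r in recs:
        if not in_any(r["src"], OT_SEGMENTS):
            continue   # corporate hosts using DoH are a different, much weaker signal
        if is_doh(r):
            if not doh_times[r["src"]]:   # an embedded OT device has no business doing DoH
                alerts.append({"rule": "ot-host-doh", "host": r["src"], "ts": r["ts"]})
            doh_times[r["src"]].append(r["ts"])
        elif is_external_mqtt(r):
            recent = [t for t in doh_times[r["src"]] if 0 <= r["ts"] - t <= WINDOW_SECONDS]
            if recent and (r["src"], r["dst"]) not in seen_pairs:
                seen_pairs.add((r["src"], r["dst"]))   # one alert per host/C2 pair, not per session
                alerts.append({"rule": "doh-then-mqtt", "host": r["src"], "c2": r["dst"],
                               "doh_ts": recent[-1], "mqtt_ts": r["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The first rule fires on its own and is the cheap one to deploy: an allow-list of what field devices may talk to makes any DoH from the OT segment an alert. The second rule is the higher-fidelity correlation; it needs the TLS SNI (or the resolver IP) and the destination port, both of which are visible without decrypting the session.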

Elma Čavalić

Agile Coach at Evolve IT | Innovation Culture for Business Growth | Digital Transformation | Agile, High-Performing, and Autonomous Teams

5d

This is a wake-up call! 🚨 The rise in cyber threats is real, and we all need to stay alert!! Aidan Dickenson
