Back to blog

ShadowTalk Update – PAN-OS Vulnerability, Lazarus Group, BEC scammer “Hushpuppi”, and New Photon ATO Research

ReliaQuest 13 July 2020

Threat Intelligence

This week, Digital Shadows (now ReliaQuest) team Viktoria, Demelza, Adam and Stefano cover:

PAN-OS Vulnerability (CVE-2020-2021): Impact & Mitigation
Magecart Developments: Lazarus Group tied to Magecart
FBI arrests “Hushpuppi” for alleged BEC Cybercrime Scheme
Photon ATO Research: Overview + Key takeaways

Listen below 👇👇👇

ShadowTalk Threat Intelligence Podcast · Weekly: PAN-OS Vulnerability, Lazarus Group, BEC scammer “Hushpuppi”, and New Photon ATO Research

TrickBot checks victims’ screen resolution to evade analysis

Security researchers found that the “TrickBot” banking trojan was checking the screen resolution of victims’ computers to see if a virtual machine (VM) was running. Malware commonly checks for files and processes used by VM guest software, so security researchers typically do not install the guest software, which improves screen resolution and offers other features. Being aware of this practice, TrickBot’s developers were likely using screen resolution checks as another anti-VM check, and would terminate TrickBot processes if a VM was detected.

Lazarus Group linked to Magecart-style web skimming

Security researchers reported that the North Korea-linked advanced persistent threat (APT) collective “Lazarus Group” has been conducting “Magecart”-style web skimming attacks against retail companies in the United States, allegedly including global fashion retailer Claire’s. The researchers speculated that Lazarus Group used spearphishing emails to achieve initial infection, aiming to obtain the passwords of retail staff and gaining access to inject skimming scripts, which they said aligns with the group’s financial motives.

Entities in Myanmar likely targeted by Chinese APT

Researchers have linked a cyber-threat campaign against entities in Myanmar to an unknown APT group associated with the People’s Republic of China (PRC). The campaign began in March 2020 and targeted victims via malicious LNK (Windows shortcut) files. After obtaining access to their targets, the attackers used the red-teaming tool “Octopus”³ for command-and-control (C2) communication. Elements of LNK files were similar to those used by the PRC-linked “Mustang Panda” APT group, although researchers did not attribute the attack to any specific threat group.

³An open-source tool, commonly used in red-teaming assessments that simulate attacks; Octopus is designed to covertly communicate with the C2 server

Weekly Intelligence Summary 10 July 2020