Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/7/2021
05:10 PM
Kelly Sheridan
Kelly Sheridan
Quick Hits
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Voice-Changing Software Found on APT Attackers' Server

Security researchers believe the presence of Morph Vox Pro could indicate APT-C-23 has new plans for their phishing campaigns.

The discovery of voice-changing software on the server of APT-C-23 could have implications for the group's future phishing attacks, Cado Security researchers report.

APT-C-23, a group connected to attacks in the Middle East, is known as part of a larger group called "Molerats" that is mostly located in Palestine, the report states. Molerats usually target political parties in Palestine and the Israeli government, specifically the Israeli Defense Force (IDF). On occasion, the attackers have also been known to target Western governments.

Cado Security calls APT-C-23 "a medium-sophistication" group and notes it typically relies on social engineering to manipulate victims into downloading malware. In the past, the group has been known to impersonate women to trick their targets into installing malicious applications.

"The reason they're doing this is espionage, and then what they're doing with this data, is mostly trying to track what people are up to and I think help them on the ground a bit," says Cado Security co-founder and CTO Chris Doman.

Researchers found a server belonging to APT-C-23 in early 2020. The server had previously been identified as serving malware in targeted attacks; however, a misconfiguration had since made the attackers' toolset publicly available. By the time they discovered it, the toolkit contained malware used for espionage, tools to identify vulnerable routers, custom tooling to leverage compromised email accounts to send phishing emails, and a phishing code for webmail logins.

"It's pretty common to find these servers spun up to serve malware to targets or to receive commands from that malware," he adds. "Interestingly in this case, they left the server open." 

Molerats use a number of different malware families, researchers state, but most start with a self-extracting rar archive. The archives execute MSHTA/VBScript downloaders, which are used to install the H-Worm backdoor, they explain in a blog post.

The server's most interesting tool was a voice-changing application called Morph Vox Pro, which included a serial key and voices pack. Given APT-C-23's previous phishing campaigns, researchers speculate the group is using this tool to produce audio messages that could be used to convince targets to install malware.

In analyzing the server, researchers also learned more about how attackers deliver malware. For example, an application provided guidance on how to bulk-send phishing emails to targets. A separate file contained sample commands to find vulnerable routers with ZoomEye, an Internet scanning service. A "support" folder held a credential phishing page for Microsoft accounts.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21981
PUBLISHED: 2021-04-19
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.
CVE-2021-20989
PUBLISHED: 2021-04-19
Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be us...
CVE-2021-20990
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
CVE-2021-20991
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.
CVE-2021-20992
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.