Ankura CTIX FLASH Update - November 15, 2022

Ransomware/Malware Activity

Fangxiao Domain Spoofing Campaign Accrues Network of Over 42,000 Malicious and Redirect Websites

Researchers from Cyjax have published a report on how a financially motivated threat group known as "Fangxiao" is conducting a massive website spoofing campaign, having built a network of approximately 42,000 domains. The domains mimic very popular brands such as Coca-Cola, Emirates, McDonald's, and many more, as the campaign spoofs entities in the retail, banking, travel, pharmaceutical, transport, financial, and energy sectors. The campaign appears to function as a traffic-generation scam that earns ad revenue for the threat group's own sites, as well as monetizing the user data of victims unlucky enough to arrive at one of their honeypot domains. According to the researchers monitoring Fangxiao's activity, the threat group is registering approximately 300 new spoofed domains per day. To add insult to injury, some of the sites contain redirect queries that bring victims to sites hosting malware such as the "Triada" trojan. Users are initially brought to the fake sites by interacting with mobile advertisements or by falling victim to WhatsApp phishing attacks whose embedded malicious links lead to the group's spoofed landing pages. Fake survey domains are also prevalent, often with timers that create a sense of urgency so that the victim has less time to become suspicious. Upon completion of the survey, victims may be asked to download a malicious application to collect their "reward," which registers them as a new Fangxiao referral user. The Cyjax report contains several credible indicators of tactics, techniques, and procedures (TTPs) utilized by Chinese threat groups, including authoring the bait sites and ads in Mandarin and using email addresses attributed to Chinese threat actor accounts on known hacking forums. CTIX analysts will monitor the fallout from this campaign and continue to report on breaking and novel TTPs utilized in cybercriminal activity.

Threat Actor Activity

Suspected Chinese State-Sponsored Threat Group "Billbug" Conducts Cyberespionage Campaign Across Asia

Since at least March 2022, a suspected Chinese state-sponsored threat actor has been conducting a cyberespionage campaign targeting government agencies, defense organizations, and a certificate authority (CA) in multiple Asian countries. The threat actor is known as "Billbug" (a.k.a. Thrip, Lotus Blossom, Spring Dragon), and according to security researchers it has been active for at least a decade. This information has come to light following the publication of a report by Symantec, which has been tracking Billbug since 2018. This is a very sophisticated threat actor, notorious for leveraging tools and public utilities that are already present on the victim system, such as WinRAR and tracert, as well as deploying custom malware. This tactic helps the threat actor avoid detection and persist in the target environment for longer. Symantec was able to attribute this campaign to Billbug after identifying the use of two (2) proprietary backdoors that have been used in the group's other campaigns, known as Hannotog ("Backdoor.Hannotog") and Sagerunex ("Backdoor.Sagerunex"). The Hannotog backdoor is a one-stop shop that forces the victim's firewall to "enable all traffic and allows the threat actor to establish persistence on the compromised machine, upload encrypted data, run commands, and download files to the device." Part of Hannotog's functionality is that it drops the Sagerunex backdoor, which establishes a connection with an attacker-owned command-and-control (C2) server. Especially troubling in this latest campaign is Billbug's targeting of a CA. If the threat actor successfully compromises a CA, it could sign its malware with valid digital certificates, making it even harder for security measures to detect. CTIX analysts will continue to monitor state-sponsored threat actors and report on their activity to our readers.

Vulnerabilities

Google Pixel Smartphone Vulnerability Allows Any User to Bypass the Lock Screen

Google has patched a critical Android vulnerability that allows anyone with physical access to a locked Google Pixel smartphone to bypass the lock screen without providing the device's PIN/password or biometric key. The flaw was found by security researcher David Schütz, who was awarded $70,000 as part of Google's bug bounty program. The vulnerability, tracked as CVE-2022-20465, can be exploited in an easy five (5) step process which is detailed in Schütz's writeup, and leads to local escalation of privilege with no additional execution privileges or user interaction needed. Schütz states that to exploit the flaw, the attacker must supply an incorrect fingerprint three (3) times in a row, which disables biometric authentication. The attacker then swaps the phone's physical SIM card with an attacker-controlled SIM card that has a PIN the attacker knows. The attacker purposefully enters the wrong PIN three (3) times in a row, locking the SIM card and prompting the device to ask for the SIM card's Personal Unlocking Key (PUK) code. The attacker then enters their own PIN, and the device automatically unlocks. This vulnerability has been patched by Google, and all Pixel users should ensure that they are running the latest stable version of the software. CTIX analysts will continue to report on interesting vulnerabilities.

Copyright © 2023 Ankura Consulting Group, LLC. All rights reserved. National Law Review, Volume XII, Number 320

About this Author

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ([email protected]

202-481-7305