• ESET Research investigated ScRansom, a novel ransomware developed by the CosmicBeetle threat group. 
• CosmicBeetle has been experimenting with the leaked LockBit builder and trying to mimic LockBit’s brand.
• Furthermore, CosmicBeetle is likely a recent affiliate of the ransomware-as-a-service actor RansomHub, active since March 2024.
• ScRansom is continually improving; however, it is impossible to restore some files.
• CosmicBeetle exploits years-old vulnerabilities to breach SMBs with a focus on Europe and Asia.

BRATISLAVA, PRAGUE — September 10, 2024 — ESET researchers have mapped the recent activities of the CosmicBeetle threat group, documenting its new ScRansom ransomware being deployed and discovering connections to other well-established ransomware gangs. CosmicBeetle has been spreading ransomware to small and medium businesses (SMBs), mainly in Europe and Asia. ESET Research has observed the threat actor using the leaked LockBit builder and trying to leverage LockBit’s ransomware reputation. Besides LockBit, ESET believes that CosmicBeetle is probably a new affiliate of ransomware-as-a-service actor RansomHub, a new ransomware gang active since March 2024 with rapidly increasing activity.

“Probably due to the obstacles that writing custom ransomware from scratch brings, CosmicBeetle attempted to leech off LockBit’s reputation, possibly to mask the issues in the underlying ransomware and in turn to increase the chance that victims would pay,” says ESET researcher Jakub Souček, who analyzed the latest activity of CosmicBeetle. “Additionally, recently, we observed the deployment of ScRansom and RansomHub payloads on the same machine only a week apart. This execution of RansomHub was very unusual compared to the typical cases we have seen in ESET telemetry, but quite similar to CosmicBeetle’s modus operandi. Since there are no public leaks of RansomHub, this leads us to believe with medium confidence that CosmicBeetle may be a recent affiliate of theirs,” adds Souček.

CosmicBeetle often uses brute-force methods to breach its targets. Besides that, it misuses various known vulnerabilities. Small and medium-sized businesses from all sorts of verticals all over the world are the most common victims of this threat actor because that is the segment most likely to use the affected software, or lack robust patch management processes in place. ESET Research has observed attacks on SMBs in the following verticals: manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality leisure, financial services, and regional government.

Besides encrypting, ScRansom can also kill various processes and services on the affected machine. ScRansom is not a very sophisticated piece of ransomware, though CosmicBeetle has been able to compromise interesting targets and cause great harm to them. This is mostly because CosmicBeetle is an immature actor in the ransomware world, and problems plague the deployment of ScRansom. Victims affected by ScRansom, who decide to pay, should be cautious.

ESET Research was able to obtain a decryptor implemented by CosmicBeetle for its recent encryption scheme. ScRansom is undergoing constant development, which is never a good sign for ransomware. The overcomplexity of the encryption (and decryption) process is prone to errors, making restoration of all files doubtful. Successful decryption relies on the decryptor working properly and on CosmicBeetle providing all the necessary keys, and even in that case, some files may be destroyed permanently by the threat actor. Even in the best-case scenario, decryption is long and complicated.

CosmicBeetle, active since at least 2020, is the name ESET researchers assigned to a threat actor discovered in 2023. This threat actor is most known for the usage of its custom collection of Delphi tools, commonly called Spacecolon, consisting of ScHackTool, ScInstaller, ScService, and ScPatcher.

For more technical information about the latest activity of CosmicBeetle, check out the blogpost “CosmicBeetle steps up: Probation period at RansomHub” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Heatmap of CosmicBeetle attacks since August 2023, according to ESET telemetry

• South Korea-aligned advanced persistent threat group APT-C-60 weaponized a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262) in order to target East Asian countries. ESET Research discovered the vulnerability and provides a root cause analysis, along with a description of its weaponization.
• A strange spreadsheet document referencing one of the group’s many downloader components pointed to APT-C-60.
• The exploit is deceptive enough to trick users into clicking on a legitimate-looking spreadsheet while also being very effective and reliable. The choice of the MHTML file format allowed the attackers to turn a code execution vulnerability into a remote one.
• While analyzing the vulnerability, ESET Research discovered another way to exploit it (CVE-2024-7263).
• Following our coordinated vulnerability disclosure policy, as Kingsoft acknowledged and patched both vulnerabilities, we provide a detailed analysis.

BRATISLAVA, MONTREAL — August 28, 2024 — ESET researchers discovered a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262). It was being exploited by APT-C-60, a South Korea-aligned cyberespionage group, to target East Asian countries. When examining the root cause, ESET discovered another way to exploit the faulty code (CVE-2924-7263). Following a coordinated disclosure process, both vulnerabilities are now patched. The final payload in the APT-C-60 attack is a custom backdoor with cyberespionage capabilities that ESET Research internally named SpyGlace.

“While investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the group’s many downloader components. The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities. During the coordinated vulnerability disclosure process between ESET and the vendor, DBAPPSecurity independently published an analysis of the weaponized vulnerability and confirmed that APT-C-60 has exploited the vulnerability to deliver malware to users in China.

The malicious document comes as an MHTML export of the commonly used XLS spreadsheet format. However, it contains a specially crafted and hidden hyperlink designed to trigger the execution of an arbitrary library if clicked when using the WPS Spreadsheet application. The rather unconventional MHTML file format allows a file to be downloaded as soon as the document is opened; therefore, leveraging this technique while exploiting the vulnerability provides for remote code execution.

“To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the targeted computer either on the system or on a remote share, and know its file path in advance. The exploit developers targeting this vulnerability knew a couple of tricks that helped them achieve this,” explains Dumont. “When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is automatically downloaded and stored on disk,” he adds.

Since this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet’s rows and columns inside to deceive and convince the user that the document is a regular spreadsheet. The malicious hyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit.

“Whether the group developed or bought the exploit for CVE-2024-7262, it definitely required some research into the internals of the application but also knowledge of how the Windows loading process behaves,” concludes Dumont.

After analyzing Kingsoft’s silently released patch, Dumont noticed that it had not properly corrected the flaw and discovered another way to exploit it due to an improper input validation. ESET Research reported both vulnerabilities to Kingsoft, who acknowledged and patched them. Two high severity CVE entries were created: CVE-2024-7262 and CVE-2024-7263.

The discovery underlines the importance of a careful patch verification process and making sure that the core issue has been addressed in full. ESET strongly advises WPS Office for Windows users to update their software to the latest release.

For more technical information about the WPS Office vulnerabilities and exploits, check out the blog post “Analysis of two arbitrary code execution vulnerabilities affecting WPS Office” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

• Attackers combined standard malicious techniques – social engineering, phishing, and Android malware – into a novel attack scenario; ESET suspects that messages impersonating Czech banks were sent to random phone customers in Czechia, and they caught customers of three banks.
• According to ESET Brand Intelligence Service data, the group had operated since November 2023 in Czechia, and, as of March 2024, the rating of the group’s techniques improved via the deploying of the NGate Android malware. 
• Attackers were able to clone NFC data from victims’ physical payment cards using NGate, and relay this data to an attacker’s device, which was then able to emulate the original card, and withdraw money from an ATM.
• This is the first time we have seen Android malware with this capability being used in the wild, and without the victims having had their devices rooted.

BRATISLAVA, KOŠICE — August 22, 2024 — ESET researchers uncovered a crimeware campaign that targeted clients at three Czech banks. The malware used, which ESET has named NGate, has the unique ability to relay data from victims’ payment cards via a malicious app installed on their Android devices, to the attacker’s rooted Android phone. The primary goal of this campaign was to facilitate unauthorized ATM withdrawals from the victims’ bank accounts. This was achieved by relaying near field communication (NFC) data from the victims’ physical payment cards, via their compromised Android smartphones, by using the NGate Android malware, to the attacker’s device. The attacker then used this data to perform ATM transactions. If this method failed, the attacker had a fallback plan to transfer funds from the victims’ accounts to other bank accounts.

“We haven’t seen this novel NFC relay technique in any previously discovered Android malware. The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany, to capture, analyze, or alter NFC traffic; therefore, we named this new malware family NGate,” says Lukáš Štefanko, who discovered the novel threat and technique.

Victims downloaded and installed the malware after being deceived into thinking they were communicating with their bank and that their device was compromised. In reality, the victims had unknowingly compromised their own Android devices by previously downloading and installing an app from a link in a deceptive SMS message about a potential tax return.

It’s important to note that NGate was never available on the official Google Play store.

NGate Android malware is related to the phishing activities of a threat actor that has operated in Czechia since November 2023. However, ESET believes these activities were put on hold following the arrest of a suspect in March 2024. ESET Research first noticed the threat actor targeting clients of prominent Czech banks starting at the end of November 2023. The malware was delivered via short-lived domains impersonating legitimate banking websites or official mobile banking apps available on the Google Play store. These fraudulent domains were identified through the ESET Brand Intelligence Service, which provides monitoring of threats targeting a client’s brand. During the same month, ESET reported the findings to its clients.

The attackers leveraged the potential of progressive web apps (PWAs), as ESET reported in a previous publication, only to later refine their strategies by employing a more sophisticated version of PWAs known as WebAPKs. Eventually, the operation culminated in the deployment of NGate malware.

In March 2024, ESET Research discovered that NGate Android malware became available on the same distribution domains that were previously used to facilitate phishing campaigns delivering malicious PWAs and WebAPKs. After being installed and opened, NGate displays a fake website that asks for the user’s banking information, which is then sent to the attacker’s server.

In addition to its phishing capabilities, NGate malware also comes with a tool called NFCGate, which is misused to relay NFC data between two devices – the device of a victim and the device of the perpetrator.  Some of these features only work on rooted devices; however, in this case, relaying NFC traffic is possible from non-rooted devices as well. NGate also prompts its victims to enter sensitive information like their banking client ID, date of birth, and the PIN code for their banking card. It also asks them to turn on the NFC feature on their smartphones. Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card.

In addition to the technique used by the NGate malware, an attacker with physical access to payment cards can potentially copy and emulate them. This technique could be employed by an attacker attempting to read cards through unattended purses, wallets, backpacks, or smartphone cases that hold cards, particularly in public and crowded places. This scenario, however, is generally limited to making small contactless payments at terminal points.

“Ensuring protection from such complex attacks requires the use of certain proactive steps against tactics like phishing, social engineering, and Android malware. This means checking URLs of websites, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, turning off the NFC function when it is not needed, using protective cases, or using virtual cards protected by authentication,” advises Štefanko.

For more technical information about the novel NFC threat, check out the blogpost “NGate Android malware relays NFC traffic to steal cash” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Overview of the attack

• Standard phishing delivery techniques were combined with a novel method of phishing, targeting Android and iPhone (iOS) users via PWAs, and on Android also via WebAPKs, ESET Research discovers.
• Installations of PWA/WebAPK applications do not include warnings to the user concerning the installation of a third-party application.
• On Android, these phishing WebAPKs even appear to have been installed from the Google Play store.
• Most of the observed applications targeted clients of Czech banks, but ESET also spotted  apps targeting banks in both Hungary and Georgia.
• Based on the C&C servers utilized, and the backend infrastructure, ESET concludes that two different threat actors were operating the campaigns.
• ESET notified the victims’ banks in order to protect them, and assisted with the takedowns of multiple phishing domains and C&C servers.

BRATISLAVA, PRAGUE — August 20, 2024 — ESET Research discovered an uncommon type of phishing campaign targeting mobile users, and analyzed a case observed in the wild that targeted clients of a prominent Czech bank. This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation. On Android, this could result in the silent installation of a special kind of APK, which even appears to be installed from the Google Play store. The threat targeted iPhone (iOS) users as well.

The phishing websites targeting iOS instruct victims to add a Progressive Web Application (PWA) to their home screens, while on Android, the PWA is installed after confirming custom pop-ups in the browser. At this point, on both operating systems, these phishing apps are largely indistinguishable from the real banking apps that they mimic. PWAs are essentially websites bundled into what feels like a stand-alone application, with this feeling being enhanced by the use of native system prompts. PWAs, just like websites, are cross-platform, which explains how these PWA phishing campaigns can target both iOS and Android users. The novel technique was observed in Czechia by ESET analysts working on the ESET Brand Intelligence Service, which provides monitoring of threats targeting a client’s brand.

“For iPhone users, such an action might break any ‘walled garden’ assumptions about security,” says ESET researcher Jakub Osmani, who analyzed the threat.

ESET analysts’ discovery of a series of phishing campaigns, targeting mobile users, used three different URL delivery mechanisms. These mechanisms include automated voice calls, SMS messages, and social media malvertising. The voice call delivery is done via an automated call that warns the user about an out-of-date banking app, and asks the user to select an option on the numerical keyboard. After  the correct button is pressed, a phishing URL is sent via SMS, as was reported in a tweet. Initial delivery by SMS was performed by sending messages indiscriminately to Czech phone numbers. The message sent included a phishing link and text to socially engineer victims into visiting the link. The malicious campaign was spread via registered advertisements on Meta platforms like Instagram and Facebook. These ads included a call to action, like a limited offer for users who “download an update below.”

After opening the URL delivered in the first stage, Android victims are presented with two distinct campaigns, either a high-quality phishing page imitating the official Google Play store page for the targeted banking application, or a copycat website for that application. From here, victims are asked to install a “new version” of the banking app.

The phishing campaign and method are possible only because of the technology of progressive web applications. In short, PWAs are applications built using traditional web application technologies that can run on multiple platforms and devices. WebAPKs could be considered an upgraded version of progressive web apps, as the Chrome browser generates a native Android application from a PWA: in other words, an APK. These WebAPKs look like regular native apps. Furthermore, installing a WebAPK does not produce any of the “installation from an untrusted source” warnings. The app will even be installed if installation from third-party sources is not allowed.

One group used a Telegram bot to log all entered information into a Telegram group chat via the official Telegram API, while another used a traditional Command & Control (C&C) server with an administrative panel. “Based on the fact that the campaigns used two distinct C&C infrastructures, we have determined that two separate groups were operating the PWA/WebAPK phishing campaigns against several banks,” concludes Osmani. Most of the known cases have taken place in Czechia, with only two phishing applications appearing outside of the country (specifically in Hungary and Georgia).

All sensitive information found by ESET research on this matter was promptly sent to the affected banks for processing. ESET also assisted with the takedowns of multiple phishing domains and C&C servers.

For more technical information about this novel phishing threat, check out the blogpost “Be careful what you pwish for – Phishing in PWA applications” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.