MA-940.052023: MyCERT Advisory - Snake Malware Threat From Russian Cyber Actors
1.0 Introduction
Recently, The US Cybersecurity & Infrastructure Security Agency (CISA) and partners released a joint advisory for a sophisticated cyber espionage tool used by Russian cyber actors. The advisory titled Hunting Russian Intelligence “Snake” Malware provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat.
2.0 Impact
Snake can be considered to be the most sophisticated cyber espionage tool designed and used for long-term intelligence collection on sensitive targets. The sophistication of Snake stems from three principal areas.
First, Snake employs means to achieve a rare level of stealth in its host components and network communications.
Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems.
Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.
3.0 Affected Products
Windows, MacOS, and Linux operating systems.
4.0 Recommendations
MyCERT urges organizations to review the advisory for more information and apply the recommended mitigations and detection guidance.
Kindly refer to https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a for more information on Snake malware.
Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
MA-931.042023: MyCERT Alert - RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads
1.0 Introduction
The popularity of generative AI platforms like Google Bard and OpenAI’s ChatGPT has captured audiences worldwide. Google Bard is an artificial intelligence (AI) language model developed by Google that uses deep learning techniques to generate poetry and lyrical verses. It leverages large amounts of text data to compose original and creative poems in various styles and forms, such as sonnets, haikus, and free verse. Google Bard's output is known for its coherence, rhythm, and imagery. It is a valuable tool for writers, poets, and artists seeking inspiration or looking to enhance their creative works with evocative language. Also, ChatGPT is a large language model developed by OpenAI based on the GPT-3.5 architecture. It is an advanced AI chatbot trained to understand and generate human-like text responses. ChatGPT can interact with users on various topics, providing information, answering questions, and generating text-based responses. It is designed to understand context, contextually respond to user queries, and provide detailed and coherent responses. ChatGPT has been trained on a vast amount of text data, allowing it to generate fluent and coherent text, and making it a powerful tool for various applications, including customer service, content creation, and virtual assistance.
Security experts uncovered a new campaign to spread the RedLine Stealer malware strain by taking advantage of the popularity of these AI platforms. The malware was first spotted in March 2020, Redline Stealer is a piece of malware that specifically targets end users. Distributed through compromised software downloads, phishing, and drive by downloads. RedLine Stealer is a type of malware sold as ‘malware-as-a-a-service’ (MaaS), which can be purchased on underground forums. It is designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data. In addition, it can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software. The malware can upload and download files, execute commands, and regularly send information about the infected computer to the perpetrators.
2.0 Impact
Successful execution of the malware at victims’ computers allows sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data will be stolen from the victims’ computers. In addition, it can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software.
3.0 Technical Details
The MaaS ecosystem is supported by online discussion boards that serve as markets for hackers to sell their malware and stolen information. Access to viruses, stolen data, and even hacking tools are just a few of these forums' services. Sometimes, forum moderators serve as a middleman between buyers and sellers and receive a revenue cut.
Figure 2: Screenshot of the RedLine Stealer Malware Ad, used for the Open AI campaign in Dark Web Marketplace
On the dark web, malware employed in the attacks can be sold for $100 to $150. One-time purchases or monthly subscriptions are the two ways it is offered for sale.
Figure 3: The different Malware bundles available to purchase
After acquiring and using the malware, hackers sell the stolen information to other hackers specialising in online fraud in dark web forums, allowing them to concentrate on their illegal business model. They primarily utilise the messaging service Telegram to buy and disseminate RedLine Stealer malware since it offers more secrecy and encryption for their operations.
3.1 Modus Operandi - Using Facebook
The modus operandi of the RedLine Stealer malware is stealing login credentials from popular Facebook communities or company profiles with thousands of followers. The perpetrators then spread sponsored posts encouraging users to download free the “alleged” ChatGPT or Google Bard files, as shown in Figures 4 and 5.
Figure 4: Facebook post advertising to download ChatGPT-V4