CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Nation-State·Mobile & Wireless

Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit

The state-sponsored group’s campaign has targeted government, higher education, financial, and legal entities, as well as think tanks. The post Russian APT Star Blizzard Adopts DarkSword iOS Exploit Kit appeared first on SecurityWeek.

Star Blizzard Russia APT

A Russian state-sponsored hacking group tracked as Star Blizzard has adopted the DarkSword iOS exploit kit in an ongoing campaign, Proofpoint reports.

On Friday, investigation platform Malfors warned that a Russian threat actor has been using Atlantic Council lures in an email campaign delivering the DarkSword-linked GhostBlade malware.

Shortly after, Proofpoint attributed the campaign to Star Blizzard, an APT associated with the Russian intelligence service FSB and which is also tracked as Callisto, ColdRiver, SeaBorgium, and TA446.

According to the cybersecurity firm, the messages were observed on March 26 and originated from multiple compromised sender addresses.

Over the past two weeks, Proofpoint says, Star Blizzard has significantly increased the volume of malicious emails compared to its normal operational tempo.

The March 26 activity represented a similar spike in volume and marked another shift in attack tradecraft: the emails contained links instead of malicious attachments.

“Proofpoint automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering to only redirect iPhone browsers to the exploit kit,” the cybersecurity firm says.

It also notes that it has found evidence that Star Blizzard has added the DarkSword iOS exploit kit to its arsenal, pointing out that this is the first time the APT has been seen targeting iCloud accounts and Apple devices.

The evidence, Proofpoint notes, includes a DarkSword loader uploaded to VirusTotal that references a second-stage domain associated with the hacking group, and a submission on @URLScan showing the use of the exploit.

The known Star Blizzard domain was “serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed,” Proofpoint says.

The cybersecurity firm has not observed the exploit kit’s delivery, but believes that the Russian APT has adopted it for credential harvesting and intelligence collection after someone leaked it on GitHub.

The Atlantic Council-themed campaign has targeted financial, government, higher education, and legal entities, as well as think tanks, “indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set,” Proofpoint notes.

Related: Coruna iOS Exploit Kit Likely an Update to Operation Triangulation

Related: Russian APT Exploits Zimbra Vulnerability Against Ukraine

Related: Ex-US Defense Contractor Executive Jailed for Selling Exploits to Russia

Related: Russia-Linked APT Star Blizzard Uses ClickFix to Deploy New LostKeys Malware, Google Warns

Latest News

CYBERNEWSMEDIAPublisher