Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

4/7/2021
05:10 PM
Kelly Sheridan
Kelly Sheridan
Quick Hits
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Voice-Changing Software Found on APT Attackers' Server

Security researchers believe the presence of Morph Vox Pro could indicate APT-C-23 has new plans for their phishing campaigns.

The discovery of voice-changing software on the server of APT-C-23 could have implications for the group's future phishing attacks, Cado Security researchers report.

APT-C-23, a group connected to attacks in the Middle East, is known as part of a larger group called "Molerats" that is mostly located in Palestine, the report states. Molerats usually target political parties in Palestine and the Israeli government, specifically the Israeli Defense Force (IDF). On occasion, the attackers have also been known to target Western governments.

Cado Security calls APT-C-23 "a medium-sophistication" group and notes it typically relies on social engineering to manipulate victims into downloading malware. In the past, the group has been known to impersonate women to trick their targets into installing malicious applications.

"The reason they're doing this is espionage, and then what they're doing with this data, is mostly trying to track what people are up to and I think help them on the ground a bit," says Cado Security co-founder and CTO Chris Doman.

Researchers found a server belonging to APT-C-23 in early 2020. The server had previously been identified as serving malware in targeted attacks; however, a misconfiguration had since made the attackers' toolset publicly available. By the time they discovered it, the toolkit contained malware used for espionage, tools to identify vulnerable routers, custom tooling to leverage compromised email accounts to send phishing emails, and a phishing code for webmail logins.

"It's pretty common to find these servers spun up to serve malware to targets or to receive commands from that malware," he adds. "Interestingly in this case, they left the server open." 

Molerats use a number of different malware families, researchers state, but most start with a self-extracting rar archive. The archives execute MSHTA/VBScript downloaders, which are used to install the H-Worm backdoor, they explain in a blog post.

The server's most interesting tool was a voice-changing application called Morph Vox Pro, which included a serial key and voices pack. Given APT-C-23's previous phishing campaigns, researchers speculate the group is using this tool to produce audio messages that could be used to convince targets to install malware.

In analyzing the server, researchers also learned more about how attackers deliver malware. For example, an application provided guidance on how to bulk-send phishing emails to targets. A separate file contained sample commands to find vulnerable routers with ZoomEye, an Internet scanning service. A "support" folder held a credential phishing page for Microsoft accounts.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "Elon, I think our cover's been blown."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31597
PUBLISHED: 2021-04-23
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
CVE-2021-2296
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2297
PUBLISHED: 2021-04-22
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromi...
CVE-2021-2298
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attac...
CVE-2021-2299
PUBLISHED: 2021-04-22
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.23 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful atta...