The Russian state-backed Star Blizzard hacker group has ramped up operations with new, constantly evolving malware families (NoRobot, MaybeRobot) deployed in complex delivery chains that start with ClickFix social engineering attacks.
Also known as ColdRiver, UNC4057, and Callisto, the Star Blizzard threat group abandoned the LostKeys malware less than a week after researchers published their analysis and leveraged the *Robot malicious tools "more aggressively" than in any of its previous campaigns.
In a report in May, the Google Threat Intelligence Group (GTIG) said that it observed the LostKeys malware being leveraged in attacks on Western governments, journalists, think tanks, and non-governmental organizations.
The malware was used for espionage purposes, its capabilities including data exfiltration based on a hardcoded list of extensions and directories.
GTIG researchers say that after they publicly disclosed the LostKeys malware, ColdRiver completely abandoned it and, just five days later, started deploying new malicious tools in its operations, tracked as NOROBOT, YESROBOT, and MAYBEROBOT.
According to GTIG, the retooling started with NOROBOT, a malicious DLL delivered through “ClickFix” attacks involving fake CAPTCHA pages that tricked the target into executing it via rundll32 under the guise of a verification process.
The hackers try to trick the target into completing an "I am not a robot" CAPTCHA challenge to prove they are human by executing a command that launches the NOROBOT malware.
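From the defender's side, the delivery step above leaves a recognisable trace: rundll32 started from an interactive parent (the Run dialog is spawned by explorer.exe) with a DLL that lives outside the Windows system directories. The following detector is an added example, not code from Google's or Zscaler's reports; the sample events are constructed, and the interactive-parent and trusted-directory heuristic is an assumption chosen for this illustration.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\verify.dll,Check"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

# Assumed heuristic: DLLs under these directories are considered expected.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Parents that indicate a user typed or pasted the command (assumption).
INTERACTIVE_PARENTS = ("explorer.exe", "cmd.exe", "powershell.exe")

# Pull the DLL argument out of a rundll32 command line ("path.dll,Export").
DLL_ARG = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+\.dll)', re.IGNORECASE)


def dll_path(cmdline):
    """Return the DLL path passed to rundll32, or None if not present."""
    match = DLL_ARG.search(cmdline)
    return match.group(1) if match else None


def is_suspicious_rundll32(event):
    """True when rundll32 runs from an interactive parent and loads a DLL
    that is not under a trusted Windows directory."""
    if not event["Image"].lower().endswith("rundll32.exe"):
        return False
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    path = dll_path(event["CommandLine"])
    if path is None or parent not in INTERACTIVE_PARENTS:
        return False
    return not path.lower().startswith(TRUSTED_DLL_DIRS)


def find_suspicious(events):
    """Return the command lines of events matching the heuristic."""
    return [e["CommandLine"] for e in events if is_suspicious_rundll32(e)]
```

Tune the parent list and trusted directories to your own environment before alerting on this; legitimate tooling launched interactively can also invoke rundll32.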
ClickFix page used to deliver NOROBOT
Source: Google
Researchers at cloud security company Zscaler analyzed NOROBOT in September and named it BAITSWITCH, along with its payload, a backdoor they called SIMPLEFIX.