CTI Roundup: Sniper Dz, Elastic 2024 Global Threat Report Insights, and Andariel Financial Attacks

In this week’s roundup, CTI provides an overview of the Sniper Dz phishing-as-a-service (PhaaS) platform, including its infrastructure and tactics. Next up, CTI provides key takeaways from Elastic Security Labs’ 2024 Global Threat Report. CTI also looks at recent evidence that multiple organizations in the U.S. were targeted by the North Korean state-sponsored actor known as Andariel (aka Stonefly).

Sniper Dz targets social media and online services

Palo Alto has been closely monitoring the Sniper Dz phishing-as-a-service (PhaaS) platform and has shared their analysis of the platform’s infrastructure and tactics.

According to Palo Alto, Sniper Dz targets popular social media platforms and online services and has at least 140,000 associated phishing websites.

A closer look at the Sniper Dz platform

The Sniper Dz platform enables actors to carry out phishing attacks easily, as its admin panel allows actors to generate phishing pages quickly. To access the admin panel, actors must create an account with an email address. With this account, they can access a range of phishing pages that target different brands and users.

After gaining access to the platform, threat actors have two methods of launching attacks:

1. Phishing pages hosted on Sniper Dz infrastructure
2. Downloadable phishing templates hosted on other infrastructure

Sniper Dz’s phishing pages/templates

With this tactic, the actor doesn’t have to set up a web server to host the sites, and content for the phishing pages is hidden behind proxy servers. If the actor uses the downloadable phishing templates on their infrastructure instead, they have many options.

[Read also: What is Business Email Compromise (BEC)? What to know about the rising costs of BEC attacks]

Infrastructure and tactics

Sniper Dz hides its phishing content behind public proxy servers. The service abuses the legitimate public proxy server proxymesh[.]com.

The group configures the proxy server to load phishing content without direct communication automatically. By doing this, the group helps to protect their backend servers since the browser will see the proxy server as responsible for loading the phishing site.

In addition, the group obfuscates their phishing template code and exfiltrating credentials to a centralized infrastructure owned by Sniper Dz.

Tracking victims and templates

Sniper Dz keeps track of its victims with the help of embedded custom JavaScript and analytics servers.

The script will load a tracker from a legitimate analytics server to track victims who visit the links hosted on their infrastructure and those hosted on different infrastructures.

Known attacks using Sniper Dz

Since 2023, Palo Alto has discovered more than 140,000 phishing pages associated with Sniper Dz.

The group has remained active during this time, though it seemingly peaked towards the end of 2023. Sniper Dz has thousands of customers, with 7,156 subscribers on its Telegram channel as of August 2024.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Palo Alto’s research indicates that many actors could leverage the Sniper Dz PhaaS platform based on their number of Telegram subscribers and infrastructure.

Telegram recently updated its privacy policy, noting that it will now share users’ phone numbers and IP addresses with law enforcement following court orders. This policy change could entice threat actors to migrate their business.

That said, it will be interesting to see if malicious services sold on Telegram, such as Sniper Dz, will continue to thrive on Telegram or elsewhere.

Elastic Security Labs releases its 2024 Global Threat Report

Elastic Security Labs has released its Global Threat Report for 2024, which includes the latest cybersecurity threats and trends in generative AI, malware, endpoint behaviors, and cloud security.

Generative AI

Elastic has observed threat actors leveraging generative AI in a few ways, one of the most obvious being phishing campaigns. Unsurprisingly, actors can use AI to scale their operations and enhance their social engineering by more easily personalizing their campaigns. An expansion of this is seen with the current rise of deepfakes.

In addition to phishing, actors are leveraging AI for malware development. This has not yet been widely adopted but is slowly growing.

[Read also: Racing to deploy GenAI? Learn how good security starts with good governance]

Malware detections

Elastic’s report also explores different types of malware in the wild and targeted operating systems. Windows is still the top-targeted operating system.

They looked at YARA signatures for malware types and categories to break their data down. They found that Trojans overwhelmingly made up most of the malware they observed.

Lastly, looking at malware families, the top families were Cobalt Strike and Metasploit.

Endpoint behaviors

Elastic looked at the most commonly observed tactics, techniques, and procedures (TTPs) across Windows, macOS, and Linux. Most endpoint behaviors they observed were related to defense evasion, accounting for 38.99% of all observed tactics, down 6% from the previous year. Execution and persistence followed as the next leading tactics, with a combined approximate amount of 30%.

The most common techniques for Windows were process injection, system binary proxy execution, and impair defenses. For Linux, impair defenses was the top technique, followed by file and directory permissions modifications.

Lastly, reflective code loading was the top defense evasion technique for macOS, followed by subverting trust control and indicator removal.
 

Cloud security

Elastic determined that organizations are still misconfiguring cloud environments and/or not implementing the appropriate security protections, enabling threat actors to thrive in these environments.

One of the most common issues they observed was related to storage, with 47% of Azure failures tied to storage accounts and about 30% of AWS failures coming from S3 checks.

Analyst comments from Tanium’s Cyber Threat Intelligence team

Elastic’s report goes deeper than many other trend reports out there, breaking things down by specific tactics.

One of the most interesting takeaways was Elastic’s comment about the impact – or lack thereof – of AI:

Artificial intelligence capabilities didn’t transform the landscape for better or worse — it didn’t lead to an explosion of new threats and it didn’t create such an advantage where all threats were eliminated.

This is an important reminder that while AI is commonly talked about and can provide advantages to threat actors, we’re not seeing this explosive adoption of AI across the threat landscape just yet.

Andariel launches financial attacks against U.S. organizations

Symantec recently uncovered evidence that North Korea’s Andariel group targeted multiple organizations in the U.S.

According to Symantec, the actor failed to deploy ransomware to these victims. The attacks indicate that this actor continues to conduct attacks, even though they are the subject of a recent indictment.

Who is Andariel?

The Andariel group is linked to the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).

This actor first appeared in 2009 when it carried out DDoS attacks against several South Korean, U.S. government, and financial websites.

Attribution

Symantec determined that the Andariel group is continuing to conduct financially motivated attacks, particularly against U.S. organizations.

In multiple attacks, the actor deployed its custom malware, Backdoor.Preft, which has been previously attributed to this group. The attacks also left behind several indicators of compromise that Microsoft previously identified in Andariel attacks.

In July 2024, the U.S. Justice Department indicted a North Korean individual on charges related to a recent Andariel attack. The individual is charged with being involved in extorting U.S. hospitals and others between 2021 and 2023, laundering ransom proceeds, and using those proceeds to fund other cyberattacks against defense, technology, and government sectors globally.

Some targets of these follow-on attacks include two U.S. Air Force bases and NASA-OIG.

What tools does Andariel use?

As noted, this actor commonly leverages malware called Preft, a multi-stage backdoor that can download files, upload files, execute commands, and download additional plugins.

The actor also uses an additional backdoor called Nukebot that has similar functionality but with the addition of screenshot capabilities. This tool’s source code has been leaked previously, which is likely how this actor obtained access to the tool.

The actor is also observed using more common tools like malicious batch files, Mimikatz, keyloggers, Sliver, Chisel, PuTTY, Plink, Megatools, Snap2HTML, and FRP.

Analyst comments from Tanium’s Cyber Threat Intelligence team

As Symantec points out:

The indictment naming one of its members has not yet led to a cessation of activity.

If anything, it seems as though the indictment has encouraged the group to continue its activities, especially against the U.S. This group has been around for well over a decade and has survived several forms of disruption, and it’s likely that we’ll continue to see this group thrive for some time.

---

Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.