
"'discovered evidence of a captive portal hijack being used to deliver malware disguised as an Adobe Plugin update to targeted entities.' Captive portals are login pages - like the sort of thing you see when connecting to public Wi-Fi, or some corporate networks. Google found attackers compromised edge devices on the target networks and used those machines to poison captive portals so they redirect to a fake page that advises users to download necessary security updates."
"The updates are, in fact, malware that first retrieves an MSI package, then installs other malware called CANONSTAGER that deploys the SOGU.SEC backdoor, which connects to a command-and-control server. Google says the dodgy update - a file named AdobePlugins.exe - is signed by an outfit called Chengdu Nuoxin Times Technology Co. Ltd. which used a valid GlobalSign certificate. Google says it's tracking 25 known malware samples signed with a certificate issued to Chengdu Nuoxin, and says those certs are 'in use by multiple PRC-nexus activity clusters.'"
Attackers compromised edge devices to poison captive portals and redirect users to fake pages that prompt downloads of a malicious AdobePlugins.exe update. The executable, signed by Chengdu Nuoxin Times Technology Co. Ltd. with a valid GlobalSign certificate, retrieves an MSI, installs CANONSTAGER, and deploys the SOGU.SEC backdoor, which connects to a command-and-control server. Google tracked 25 samples signed with Chengdu Nuoxin certificates and linked those certificates to multiple PRC-nexus activity clusters. Attribution points to UNC6384/TEMP.Hex (Mustang Panda/Silk Typhoon/Hafnium). The campaign targeted diplomats in Southeast Asia and other global entities and appears aligned with PRC strategic espionage interests.
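A defender-side correlation check for the chain summarised above (a binary named AdobePlugins.exe or signed by the named Chengdu Nuoxin signer, spawning msiexec, whose child then connects outbound), written here as an added example rather than anything from Google's or The Register's reporting. The Sysmon-style line format, field names, hosts, pids and addresses are constructed assumptions; the signer name and file name come from the summary.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (evt 1 = process create, evt 3 = network connect).
# These lines are invented sample telemetry, not data from the reported incident.
SAMPLE_LOG = """\
host=ws01 evt=1 pid=410 ppid=388 image="C:\\Users\\a\\Downloads\\AdobePlugins.exe" signer="Chengdu Nuoxin Times Technology Co. Ltd." sig=Valid
host=ws01 evt=1 pid=422 ppid=410 image="C:\\Windows\\System32\\msiexec.exe" signer="Microsoft Windows" sig=Valid
host=ws01 evt=3 pid=422 dst=203.0.113.10 dport=443
host=ws02 evt=1 pid=500 ppid=490 image="C:\\Program Files\\Adobe\\Acrobat.exe" signer="Adobe Inc." sig=Valid
host=ws02 evt=1 pid=510 ppid=500 image="C:\\Windows\\System32\\msiexec.exe" signer="Microsoft Windows" sig=Valid
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value, value optionally quoted


def norm(s):
    """Normalise a signer name so punctuation/case variants still match."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


# Indicators taken from the summary; a valid signature alone is NOT trusted.
SUSPECT_SIGNERS = {norm("Chengdu Nuoxin Times Technology Co. Ltd.")}
SUSPECT_NAMES = {"adobeplugins.exe"}


def parse(line):
    return {k: q if q else b for k, q, b in KV.findall(line)}


def detect(log_text):
    """Return host -> stage reached: 1 suspect binary ran, 2 it spawned msiexec,
    3 that msiexec child made an outbound connection (likely staging/C2)."""
    procs = defaultdict(dict)   # host -> pid -> process-create event
    conns = defaultdict(set)    # host -> pids with outbound connections
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("evt") == "1":
            procs[ev["host"]][ev["pid"]] = ev
        elif ev.get("evt") == "3":
            conns[ev["host"]].add(ev["pid"])
    findings = {}
    for host, table in procs.items():
        for pid, ev in table.items():
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name not in SUSPECT_NAMES and norm(ev.get("signer", "")) not in SUSPECT_SIGNERS:
                continue
            stage = 1
            kids = [c for c in table.values()
                    if c["ppid"] == pid and c["image"].lower().endswith("msiexec.exe")]
            if kids:
                stage = 3 if any(c["pid"] in conns[host] for c in kids) else 2
            findings[host] = max(stage, findings.get(host, 0))
    return findings
```

Matching on signer name is a stopgap: a revoked or reissued certificate changes the thumbprint but not the subject, so pair this with certificate-thumbprint blocking and with alerts on any captive-portal page offering a "plugin" download.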
Read at The Register