"New APT ChamelGang Targets Russian Energy, Aviation Orgs"

A new APT group has emerged that is specifically targeting the fuel and energy complex and the aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server's ProxyShell and leveraging both new and existing malware to compromise networks. Since March, researchers at security firm Positive Technologies have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities. Though the attackers have mainly been seen targeting Russian organizations, they have attacked targets in 10 countries so far.

To avoid detection, ChamelGang hides its malware and network infrastructure behind the legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM, and Google in two distinctive ways, researchers observed. One is to acquire domains that imitate their legitimate counterparts, such as newtrendmicro.com, centralgoogle.com, microsoft-support.net, cdn-chrome.com, and mcafee-upgrade.com. The other is to place SSL certificates on its servers that also mimic legitimate ones, such as github.com, ibm.com, jquery.com, and update.microsoft-support.net.

ChamelGang, like Nobelium and REvil before it, has hopped on the bandwagon of attacking the supply chain first to gain access to its ultimate target. In one of the cases analyzed by Positive Technologies, the group compromised a subsidiary and penetrated the target company's network through it.

The researchers stated that the attackers also appear malware-agnostic when it comes to tactics, using known malicious programs such as FRP, Cobalt Strike Beacon, and Tiny Shell as well as the previously unknown malware ProxyT, BeaconLoader, and the DoorMe backdoor.
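As an added illustration (not code from the article or from Positive Technologies' report), the following Python triage helper flags the two infrastructure tricks described above, using the article's lookalike domains as constructed sample input. The brand-to-domain table, the sample certificate names, and the naive registrable-domain logic are assumptions made for the example.

```python
# Constructed brand table (assumption): brand keyword -> domains the brand really owns.
KNOWN_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"}, "trendmicro": {"trendmicro.com"},
    "mcafee": {"mcafee.com"}, "google": {"google.com"}, "chrome": {"google.com"},
    "ibm": {"ibm.com"}, "github": {"github.com"}, "jquery": {"jquery.com"},
}

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); fine for the .com/.net sample data,
    a production check should use the Public Suffix List instead."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_lookalike(host):
    """Return the impersonated brand when the registrable label carries a brand
    keyword but the registrable domain is not one that brand owns, else None."""
    reg = registrable_domain(host)
    label = reg.split(".")[0].replace("-", "")
    for brand, owned in KNOWN_BRAND_DOMAINS.items():
        if brand in label and reg not in owned:
            return brand
    return None

def cert_covers_host(host, cert_names):
    """True if the certificate's CN/SAN names (wildcards included) cover host."""
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name.startswith("*.") and host.split(".", 1)[1:] == [name[2:]]:
            return True
        if name == host:
            return True
    return False

# Constructed observations: (server hostname, names found in the certificate it served).
SAMPLE_OBSERVATIONS = [
    ("update.microsoft-support.net", {"github.com"}),
    ("cdn-chrome.com", {"jquery.com"}),
    ("www.microsoft.com", {"www.microsoft.com", "*.microsoft.com"}),
]

def triage(observations):
    """Return (host, finding) pairs for brand lookalikes and for hosts whose
    certificate does not actually cover their own name."""
    findings = []
    for host, cert_names in observations:
        brand = brand_lookalike(host)
        if brand:
            findings.append((host, f"lookalike of {brand}"))
        if not cert_covers_host(host, cert_names):
            findings.append((host, "certificate names do not match host"))
    return findings
```

Running `triage` over passive-DNS or TLS-inspection output in this shape surfaces both the typosquatted registrations and the servers presenting certificates for names they do not own.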


Threatpost reports: "New APT ChamelGang Targets Russian Energy, Aviation Orgs"