A
You're listening to the Cyberwire Network, powered by N2K.
B
Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
C
As Russia is focusing more and more on Hugo and the Ukraine, of course we are seeing a little bit of conflict between Russian and Chinese APTs. So we pay a lot of attention to countries that are in areas of interest for these two powers.
B
That's Martin Zoujek, Technical Solutions Director at Bitdefender. The research we're discussing today is titled Famous Sparrow APT Targets Azerbaijani Oil and Gas Industry. Well, take us through the research. What initially caught your attention here and what did you discover?
C
So what initially got our attention was actually old news, because we found some of the malware, DeedRAT for example, that is associated with the Famous Sparrow APT group. But what we found out early on is that these malware samples are slightly modified compared to what is publicly known. So that is always a sign that the portfolio of the APT keeps developing and keeps changing. So we are always interested in following it. Any time we find a new version of known malware, it is something that we pay a lot of attention to. So we started following the whole case, the whole incident, and we discovered there is actually quite a lot of new stuff, and that's how this research came together. So it started with us finding a modified version of known malware, and then we started discovering the whole operation behind it.
B
Well, reading through the research, there were three waves of activity. What changed each time? Can you take us through what you all saw?
C
Yes, so exactly, there were three waves of activity and all of them came through the same door. So all of them came through Exchange Server. So ProxyHell, ProxyShell, ProxyNotShell, we call it internally ProxyHell. It's kind of all-encompassing, right? It's really nothing new, because we've been talking about it since 2022: more and more threat actors are focused on vulnerability exploits. And every single year this is becoming more obvious. So this was one of those cases where you have one of these services that is commonly targeted. You don't patch it. It's only a question of time who and how many threat actors will get inside the same door. So what we saw here was three separate waves of attack, every time focusing on ProxyNotShell exploitation of Microsoft Exchange, but every time using a slightly different version of the malware where they were trying to establish persistence in this environment. We've also seen that the victim in this case discovered this ongoing operation. They tried to clean it up, but unfortunately they never closed the door that the attackers used. So they came back with a different set of malware.
B
Who was the victim in this case? The research mentions Azerbaijani oil and gas industry folks. Is that the degree to which we can identify them?
C
Yes, it is.
B
Fair enough. What do we suppose the attackers were after here? Is this an espionage kind of thing? Are they looking to gain control? Any insights there?
C
So in this case, it was almost certainly an espionage operation. The reason why we decided to name the country and industry is that Azerbaijan is becoming critically important for Europe and the European Union. We documented, we didn't go too much into the geopolitical implications here, but Azerbaijan has been expanding its role as a strategic energy partner for Europe, including Germany, Austria; I believe they signed the contracts in the last 12 months or so. So this is definitely an important energy partner for Europe. And that's what we believe. And again, it's pretty much always, I would say, an educated guess, because in cyber espionage you never have all the information. So you need to make a lot of assumptions based on what you see. And again, in this case what we can see is that this was, in our opinion, an espionage operation, specifically because of how Azerbaijan is becoming more important for Europe.
B
I see the research mentions the use of DLL sideloading and particular techniques with that. Can you explain to us what that means and why the threat actors may have selected this technique?
C
So for me, if we put aside all the geopolitical implications, the DLL sideloading was the most interesting part of this research. Now, before we get to what is new about this one, if you don't mind, let me just briefly talk about DLL sideloading in general. So DLL sideloading is a defense evasion technique where the threat actors are actually relying on the behavior of the Windows operating system. What they are going to do is use a legitimate process. When you run that process, it's going to load the libraries where the functions available to the program live, and they can replace the library with a malicious library that has the same name; that is the most common method. And pretty much what you are going to see, if you are a defender and you are monitoring, is, let's say, Outlook.exe, a legitimate process signed by Microsoft in this case, and on execution it is going to load a library that is malicious. So that is DLL sideloading. Now, a couple of years ago (and the last few weeks are kind of blending together, so I cannot say when) we started noticing DLL sideloading appearing more and more. We actually did a detailed explainer when we first encountered it, because there was not enough information for what we were seeing. The most important takeaway is the following, in my opinion. When we saw DLL sideloading being used as an effective technique, in a very short time the same technique was adopted by various different APT groups and then by financially motivated cybercriminals. So there was a very short time between "this is a new technique" (well, the technique itself has been known for a long time, but this is a kind of new technique that is becoming more popular) and the moment when this became a commodity technique, especially across the Chinese APT ecosystem. So there are a lot of theories behind one thing that we are seeing with all these advanced APT groups.
There must be, for lack of a better word, what I'm going to call academies for teaching offensive researchers. So what we are seeing very often is one group comes up with a new approach and very quickly all the groups from the same ecosystem are going to adopt that technique. Why it matters is that any time we discover a new advanced version, for example of DLL sideloading, even if we found it in a specific country, in this case Azerbaijan, it's really critical to pay attention, because you are going to see the same technique used by other APT groups in the next few months, essentially. So that is why, even though the research is specifically focused on the oil and gas industry in Azerbaijan, this specific technique is really critical, because again, we believe this will be adopted by multiple groups with different workloads in the next few months.
B
Wow.
C
So that is kind of a high level, a little bit of history and why this matters. Now I can tell you what was new and different about the DLL sideloading in this case, maybe.
B
Yeah, please.
C
So typically, as I mentioned, the way DLL sideloading works is you have a legitimate process, a legitimate executable. When you execute it, it's going to locate a library that has been replaced, it's going to load that library and execute the malicious code inside. We have a lot of detection technology that is already looking at this, looking at unusual locations and this behavior. What was advanced in this case is that the malicious code itself is not initialized when the library is loaded. Instead there were multiple separate steps, and only when they all work together is the malicious code executed. So when the host executable is executed, in this case it's going to load the malicious DLL and it's going to trigger one of the functions. The function in this malicious library is just going to patch one of the APIs in memory to create a hook. It is not going to execute anything malicious, and then it's going to stop. Going back to that legitimate process that loaded this library and executed one of the functions: it will continue with execution until it comes to the moment when it's going to call another function from the same library, and it is the second function that is going to pretty much execute the loader from the API, restore the payload and execute it. So what this means is that the detection logic we typically see in these malicious libraries is looking at, hey, am I running in a sandbox? Is this a virtual environment? There is a lot of logic like this. In this case, this is not needed, because this advanced DLL sideloading is completely hidden from security sandboxes. So if the sandbox executes it, it is most probably, in most cases, just going to say, hey, all of this is completely clean, I haven't seen anything suspicious.
B
And that's because it's happening in multiple stages.
C
Yes. And you need to execute those stages in a specific order. So for example, if you have a look at this library, try to analyze what the exported functions are, which functions are available to you, and then you try to execute those functions one by one, there is not going to be any malicious behavior. You need to execute those functions in the same session and in a specific order, and only then does it become malicious. So for any kind of analysis, this is actually going to be really hard to observe. I remember when we were working on this research, I immediately went, okay, let me have a look at VirusTotal. And this was completely undetected by all the engines.
B
Now the research mentions deployment of a couple of backdoor families. You've got DeedRAT and TurnDoor. What part do they play in all this?
C
Yes, so there were a couple of different backdoors that they've used. And pretty much all of this was for the threat actors after gaining access. Again, same door every single time. They were just trying to use some of these backdoors that are well known to us. The only thing that was interesting for us is that there were slight modifications between them. Some bits have been changed. So again, for us, this is kind of the proof that the toolkit itself continues being actively developed and modified.
B
What are the opportunities for detection here? If I'm a defender, what should I be looking for?
C
So we share it, as we always do. The complete list of IOCs is publicly available, which we are doing every single time. My recommendation, the reason why we share this, is also giving opportunities for other security companies to test out this new technique of DLL sideloading and make sure that their technology is able to recognize and detect when this is happening. Typically with DLL sideloading attacks, it is a combination of a legitimate executable with a malicious DLL. We documented which executable was used in this case. But as I mentioned before, DLL sideloading is not a vulnerability of a specific executable, it is legitimate behavior of the Windows operating system that the threat actors are abusing. So again, we are pretty sure that we are not only going to see the same technique used by different groups, but we are also going to see different executables that are vulnerable to the same execution flow.
B
You mentioned that the victim organization had discovered some things and made efforts to remove the malware, but ultimately they were not successful. Why did they come up short?
C
So that is something that I have very strong opinions about. Again, we have been documenting for many years how the threat actors are very actively looking for Internet-facing services and abusing them. And we are still seeing organizations are very slow in patching, and they still don't understand how the time to exploit is shortening dramatically. So there are a lot, a lot of reports and numbers related to how quickly these new vulnerabilities are weaponized. Typically, last year we've been talking about, when there is a new vulnerability and a POC is available, you have less than 24 hours before weaponization is industrialized, is what I would call it. So again, this is another example of an attack that we've seen many and many and many times over the last few weeks. We did have interesting research in 2024 or 2025 where one of these exposed Internet-facing services was compromised as well and the customer hadn't patched it for a month. A few years ago, leaving something unpatched for a month was not considered such a big deal. But for example, what we've seen with this victim, again from different research, was that within a month after the vulnerability was announced, so pretty much 24 hours after the vulnerability was discovered we started seeing attacks, and one month later we have seen 70 different threat actors occupying the same machine in the DMZ. So again, whether you are looking at ransomware groups, initial access brokers, APTs, for all of them, any Internet-facing service, any vulnerability that leads to remote code execution is immediately a huge target that they will start focusing on.
B
What are ultimately the takeaways here? Based on the information you all have gathered and shared, what do you hope people come away with?
C
So one of the key takeaways here should be it is important to pay attention to research even if it is not in your geo. So as I mentioned before, we actually spent quite a lot of time discussing how to address something like this, because it is oil and gas, it's in Azerbaijan, and at the same time we believe everyone should pay attention to this research, because it is talking about a technique that is going to be used everywhere very soon. So again, one of the takeaways should be understand how APT groups are working together, how they are sharing the knowledge, and this is different for different countries. I would say they have different approaches to this, but again, for example with Chinese APTs, what we are seeing is any time one of the groups comes up with a new offensive technique, all of them are going to adopt it real quick.
B
Our thanks to Martin Zoujek from Bitdefender for joining us. The research is titled Famous Sparrow APT Targets Azerbaijani Oil and Gas Industry. We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Episode Title: This Sparrow doesn’t migrate.
Date: June 13, 2026
Host: Dave Bittner (N2K Networks)
Guest: Martin Zoujek, Technical Solutions Director at Bitdefender
Topic: Famous Sparrow APT Targets Azerbaijani Oil and Gas Industry
This episode of Research Saturday delves into new research from Bitdefender examining the activities of the Famous Sparrow advanced persistent threat (APT) group. The discussion focuses on their recent attacks targeting Azerbaijani oil and gas companies, highlighting evolving malware techniques—particularly advanced DLL sideloading—and exploring the broader implications for organizations worldwide.
[01:23]
"As Russia is focusing more and more on Hugo and the Ukraine, of course we are seeing a little bit of conflict between Russian and Chinese APTs. So we pay a lot of attention to countries that are in areas of interest for these two powers." — Martin Zoujek, [01:23]
[02:09]
"What we found out early on is that these malware samples are slightly modified compared to what is publicly [known]. So that is always a sign that the... APT keeps developing and keeps changing." — Martin Zoujek, [02:09]
[03:25]
"Every time focusing on ProxyNotShell exploitation of Microsoft Exchange, but every time using slightly different version of the malware where they were trying to establish persistence to this environment." — Martin Zoujek, [03:25]
[05:03]
"We believe this was... an espionage operation specifically because how Azerbaijan is becoming more important for Europe." — Martin Zoujek, [05:15]
[06:23]
"There must be... academies for teaching offensive researchers." — Martin Zoujek, [08:52] "Anytime we discover new advanced version, for example of the DLL sideloading... it's really critical to pay attention because you are going to see the same technique used by other APT groups in the next few months." — Martin Zoujek, [09:58]
[12:07] – [14:41]
"When the host executable... loads malicious DLL and... triggers one function, [it] just... creates a hook. It is not going to execute anything malicious... only then... it becomes malicious." — Martin Zoujek, [12:23 & 14:45] "This advanced DLL sideloading is completely hidden from security sandboxes." — Martin Zoujek, [13:36]
[15:36]
"There were a couple of different backdoors that they've used... all of this was for the threat actors after gaining access. Again, same door every single time." — Martin Zoujek, [15:46]
[16:23]
"DLL sideloading... is not vulnerability of specific executable, it is legitimate behavior of Windows that [threat actors are] abusing." — Martin Zoujek, [16:49]
[17:54]
"There is a lot, a lot of reports and numbers related to how quickly are these new vulnerabilities weaponized... You have less than 24 hours before weaponization is industrialized." — Martin Zoujek, [18:24]
[20:20]
"We believe everyone should pay attention to this research because it is talking about technique that is going to be used everywhere very soon." — Martin Zoujek, [20:36] "Anytime one of the groups come up with new offensive technique, all of them are going to adopt it real quick." — Martin Zoujek, [21:08]
On rapid knowledge transfer among APTs:
"There must be... academies for teaching offensive researchers." — Martin Zoujek, [08:52]
On the evolving sophistication of DLL sideloading:
"This advanced DLL sideloading is completely hidden from security sandboxes." — Martin Zoujek, [13:36]
On the importance of speed in patching:
"You have less than 24 hours before weaponization is industrialized." — Martin Zoujek, [18:24]
On the global relevance of targeted attack research:
"We believe everyone should pay attention to this research because it is talking about technique that is going to be used everywhere very soon." — Martin Zoujek, [20:36]
Martin Zoujek’s insight-rich interview underscores how modern APT activity is as much about rapidly evolving and sharing tradecraft as it is about targeting specific industries or regions. The research on Famous Sparrow not only highlights sophisticated malware delivery techniques—now able to evade many existing detection solutions—but also serves as a warning: what is novel and regional today is likely to go global tomorrow. Vigilance, prompt patching, and community sharing of technical details remain the security community’s best defense.
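To make the staged DLL sideloading described in the interview concrete, here is an added example (written for this page; it is not Bitdefender's code and reproduces no real sample). It models the two-export activation chain in a single portable C program: the first "export" only patches an entry in the host's API table, the second forwards a benign-looking call through that entry, and the decoded payload is reached only when both run in the same session and in that order. The export names, the XOR-obfuscated blob, and the function-pointer slot standing in for an in-memory API patch are all invented for illustration. The two probe functions at the bottom show why a sandbox that exercises each export in a fresh process reports "clean", while an analysis harness that keeps state and tries every call order in one session catches it.

```c
/* Added example, not from the podcast or the research: a single-process model
 * of order-dependent DLL sideloading.  Names, blob and "API table" are invented.
 * Build and run: cc -std=c99 -Wall two_stage.c -o two_stage && ./two_stage */
#include <stdio.h>
#include <string.h>

/* ---- host-process side: one import-table slot the sideloaded DLL can patch */
typedef int (*api_fn)(const char *arg);
static int real_api(const char *arg) { (void)arg; return 0; }  /* benign original */
static api_fn g_api_slot = real_api;   /* stands in for a patched IAT / in-memory hook */

/* ---- sideloaded-DLL side ------------------------------------------------ */
static int  g_payload_ran = 0;
static char g_decoded[32];

/* constructed, XOR-obfuscated "payload" (decodes to the string "payload") */
static const unsigned char k_blob[] = { 0x2A, 0x3B, 0x23, 0x36, 0x35, 0x3B, 0x3E };
static const unsigned char k_key = 0x5A;

/* stage 2: reachable only through the patched slot; restores and "runs" payload */
static int hook_fn(const char *arg)
{
    (void)arg;
    for (size_t i = 0; i < sizeof k_blob; i++)
        g_decoded[i] = (char)(k_blob[i] ^ k_key);
    g_decoded[sizeof k_blob] = '\0';
    g_payload_ran = 1;
    return 1;
}

/* Export #1 (hypothetical name): host calls it early.  Installs the hook and
 * returns; nothing malicious executes, so a one-call sandbox sees benign behaviour */
int Export_Init(void)
{
    g_api_slot = hook_fn;
    return 0;
}

/* Export #2 (hypothetical name): host calls it later.  Just forwards to the
 * API slot; the payload fires only if Export_Init already patched the slot */
int Export_Work(const char *arg)
{
    return g_api_slot(arg);
}

/* models a fresh process / fresh sandbox run: all DLL and host state reset */
void fresh_session(void)
{
    g_api_slot = real_api;
    g_payload_ran = 0;
    g_decoded[0] = '\0';
}

const char *decoded_payload(void) { return g_decoded; }

/* Harness 1 (naive sandbox): each export in its own fresh session.
 * Returns 1 if any run showed malicious behaviour; for this sample it never does. */
int probe_exports_separately(void)
{
    int seen = 0;
    fresh_session(); Export_Init();    seen |= g_payload_ran;
    fresh_session(); Export_Work("x"); seen |= g_payload_ran;
    return seen;
}

/* Harness 2 (stateful): keep the session, try every ordering of the export table */
typedef int (*export_fn)(void);
static int call_init(void) { return Export_Init(); }
static int call_work(void) { return Export_Work("x"); }

static int try_orders(export_fn *tbl, int k, int n)
{
    if (k == n) {                       /* one full permutation: run it in one session */
        fresh_session();
        for (int i = 0; i < n; i++) tbl[i]();
        return g_payload_ran;
    }
    for (int i = k; i < n; i++) {       /* recursive swap-based permutation */
        export_fn t = tbl[k]; tbl[k] = tbl[i]; tbl[i] = t;
        if (try_orders(tbl, k + 1, n)) return 1;
        t = tbl[k]; tbl[k] = tbl[i]; tbl[i] = t;
    }
    return 0;
}

int probe_exports_in_session_all_orders(void)
{
    export_fn tbl[] = { call_work, call_init };   /* deliberately start with the wrong order */
    return try_orders(tbl, 0, (int)(sizeof tbl / sizeof tbl[0]));
}

int main(void)
{
    printf("separate sessions : %s\n", probe_exports_separately() ? "MALICIOUS" : "clean");
    printf("ordered session   : %s\n", probe_exports_in_session_all_orders() ? "MALICIOUS" : "clean");
    return 0;
}
```

The permutation harness is the transferable part: for a real export table it grows factorially, so in practice an analyst would drive it with the call sequence observed from the legitimate host binary (the order in which that executable actually invokes the DLL's exports) rather than brute-forcing every ordering, and would watch for writes to executable memory after the first export returns.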