❌
There are new articles available, click to refresh the page.

TAG Bulletin: Q4 2021

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2021. It was last updated on February 7, 2022.OctoberWe terminated 9 Y…

TAG Bulletin: Q3 2021

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2021. It was last updated on October 29, 2021.


July 

  • We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Ukrainian and Russian that was supportive of Russia’s government and critical of the Ukrainian military. We received leads from FireEye that supported us in this investigation.
  • We blocked 10 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of Ukraine’s government and supportive of Russia.
  • We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Iraq. This campaign uploaded content in Arabic that was supportive of Iran-backed militias and critical of the U.S. and its allies. Our findings are similar to findings reported by Facebook.
  • We terminated 7 YouTube channels as part of our investigation into coordinated influence operations linked to Jordan. This campaign uploaded content in Arabic that was supportive of the Jordanian government and critical of its opposition. Our findings are similar to findings reported by Facebook.
  • We terminated 15 YouTube channels as part of our investigation into coordinated influence operations linked to Algeria. This campaign uploaded content in Arabic that was supportive of the Algerian government and its military. Our findings are similar to findings reported by Facebook. We received leads from Graphika that supported us in this investigation.
  • We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was critical of certain local politicians in Campeche, Mexico. Our findings are similar to findings reported by Facebook.
  • We terminated 4 YouTube channels as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was supportive of a member of the National Action Party. Our findings are similar to findings reported by Facebook.
  • We terminated 16 YouTube channels and 1 ads account as part of our investigation into coordinated influence operations linked to Sudan. This campaign uploaded content in Arabic that was supportive of the Muslim Brotherhood and critical of the current Sudanese government. Our findings are similar to findings reported by Facebook.
  • We terminated 850 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

August

  • We terminated 1 advertising account and blocked 2 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Arabic that was supportive of Syria’s and Russia’s governments.
  • We terminated 137 YouTube channels and 2 blogs as part of our investigation into coordinated influence operations linked to Myanmar. This campaign uploaded content in Burmese that was supportive of Myanmar’s military coup in February 2021.
  • We terminated 9 YouTube channels and 1 blog as part of our investigation into coordinated influence operations linked to Vietnam. This campaign uploaded content in Vietnamese that was supportive of the Vietnamese Army’s interests in the region.
  • We terminated 1,196 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

September

  • We terminated 5 blogs and blocked 3 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Germany. This campaign uploaded content in German that was supportive of the German "Reichsbürger" conspiracy movement.
  • We terminated 1,217 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

Phishing campaign targets YouTube creators with cookie theft malware

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Since late 2019, our team has disrupted financially motivated phishing campaigns targeting YouTubers with Cookie Theft malware.

The actors behind this campaign, which we attribute to a group of hackers recruited in a Russian-speaking forum, lure their target with fake collaboration opportunities (typically a demo for anti-virus software, VPN, music players, photo editing or online games), hijack their channel, then either sell it to the highest bidder or use it to broadcast cryptocurrency scams.

In collaboration with YouTube, Gmail, Trust & Safety, CyberCrime Investigation Group and Safe Browsing teams, our protections have decreased the volume of related phishing emails on Gmail by 99.6% since May 2021. We blocked 1.6M messages to targets, displayed ~62K Safe Browsing phishing page warnings, blocked 2.4K files, and successfully restored ~4K accounts. With increased detection efforts, we’ve observed attackers shifting away from Gmail to other email providers (mostly email.cz, seznam.cz, post.cz and aol.com). Moreover, to protect our users, we have referred the below activity to the FBI for further investigation.

In this blog, we share examples of the specific tactics, techniques and procedures (TTPs) used to lure victims, as well as some guidance on how users can further protect themselves.

Tactics, techniques and procedures

Cookie Theft, also known as “pass-the-cookie attack,” is a session hijacking technique that enables access to user accounts with session cookies stored in the browser. While the technique has been around for decades, its resurgence as a top security risk could be due to a wider adoption of multi-factor authentication (MFA) making it difficult to conduct abuse, and shifting attacker focus to social engineering tactics.

Social engineering YouTubers with advertisement offer

Many YouTube creators provide an email address on their channel for business opportunities. In this case, the attackers sent forged business emails impersonating an existing company requesting a video advertisement collaboration.

Example phishing email message

Example phishing email message

The phishing typically started with a customized email introducing the company and its products. Once the target agreed to the deal, a malware landing page disguised as a software download URL was sent via email or a PDF on Google Drive, and in a few cases, Google documents containing the phishing links. Around 15,000 actor accounts were identified, most of which were created for this campaign specifically.

Fake software landing pages and social media accounts

The attackers registered various domains associated with forged companies and built multiple websites for malware delivery. To date, we’ve identified at least 1,011 domains created solely for this purpose. Some of the websites impersonated legitimate software sites, such as Luminar, Cisco VPN, games on Steam, and some were generated using online templates. During the pandemic, we also uncovered attackers posing as news providers with a “Covid19 news software.”

Lure message and landing pages for the forged covid news software.

Lure message and landing pages for the forged covid news software.

In one case, we observed a fake social media page copying content from an existing software company. The following screenshot is an example of a fake page where the original URL is replaced with one leading to a cookie theft malware download.

Original (left) and fake (right) instagram accounts

Original (left) and fake (right) instagram accounts

Because Google actively detects and disrupts phishing links sent via Gmail, the actors were observed driving targets to messaging apps like WhatsApp, Telegram or Discord.

Delivering cookie theft malware

Once the target runs the fake software, a cookie stealing malware executes, taking browser cookies from the victim’s machine and uploading them to the actor's command & control servers. Although this type of malware can be configured to be persistent on the victim's machine, these actors are running all malware in non-persistent mode as a smash-and-grab technique. This is because if the malicious file is not detected when executed, there are less artifacts on an infected host and therefore security products fail to notify the user of a past compromise.

We have observed that actors use various types of malware based on personal preference, most of which are easily available on Github. Some commodity malware used included RedLine, Vidar, Predator The Thief, Nexus stealer, Azorult, Raccoon, Grand Stealer, Vikro Stealer, Masad (Google’s naming), and Kantal (Google’s naming) which shares code similarity with Vidar. Open source malware like Sorano and AdamantiumThief were also observed.Related hashes are listed in the Technical Details section, at the end of this report.

Most of the observed malware was capable of stealing both user passwords and cookies. Some of the samples employed several anti-sandboxing techniques including enlarged files, encrypted archive and download IP cloaking. A few were observed displaying a fake error message requiring user click-through to continue execution.

Fake error window require user click through

Fake error window require user click through

Cryptocurrency scams and channel selling

A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming. The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.

On account-trading markets, hijacked channels ranged from $3 USD to $4,000 USD depending on the number of subscribers.

Hack-for-Hire attackers

These campaigns were carried out by a number of hack-for-hire actors recruited on Russian-speaking forums via the following job description, offering two types of work:

hack-for-hire job description

This recruitment model explains the highly customized social engineering, as well as the varied malware types given each actor's choice of preferred malware.

Protecting our users from attacks

We are continuously improving our detection methods and investing in new tools and features that automatically identify and stop threats like this one. Some of these improvements include:

  • Additional heuristic rules to detect and block phishing & social engineering emails, cookie theft hijacking and crypto-scam livestreams.
  • Safe Browsing is further detecting and blocking malware landing pages and downloads.
  • YouTube has hardened channel transfer workflows, detected and auto-recovered over 99% of hijacked channels.
  • Account Security has hardened authentication workflows to block and notify the user on potential sensitive actions.
Sensitive action blocked in account

Sensitive action blocked in account

It is also important that users remain aware of these types of threats and take appropriate action to further protect themselves. Our recommendations:

  • Take Safe Browsing warnings seriously. To avoid malware triggering antivirus detections, threat actors social engineer users into turning off or ignoring warnings.
  • Before running software, perform virus scanning using an antivirus or online virus scanning tool like VirusTotal to verify file legitimacy.
  • Enable the “Enhanced Safe Browsing Protection” mode in your Chrome browser, a feature that increases warnings on potentially suspicious web pages & files.
  • Be aware of encrypted archives which are often bypassing antivirus detection scans, increasing the risk of running malicious files.
  • Protect your account with 2-Step-verification (multi-factor authentication) which provides an extra layer of security to your account in case your password is stolen. Starting November 1, monetizing YouTube creators must turn on 2-Step Verification on the Google Account used for their YouTube channel to access YouTube Studio or YouTube Studio Content Manager.

Additional resources: Avoid & Report Phishing Emails.

Technical Details

Related Malware hashes:

  • RedLine (commodity)
    • 501fe2509581d43288664f0d2825a6a47102cd614f676bf39f0f80ab2fd43f2c
    • c8b42437ffd8cfbbe568013eaaa707c212a2628232c01d809a3cf864fe24afa8
  • Vidar (commodity)
    • 9afc029ac5aa525e6fdcedf1e93a64980751eeeae3cf073fcbd1d223ab5c96d6
  • Kantal (share code similarity with Vidar)
    • F59534e6d9e0559d99d2b3a630672a514dbd105b0d6fc9447d573ebd0053caba (zip archive)
    • Edea528804e505d202351eda0c186d7c200c854c41049d7b06d1971591142358 (unpacked sample)
  • Predator The Thief (commodity)
    • 0d8cfa02515d504ca34273d8cfbe9d1d0f223e5d2cece00533c48a990fd8ce72 (zip archive)
  • Sorano (open source)
    • c7c8466a66187f78d953c64cbbd2be916328085aa3c5e48fde6767bc9890516b
  • Nexus stealer (commodity)
    • ed8b2af133b4144bef2b89dbec1526bf80cc06fe053ece1fa873f6bd1e99f0be
    • efc88a933a8baa6e7521c8d0cf78c52b0e3feb22985de3d35316a8b00c5073b3
  • Azorult (commodity)
    • 8cafd480ac2a6018a4e716a4f9fd1254c4e93501a84ee1731ed7b98b67ab15dd
  • Raccoon (commodity)
    • 85066962ba1e8a0a8d6989fffe38ff564a6cf6f8a07782b3fbc0dcb19d2497cb
  • Grand Stealer (commodity)
    • 6359d5fa7437164b300abc69c8366f9481cb91b7558d68c9e3b0c2a535ddc243
  • Vikro Stealer (commodity)
    • 04deb8d8aee87b24c7ba0db55610bb12f7d8ec1e75765650e5b2b4f933b18f6d
  • Masad (commodity)
    • 6235573d8d178341dbfbead7c18a2f419808dc8c7c302ac61e4f9645d024ed85
  • AdamantiumThief (open source)
    • Db45bb99c44a96118bc5673a7ad65dc2a451ea70d4066715006107f65d906715

Top Phishing Domains:

  • pro-swapper[.]com
  • downloadnature[.]space
  • downloadnature[.]com
  • fast-redirect[.]host
  • bragi-studio[.]com
  • plplme[.]site
  • fenzor[.]com
  • universe-photo[.]com
  • rainway-gaming[.]com
  • awaken1337[.]xyz
  • pixelka[.]fun
  • vortex-cloudgaming[.]com
  • vontex[.]tech
  • user52406.majorcore[.]space
  • voneditor[.]tech
  • spaceditor[.]space
  • roudar[.]com
  • peoplep[.]site
  • anypon[.]online
  • zeneditor[.]tech
  • yourworld[.]site
  • playerupbo[.]xyz
  • dizzify[.]me

Countering threats from Iran

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. We have a long-standing policy to send you a warning if we detect that your account is a target of government-backed phishing or malware attempts. So far in 2021, we’ve sent over 50,000 warnings, a nearly 33% increase from this time in 2020. This spike is largely due to blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear.

We intentionally send these warnings in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track our defense strategies. On any given day, TAG is tracking more than 270 targeted or government-backed attacker groups from more than 50 countries. This means that there is typically more than one threat actor behind the warnings.

In this blog, we explore some of the most notable campaigns we’ve disrupted this year from a different government-backed attacker: APT35, an Iranian group, which regularly conducts phishing campaigns targeting high risk users. This is the one of the groups we disrupted during the 2020 US election cycle for its targeting of campaign staffers. For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government.

Hijacked websites used for credential phishing attacks

In early 2021, APT35 compromised a website affiliated with a UK university to host a phishing kit. Attackers sent email messages with links to this website to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo. Users were instructed to activate an invitation to a (fake) webinar by logging in. The phishing kit will also ask for second-factor authentication codes sent to devices.

APT35 has relied on this technique since 2017 — targeting high-value accounts in government, academia, journalism, NGOs, foreign policy, and national security. Credential phishing through a compromised website demonstrates these attackers will go to great lengths to appear legitimate – as they know it's difficult for users to detect this kind of attack.

Phishing page hosted on a compromised website

Phishing page hosted on a compromised website

Utilization of Spyware Apps

In May 2020, we discovered that APT35 attempted to upload spyware to the Google Play Store. The app was disguised as VPN software that, if installed, could steal sensitive information such as call logs, text messages, contacts, and location data from devices. Google detected the app quickly and removed it from the Play Store before any users had a chance to install it. Although Play Store users were protected, we are highlighting the app here as TAG has seen APT35 attempt to distribute this spyware on other platforms as recently as July 2021.

Spyware app disguised as a VPN utility

Spyware app disguised as a VPN utility

Conference-themed phishing emails

One of the most notable characteristics of APT35 is their impersonation of conference officials to conduct phishing attacks. Attackers used the Munich Security and the Think-20 (T20) Italy conferences as lures in non-malicious first contact email messages to get users to respond. When they did, attackers sent them phishing links in follow-on correspondence.

Targets typically had to navigate through at least one redirect before landing on a phishing domain. Link shorteners and click trackers are heavily used for this purpose, and are oftentimes embedded within PDF files. We’ve disrupted attacks using Google Drive, App Scripts, and Sites pages in these campaigns as APT35 tries to get around our defenses. Services from Dropbox and Microsoft are also abused.

Google Sites page disguised as a Google Form to redirect to a phishing site

Google Sites page disguised as a Google Form to redirect to a phishing site

Telegram for threat actor notifications

One of APT35’s novel techniques involves using Telegram for operator notifications. The attackers embed javascript into phishing pages that notify them when the page has been loaded. To send the notification, they use the Telegram API sendMessage function, which lets anyone use a Telegram bot to send a message to a public channel. The attackers use this function to relay device-based data to the channel, so they can see details such as the IP, useragent, and locales of visitors to their phishing sites in real-time. We reported the bot to Telegram and they have taken action to remove it.

Public Telegram channel used for attacker notifications

Public Telegram channel used for attacker notifications

How we keep users safe from these threats

We warn users when we suspect a government-backed threat like APT35 is targeting them. Thousands of these warnings are sent every month, even in cases where the corresponding attack is blocked. If you receive a warning it does not mean your account has been compromised, it means you have been identified as a target.

Workspace administrators are also notified regarding targeted accounts in their domain. Users are encouraged to take these warnings seriously and consider enrolling in the Advanced Protection Program or enabling two-factor authentication if they haven't already.

We also block malicious domains using Google Safe Browsing – a service that Google's security team built to identify unsafe websites across the web and notify users and website owners of potential harm. When a user of a Safe Browsing-enabled browser or app attempts to access unsafe content on the web, they’ll see a warning page explaining that the content they’re trying to access may be harmful. When a site identified by Safe Browsing as harmful appears in Google Search results, we show a warning next to it in the results.

Threat Analysis Group will continue to identify bad actors and share relevant information with others in the industry, with the goal of bringing awareness to these issues, protecting you and fighting bad actors to prevent future attacks.

Technical Details

Indicators from APT28 phishing campaign:

service-reset-password-moderate-digital.rf[.]gd

reset-service-identity-mail.42web[.]io

digital-email-software.great-site[.]net

Indicators from APT35 campaigns:

Abused Google Properties:

https://sites.google[.]com/view/ty85yt8tg8-download-rtih4ithr/

https://sites.google[.]com/view/user-id-568245/

https://sites.google[.]com/view/hhbejfdwdhwuhscbsb-xscvhdvbc/

Abused Dropbox Properties:

https://www.dropbox[.]com/s/68y4vpfu8pc3imf/Iraq&Jewish.pdf

Phishing Domains:

nco2[.]live

summit-files[.]com

filetransfer[.]club

continuetogo[.]me

accessverification[.]online

customers-verification-identifier[.]site

service-activity-session[.]online

identifier-service-review[.]site

recovery-activity-identification[.]site

review-session-confirmation[.]site

recovery-service-activity[.]site

verify-service-activity[.]site

service-manager-notifications[.]info

Android App:

https://www.virustotal.com/gui/file/5d3ff202f20af915863eee45916412a271bae1ea3a0e20988309c16723ce4da5/detection

Android App C2:

communication-shield[.]site

cdsa[.]xyz

Financially motivated actor breaks certificate parsing to avoid detection

Introduction

Google’s Threat Analysis Group tracks actors involved in disinformation campaigns, government backed hacking, and financially motivated abuse. Understanding the techniques used by attackers helps us counter these threats effectively. This blog post is intended to highlight a new evasion technique we identified, which is currently being used by a financially motivated threat actor to avoid detection.

Attackers often rely on varying behaviors between different systems to gain access. For instance, attacker’s may bypass filtering by convincing a mail gateway that a document is benign so the computer treats it as an executable program. In the case of the attack outlined below, we see that attackers created malformed code signatures that are treated as valid by Windows but are not able to be decoded or checked by OpenSSL code — which is used in a number of security scanning products. We believe this is a technique the attacker is using to evade detection rules.

Technical Details

Code signatures on Windows executables provide guarantees about the integrity of a signed executable, as well as information about the identity of the signer. Attackers who are able to obscure their identity in signatures without affecting the integrity of the signature can avoid detection longer and extend the lifetime of their code-signing certificates to infect more systems.

OpenSUpdater, a known family of unwanted software which violates our policies and is harmful to the user experience, is used to download and install other suspicious programs.The actor behind OpenSUpdater tries to infect as many users as possible and while they do not have specific targeting, most targets appear to be within the United States and prone to downloading game cracks and grey-area software.

Groups of OpenSUpdater samples are often signed with the same code-signing certificate, obtained from a legitimate certificate authority. Since mid-August, OpenSUpdater samples have carried an invalid signature, and further investigation showed this was a deliberate attempt to evade detection. In these new samples, the signature was edited such that an End of Content (EOC) marker replaced a NULL tag for the 'parameters' element of the SignatureAlgorithm signing the leaf X.509 certificate.

EOC markers terminate indefinite-length encodings, but in this case an EOC is used within a definite-length encoding (l= 13). 


Bytes: 30 0D 06 09 2A 86 48 86  F7 0D 01 01 0B 00 00 

Decodes to the following elements:

SEQUENCE (2 elem)

OBJECT IDENTIFIER 1.2.840.113549.1.1.11 sha256WithRSAEncryption (PKCS #1)

EOC


Security products using OpenSSL to extract signature information will reject this encoding as invalid. However, to a parser that permits these encodings, the digital signature of the binary will otherwise appear legitimate and valid. This is the first time TAG has observed actors using this technique to evade detection while preserving a valid digital signature on PE files. 

As shown in the following screenshot, the signature is considered to be valid by the Windows operating system. This issue has been reported to Microsoft.

Image of digital signatures settings

Since first discovering this activity, OpenSUpdater's authors have tried other variations on invalid encodings to further evade detection.

The following are samples using this evasion:

https://www.virustotal.com/gui/file/5094028a0afb4d4a3d8fa82b613c0e59d31450d6c75ed96ded02be1e9db8104f/detection

New variant:

https://www.virustotal.com/gui/file/5c0ff7b23457078c9d0cbe186f1d05bfd573eb555baa1bf4a45e1b79c8c575db/detection

Our team is working in collaboration with Google Safe Browsing to protect users from downloading and executing this family of unwanted software. Users are encouraged to only download and install software from reputable and trustworthy sources.


How we protect users from 0-day attacks

Zero-day vulnerabilities are unknown software flaws. Until they’re identified and fixed, they can be exploited by attackers. Google’s Threat Analysis Group (TAG) actively works to detect hacking attempts and influence operations to protect users from digital attacks, this includes hunting for these types of vulnerabilities because they can be particularly dangerous when exploited and have a high rate of success.


In this blog, we’re sharing details about four in-the-wild 0-day campaigns targeting four separate vulnerabilities we’ve discovered so far this year: 


The four exploits were used as a part of three different campaigns. As is our policy, after discovering these 0-days, we quickly reported to the vendor and patches were released to users to protect them from these attacks. We assess three of these exploits were developed by the same commercial surveillance company that sold these capabilities to two different government-backed actors. Google has also published root cause analyses (RCAs) on each of the 0-days.


In addition to the technical details, we’ll also provide our take on the large uptick of in-the-wild 0-day attacks the industry is seeing this year. Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year — 11 more than the total number from 2020. While there is an increase in the number of 0-day exploits being used, we believe greater detection and disclosure efforts are also contributing to the upward trend.

Graph depicting number of 0-days found each year starting from 2014 - 2021

Chrome: CVE-2021-21166 and CVE-2021-30551

Over the past several months, we have discovered two Chrome renderer remote code execution 0-day exploits, CVE-2021-21166 and ​​CVE-2021-30551, which we believe to be used by the same actor. CVE-2021-21166 was discovered in February 2021 while running Chrome 88.0.4323.182 and CVE-2021-30551 was discovered in June 2021 while running Chrome 91.0.4472.77.


Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia. The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users. When a target clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client and generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server. The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins, and available MIME types. This information was collected by the attackers to decide whether or not an exploit should be delivered to the target. Using appropriate configurations, we were able to recover two 0-day exploits (CVE-2021-21166 & CVE-2021-30551), which were targeting the latest versions of Chrome on Windows at the time of delivery.


After the renderer is compromised, an intermediary stage is executed to gather more information about the infected device including OS build version, CPU, firmware and BIOS information. This is likely collected in an attempt to detect virtual machines and deliver a tailored sandbox escape to the target. In our environment, we did not receive any payloads past this stage.


While analyzing CVE-2021-21166 we realized the vulnerability was also in code shared with WebKit and therefore Safari was also vulnerable. Apple fixed the issue as CVE-2021-1844. We do not have any evidence that this vulnerability was used to target Safari users.

Related IOCs


  • lragir[.]org

  • armradio[.]org

  • asbares[.]com

  • armtimes[.]net

  • armlur[.]org

  • armenpress[.]org

  • hraparak[.]org

  • armtimes[.]org

  • hetq[.]org

Internet Explorer: CVE-2021-33742

Despite Microsoft announcing the retirement of Internet Explorer 11, planned for June 2022, attackers continue to develop creative ways to load malicious content inside Internet Explorer engines to exploit vulnerabilities. For example, earlier this year, North Korean attackers distributed MHT files embedding an exploit for CVE-2021-26411. These files are automatically opened in Internet Explorer when they are double clicked by the user.


In April 2021, TAG discovered a campaign targeting Armenian users with malicious Office documents that loaded web content within Internet Explorer. This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page. At the time, we were unable to recover the next stage payload, but successfully recovered the exploit after an early June campaign from the same actors. After a fingerprinting phase, similar to the one used with the Chrome exploit above, users were served an Internet Explorer 0-day. This vulnerability was assigned CVE-2021-33742 and fixed by Microsoft in June 2021.


The exploit loaded an intermediary stage similar to the one used in the Chrome exploits. We did not recover additional payloads in our environment.


During our investigation we discovered several documents uploaded to VirusTotal.


Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world. On July 15, 2021 Citizen Lab published a report tying the activity to spyware vendor Candiru. 

Related IOCs


Examples of related Office documents uploaded to VirusTotal:

  • https://www.virustotal.com/gui/file/656d19186795280a068fcb97e7ef821b55ad3d620771d42ed98d22ee3c635e67/detection

  • https://www.virustotal.com/gui/file/851bf4ab807fc9b29c9f6468c8c89a82b8f94e40474c6669f105bce91f278fdb/detection


Unique URLs serving ​​CVE-2021-33742 Internet Explorer exploit:

  • http://lioiamcount[.]com/IsnoMLgankYg6/EjlYIy7cdFZFeyFqE4IURS1

  • http://db-control-uplink[.]com/eFe1J00hISDe9Zw/gzHvIOlHpIXB

  • http://kidone[.]xyz/VvE0yYArmvhyTl/GzV


Word documents with the following classid:

  • {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}


Related infrastructure:

  • workaj[.]com

  • wordzmncount[.]com

WebKit (Safari): CVE-​2021-1879

Not all attacks require chaining multiple 0-day exploits to be successful. A recent example is CVE-​2021-1879 that was discovered by TAG on March 19, 2021, and used by a likely Russian government-backed actor. (NOTE: This exploit is not connected to the other three we’ve discussed above.)


In this campaign, attackers used LinkedIn Messaging to target government officials from western European countries by sending them malicious links. If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next stage payloads. The campaign targeting iOS devices coincided with campaigns from the same actor targeting users on Windows devices to deliver Cobalt Strike, one of which was previously described by Volexity.


After several validation checks to ensure the device being exploited was a real device, the final payload would be served to exploit CVE-​2021-1879. This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated. There was no sandbox escape or implant delivered via this exploit. The exploit targeted iOS versions 12.4 through 13.7. This type of attack, described by Amy Burnett in Forget the Sandbox Escape: Abusing Browsers from Code Execution, are mitigated in browsers with Site Isolation enabled such as Chrome or Firefox. 

Related IOCs

  • supportcdn.web[.]app

  • vegmobile[.]com

  • 111.90.146[.]198

Why So Many 0-days?

There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild. The attackers behind 0-day exploits generally want their 0-days to stay hidden and unknown because that’s how they’re most useful. 


Based on this, there are multiple factors that could be contributing to the uptick in the number of 0-days that are disclosed as in-the-wild:

Increase in detection & disclosure

This year, Apple began annotating vulnerabilities in their security bulletins to include notes if there is reason to believe that a vulnerability may be exploited in-the-wild and Google added these annotations to their Android bulletins. When vendors don’t include these annotations, the only way the public can learn of the in-the-wild exploitation is if the researcher or group who knows of the exploitation publishes the information themselves. 


In addition to beginning to disclose when 0-days are believed to be exploited in-the-wild, it wouldn’t be surprising if there are more 0-day detection efforts, and successes, occurring as a result. It’s also possible that more people are focusing on discovering 0-days in-the-wild and/or reporting the 0-days that they found in the wild.

Increased Utilization

There is also the possibility that attackers are using more 0-day exploits. There are a few reasons why this is likely:

  • The increase and maturation of security technologies and features mean that the same capability requires more 0-day vulnerabilities for the functional chains. For example, as the Android application sandbox has been further locked down by limiting what syscalls an application can call, an additional 0-day is necessary to escape the sandbox. 
  • The growth of mobile platforms has resulted in an increase in the number of products that actors want capabilities for. 
  • There are more commercial vendors selling access to 0-days than in the early 2010s.
  • Maturing of security postures increases the need for attackers to use 0-day exploits rather than other less sophisticated means, such as convincing people to install malware. Due to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals. 

Conclusion

Over the last decade, we believe there has been an increase in attackers using 0-day exploits. Attackers needing more 0-day exploits to maintain their capabilities is a good thing — and it  reflects increased cost to the attackers from security measures that close known vulnerabilities. However, the increasing demand for these capabilities and the ecosystem that supplies them is more of a challenge. 0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use. In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise, now they just need resources. Three of the four 0-days that TAG has discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors.


Meanwhile, improvements in detection and a growing culture of disclosure likely contribute to the significant uptick in 0-days detected in 2021 compared to 2020, but reflect more positive trends. Those of us working on protecting users from 0-day attacks have long suspected that overall, the industry detects only a small percentage of the 0-days actually being used. Increasing our detection of 0-day exploits is a good thing — it allows us to get those vulnerabilities fixed and protect users, and gives us a fuller picture of the exploitation that is actually happening so we can make more informed decisions on how to prevent and fight it.


We’d be remiss if we did not acknowledge the quick response and patching of these vulnerabilities by the Apple, Google, and Microsoft teams. 

TAG Bulletin: Q2 2021

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q2 2021. It was last updated on July 29, 2021.

April

  • We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to El Salvador. This campaign uploaded content in Spanish focusing on a mayoral race in the Santa Tecla municipality. Our findings are similar to findings reported by Facebook.


  • We terminated 43 YouTube channels as part of our investigation into coordinated influence operations linked to Albania. This campaign uploaded content in Farsi that was critical of Iran’s government and supportive of Mojahedin-e Khalq. Our findings are similar to findings reported by Facebook.


  • We terminated 728 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about protests in Hong Kong and criticism of the U.S. response to the COVID-19 pandemic. These findings are consistent with our previous reports.

May

  • We terminated 57 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was supportive of Russia’s government.


  • We terminated 11 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of Ukraine and of U.S. narratives related to Russian troop build up on the Ukrainian border.


  • We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of protests in Belarus. We received leads from FireEye that supported us in this investigation.


  • We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Iran. This campaign uploaded content in Bahasa Indonesia that was critical of Israel and Saudi Arabia.


  • We blocked 3 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Mexico. This campaign uploaded content in Spanish that was supportive of a number of local mayoral and gubernatorial candidates. Our findings are similar to findings reported by Facebook.


  • We terminated 1,015 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.

June

  • We terminated 33 YouTube channels as part of our investigation into coordinated influence operations linked to Azerbaijan. This campaign uploaded content in Azerbaijani and Armenian that was critical of Armenia and supportive of the Azerbaijani military. Our findings are similar to findings reported by Facebook.


  • We terminated 17 YouTube channels and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Ukrainian that amplified several media platforms posing as news outlets and promoting a select number of local politicians. Our findings are similar to findings reported by Facebook.


  • We terminated 3 YouTube channels, 1 Play developer, and blocked 1 domain from eligibility to appear on Google News surfaces and Discover as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in English, Russian, German, Italian, French, and Spanish that was supportive of Russia’s positions on the military conflicts in Ukraine, the Middle East, and Central Asia.


  • We terminated 15 YouTube channels as part of our investigation into coordinated influence operations linked to Ethiopia. This campaign uploaded content in Amahric that was supportive of Prime Minister Abiy Ahmed and was critical of his opposition. Our findings are similar to findings reported by Facebook.


  • We terminated 36 YouTube channels, 1 ads account and 1 blog as part of our investigation into coordinated influence operations linked to Pakistan. This campaign uploaded content in English and Urdu that was critical of India’s government in its treatment of Muslims, particularly in the region of Kashmir. Our findings are similar to findings reported by Facebook. We received leads from Graphika that supported us in this investigation.


  • We terminated 123 YouTube channels as part of our investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of the protests supporting Alexei Navalny.


  • We terminated 9 YouTube channels as part of our investigation into coordinated influence operations linked to China. This campaign uploaded content in Mandarin Chinese that was positive in sentiment about life in Xinjiang, China and was critical of Western allegations of abuses. We received leads from Graphika that supported us in this investigation.


  • We terminated 2 YouTube channels as part of our investigation into coordinated influence operations linked to Moldova. This campaign uploaded content in Russian that contained a variety of sensational political narratives, including one about an imminent threat to Russia from Ukraine and the U.S.


  • We terminated 989 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports. We received leads from FireEye and Graphika that supported us in this investigation.

TAG Bulletin: Q1 2021

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2021. It was last updated on April 20, 2021.

January

  • We terminated 4 YouTube channels and 1 advertising account as part of our ongoing investigation into coordinated influence operations linked to Ukraine. This campaign uploaded content in Russian pertaining to current events in Kazakhstan and critical of European Union policies toward Moldova.

  • We terminated 5 blogs as part of our investigation into coordinated influence operations linked to Morocco. This campaign uploaded content in Arabic that was critical of the Algerian government. This campaign was consistent with similar findings reported by Facebook.

  • We terminated 5 YouTube channels as part of our investigation into coordinated influence operations linked to Brazil. This campaign was linked to a PR firm named AP Exata Intelligence and uploaded content in Portuguese expressing support for several mayoral candidates in Brazil. This campaign was consistent with similar findings reported by Facebook.

  • We terminated 6 YouTube channels as part of our investigation into coordinated influence operations linked to Kyrgyzstan. The campaign uploaded content in Kyrgyz critical of the former President Almazbek Atambayev and the opposition leader Adakhan Madumarov. This campaign was consistent with similar findings reported by Facebook.

  • We terminated 3 advertising accounts as part of our investigation into coordinated influence operations linked to Egypt. This campaign was linked to a PR firm named Mubashier and uploaded content in Arabic supportive of the Russian government across several countries in the Middle East.

  • We terminated 1 YouTube channel as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on current events in Ukraine.

  • We terminated 1 YouTube channel, 2 advertising accounts and 1 mobile developer account as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on such topics as the U.S. election and the poisoning of Alexei Navalny.

  • We terminated 5 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on such topics as the annexation of Crimea and the Syrian civil war.

  • We terminated 2 YouTube channels and 1 advertising account as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on historical events in Afghanistan, Armenia and Ukraine.

  • We terminated 2 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian on such topics as the U.S. current events and Alexei Navalny political rallies.

  • We terminated 3 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Iran. This campaign uploaded content in English and was amplifying narratives on regional topics such as Israel, the Nagorno Karabakh conflict, and the war in Yemen. We received leads from FireEye that supported us in this investigation.

  • We terminated 2,946 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about the U.S. response to COVID-19 and growing U.S. political divisions. We received leads from Graphika that supported us in this investigation. These findings are consistent with our previous reports in the Q3 and Q4 TAG bulletins.

February

  • We terminated 5 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Iran. This campaign uploaded content in English, Farsi, and Bahasa Indonesian on several topics including criticism of Israel and the U.S. election. This campaign was consistent with similar findings reported by Twitter.

  • We terminated 5 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian specific to narratives around the Russian military. This campaign was consistent with similar findings reported by Twitter.
  • We terminated 938 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about the U.S. COVID-19 vaccine rollout and current events. We received leads from FireEye and Graphika that supported us in this investigation. These findings are consistent with our previous reports in the Q3 and Q4 TAG bulletins.

March

  • We terminated 13 YouTube channels as part of our investigation into coordinated influence operations linked to Morocco. This campaign uploaded content in Arabic that was supportive of Morocco’s government and discussed issues related to regional intelligence agencies as well as Moroccan ownership of the Western Sahara region. This campaign was consistent with similar findings reported by Facebook.
  • We terminated 3 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian, French, German, English and Spanish about the conflict in Syria, historical footage of the war in Afghanistan, and the civil war in Eastern Ukraine.
  • We terminated 34 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to Russia. This campaign uploaded content in Russian that was critical of the protests in support of Alexei Navalny.

  • We terminated 33 YouTube channels and 2 advertising accounts as part of our ongoing investigation into coordinated influence operations linked to Myanmar. This campaign uploaded content in Burmese about the military coup in Myanmar.

  • We terminated 682 YouTube channels and 2 advertising accounts as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports in the Q3 and Q4 TAG bulletins.

❌