Computing

Rereading

Musings 2025.005

Musings series

2025-w34 weekly note

Wednesday weekly note 2025-w34

  • Analysis: UAT-7237, ApolloShadow, SHELLTER, LoptikMod, macOS.ZuRu

Analysis:

UAT-7237:

  • Flow:
  • Similar case:
  • Community discussion:

ApolloShadow:

  • Info and flow:
    • Targets embassies in Moscow; ISP-level adversary-in-the-middle (AitM); installs a trusted root certificate. Victims are shown a captive portal, then prompted to download and install.
  • Similarity and uniqueness:
    • Its ancestor: SUNBURST and GoldFinder
    • ISP-Level Adversary-in-the-Middle (AiTM) Attack
  • Community discussion:
    • A Blueprint for Future Attacks: difficult-to-defend-against tactic

SHELLTER:

  • Info and flow:
  • Similarity and uniqueness:
    • Compared with Cobalt Strike and Brute Ratel. The discussion is about the mere existence of such tools!?
  • Community discussion:

LoptikMod:

  • Info and flow:
    • DoNot APT
    • Phishing, malware drop, scheduled batch file, C2
  • Similarity and uniqueness:
    • Similar model to a lot of attacks
    • But the malware uses binary strings to decode or restore other meaningful strings within itself, and its import table holds only a small number of entries.
    • Instead of importing APIs directly, the malware loads them dynamically at runtime using functions such as LoadLibrary (to load a DLL) and GetProcAddress (to retrieve the address of a specific function within that DLL).
    • Anti-VM technique that checks for a VMware magic value
  • Community discussion:
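Added example (my own, not code from the LoptikMod write-up or any vendor tool): a small Python triage script for the pattern noted above, a tiny static import table that still contains LoadLibrary/GetProcAddress. It walks a PE file's import directory without third-party libraries and returns a simple verdict. The PE image it builds for itself is a constructed, non-executable fixture so the script runs offline; the cut-off of 10 imports is an assumed threshold, not a figure from the report, and the verdict is a triage hint, not a detection on its own.

```python
import struct

# Names that, together with a tiny import table, suggest the rest of the API surface
# is resolved at runtime (the LoadLibrary/GetProcAddress pattern noted above).
DYNAMIC_RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                     "LoadLibraryExW", "GetProcAddress"}


def parse_imports(data):
    """Walk the PE import directory of `data`; return {dll_name: [imported names]}."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directories start at offset 96 (PE32) or 112 (PE32+); entry 1 is the import table.
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is_pe32plus else 96) + 8)[0]
    sec_off = opt + opt_size
    # (VirtualAddress, SizeOfRawData, PointerToRawData) of each section header
    sections = [struct.unpack_from("<III", data, sec_off + i * 40 + 12) for i in range(nsec)]

    def rva2off(rva):  # map an RVA onto a file offset via the section table
        for va, raw_size, raw_ptr in sections:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    thunk_fmt, ordinal_flag = ("<Q", 1 << 63) if is_pe32plus else ("<I", 1 << 31)
    imports = {}
    off = rva2off(imp_rva)
    while off + 20 <= len(data):
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # an all-zero descriptor terminates the table
        names = []
        thunk_off = rva2off(oft or ft)  # prefer the lookup table, fall back to the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk_off)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                names.append(f"ordinal#{entry & 0xFFFF}")
            else:
                names.append(cstr(rva2off(entry) + 2))  # skip the 2-byte hint
            thunk_off += struct.calcsize(thunk_fmt)
        imports[cstr(rva2off(name_rva))] = names
        off += 20
    return imports


def triage_imports(imports, low_import_threshold=10):
    """Heuristic only: few imports plus LoadLibrary/GetProcAddress is typical of packed or
    obfuscated samples, but legitimate loaders and plugin hosts can look the same."""
    names = [n for funcs in imports.values() for n in funcs]
    resolvers = sorted(DYNAMIC_RESOLVERS & set(names))
    return {
        "import_count": len(names),
        "dynamic_resolvers": resolvers,
        "suspicious": len(names) < low_import_threshold and bool(resolvers),
    }


def build_min_pe(imports):
    """Constructed fixture: a minimal, non-executable PE32 image containing only an
    import directory that describes `imports` ({dll: [function names]})."""
    SEC_RVA, SEC_OFF = 0x1000, 0x200
    blob = bytearray()

    def place(b):  # append bytes to the section and return their RVA
        rva = SEC_RVA + len(blob)
        blob.extend(b)
        return rva

    desc_rva = place(b"\0" * (20 * (len(imports) + 1)))  # descriptors filled in below
    descs = []
    for dll, funcs in imports.items():
        name_rva = place(dll.encode() + b"\0")
        hint_rvas = [place(b"\0\0" + f.encode() + b"\0") for f in funcs]
        table = b"".join(struct.pack("<I", r) for r in hint_rvas) + b"\0\0\0\0"
        ilt_rva, iat_rva = place(table), place(table)
        descs.append((ilt_rva, 0, 0, name_rva, iat_rva))
    for i, d in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, *d)

    hdr = bytearray(SEC_OFF)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                 # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, desc_rva, 20 * (len(imports) + 1))
    sec = opt + 224
    hdr[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(blob), SEC_RVA, len(blob), SEC_OFF)
    return bytes(hdr) + bytes(blob)


if __name__ == "__main__":
    sample = build_min_pe({"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "ExitProcess"]})
    print(triage_imports(parse_imports(sample)))
```

To run it on a real sample, pass `open(path, "rb").read()` to `parse_imports`; the fixture builder exists only so the script can be exercised without a binary at hand. Treat the verdict as a reason to look closer (string decoding routines, runtime resolution of API names), not as a classification by itself.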

macOS.ZuRu:

  • Info and flow:
    • Social engineering via poisoned Baidu search results for the popular terminal emulator iTerm2.
    • Also poisons Baidu results for other popular macOS utilities, including SecureCRT, Navicat and Microsoft’s Remote Desktop for Mac
  • Similarity and uniqueness:
    • Includes a modified version of the open-source Khepri C2 framework
    • Uses an “ad hoc” signature to bypass Apple’s code-signing checks
  • Community discussion: