Threat Report
PURPLE HAZE AND GORE SHELL
A sophisticated cyber espionage campaign leveraging new stealer malware and its Telegram-powered ecosystem.
Threat Overview
The Ghost in the Zip report details a complex cyber espionage operation involving the PurpleHaze group, which employs advanced tactics to infiltrate networks. This campaign utilizes a newly discovered stealer malware known as PXA Stealer, along with GORE Shell for command and control (C2) operations. The attackers leverage Telegram’s infrastructure to manage their malicious activities, making detection and mitigation more challenging.
The PurpleHaze group has been observed using various domains and IP addresses to host their C2 servers and exfiltrate data. They exploit vulnerabilities in network devices such as FortiGate firewalls and use sophisticated techniques like DNS-over-HTTPS for communication with their C2 infrastructure. The campaign targets a wide range of industries, including engineering and manufacturing sectors.
Detailed Analysis
The Ghost in the Zip operation is a multi-faceted cyber espionage campaign that employs several advanced tactics to achieve its objectives. At the heart of this campaign is the PXA Stealer malware, which is designed to steal sensitive information from compromised systems. The stealer is distributed through malicious ZIP files, often disguised as legitimate documents or software updates.
Once executed, the PXA Stealer malware connects to a C2 server controlled by the PurpleHaze group. This communication is facilitated using Telegram’s infrastructure, which provides a secure and reliable channel for command and control operations. The use of Telegram allows the attackers to evade detection by traditional security tools, as the traffic appears legitimate.
The GORE Shell component of the campaign is used for post-exploitation activities. It provides remote shell access and TCP tunneling capabilities through compromised devices. This allows the attackers to pivot into other networks after compromising perimeter devices, enabling lateral movement within the target’s infrastructure.
The malware has been observed targeting FortiGate 100D series firewalls, which are commonly used in enterprise networks. By compromising these devices, the attackers gain access to the internal network, allowing them to move laterally and compromise other systems. The use of DNS-over-HTTPS ensures that the location of the C2 server remains hidden from prying eyes.
The campaign also employs various channel types, including ‘session’ and a non-standard ‘jump’ type. The ‘session’ channel type allows the attacker to establish a remote shell on the infected device, providing direct access to the system. The ‘jump’ channel type is used for reverse-SSH tunneling, allowing the attacker to pivot into other networks after compromising a perimeter device.
The malware also offers TCP tunneling capabilities, which allow the attacker to create a secure tunnel between the infected device and the C2 server. This enables the transfer of data and commands, making it particularly useful for exfiltrating sensitive information from the compromised network.
Operational Security Measures
While the Ghost in the Zip campaign implements several operational security measures, its network communications are distinctive due to its use of Telegram’s infrastructure. This makes it easier for security tools to detect and analyze the malware’s traffic. Additionally, the use of a hardcoded C2 URL makes it difficult for the malware to adapt to changes in the network environment, potentially exposing the C2 server to detection and takedown.
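The three network behaviours described above (C2 riding on Telegram's infrastructure, DNS-over-HTTPS to hide the C2 location, and reverse-SSH "jump" tunnels out of a compromised perimeter device) are exactly the kind of egress anomalies the report says are detectable. The following script is an added illustration of how a defender might triage them over proxy or flow logs; it is not tooling from the report or from any vendor named in it. The log format, asset inventory, severity scheme and the 203.0.113.10 address are constructed; `api.telegram.org` and the DoH resolver hostnames are real, but treating the Telegram API host as the relevant indicator assumes the malware's channel uses the public Bot API, which the report does not state.

```python
"""Egress triage for the three network behaviours the report describes:
C2 over Telegram's infrastructure, DNS-over-HTTPS to hide the C2 location,
and reverse-SSH ('jump') tunnels from a compromised perimeter device.
Added illustration only; the log format, asset inventory and indicator
lists are constructed and would be replaced by a real deployment's data."""
import csv
import io
from dataclasses import dataclass

# Constructed asset inventory: internal addresses that are perimeter devices.
# A firewall has no business initiating chat-API or SSH sessions outbound.
PERIMETER_DEVICES = {"10.0.0.1": "edge-firewall", "10.0.0.2": "branch-firewall"}

# Telegram's Bot API endpoint (a real hostname). Treating it as a C2 indicator
# assumes the malware's Telegram channel uses the public API; the report only
# says it rides on Telegram's infrastructure.
TELEGRAM_HOSTS = {"api.telegram.org"}

# Well-known public DoH resolvers (real hostnames, illustrative list) and the
# RFC 8484 media type seen when a TLS-inspecting proxy can read the request.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_CONTENT_TYPE = "application/dns-message"

# Constructed egress log in a simple CSV shape (203.0.113.10 is a TEST-NET-3
# documentation address standing in for an attacker-controlled host).
SAMPLE_LOG = """\
ts,src_ip,dst_host,dst_port,proto,content_type
2024-01-01T10:00:00Z,10.0.5.20,www.example.com,443,tcp,text/html
2024-01-01T10:00:05Z,10.0.0.1,api.telegram.org,443,tcp,application/json
2024-01-01T10:00:09Z,10.0.5.21,dns.google,443,tcp,application/dns-message
2024-01-01T10:00:12Z,10.0.0.1,203.0.113.10,22,tcp,
2024-01-01T10:00:15Z,10.0.5.22,dns.quad9.net,443,tcp,text/html
2024-01-01T10:00:20Z,10.0.5.23,cdn.example.net,443,tcp,application/octet-stream
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src_ip: str
    rule: str
    severity: str
    detail: str


def classify(row: dict) -> list[Finding]:
    """Apply the three rules to one log row; a row can trip more than one."""
    findings = []
    src, host, port = row["src_ip"], row["dst_host"].lower(), int(row["dst_port"] or 0)
    from_perimeter = src in PERIMETER_DEVICES
    # Rule 1: traffic to Telegram's API. Distinctive per the report's own
    # operational-security observation; from a perimeter device it is far more
    # anomalous than from a workstation.
    if host in TELEGRAM_HOSTS:
        findings.append(Finding(row["ts"], src, "telegram-c2-channel",
                                "high" if from_perimeter else "medium",
                                f"{PERIMETER_DEVICES.get(src, 'host')} -> {host}"))
    # Rule 2: DNS-over-HTTPS. Match either a known resolver hostname or the DoH
    # media type; the latter only appears if the proxy decrypts TLS.
    if host in DOH_RESOLVERS or row["content_type"].lower() == DOH_CONTENT_TYPE:
        findings.append(Finding(row["ts"], src, "doh-resolver", "medium",
                                f"{host} content_type={row['content_type'] or '-'}"))
    # Rule 3: outbound SSH from a perimeter device, the shape a reverse-SSH
    # 'jump' tunnel takes when viewed from inside the network.
    if from_perimeter and port == 22 and row["proto"] == "tcp":
        findings.append(Finding(row["ts"], src, "perimeter-outbound-ssh", "high",
                                f"{PERIMETER_DEVICES[src]} -> {host}:{port}"))
    return findings


def triage(log_text: str) -> list[Finding]:
    """Run every row of a CSV egress log through classify()."""
    reader = csv.DictReader(io.StringIO(log_text))
    return [f for row in reader for f in classify(row)]


def count_by_rule(findings: list[Finding]) -> dict[str, int]:
    """Tally findings per rule for a quick overview of what fired."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} {f.severity:6} {f.rule:24} {f.src_ip:10} {f.detail}")
```

The rules deliberately lean on the asset inventory rather than on indicators alone: a workstation reaching a DoH resolver may be a browser setting, but a firewall opening an outbound SSH session or talking to a chat API is worth an immediate look regardless of which malware family is behind it. The hostname and media-type lists are the parts to tune to local policy; the structure stays the same.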
Recommendations for Mitigation
Organizations can implement several measures to mitigate the threat posed by the Ghost in the Zip campaign. These include:
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers within the network. This can be achieved by dividing the network into smaller segments and implementing strict access controls between segments.
- Regular Updates: Keep all systems and software up to date with the latest security patches. This includes firewalls, operating systems, and applications. Regular updates help address known vulnerabilities that can be exploited by malware like PXA Stealer.
- Intrusion Detection Systems (IDS): Deploy IDS to monitor network traffic for signs of malicious activity. IDS can help detect and alert on suspicious traffic patterns, allowing organizations to respond quickly to potential threats.
- Endpoint Protection: Implement endpoint protection solutions to detect and block malware on individual devices. Endpoint protection can help prevent the initial infection and limit the spread of malware within the network.
- Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include phishing simulations, training on recognizing suspicious emails, and best practices for password security.
- Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a ransomware attack or data loss. Backups should be stored offline or in a separate network segment to prevent them from being encrypted or deleted by the malware.
- Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.
By implementing these measures, organizations can significantly reduce the risk of falling victim to the Ghost in the Zip campaign and other sophisticated malware threats.
Discover more from ESSGroup