Threat Simulator: May 2023 Update


Cyber-attacks are becoming ubiquitous; they are a daily threat for most organizations, and indeed for most individuals.

“Are we safe from this?” is a question chief executives ask their security teams a lot.

With Threat Simulator, our customers and partners can quickly determine an organization’s ability to defend against the latest attacks seen in the news, answer this question, and shorten the time to remediate with our recommendations.

Our global Application and Threat Intelligence (ATI) Research Center has summarized the latest cyberattacks covered by Threat Simulator during May.

Disable or Modify System Firewall – ‘reg add’: Disable Microsoft Defender Firewall through registry (Command Prompt)

‘reg add’ is a Windows command-line tool used to add a new subkey or entry to the registry, or to overwrite the value of an existing entry. This audit modifies the ‘HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\’ registry key in order to disable the standard-profile firewall.
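A detection-side counterpart to this audit, added here as an example (it is not Threat Simulator code): it scans process-creation command lines for writes of EnableFirewall=0 under the FirewallPolicy key. EnableFirewall is the real value name under that key, which the paragraph above does not spell out; the event field names (Computer, User, CommandLine) and the sample events are constructed, and the check is generalized to the Domain and Public profiles and to the PowerShell registry cmdlets as well as reg add.

```python
"""Flag command lines that disable a Windows Defender Firewall profile by writing
EnableFirewall=0 under the FirewallPolicy registry key. Added example, not
Threat Simulator code; the events below are constructed."""
import re

# The three profiles under ...\SharedAccess\Parameters\FirewallPolicy\ (the audit
# on this page targets StandardProfile; the check covers the other two as well).
FIREWALL_KEY = re.compile(
    r"SharedAccess\\Parameters\\FirewallPolicy\\"
    r"(StandardProfile|DomainProfile|PublicProfile)",
    re.IGNORECASE,
)
# reg add <key> /v EnableFirewall /t REG_DWORD /d 0 [/f]
REG_ADD_DISABLE = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*?/v\s+[\"']?EnableFirewall[\"']?.*?/d\s+(?:0x)?0+(?=\s|$)",
    re.IGNORECASE | re.DOTALL,
)
# Set-ItemProperty / New-ItemProperty -Path <key> -Name EnableFirewall -Value 0
PS_DISABLE = re.compile(
    r"\b(Set|New)-ItemProperty\b.*?-Name\s+[\"']?EnableFirewall[\"']?"
    r".*?-Value\s+[\"']?(?:0x)?0+[\"']?(?=\s|$)",
    re.IGNORECASE | re.DOTALL,
)


def check_command_line(cmd):
    """Return {'profile', 'method'} if cmd disables a firewall profile, else None."""
    key = FIREWALL_KEY.search(cmd)
    if key is None:
        return None           # does not touch the firewall policy key at all
    if REG_ADD_DISABLE.search(cmd):
        return {"profile": key.group(1), "method": "reg add"}
    ps = PS_DISABLE.search(cmd)
    if ps is not None:
        return {"profile": key.group(1), "method": ps.group(1) + "-ItemProperty"}
    return None               # e.g. 'reg query', or writing EnableFirewall=1


def scan(events):
    """Return one finding per process-creation event that disables a firewall profile."""
    findings = []
    for ev in events:
        hit = check_command_line(ev["CommandLine"])
        if hit is not None:
            findings.append({"host": ev["Computer"], "user": ev["User"], **hit})
    return findings


BASE = r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
SAMPLE_EVENTS = [  # constructed process-creation events
    {"Computer": "WS01", "User": r"CORP\alice",
     "CommandLine": r"reg add " + BASE + r"\StandardProfile /v EnableFirewall /t REG_DWORD /d 0 /f"},
    {"Computer": "WS01", "User": r"CORP\alice",
     "CommandLine": r"reg add " + BASE + r"\DomainProfile /v EnableFirewall /t REG_DWORD /d 1 /f"},
    {"Computer": "WS02", "User": r"CORP\bob",
     "CommandLine": r"reg query " + BASE + r"\StandardProfile /v EnableFirewall"},
    {"Computer": "WS03", "User": r"CORP\carol",
     "CommandLine": r"powershell -NoProfile -Command Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile' -Name EnableFirewall -Value 0"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {f['method']} disabled {f['profile']}")
```

Run against the samples, the two disabling commands are reported while the query and the EnableFirewall=1 write are not. The same regexes map directly onto a Sigma-style rule over Sysmon Event ID 1 or Windows Security event 4688 command lines, and a registry value-set event (Sysmon Event ID 13) on the same key gives a second, tool-independent signal that does not depend on which utility performed the write.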

Data Destruction – “dd”: Overwrite and remove files (Bash)

Adversaries may try to render files irrecoverable by forensic techniques by overwriting them with randomly generated data. The ‘dd’ utility, present by default on most UNIX and UNIX-like operating systems, can copy, convert and format files. This audit uses ‘dd’ to overwrite files and ‘rm’ to remove them afterwards.

Data Destruction – “shred”: Overwrite files (Bash)

Adversaries may try to render files irrecoverable by forensic techniques by overwriting them with randomly generated data. GNU ‘shred’ is a program that overwrites files repeatedly in a way that makes them very difficult for a third party to recover. This audit uses ‘shred’ to overwrite files and delete them afterwards.
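The two data-destruction audits above (dd and shred) leave the same footprint in a process-execution feed, so one added example covers both; it is not Threat Simulator code, and the event records (ts, session, argv) are a constructed, minimal stand-in for auditd EXECVE or EDR exec telemetry. It flags dd copying from a random or zero device onto a regular file, flags any shred invocation (raising severity when -u/--remove deletes the file as well), and correlates an overwrite with a later rm of the same path in the same session, which is the sequence both audits perform.

```python
"""Detect 'dd'/'shred' overwrites and correlate them with a later 'rm' of the same
path. Added example (not Threat Simulator code); the events are constructed to
look like a minimal process-execution feed (timestamp, session id, argv)."""
import os
from datetime import datetime

RANDOM_SOURCES = {"/dev/urandom", "/dev/random", "/dev/zero"}
# shred options that consume the following token as their argument
SHRED_ARG_OPTS = {"-n", "-s", "--iterations", "--size", "--random-source"}


def classify_exec(argv):
    """Return {'action', 'tool', 'targets', 'self_delete'} for overwrite/delete
    commands, or None for anything else."""
    if not argv:
        return None
    tool = os.path.basename(argv[0])
    if tool == "shred":
        targets, skip, self_delete = [], False, False
        for tok in argv[1:]:
            if skip:                      # argument of -n / -s etc., not a file
                skip = False
                continue
            if tok in SHRED_ARG_OPTS:
                skip = True
            elif tok.startswith("--"):
                self_delete |= tok.startswith("--remove")
            elif tok.startswith("-"):
                self_delete |= "u" in tok   # -u, -zu, -vfzu ...
            else:
                targets.append(tok)
        return {"action": "overwrite", "tool": tool, "targets": targets,
                "self_delete": self_delete}
    if tool == "dd":
        opts = dict(tok.split("=", 1) for tok in argv[1:] if "=" in tok)
        src, dst = opts.get("if"), opts.get("of")
        # random/zero source onto a regular file; disk imaging (if=/dev/sda) is not flagged
        if src in RANDOM_SOURCES and dst and not dst.startswith("/dev/"):
            return {"action": "overwrite", "tool": tool, "targets": [dst],
                    "self_delete": False}
        return None
    if tool in ("rm", "unlink"):
        return {"action": "delete", "tool": tool,
                "targets": [t for t in argv[1:] if not t.startswith("-")],
                "self_delete": False}
    return None


def find_wipe_activity(events, window_seconds=300):
    """Emit a finding per overwrite and per overwrite->delete chain inside the window."""
    pending = {}   # (session, path) -> time of the overwrite
    findings = []
    for ev in events:
        res = classify_exec(ev["argv"])
        if res is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if res["action"] == "overwrite":
            findings.append({"ts": ev["ts"], "session": ev["session"], "kind": "overwrite",
                             "tool": res["tool"], "targets": res["targets"],
                             "severity": "high" if res["self_delete"] else "medium"})
            for path in res["targets"]:
                pending[(ev["session"], path)] = ts
        else:  # plain rm is noise on its own; only report it after an overwrite
            for path in res["targets"]:
                started = pending.pop((ev["session"], path), None)
                if started is not None and (ts - started).total_seconds() <= window_seconds:
                    findings.append({"ts": ev["ts"], "session": ev["session"],
                                     "kind": "overwrite_then_delete", "tool": res["tool"],
                                     "targets": [path], "severity": "high"})
    return findings


SAMPLE_EVENTS = [  # constructed
    {"ts": "2023-05-10T10:00:00", "session": 4242, "uid": 1000,
     "argv": ["dd", "if=/dev/urandom", "of=/home/alice/ledger.db", "bs=1M", "count=10", "conv=notrunc"]},
    {"ts": "2023-05-10T10:00:03", "session": 4242, "uid": 1000,
     "argv": ["rm", "-f", "/home/alice/ledger.db"]},
    {"ts": "2023-05-10T10:05:12", "session": 4242, "uid": 1000,
     "argv": ["shred", "-n", "3", "-zu", "/var/log/auth.log"]},
    {"ts": "2023-05-10T11:00:00", "session": 5150, "uid": 0,
     "argv": ["dd", "if=/dev/sda", "of=/mnt/backup/disk.img", "bs=4M"]},
    {"ts": "2023-05-10T11:30:00", "session": 5150, "uid": 0,
     "argv": ["rm", "-rf", "/tmp/build"]},
]

if __name__ == "__main__":
    for f in find_wipe_activity(SAMPLE_EVENTS):
        print(f["ts"], f["severity"], f["kind"], f["tool"], f["targets"])
```

The backup-style dd and the rm of /tmp/build produce nothing, which is the point of keying on the data source and on the overwrite-then-delete pairing rather than on the tool names alone. On the forensic side, GNU shred's own documentation cautions that it cannot be relied on for log-structured, journaled, copy-on-write or snapshotting filesystems, so an overwrite seen in telemetry does not by itself mean the data is beyond recovery.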

Rename System Utilities – ‘copy’: Masquerading cmd.exe as an instance of lsass.exe (Command Prompt)

The ‘copy’ command copies files from one location to another on Windows machines. This audit uses ‘copy’ to duplicate the command interpreter executable under the name lsass.exe, masquerading as the LSASS process. ‘lsass.exe’ is a legitimate Windows process that handles authentication and security-related functions on a computer.

Rename System Utilities – ‘copy’: Masquerading cmd.exe as an instance of lsm.exe (Command Prompt)

The ‘copy’ command copies files from one location to another on Windows machines. This audit uses ‘copy’ to duplicate the command interpreter executable under the name lsm.exe, masquerading as the lsm service. ‘lsm.exe’ is the Local Session Manager Service in Microsoft Windows and manages connections related to the terminal server on the host machine.

Rename System Utilities – ‘copy’: Masquerading cmd.exe as an instance of cdm.exe (Command Prompt)

The ‘copy’ command copies files from one location to another on Windows machines. This audit uses ‘copy’ to duplicate the command interpreter executable under the name cdm.exe. ‘cdm.exe’ is visually similar to ‘cmd.exe’, which makes a renamed copy of the command interpreter easy to overlook and so harder to detect.

Rename System Utilities – ‘copy’: Masquerading powershell.exe as an instance of taskhostw.exe (Command Prompt)

The ‘Copy-Item’ PowerShell cmdlet copies files from one location to another on Windows machines. This audit uses ‘Copy-Item’ to duplicate the PowerShell executable under the name taskhostw.exe, masquerading as that legitimate Windows process. ‘taskhostw.exe’ is a legitimate system process associated with the Windows Task Scheduler, which allows users to schedule automated tasks, such as running programs, scripts or system maintenance activities, at specified times or intervals.

Rename System Utilities – ‘copy’: Masquerading cmd.exe as an instance with .tmpl extension (Command Prompt)

The ‘copy’ command copies files from one location to another on Windows machines. This audit uses ‘copy’ to duplicate the command interpreter executable (cmd.exe) under a name with a .tmpl extension, masquerading as a template file. A .tmpl file is a template file that typically contains placeholders or variables to be replaced with actual values or content in order to generate a final file. Such files hold a set of predefined values and configurations that can be used to quickly set up an application or service in a specific way. A malicious file designed to look like a .tmpl file can therefore lead to incorrect configurations and settings being deployed unwittingly.

Rename System Utilities – ‘copy’: Masquerading wscript.exe as an instance of svchost.exe (Command Prompt)

The ‘Copy-Item’ PowerShell cmdlet copies files from one location to another on Windows machines. This audit uses ‘Copy-Item’ to duplicate the system utility ‘wscript.exe’ under the name ‘svchost.exe’, the name of a legitimate Windows service process. ‘wscript.exe’, also known as Windows Script, provides Windows systems with scripting capabilities. ‘svchost.exe’ is a shared service process that allows many Windows services to share a single process, and it has access to sensitive areas of the computer.
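All six masquerading audits above rename a known utility (cmd.exe, powershell.exe, wscript.exe) to a system process name, a lookalike name or a non-executable extension, so one added example covers them; it is not Threat Simulator code. It assumes Sysmon-style process-creation events carrying Image and OriginalFileName (the name from the binary's version resource, which survives a file rename) and uses constructed events. The rule set is generalized beyond the page's specific names: a PE-name mismatch, a protected name running outside System32/SysWOW64, an executable hidden behind another extension, and a one-edit lookalike computed with an optimal-string-alignment distance so that the cmd to cdm transposition counts as a single edit.

```python
"""Flag renamed or lookalike copies of system utilities from process-creation
events. Added example, not Threat Simulator code; events are constructed in a
Sysmon-like shape (Image, OriginalFileName from the PE version resource)."""
import ntpath

# Names the audits on this page masquerade as; extend with other protected names as needed.
PROTECTED_NAMES = {"lsass.exe", "lsm.exe", "svchost.exe", "taskhostw.exe"}
# Directories where those names are expected to live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Utilities whose names get imitated with one-character changes (cmd.exe -> cdm.exe).
LOOKALIKE_TARGETS = ("cmd.exe", "powershell.exe", "wscript.exe")
KNOWN_GOOD = PROTECTED_NAMES | set(LOOKALIKE_TARGETS) | {"cscript.exe"}


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify(event):
    """Return the list of masquerading indicators for one event (empty list = clean)."""
    image = event["Image"]
    name = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    ext = ntpath.splitext(name)[1]
    original = (event.get("OriginalFileName") or "-").lower()
    reasons = []
    # R1: the PE's own OriginalFileName disagrees with the on-disk name (renamed copy).
    if original != "-" and original != name:
        reasons.append("pe_name_mismatch")
    # R2: a protected system name running from outside the system directories.
    if name in PROTECTED_NAMES and folder not in SYSTEM_DIRS:
        reasons.append("system_name_outside_system_dir")
    # R3: an executable hiding behind a non-.exe extension such as .tmpl.
    if ext != ".exe" and original.endswith(".exe"):
        reasons.append("executable_with_disguised_extension")
    # R4: one-edit lookalike of a well-known utility (works even with stripped version info).
    if name not in KNOWN_GOOD:
        for target in LOOKALIKE_TARGETS:
            if osa_distance(name, target) == 1:
                reasons.append("lookalike_of_" + target)
    return reasons


def scan(events):
    """Map each flagged image path to its indicators."""
    return {e["Image"]: classify(e) for e in events if classify(e)}


SAMPLE_EVENTS = [  # constructed
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Windows\System32\lsass.exe", "OriginalFileName": "lsass.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\lsass.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Users\bob\taskhostw.exe", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Users\bob\cdm.exe", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\ProgramData\config.tmpl", "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Users\bob\svchost.exe", "OriginalFileName": "-"},  # version info stripped
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(reasons))
```

R1 alone catches every audit on the page as long as the version resource is intact; R2 to R4 are the fallback for a copy whose version information was stripped, which is why the svchost.exe sample with OriginalFileName "-" is still flagged. cscript.exe is listed as known-good deliberately, since it sits one edit away from wscript.exe and would otherwise be a standing false positive.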

New Threat Campaigns

CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers:

AhnLab released a report covering a recent attack campaign in which XMRig CoinMiner is installed on poorly managed Linux SSH servers. The campaign is also referred to as “KONO DIO DA” because of a personalized message the threat actor included in the malware. Besides installing XMRig CoinMiner, the threat actor maintains persistence by deploying an SSH backdoor. If the miner is successfully installed, it uses system resources to mine Monero. Moreover, the threat actor can log into the system through the backdoor SSH account at any time to steal data, install additional malware or perform other malicious activities.

Check Point released a report about the distribution of ROKRAT malware by the North Korean threat actor APT37 through various infection chains. Originally found only on Windows, the malware has evolved over the years, with newer versions discovered on macOS and Android. The delivery method recently changed from malicious documents to LNK files.

Qakbot Distributed via OneNote and CHM:

The AhnLab Security Emergency Response Center (ASEC) has reported a distribution method for the Qakbot malware through OneNote files that make use of Windows Help (CHM) files. The method is similar to the Qakbot distribution via PDF seen in April, and users are advised to be cautious when opening emails and OneNote files from unknown sources.

RecordBreaker Stealer Distributed via Hacked YouTube Accounts:

AhnLab released a report about the recent distribution of the RecordBreaker infostealer via hacked YouTube accounts. RecordBreaker disguises itself as a software crack or installer and is capable of stealing information from victim systems as well as installing additional malware. In an observed case, RecordBreaker was distributed via a YouTube account with over 100,000 subscribers that appeared to have been recently hacked. The threat actor stole information from infected machines and installed CoinMiner in order to mine cryptocurrency.

A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors:

Mandiant has analyzed three attack patterns that use Windows shortcuts and Chromium-based browser extensions for system compromise. All three scenarios investigated started from malware that tampers with how extensions are linked to the browser and then replaces benign Chromium extensions with customized malicious scripts. The end goals of these attacks appear diverse: some samples, such as RILIDE, try to hijack the user’s web session, while others try to steal data such as emails and cryptocurrency.

Attack on Security Titans: Earth Longzhi Returns With New Tricks:

Trend Micro released a report regarding a campaign conducted by Earth Longzhi that uses multiple techniques to evade detection, as well as a new denial-of-service (DoS) technique called stack rumbling. Earth Longzhi is a sub-group of APT41. They disable security products by exploiting a vulnerable driver in a bring-your-own-vulnerable-driver (BYOVD) attack, and they evade API monitoring by installing drivers as kernel-level services through Microsoft Remote Procedure Call (RPC). They also disable security products using stack rumbling via Image File Execution Options (IFEO), which appears to be a new DoS technique.

AhnLab Security Emergency response Center (ASEC) has published a report on phishing email threats observed between April 16th and April 22nd, 2023. That week, the phishing emails were mostly disguised as messages from delivery companies such as DHL and FedEx, with an HTML file attached. The report highlights FakePage as the most common threat type, at 52%, followed by Infostealers (20%), Backdoor (11%) and Worm (8%).

Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on Telegram:

SentinelOne released a report that analyses Atomic Stealer’s features and presents a second macOS variant not previously reported. Via a dedicated Telegram channel, cybercriminals can purchase a malicious installer for Atomic macOS Stealer. In addition, the malware’s author provides a web interface from which customers can manage their campaigns; payload distribution is left to the crimeware actor renting the package. Atomic Stealer, written in Go, is capable of stealing account passwords, browser data, session cookies and crypto wallets using a one-hit smash-and-grab methodology.

A doubled ‘Dragon Breath’ adds new air to DLL sideloading attacks:

Sophos released a report regarding the activity of the Dragon Breath threat actor, which targets the online gambling sector and uses DLL sideloading techniques. The group employs a double-clean-installer approach, in which one application side-loads a second application, which in turn side-loads a malicious DLL that executes the final payload. The infection vectors appear to be fake installers for Telegram or WhatsApp.

Clean Rooms, Nuclear Missiles, and SideCopy, Oh My!:

Fortinet released a report on a new threat campaign attributed to the Pakistani APT group “SideCopy” that appears to target Indian defense industry personnel. The initial infection vector appears to be a phishing email, and the deployed malware is capable of gaining control over the victim’s system and collecting sensitive information.

Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign:

SentinelOne released a report regarding a campaign conducted by the Kimsuky threat actor using a new malware component called ReconShark. Kimsuky is a North Korean group; the report covers its attack against Korea Risk Group, under the assumption that the activity also targets many other organizations and individuals across the globe. To deliver the malware, the group uses phishing emails tuned to the specific target, increasing the likelihood of success. These emails entice users to download a file, and recently they have made use of Microsoft OneDrive.

Threat Source newsletter (May 4, 2023) — Recapping the biggest headlines to come out of RSA:

Talos released its weekly Threat Source Newsletter (May 4, 2023), covering the topics of the recent RSA Conference in San Francisco, where AI and its impact on cybersecurity was a major talking point. It was reported that the use of web shells is becoming more popular in cyber-attacks, while the lack of multi-factor authentication remains a problem for enterprise security. The top headlines of the week include Meta flagging more than 1,000 domains spreading malware-carrying ChatGPT-themed tools, and a critical vulnerability in Illumina DNA sequencing devices that attackers can use to alter or steal patients’ medical data.

ASEC Weekly Malware Statistics (April 24th, 2023 – April 30th, 2023):

AhnLab released its weekly malware statistics report for April 24th – April 30th, 2023. In the collected data, infostealers ranked first with 54.9%, downloaders second with 33.3%, followed by backdoors with 10.5%, ransomware with 0.6% and banking malware also with 0.6%. The top 5 malware identified were AgentTesla, Amadey, Formbook, Guloader (tied) and SnakeKeylogger (tied).

Threat Roundup for April 28 to May 5:

Talos released a report on the most widespread threats identified between April 28 and May 5.

The article lists the top threats as follows: Win.Packed.njRAT, Win.Dropper.Bifrost, Win.Ransomware.Cerber, Win.Dropper.Kuluoz, Win.Dropper.XtremeRAT, Win.Dropper.Tofsee and Win.Trojan.Ramnit. Each threat is briefly described, and a JSON file is provided with all associated IOCs and file hashes.

AhnLab Security Emergency response Center (ASEC) has published a report on phishing email threats observed between April 23rd and April 29th, 2023. That week, the malware was mostly disguised as image files, with eye-catching messages enticing the user to open them. The report highlights FakePage as the most common threat type, at 62%, followed by Infostealer (15%), Worm (11%), Trojan (6%), Downloader (3%) and Exploit (3%).

AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717):

Fortinet released a report on AndoryuBot, a botnet that uses the SOCKS protocol and is distributed through the Ruckus vulnerability CVE-2023-25717, which affects multiple Ruckus wireless Access Point (AP) devices and allows remote code execution. AndoryuBot contains DDoS attack modules for various protocols and communicates with its C2 server via the SOCKS protocol.

Fake system update drops Aurora stealer via Invalid Printer loader:

Malwarebytes released a report on a new loader called Invalid Printer that is distributed via malvertising and drops the Aurora stealer on victim systems. The threat actor uses malicious ads that point to a fake but convincing Windows security update. The payload of this campaign is Aurora stealer, a widespread malware able to collect credentials from targeted systems.

Investigating Ducktail LinkedIn Operation:

Trend Micro released a report regarding a spear-phishing campaign called Ducktail, conducted via LinkedIn messages and allowing the threat actor to compromise Facebook business accounts. The operation targets marketing and HR professionals by sending direct messages on LinkedIn. Although the chat message itself is no longer available, it is concluded that the recipient is tricked into downloading malicious files hosted on iCloud. Once on the target machine, the malware collects credentials from all browsers while opening a legitimate PDF document to draw the victim’s attention away from the attack itself. Finally, it tries to log in using the victim’s Facebook account. In addition, it exfiltrates the acquired local information through Telegram.

RapperBot DDoS Botnet Expands into Cryptojacking:

Fortinet released a report about a new campaign by the RapperBot malware family, active since January 2023. The threat actors behind it have begun to explore cryptojacking as a new method of attack, targeting Intel x64 machines. The campaign resembles earlier ones in that it uses an SSH public key to maintain backdoor access to infected machines. The significant update to the malware’s functionality is in its C2 communication protocol, where an extra layer of XOR encoding was added to hinder easy detection.

Analysis of CLR SqlShell Used to Attack MS-SQL Servers:

AhnLab released a report on SqlShell malware, which targets MS-SQL servers and can execute commands issued by attackers as well as perform various other malicious activities. The targets are usually poorly configured MS-SQL database servers, against which threat actors resort to brute-force or dictionary attacks. The end goal is to install other malware, such as CoinMiner or ransomware, on the compromised system.

ASEC Weekly Malware Statistics (May 1st, 2023 – May 7th, 2023):

AhnLab released a report on the most frequent types of malware collected between May 1st and May 7th, 2023. General categories rank as follows: infostealers 60.6%, downloaders 27.3%, backdoors 9.1% and ransomware 3%. The top 5 specific malware families, by percentage of samples found in the total analyzed, are: Agent Tesla (infostealer, 25.8%), Formbook (infostealer, 20.5%), Amadey (downloader, 17.4%), Guloader (downloader, 9.8%) and Lokibot (infostealer, 6.8%).

Uncovering RedStinger – Undetected APT cyber operations in Eastern Europe since 2020:

Malwarebytes released a report regarding the activity of the Red Stinger threat actor against Ukraine for data gathering and surveillance. The operation started in 2020 and continued after the war between Russia and Ukraine began. The report covers five campaigns in which the attackers used an extensive toolset and targeted specific entities, with victims among both Ukrainian and Russia-aligned entities.

New phishing-as-a-service tool ‘Greatness’ already seen in the wild:

Talos has identified a new phishing-as-a-service (PaaS) offering called ‘Greatness’, active since mid-2022, which provides convincing decoy and login pages suited to phishing business users. The kit includes multi-factor authentication bypass, IP filtering and integration with Telegram bots. It operates as a ‘man-in-the-middle’ attack and steals authentication credentials or cookies.

Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG:

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have found that the CVE-2023-27350 vulnerability in PaperCut servers was exploited by a ransomware threat actor. The vulnerability stems from improper access controls in a Java class and allowed the Bl00dy Ransomware Gang to bypass authentication and achieve remote code execution (RCE) through two methods. However, FBI and CISA note that actors may develop other methods for RCE.

Botnet Fenix: A New Type of Tax Payday in Latin America:

Metabase Q released a report on a new botnet called “Fenix” that targets individuals who use online government services in Mexico and Chile, typically to pay taxes. The campaign makes use of the tax season in those countries to redirect users to fake malicious websites that imitate the official web portals. Upon accessing the fake websites, users are tricked into installing a “security tool” that will supposedly increase safety when using the portal; this is how they unknowingly install malware that steals sensitive information from their systems.

Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers:

SentinelOne released a report regarding the use of leaked Babuk source code to create new ransomware targeting VMware ESXi. The 2021 source code leak gave insight into the development operations of a threat actor and offered others the opportunity to build new malware targeting Linux systems. The report compares Babuk samples with samples from other ransomware groups, like Conti and REvil, and with other malware families such as Cylance, Dataf Locker, Rorschach (aka BabLock), Lock4 and RTM Locker.

Threat Source newsletter (May 11, 2023) — So much for that ransomware decline:

Talos released its weekly Threat Source Newsletter (May 11, 2023), including the most prevalent malware observed over the past week. It was reported that even though ransomware revenue is not as profitable for threat actors as expected, the volume of attacks is not changing all that much. The top headlines of the week include new exploit code for a critical vulnerability in PaperCut MF/NG print management software, two vulnerabilities being actively exploited in the wild, and the discovery of a new phishing-as-a-service tool called “Greatness”.

RecordBreaker Infostealer Disguised as a Well-known Korean Software:

AhnLab released a report about the recent distribution of RecordBreaker infostealer malware disguised as software released by a well-known Korean software company. Typically, RecordBreaker (also known as Raccoon Stealer v2) disguises itself as a software crack or keygen and is distributed via various channels such as websites or YouTube accounts. When installed on the victim’s system, RecordBreaker is capable of stealing sensitive information, as well as installing additional malware.

AhnLab Security Emergency response Center (ASEC) has published a report on phishing email threats observed between April 30th and May 6th, 2023. That week, the phishing emails were mostly disguised as plane tickets, taking advantage of the upcoming holiday season. The report highlights FakePage as the most common threat type, at 44%, followed by Infostealer (40%), Worm (6%), Trojan (5%), Downloader (4%) and Exploit (1%).

Malicious AI Tool Ads Used to Deliver Redline Stealer:

Trend Micro presented the use of fake web pages for popular AI tools (Midjourney, ChatGPT) and social engineering to convince victims to download malware droppers. The downloaded payload is an obfuscated PowerShell script that communicates with the C2 server through the Telegram API. Victims who execute this script are infected with the Redline stealer, which is capable of stealing browser cookies, passwords and crypto wallet data.

More Supply Chain Attacks via Malicious Python Packages:

Fortinet discovered more than 30 new zero-day attacks in PyPI (Python Package Index) packages and grouped them by similarity. Analysis of these malicious Python packages found two main objectives: loading additional malware onto the victim’s system and stealing sensitive information.

Geacon Brings Cobalt Strike Capabilities to macOS Threat Actors:

SentinelOne released an article about Geacon, a Go implementation of Cobalt Strike Beacon that is used against macOS targets. Two popular forks, Geacon Plus and Geacon Pro, developed by an anonymous Chinese developer named “z3ratu1”, were included in the 404 Starlink project. Malicious Geacon payloads were also observed on VirusTotal, indicating a potential malicious campaign.

Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules:

Trend Micro released a report regarding the activity of Water Orthrus, a threat actor associated with two new campaigns: CopperStealth and CopperPhish. The CopperStealth campaign delivers a rootkit via a Chinese website and targets users from that country. The CopperPhish campaign targets users globally and uses a phishing kit designed to steal card information. The same threat actor is associated with the Scranos campaign from 2019.

Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors:

Symantec released a report regarding the activity of Lancefly, a threat actor that uses a custom backdoor and targets organizations in South and Southeast Asia. The backdoor, called Merdoor, was first seen in 2018 and has been observed only rarely since, indicating that the attacks are highly targeted. Its functionality includes installation as a service, keylogging, communication with command-and-control servers and listening on a local port for commands.

The Dragon Who Sold His Camaro: Analyzing Custom Router Implant:

Check Point Research published an article uncovering a new threat actor named Camaro Dragon, which targets TP-Link routers, modifies their firmware and infects private networks. The threat actor overlaps with other Chinese state-sponsored groups in how the firmware implants work and in the software dependencies the attack is built upon. The malicious firmware image is derived from a genuine TP-Link software executable to which the attackers added a novel custom backdoor known as Horse Shell. While the method by which routers are initially infected is not known, the implant is capable of forcing the device to connect to C2 servers, starting remote shells and exfiltrating files.

Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code:

Talos identified a new threat actor named RA Group that spreads ransomware based on the leaked Babuk source code. RA Group managed to compromise four organizations operating in sectors such as manufacturing, financial services, insurance and pharmaceuticals; three are US-based and one is based in South Korea. To increase the likelihood of ransom payment, RA Group leverages double extortion, threatening to leak the exfiltrated data on a site it manages.

8220 Gang Evolves With New Strategies:

This report highlights the activities of the 8220 Gang, which has been targeting vulnerable applications in cloud and container environments since 2017. The threat actor exploits vulnerabilities and deploys cryptocurrency miners on compromised systems, reusing tools and abusing legitimate utilities. It has recently employed new strategies in its campaigns, including abuse of the Linux utility “lwp-download” and exploitation of the Oracle WebLogic vulnerability CVE-2017-3506.

#StopRansomware: BianLian Ransomware Group:

The FBI, CISA and ACSC released a report regarding the activity of BianLian, a ransomware group that has targeted organizations in the USA and Australia. The group gains access to victims through valid RDP credentials, uses discovery and credential-harvesting techniques, and then exfiltrates data via FTP, Rclone and Mega. Its goal is to extort victims by leaking the gathered information if payment is not made. The group uses custom backdoors written in Go, tailored to the victim, and installs remote access tools such as TeamViewer, Atera Agent, SplashTop and AnyDesk. Its techniques also include defense evasion, such as disabling antivirus tools.

SparkRAT Being Distributed Within a Korean VPN Installer:

AhnLab published its findings regarding a VPN program installer embedded with the open-source SparkRAT. Once the installer is executed, a .NET dropper initializes the environment and establishes persistence for the SparkRAT malware. Notable for being developed in Go (Golang), SparkRAT provides basic features commonly found in RAT malware, such as executing commands, stealing information, and controlling processes and files.

Infostealer Being Distributed to Japanese Users:

AhnLab released a report regarding infostealers disguised as an adult game and targeting Japanese users. The malware is executed using a DLL hijacking technique: when the executable is run, a malicious DLL is loaded. The two infostealers are named Stellar and ReceiverNeo; the first targets user credentials and the second runs as a scheduled task to exfiltrate screenshots.

The distinctive rattle of APT SideWinder:

Group-IB, together with the cyber security company Bridewell, released a joint research report disclosing 55 previously unknown IP addresses that could potentially be used by the SideWinder APT group in future phishing attacks. The newly identified phishing domains imitate organizations in sectors including government, finance, telecommunications and news. The targeted organizations are based in countries such as Pakistan, China and India.

The Phantom Menace: Brute Ratel remains rare and targeted:

Sophos released an article about Brute Ratel, a commercial tool intended for Red Team and Adversary Simulation exercises. Despite fears that it would become the go-to tool for threat actors and the successor of Cobalt Strike, Brute Ratel did not live up to those expectations and still remains largely unused. A notable attack that used the tool took place on January 1st and involved a highly obfuscated JavaScript file that injected a component of Brute Ratel into another genuine program. Brute Ratel remains unpopular due to threat actors’ distaste for the tool and the efforts of its developers to stop illicit distribution of cracked versions.

Threat Source Newsletter (May 18, 2023) — It’s really OK to take a break sometimes, especially in security:

Talos released its weekly Threat Source Newsletter (May 18, 2023), including the most prevalent malware observed over the past week. It was reported that a new threat actor named RA Group was identified; it spreads ransomware based on the leaked Babuk source code and targets US and South Korean organizations across multiple industry sectors. The top headlines of the week include the need for governments worldwide to properly enforce spyware regulation, the recent ransomware attack against MSI, Twitter’s announced end-to-end encryption for direct messages, and the remaining unpatched vulnerabilities.

Black Basta: Anatomy of the Attack:

Infoblox released a report on the activity of Black Basta, a Russian-speaking ransomware group that leverages double extortion techniques. The threat actor has targeted organizations across multiple industry sectors in Europe and English-speaking countries. Its most recent victim was ABB, a well-known automation company. Black Basta was also behind the attacks on the American Dental Association (ADA), Sobeys, Knauf and Yellow Pages Canada.

CloudWizard APT: the bad magic story goes on:

Securelist released a report regarding a campaign in the region of the Russo-Ukrainian conflict, presenting how the implanted CloudWizard framework functions. The framework is complex and able to take screenshots, record the microphone and collect browser cookies and keystrokes. It collects this data and uploads it at regular intervals to cloud providers such as Google Drive, Dropbox or OneDrive; if none of these methods works, it sends the data to a C2 web server. The presumed installer of the framework would be deployed either physically on the target machine or through a network setting. In addition, the Securelist researchers found evidence linking the malware’s author to other campaigns such as Operation Groundbait and Operation BugDrop.

Rust-Based Info Stealers Abuse GitHub Codespaces:

Trend Micro released a report regarding a Rust-based infostealer that uses GitHub Codespaces to deliver the malware. The malware is disguised as a genuine application and takes advantage of exposed ports on a Codespace instance to exfiltrate data from web browsers, Discord, Steam and cryptocurrency wallets. The infostealer also includes anti-debugging features to check whether it is running in a sandbox or debugging environment.

Kimsuky Group Using Meterpreter to Attack Web Servers:

AhnLab released a report regarding attacks conducted by Kimsuky against Windows IIS web servers; the targets are believed to be vulnerable or poorly managed IIS servers. After gaining initial access, the attackers install Metasploit Meterpreter, a security tool intended for penetration tests and red-team exercises. Their goal appears to be remote access, achieved by installing proxy malware that provides an RDP connection to the victim machine.

Cloud-based Malware Delivery: The Evolution of GuLoader:

Check Point released a report on the evolution of GuLoader, a shellcode-based downloader used in numerous attacks to deliver popular malware such as Formbook, XLoader and AgentTesla to targeted systems. The malware was identified at least three years ago and is constantly improving. Its payload is fully encrypted, which allows storage on cloud services, antivirus evasion and long-term download availability. The latest version of GuLoader adds new anti-analysis features that substantially increase the difficulty of analysis.

WINTAPIX: A New Kernel Driver Targeting Countries in The Middle East:

Fortinet released a report on a new kernel driver called WINTAPIX that primarily targets Saudi Arabia and other Middle Eastern countries. The driver uses the open-source Donut project to inject its malicious shellcode. Based on the targets, Fortinet believes an Iranian threat actor is behind the driver's distribution.

StrelaStealer Being Distributed To Spanish Users:

AhnLab's analysis team discovered that the information stealer StrelaStealer is targeting Spanish users, delivered in spam emails as ZIP attachments rather than the ISO files used in prior campaigns. The ZIP archive contains a PIF (Program Information File) carrying the malicious code. Once executed, it steals credentials from the Thunderbird and Outlook mail clients, then displays a decoy alert, also written in Spanish, claiming that the archive is corrupted.

Meet the GoldenJackal APT group. Don’t expect any howls:

Securelist researchers discovered a threat actor group called GoldenJackal that targets government and diplomatic entities in the Middle East and South Asia with a dedicated toolset. The actor uses a number of .NET programs: JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher. Initial infection comes from two sources: a Skype installer trojanised with JackalControl, and a malicious document that exploits the Follina vulnerability (CVE-2022-30190). The toolchain can take control of the target computer (JackalControl), exfiltrate files (JackalSteal), spread via USB devices (JackalWorm), steal browser credentials (JackalPerInfo) and exfiltrate screen captures (JackalScreenWatcher). Securelist found some similarities between GoldenJackal and Turla, such as the use of compromised WordPress websites as C2 servers.

BlackCat Ransomware Deploys New Signed Kernel Driver:

Trend Micro released a report on a BlackCat ransomware incident from February 2023 that used a signed driver to evade detection. Threat actors try to defeat Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) products by running their malicious code at the kernel level (or even lower). To satisfy Microsoft's code-signing requirements for drivers, they either use a certificate leaked or stolen from a compromised machine, or obtain a valid one by impersonating a legitimate entity, abusing the Microsoft signing portal, or purchasing code-signing certificates on underground markets.

YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner:

Fortinet discovered that compromised, popular YouTube channels are being used to trick viewers into installing malicious binaries disguised as pirated software. The lure videos are uploaded in batches and deleted regularly, and some carry likely auto-generated comments linking to file-sharing services that host password-protected archives. Each archive contains several malware samples (Vidar Stealer, GUI_MODERNISTA, Vadwax and Vaxa) alongside assorted files and directories included to make it look like a legitimate installer. The infection's purpose is to steal text files from the Desktop, divert cryptocurrency funds to the attacker's wallet and install cryptocurrency miners.

Operation “Total Exchange”: New PowerExchange Backdoor Discovered in the UAE:

Fortinet researchers published a report investigating previously unknown malware samples used in earlier attacks on government entities in the United Arab Emirates. The sample, named PowerExchange, is a custom PowerShell-based backdoor that targets Microsoft Exchange; compromised servers communicate with the attacker's C2 through email. The infection chain starts with an archive containing a .NET executable which, when run, loads and executes PowerExchange. The campaign aims to steal credentials from the Exchange servers and also exploits CVE-2020-0688. APT34 is suspected, since PowerExchange's behaviour resembles that of the group's TriFive backdoor.

Volt Typhoon targets US critical infrastructure with living-off-the-land techniques:

Microsoft has uncovered a campaign by a Chinese state-sponsored actor known as Volt Typhoon, which specialises in post-compromise credential access and network discovery. The campaign is designed to be as stealthy as possible, routing traffic only through compromised network equipment, proxies and VPN hardware. Initial access is gained through internet-facing Fortinet FortiGuard devices, from which the attacker obtains Active Directory credentials; the exact method used to compromise these devices is still under investigation. Once in, the actor conducts hands-on-keyboard activity from the command line.

Technical Analysis of Pikabot:

Zscaler researchers have found a new trojan called Pikabot, which is built from multiple components, includes evasion techniques and can deploy additional tooling such as Cobalt Strike. The malware has two components: an injector that tries to evade detection, and the main module that communicates with the C2 server. Pikabot shares behavioural similarities with the Qakbot trojan, and many of its key features are inspired by open-source proof-of-concepts found on GitHub.

The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile:

Akamai describes how an inexperienced young individual became a successful threat actor by targeting the gaming industry with Distributed Denial of Service (DDoS) attacks from the Dark Frost botnet. The researchers note that even low-skilled actors can inflict significant damage thanks to botnet-as-a-service offerings and AI code-generation tools. The actor exploits misconfigurations in Hadoop YARN servers, a weakness known since 2014 that still has no assigned CVE; once exploited, it allows remote code execution on the target machine. The resulting malware, Dark Frost, shares code with the Gafgyt, BASHLITE/Qbot and Mirai families.
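The Hadoop YARN weakness referred to above is a configuration problem rather than a software bug, so the practical check is an audit of the cluster's own settings. The following is an added example (not Akamai's code, and not part of the original report) that parses constructed core-site.xml and yarn-site.xml fragments and flags the settings that leave the ResourceManager open to anyone who can reach it. It assumes the misconfiguration in question is Hadoop's default "simple" authentication with no service authorization and no YARN ACLs; the property names are real Hadoop properties, but the file contents and host names are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml / yarn-site.xml fragments (not taken from any real
# cluster). The weak set matches Hadoop's defaults: no Kerberos, no service
# authorization, no YARN ACLs, so anyone who can reach the ResourceManager can
# submit an application and run code on the NodeManagers.
WEAK_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn01:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>"""

WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm01</value></property>
  <property><name>yarn.acl.enable</name><value>false</value></property>
  <property><name>yarn.admin.acl</name><value>*</value></property>
</configuration>"""

# The same two files after hardening (Kerberos, authorization on, ACLs on,
# admin ACL restricted to named users).
HARDENED_CORE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn01:8020</value></property>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.resourcemanager.hostname</name><value>rm01</value></property>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn,hdfs</value></property>
</configuration>"""

# (property, source file, Hadoop default when absent,
#  predicate that is True for an acceptable value, finding message)
CHECKS = [
    ("hadoop.security.authentication", "core-site.xml", "simple",
     lambda v: v.lower() == "kerberos",
     "cluster accepts unauthenticated ('simple') clients; set to kerberos"),
    ("hadoop.security.authorization", "core-site.xml", "false",
     lambda v: v.lower() == "true",
     "service-level authorization is disabled; set to true"),
    ("yarn.acl.enable", "yarn-site.xml", "false",
     lambda v: v.lower() == "true",
     "YARN ACLs are disabled; set to true"),
    ("yarn.admin.acl", "yarn-site.xml", "*",
     lambda v: v.strip() != "*",
     "yarn.admin.acl is '*' (everyone is an admin); restrict to named users/groups"),
]


def parse_hadoop_xml(xml_text):
    """Parse a Hadoop *-site.xml document into a {property name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        value = prop.findtext("value", default="")
        if name:
            props[name.strip()] = value.strip()
    return props


def audit_yarn_exposure(core_site_xml, yarn_site_xml):
    """Return a list of (property, message) findings; an empty list means every
    checked setting is hardened. A property that is absent from the file is
    evaluated at its Hadoop default, which is the weak value for every check."""
    props = {
        "core-site.xml": parse_hadoop_xml(core_site_xml),
        "yarn-site.xml": parse_hadoop_xml(yarn_site_xml),
    }
    findings = []
    for name, src, default, acceptable, message in CHECKS:
        value = props[src].get(name, default)
        if not acceptable(value):
            findings.append((name, message))
    return findings


if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE_SITE, WEAK_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        print(f"== {label} ==")
        for name, message in audit_yarn_exposure(core, yarn) or [("-", "no findings")]:
            print(f"  {name}: {message}")
```

The audit treats a missing property as its Hadoop default on purpose: an empty `<configuration/>` is the most common real-world "misconfiguration", because nothing was ever set. Enabling Kerberos also requires keytabs and principals for every daemon, so the message points at the setting but the rollout is a larger change than the one-line fix suggests.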

Buhti: New Ransomware Operation Relies on Repurposed Payloads:

Symantec released a report on Buhti, a new ransomware operation run by a group it tracks as Blacktail, which reuses the LockBit and Babuk ransomware payloads alongside a novel custom exfiltration tool. Part of the group's success is how quickly it exploits newly disclosed vulnerabilities, such as the remote code execution (RCE) flaw in PaperCut NG and MF (CVE-2023-27350). Besides encrypting important files, the ransomware executables can communicate with a C2 server. The custom exfiltration tool is written in Golang and runs on both Windows and Linux.

Shedding light on AceCryptor and its operation:

WeLiveSecurity researchers document a cryptor-as-a-service tool called AceCryptor, which lets attackers pack their malware to evade detection, analysis and sandboxing. Because many threat actors buy such a service rather than building their own obfuscation and anti-detection layers, a wide variety of malware families have been found wrapped by it (SmokeLoader, RedLine Stealer, RanumBot and others). AceCryptor is intricate, built from three layers of shellcode, each decrypting the next. Its distinctive traits include time-consuming code loops (to slow down debugging), randomised API calls (to frustrate behavioural detection) and encrypted code layers.

Analysis of Attack Cases: From Korean VPN Installations to MeshAgent Infections:

AhnLab presents the improvements and new features found in SparkRAT malware delivered through tampered VPN installers. The first difference from the previous campaign is that the dropper embedded in the VPN installer has been rewritten from .NET to Golang; the dropper is responsible for installing and executing SparkRAT, the component that runs commands issued remotely by the attacker, gathers information, and tampers with files and processes. The second feature unique to this campaign is the use of SparkRAT to download and install MeshAgent, an open-source management tool that provides remote desktop capabilities.

New Info Stealer Bandit Stealer Targets Browsers, Wallets:

Trend Micro released a report on a new information stealer named Bandit Stealer, written in Golang, which targets Windows machines but could be ported to other platforms. The malware attempts privilege escalation using the built-in runas.exe, which runs programs under a different user's privileges. It also checks for sandbox environments and adjusts its behaviour to avoid detection. Its goal is to collect system and hardware information from the victim machine, Telegram sessions and cryptocurrency-related browser data.

Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII:

SentinelOne researchers have showcased a campaign called Operation Magalenha, run by a Brazilian threat group specialising in credential theft with two variants of a backdoor referred to as PeepingTitle. These backdoors, written in Delphi, share a trait with the Maxtrilha malware family, specifically the key used for encryption. The attacks start with an obfuscated VB script that harvests citizens' government-issued credentials while also downloading the PeepingTitle backdoor. The group has since moved its C2 infrastructure to Timeweb, a Russian cloud provider with more lenient abuse policies.

People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection:

CISA warns of a Chinese state-sponsored actor, Volt Typhoon, that targets networks in US critical infrastructure sectors and may be targeting similar sectors worldwide. The actor's primary technique is "living off the land": using built-in network administration tools to carry out its objectives, blending in with normal system activity and limiting how much of that activity is captured by default logging configurations. The advisory, co-authored by the NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ and NCSC-UK, offers guidance and best practices for detecting this activity.
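Living off the land defeats signature-based detection by design, so both the Microsoft write-up above and this advisory push defenders toward command-line logging and rules that key on how built-in tools are invoked. The following is an added example that is not part of the advisory or of Microsoft's report: it runs three such rules over constructed process-creation records laid out like Windows event 4688 fields. The command patterns (an ntdsutil "ifm" full dump, a netsh portproxy forwarder, and a wmic disk-enumeration query) are an assumption chosen to illustrate the tradecraft, not a verbatim copy of the advisory's indicators, and the host, user and command-line values are made up.

```python
import re

# Constructed process-creation events in a Windows 4688-like shape (not real
# logs). The field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"host": "dc01", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\pro" q q'},
    {"host": "web01", "user": "CORP\\admin",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "netsh interface portproxy add v4tov4 listenport=9999 "
                "listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.0.5"},
    {"host": "ws07", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"},
    {"host": "ws07", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "dc01", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

# Detection rules keyed on *how* a built-in tool is used, not on the binary
# itself (netsh and wmic are legitimate; netsh creating a portproxy listener
# or wmic enumerating disks from a user shell is not routine). The patterns
# are assumptions for this example. Each tuple: (rule name, severity, regex).
RULES = [
    ("ntdsutil_ifm_dump", "high",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I)),
    ("netsh_portproxy_add", "high",
     re.compile(r"\bnetsh(\.exe)?\b.*\bportproxy\b.*\badd\b", re.I)),
    ("wmic_logicaldisk_recon", "medium",
     re.compile(r"\bwmic(\.exe)?\b.*\bwin32_logicaldisk\b", re.I)),
]


def match_rules(cmdline):
    """Return the names of every rule whose pattern matches this command line."""
    return [name for name, _severity, pattern in RULES if pattern.search(cmdline)]


def scan_events(events):
    """Return one finding per (event, matched rule), preserving event order."""
    findings = []
    for ev in events:
        for name, severity, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"rule": name, "severity": severity,
                                 "host": ev["host"], "user": ev["user"],
                                 "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return findings


def findings_by_host(findings):
    """Group matched rule names per host. LOTL activity is rarely one command;
    a host that trips several of these rare admin commands deserves a look."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f["rule"])
    return by_host


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['rule']}: {f['cmdline']}")
```

The rules only work if command-line auditing is actually on: event 4688 does not record the command line unless "Include command line in process creation events" is enabled through policy, which is exactly the default-logging gap the advisory describes. A benign `netsh advfirewall show` on the same domain controller is deliberately left unflagged, since firing on the tool name alone would bury the real hits.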

FlowCloud malware infection via USB Flash Drive:

NTT Security reports an increase in attacks against Japanese organisations via USB flash drives by groups such as Mustang Panda, KillSomeOne and TA410. Since early 2022 its SOC has identified FlowCloud infections in multiple organisations; FlowCloud is malware associated with TA410, a group active since around 2019, and its use in these recent attacks points to the involvement of the TA410 subgroup known as FlowingFrog. The infections originate from USB flash drives, a vector these groups frequently use against Japanese companies.

“AhnLab Security Emergency response Center (ASEC) has published a report on phishing email threats that occurred between May 14th, 2023 and May 20th, 2023. That week, the phishing emails were mostly delivered with archive files (63%). The report highlights that FakePage is the most common threat type, with 27%, followed by infostealers (25%), downloaders (21%), trojans (21%), exploits (4%), backdoors (2%), and worms (1%).”


