Anomali Cyber Watch: Conti Ransomware Attack, Iran-Sponsored APTs, New Android RAT, Russia-Sponsored Gamaredon, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Data breach, RATs, SEO poisoning, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
New CapraRAT Android Malware Targets Indian Government and Military Personnel
(published: February 7, 2022)
Trend Micro researchers have discovered a new remote access trojan (RAT), dubbed CapraRAT, that targets Android systems. CapraRAT is attributed to the advanced persistent threat (APT) group APT36 (Earth Karkaddan, Mythic Leopard, Transparent Tribe), believed to be a Pakistan-based group that has been active since at least 2016. The Android-targeting CapraRAT shares similarities (capabilities, commands, and function names) with the Windows-targeting Crimson RAT, and researchers note that it may be a modified version of the open-source AndroRAT. The delivery method of CapraRAT is unknown; however, APT36 is known to use spearphishing emails with attachments or links. Once CapraRAT is installed and executed, it attempts to reach a command and control server and then begins stealing various data from the infected device.
Analyst Comment: Android users should obtain software only from the Google Play Store and avoid installing software from unverified sources, because it is easier for malicious applications to get into third-party stores. Applications that ask for permissions outside of their normal functionality should be treated with suspicion, and the expected functionality of an application should be reviewed carefully prior to installation. Antivirus applications, if available, should be installed on devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Software Deployment Tools – T1072
Tags: APT36, Earth Karkaddan, Mythic Leopard, Transparent Tribe, Android, CapraRAT
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
(published: February 3, 2022)
The Russia-sponsored cyberespionage group Primitive Bear (Gamaredon) has continued updating its toolset, according to Unit 42 researchers. The group continues to rely on its primary tactic of spearphishing emails with attachments that leverage remote templates and template injection, with a focus on Ukraine. These email attachments are usually Microsoft Word documents that use a remote template to fetch VBScript, execute it to establish persistence, and wait for the group's instructions via a command and control server. Unit 42 researchers have analyzed the group's activity and infrastructure dating back to 2018 and up to the current border tensions between Russia and Ukraine. The infrastructure behind the campaigns is robust, with clusters of domains that are rotated and parked on different IPs, often on a daily basis.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes a target company's email account is compromised and used to send such emails. Education is the best defense: inform your employees what to expect in information requests from their managers and colleagues. Employees should also know whom to contact when they suspect they are the target of a possible spearphishing attack.
MITRE ATT&CK: [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Template Injection – T1221 | [MITRE ATT&CK] User Execution – T1204
Tags: Primitive Bear, Gamaredon, Cyberespionage, Russia
New Malware Used by SolarWinds Attackers Went Undetected for Years
(published: February 2, 2022)
CrowdStrike researchers have attributed new malware, in use since at least mid-2019, to the group responsible for the SolarWinds breach, Cozy Bear (APT29, Nobelium, UNC2452). Cozy Bear is attributed to Russia's Foreign Intelligence Service (SVR). The newly identified malware consists of a Linux version of GoldMax and a new Windows implant dubbed TrailBlazer. Cozy Bear's activity since SolarWinds, tracked as the StellarParticle campaign, continues to incorporate new tools into the group's arsenal in support of its cyberespionage efforts. The group abuses and masquerades as legitimate Microsoft Office 365 software, steals browser cookies to bypass MFA and move laterally, and uses TrailBlazer to disguise its traffic as Google Notification HTTP requests.
Analyst Comment: Cyberespionage actors are often state-sponsored and well-funded. In this instance, Cozy Bear continues to demonstrate the lengths it will go to in order to hide its activity. Masquerading as legitimate tools to blend in with normal activity and traffic is a common tactic employed by information-motivated threat actors, and these techniques can be difficult to detect when used as intended. Maintaining an accurate asset inventory and knowing your attack surface are key to a more resilient cybersecurity posture.
MITRE ATT&CK: [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Account Manipulation – T1098 | [MITRE ATT&CK] Data from Information Repositories – T1213 | [MITRE ATT&CK] Use Alternate Authentication Material – T1550 | [MITRE ATT&CK] Permission Groups Discovery – T1069 | [MITRE ATT&CK] Domain Trust Discovery – T1482 | [MITRE ATT&CK] Account Discovery – T1087 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Event Triggered Execution – T1546 | [MITRE ATT&CK] Remote Services – T1021 | [MITRE ATT&CK] Steal Web Session Cookie – T1539 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] OS Credential Dumping – T1003
Tags: Cozy Bear, APT29, Nobelium, UNC2452, GoldMax, TrailBlazer
KP Snacks Giant Hit by Conti Ransomware, Deliveries Disrupted
(published: February 2, 2022)
The England-based snack producer Kenyon Produce (KP) Snacks was infected with the Conti ransomware on January 28, 2022, which caused disruptions to deliveries to grocery stores. In addition, BleepingComputer sources say that the threat actors breached KP Snacks' internal networks and stole sensitive data; however, this could not be confirmed at the time of writing. Conti is a ransomware-as-a-service (RaaS) operated by the Wizard Spider threat group, which also distributes other commodity malware such as BazarLoader and Trickbot.
Analyst Comment: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. In the unfortunate case that a restorable backup is not available, check whether a decryptor exists before considering payment; payment should be avoided wherever possible. Ransomware incidents should be reported to law enforcement agencies, who are working to track these actors and prevent ransom from being a profitable business for threat actors.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Ransomware, Conti, Wizard Spider, Food Industry, Supply Chain
Zoom For You – SEO Poisoning to Distribute BatLoader and Atera Agent
(published: February 1, 2022)
Threat actors have been observed distributing commodity malware masquerading as legitimate tools like TeamViewer, Visual Studio, and Zoom through search engine optimization poisoning. The trojanized software contains the BatLoader malware and the legitimate software. BatLoader is then used to download other payloads like Atera Agent, Cobalt Strike Beacon, and Ursnif.
Analyst Comment: Legitimate tools are increasingly used by threat actors, especially advanced threat actors, because they allow the attacker to remain undetected. Organizations would be better protected by restricting access to these tools to a select few employees, or by investing in technology that detects anomalous and unusual behavior on the endpoint.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets – T1558 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] Remote Access Tools – T1219
Tags: SEO Poisoning, BatLoader, Atera Agent, Cobalt Strike Beacon, Ursnif
Sneaky Spies and Backdoor RATs | SysJoker and DazzleSpy Malware Target macOS
(published: February 1, 2022)
SentinelOne researchers have published additional details and IOCs for the macOS-targeting malware DazzleSpy and SysJoker. Both malware families were discovered in January 2022. ESET researchers found DazzleSpy targeting Hong Kong pro-democracy activists via watering hole attacks. DazzleSpy uses a combination of public and private frameworks and is capable of dumping keychains, executing shell commands, writing files, running a remote desktop session, and stealing environment variables. Intezer researchers discovered SysJoker, which can target Linux, macOS, and Windows operating systems, on a server belonging to an unnamed educational institution. SysJoker will abort itself if the '/Users/root/Library/SystemNetwork' path does not exist. This is interesting because, as the researchers note, the root user's home directory is usually '/var/root', not '/Users/root'.
Analyst Comment: Ensure that your company monitors network traffic for potentially unusual connections. New malware can be difficult to detect if antivirus companies do not yet have signatures, however, suspicious connections or machine activity from a work system can be triaged for possible malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Create or Modify System Process – T1543 | [MITRE ATT&CK] Modify Registry – T1112
Tags: macOS, OSX.SysJoker, OSX.DazzleSpy
PowerLess Trojan Iranian APT Phosphorus Adds New PowerShell Backdoor
(published: February 1, 2022)
Cybereason researchers analyzed a sample communicating with an IP address previously attributed to the Iran-sponsored cyberespionage group Phosphorus (APT35, Charming Kitten). Researchers found a new PowerShell backdoor, dubbed PowerLess Backdoor, attributed to Phosphorus. PowerLess communicates with its C2 over encrypted channels and can download and execute files, execute arbitrary commands, log keystrokes, kill processes, and steal browser data.
Analyst Comment: Information-motivated threat actors will go to great lengths to disguise and hide their activity. Backdoors deployed in cyberespionage campaigns will often remain dormant for some time before conducting malicious activity, and then proceed to steal large amounts of data at a chosen time. Employ cybersecurity frameworks, such as NIST, to have guidelines in place to assist with infrastructure management, patch maintenance, and segregation policies.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Archive Collected Data – T1560 | [MITRE ATT&CK] Audio Capture – T1123 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Server Software Component – T1505 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Account Discovery – T1087
Tags: Charming Kitten, Phosphorus, PowerLess trojan
Iranian APT MuddyWater Targets Turkish Users via Malicious PDFs, Executables
(published: February 1, 2022)
The Iranian advanced persistent threat (APT) group MuddyWater (Static Kitten) has been attributed to a campaign targeting Turkish governmental entities with malicious PDF and XLS files and Windows executables, according to Cisco Talos researchers. MuddyWater was attributed to Iran's Ministry of Intelligence and Security by US Cyber Command in mid-January 2022. In this campaign, the group delivers tailored PDF, XLS, and .exe files in an attempt to infect users with PowerShell-based downloaders. The maldocs contain malicious macros that create registry keys for persistence and call out to canarytokens[.]com via HTTP requests to track infected users. The final payload for this campaign was not identified.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best defense against APTs, with a focus on both network and host-based security. Prevention and detection capabilities should both be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
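Both the Gamaredon story above (Word documents that pull a remote template) and this MuddyWater campaign (maldocs carrying macros) can be triaged statically before a document is ever opened, because an OOXML file is just a zip archive whose parts can be inspected. The following Python script is an added example written for this page; it is not code from Anomali, Unit 42, or Cisco Talos. It flags two indicators: an attachedTemplate relationship with TargetMode="External" (the remote-template technique) and the presence of a vbaProject.bin part (an embedded VBA project). The sample document it builds is constructed inline, and the template URL in it is a placeholder, not a real indicator from either campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

# Relationship type Word uses to point a document at its template. When the
# target is external (a URL), Word fetches it on open: the remote-template trick.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Parts whose presence means the file carries a VBA project (Word or Excel).
MACRO_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin"}


def triage_office_file(data: bytes) -> dict:
    """Inspect an OOXML byte blob (docx/dotm/xlsm/...) without opening it in Office.

    Returns a dict with:
      remote_templates: external attachedTemplate targets found in any .rels part
      has_macros:       True if a vbaProject.bin part is present
      suspicious:       True if either indicator fired
    """
    result = {"remote_templates": [], "has_macros": False, "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not an OOXML container (RTF, OLE2, PDF): out of scope for this check.
        return result

    names = set(zf.namelist())
    result["has_macros"] = bool(names & MACRO_PARTS)

    # Walk every relationship part; the template relationship normally lives in
    # word/_rels/settings.xml.rels, but scanning all .rels costs nothing extra.
    for name in names:
        if not name.endswith(".rels"):
            continue
        try:
            root = ET.fromstring(zf.read(name))
        except ET.ParseError:
            continue
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                result["remote_templates"].append(rel.get("Target", ""))

    result["suspicious"] = result["has_macros"] or bool(result["remote_templates"])
    return result


def build_sample_docx(template_url: Optional[str], with_macro: bool) -> bytes:
    """Construct a minimal docx-shaped zip for demonstration (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        rels = [f'<Relationships xmlns="{RELS_NS}">']
        if template_url:
            rels.append(
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_url}" TargetMode="External"/>'
            )
        rels.append("</Relationships>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: an assumption for the demo, not an indicator from the page.
    sample = build_sample_docx("http://example.invalid/template.dotm", with_macro=False)
    print(triage_office_file(sample))
```

The external-relationship check here is limited to the attachedTemplate type; other relationship types can also carry external targets (for example OLE objects), so a production triage tool should treat any TargetMode="External" relationship as worth a look. The vbaProject.bin check says only that a VBA project exists, not that it is malicious; a hit should be followed by extracting and reading the macro source.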
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Application Layer Protocol – T1071
Tags: APT, cyberespionage, MuddyWater, Static Kitten