Anomali Cyber Watch: Emotet Added Two New Modules, LofyGang Distributed 200 Malicious Packages, Bumblebee Loader Expanded Its Reach, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Brazil, China, Data loss, Infostealers, and Loaders. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
VMware Report Exposes Emotet Malware’s Supply Chain
(published: October 10, 2022)
VMware researchers analyzed the evolution of the Emotet malware-as-a-service operation and its command-and-control (C2) infrastructure. In June 2022, Emotet added two new modules: one that steals credit card information from the Google Chrome browser, and one that uses the SMB protocol to spread laterally. Emotet's main component is a DLL that stores a heavily obfuscated list of C2 IP:port pairs. More than half of the ports in the counted pairs were 8080, which Emotet uses as a proxy port on compromised legitimate servers that relay traffic to the real C2 servers.
Analyst Comment: Network defenders should strengthen email security and implement network segmentation wherever possible. Despite its continuous evolution, Emotet botnets can reuse previously identified infrastructure, so blocking the known network-based indicators available via the Anomali platform remains worthwhile.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Signed Script Proxy Execution – T1216 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Email Collection – T1114
Tags: mitre-software:Emotet, mitre-group:Wizard Spider, SMB, Proxy, Botnet, Malware-as-a-service, Windows
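The SMB spreading module described in the Emotet item above shows up on the network as one host opening SMB sessions to many peers in a short time. The following detection, written for this digest as an added example (it is not VMware's or Anomali's code), flags sources that reach a threshold of distinct hosts on TCP/445 inside a sliding time window. The flow records are constructed for the demonstration; the threshold and window are assumptions to be tuned per environment, and known scanners, backup servers and management hosts should be excluded before alerting.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed NetFlow-style records (timestamp, src, dst, dst_port); not real telemetry.
BASE = datetime(2022, 6, 14, 9, 0, 0)

def _t(minutes=0, seconds=0):
    return (BASE + timedelta(minutes=minutes, seconds=seconds)).isoformat()

SAMPLE_FLOWS = (
    # Infected workstation reaching 12 distinct hosts on 445 within two minutes (lateral spread).
    [(_t(seconds=10 * i), "10.0.1.25", f"10.0.1.{30 + i}", 445) for i in range(12)]
    # Normal client talking to three file servers.
    + [(_t(seconds=30 * i), "10.0.2.7", f"10.0.0.{10 + i}", 445) for i in range(3)]
    # Slow activity: 12 hosts, but one every 20 minutes, so never many inside one window.
    + [(_t(minutes=20 * i), "10.0.3.9", f"10.0.1.{30 + i}", 445) for i in range(12)]
    # Unrelated HTTPS traffic that the SMB filter must ignore.
    + [(_t(minutes=1), "10.0.1.25", "93.184.216.34", 443)]
)

def smb_fanout(flows, threshold=10, window_seconds=300, port=445):
    """Return {src: details} for sources that contacted at least `threshold` distinct
    hosts on `port` inside any sliding window of `window_seconds`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port and src != dst:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # dst -> number of flows currently inside the window
        left = 0
        for t, dst in events:
            in_window[dst] += 1
            # Drop flows that fell out of the window on the left side.
            while t - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                hits[src] = {
                    "distinct_targets": len(in_window),
                    "window_start": events[left][0].isoformat(),
                    "window_end": t.isoformat(),
                }
                break   # first qualifying window is enough to raise the alert
    return hits

if __name__ == "__main__":
    for src, info in smb_fanout(SAMPLE_FLOWS).items():
        print(src, info)
```

With the constructed data only 10.0.1.25 is reported; the slow source 10.0.3.9 touches the same number of hosts but never ten of them inside five minutes. Raising `window_seconds` to an hour and lowering the threshold would catch it too, at the cost of more noise from legitimate administration.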
LofyGang Hackers Built a Credential-Stealing Enterprise on Discord, NPM
(published: October 7, 2022)
Checkmarx Security researchers described a financially motivated threat group dubbed LofyGang (Lofy). The group steals credentials and credit card data by distributing approximately 200 malicious packages and fake hacking tools on code-hosting platforms such as NPM and GitHub. LofyGang uses package-name typosquatting and starjacking, a technique that displays fake popularity statistics by pointing a package's metadata at an unrelated, popular GitHub repository. The first-stage LofyGang package typically has no malicious behavior of its own beyond fetching the second-stage malicious package. For command-and-control communication the group often abuses legitimate services such as Discord, GitHub, Glitch, Heroku, and Repl.it.
Analyst Comment: Developers should be aware of the growing abuse of the open-source ecosystem to spread malicious code: watch for typos in package names and verify the legitimacy of a package before installing it. Developers should also adhere to the development practices and standards of their employer and customers. The Anomali platform helps block known LofyGang network indicators.
MITRE ATT&CK: [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140
Tags: actor:LofyGang, actor:Lofy, actor:PolarLofy, actor:Polar Lofy, actor:dyPolarLofy, NPM, GitHub, Discord, Trojanized app, Credit card theft, malware-type:Stealer, Brazil, source-country:BR, Software supply chain, Typosquatting, Starjacking, Anti-deobfuscation
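The three LofyGang tricks above (a name one or two keystrokes from a popular package, a repository link borrowed from a popular project, and a first stage that only fetches the second stage at install time) can all be screened from a package's `package.json` before it is installed. The audit below is an added example written for this digest, not Checkmarx's tooling or anything from the LofyGang packages. The popular-name list, the package name `colorss` and the repository `someorg/colors.js` are constructed for the demonstration; a real check would load the registry's most-downloaded names.

```python
import json
import re
from urllib.parse import urlparse

# Constructed "popular names" list for the demonstration; a real check would load
# the registry's most-downloaded package names.
POPULAR = ["lodash", "colors", "discord.js", "axios", "express", "chalk"]
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def levenshtein(a, b):
    """Edit distance; a small value against a popular name suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def repo_slug(repository):
    """Return 'owner/name' from a package.json repository field, or None."""
    if isinstance(repository, dict):
        repository = repository.get("url", "")
    if not isinstance(repository, str) or not repository:
        return None
    # Accept "git+https://...", "github:owner/name", "owner/name" and plain URLs.
    repository = re.sub(r"^(git\+|github:)", "", repository)
    path = urlparse(repository).path if "://" in repository else repository
    path = path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    parts = [p for p in path.split("/") if p]
    return "/".join(parts[-2:]) if len(parts) >= 2 else None

def _norm(name):
    # Legitimate differences between package and repo names: scope, "node-" prefix, ".js"/"-js" suffix.
    name = name.split("/")[-1].lower()
    return re.sub(r"^node-|[-.]js$", "", name)

def audit_package(pkg, popular=POPULAR, max_distance=2):
    """Return a list of human-readable findings for one parsed package.json."""
    findings = []
    name = pkg.get("name", "")
    # Typosquat: close to, but not identical with, a popular name.
    for p in popular:
        d = levenshtein(name, p)
        if 0 < d <= max_distance:
            findings.append(f"typosquat-candidate: '{name}' is {d} edit(s) from '{p}'")
    # Starjack: the linked repository belongs to a differently named project.
    slug = repo_slug(pkg.get("repository"))
    if slug and _norm(slug) != _norm(name):
        findings.append(f"starjack-candidate: repository '{slug}' does not match package name '{name}'")
    # Install-time code execution: the usual place a first stage fetches a second stage.
    for hook in LIFECYCLE_HOOKS:
        cmd = (pkg.get("scripts") or {}).get(hook)
        if cmd:
            findings.append(f"lifecycle-hook: {hook} runs '{cmd}'")
    return findings

# Constructed package.json for the demonstration (hypothetical package name and repository).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "colorss",
    "version": "1.0.3",
    "repository": {"type": "git", "url": "git+https://github.com/someorg/colors.js.git"},
    "scripts": {"postinstall": "node ./lib/setup.js"},
})

if __name__ == "__main__":
    for finding in audit_package(json.loads(SAMPLE_PACKAGE_JSON)):
        print(finding)
```

None of the three findings is a verdict on its own: many legitimate packages have install hooks or a repository named differently from the package. Together they are the signal to open the package and read what the hook actually runs before `npm install` does it for you.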
Destructive Fake Ransomware Wiping Out System Drives
(published: October 6, 2022)
Cyble researchers discovered a new campaign that targets visitors of adult-themed sites with fake ransomware. The actors prompt the targeted user to open a downloaded file that carries the double extension .JPG.EXE. It drops four malicious payloads that achieve persistence via the Startup folder. They rename files of certain types to the extension .LOCKED_FILLE, drop a ransom note, and attempt to delete every drive except the C: drive.
Analyst Comment: Because this fake ransomware/wiper campaign is run by a novice actor, it may be possible to restore Windows to its previous state. Malware written by novices often reveals its presence through visible error messages. This operation shows that paying a ransom can be neither helpful nor necessary.
MITRE ATT&CK: [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Software Packing – T1045 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Fake ransomware, malware-type:Wiper, .JPG.EXE, Startup folder, target-sector:Internet Entertainment 516210
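The campaign above leaves three host-level traces that are cheap to check in file-activity telemetry: an executable hiding behind a second, image-like extension, a new file written to the per-user Startup folder, and a burst of renames to the .LOCKED_FILLE extension. The triage routine below is an added example written for this digest (not Cyble's code), run over constructed file events; the user name, paths and rename threshold are assumptions for the demonstration.

```python
import re

# Image/document extension followed by an executable one, e.g. "preview.JPG.EXE".
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|xlsx?|txt)\.(exe|scr|com|pif|bat|cmd|vbs|js|ps1)$", re.I)
# Per-user Startup folder under %APPDATA%.
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Extension reported for this campaign.
RANSOM_EXT = ".LOCKED_FILLE"

def triage_file_events(events, rename_threshold=20):
    """events: (action, path) or (action, old_path, new_path) tuples; returns (kind, detail) findings."""
    findings = []
    seen = set()
    renamed = 0
    for ev in events:
        action, path = ev[0].lower(), ev[-1]
        if DOUBLE_EXT.search(path) and ("double-extension-executable", path) not in seen:
            seen.add(("double-extension-executable", path))
            findings.append(("double-extension-executable", path))
        if action in ("create", "write") and STARTUP_DIR.search(path) \
                and ("startup-folder-persistence", path) not in seen:
            seen.add(("startup-folder-persistence", path))
            findings.append(("startup-folder-persistence", path))
        if action == "rename" and path.lower().endswith(RANSOM_EXT.lower()):
            renamed += 1
    if renamed >= rename_threshold:
        findings.append(("mass-rename", f"{renamed} files renamed to {RANSOM_EXT}"))
    return findings

# Constructed file events for the demonstration; not data from the Cyble report.
SAMPLE_EVENTS = (
    [("create", r"C:\Users\alice\Downloads\preview.JPG.EXE"),
     ("execute", r"C:\Users\alice\Downloads\preview.JPG.EXE"),
     ("create", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe")]
    + [("rename", rf"C:\Users\alice\Documents\report{i}.docx",
        rf"C:\Users\alice\Documents\report{i}.docx.LOCKED_FILLE") for i in range(25)]
    + [("create", r"C:\Users\alice\Pictures\holiday.jpg")]
)

if __name__ == "__main__":
    for kind, detail in triage_file_events(SAMPLE_EVENTS):
        print(kind, detail)
```

The rename counter is the part worth tuning: the first two checks fire on a single event, whereas a rename burst only becomes meaningful above a per-host baseline, and a novice wiper like this one will usually have renamed dozens of files before any ransom note appears.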
Malware Analysis Report: CovalentStealer
(published: October 4, 2022)
The US Cybersecurity and Infrastructure Security Agency (CISA) published details of the CovalentStealer malware's objectives and host-based artifacts. CovalentStealer identifies file shares on a system, categorizes the files, and uploads them to an attacker-controlled Microsoft OneDrive folder. The malware was built from the code of several open-source projects, including ClientUploader. The studied infection chains also abused two open-source utilities: the Roshal Archive (RAR) tool and a PowerShell script that extracts the Master File Table (MFT) from a system volume. CovalentStealer was identified as part of advanced persistent threat activity targeting an organization in the defense industrial base sector.
Analyst Comment: Network defenders should monitor for anomalous command-line use and investigate suspicious PowerShell activity. Keep Windows machines and antivirus software up to date.
MITRE ATT&CK: [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Archive Collected Data – T1560 | [MITRE ATT&CK] Data from Network Shared Drive – T1039 | [MITRE ATT&CK] Exfiltration Over Web Service – T1567
Tags: detection:CovalentStealer, detection:ClientUploader, malware-type:Infostealer, Data exfiltration, RAR, PowerShell, MFT, APT, target-industry:Defense industrial base, Microsoft OneDrive, Windows
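The analyst comment above asks for command-line monitoring; the item itself names what to look for: an archiver staging data, a PowerShell script reading the MFT from a raw volume, and PowerShell launched in the non-interactive, encoded style that loaders favor. The rule set below is an added example written for this digest, not CISA's or Anomali's detection content. It runs over constructed process-creation records in a simple tab-separated format; the log layout, user names, paths and the three-rule threshold are assumptions for the demonstration.

```python
import re

# Each rule: (name, pattern applied to the process command line).
RULES = [
    ("powershell-encoded-command",
     re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("powershell-hidden-or-noprofile",
     re.compile(r"powershell(\.exe)?\b.*(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni(nteractive)?\b)", re.I)),
    ("raw-volume-or-mft-access",            # \\.\C: device paths or a literal $MFT reference
     re.compile(r"\\\\\.\\[A-Za-z]:|\$MFT\b", re.I)),
    ("rar-archive-creation",                # "rar a ..." adds files to an archive
     re.compile(r"\b(rar|winrar)(\.exe)?\s+a\b", re.I)),
    ("rar-password-protected-archive",      # -p<pwd> or -hp<pwd> (header encryption)
     re.compile(r"\b(rar|winrar)(\.exe)?\s+a\b.*\s-h?p\S+", re.I)),
]

def scan_process_log(text):
    """Parse lines 'timestamp<TAB>user<TAB>image<TAB>command line' and return
    (rule, timestamp, user, command_line) for every rule a command line matches."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _image, cmdline = line.split("\t", 3)
        for rule, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((rule, ts, user, cmdline))
    return hits

def users_with_chain(hits, min_rules=3):
    """Users whose activity matched at least `min_rules` distinct rules:
    collection, staging and tooling seen together rather than one noisy match."""
    per_user = {}
    for rule, _ts, user, _cmd in hits:
        per_user.setdefault(user, set()).add(rule)
    return {u: len(r) for u, r in per_user.items() if len(r) >= min_rules}

# Constructed process-creation records for the demonstration; not real telemetry.
SAMPLE_LOG = "\n".join([
    "2022-09-01T10:02:11\tCORP\\jdoe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "2022-09-01T10:03:40\tCORP\\jdoe\tC:\\Users\\jdoe\\AppData\\Local\\Temp\\rar.exe\t"
    "rar.exe a -hpS3cret -r C:\\Users\\jdoe\\AppData\\Local\\Temp\\out.rar \\\\fs01\\finance\\",
    "2022-09-01T10:05:02\tCORP\\jdoe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\jdoe\\AppData\\Local\\Temp\\Get-MFT.ps1 -Volume \\\\.\\C:",
    "2022-09-01T10:06:15\tCORP\\jdoe\tC:\\Windows\\System32\\notepad.exe\t"
    "notepad.exe C:\\Users\\jdoe\\notes.txt",
    "2022-09-01T10:07:30\tCORP\\svc_backup\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -File C:\\Scripts\\rotate-logs.ps1",
])

if __name__ == "__main__":
    hits = scan_process_log(SAMPLE_LOG)
    for hit in hits:
        print(hit[0], hit[1], hit[2])
    print(users_with_chain(hits))
```

Each rule alone is noisy (administrators run encoded PowerShell and create RAR archives), which is why the second function only raises a user once several distinct behaviors co-occur; the backup service account in the sample stays clean because its PowerShell use matches nothing.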
OnionPoison: Infected Tor Browser Installer Distributed Through Popular YouTube Channel
(published: October 4, 2022)
Kaspersky researchers detected a campaign targeting Chinese users with a trojanized version of Tor Browser. Malicious download links were posted on a popular Chinese-language YouTube channel alongside a link to the official Tor Browser website, which is blocked in China. The campaign, dubbed OnionPoison, keeps the basic appearance and functionality of Tor Browser but changes its settings to be less secure: it enables form autofill, browsing history, caching, and the storage of extra session data for websites. The attackers do not automatically collect user passwords, but they collect data that identifies the victims, such as social networking account IDs and other artifacts.
Analyst Comment: If downloading software from the official website is not an option, verify the authenticity of installers obtained from third-party sources by checking their digital signatures. The malicious installer observed in the OnionPoison campaign carries no digital signature. An absent signature is a strong warning sign, and a present one must still be validated against the expected publisher.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] System Information Discovery – T1082
Tags: detection:OnionPoison, TOR, China, target-country:CN, file-type:EXE, file-type:DLL, PowerShell, Windows
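The analyst comment above recommends checking an installer's digital signature. On Windows the Authenticode signature of a PE file lives in the Certificate Table (data directory entry 4 of the optional header), so the first, platform-independent check is whether that entry is populated at all. The parser below is an added example written for this digest, not Kaspersky's analysis code. It builds a constructed, non-executable PE32+ skeleton with and without a certificate entry to exercise the check; the header layout it reads is the standard PE format, while the offsets and sizes of the constructed sample are assumptions for the demonstration.

```python
import struct

def embedded_signature(pe_bytes):
    """Return details of the PE Certificate Table (data directory entry 4), or None.
    A non-empty entry means an Authenticode blob is embedded; it does NOT prove the
    signature is valid or that it was issued to the publisher you expect."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE signature and COFF header
    magic = struct.unpack_from("<H", pe_bytes, opt)[0]
    if magic == 0x10B:                           # PE32
        n_rva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                         # PE32+
        n_rva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe_bytes, n_rva_off)[0]
    if n_dirs <= 4:
        return None
    # Entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY; unlike other entries it holds a file offset.
    cert_off, cert_size = struct.unpack_from("<II", pe_bytes, dd_off + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return None
    if cert_off + cert_size > len(pe_bytes) or cert_size < 8:
        raise ValueError("certificate table points outside the file")
    # WIN_CERTIFICATE header: dwLength, wRevision, wCertificateType (2 = PKCS#7 SignedData).
    length, revision, cert_type = struct.unpack_from("<IHH", pe_bytes, cert_off)
    return {"offset": cert_off, "size": cert_size, "length": length,
            "revision": revision, "cert_type": cert_type}

def build_minimal_pe(signed):
    """Constructed, non-executable PE32+ skeleton (no sections, no code) for the demonstration."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    cert_off, cert_size = (0x200, 16) if signed else (0, 0)
    opt = bytearray(240)                                                 # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 4 * 8, cert_off, cert_size)       # Certificate Table entry
    image = bytearray(dos + coff + bytes(opt))
    if signed:
        image += b"\0" * (cert_off - len(image))
        image += struct.pack("<IHH", cert_size, 0x0200, 0x0002) + b"\0" * (cert_size - 8)
    return bytes(image)

if __name__ == "__main__":
    print("signed skeleton:", embedded_signature(build_minimal_pe(True)))
    print("unsigned skeleton:", embedded_signature(build_minimal_pe(False)))
```

A `None` result is the OnionPoison case and should end the installation. A populated entry is only the start: verify the chain and signer with `Get-AuthenticodeSignature` on Windows or `osslsigncode verify` elsewhere, and confirm the subject is the publisher you expect, since an attacker can sign an installer with any certificate they control.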
Bumblebee: Increasing Its Capacity and Evolving Its TTPs
(published: October 3, 2022)
Check Point researchers analyzed various samples and infrastructure of the Bumblebee loader. First seen in March 2022, the loader has evolved constantly. In July 2022 it expanded its reach by removing the limitation of infecting only a single victim per public IP address. The most common infection chain embeds the packed Bumblebee DLL directly inside an ISO file. Bumblebee uses its own packer both for the loader itself and for some of the payloads it deploys. If the target is joined to an Active Directory domain, the loader downloads and injects an advanced post-exploitation framework (Cobalt Strike, Sliver, or Meterpreter); otherwise it downloads and executes a common stealer (such as Vidar Stealer) or a banking trojan.
Analyst Comment: Indicators for several Bumblebee botnets are available in the Anomali platform, and customers are advised to block them on their infrastructure. Detection can be improved with the Bumblebee packer YARA rule published by Check Point. Detect and block post-exploitation framework traffic.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] System Information Discovery – T1082
Tags: detection:Bumblebee, malware-type:Loader, detection:Cobalt Strike, detection:Meterpreter, detection:Sliver, detection:Vidar, malware-type:Infostealer, malware-type:Banking trojan, file-type:ISO, file-type:VHD, file-type:DLL, PowerShell, Al-Khaser project, Bumblebee packer, Windows