Anomali Cyber Watch: Shadow Force Targets Korean Servers, Volt Typhoon Abuses Built-in Tools, CosmicEnergy Tests Electric Distribution Disruption
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DLL Side-Loading, Living off the Land, Operational technology, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shadow Force Group’s Viticdoor and CoinMiner
(published: May 27, 2023)
Shadow Force is a threat that has been targeting South Korean organizations since 2013. It primarily targets Windows servers. Ahnlab researchers analyzed the group’s activity in 2020-2022. Shadow Force activities are relatively easy to detect as the actors tend to reuse the same file names for their malware. At the same time, the group has evolved: after March its files often exceed 10MB due to binary packing. The actors also started introducing various cryptocurrency miners and a new backdoor dubbed Viticdoor.
Analyst Comment: Organizations should keep their servers updated and properly configured with security in mind. An unusually high CPU usage and overheating can be a sign of the malicious resource hijacking for cryptocurrency mining. Network and host-based indicators associated with Shadow Force are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1588.003 – Obtain Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1059.003 – Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1546.008 – Event Triggered Execution: Accessibility Features | [MITRE ATT&CK] T1543.003 – Create or Modify System Process: Windows Service | [MITRE ATT&CK] T1554 – Compromise Client Software Binary | [MITRE ATT&CK] T1078.001 – Valid Accounts: Default Accounts | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1036.001 – Masquerading: Invalid Code Signature | [MITRE ATT&CK] T1553.002 – Subvert Trust Controls: Code Signing | [MITRE ATT&CK] T1036.004 – Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] T1574 – Hijack Execution Flow | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: Lsass Memory | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1087.001 – Account Discovery: Local Account | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1021.002 – Remote Services: Smb/Windows Admin Shares | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1115 – Clipboard Data | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1219 – Remote Access Software | [MITRE ATT&CK] T1571 – Non-Standard Port | [MITRE ATT&CK] T1565.001 – Data Manipulation: Stored Data Manipulation | [MITRE ATT&CK] T1496 – Resource Hijacking
Tags: actor:Shadow Force, malware:Viticdoor, detection:Backdoor/Win.Viticdoor, malware-type:Backdoor, detection:CoinMiner/Win.ShadowForce, malware-type:Miner, target-country:South Korea, target-industry:Government, target-industry:Politics, target-industry:IT, target-industry:Food, target-industry:Outsourcing, file-type:EXE, file-type:DLL, target-system:Windows server, target-system:Windows
COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises
(published: May 25, 2023)
Mandiant researchers have discovered a new malware called COSMICENERGY, specifically designed to target Windows-based operational technology (OT) systems used in electric power distribution. Similar to previously-discovered OT malware INDUSTROYER and INDUSTROYER.V2, COSMICENERGY interacts with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), commonly found in Europe, the Middle East, and Asia. COSMICENERGY has two derivative disruption tools: PIEHOP and LIGHTWORK. PIEHOP is a Python-based disruption tool that connects to a remote MSSQL server to issue commands to an RTU, while LIGHTWORK is a C++ tool that uses the IEC-104 protocol to modify the state of RTUs over TCP, crafting configurable IEC-104 ASDU messages to control the state of RTU Information Object Addresses. The malware has been observed utilizing open-source libraries for OT protocol implementation, including IRONGATE, TRITON, and INCONTROLLER.
Analyst Comment: Although COSMICENERGY has some signs of being a Russian red-team tool under development, threat actors regularly adapt and make use of legitimate tools. Network defenders should monitor logs on critical systems, look for execution of packaged Python scripts and creation of temporary “_MEIPASS” PyInstaller folder. Detect enablement and usage of SQL extended stored procedures for Windows shell command execution. Host-based indicators associated with COSMICENERGY are available in the Anomali platform for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T0807 – Command-Line Interface | [MITRE ATT&CK] T0809 – Data Destruction | [MITRE ATT&CK] T0831 – Manipulation Of Control | [MITRE ATT&CK] T0855 – Unauthorized Command Message | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique — T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1059.006 – Command and Scripting Interpreter: Python | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1070 – Indicator Removal On Host | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1083 – File And Directory Discovery
Signatures: PIEHOP – Yara by Mandiant | LIGHTWORK – YARA by Mandiant.
Tags: malware:COSMICENERGY, malware:PIEHOP, malware:LIGHTWORK, malware-type:Disruption tool, abused:PyInstaller, abused:Python, abused:C++, abused:IRONGATE, abused:TRITON, abused:INCONTROLLER, file-type:EXE, abused:IEC-104, target-system:OT, target-system:Windows
Buhti: New Ransomware Operation Relies on Repurposed Payloads
(published: May 25, 2023)
Buhti (Blacktail) is a relatively new ransomware operation targeting Windows and Linux systems with double-extortion attacks. The group is quick to utilize new exploits for initial access, it was seen abusing the vulnerability in PaperCut NG and MF (CVE-2023-27350) and IBM’s Aspera Faspex file-exchange application (CVE-2022-47986). Bihti developed its own custom data exfiltration tool, but for crypters the group utilizes variants of the leaked LockBit and Babuk ransomware families.
Analyst Comment: Keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities. Host-based indicators associated with Buhti campaigns are available in the Anomali platform for ongoing infections and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1005: Data from Local System | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1486: Data Encrypted for Impact
Tags: malware:Buhti, malware:LockBit, malware:Babuk, malware-type:Ransomware, actor:Blacktail, actor:Buhti, malware-type:Exfiltration tool, malware:Cobalt Strike Beacon, malware:Meterpreter, malware:Cobalt Strike, malware:Sliver, abused:AnyDesk, abused:ConnectWise, target-software:PaperCut, vulnerability:CVE-2023-27350, target-software:Aspera Faspex, vulnerability:CVE-2022-47986, target-system:Windows, target-system:Linux
People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection
(published: May 24, 2023)
International cybersecurity authorities (Australia, Canada, New Zealand, the UK, and the US) have issued a joint Cybersecurity Advisory regarding a recently-discovered activity attributed to the China-sponsored Volt Typhoon threat group. The group was targeting Windows-based systems across US critical infrastructure, while hiding behind previously-compromised small office/home office network devices in the geographic area of the target. The group primarily relied on Living off the Land: using built-in network administration tools such as netsh, ntdsutil, PowerShell, and Windows Management Instrumentation Command Line (WMIC). This allows Volt Typhoon to blend their activity while achieving objectives such as collecting information about the storage devices on the local host and exfiltrating password hashes from the main Active Directory database file. The actor has used several hacking tools: the Earthworm tunneling tool, custom Fast Reverse Proxy (FRP) clients, Impacket, Mimikatz, and various remote administration tools.
Analyst Comment: Network defenders should detect suspicious commands and discern from legitimate system administration commands. Activities such as using port proxies are not common for legitimate system administration, and should have a limited use on the need-to basis. Use the available indicators and detection signatures to spot and investigate potentially-suspicious activity.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1047 – Windows Management Instrumentation | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1059.003 – Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1505.003 – Server Software Component: Web Shell | [MITRE ATT&CK] T1546 – Event Triggered Execution | [MITRE ATT&CK] T1070.001 – Indicator Removal on Host: Clear Windows Event Logs | [MITRE ATT&CK] T1003.003 – OS Credential Dumping: Ntds | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1110.003 – Brute Force: Password Spraying | [MITRE ATT&CK] T1003 – Os Credential Dumping | [MITRE ATT&CK] T1555 – Credentials From Password Stores | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1033 – System Owner/User Discovery | [MITRE ATT&CK] T1069.001 – Permission Groups Discovery: Local Groups | [MITRE ATT&CK] T1069.002 – Permission Groups Discovery: Domain Groups | [MITRE ATT&CK] T1016 – System Network Configuration Discovery | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1090.002 – Proxy: External Proxy
Signatures: ShellJSP – YARA | EncryptJSP – YARA | Volt Typhoon’s custom FRP tool – YARA | HACKTOOL_FRPClient – YARA.
Tags: actor:Volt Typhoon, target-country:US, target-sector:Critical infrastructure, source-country:China, technique:Living off the Land, malware:Earthworm, malware:Fast Reverse Proxy, malware:FRP, malware-type:Tunneling, malware:Mimikatz, abused:netsh, abused:ntdsutil, abused:PowerShell, abused:wmic, abused:Impacket, open-port:8080, open-port:8443, open-port:8043, open-port:8000, open-port:10443, target-system:Windows
Lazarus Group Targeting Windows IIS Web Servers
(published: May 23, 2023)
Lazarus Group, a North Korea-sponsored actor group, has been detected targeting Windows Internet Information Services (IIS) web servers. After getting access to a misconfigured or vulnerable IIS server, the threat actor places a DLL side-loading triad (DAT, DLL, and EXE files) via the Windows IIS web server process, w3wp.exe. For the second stage, it side-loads additional malware (diagn.dll) by exploiting the open-source Color Picker Plugin, and decodes an infostealer that performs LSASS memory credential dumping. After acquiring the system credentials, Lazarus Group performed internal reconnaissance before utilizing Remote Desktop Protocol (port 3389) to perform lateral movement into the internal network.
Analyst Comment: Network defenders are advised to monitor abnormal process execution relationships. Host-based indicators associated with the Lazarus Group IIS targeting are available in the Anomali platform for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: Lsass Memory | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information
Tags: mitre-group:Lazarus Group, detection:Trojan/Win.LazarLoader, target-software:IIS Web Server, abused:w3wp.exe, abused:Salsa20, open-port:3389, file-type:DLL, file-type:EXE, file-type:DAT, target-system:Windows
