Anomali Cyber Watch: Cadet Blizzard – New GRU APT, ChamelDoH Hard-to-Detect Linux RAT, Stealthy DoubleFinger Targets Cryptocurrency
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Data leaks, Disruption, Extortion, Masquerading, Remote access trojans, Tunneling, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Anomali Global Security Event Intel – Progress Software Vulnerabilities – MOVEit & DataDirect Connect
(published: June 16, 2023)
Following the discovery of CVE-2023-34362 and its prior exploitation by a Clop ransomware affiliate, several additional vulnerabilities were discovered in MOVEit Transfer (CVE-2023-35036 and CVE-2023-35708) and other Progress Software products (CVE-2023-34363 and CVE-2023-34364). As the group’s darkweb leak site (>_CLOP^_-LEAKS) started addressing compromised entities, the original exploitation event was assessed as a global security event. This is based on the growing list of known breached organizations and the use of MOVEit among thousands of organizations around the world, including public, private, and government sectors.
Analyst Comment: Network defenders should follow the Progress Software Corporation remediation steps that include hardening, detection, clean-up, and installing the recent MOVEit Transfer security patches. YARA rules and host-based indicators associated with the observed MOVEit exploitation are available in the Anomali platform for detection and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1560.001 – Archive Collected Data: Archive Via Utility
Signatures (Sigma Rules): Potential MOVEit Transfer Exploitation | MOVEit exploitation.
(YARA Rules) LEMURLOOT Webshell DLL Payloads – YARA by Mandiant | LEMURLOOT Webshell ASP.NET scripts – YARA by Mandiant | MOVEit Exploitation – YARA by Florian Roth | MOVEit_Transfer_exploit_webshell_aspx | MOVEit_Transfer_exploit_webshell_dll
Tags: target-software:MOVEit Transfer, vulnerability:CVE-2023-34362, vulnerability:CVE-2023-35036, vulnerability:CVE-2023-35708, vulnerability:CVE-2023-34363, vulnerability:CVE-2023-34364, target-country:US, actor:Cl0p, malware:Clop, malware-type:Ransomware, malware:LEMURLOOT, malware-type:Webshell, technique:SQL injection, threat-type:Data leak, threat-type:Extortion, target-country:UK, target-country:Canada, target-system:Windows
Cadet Blizzard Emerges as a Novel and Distinct Russian Threat Actor
(published: June 14, 2023)
Microsoft researchers have identified a new Russia-sponsored group dubbed Cadet Blizzard that has been active since at least 2020. It is attributed to the Russian General Staff Main Intelligence Directorate (GRU) but is separate from the more established and more active GRU-affiliated groups Fancy Bear (APT28, Forest Blizzard) and Sandworm Team (Seashell Blizzard). Cadet Blizzard gains initial access by exploiting public-facing vulnerabilities in Confluence servers, mail servers, web servers, and management systems. The group can follow up with a number of commodity web shells (P0wnyshell, reGeorg, and PAS), tunneling tools (IVPN, NGROK, SurfShark, Teamviewer, and Tor), attack frameworks (Meterpreter), and living-off-the-land binaries (Impacket, PowerShell, and procdump). The group seeks out and exfiltrates collected information, sometimes later exposing it via the fictitious persona Free Civilian (on the web or Telegram). Cadet Blizzard was also involved in disruption and destruction activities, including site defacements and data wiping, as in the January 2022 WhisperGate data-wiper attack against Ukrainian government organizations. Overall, the group has targeted government organizations, law enforcement, non-profit/non-governmental organizations, IT service providers/consulting, and emergency services in Ukraine, Europe, Central Asia, and Latin America.
Analyst Comment: Organizations in NATO member states involved in providing military aid to Ukraine are at greater risk of Cadet Blizzard targeting. Network defenders should monitor and evaluate suspicious activity such as hands-on-keyboard attacks via the Impacket toolkit, suspicious PowerShell command lines, and suspicious WMI process creation. Host-based indicators associated with Cadet Blizzard campaigns are available in the Anomali platform for ongoing infections and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1059.003 – Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1070 – Indicator Removal On Host | [MITRE ATT&CK] T1562: Impair Defenses | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: Lsass Memory | [MITRE ATT&CK] T1003.002 – OS Credential Dumping: Security Account Manager | [MITRE ATT&CK] T1573.002 – Encrypted Channel: Asymmetric Cryptography | [MITRE ATT&CK] T1090.003 – Proxy: Multi-Hop Proxy | [MITRE ATT&CK] T1561 – Disk Wipe
Tags: actor:Cadet Blizzard, source-country:Russia, actor:GRU, actor:DEV-0586, malware:WhisperGate, malware-type:Wiper, actor:Free Civilian, technique:Supply chain compromise, vulnerability:CVE-2021-26084, vulnerability:CVE-2022-41040, vulnerability:ProxyShell, malware:Meterpreter, malware:P0wnyshell, malware:reGeorg, malware:PAS, malware-type:Web shell, target-sector:Governments, target-industry:Police, target-industry:NGO, target-industry:IT, target-industry:Emergency services, target-country:Ukraine, target-region:Europe, target-region:Central Asia, target-region:Latin America, abused:Impacket, abused:PowerShell, abused:procdump, abused:IVPN, abused:NGROK, abused:SurfShark, abused:Teamviewer, abused:Tor, target-system:Windows
Understanding Ransomware Threat Actors: LockBit
(published: June 14, 2023)
LockBit ransomware is a ransomware-as-a-service (RaaS) operation that has been the leading global ransomware threat since 2022. A multi-government security advisory profiled LockBit activity from 2020 to 2023, during which it was used to attack organizations of varying sizes in multiple countries and critical infrastructure sectors, resulting in the successful extortion of approximately $91 million. LockBit has been associated with over 30 MITRE ATT&CK techniques and sub-techniques, a list of 39 freeware and open-source tools, and eight commonly observed vulnerabilities and exposures (CVEs). In 2023 so far, the most prominent LockBit version has been LockBit 3.0 (LockBit Black), although the attackers are starting to use a newer version called LockBit Green and have experimented with encryptors targeting macOS.
Analyst Comment: Organizations should implement a defense-in-depth approach including a regular update policy, network segmentation, and the least-privilege best practice. To lessen the leverage for extortion, do not store personal data that is no longer needed, and keep immutable backups of the data in active use.
MITRE ATT&CK: [MITRE ATT&CK] T1569.002: Service Execution | [MITRE ATT&CK] T1547 – Boot Or Logon Autostart Execution | [MITRE ATT&CK] T1078 – Valid Accounts | [MITRE ATT&CK] T1548 – Abuse Elevation Control Mechanism | [MITRE ATT&CK] T1484.001 – Domain Policy Modification: Group Policy Modification | [MITRE ATT&CK] T1480.001 – Execution Guardrails: Environmental Keying | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1070.001 – Indicator Removal on Host: Clear Windows Event Logs | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials From Web Browsers | [MITRE ATT&CK] T1003 – Os Credential Dumping | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: Lsass Memory | [MITRE ATT&CK] Discovery – Network Service Discovery[T1046] | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614.001 – System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1021.001 – Remote Services: Remote Desktop Protocol | [MITRE ATT&CK] T1021.002 – Remote Services: Smb/Windows Admin Shares | [MITRE ATT&CK] T1560.001 – Archive Collected Data: Archive Via Utility | [MITRE ATT&CK] T1071.002 – Application Layer Protocol: File Transfer Protocols | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1095 – Non-Application Layer Protocol | [MITRE ATT&CK] T1572 – Protocol Tunneling | [MITRE ATT&CK] T1219 – Remote Access Software | [MITRE ATT&CK] T1567 – Exfiltration Over Web Service | [MITRE ATT&CK] T1567.002 – Exfiltration Over Web Service: Exfiltration To Cloud Storage | [MITRE ATT&CK] T1485 – Data Destruction | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1491.001 – Defacement: Internal Defacement | [MITRE ATT&CK] T1490: Inhibit System Recovery | [MITRE ATT&CK] T1489 – Service Stop
Tags: actor:LockBit, malware:LockBit 3.0, malware:LockBit Black, malware:LockBit Red, malware:LockBit Green, malware-type:Ransomware, vulnerability:CVE-2021-22986, vulnerability:CVE-2023-0669, vulnerability:CVE-2023-27350, vulnerability:CVE-2021-44228, vulnerability:CVE-2020-1472, vulnerability:CVE-2019-0708, vulnerability:CVE-2018-13379, target-system:ESXi, target-system:macOS, target-system:Windows
ChamelGang and ChamelDoH: A DNS-over-HTTPS Implant
(published: June 13, 2023)
ChamelGang is a China-sponsored group previously known for targeting energy, aviation, and government organizations with a mostly Windows-based toolset. Stairwell researchers have discovered that ChamelGang has also developed a robust toolset for Linux intrusions, one component of which is ChamelDoH, a C++ implant. It is designed to evade network detection by tunneling its command-and-control traffic over DNS-over-HTTPS (DoH). First uploaded to VirusTotal in December 2022, the ChamelDoH sample was still undetected by antivirus engines as of June 2023. The implant exfiltrates system information and provides remote-control capabilities including file deletion, download, execution, and exfiltration. In-the-wild ChamelDoH use was accompanied by the FRP proxy tool configured with known ChamelGang infrastructure, and by the LinuxPrivilegeElevator tool, also previously attributed to ChamelGang.
Analyst Comment: Defenders can detect samples that use DoH and, by intercepting (man-in-the-middling) that traffic, identify the malicious domain requests. Stairwell’s YARA rule and indicators associated with ChamelDoH are available in the Anomali platform for detection and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1572 – Protocol Tunneling | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1005: Data from Local System | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105]
Signatures (YARA Rule): Stairwell_ChamelDoH_01.
Tags: actor:ChamelGang, malware:ChamelDoH, technique:DNS-over-HTTPS, technique:Tunneling, malware-type:Implant, malware-type:RAT, source-country:China, malware:FRP, malware-type:Proxy tool, malware:LinuxPrivilegeElevator, malware-type:Privilege escalation tool, abused:AES128, abused:base64, abused:C++, target-system:Linux
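The analyst comment above recommends identifying DoH traffic and inspecting the names it carries. As an added illustration (not code from the report or from Stairwell), the Python below flags RFC 8484 DoH GET queries in a constructed proxy log whose DNS names contain unusually long or high-entropy labels, the typical sign of data encoded into query names; the log layout, resolver names and thresholds are assumptions.

```python
import base64
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

DOH_PATH = "/dns-query"   # RFC 8484 path used by public resolvers
MAX_LABEL = 30            # legitimate labels are rarely this long (assumed threshold)
MIN_ENTROPY = 3.5         # bits/char; base64-like blobs score higher (assumed threshold)

def build_doh_get(name):
    """Encode an A query for `name` as the RFC 8484 `dns=` GET value (unpadded base64url)."""
    header = b"\x00\x00\x01\x00\x00\x01" + b"\x00" * 6          # id 0, RD set, QDCOUNT=1
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    return base64.urlsafe_b64encode(header + qname + b"\x00\x01\x00\x01").rstrip(b"=").decode()

def parse_doh_qname(dns_param):
    """Decode the first question name from a base64url DNS wire-format message."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    labels, pos = [], 12                                           # skip the 12-byte header
    while raw[pos] != 0:
        n = raw[pos]
        labels.append(raw[pos + 1:pos + 1 + n].decode(errors="replace"))
        pos += 1 + n
    return ".".join(labels)

def entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def analyze(lines):
    # Returns (src, resolver, qname) for DoH GET queries whose longest label looks encoded
    findings = []
    for line in lines:
        src, host, url, ctype = line.split()[1:5]
        parts = urlsplit(url)
        if parts.path != DOH_PATH and ctype != "application/dns-message":
            continue                                               # not a DoH request
        dns_param = parse_qs(parts.query).get("dns")
        if not dns_param:
            continue                                               # POST body not in this log
        qname = parse_doh_qname(dns_param[0])
        longest = max(qname.split("."), key=len)
        if len(longest) > MAX_LABEL or entropy(longest) > MIN_ENTROPY:
            findings.append((src, host, qname))
    return findings

# Constructed sample proxy log (not from the report): time src resolver url content-type
SAMPLE_LOG = [
    f"10:00:01 10.0.0.5 dns.google /dns-query?dns={build_doh_get('www.example.com')} application/dns-message",
    f"10:00:02 10.0.0.7 dns.google /dns-query?dns={build_doh_get('QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw.c2.example')} application/dns-message",
    "10:00:03 10.0.0.9 example.com /index.html text/html",
]
```

Only the second log line is reported, since its 48-character first label exceeds the length threshold; POST-based DoH queries need body inspection and are deliberately skipped here.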
Sneaky DoubleFinger Loads GreetingGhoul Targeting Your Cryptocurrency
(published: June 12, 2023)
DoubleFinger is a five-stage, shellcode-style loader that hides some of its payloads in PNG image files. It was described by Kaspersky researchers, who noted the complexity of the attack, including the use of Windows COM interfaces for stealthy execution and the implementation of Process Doppelgänging for injection into remote processes. Two stages hide the malicious components in legitimate, patched binaries. The final payloads were Remcos RAT and the GreetingGhoul infostealer, which uses the Microsoft WebView2 runtime to create counterfeit interfaces of cryptocurrency wallets. The targets were located in Europe, Latin America, and the US.
Analyst Comment: Users who use their computers for financial operations should rely on layered defenses against exploits, phishing, and scams. A hardware cryptocurrency wallet vendor will never ask you for your recovery seed, so be especially suspicious if you are asked to enter it on your computer. All known DoubleFinger and GreetingGhoul indicators are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1566.001 – Phishing: Spearphishing Attachment | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] T1027.003 – Obfuscated Files or Information: Steganography | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1055.013 – Process Injection: Process Doppelgänging | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task
Tags: malware:DoubleFinger, malware-type:Loader, malware:GreetingGhoul, malware-type:Infostealer, malware:Remcos RAT, malware-type:RAT, target-industry:Cryptocurrency, target-region:Europe, target-country:USA, target-region:Latin America, technique:Magic bytes, technique:Process Doppelgänging, technique:Steganography, file-type:DLL, file-type:EXE, file-type:PIF, file-type:PNG, target-system:Windows
RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine
(published: June 7, 2023)
The RomCom threat group (Tropical Scorpius, Void Rabisu) is associated with Cuba ransomware and the RomCom backdoor. BlackBerry researchers observe the group moving from predominantly financial operations to geopolitical ones. RomCom’s latest campaign (February to May 2023) has targeted politicians in Ukraine working with the West and a US-based healthcare company providing aid to Ukrainian refugees. The group continues to leverage cloned, typosquatted websites to spread trojanized software; this campaign impersonated Devolutions Remote Desktop Manager, GoTo Meeting, and the WinSCP file-transfer tool. User execution leads to activation of the multistage RomCom backdoor and installation of an additional infostealer.
Analyst Comment: Users are advised against installing additional software after being prompted via unsolicited emails and personal messages. All indicators associated with this RomCom campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1598 – Phishing For Information | [MITRE ATT&CK] T1598.002 – Phishing for Information: Spearphishing Attachment | [MITRE ATT&CK] T1189: Drive-by Compromise | [MITRE ATT&CK] T1559 – Inter-Process Communication | [MITRE ATT&CK] T1218 – Signed Binary Proxy Execution | [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1546.015 – Event Triggered Execution: Component Object Model Hijacking | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Defense Evasion – Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1112: Modify Registry | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] Discovery – File and Directory Discovery [T1083] | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1217 – Browser Bookmark Discovery | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1041 – Exfiltration Over C2 Channel | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1071 – Application Layer Protocol | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1095 – Non-Application Layer Protocol | [MITRE ATT&CK] T1573.002 – Encrypted Channel: Asymmetric Cryptography | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] T1486: Data Encrypted for Impact
Tags: actor:RomCom, malware:RomCom, malware-type:Backdoor, malware-type:RAT, malware-type:Loader, malware-type:Infostealer, target-identity:Politician, target-country:Ukraine, target-industry:Health care, target-country:US, impersonated:Devolutions RDM, impersonated:GoTo Meeting, impersonated:WinSCP, target-system:Windows