Anomali Cyber Watch: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Account takeover, APT, Banking trojans, China, Cyberespionage, India, Malspam, North Korea, Phishing, Skimmers, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Phishing Campaign Targets Chinese Nuclear Energy Industry
(published: March 24, 2023)
Active since 2013, the Bitter (T-APT-17) group is suspected of being sponsored by the Indian government. Intezer researchers discovered a new Bitter campaign targeting academic, government, and other organizations in the nuclear energy industry in China. The techniques are consistent with previously observed Bitter campaigns. The intrusion starts with a phishing email purporting to come from a real employee of the Embassy of Kyrgyzstan. Observed malicious attachments were either Microsoft Compiled HTML Help (CHM) files or Microsoft Excel files with Equation Editor exploits. The purpose of the payloads is to establish persistence via scheduled tasks and download further malware payloads (previous Bitter campaigns used browser credential stealer, file stealer, keylogger, and remote access tool plugins). The attackers relied on LZX compression and string concatenation for detection evasion.
Analyst Comment: Many advanced attacks start with basic techniques such as an unsolicited email carrying a malicious attachment that the user has to open. It is important to teach your users basic online hygiene and phishing awareness. It is reasonable to recommend never opening attached CHM files and keeping MS Office fully updated. All known indicators associated with this Bitter campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1589.002 – Gather Victim Identity Information: Email Addresses | [MITRE ATT&CK] T1566.001 – Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1203 – Exploitation For Client Execution | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1218.007 – Signed Binary Proxy Execution: Msiexec | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1082 – System Information Discovery | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1041 – Exfiltration Over C2 Channel
Tags: actor:Bitter, APT, Cyberespionage, Spearphishing, source-country:India, source-country:IN, target-country:China, target-country:CN, target-industry:Nuclear, target-industry:Energy, target-industry:Research, target-industry:Government, file-type:RAR, file-type:CHM, file-type:XLS, file-type:EXE, file-type:MSI, Equation Editor exploit, LZX compression, String concatenation, PowerShell, malware-type:Downloader, Windows
North Korean Hackers Using Chrome Extensions to Steal Gmail Emails
(published: March 22, 2023)
The North Korea-sponsored Kimsuky (Thallium, Velvet Chollima) group has been observed chaining two attack methods — a malicious Chrome extension and Android applications. A spearphishing email urges the target to install an extension for their Chromium-based browser (Chrome, Microsoft Edge, Naver Whale). This malicious extension steals Google account credentials and Gmail content, abusing the Devtools API for exfiltration. With the Google account access, the actors abuse the web-to-phone synchronization feature of Google Play to install a malicious app on the target’s linked Android devices. Kimsuky uses the “internal testing only” setting to place the app on Google Play. It is a custom Android RAT dubbed FastViewer (Fastfire, Fastspy DEX) seen in previous Kimsuky campaigns. It can activate the camera, drop, create, delete, or steal files, get contact lists, monitor or send SMS, perform calls, perform keylogging, and view the desktop.
Analyst Comment: This attack was targeting experts on Korean Peninsula and North Korea issues, but it has the potential to expand to other entities in Europe, North America, and South Korea, while remaining narrowly targeted at a limited number of victims. It is important to have protocols in place for handling incoming email with care and identifying malicious messages. A regular review of the installed extensions and apps helps limit exposure and detect malicious additions. All known indicators associated with this Kimsuky campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1566 – Phishing | [MITRE ATT&CK] T1114 – Email Collection | [MITRE ATT&CK] T1616 – Call Control | [MITRE ATT&CK] T1533 – Data From Local System | [MITRE ATT&CK] T1417.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1636.004 – Protected User Data: SMS Messages | [MITRE ATT&CK] T1636.003 – Protected User Data: Contact List | [MITRE ATT&CK] T1512 – Capture Camera
Tags: mitre-group:Kimsuky, actor:Thallium, actor:Velvet Chollima, source-country:North Korea, source-country:KP, target-country:South Korea, target-country:KR, Devtools API, file-type:JSON, file-type:JS, Chrome Extension, malware:AF, Microsoft Edge, Whale browser, Gmail, malware:FastViewer, malware:Fastfire, malware:Fastspy DEX, malware-type:RAT, Web-to-phone synchronization, Mobile, Android
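The Analyst Comment above recommends a regular review of installed browser extensions. The following is an added example, not code from Anomali or from the report it summarizes: it walks a Chromium-style Extensions directory, reads each manifest.json, and flags extensions that request permissions a mail-stealing extension would need, such as the "debugger" permission (which exposes the DevTools protocol) or host access to Gmail. The risky-permission list and the two sample extensions are constructed for the demonstration and are the reviewer's own choices, not an official list.

```python
"""Audit unpacked Chromium extensions for high-risk permissions (added example)."""
import json
import os
import tempfile

# Permissions and host patterns worth a second look during an extension review.
# These are illustrative choices for this example, not an official risk list.
RISKY_PERMISSIONS = {"debugger", "webRequest", "cookies", "tabs", "scripting"}
RISKY_HOSTS = ("mail.google.com", "<all_urls>", "*://*/*")


def _host_entries(manifest):
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    entries = list(manifest.get("host_permissions", []))
    entries += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return entries


def audit_manifest(manifest):
    """Return the reasons an extension manifest looks risky (empty list = nothing flagged)."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS):
        reasons.append(f"permission:{p}")
    for host in _host_entries(manifest):
        if any(h in host for h in RISKY_HOSTS):
            reasons.append(f"host:{host}")
    return reasons


def audit_extensions_dir(root):
    """Walk <root>/<ext_id>/<version>/manifest.json and return {ext_id: (name, reasons)} for flagged extensions."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except json.JSONDecodeError:
                continue  # unreadable manifest: skip rather than crash the review
        reasons = audit_manifest(manifest)
        if reasons:
            ext_id = os.path.relpath(dirpath, root).split(os.sep)[0]
            flagged[ext_id] = (manifest.get("name", "?"), reasons)
    return flagged


def build_demo_dir():
    """Create a constructed Extensions tree with one benign and one suspicious manifest."""
    root = tempfile.mkdtemp()
    samples = {
        "aaaa_benign": {"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]},
        "bbbb_suspect": {
            "name": "Mail Helper",
            "manifest_version": 3,
            "permissions": ["debugger", "tabs", "storage"],
            "host_permissions": ["https://mail.google.com/*"],
        },
    }
    for ext_id, manifest in samples.items():
        version_dir = os.path.join(root, ext_id, "1.0_0")
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    demo = build_demo_dir()
    for ext_id, (name, reasons) in audit_extensions_dir(demo).items():
        print(f"{ext_id} ({name}): {', '.join(reasons)}")
```

To run it against a real profile, point audit_extensions_dir at the browser's Extensions folder (for Chrome on Windows this is typically under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions; Edge and Whale use their own equivalent paths). A hit is a prompt for a closer look, not proof of compromise: legitimate developer tools also request "debugger".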
New Kritec Magecart Skimmer Found on Magento Stores
(published: March 22, 2023)
While verifying previously reported injections of a WebSocket skimmer abusing Google Tag Manager, Malwarebytes researchers detected a completely new skimmer dubbed Kritec. The Kritec skimmer is injected near the Google Tag Manager script, but it is not embedded in the Google Tag Manager library itself and it does not use WebSocket. Kritec calls out to a first domain (whose name is stored Base64-encoded) and receives a Base64 response containing a URL pointing to the actual skimming code, which is heavily obfuscated (likely via Obfuscator[.]io). Kritec infrastructure is hidden behind Cloudflare protection.
Analyst Comment: Site administrators should keep their systems updated and secure the administrator panel with two-factor authentication or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files. All known network indicators associated with Kritec are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information
Tags: malware:Kritec, Magecart, malware-type:Skimmer, Google Tag Manager, WebSockets, Base64, Cloudflare, Obfuscator[.]io, Magento store, Website compromise
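Because Kritec stores its first-stage domain as a Base64 string placed near the Google Tag Manager snippet, a site administrator reviewing a page can surface such call-outs by decoding every Base64-looking literal in the page's inline scripts and keeping those that decode to a URL or hostname. The following is an added example, not Malwarebytes' or Anomali's code and not the skimmer itself; the sample page, the GTM container id and the placeholder domain (a reserved .invalid name) are all constructed for the demonstration.

```python
"""Surface Base64-encoded URLs hidden in a page's inline scripts (added example)."""
import base64
import binascii
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
# Base64 literals of a plausible length; short identifiers are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Accept absolute/protocol-relative URLs or bare hostnames after decoding.
URLISH_RE = re.compile(
    r"^(https?:)?//[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$|^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def decode_b64(token):
    """Decode a Base64 token to printable ASCII text, or None if it is not valid."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_urls(html):
    """Return [(script_index, token, decoded)] for Base64 literals that decode to a URL or host."""
    hits = []
    for i, m in enumerate(SCRIPT_RE.finditer(html)):
        for tok in B64_RE.findall(m.group(1)):
            dec = decode_b64(tok)
            if dec and URLISH_RE.match(dec.strip()):
                hits.append((i, tok, dec.strip()))
    return hits


def is_near_gtm(html, script_index):
    """True if the inline script at script_index is adjacent to (or is) the GTM loader snippet."""
    scripts = [m.group(1) for m in SCRIPT_RE.finditer(html)]
    gtm = [i for i, s in enumerate(scripts) if "googletagmanager.com/gtm.js" in s]
    return any(abs(script_index - g) <= 1 for g in gtm)


# Constructed sample: a standard-looking GTM loader followed by an injected script that
# hides its first-stage URL in Base64. The domain is a reserved placeholder.
PLACEHOLDER_URL = "https://cdn-static.invalid/loader.js"
ENCODED = base64.b64encode(PLACEHOLDER_URL.encode()).decode()
SAMPLE_HTML = (
    "<html><head>\n"
    "<script>(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],"
    "j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
    "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXXX');</script>\n"
    "<script>var _q=atob(\"" + ENCODED + "\");</script>\n"
    "<script>var greeting=\"hello world\";</script>\n"
    "</head></html>"
)


if __name__ == "__main__":
    for idx, tok, dec in find_encoded_urls(SAMPLE_HTML):
        flag = "NEAR GTM" if is_near_gtm(SAMPLE_HTML, idx) else ""
        print(f"script #{idx}: {tok} -> {dec} {flag}")
```

Run it over a saved copy of the checkout page (wget or the browser's "save as"); any decoded URL that is not one of the site's own or its tag vendors' domains deserves the core-file integrity check and the search for the same injection that the Analyst Comment recommends.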
Bad Magic: New APT Found in the Area of Russo-Ukrainian Conflict
(published: March 21, 2023)
Since October 2022, a new advanced persistent threat (APT) group dubbed Bad Magic has breached an unspecified number of government, agriculture and transportation organizations in the Donetsk, Lugansk, and Crimea regions (parts of Ukraine currently controlled by Russia). The attack starts with a URL pointing to a ZIP archive containing a decoy document and a malicious LNK file with a double extension (such as .PDF.LNK). Its execution triggers the download and execution of an MSI dropper package containing a VBS dropper script and a PowerShell-based backdoor dubbed PowerMagic. The same targets were also infected with the CommonMagic malicious framework (likely deployed by the PowerMagic backdoor). CommonMagic has standalone modules communicating via named pipes: information-stealing modules (a screenshotting module and a module collecting data from removable USB drives), a traffic encryption module, and networking modules. CommonMagic uses OneDrive remote folders, the Microsoft Graph API, the RapidJSON library, and the RC5Simple encryption library.
Analyst Comment: Users are advised to read their mail on desktop/notebook computers, where they can see the extensions of the files they are prompted to open. Avoid opening LNK and double-extension files. All known indicators associated with this Bad Magic campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1218.007 – Signed Binary Proxy Execution: Msiexec | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1053 – Scheduled Task/Job | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1025 – Data From Removable Media | [MITRE ATT&CK] T1573 – Encrypted Channel
Tags: actor:Bad Magic, malware:PowerMagic, malware-type:Backdoor, PowerShell, malware:CommonMagic, malware-type:Framework, APT, target-industry:Government, target-industry:Agriculture, target-industry:Transportation, target-region:Lugansk, target-region:Crimea, target-region:Donetsk, Named pipes, WindowsActiveXTaskTrigger, OneDrive remote folder, Microsoft Graph API, OAuth refresh token, RapidJSON, RC5Simple, file-type:ZIP, file-type:PDF, file-type:XLSX, file-type:DOCX, file-type:MSI, file-type:DAT, file-type:VBS, file-type:EXE, Windows
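The Bitter write-up above describes CHM and Equation Editor lures and the Bad Magic write-up a ZIP archive carrying a double-extension LNK next to a decoy document; both Analyst Comments amount to "do not let these file types reach the user". The following is an added example of mail-gateway attachment triage, not code from Anomali, Intezer or Kaspersky: it recognizes CHM files by their ITSF header, legacy OLE office files that embed an Equation Editor object by heuristic string markers (a full triage would parse the OLE structure), and LNK shortcuts by the ShellLink header and CLSID, recursing into ZIP archives. All sample attachments are constructed in build_samples().

```python
"""Triage email attachments for CHM, Equation Editor and double-extension LNK lures (added example)."""
import io
import zipfile

CHM_MAGIC = b"ITSF"
# ShellLink header: HeaderSize 0x0000004C followed by CLSID 00021401-0000-0000-C000-000000000046.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# Compound File Binary signature used by legacy .xls/.doc containers.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# Heuristic markers of an embedded Equation Editor (EQNEDT32) object; OLE stream names are UTF-16LE.
EQN_MARKERS = [b"Equation Native", "Equation Native".encode("utf-16-le"),
               b"Equation.3", "Equation.3".encode("utf-16-le")]
# Extensions a decoy "document" usually claims before the real .lnk extension.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
MAX_MEMBER = 50 * 1024 * 1024  # skip oversized archive members (zip-bomb guard)


def is_double_extension_lnk(name):
    """True for names like report.pdf.lnk (document-looking extension followed by .lnk)."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOC_EXTS


def triage(name, data):
    """Return the findings for one attachment; an empty list means nothing was flagged."""
    findings = []
    if data.startswith(CHM_MAGIC):
        findings.append("chm-help-file")
    if data.startswith(OLE_MAGIC) and any(m in data for m in EQN_MARKERS):
        findings.append("ole-equation-editor-object")
    if data.startswith(LNK_HEADER) and is_double_extension_lnk(name):
        findings.append("double-extension-lnk")
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        findings.append(f"zip:{info.filename}:oversized-member")
                        continue
                    # Recurse so archived LNK files and nested archives are examined too.
                    for f in triage(info.filename, zf.read(info)):
                        findings.append(f"zip:{info.filename}:{f}")
        except zipfile.BadZipFile:
            findings.append("zip:corrupt-archive")
    return findings


def triage_all(samples):
    """Run triage over a {filename: bytes} mapping and return {filename: findings}."""
    return {name: triage(name, data) for name, data in samples.items()}


def build_samples():
    """Constructed attachments: benign PDF, CHM, OLE xls with an Equation marker, ZIP with decoy + .pdf.lnk."""
    lnk = LNK_HEADER + b"\x00" * 56  # minimal 76-byte ShellLink header, remainder zeroed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("report.pdf.lnk", lnk)
    return {
        "notes.pdf": b"%PDF-1.4 benign document",
        "manual.chm": CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 28,
        "invoice.xls": OLE_MAGIC + b"\x00" * 64 + "Equation Native".encode("utf-16-le") + b"\x00" * 16,
        "documents.zip": buf.getvalue(),
    }


if __name__ == "__main__":
    for name, findings in triage_all(build_samples()).items():
        print(f"{name}: {findings or 'clean'}")
```

The checks are keyed on file content rather than on the claimed extension, so a CHM renamed to .txt or an LNK hidden in an archive is still caught; the Equation Editor markers are a heuristic and will miss an object whose stream names have been altered, which is why the Analyst Comment's advice to keep MS Office fully updated still stands.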
Nexus: a New Android Botnet?
(published: March 21, 2023)
Cleafy researchers analyzed a new Android banking botnet named Nexus that was first detected in August 2022. It has some overlaps with the source code originally stolen from the Sova banking botnet. In January 2023, the actors behind Nexus started offering it on a Malware-as-a-Service basis. The malware is offered for a steep price and detected infections number in the hundreds, but it still shows the marks of a testing/beta version. Nexus terminates itself if the device is located in one of ten ex-Soviet countries or Indonesia. Its main focus is credential theft, injections for account takeover attacks targeting banking portals and cryptocurrency services (450 financial applications), and SMS interception.
Analyst Comment: Users should keep their mobile devices updated and use mobile antivirus and VPN protection services. Install only the applications you actually need, use the official Google Play store, and check the app description and reviews. All known indicators associated with this Nexus campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1417.002 – Input Capture: GUI Input Capture | [MITRE ATT&CK] T1582 – SMS Control
Tags: malware:Nexus, malware-type:Botnet, malware-type:Banker, malware-type:Trojan, detection:Sova, detection:Boogr, Account takeover, Malware-as-a-Service, target-industry:Financial, target-industry:Cryptocurrency, Mobile, Android