Anomali Cyber Watch: Active Probing Revealed Cobalt Strike C2s, Black Basta Ransomware Connected to FIN7, Robin Banks Phishing-as-a-Service Became Stealthier, and More


The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Active scanning, EDR evasion, Infostealers, Phishing, and Typosquatting. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild

(published: November 3, 2022)

Cobalt Strike remains a popular post-exploitation tool for threat actors trying to evade threat detection. Cobalt Strike’s Beacons use advanced, flexible command-and-control (C2) communication profiles for stealth communication with an attacker-controlled Linux application called Team Server. Beacon implants can covertly utilize the DNS protocol or communicate via HTTP/HTTPs using the the default Malleable C2 profile or Malleable C2 Gmail profile. Palo Alto researchers probed the Internet for these three types of communication to find previously-unknown active Team Server instances. Researchers were preselecting suspicious IP addresses with Shodan, actively probing them with stager requests and initializing a connection with the netcat tool to test, verify and extract communication profile settings (such as the served stager bytes).
Analyst Comment: Network fingerprinting and active scanning technologies allow for proactive identification of threats such as Cobalt Strike’s C2 IP addresses. Network defenders and intelligence feed providers can get better coverage by improving their collaboration and coverage via threat intelligence platforms such as ThreatStream provided by Anomali.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol – T1071
Tags: detection:Cobalt Strike Beacon, detection:Cobalt Strike, detection:Cobalt Strike Team Server, Cobalt Strike stager, Active scanning, Shodan, netcat, Post-exploitation tool, Gmail, DNS, TCP, HTTP, Windows

Abusing Microsoft Customer Voice to Send Phishing Links

(published: November 3, 2022)

Avanan researchers detected a phishing campaign that abuses Microsoft Dynamics 365 Customer Voice since at least September 2022. These phishing emails come from legitimate email address surveys@email.formspro.microsoft.com, and clicking the link opens the Microsoft’s Customer Voice domain on a page with URL starting with: customervoice.microsoft.com/Pages/ResponsePage.aspx?id=… At the same time, a user clicking on the embedded “Play Voicemail” link redirects to an attacker-controlled phishing page asking for Microsoft account login credentials.
Analyst Comment: Organizations can use services like Anomali Digital Risk Protection, which defends your brand against brand abuse and continuously monitors domains for cybersquatters and domain hijacking to prevent phishing and malware attacks. Users are advised to always check the current domain by hovering over the URL, especially before entering credentials.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566
Tags: Customer Voice, Phishing, Microsoft, Forms Pro

Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor

(published: November 3, 2022)

Since its first appearance in April 2022, Black Basta ransomware breached over 90 organizations. Sentinel Labs researchers found that this private ransomware group is connected to Carbanak (aka FIN7). The groups use overlapping techniques, IP addresses, and a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022. One of the custom tools is a Visual Basic-compiled and UPX-packed executable showing a fake Windows Security GUI and tray icon with a “healthy” system status.
Analyst Comment: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable through segmentation, off-line storage, encrypting data at rest, and limiting the storage of personal and sensitive data.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: actor:Black Basta, detection:Black Basta, actor:Carbanak, actor:FIN7, malware-type:Ransomware, ZeroLogon, CVE-2020-1472, NoPac, CVE-2021-42287, CVE-2021-42278, PrintNightmare, CVE-2021-34527, AdFind, EDR evasion, Windows Security GUI, Windows

Crimson Kingsnake: BEC Group Impersonates International Law Firms in Blind Third-Party Impersonation Attacks

(published: November 3, 2022)

A business email compromise (BEC) group dubbed Crimson Kingsnake has recently been typosquatting and impersonating well-known international law firms. The group registered 92 malicious domains related to 19 law firms and debt collection agencies across Australia, the UK, and the US. A typical attack starts with an impersonating email requesting payment, often followed by a different email from the same typosquatted domain impersonating the alleged company executive. Crimson Kingsnake does a deep research on their victims and possibly uses previously-stolen invoices to craft their own.
Analyst Comment: Organizations should train their employees making financial decisions on BEC tactics including the creation of the artificial sense of urgency. It is recommended to proactively identify typosquatted domains targeting your brand with Anomali Premium Digital Risk Protection or similar service.
Tags: actor:Crimson Kingsnake, BEC, Phishing, Typosquatting, Fake invoice, Fraud, target-industry:Law, target-industry:Debt collection, target-country:US, target-country:UK, target-country:AU

Robin Banks Still Might Be Robbing Your Bank (Part 2)

(published: November 3, 2022)

The Robin Banks phishing-as-a-service (PhaaS) platform was first described by IronNet analysts in July 2022. It was blacklisted by Cloudflare and disrupted then, but it returned behind DDOS-GUARD, a notorious Russian provider. Robin Banks started using open-source and commodity tools: the Adspect bot filter, the evilginx2 reverse proxy cookie stealer, and the PHP obfuscator. Adspect places a specific PHP file that acts as an entry point for web traffic and is wired to Adspect servers which process clicks and make decisions as to whether to resolve to a phishing or benign site.
Analyst Comment: Despite basing its code on other available tools, Robin Banks is able to find clients for its PhaaS platform. Organizations are advised to require phishing training for employees and partners. Users are advised not to click on links sent through SMS and email, especially if asked to access their account or enter credentials. Using a password manager helps with unique credentials across all accounts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Steal Web Session Cookie – T1539
Tags: detection:Robin Banks, Phishing, Phishing-as-a-service, PhaaS, MFA, detection:Adspect, Cloaker, PHP obfuscator, evilginx2, Reverse proxy, Cookie-stealing, 2FA bypass, DDOS-GUARD, Russia

Google Ad for GIMP.org Served Info-Stealing Malware via Lookalike Site

(published: November 1, 2022)

Actors behind the Vidar infostealer have targeted users of at least 27 software products including Notepad++, Microsoft Visual Studio, and Brave browser. Their latest campaign, discovered on October 29, 2022, is targeting the well-known graphics editor, GNU Image Manipulation Program (GIMP). Threat actors were able to abuse Google Ads to display the legitimate GIMP website (GIMP.org) while forwarding users to typosquatted ones (gilimp[.]org and gimp[.]monster).
Analyst Comment: Users should always check the domain they are on before downloading the alleged application. Consider finding the official site directly instead of clicking on an advertisement.
MITRE ATT&CK: [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Credentials from Password Stores – T1555
Tags: detection:Vidar, Malvertising, Binary padding, malware-type:Infostealer, file-type:EXE, file-type:DLL, GNU, Typosquatting, Google Ads, Windows





Source link