Anomali Cyber Watch: Aggressively-Mutating Mantis Backdoors Target Palestine, Fake Cracked Packages Flood NPM, Rorschach Ransomware Is Significantly Faster Than LockBit v.3
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cryptocurrency, Data leak, Malvertising, Packers, Palestine, Phishing, Ransomware, and Software supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
CryptoClippy Speaks Portuguese
(published: April 5, 2023)
Since at least early 2022, an opportunistic cryptocurrency clipper campaign has been targeting Portuguese speakers by prompting a download from an actor-controlled website promoted via SEO poisoning and malvertising that abuses Google Ads. The file impersonates WhatsApp Web and delivers malware dubbed CryptoClippy, which replaces cryptocurrency addresses in the target's clipboard. The first two files in the infection chain are either EXE and BAT or ZIP and LNK. The actors use extensive obfuscation and encryption (RC4 and XOR), log and file clearing, and thorough user profiling for narrow targeting and defense evasion. The use of the Invoke-Obfuscation obfuscation type may point to a Brazil-based attacker.
Analyst Comment: The observed actor-controlled wallets gained a little over 1,000 US Dollars, but the actors' complex, multi-stage malware could help them extend this damage. Users are advised to verify the recipient address before sending a financial transaction. Indicators related to CryptoClippy are available in the Anomali platform. Organizations that publish applications for their customers are invited to use Anomali Premium Digital Risk Protection to discover rogue, malicious apps impersonating their brand that security teams typically do not search for or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1059.001 – PowerShell | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1620 – Reflective Code Loading | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1112 – Modify Registry | [MITRE ATT&CK] T1136.001 – Create Account: Local Account | [MITRE ATT&CK] T1070.001 – Indicator Removal on Host: Clear Windows Event Logs | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1055 – Process Injection | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task
Tags: malware:CryptoClippy, malware-type:Clipper, Google Ads, Traffic distribution system, SEO poisoning, WhatsApp, file-type:ZIP, file-type:EXE, file-type:LNK, file-type:BAT, RDP, RC4, XOR, PowerShell, target-industry:Cryptocurrency, Ethereum, Bitcoin, source-country:Brazil, source-country:BR, Character padding, Invoke-Obfuscation, Windows
Mantis: New Tooling Used in Attacks Against Palestinian Targets
(published: April 4, 2023)
The Mantis (Arid Viper, Desert Falcon, APT-C-23) advanced persistent threat is a Palestine-associated group that has been observed since 2011. From September 2022 to February 2023, Mantis ran a new campaign targeting organizations within the Palestinian territories. The campaign featured versions of the custom Micropsia and Arid Gopher backdoors and a variety of additional tools, including the Putty SSH client and the SetRegRunKey.exe registry modification persistence tool. Mantis has been aggressively mutating the logic between variants of its backdoors, at times replacing versions in the course of an ongoing compromise.
Analyst Comment: Historically, many Mantis attacks have started with spearphishing. It is important to teach your users basic online hygiene and phishing awareness. Pay attention to suspicious PowerShell executions, suspicious port connections (such as over port 4444), and signs of data exfiltration. All known Mantis indicators associated with this campaign are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1059.001 – PowerShell | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1560.001 – Archive Collected Data: Archive Via Utility | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Tags: actor:Mantis, malware:Micropsia, malware-type:Backdoor, malware:Arid Gopher, PowerShell, PyArmor, Putty, SetRegRunKey.exe, actor:Arid Viper, actor:Desert Falcon, actor:APT-C-23, target-region:Palestine, source-region:Palestine, Cyberespionage, Data loss, Delphi, Golang, file-type:EXE, port:4444, Windows
Who Broke NPM?: Malicious Packages Flood Leading to Denial of Service
(published: April 4, 2023)
Several campaigns, likely operated by the same threat actor, have targeted the npm JavaScript software registry with automated user account and package creation. In March 2023, this pushed the number of package versions released per month from 800,000 to over 1.4 million, at times causing a denial of service for the npm website. The threat actor has been creating malicious websites and publishing attractive package descriptions related to cracked software, with links to those websites. A user who follows the link downloads and executes an inflated, zero-padded EXE file that starts an infection chain which disables security tools and firewalls and uses DLL side-loading and virtualization/sandbox evasion. It delivers various commodity tools such as Glupteba, RedLine, Smoke Loader, xmrig and more to steal credentials and to mine cryptocurrency. Additional fraud monetization comes from scams using AliExpress referrals and cryptocurrency schemes in Russian-speaking Telegram groups.
Analyst Comment: Open-source libraries and software supply chains are increasingly under attack. These campaigns are abusing the reputation of the npm code sharing environment to promote the malicious websites in search engines. As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. These types of downloads should be restricted by your company; supply the legitimate software and educate your employees about these risks. Network indicators associated with this recent npm targeting are available on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1027.001 – Obfuscated Files or Information: Binary Padding | [MITRE ATT&CK] T1629.003 – Impair Defenses: Disable Or Modify Tools | [MITRE ATT&CK] T1633 – Virtualization/Sandbox Evasion | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1555 – Credentials From Password Stores | [MITRE ATT&CK] T1496 – Resource Hijacking | [MITRE ATT&CK] T1499 – Endpoint Denial Of Service
Tags: npm, Spam, malware:Glupteba, malware:RedLine, malware-type:Infostealer, malware:Smoke Loader, detection:xmrig, malware-type:Miner, Open-source library, SEO, DoS, AliExpress, Referral scam, Software supply chain, Warez, Cracked, Telegram, target-country:Russia, target-country:RU, target-industry:Cryptocurrency, file-type:EXE, Windows
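A defender-side check for the inflated, zero-padded executables (T1027.001 Binary Padding) described in the npm item above, added here as an illustration rather than taken from the report. It assumes the padding is appended after the last PE section, i.e. it lives in the file overlay; the PE built by `build_fake_pe` is a constructed stand-in, not a sample from the campaign.

```python
import struct

def pe_overlay(data: bytes) -> bytes:
    """Return the bytes after the last PE section (the overlay); raise ValueError if not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> "PE\0\0" offset
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]   # SizeOfOptionalHeader
    sec_table = pe + 24 + opt_size
    end = sec_table + 40 * n_sections                       # headers at minimum
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte entry
        size_raw, ptr_raw = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return data[end:]

def padding_verdict(data: bytes, min_overlay: int = 64 * 1024, null_ratio: float = 0.9) -> dict:
    """Flag a file whose overlay is large and made almost entirely of null bytes."""
    overlay = pe_overlay(data)
    ratio = overlay.count(0) / len(overlay) if overlay else 0.0
    return {"overlay_bytes": len(overlay), "null_ratio": round(ratio, 3),
            "suspicious": len(overlay) >= min_overlay and ratio >= null_ratio}

def build_fake_pe(section_size: int, padding: int) -> bytes:
    """Constructed minimal PE (one section, no optional header) for offline testing; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    raw_ptr = e_lfanew + 4 + 20 + 40                        # section data starts right after the headers
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)  # Machine, NumberOfSections=1, SizeOfOptionalHeader=0
    section = struct.pack("<8sIIIIIIHHI", b".text", 0, 0, section_size, raw_ptr, 0, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + section + b"\xAB" * section_size + b"\x00" * padding

if __name__ == "__main__":
    print(padding_verdict(build_fake_pe(64, 100_000)))      # suspicious: True
    print(padding_verdict(build_fake_pe(64, 0)))            # suspicious: False
```

On real samples, feed the file bytes to `padding_verdict` and tune `min_overlay` to the sizes your sandbox or AV upload limits reject; a large overlay that is not null-filled (installers, signed packages) is normal and is not flagged.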
Rorschach – A New Sophisticated And Fast Ransomware
(published: April 4, 2023)
In February-March 2023, a new ransomware family dubbed Rorschach was spotted in the wild. While unique overall, Rorschach borrowed from several advanced ransomware families. Its hybrid cryptography and some other routines are inspired by or copied from Babuk. Similar to LockBit 2.0, it can spread from a Windows Domain Controller by automatically creating a domain group policy. Finally, Rorschach ransom notes were in some cases formatted similarly to DarkSide and in others similarly to Yanluowang. Rorschach does not brand its notes, but its exemption for the Commonwealth of Independent States shows its likely origin. To avoid detection, Rorschach uses direct syscalls, finding, storing and using the relevant syscall numbers for NT APIs. Rorschach achieves extremely fast encryption through an efficient cryptography scheme, partial file encryption, effective thread scheduling via I/O completion ports, and compiler optimization, with much of the code being inlined.
Analyst Comment: Rorschach's ability to abuse a Palo Alto Networks security product, Cortex XDR Dump Service Tool, was reported to the vendor. Network defenders can consider setting up warning systems for new group policies, new scheduled tasks, and rogue encryption processes targeting honeypot/canary files. To constrain the autonomous capabilities of the ransomware, endpoint devices with admin privileges should be properly locked down, and micro-segmentation of IT networks should be implemented where possible. Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allow recovery without any need to decrypt the affected data.
MITRE ATT&CK: [MITRE ATT&CK] T1486 – Data Encrypted for Impact | [MITRE ATT&CK] T1490 – Inhibit System Recovery | [MITRE ATT&CK] T1489 – Service Stop | [MITRE ATT&CK] T1070.001 – Indicator Removal on Host: Clear Windows Event Logs | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1484.001 – Domain Policy Modification: Group Policy Modification
Tags: malware:Rorschach, malware-type:Ransomware, VMProtect, source-region:CIS, curve25519, eSTREAM cipher hc-128, I/O completion port, Thread scheduling, Domain group policy, Cortex XDR Dump Service Tool, Palo Alto Networks, target-country:USA, target-country:US, file-type:EXE, file-type:DLL, file-type:INI, Windows
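The canary-file warning system the Analyst Comment recommends, as an added example that is not part of the Anomali report. Because Rorschach only partially encrypts each file, the check measures entropy per 4 KiB window rather than over the whole file, so a rewritten header region still trips the alert; the canary contents and the deterministic stand-in for ciphertext are constructed here, and the `CHUNK` and `ENTROPY_ALERT` thresholds are assumptions to tune for your environment.

```python
import math
import random

CHUNK = 4096         # inspect files in 4 KiB windows; partial encryption touches only some of them
ENTROPY_ALERT = 7.5  # bits per byte; text sits around 4-5, compressed/encrypted data near 8

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def max_chunk_entropy(data: bytes) -> float:
    """Highest entropy seen in any CHUNK-sized window, so a partially encrypted file is still caught."""
    return max((shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)), default=0.0)

def check_canaries(baseline: dict, current: dict) -> list:
    """Compare a baseline snapshot {name: bytes} against the current one; return (name, verdict) alerts.
    A missing name covers ransomware renaming the file with a new extension; a changed body is
    classified by whether any window now looks like ciphertext."""
    alerts = []
    for name, original in baseline.items():
        now = current.get(name)
        if now is None:
            alerts.append((name, "missing-or-renamed"))
        elif now != original:
            verdict = "modified-high-entropy" if max_chunk_entropy(now) >= ENTROPY_ALERT else "modified"
            alerts.append((name, verdict))
    return alerts

def demo() -> list:
    """Constructed scenario: one canary partially overwritten with random bytes, one renamed away."""
    plain = b"Quarterly report draft - do not distribute. " * 200      # ~8.8 KB low-entropy canary
    baseline = {"canary_report.docx": plain, "canary_notes.txt": b"meeting notes\n" * 50}
    rng = random.Random(7)                                            # deterministic stand-in for ciphertext
    encrypted_head = bytes(rng.randrange(256) for _ in range(CHUNK))
    current = {
        "canary_report.docx": encrypted_head + plain[CHUNK:],          # only the first 4 KiB rewritten
        "canary_notes.txt": None,                                      # file no longer present under its name
    }
    return check_canaries(baseline, current)

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"ALERT {verdict}: {name}")
```

In production the snapshots come from reading the real canary files on a short timer or from a filesystem watcher, and a "modified-high-entropy" or "missing-or-renamed" verdict on a file nobody should touch is the trigger to isolate the host.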
Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies
(published: April 4, 2023)
A new malicious extension dubbed Rilide targets cryptocurrency users on Chromium-based browsers. It was seen delivered through two infection chains: one starting with malicious macros in a Publisher file that delivers Ekipa RAT, the other through Google Ads pushing the Aurora Stealer payload. The Rilide malware impersonates a Google Drive extension. It loads additional JS scripts that collect information and make automatic fund withdrawal requests in the background. Forged dialogs trick users into revealing their two-factor authentication codes, and withdrawal confirmation emails are edited on the fly to look like device authorization requests. Trustwave researchers found that threat actors had been advertising malicious extensions with functionality similar to Rilide since at least March 2022, and that partial code was leaked in February 2023.
Analyst Comment: Users are advised to keep an eye on their browser extensions and question any additions they did not authorize. All known indicators related to Rilide are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1565.003 – Data Manipulation: Runtime Data Manipulation
Tags: malware:Rilide, Malicious browser extension, target-industry:Cryptocurrency, Chromium-based browser, Google Chrome, Microsoft Edge, Brave, Opera, malware:Ekipa, malware-type:RAT, malware:Aurora, malware-type:Infostealer, Themida, VMProtect, file-type:PUB, file-type:EXE, file-type:JS, file-type:JSON, malware-type:Loader, PowerShell, Rust, Discord CDN, Malvertising, Google Ads, actor:gulantin, Macros, Windows