Anomali Cyber Watch: Amadey Bot Started Delivering LockBit 3.0 Ransomware, StrelaStealer Delivered by a HTML/DLL Polyglot, Spymax RAT Variant Targeted Indian Defense, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, DDoS, Infostealers, Maldocs, Phishing, Ransomware, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
KmsdBot: The Attack and Mine Malware
(published: November 10, 2022)
KmsdBot is a cryptominer written in GO with distributed denial-of-service (DDoS) functionality. This malware was performing DDoS attacks via either Layer 4 TCP/UDP packets or Layer 7 HTTP consisting of GET and POST. KmsdBot was seen performing targeted DDoS attacks against the gaming industry, luxury car manufacturers, and technology industry. The malware spreads by scanning for open SSH ports and trying a list of weak username and password combinations.
Analyst Comment: Network administrators should not use weak or default credentials for servers or deployed applications. Keep your systems up-to-date and use public key authentication for your SSH connections.
MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service – T1498 | [MITRE ATT&CK] Resource Hijacking – T1496
Tags: detection:KmsdBot, SSH, Winx86, Arm64, mips64, x86_64, malware-type:DDoS, malware-type:Cryptominer, xmrig, Monero, Golang, target-industry:Gaming, target-industry:Car manufacturing, target-industry:Technology, Layer 4, Layer 7
Massive ois[.]is Black Hat Redirect Malware Campaign
(published: November 9, 2022)
Since September 2022, a new WordPress malware redirects website visitors via ois[.]is. To conceal itself from administrators, the redirect will not occur if the wordpress_logged_in cookie is present, or if the current page is wp-login.php. The malware infects .php files it finds – on average over 100 files infected per website. A .png image file is initiating a redirect using the window.location.href function to redirect to a Google search result URL of a spam domain of actors’ choice. Sucuri researchers estimate 15,000 affected websites that were redirecting visitors to fake Q&A sites.
Analyst Comment: WordPress site administrators should keep their systems updated and secure the wp-admin administrator panel with 2FA or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190
Tags: file-type:PHP, SEO poisoning, WordPress, Google Search, Google Ads
LockBit 3.0 Being Distributed via Amadey Bot
(published: November 8, 2022)
Discovered in 2018, Amadey Bot is a commodity malware that functions as infostealer and loader. Ahnlab researchers detected a new campaign where it is used to deliver the LockBit 3.0 ransomware. It is likely a part of a larger 2022 campaign delivering LockBit to South Korean users. The actors used phishing attachments with two variants of Amadey Bot delivery. For one delivery option, they used a Word document to retrieve a remote template with a malicious VBA macro. If enabled by the user, it drops a malicious LNK file that runs a PowerShell command to download and run Amadey Bot. For the second delivery option, Amadey was delivered by an attached executable masquerading as a Word file.
Analyst Comment: The best defense against these Amadey Bot attacks is anti-phishing training. Never click on attachments from spam emails or untrusted senders. Macros are a common method for executing malicious code therefore, never enable macros on suspicious documents.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140
Tags: detection:LockBit 3.0, malware-type:Ransomware, detection:Amadey Bot, malware-type:Loader, malware-type:Infostealer, VBA macro, file-type:DOCX, file-type:LNK, PowerShell, file-type:EXE, file-type:PS1, Windows, South Korea, target-country:KR
#ShortAndMalicious: StrelaStealer Aims for Mail Credentials
(published: November 8, 2022)
In November 2022, DCSO CyTec researchers detected a new malware dubbed StrelaStealer that steals email credentials from Thunderbird and Outlook. StrelaStealer infections start with an ISO file. One infection variant included a polyglot HTML file that was executed twice by the LNK file, once as a DLL and a second time as a benign HTML file. StrelaStealer’s current command-and-control (C2) IP address is hosted on known Russian bulletproof hosting “Kanzas LLC.”
Analyst Comment: Users should be cautious when opening attachments, especially with non-standard extensions such as .ISO files. Analysts should be on lookout for polyglot files that can avoid detection during basic sandbox execution.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Hijack Execution Flow – T1574
Tags: detection:StrelaStealer, malware-type:Infostealer, Kansas LLC, Russia, Polyglot file, file-type:HTML, file-type:DLL, file-type:ISO, Windows, Thunderbird, Outlook
Azov Ransomware Is a Wiper, Destroying Data 666 Bytes at a Time
(published: November 7, 2022)
Azov data wiper (self-named Azov Ransomware) was first detected in October 2022. It can be programmed to sit dormant on the infected machine until a certain date and then locks the computer and displays the ransom note to contact aliases that actually belong to security researchers and journalists. In reality, Azov does not encrypt but destroys data by overwriting files and alternating 666-byte chunks of garbage data. The wiper achieves persistence by backdooring some executable files with shellcodes encoded in a polymorphic way. Azov is distributed through the Smokeloader botnet, often found in fake pirated software and crack sites.
Analyst Comment: Smokeloader infection often delivers credential stealing malware that would be an additional concern for those with the Azov wiper infection. As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. These types of downloads should be restricted by your company, often by supplying legitimate with dedicated development teams who continue improving and implementing new patches. Your employees should be well educated about the risks these downloads pose.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction – T1485 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: detection:Azov, malware-type:Wiper, Ukraine, Pirated software, detection:Smokeloader, malware-type:Loader
Unknown Nation-Based Threat Actor Using Android RAT to Target Indian Defence Personnel
(published: November 7, 2022)
Cyfirma researchers detected a state-sponsored campaign targeting Indian defense personnel. Since July 2021, the group has been using social engineering in the WhatsApp messenger conversations to deliver malicious APKs such as a variant of the Spymax remote access trojan. This Spymax variant is masquerading as a PDF application and has a highly obfuscated source code including class names obfuscation. It gets permissions to access camera, audio, internet, Wi-Fi, storage, and can determine user location.
Analyst Comment: Targeted industries such as defense should train their personnel to recognize targeted attacks via social media. Attackers abuse trust and curiosity to overcome hesitancy of opening a file sent by a stranger.
Tags: detection:Spymax, file-type:APK, Android, India, target-country:IN, target-industry:Defense
