Anomali Cyber Watch: EvilPlayout: Attack Against Iran’s State Broadcaster, Microsoft Teams Targeted With Takeover Trojans, ‘Ice phishing’ on the blockchain and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Emotet, Ice Phishing, Iran, Trickbot and Zoho. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
EvilPlayout: Attack Against Iran’s State Broadcaster
(published: February 18, 2022)
Checkpoint Researchers have released an article detailing their findings regarding a wave of cyber attacks directed at Iranian broadcast infrastructure during late January 2022. IRIB, an Iranian state broadcaster, was compromised, with malicious executables and wipers being responsible for the attack. Said malware had multiple functions, including hijacking of several tv stations to play recordings of political opposition leaders demanding the assassination of Iran’s supreme leader. Additional functionality includes custom backdoors, screenshot capability and several bash scripts to download other malicious executables. The malware appears new, with no previous appearances, nor has there been any actor attribution as of the date of publication.
Analyst Comment: Utilize all telemetry and feed it into a SIEM to help identify malicious activity within your network. Anomali Match can collide this telemetry against global intelligence to assist in identifying malicious indicators within your network. A defense in depth approach will also mitigate the damage any compromises can do to your infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Screen Capture – T1113
Tags: Iran, IRIB, Ava, Telewebion
Microsoft Teams Targeted With Takeover Trojans
(published: February 17, 2022)
Researchers at Avanan have documented a new phishing technique that threat actors are using that abuses the trust users of Microsoft Teams have for the platform to deliver malware. Threat Actors send phishing links to victims which initiate a chat on the platform, after which they will post a link to a dll file within the chat box. When clicked, it will install a trojan of choice on the target machine. With over 279 million users, this presents a new attack vector for threat actors to abuse.
Analyst Comment: Never click on a link or open attachments from untrusted senders when receiving email. Be skeptical of strangers attempting to move conversation to another platform, even if you use that platform. Be wary of links posted in apps that are used for communication, as links that are posted on trusted platforms are not trustworthy themselves.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Trusted Relationship – T1199
Tags: Microsoft Teams, trojan, phishing
Red Cross: State Hackers Breached our Network Using Zoho bug
(published: February 16, 2022)
The International Committee of the Red Cross (ICRC) suffered a data breach during January 2022. The incident led to the exfiltration of over 515,000 individual’s PII, linked to their Restoring Family Links program. The ICRC revealed that the attackers were utilizing code specifically targeting their systems, with their MAC addresses being used for exploitation. Furthermore, they note that the TTPs used indicate an APT group was responsible for the incident, though there has been no attribution yet. ICRC revealed that it was the exploitation of the critical vulnerability Zoho, tracked as CVE-2021-40539, which allowed the threat actors access to their systems for 70 days before discovery.
Analyst Comment: Create and follow the procedures of a patch management policy to ensure that critical vulnerabilities are patched in a timely manner. Threat actors will often exploit patched vulnerabilities as proof of exploit code is often made available for such vulnerabilities. Anomali Match can assist in detecting malicious activity within your network by correlating your logs against global telemetry of iocs.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041
Tags: data breach, ICRC, CVE-2021-40539, Zoho
A Modern Ninja: Evasive Trickbot Attacks Customers of 60 High-Profile Companies
(published: February 16, 2022)
Checkpoint researchers have documented the functionality of Trickbot, as well as compiled a heatmap of the companies per country most targeted by the malware. Trickbot is incredibly popular due to it’s modular nature, with over 20 modules that permits a variety of attacks. Since October 2020, the injectDll module, which injects malicious code into web browsers to steal banking and credential data, similar to Zeus malware, has been used frequently. Furthermore, Trickbot possesses a variety of anti-analysis techniques, many of which are incredibly sophisticated at a low level. This increased obfuscation makes it popular with threat actors wishing to hide their actions for an extended period of time.
Analyst Comment: 2 Factor authentication should be used to protect credentials that are associated with financial information. Monitor all outbound communications to identify potential C2 activity, as banking trojans such as Trickbot receive instructions and exfiltrate data over C2 channels. Anomali Match XDR can help with instant retrospective lookup for all known IOCs associated with Trickbot.
MITRE ATT&CK: [MITRE ATT&CK] Data Obfuscation – T1001 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Process Injection – T1055
Tags: Trickbot, Zeus, Banking, Crypto, North America
New Phishing Campaign Targets Monzo Online-banking Customers
(published: February 16, 2022)
A phishing campaign has been observed by a researcher named BushidoToken targeting users of the Monzo online banking platform. Phishing SMS messages are sent, informing that a session has expired or a logon attempt has been detected, and that users must click the link to resolve these issues. Clicking the link leads to one many fake domains created with the Cazanova Morphine kit, which request users to input their email address and account details, followed by their Monzo pin, full name and phone number. These details can be used to compromise the user’s email account, where the threat actor can then access the “golden link”, a link that is sent to a user’s email that allows access to their bank account.
Analyst Comment: Invest in education about phishing attacks, as education is the best defense against them. Be wary of emails or messages from unknown senders that have links or attachments, or pressure/attempts to scare users into action. For well known services, such as online banking, they will never request sensitive details to be inputted online. Check with their official policies on such matters; Monzo have released statements reaffirming their position on phishing.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566
Tags: Monzo, phishing, Banking And Finance, Cazanova Morphine kit
‘Ice Phishing’ on the Blockchain
(published: February 16, 2022)
Microsoft Defender Researchers have documented an attack dubbed the Badger DAO attack, which stole 121 million US dollars of cryptocurrency. The attack utilized a new form of phishing named ‘ice phishing’, where a user is tricked into giving approval for their tokens to be used in a transaction, as opposed to stealing the private key. The Badger attack timeline begins December 2021 with the compromise of the Badger smart contract infrastructure, achieved through gaining access to the Cloudflare API key. This allowed for the injection of malicious code, which requested users to sign off on ERC-20 transaction approvals. Once permission was granted, funds were drained to an anonymous crypto wallet.
Analyst Comment: Carefully review any smart contracts before you sign off permission, in particular verify the address of the transaction and ensure it’s integrity. Consider swapping crypto wallet addresses frequently or revoking token allowances to prevent their abuse and potential exploitation.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Trusted Relationship – T1199
Tags: phishing, ice phishing, cryptocurrency, Badger DAO, blockchain, smart contracts, ErC-20
New Emotet Infection Method
(published: February 15, 2022)
Emotet is a high-volume malware that often modifies its attack patterns in an attempt to avoid detection. In December 2021, it was seen spreading via emails with links to install a fake Adobe Windows App Installer Package. Starting on December 21, 2021 and onto the year 2022, Emotet started utilizing malicious Excel documents attached to an email directly or in a password-protected zip archive. The document contains an obfuscated Excel 4.0 macro. When activated, it executes cmd.exe to run mshta.exe to download and executes an HTML application. This obfuscated application downloads an obfuscated PowerShell script connecting to a remote PNG file. It returns a text-based script for a second-stage set of PowerShell code that goes through 14 URLs until the Emotet binary is successfully downloaded.
Analyst Comment: Anti-phishing training should include awareness for email thread hijacking often utilized by Emotet. Block macros from running in Office files from the Internet. Block Office applications from creating executable content and from injecting code into other processes.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Email Collection – T1114 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: WildFire, Emotet, Banking And Finance
Charting TA2541’s Flight
(published: February 15, 2022)
Proofpoint researchers have documented a phishing campaign starting in 2017 by a threat actor dubbed TA2541. The group utilizes phishing attacks that target the aviation industry, with emails mentioning topics such as fuel, plane parts and transportation. These phishing emails contain links to google drive where a malicious Visual Basic file is stored. Once executed, these files run powershell commands that inject into RegScvs.exe, allowing the actor to disable Windows Antimalware Scan Interface (AMSI). With defenses compromised, the powershell command then connects to the actor’s C2 infrastructure to install Remote Access Trojans (RATs). Over the years, TA2541 has used numerous RATs including StrRAT and Revenge RAT, however, the current choice is AsyncRAT, which was used throughout 2021 and January 2022.
Analyst Comment: Training your employees is the best defense against phishing attacks. Never click links or open attachments from untrusted emails, and report any suspicious emails to the proper authority within the company. Anomali Match can assist in matching multiple log sources and correlating it against global intelligence to identify any iocs related to RATs within your organization.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Remote Access Tools – T1219 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Scheduled Task – T1053
Tags: TA2541, Phishing, AsyncRAT, Revenge RAT, StrRAT, Aviation
FBI: BlackByte Ransomware Breached US Critical Infrastructure
(published: February 14, 2022)
The FBI has released a statement documenting the fact that the BlackByte ransomware gang has compromised 3 critical infrastructure organizations during the period from November 2021 to February 2022. Additionally the ransomware-as-a-service has breached the NFL San Francisco 49ers football blog, exfiltrating 300MB of data and encrypting the system. The FBI notes that the ransomware has undergone some improvements, with the latest versions of BlackByte no longer requiring C2 communication during encryption.
Analyst Comment: Enforce a strong backup policy to ensure that files can be recovered in the event of encryption. Consider segmenting your network to prevent lateral movement that would spread the infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol – T1048 | [MITRE ATT&CK] Defacement – T1491
Tags: BlackByte, ransomware, raas, USA
Wazawaka Goes Waka Waka
(published: February 14, 2022)
Researchers at Krebsonsecurity have published a detailed analysis on Mikhail Pavlovich Matveev, an experienced ransomware threat actor from Abakan, Russia, who is known under underground aliases Wazawaka, Orange, and Boriselcin. Matveev was representing the Babuk ransomware affiliate program on hacker forums, he worked with LockBit and DarkSide affiliate programs, and founded ransomware-focused Dark Web forum RAMP. Wazawaka seems to be publishing any stolen data on Russian cybercrime forums if the victim organization fails to pay ransom.
Analyst Comment: Cybercriminals often find a safe haven in Russia, getting full protection from a possible arrest, or being formally arrested only for a short period of time.. Threat actors will often use vulnerabilities that have already been issued patches because information and proof-of-concept code of an exploit sometimes become available on public sources once a patch has been issued. Your company should have policies in place in regards to maintaining server software in such a way that new security updates are applied as soon as possible.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: Boriselcin, arestedByFbi, Orange, futurama, posholnarabotu, popalvprosak, gotowork, boriselcin, Alfredpetr, Uhodiransomwar, Biba99, mrbotnet, ebanatv2, m0sad, Ment0s, uhodiransomwar, donaldo, m1x, TetyaSluha, Wazawaka, ment0s, andry1976, Mixalen, LockBit, photo, DarkSide, Babuk, Maze Ransomware, CVE-2021-20028, North America, Russia
Observed Threats
Additional information regarding the threats discussed in this week’s Weekly Threat Briefing can be found below:
Mummy Spider
Mummy Spider is a cybercrime actor that was first identified by the security community in June 2014.1 Mummy Spider is associated with Emotet malware that they used initially as a banking trojan, but has been updated over time to function as a modular downloader. Mummy Spider operates Emotet as-a-service and it was used to delivers multiple malwares such as Cobalt Strike, IcedID, Gootkit, Trickbot among others.2 Mummy Spider targets all industries and on a global scale by distributing the Emotet trojan via wide-scale malspam campaigns with malicious attachments or hyperlinks embedded in email messages.3
Wizard Spider
Wizard Spider is a financially-motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of Trickbot, Conti, Diavol, and Ryuk malware families.1 Wizard Spider targets large organizations for a high-ransom return. This is a technique known as big game hunting (or BGH).2 Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personal Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing an increase in use.3 Known associated groups are: Grim Spider – A group that has been operating Ryuk ransomware since August 2018; reported to be a cell of Wizard Spider, and Lunar Spider – This threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID). Main activities involve data theft and wire fraud.
CVE-2021-40539
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.