Anomali Cyber Watch: Fractureiser Attempted Clipboard-Poisoning VM Escape, Asylum Ambuscade Spies as a Side Job, Stealth Soldier Connected with The Eye on The Nile Campaign, and More.

Trending Cyber News and Threat Intelligence

It’s Time to Patch Your MOVEit Transfer Solution Again!

(published: June 12, 2023)

On June 9, 2023, Progress Software uncovered additional SQL injection vulnerabilities that could potentially be used by unauthenticated attackers to grab data from the MOVEit Transfer database. The company released patches/fixed versions and deployed a new patch to all MOVEit Cloud clusters to address the new vulnerabilities. The Cl0p cyber extortion gang has been actively exploiting another recently-disclosed MOVEit Transfer vulnerability (CVE-2023-34362) and has targeted a variety of organizations from small businesses to big enterprises in a variety of sectors across the world. Aer Lingus, the BBC, Boots, British Airways, the government of Nova Scotia province (Canada), and Zellis are among the victim organizations. Kroll researchers have found evidence of similar activity occurring in April 2022 and July 2021, indicating that the attackers were testing access to organizations and grabbing information from the MOVEit Transfer servers to identify which organization they were accessing.
Analyst Comment: MOVEit Transfer 2020.0.x (12.0) or older must be upgraded to a supported version, for newer versions apply the security patches available from Progress Software since June 10, 2023 (Link). Organizations should seek confirmations from their suppliers, especially those handling data on their behalf, whether they utilize MOVEit in their services, and confirm any compromises and are up to date with recommended mitigation and patches.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1560.001 – Archive Collected Data: Archive Via Utility
Tags: target-software:MOVEit Transfer, vulnerability:CVE-2023-34362, target-country:Canada, target-country:US, actor:Cl0p, technique:SQL injection, threat-type:Data leak, threat-type:Extortion, target-country:UK, target-country:Canada, target-system:Windows

Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware

(published: June 9, 2023)

A new four-stage infostealer malware dubbed Fractureiser has been identified in several Minecraft mods and plugins hosted on the CurseForge and Bukkit modding communities. Since April 2023, the malware has been spreading through malicious updates from compromised accounts and has been downloaded several million times. Fractureiser has been targeting both Windows and Linux systems predominantly located in the US. Its final stage was observed attempting sandbox escape through constant clipboard poisoning in Windows Sandbox instances that are often used for testing mods. Fractureiser steals cookies and login data from browsers, steals Minecraft and Discord authentication tokens, and swaps crypto-currency wallet addresses.
Analyst Comment: When a malware manipulates data and changes payment details in the clipboard or messages, it is crucial to detect and prevent the possible losses via payment information double-checking (including via alternative channels such as phone calls). All known Fractureiser indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1195 – Supply Chain Compromise | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] T1565 – Data Manipulation | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials From Web Browsers | [MITRE ATT&CK] T1539 – Steal Web Session Cookie | [MITRE ATT&CK] T1553.006 – Subvert Trust Controls: Code Signing Policy Modification
Tags: malware:Fractureiser, malware-type:Infostealer, detection:Trojan.Java.Fractureiser, target-identity:Minecraft user, technique:Supply chain compromise, technique:Sandbox escape, target-country:US, file-type:DLL, file-type:EXE, file-type:JAR, target-system:Linux, target-system:Windows

Asylum Ambuscade: Crimeware or Cyberespionage?

(published: June 8, 2023)

Asylum Ambuscade is a cybercrime group that has targeted all the inhabited continents and has been performing both cybercrime and cyberespionage operations since at least 2020. Its cybercrime operations typically start with a malicious redirect triggered either by a malicious Google Ad or through a specific traffic direction system dubbed 404 TDS. The most targeted regions were North America (the US followed by Canada) and Europe (especially Germany) – cryptocurrency traders, individuals and various small and medium businesses. Asylum Ambuscade cyberespionage operations have been targeting government entities in Europe and Central Asia with malicious spearphishing attachments. The following infection steps are similar for both kinds of campaigns: an MSI package installing a first-stage downloader (SunSeed) , followed by a second-stage downloader (AHKBOT, NODEBOT) and various downloaded plugins for screenshotting, password-stealing, and other activities. To avoid detection, the group rewrites its plugins and downloaders in different languages: AutoHotkey, JavaScript, Lua, Python, Tcl, and VBS.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macroses. It is important to teach your users basic online hygiene and awareness regarding phishing attachments and malicious Google Ads. Indicators associated with recent (2022-Q1 2023) Asylum Ambuscade campaigns are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1583.003 – Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] Resource Development – Develop Capabilities: Malware [T1587.001] | [MITRE ATT&CK] T1189: Drive-by Compromise | [MITRE ATT&CK] T1566.001 – Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1059.005 – Command and Scripting Interpreter: Visual Basic | [MITRE ATT&CK] T1059.006 – Command and Scripting Interpreter: Python | [MITRE ATT&CK] T1059.007 – Command and Scripting Interpreter: Javascript | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique — T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials From Web Browsers | [MITRE ATT&CK] T1087.002 – Account Discovery: Domain Account | [MITRE ATT&CK] T1010 – Application Window Discovery | [MITRE ATT&CK] T1482 – Domain Trust Discovery | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1518.001 – Software Discovery: Security Software Discovery | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1016 – System Network Configuration Discovery | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1115 – Clipboard Data | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1041 – Exfiltration Over C2 Channel
Tags: actor:Asylum Ambuscade, malware:AHKBOT, malware:NODEBOT, malware-type:Downloader, malware-type:Infostealer, malware:SunSeed, malware:Cobalt Strike, malware-type:RAT, target-region:North America, target-region:Europe, target-region:Central Asia, target-country:Armenia, target-country:Canada, target-country:Germany, target-country:US, abused:Remote Utilities, abused:hVNC, abused:Google Ad, technique:TDS, abused:AutoHotkey, abused:JavaScript, abused:Lua, abused:Python, abused:Tcl, abused:VBS, vulnerability:Follina, vulnerability:CVE-2022-30190, file-type:AHK, file-type:DLL, file-type:DOC, file-type:EXE, file-type:Excel, file-type:MSI, file-type:JS, target-system:Windows

Stealth Soldier Backdoor Used in Targeted Espionage Attacks in North Africa

(published: June 8, 2023)

Check Point researchers have identified an ongoing espionage operation against targets in North Africa involving a previously-undisclosed, modular backdoor called Stealth Soldier. The malware is likely delivered using social engineering and its infection chain includes downloading six additional files. Stealth Soldier regularly checks for updates and supports functionality such as keystroke logging, screenshot and microphone recordings, and file exfiltration. Its versions were observed from October 2020 to February 2023 likely targeting government entities in Libya. Its hosting infrastructure and domain naming convention overlaps with the The Eye on the Nile campaign against Egyptian civilian society in 2019.
Analyst Comment: Stealth Soldier tend to re-use previously-detected infrastructure, use hard-coded XOR keys, and specific HTTP POST headers. Network defenders should train their users to recognize social engineering such as spear phishing. All known Stealth Soldier indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Defense Evasion – Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] Discovery – File and Directory Discovery [T1083] | [MITRE ATT&CK] T1005: Data from Local System | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials From Web Browsers | [MITRE ATT&CK] T1112: Modify Registry
Tags: malware:Stealth Soldier, malware-type:Backdoor, detection:Trojan.Wins.StealthSoldier, detection:Backdoor.WIN32.StealthSoldier, malware-type:Downloader, malware-type:Loader, target-country:Libya, target-region:North Africa, abused:.NET, abused:PowerShell, file-type:EXE, file-type:TXT, target-system:Windows

Impulse Team’s Massive Years-Long Mostly-Undetected Cryptocurrency Scam

(published: June 6, 2023)

A Russian-speaking threat actor named Impulse Team has been running a massive, affiliate cryptocurrency scam campaign since at least January 2021, possibly going back to 2016. Trend Macro researchers identified more than a thousand websites handled by different affiliates who are being paid a percentage through a program called Impulse Project. The scam works via an advanced fee fraud that involves tricking victims into believing that they have won a certain amount of cryptocurrency and need to pay a smaller fee to open an account on the website. Different affiliates used different domain registration methods and different social engineering delivery methods that included Twitter and Mastodon personal messages, and TikTok videos and ads.
Analyst Comment: Users should avoid clicking on suspicious ads and links, especially if they are being sent directly through private messages and social media. Investigate the advertised company and be skeptical of too-good-to-be-true opportunities. All known domains associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
Tags: actor:Impulse Team, affiliate-program:Impulse Project, target-industry:Cryptocurrency, abused:Twitter, abused:Mastodon, abused:TikTok, threat-type:Scam, threat-type:Fraud, technique:Advanced fee fraud