Anomali Cyber Watch: Hospital Ransoms Pay for Attacks on Defense, Nodaria Got Upgraded Go-Based Infostealer, TA866 Moved Screenshot Functionality to Standalone Tool
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Infostealers, Malicious packages, Malicious redirects, North Korea, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities
(published: February 9, 2023)
The US and South Korea issued a joint advisory on ongoing, North Korea-sponsored ransomware activity against healthcare and other critical infrastructure. The proceeds are used to fund North Korea’s objectives, including further cyber attacks against the US and South Korean defense and defense industrial base sectors. For initial access, the attackers use a trojanized messenger (X-Popup) or various exploits, including those targeting Apache log4j2 and SonicWall appliances. Despite having two custom ransomware crypters, Maui and H0lyGh0st, the attackers can portray themselves as a different ransomware group (REvil) and/or use publicly available crypters, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom.
Analyst Comment: Organizations in the healthcare sector should consider following the Cross-Sector Cybersecurity Performance Goals developed by the U.S. Cybersecurity and Infrastructure Security Agency and the U.S. National Institute of Standards and Technology. Follow the principle of least privilege by using standard user accounts on internal systems instead of administrative accounts. Turn off weak or unnecessary network device management interfaces.
MITRE ATT&CK: T1583 – Acquire Infrastructure | T1583.003 – Acquire Infrastructure: Virtual Private Server | T1190 – Exploit Public-Facing Application | T1133 – External Remote Services | T1195 – Supply Chain Compromise | T1083 – File And Directory Discovery | T1021 – Remote Services | T1486 – Data Encrypted for Impact
Tags: malware-type:Ransomware, source-country:North Korea, source-country:DPRK, source-country:KP, target-industry:Healthcare, target-sector:Critical infrastructure, target-industry:Defense, target-industry:Defense Industrial Base, Log4Shell, SonicWall, CVE-2021-44228, CVE-2021-20038, CVE-2022-24990, X-Popup, malware:Maui, malware:H0lyGh0st, malware:BitLocker, malware:Deadbolt, malware:ech0raix, malware:GonnaCry, malware:Hidden Tear, malware:Jigsaw, malware:LockBit 2.0, malware:My Little Ransomware, malware:NxRansomware, malware:Ryuk, malware:YourRansom
Open-Source Repository Malware Sows Havoc
(published: February 9, 2023)
In February 2023, ReversingLabs researchers detected a new supply-chain campaign dubbed Aabquerys. A small number of malicious npm packages were testing and using typosquatted package names (such as “aabquerys” instead of the legitimate “aabquery” package). These malicious packages were obfuscated using the JavaScript obfuscator. The infection chain included at least three levels: a typosquatted website prompting the user to download a trojan, which in turn side-loaded a malicious DLL, ending with the download and execution of a remote access trojan generated with the Havoc command-and-control framework.
Analyst Comment: The npm repository has removed these malicious packages, but it is difficult to prevent threat actors from adding new ones. Developers should monitor for the presence of obfuscated code and the use of known vulnerable components in the code they are incorporating into their projects. Pay attention to external communication and the correct spelling of package names and websites.
MITRE ATT&CK: T1195.001 – Supply Chain Compromise: Compromise Software Dependencies And Development Tools | T1574.002 – Hijack Execution Flow: DLL Side-Loading | T1204 – User Execution | T1071.001 – Application Layer Protocol: Web Protocols | T1027 – Obfuscated Files Or Information
Tags: campaign:Aabquerys, npm package, Typosquatting, Open-source, Javascript obfuscator, file-type:JS, file-type:EXE, InnoSetup, DLL side-loading, file-type:BIN, malware-type:RAT, malware:Havoc, malware-type:C2 framework, actor:C5pider, Windows
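The advice above to check the spelling of package names can be automated. The following Node.js sketch is an added example, not code from ReversingLabs or Anomali: it flags dependencies whose names are within one edit of a name on a list of vetted packages. The manifest and the "example-lib" names are constructed; only "aabquery" and "aabquerys" come from the story.

```javascript
'use strict';

// Optimal string alignment distance: insert, delete, substitute, adjacent swap.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Compare case-insensitively and without separators ("aab-query" ~ "aabquery").
const normalize = (name) => name.toLowerCase().replace(/[-_.]/g, '');

// Report every dependency that is not a vetted name but sits close to one.
function findTyposquatCandidates(manifest, trusted, maxDistance = 1) {
  const trustedSet = new Set(trusted);
  const deps = { ...manifest.dependencies, ...manifest.devDependencies };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (trustedSet.has(name)) continue; // exact match with a vetted package
    for (const good of trusted) {
      const distance = osaDistance(normalize(name), normalize(good));
      if (distance <= maxDistance) findings.push({ name, resembles: good, distance });
    }
  }
  return findings;
}

// Constructed package.json content for the demonstration.
const sampleManifest = {
  dependencies: { aabquerys: '^1.0.0', 'example-lib': '^2.1.0' },
  devDependencies: { 'exmaple-lib': '^2.1.0', 'unrelated-tool': '^0.3.0' },
};
const trustedNames = ['aabquery', 'example-lib'];

console.log(findTyposquatCandidates(sampleManifest, trustedNames));
```

A finding is a prompt for manual review, since a short legitimate name can sit one edit away from another legitimate name.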
NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool
(published: February 9, 2023)
NewsPenguin, a previously unknown, state-sponsored group without clear attribution, targeted government, defense, and maritime sectors in Pakistan. In June and October 2022, the group registered Windows Update typosquatting domains that were later used in the attack. NewsPenguin used spearphishing attachments purporting to be an exhibitor manual for the February 2023 Pakistan International Maritime Expo & Conference, which is organized by the Pakistan Navy and the Ministry of Maritime Affairs. The maldoc employs remote template injection, asks the user to enable content, and executes a Visual Basic for Applications macro. The final payload is a Win32 executable with no name, dubbed Updates.exe. This agent is designed to discover and exfiltrate any file, and to download additional malware. It has multiple anti-sandbox checks: using GetTickCount, checking the hard drive size, requiring more than 10GB of RAM, and sleeping for 5 minutes between commands.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target. Education is the best defense; employees should also be aware of whom to contact when they suspect they are the target of a possible spearphishing attack. If an unknown document prompts users to “Enable Editing”, they should be advised against doing so unilaterally.
MITRE ATT&CK: T1566.001 – Phishing: Spearphishing Attachment | T1204.002 – User Execution: Malicious File | T1059.005 – Command and Scripting Interpreter: Visual Basic | T1059.003 – Command and Scripting Interpreter: Windows Command Shell | T1203 – Exploitation For Client Execution | T1047 – Windows Management Instrumentation | T1059.001 – PowerShell | T1559.001 – Inter-Process Communication: Component Object Model | T1055 – Process Injection | T1055.002 – Process Injection: Portable Executable Injection | T1480 – Execution Guardrails | T1221 – Template Injection | T1027 – Obfuscated Files Or Information | T1140 – Deobfuscate/Decode Files Or Information | T1070.004 – Indicator Removal on Host: File Deletion | T1564.001 – Hidden Files and Directories | T1112 – Modify Registry | T1036.005 – Masquerading: Match Legitimate Name Or Location | T1105 – Ingress Tool Transfer | T1071.001 – Application Layer Protocol: Web Protocols | T1132.001 – Data Encoding: Standard Encoding | T1573.001 – Encrypted Channel: Symmetric Cryptography | T1041 – Exfiltration Over C2 Channel | T1029 – Scheduled Transfer | T1083 – File And Directory Discovery | T1057 – Process Discovery | T1082 – System Information Discovery | T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion
Tags: actor:NewsPenguin, target-country:Pakistan, target-country:PK, PIMEC-23, VBA, Macros, DDNS, target-industry:Maritime, target-industry:Government, target-industry:Defense, file-type:RTF, file-type:BAT, file-type:DOTX, file-type:WSF, file-type:CRT, file-type:EXE, file-type:DLL, malware:Updates.exe, Windows
Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign
(published: February 9, 2023)
A new wave of Google AdSense fraud has already abused over 2,600 compromised WordPress websites in 2023. The attackers were observed using over 70 new malicious domains masquerading as URL shorteners, some of them typosquatting reputable ones like Bitly (for example, bitly[.]best, b-i-t-l-y[.]co, and bit-ly[.]mobi). To make the traffic appear legitimate, they additionally redirect it through Google or Bing search results URLs, or through Twitter short URLs.
Analyst Comment: WordPress site administrators should keep their installations up-to-date, along with any additional plug-ins. Secure your wp-admin panels with 2FA or other access restrictions.
MITRE ATT&CK: T1027 – Obfuscated Files Or Information | T1140 – Deobfuscate/Decode Files Or Information
Tags: Google AdSense, AdSense Fraud, Compromised websites, Typosquatting, Malicious redirect, Pseudo-short URL domain, DDoS-Guard, WordPress
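The three lookalike names quoted above share one pattern: the Bitly brand, optionally padded with hyphens, under a domain that Bitly does not use. The sketch below is an added example, not part of the original report, and checks URLs or hostnames taken from proxy or DNS logs for that pattern. The list of genuine Bitly hosts and the sample entries are assumptions constructed for the demonstration, apart from the three defanged domains from the story.

```javascript
'use strict';

// Brand label -> genuine hosts (assumed list; extend for shorteners you rely on).
const SHORTENERS = { bitly: ['bit.ly', 'bitly.com'] };

// Undo defanging such as "bitly[.]best" or "hxxp://" used when sharing IOCs.
const refang = (s) => s.replace(/\[\.\]/g, '.').replace(/^hxxp/i, 'http');

function hostOf(entry) {
  const value = refang(entry.trim());
  return new URL(value.includes('://') ? value : `http://${value}`).hostname.toLowerCase();
}

// Returns the imitated brand, or null when the host is genuine or unrelated.
function impersonatedShortener(host) {
  const labels = host.split('.').slice(0, -1); // every label except the TLD
  for (const [brand, genuine] of Object.entries(SHORTENERS)) {
    if (genuine.some((g) => host === g || host.endsWith(`.${g}`))) return null;
    // Hyphens pad the reported lookalikes, so strip them before comparing.
    if (labels.some((label) => label.replace(/-/g, '') === brand)) return brand;
  }
  return null;
}

function scanForShortenerLookalikes(entries) {
  const findings = [];
  for (const entry of entries) {
    let host;
    try { host = hostOf(entry); } catch { continue; } // skip unparsable entries
    const brand = impersonatedShortener(host);
    if (brand) findings.push({ entry, host, brand });
  }
  return findings;
}

// Constructed log extract: three defanged names from the story, three benign URLs.
const sampleEntries = [
  'bitly[.]best', 'b-i-t-l-y[.]co', 'bit-ly[.]mobi',
  'https://bit.ly/3xyz', 'https://bitly.com/pages/pricing', 'https://example.org/bitly',
];

console.log(scanForShortenerLookalikes(sampleEntries));
```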
Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine
(published: February 8, 2023)
From October 2022 and into 2023, a new information-stealing malware dubbed Graphiron has been used by the Russia-sponsored Nodaria (UAC-0056) group against targets in Ukraine. Similar to previous infostealers used by Nodaria, Graphiron is written in Go, uses PowerShell to steal credentials, and communicates via an AES-encrypted channel using port 443. At the same time, with Graphiron the attackers added obfuscation and exfiltration functionality for screenshots and SSH keys.
Analyst Comment: Network and host-based indicators associated with Graphiron and its downloader are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: T1622 – Debugger Evasion | T1105 – Ingress Tool Transfer | T1140 – Deobfuscate/Decode Files Or Information | T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1573.001 – Encrypted Channel: Symmetric Cryptography
Tags: malware:Graphiron, malware-type:Infostealer, detection:Infostealer.Graphiron, detection:Downloader.Graphiron, malware-type:Downloader, actor:Nodaria, actor:UAC-0056, source-country:Russia, source-country:RU, target-country:Ukraine, target-country:UA, Cyberespionage, Golang, file-type:EXE, PowerShell, port:443, AES, Windows
Screentime: Sometimes It Feels Like Somebody’s Watching Me
(published: February 8, 2023)
From October 2022 to January 2023, a newly identified threat group dubbed TA866 targeted a wide variety of mostly US companies. The group’s recent activity seems financially motivated, but its earlier attacks going back to 2019 were focused on cyberespionage. The attack chain starts with a phishing email. It utilizes user agent profiling via a third-party traffic distribution system (404 TDS) and the group’s own domains. The target (email recipient) is presented with a Publisher (.PUB) file with macros or a malicious JavaScript file. A malicious MSI package with the WasabiSeed installer inside it is then downloaded. WasabiSeed then downloads secondary MSI files, one of which is the custom Screenshotter screenshotting tool. Post-exploitation payloads involve the custom AHK Bot and the public Rhadamanthys Stealer. In 2019-2020, versions of AHK Bot included screenshotting and infostealing modules, but TA866 has since moved to standalone tools.
Analyst Comment: Phishing education training should bring awareness that attackers may utilize stolen email chains. Consider blocking macros from running in files downloaded from the Internet. A defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various techniques of defense evasion.
MITRE ATT&CK: T1566.001 – Phishing: Spearphishing Attachment | T1566.002 – Phishing: Spearphishing Link | T1204 – User Execution | T1027 – Obfuscated Files Or Information | T1547.009 – Boot or Logon Autostart Execution: Shortcut Modification | T1105 – Ingress Tool Transfer | T1113 – Screen Capture | T1071.001 – Application Layer Protocol: Web Protocols | T1555.003 – Credentials from Password Stores: Credentials From Web Browsers | T1539 – Steal Web Session Cookie | T1005 – Data from Local System
Tags: malware:Screentime, malware:WasabiSeed, malware-type:Downloader, malware:AHK Bot, malware:Rhadamanthys, malware-type:Infostealer, actor:TA866, 404 TDS, JavaScript, file-type:JS, file-type:VBS, file-type:LNK, file-type:PDF, file-type:PUB, Macros, Thread hijacking, Google Ads, JavaScript, AutoHotKey, Python, AutoIT, IrfanView, file-type:MSI, file-type:EXE, file-type:DLL, Active Directory, target-country:United States, target-country:US, target-country:Germany, target-country:DE, Windows