Anomali Cyber Watch: Information-Stealing and Wiping Campaigns Target Ukraine, Electron Bot Is After Social Media Accounts, Attackers Poison Application and Library Repositories, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Iran, Russia, Spearphishing, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
(published: February 25, 2022)
Researchers at Unit 42 identified an attack targeting an energy organization in Ukraine. Ukrainian CERT has attributed this attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to organization employees containing a malicious JavaScript file that would download and install a downloader known as SaintBot and a document stealer called OutSteel. The actors leverage Discord’s content delivery network (CDN) to host their payload. The goal of this attack was data collection on government organizations and companies involved with critical infrastructure.
Analyst Comment: Administrators can block traffic to discordapp[.]com if their organization doesn’t have a current legitimate use of Discord. Implement attack surface reduction rules for Microsoft Office. Train users to recognize, safely process, and report potential spearphishing emails.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Modify Registry – T1112
Tags: Russia, Ukraine, OutSteel, SaintBot, UAC-0056, TA471, Lorec53, SaintBear, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
Disruptive HermeticWiper Attacks Targeting Ukrainian Organizations
(published: February 25, 2022)
Researchers at Secureworks have identified and investigated reports of Ukrainian government and financial organizations being impacted by distributed denial of service and wiper attacks. Between 15 and 23 February there was intermittent loss of access to a large number of government websites belonging to the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Security Service, Ministry of Internal Affairs, and Cabinet of Ministers, as well as to PrivatBank and Oschadbank. Along with this, the threat actors also targeted some government and financial organizations in Ukraine to deploy a novel wiper dubbed ‘HermeticWiper’, which abuses a legitimate, signed EaseUS partition management driver. In other attacks targeting Ukraine, researchers also observed 13 Ukrainian government websites defaced and Tor forums listing data on Ukrainian citizens for sale.
Analyst Comment: Organizations exposed to the war between Russia and Ukraine should be on high alert regarding the ongoing cyberattacks. Implement a defense-in-depth approach including patch management, anti-phishing training, disaster recovery plans, and backing up your information and systems.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction – T1485 | [MITRE ATT&CK] Impair Defenses – T1562
Tags: Ukraine, Russia, EaseUS, DarkSeoul, HermeticWiper, Wiper, Government, Banking And Finance, DDoS, FreeCivilian, Ukraine-Russia Conflict 2022, Operation Bleeding Bear
New Malware Capable of Controlling Social Media Accounts Infects 5,000+ Machines and is actively being Distributed via Gaming Applications on Microsoft’s Official Store
(published: February 24, 2022)
Check Point researchers detected a new malware, dubbed Electron Bot, that is actively being distributed through Microsoft’s official store and has infected over 5,000 active machines worldwide. Attackers upload malicious games to the legitimate Microsoft store under a popular game title and are able to generate a lot of fake reviews. They then use search engine optimisation (SEO) poisoning to trick users into believing it is a legitimate game from a well-known game publisher. This malware is mainly used for social media account takeover but is also capable of giving attackers full control of the victim’s machine. Most of the reported victims are from Sweden, Bulgaria, Russia, Bermuda, and Spain.
Analyst Comment: Avoid downloading applications with a small number of reviews and suspicious-looking names. It is always better to verify uploader details such as email addresses and contact details, and to check what other applications they host on the store. For companies which host apps on stores and are worried about misuse of their brand to carry out malicious activities against their customers, Anomali provides a Targeted Threat Monitoring service which can detect suspicious apps from 40+ stores worldwide.
MITRE ATT&CK: [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: Electron Bot, SEO poisoning
SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors
(published: February 24, 2022)
The Unit 42 research team has identified a custom backdoor dubbed SockDetour used by the China-based APT campaign TiltedTemple, which is known to be using the recently released Zoho (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077) vulnerabilities. SockDetour is filelessly loaded into legitimate service processes and uses those processes’ network sockets to establish its own encrypted C2 channel. Based on its compilation timestamp, SockDetour has likely been in the wild since July 2019 and most likely stayed undetected for a long time. Unit 42 has evidence that at least 4 US government defense contractors are targeted by the campaign, with at least one successful compromise.
Analyst Comment: In this case the malware potentially remained undetected for over 2.5 years. Anomali Match can quickly perform a retrospective lookup of all new indicators against up to 5 years of log data to detect such threats. It is also important to patch newly released RCE vulnerabilities as early as possible, as these are in many cases used to get an initial foothold inside the network.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection – T1055
Tags: APT, Backdoor, TiltedTemple, SockDetour, CVE-2021-28799, CVE-2021-40539, CVE-2021-44077
MuddyWater Analysis Report From CISA
(published: February 24, 2022)
A Malware Analysis Report produced by a joint effort between the FBI, CISA, CNMF, NSA, and NCSC-UK revealed details about 23 files linked to the MuddyWater group (Static Kitten). This Iranian state-sponsored advanced persistent threat (APT) group engages in cyberespionage, particularly against Africa, Asia, Europe, and North America, targeting various industries including defense, government and telecommunications. The analyzed files revealed a plethora of malware, consisting of 14 POWGOOP malware files, 2 JavaScript Powershell beacons, 1 Mori backdoor and 2 Excel files containing Canopy malware. This suite of malware allows for various tactics, including persistence, exfiltration, and C2 communication.
Analyst Comment: State-sponsored APT groups utilize sophisticated malware and multiple TTPs; therefore a defense-in-depth approach to security is recommended as the best defense. Collate all telemetry sources into your SIEM to identify potential malicious indicators of C2 traffic and initial compromise.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Hijack Execution Flow – T1574
Tags: POWGOOP, Static Kitten, MuddyWater, Mori, Canopy, Iran, Africa, Asia, Europe, North America, Defense, Government, Telecommunications
Malware Civil War – Malicious npm Packages Targeting Malware Authors
(published: February 23, 2022)
The JFrog Security research team has identified an interesting case of a supply chain attack where malware authors are targeting other, novice malware authors using malicious npm packages. Researchers identified 25 malicious packages, mainly with names typosquatting or masquerading as both commonly used packages like ‘colors’ and npm packages designed to hijack Discord tokens. Libraries that are already intended for malicious purposes are expected to contain obfuscated code, so novice malware authors are likely to overlook the obfuscation and become victims.
Analyst Comment: Even though in this particular case the victims were mostly other malware authors, masquerading attacks leveraging package repositories like npm are also targeting enterprise users in large numbers. Strict controls should be in place to allow only the installation of trusted and verified third-party libraries in your code, so that both the legal risk from licensing misuse and the security risk from malicious packages are kept in check.
MITRE ATT&CK: [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Obfuscated Files or Information – T1027
Tags: npm, Supply chain, Typosquatting, Masquerading
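As an added illustration of the allowlist control recommended above (example code written for this digest, not JFrog’s or Anomali’s tooling), the Python below audits a package-lock.json against a per-project allowlist and flags names within a small edit distance of popular packages such as ‘colors’. The allowlist, the popular-package list and the lockfile are constructed samples.

```python
"""Audit npm lockfile dependencies for typosquats and non-allowlisted packages."""
import json

# Constructed per-project allowlist of permitted direct and transitive dependencies.
ALLOWED = {"colors", "express", "lodash", "discord.js"}

# Constructed list of popular names that typosquatters imitate; a list keeps ordering stable.
POPULAR = ["colors", "express", "lodash", "discord.js", "request", "chalk"]

# Constructed lockfile (lockfileVersion 3 layout: a "packages" map keyed by install path).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/colors": {"version": "1.4.0"},
        "node_modules/colours": {"version": "1.0.3"},   # constructed lookalike name
        "node_modules/left-pad": {"version": "1.3.0"},  # not on the allowlist
    },
})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small distances between package names are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_dependencies(lock_json: str, allowed=ALLOWED, popular=POPULAR, max_dist=2):
    """Return (package, reason) findings for every dependency not on the allowlist."""
    findings = []
    for path in json.loads(lock_json).get("packages", {}):
        if not path.startswith("node_modules/"):
            continue  # the "" key is the root project itself
        name = path.rsplit("node_modules/", 1)[1]  # handles nested node_modules
        if name in allowed:
            continue
        lookalike = next((p for p in popular if 0 < levenshtein(name, p) <= max_dist), None)
        reason = f"possible typosquat of '{lookalike}'" if lookalike else "not on allowlist"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for pkg, why in audit_dependencies(SAMPLE_LOCK):
        print(f"{pkg}: {why}")
```

Run it in CI against the real lockfile and fail the build on any finding, so a lookalike such as the constructed ‘colours’ is caught before install.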
DeadBolt Ransomware Now Targets ASUSTOR Devices, Asks 50 BTC for Master Key
(published: February 23, 2022)
DeadBolt ransomware, infamous for targeting QNAP NAS devices in January 2022, has now switched its attack surface to ASUSTOR NAS devices. The ransom notes left on encrypted devices claim that a zero day exploit was used to gain access to the devices, though users suspect that a vulnerability in PLEX media server or EZ Connect is responsible. All encrypted files have the .deadbolt extension attached, with the ransom asking for 0.03 BTC ($1,150) for the encryption key. Additionally, the actors offer to sell information regarding the zero day exploit for 7.5 BTC ($290,000) and the master decryption key for 50 BTC ($1.9 million). Currently, reports indicate that models AS6602T, AS-6210T-4K, AS5304T, AS6102T, and AS5304T are not affected by DeadBolt.
Analyst Comment: Enforce a backup policy to ensure that you are able to recover files in the event of encryption. Quarantine all vulnerable devices from the internet to prevent infection if they are being actively targeted. Additionally, guidance has been released to help prevent DeadBolt infections. Change any default ports, particularly NAS web access ports 8000 and 8001, and remote access ports 80 and 443.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190
Tags: DeadBolt, Zero day, PLEX, EZ Connect, ASUSTOR, NAS, Cryptocurrency
Xenomorph Banking Trojan Downloaded Over 50,000 Times From Play Store
(published: February 22, 2022)
Researchers at MalwareBytes detected a new banking trojan they named Xenomorph, which is distributed on the Google Play Store under the name ‘Fast Cleaner’ with more than 50,000 installations. It is closely related to the Alien banking trojan and is primarily used to steal credentials, intercepting SMS messages and notifications to bypass 2FA. This trojan primarily targets banking apps from Spain, Portugal, Italy, and Belgium, along with some additional applications such as email services and crypto wallets.
Analyst Comment: Proper security controls need to be in place to monitor and block unwanted application downloads on enterprise mobile devices. Only the permissions an application actually needs should be granted to it. For companies which host applications and are wary of phishing attacks impersonating their legitimate applications, the Anomali Targeted Threat Monitoring service can help identify suspicious applications published in over 40 app stores worldwide and provide takedown steps to protect your customers.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Two-Factor Authentication Interception – T1111
Tags: Xenomorph, Banking Trojan, Europe, Google Play Store, Android
Devious Phishing Method Bypasses MFA Using Remote Access Software
(published: February 22, 2022)
Security researcher mr.d0x has publicized a phishing technique that allows adversaries to bypass multi-factor authentication (MFA) by secretly having victims log into their accounts directly on attacker-controlled servers using the VNC screen sharing system. First described in 2021 by security researchers from the University of Salento, who named it the ‘Browser-in-the-Middle (BitM) attack,’ this technique uses the noVNC program to connect to a VNC server directly from within a browser by simply clicking a link. The attacker’s VNC server is configured to run a browser in kiosk mode, which runs the browser in full-screen mode; when the victim clicks on a link they will simply see a login screen for the targeted email service and log in as normal. This technique bypasses MFA and defeats reverse-proxy or man-in-the-middle (MiTM) attack detections because the user enters the one-time passcode directly on the attacker’s server.
Analyst Comment: This is a clever technique for carrying out successful phishing despite MFA and reverse-proxy detection controls being in place. It highlights the importance of threat intelligence as a primary protection to block previously reported phishing domains and URLs. It is also important to properly train your employees against phishing.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Remote Services – T1021
Tags: Phishing, VNC, noVNC, MFA, MiTM
Observed Threats
Additional information regarding the threats discussed in this week’s Weekly Threat Briefing can be found below:
MuddyWater
Researchers from Palo Alto Networks and FireEye discovered the Advanced Persistent Threat (APT) group “MuddyWater” to have been active since at least February 2017. The group was initially dubbed “TEMP.Zagros” by FireEye and was suspected to be connected to the financially-motivated group “FIN7”; however, researchers determined this group was Iran-based with espionage as its main motivation.