Anomali Cyber Watch: KilllSomeOne Folders Invisible in Windows, Everything APIs Abuse Speeds Up Ransomware, APT38 Experiments with Delivery Vectors and Backdoors
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cryptocurrency, Data leak, Iran, North Korea, Phishing, Ransomware, and USB malware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Chinese PlugX Malware Hidden in Your USB Devices?
(published: January 26, 2023)
Palo Alto researchers analyzed a PlugX malware variant (KilllSomeOne) that spreads via USB devices such as floppy, thumb, or flash drives. The variant is used by a technically-skilled group, possibly by the Black Basta ransomware. The actors use special shortcuts, folder icons and settings to make folders impersonating disks and a recycle bin directory. They also name certain folders with the 00A0 (no-break space) Unicode character thus hindering Windows Explorer and the command shell from displaying the folder and all the files inside it.
Analyst Comment: Several behavior detections could be used to spot similar PlugX malware variants: DLL side loading, adding registry persistence, and payload execution with rundll32.exe. Incidents responders can check USB devices for the presence of no-break space as a folder name.
MITRE ATT&CK: [MITRE ATT&CK] T1091 – Replication Through Removable Media | [MITRE ATT&CK] T1559.001 – Inter-Process Communication: Component Object Model | [MITRE ATT&CK] T1547.009 – Boot or Logon Autostart Execution: Shortcut Modification | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1105 – Ingress Tool Transfer
Tags: detection:PlugX, detection:KilllSomeOne, USB, No-break space, file-type:DAT, file-type:EXE, file-type:DLL, actor:Black Basta, Windows
Abraham’s Ax Likely Linked to Moses Staff
(published: January 26, 2023)
Cobalt Sapling is an Iran-based threat actor active in hacking, leaking, and sabotage since at least November 2020. Since October 2021, Cobalt Sapling has been operating under a persona called Moses Staff to leak data from Israeli businesses and government entities. In November 2022, an additional fake identity was created, Abraham’s Ax, to target government ministries in Saudi Arabia. Cobalt Sapling uses their custom PyDCrypt loader, the StrifeWater remote access trojan, and the DCSrv wiper styled as ransomware.
Analyst Comment: A defense-in-depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical systems should be segregated from each other to minimize potential damage, with any attack surface closely monitored for malicious activity. A strong and enforced backup policy will assist in a fast recovery of compromised systems.
MITRE ATT&CK: [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1583.001 – Acquire Infrastructure: Domains
Tags: actor:Cobalt Sapling, actor:Abraham’s Ax, actor:Moses Staff, Iran, source-country:IR, Israel, target-country:IL, Saudi Arabia, target-country:SA, detection:StrifeWater, malware-type:RAT, detection:PyDCrypt, malware-type:Loader, detection:DCSrv, malware-type:Wiper, detection:DiskCryptor, malware-type:Crypter, detection:DriveGuard, file-type:EXE, target-industry:Government, target-industry:Signal intelligence, Data leak site, Windows
New Mimic Ransomware Abuses Everything APIs for its Encryption Process
(published: January 26, 2023)
New Mimic ransomware has been active since June 2022. At least some of its functions have significant code similarity to the Conti ransomware source code leaked in March 2022. Mimic is unique in a way that it uses Everything32.dll, a legitimate Windows filename search engine. It uses the Everything_SetSearchW function to search for files to be encrypted (and to retrieve the file’s path) or avoided.
Analyst Comment: Multi-threading and abusing Everything’s APIs optimises Mimic for fast encryption. Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allows recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.
MITRE ATT&CK: [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1490: Inhibit System Recovery | [MITRE ATT&CK] T1489 – Service Stop | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1548.002: Bypass User Access Control | [MITRE ATT&CK] T1070 – Indicator Removal On Host
Tags: detection:Ransom.Win32.MIMIC, malware-type:Ransomware, Everything API, file-type:EXE, file-type:DLL, file-type:QUIETPLACE, Windows
TA444: The APT Startup Aimed at Acquisition (of Your Funds)
(published: January 25, 2023)
The North Korea-sponsored, financially-motivated group APT38 (Bluenoroff, Stardust Chollima, TA444) and related clusters stole nearly $400 million dollars’ worth of cryptocurrency-related assets in 2021, and more than $1 billion during 2022, according to Proofpoint estimates. The group extensively experimented with new delivery methods, continuing with remote templates and LNK shortcuts, while trying MSI Installer, Virtual Hard Drive, ISO image, and compiled HTML files. APT38 operates multiple post-exploitation backdoors as well. In 2021-2022, the group was detected using browser extensions, Cardinal, CheeseTray, DyePack, msoRAT, passive backdoors, the Rantankba suite, and virtualized listeners.
Analyst Comment: All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1583.001 – Acquire Infrastructure: Domains | [MITRE ATT&CK] T1566.002 – Phishing: Spearphishing Link | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1033 – System Owner/User Discovery | [MITRE ATT&CK] T1555 – Credentials From Password Stores
Tags: mitre-group:APT38, actor:Bluenoroff, actor:Stardust Chollima, actor:TA444, APT, North Korea, source-country:KP, Cryptocurrency, file-type:LNK, file-type:MSI, file-type:VHD, file-type:ISO, file-type:HTML, Remote template, SendInBlue, SendGrid, detection:CageyChameleon, detection:CabbageRAT, malware-type:RAT, detection:Astraeus, detection:Cardinal, Browser extension, detection:CHEESETRAY, detection:DYEPACK, detection:msoRAT, Passive backdoor, detection:Rantankba, Virtualized listener, malware-type:backdoor, Windows
DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation
(published: January 24, 2023)
An unknown Chinese-speaking attacker is utilizing the multiplatform, open-source, remote access tool SparkRAT. To evade detection by static analysis, the DragonSpark campaign uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary. DragonSpark infrastructure is mostly based on compromised web servers and MySQL database servers in Eastern Asia (China, Hong Kong, Singapore, and Taiwan). DragonSpark has been dropping the China Chopper webshell, utilizing custom Loaders, and additional open-source tools including the GotoHTTP cross-platform remote access tool, and the BadPotato and SharpToken privilege escalation tools.
Analyst Comment: The use of SparkRAT by various threat actors is likely to increase in the future. Always practice defense-in-depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information
Tags: DragonSpark, detection:SparkRAT, malware-type:RAT, Golang, China, source-country:CN, actor:XZB-1248, target-country:CN, target-region:East Asia, target-country:Taiwan, target-country:TW, Web server compromise, MySQL database server, detection:China Chopper, malware-type:Webshell, detection:SharpToken, detection:BadPotato, malware-type:Privilege escalation tool, detection:GotoHTTP, detection:ShellCode_Loader, Python, m6699.exe, malware-type:Loader, WebSocket, PowerShell, Linux, Windows, Yaegi framework
Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network
(published: January 24, 2023)
New Violetlovelines campaign is a continuation of a larger multi-year WordPress infection campaign that was seeking to redirect users to tech support scam. Violetlovelines expands to new types of redirects to include promotion of suspicious apps and outright drive-by malware compromise delivering Racoon stealer. Sucuri researchers estimate over 5,600 affected WordPress websites, and over 190,000 applications installed through fake browser update warnings.
Analyst Comment: Site administrators should keep their systems updated and secure the administrator panel with two-factor authentication or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1555 – Credentials From Password Stores | [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1078 – Valid Accounts
Tags: WordPress, Violetlovelines, detection:Racoon, malware-type:Stealer, TDS, CHR obfuscation, Script tag injection, Compromised website