Anomali Cyber Watch: Russia Targets Ukraine with New Malware, Targeted Phishing Campaigns Give Way to Wizard Spider, Certificates Stolen by Lapsus$ Are Being Abused, and More


The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Code signing, Naver, Phishing, Russia, Ukraine, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Double Header: IsaacWiper and CaddyWiper

(published: March 18, 2022)

Data destruction is one of the common objectives for Russia in its ongoing cyberwar with Ukraine. During the February-March 2022 military escalation, three new wipers were discovered. On February 23, 2022, HermeticWiper, on February 24, 2022, IsaacWiper, and, later in March 2022, CaddyWiper. Malwarebytes researchers assess that all three wipers have been written by different authors and have no code overlap. IsaacWiper and CaddyWiper are light in comparison to the more complex HermeticWiper. CaddyWiper has an additional check to exclude wiping Domain Controllers probably to leave an opportunity for malware propagation.
Analyst Comment: Focus on intrusion prevention and having a proper disaster recovery plan in place: have anti-phishing training, keep your systems updated, regularly backup your data to an offline storage.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction – T1485
Tags: CaddyWiper, IsaacWiper, HermeticWiper, Wiper, Data destruction, Russia, Ukraine, Ukraine-Russia Conflict 2022, Operation Bleeding Bear

UAC-0035 (InvisiMole) Attacks Ukrainian Government Organizations

(published: March 18, 2022)

The Computer Emergency Response Team for Ukraine (CERT-UA) detected a new UAC-0035 (InvisiMole) phishing campaign targeting Ukrainian government organizations. InvisiMole is likely a subgroup connected to the Russia-sponsored Gamaredon (Primitive Bear) group. The new campaign features an attached archive, together with a shortcut (LNK) file. If the LNK file is opened, an HTML Application file (HTA) downloads and executes VBScript designed to deploy the LoadEdge backdoor. LoadEdge deploys additional malware and modules including TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution, and RC2CL backdoor module.
Analyst Comment: Users should be trained to recognize spearphishing attempts. Attachments with rare attachment extensions (LNK, ISO, BAT to name a few) should be reported.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Protocol Tunneling – T1572 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] User Execution – T1204
Tags: InvisiMole, UAC-0035, TunnelMole, Gamaredon, Primitive Bear, Russia, Ukraine, LNK, HTA, DNS, Ukraine-Russia Conflict 2022, Operation Bleeding Bear

Exposing Initial Access Broker with Ties to Conti

(published: March 17, 2022)

Exotic Lily (DEV-0413) is an initial access broker group detected by the Google Threat Analysis Group. Exotic Lily is capable of sending 5,000 emails a day, and has been observed targeting 650 organizations globally. The threat group relies heavily on human operations with manually spoofing organizations, creating fake employee profiles and personal websites. Exotic Lily tries to avoid detection by uploading their malicious payload to public file-sharing services such as OneDrive, TransferNow, TransferXL, or WeTransfer. In September 2021, Exotic Lily was sending an exploit for CVE-2021-40444. In or around November 2021, they switched to delivering ISO files with hidden BazarLoader DLLs and LNK shortcuts. Next infection stages include Cobalt Strike and deployment of Conti and Diavol ransomware. Exotic Lily has close relationships with Wizard Spider (FIN12) but seems to operate as a separate entity.
Analyst Comment: Users should be made aware that a malicious link can come even from somebody that they had an established communication with. Financially-motivated groups like Exotic Lily show a high level of persistence and resourcefulness and a defense-in-depth approach is needed on defenders’ side.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] System Information Discovery – T1082
Tags: Exotic Lily, DEV-0413, TransferNow, TransferXL, WeTransfer, OneDrive, CVE-2021-40444, Bumblebee loader, BazarLoader, Bazar, ISO, DLL, LNK, Cobalt Strike, Conti, Diavol, Ransomware, Wizard Spider, FIN12

Suspected DarkHotel APT Activity Update

(published: March 17, 2022)

An IP address reported in December 2021 as a part of the South Korean threat actor DarkHotel, remained active as part of spearphishing campaign targeting luxury hotels in Macao, China. This campaign started in November 2021 and lasted through January 18, 2022, possibly stopping as the planned conferences in the targeted area were canceled due to COVID-19-related measures. The campaign featured attached Excel documents with malicious, obfuscated macroses containing multiple loops to make the analysis more complex. When executed by the user the macros creates a scheduled task to collect and exfiltrate data. Additionally, the macros utilizes a known LOLBAS (living off the land binaries and scripts) technique to perform PowerShell command lines as trusted scripts.
Analyst Comment: Hotel guests using hotel WiFi should use a VPN to keep their network traffic encrypted. Hotel administrators should be trained to recognize spearphishing attempts and avoid enabling macroses in the non-warranted attachments.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Native API – T1106 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059
Tags: China, Hospitality, Spearphishing, PowerShell, Scheduled task, Suspected-DarkHotel

Gh0stCringe RAT Being Distributed to Vulnerable Database Servers

(published: March 16, 2022)

Gh0stCringe RAT (CirenegRAT) was first detected in December 2018 being distributed via a SMB vulnerability. ASEC researchers have found that recent Gh0stCringe RAT infections were targeting database servers (Microsoft SQL and MySQL) that had account credentials vulnerable to brute force or dictionary attacks. Gh0stCringe code is based on the source code of publicly-released Gh0st RAT. For keylogging, Gh0stCringe uses Windows Polling method (GetAsyncKeyState() API), as opposed to Windows Hooking (SetWindowsHookEx() API) in Gh0st RAT. The malware can change its file size when copying itself, set the hidden or system attributes, terminate itself to disrupt analysis, and achieve persistence via registering a service and registry key.
Analyst Comment: Use long passwords with sufficient entropy and change them periodically. Maintain the latest patch for your systems. Use firewalls for database servers accessible from outside.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Brute Force – T1110 | [MITRE ATT&CK] Create or Modify System Process – T1543 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Data Staged – T1074 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Obfuscated Files or Information – T1027
Tags: Gh0stCringe, CirenegRAT, Gh0st RAT, ZombieBoy, SMB, MS-SQL, MySQL, Database server, Brute force attack, Dictionary attack

Stolen Nvidia Certificates Used to Sign Malware—Here’s What to Do

(published: March 15, 2022)

In March 2022, the extortionist threat group, Lapsus$ leaked Nvidia’s internal data including two of Nvidia’s code signing certificates. Those certificates are already being used to sign malware. Leaked signing certificates have expired (in 2014 and 2018) but Windows doesn’t require a valid timestamp when signing kernel drivers if the certificate was issued before July 29, 2015.
Analyst Comment: System administrators are advised to configure Windows Defender Application Control (WDAC) policies in regards to Nvidia drivers. You can check if you have files signed with the leaked certificates in your environment: use the serial numbers 43BB437D609866286DD839E1D00309F5 and 14781bc862e8dc503a559346f5dcc518, or use Neo23x0’s Yara rule.
MITRE ATT&CK: [MITRE ATT&CK] Subvert Trust Controls – T1553
Tags: Lapsus$, Nvidia, Certificate, Code signing, Windows driver, Kernel driver

What Wicked Webs We Un-Weave: Wizard Spider

(published: March 15, 2022)

Prevailion researchers detected a large-scale phishing campaign using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea that provides email, payment, search, social, and other customer-facing services. 532 unique domains belonging to the ongoing phishing campaign targeting Naver logins were registered from August 2021 to February 2022. Prevailion didn’t make a final attribution call, but notes that this Naver-targeting phishing infrastructure overlaps with Russia-based, financially-motivated threat actor group Wizard Spider, and shares similarities with some of the characteristics of Wizard Spider’s associate, initial access broker Exotic Lily.
Analyst Comment: It’s important to keep a watchful eye on suspicious domain registration activity related to your brand and companies from your supply chain. Anomali Targeted Threat Monitoring service can help you detect and block such suspicious domain registrations.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566
Tags: Naver, Wizard Spider, TrickBot, Conti ransomware, Cobalt Strike beacon, Conti, CVE-2021-40444, Phishing, South Korea, Russia

Threat Advisory: Opportunistic Cyber Criminals Take Advantage of Ukraine Invasion

(published: March 14, 2022)

Cisco Talos researchers observed scam and malware distribution actors using email lures with themes related to the military conflict in Ukraine, including humanitarian assistance and various types of fundraising. As Ukraine remains in the top news topics, this abuse is expected to increase. One of the often observed threats is a commodity remote access trojan (RAT) called Remcos that is known for its persistence via a registry run key and utilizations of a Dynamic DNS server for command and control (C2) communications.
Analyst Comment: Organizations should start proactively hunting for scam threats in their environment by building a word list to search for. Users should be trained to recognize phishing threats, and to check for possible web link spoofing by hovering the mouse over the highlighted area.
MITRE ATT&CK: [MITRE ATT&CK] Dynamic Resolution – T1568 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: Remcos, RAT, DDNS, CVE-2017-11882, Scam, Phishing, Bitcoin, Cryptocurrency, Ukraine-Russia Conflict 2022, Ukraine

Observed Threats

Additional information regarding the threats discussed in this week’s Anomali Cyber Watch can be found below:

Gamaredon Group
The Advanced Persistent Threat (APT) group “Gamaredon,” is believed to be a Russia-based group that has been active since at least 2013. The group is known for conducting cyber espionage campaigns targeting the Ukrainian government, law enforcement officials, media, and military. The Lookingglass Cyber Threat Intelligence Group first reported Gamaredon in their report on a cyberespionage campaign dubbed “Operation Armageddon” in April 2015, according to Palo Alto Networks Unit 42 researchers. This led Unit 42 researchers, in February 2017, to name the group “Gamaredon Group” because they believe the group conducted Operation Armageddon.

Wizard Spider
Wizard Spider is a financially-motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of Trickbot, Conti, Diavol, and Ryuk malware families. Wizard Spider targets large organizations for a high-ransom return. This is a technique known as big game hunting (or BGH). Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personal Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing an increase in use. Known associated groups are: Grim Spider – A group that has been operating Ryuk ransomware since August 2018; reported to be a cell of Wizard Spider, and Lunar Spider – This threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID). Main activities involve data theft and wire fraud.

IsaacWiper
IsaacWiper alias Lasainraw is wiper malware that enumerates the physical drive and wipes out the MBR to make the system inaccessible. On February 24, 2022, security vendor ESET observed IsaacWiper being used to target the Government of Ukraine networks. It can either be a DLL or an EXE file dropped and executed in the %programdata% or system32 location.

HermeticWiper
HermeticWiper (FoxBlade) is a sophisticated disk-wiping malware used to attack organizations in Ukraine the day prior to the launch of a Russian invasion on February 24, 2022. The malware features behavioral characteristics similar to the WhisperGate data-wiping malware first reported on January 15, 2022 by Microsoft in a destructive malware operation targeting multiple Ukraine-based organizations. HermeticWiper has two main destructive components that corrupts data and renders infected systems inoperable by damaging the Master Boot Record (MBR) and EaseUS Partition Master software.

Exploited Windows MSHTML Vulnerability (CVE-2021-40444) Was Unpatched Until September 2021
A remote code execution (RCE) vulnerability in MSHTML that affects Microsoft Windows (CVE-2021-40444) was recently reported publicly by Microsoft Threat Intelligence Center (MTIC) on 7 September, 2021. To exploit this vulnerability, a would-be attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The original exploit vector has been determined to be externally-targeted OLEObject relationship definition bearing an MHTML handler prefix pointed at an HTML file hosted on an actor infrastructure. A typical exploit for this vulnerability would use documents crafted with embedded JavaScript that downloads a cabinet file (.cab) containing a dynamic-link library (DLL) from a remote host. Once the DLL function is executed, shellcode is loaded from an attacker’s remote source and into the “wabmig.exe” process (Microsoft address import tool). Observed campaigns leveraging CVE-2021-40444 were connected to spreading various malware, including but not limited to BazaLoader, Conti ransomware, Cobalt Strike, and Trickbot.





Source link