Threat Analysis: Active C2 Discovery Using Protocol Emulation Part 3 (ShadowPad)

(published: October 27, 2022)

Background:

ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (between September 2021 and September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).

Takeaway:

Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring.

Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity

(published: October 27, 2022)

Background:

The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: a Raspberry Robin LNK file on a USB drive, the Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around the threat group EvilCorp (aka DEV-0206/DEV-0243).

Besides being the initial infection vector, Raspberry Robin was seen delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp’s Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot), and eventually led to a ransomware infection (LockBit, Clop).

Takeaway:

Organizations are advised against enabling Autorun of removable media on Windows by default, as it allows automated activation of an inserted, Raspberry Robin-infected USB drive. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction.

Fodcha DDoS Botnet Reaches 1Tbps in Power, Injects Ransoms in Packets

(published: October 27, 2022)

Background:

The Fodcha DDoS botnet has grown in power and sophistication since its first appearance on January 12, 2022. After 360Netlab researchers publicly described Fodcha, the actors took a number of steps to enable sandbox evasion and stealthy C2 communication. Fodcha uses two sets of C2 domains; one set uses rare OpenNIC top-level domains (TLDs) that common DNS resolvers cannot resolve, so the bot instead queries specific DNS servers hard-coded in the ELF binary. Fodcha targets globally, with China the most targeted country, followed by the US. The botnet is estimated to have over 60,000 bots; it was seen hitting over 1,000 targets a day and generating up to 1Tbps of traffic.

Takeaway:

Organizations and users should keep updating and/or isolating their vulnerable Linux-based devices to stop them from being absorbed into a DDoS botnet, or worse. Denial-of-service attacks can cost your company revenue, because severe attacks can shut down online services for extended periods of time. In addition, the ability of threat actors to compromise vulnerable devices and to purchase DDoS-for-hire services is a continually evolving threat. A business continuity plan should be in place in the unfortunate case that your company is the target of a significant DDoS attack.
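An added detection sketch, not taken from the 360Netlab report, that runs over constructed network-sensor DNS records and flags the two signals the description above implies: DNS sent to resolvers other than the organization's own, and query names under TLDs that are absent from the ICANN root zone. The TLD set, resolver addresses, record format and sample records are all stand-ins.

```python
# Stand-in for the IANA root-zone TLD list (truncated, constructed). In practice
# load https://data.iana.org/TLD/tlds-alpha-by-domain.txt and add internal zones
# you legitimately use (e.g. "corp") so they are not flagged.
KNOWN_TLDS = {"com", "net", "org", "cn", "us", "io", "info", "ru", "de", "uk"}

# Resolvers the organisation sanctions (constructed addresses). A bot carrying its
# own hard-coded resolvers never asks these, so resolver logs stay empty; the
# records must come from a network sensor or firewall that sees UDP/53 egress.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}


def parse_record(line):
    """Constructed sensor format: '<timestamp> <client_ip> <resolver_ip> <qname>'.
    Returns (client, resolver, qname) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, resolver, qname = parts
    return client, resolver, qname.rstrip(".").lower()


def tld_of(qname):
    return qname.rsplit(".", 1)[-1]


def analyze(lines):
    """Return (line_no, client, reason) tuples; one record can raise both signals."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_record(line)
        if rec is None:
            continue
        client, resolver, qname = rec
        if resolver not in APPROVED_RESOLVERS:
            findings.append((n, client, f"dns to unapproved resolver {resolver}"))
        if tld_of(qname) not in KNOWN_TLDS:
            findings.append((n, client, f"tld not in root zone: {qname}"))
    return findings


# Constructed records: 203.0.113.7 is a documentation address and
# update.example.libre an invented name under an OpenNIC-style TLD.
SAMPLE_RECORDS = [
    "2022-10-20T10:00:01Z 10.0.5.20 10.0.0.53 www.example.com",
    "2022-10-20T10:00:02Z 10.0.5.21 203.0.113.7 update.example.libre",
    "2022-10-20T10:00:03Z 10.0.5.22 10.0.1.53 mail.example.org.",
    "malformed line",
]

if __name__ == "__main__":
    for line_no, client, reason in analyze(SAMPLE_RECORDS):
        print(f"line {line_no} client {client}: {reason}")
```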

OpenSSL Warns of Critical Security Vulnerability with Upcoming Patch

(published: October 26, 2022)

Background:

On October 25, 2022, the OpenSSL Project team preannounced an upcoming patch for a vulnerability that they assessed as critical severity: it affects common configurations and is also likely exploitable. The vulnerability only affects OpenSSL versions 3.0.0 – 3.0.6, so some older operating systems and devices are not at risk. The OpenSSL 3.0.7 update is scheduled for November 1, 2022.

Takeaway:

No technical details on the vulnerability were shared, and there are no signs of ongoing exploitation. The ubiquity of OpenSSL could make the potential impact comparable to the 2014 Heartbleed OpenSSL vulnerability.
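An added triage helper, not part of the advisory or of the OpenSSL project, that classifies `openssl version` banners against the preannounced 3.0.0 – 3.0.6 range so an inventory can be sorted before the 3.0.7 release lands; the hostnames and banners in the sample inventory are constructed.

```python
import re
import ssl

# Range the OpenSSL Project said the 3.0.7 release will fix.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# 'openssl version' banner prefix, e.g. "OpenSSL 1.1.1q  5 Jul 2022"; letter suffix kept.
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_openssl_version(banner):
    """(major, minor, patch, letter), or None when the banner is not
    OpenSSL at all (LibreSSL, BoringSSL, garbage)."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter

def classify(banner):
    """'affected' for 3.0.0 - 3.0.6, 'not affected' for other OpenSSL
    versions, 'unknown' when the banner cannot be parsed."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, patch, _letter = parsed
    if AFFECTED_MIN <= (major, minor, patch) <= AFFECTED_MAX:
        return "affected"
    return "not affected"

def triage(banners_by_host):
    """Classify a {host: banner} inventory, hosts needing 3.0.7 first. Caveat:
    vendors that backport fixes may keep a 3.0.x banner, so verify 'affected'."""
    order = {"affected": 0, "unknown": 1, "not affected": 2}
    results = {host: classify(b) for host, b in banners_by_host.items()}
    return sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0]))

# Constructed inventory; hostnames and banners are invented for the example.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "db-02": "OpenSSL 1.1.1q  5 Jul 2022",
    "bastion": "LibreSSL 3.3.6",
    "build-03": "OpenSSL 3.0.7 1 Nov 2022",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {status}")
    print("this python:", classify(ssl.OPENSSL_VERSION))  # linked library, too
```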

Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries

(published: October 23, 2022)

Background:

BlackBerry researchers analyzed three campaigns by an unknown actor aiming to deliver the RomCom remote access trojan (RAT). The first two campaigns, in July and October 2022, used fake apps and impersonated the legitimate application websites for Advanced IP Scanner and pdfFiller. The latest campaign, detected on October 21, 2022, targeted the Ukrainian military via phishing links, with the RomCom RAT as the ultimate payload.

Takeaway:

A separate report by Unit 42 in August 2022 connected RomCom to the Cuba ransomware, but these newly described campaigns were not associated with dropping ransomware. It is possible that RomCom is being used as a final payload in information-stealing campaigns.

When Cops Hack Back: Dutch Police Fleece DEADBOLT Criminals (Legally!)

(published: October 21, 2022)

Background:

The DeadBolt ransomware group has been active for almost two years. Their preferred target is QNAP network-attached storage (NAS) devices. DeadBolt releases the ransomware decryption key in a Bitcoin transaction after receiving Bitcoin payment from the target. The Dutch police and Responders.NU researchers were able to obtain the keys for 155 victims from 13 different countries without actually paying the threat group. DeadBolt did not wait for the ransom transaction to be confirmed by Bitcoin miners, so the police used conflicting transactions (the double-spend method).

The first transaction sent the required ransom to the attacker-controlled address, triggering the key release, but had a low chance of confirmation. The second transaction, which overrode the first, sent the same funds to a defender-controlled address and had a priority-confirmation fee attached.

Takeaway:

Victims of DeadBolt can use this assistance and the double-spend method to obtain the decryption key until the ransomware operators change their automation. To lessen the impact of a potential NAS device compromise, create an offline copy of your important files.