New Royal Ransomware Emerges in Multi-Million Dollar Attacks

Background:

AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware.

The Royal group uses targeted callback phishing attacks. Its phishing emails, which impersonate food delivery and software providers, contain a phone number to call to cancel an alleged subscription once a supposed free trial ends. If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is then used to gain initial access to the corporate network.

Takeaway:

Organizations should include awareness of callback phishing attacks in their anti-phishing training.

ZINC Weaponizing Open-Source Software

Background:

Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn.

Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader).

When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file.

Takeaway:

Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication.

More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID

Background:

Palo Alto researchers discovered a malicious polyglot file that is valid as two different file formats and behaves differently depending on the application that opens it. Opened as a Microsoft Compiled HTML Help (CHM) file, it displays a decoy help window. At the same time, it triggers its own execution by the Mshta.exe utility, which runs Microsoft HTML Application (HTA) files. When executed as an HTA, the same CHM file launched the IcedID infostealer DLL from the original ISO phishing attachment.

Takeaway:

Network defenders should not trust binaries based on their file types. Analysts can look for buried code, such as HTA code embedded in a CHM file.
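As an added illustration that is not part of the original research, a small Python scanner that determines a file's container type from its magic bytes and then searches the raw bytes for HTA-specific markup. The marker list and the sample byte strings are constructed for this example. Because mshta.exe parses the raw file as HTML, HTA markup in such a polyglot has to sit in the file in plaintext, which is what makes a raw scan useful even though a CHM's own help topics are normally stored compressed.

```python
"""Flag files that look like CHM by signature but also carry HTA markup in plaintext."""
import re

CHM_MAGIC = b"ITSF"  # signature at offset 0 of a Microsoft Compiled HTML Help file

# Markers specific to HTML Applications. Plain <script> tags are not listed because
# ordinary CHM help topics legitimately contain them.
HTA_MARKERS = [
    (re.compile(rb"<hta:application", re.I), "hta:application tag"),
    (re.compile(rb"<script[^>]*language\s*=\s*['\"]?(vbscript|jscript)", re.I), "VBScript/JScript block"),
    (re.compile(rb"activexobject\s*\(", re.I), "ActiveXObject call"),
    (re.compile(rb"wscript\.shell", re.I), "WScript.Shell reference"),
]


def container_type(data: bytes) -> str:
    """Identify the outer container from its leading magic bytes."""
    if data.startswith(CHM_MAGIC):
        return "chm"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def scan_polyglot(data: bytes) -> dict:
    """Return the container type, the HTA markers found, and a verdict.

    A CHM that also carries HTA markup is the polyglot pattern described above;
    an HTA marker inside a PE or PDF is reported but not given the CHM verdict.
    """
    kind = container_type(data)
    hits = [label for rx, label in HTA_MARKERS if rx.search(data)]
    return {"container": kind, "hta_markers": hits, "suspicious": kind == "chm" and bool(hits)}


# Constructed samples: a minimal CHM-looking header followed by HTML. They are not
# real CHM files and carry no runnable payload.
_FAKE_CHM_HEADER = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56
SAMPLE_POLYGLOT = (
    _FAKE_CHM_HEADER
    + b"<html><head><hta:application id='decoy' windowstate='minimize'/>"
    + b"<script language='VBScript'>MsgBox \"decoy\"</script></head>"
    + b"<body>Help topic</body></html>"
)
SAMPLE_CLEAN_CHM = _FAKE_CHM_HEADER + b"<html><body>Help topic<script>var x = 1;</script></body></html>"

if __name__ == "__main__":
    for name, blob in (("polyglot", SAMPLE_POLYGLOT), ("clean", SAMPLE_CLEAN_CHM)):
        print(name, scan_polyglot(blob))
```

Run on a directory of extracted attachments, the `suspicious` verdict is the triage signal; the `hta_markers` list tells the analyst which HTA construct to look at first.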

Taking Down Coordinated Inauthentic Behavior from Russia and China

Background:

Facebook (Meta) researchers discovered disinformation networks operated by China- and Russia-sponsored actors. China’s operations were caught in an early growth phase, targeting Czechia and online discussions related to the US midterm elections.

Russia’s coordinated operations were on a larger scale and included many typosquatted domains impersonating mass media, various social media accounts, and $105,000 in advertising spending to promote those inauthentic accounts and messaging. In June-September 2022, this campaign targeted Germany the most, spreading messages doubting sanctions on Russia and criticizing Ukrainian refugees.

Takeaway:

Many hostile nations look to establish coordinated inauthentic behavior operations. First, they build and capture an audience; then, they may deliver propaganda, disinformation, and/or other messaging that causes distrust and confusion. This research by Facebook shows that we need to remain critical when seeing inauthentic behavior, whether on social media or on platforms such as Change[.]org.


Hunting for Unsigned DLLs to Find APTs

Background:

Palo Alto researchers created two XQL queries to hunt for malicious unsigned DLLs loaded by rundll32.exe, regsvr32.exe, or other signed processes.

In February-August 2022, banking trojans and individual threat actors typically used rundll32.exe or regsvr32.exe, while government-sponsored groups preferred the DLL side-loading technique.

China-sponsored group Mustang Panda has been dropping a three-file payload into the ProgramData folder: a benign EXE (a PDF loader or antivirus software such as Avast), a malicious DLL, and an encrypted DAT payload file. North Korea-sponsored Lazarus Group used the signed DreamSecurity MagicLine4NX process to write two files to a random directory in ProgramData: a new DLL and the native Windows binary wsmprovhost.exe.

Takeaway:

Loading unsigned DLLs by signed processes provides for defense evasion, but leaves important hunting opportunities for network defenders. Focus on known third-party software placed in non-standard directories, high-entropy files, low frequency of execution, and folders or files with scrambled names.
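The hunting criteria above, applied in Python to a set of constructed image-load records, as an added example that is not Palo Alto's XQL and uses no real telemetry. The event field names (host, Image, ImageLoaded, ProcessSigned, DllSigned) are assumptions loosely modelled on Sysmon's image-load event, the hosts and paths are invented, and the entropy and frequency thresholds are illustrative.

```python
"""Hunt for unsigned DLLs loaded by signed processes, scored on the criteria above."""
import math
import ntpath
from collections import defaultdict

# Constructed sample events (assumed field names, invented hosts and paths).
SAMPLE_EVENTS = [
    # rundll32 loading an unsigned, scrambled-name DLL from ProgramData
    {"host": "ws01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\ProgramData\qk2v9x\aj3ksd82.dll", "ProcessSigned": True, "DllSigned": False},
    # signed third-party EXE in a non-standard folder side-loading an unsigned DLL
    {"host": "ws02", "Image": r"C:\ProgramData\AvUpdate\avupdate.exe",
     "ImageLoaded": r"C:\ProgramData\AvUpdate\wsc.dll", "ProcessSigned": True, "DllSigned": False},
    # benign: signed process, signed DLL
    {"host": "ws03", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrrun.dll", "ProcessSigned": True, "DllSigned": True},
    # unsigned in-house DLL seen on many hosts: high frequency, low interest
    *[{"host": f"ws{n:02d}", "Image": r"C:\Program Files\Corp\corptool.exe",
       "ImageLoaded": r"C:\Program Files\Corp\helper.dll", "ProcessSigned": True, "DllSigned": False}
      for n in range(10, 40)],
]

NON_STANDARD_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\", "\\temp\\")
PROXY_LOADERS = {"rundll32.exe", "regsvr32.exe"}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; higher means more random-looking."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_scrambled(name: str, threshold: float = 2.9) -> bool:
    """Treat a file or folder name as scrambled when its stem is long and high-entropy."""
    stem = name.rsplit(".", 1)[0].lower()
    return len(stem) >= 6 and shannon_entropy(stem) >= threshold


def hunt(events, low_freq_hosts: int = 2, min_score: int = 3):
    """Return findings for unsigned DLLs loaded by signed processes that meet min_score reasons."""
    hosts_per_dll = defaultdict(set)
    for e in events:
        hosts_per_dll[e["ImageLoaded"].lower()].add(e["host"])

    findings = []
    for e in events:
        if not (e["ProcessSigned"] and not e["DllSigned"]):
            continue  # only the signed-loads-unsigned pattern is of interest here
        dll, proc = e["ImageLoaded"], e["Image"]
        dll_l, dll_dir = dll.lower(), ntpath.dirname(dll)
        reasons = ["unsigned DLL loaded by signed process"]
        if any(d in dll_l for d in NON_STANDARD_DIRS):
            reasons.append("non-standard directory")
        if looks_scrambled(ntpath.basename(dll)) or looks_scrambled(ntpath.basename(dll_dir)):
            reasons.append("scrambled name")
        if len(hosts_per_dll[dll_l]) <= low_freq_hosts:
            reasons.append("low frequency")
        proc_name = ntpath.basename(proc).lower()
        if proc_name in PROXY_LOADERS:
            reasons.append("proxy loader")
        elif ntpath.dirname(proc).lower() == dll_dir.lower() and not proc.lower().startswith("c:\\windows"):
            reasons.append("possible side-load")
        if len(reasons) >= min_score:
            findings.append({"host": e["host"], "process": proc, "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["dll"], "<-", f["process"], "|", ", ".join(f["reasons"]))
```

The frequency pass is what keeps an unsigned in-house helper DLL on thirty workstations out of the result set; the side-load check relies on the signed loader and the unsigned DLL sharing a directory outside the Windows folder, which is the three-file layout described for Mustang Panda.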

NullMixer: Oodles of Trojans in a Single Dropper

Background:

Kaspersky researchers described a malicious campaign leveraging the NullMixer downloader. The threat actors created malicious websites promoted with search engine optimization targeting users searching for “cracks” and “keygens”.

After additional redirects, the user is prompted to download a password-protected archive masquerading as the requested software. Upon user activation, three stages of the NullMixer malware are dropped and executed. NullMixer drops and executes over a dozen additional malware samples, some of which further download even more malware. As a result, the user’s machine can be infected with dozens of malware families, including ColdStealer, Disbuk, Fabookie, LgoogLoader, RedLine, and SmokeLoader.

Takeaway:

As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. Companies should restrict these types of downloads, typically by supplying legitimate software from vendors with dedicated development teams who keep improving it and releasing new patches. Employees should be well educated about the risks these downloads pose.

FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers

Background:

AhnLab researchers described one of the prominent ransomware families targeting vulnerable MS-SQL servers: the FARGO (Mallox) ransomware. The FARGO infection chain starts with a brute-force attack or with exploitation of an outdated MS-SQL server. The initial downloader is built on .NET and is downloaded by the MS-SQL process through cmd.exe and powershell.exe.

The additional malware it downloads is injected into AppLaunch.exe, a Windows binary. The FARGO file-extension exclusion list includes not only extensions used by current and future FARGO versions, but also an extension used by the Globeimposter ransomware, which has similar targeting.

Takeaway:

If you manage an MS-SQL server, keep it updated with security patches and implement robust password policies to counter brute-force and dictionary attacks.
