No Pineapple! – DPRK Targeting of Medical Research and Technology Sector

(published: February 2, 2023)

Background:

North Korea-sponsored group Lazarus has been conducting cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted its infrastructure from domains to solely IP-based addressing. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off-the-shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as PuTTY SCP), and used proxying tools (3Proxy, Plink, and Stunnel). Two custom malware families unique to North Korea-based advanced persistent threat actors were also observed: a new version of Grease, which enables RDP access on the host, and the Dtrack infostealer.

Takeaway:

Organizations should keep their mail servers and other publicly-facing systems up to date with the latest security patches. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected, and acted upon. Use the available YARA signatures and known indicators.

MalVirt: .NET Virtualization Thrives in Malvertising Attacks

(published: February 2, 2023)

Background:

This malvertising campaign uses a virtualized malware loader dubbed MalVirt. The loader uses KoiVM virtualization from the ConfuserEx .NET protector, which replaces the .NET opcodes with new ones understood only by the KoiVM virtual machine. MalVirt obfuscates namespace, class, and function names; it can patch the AmsiScanBuffer function to bypass the Antimalware Scan Interface (AMSI); and it uses Base64 encoding and AES encryption for strings that could raise suspicion. The final payload, an infostealer from the Formbook/XLoader family, disguises its C2 traffic by beaconing to multiple domains, camouflaging the true C2 domain. It also employs anti-analysis and anti-detection techniques such as detecting user- and kernel-land debuggers via the NtQueryInformationProcess and NtQuerySystemInformation functions.

Takeaway:

Consider using an ad-blocker service. Before clicking to download software, check whether the domain name is misspelled. As always, end-user education and awareness remain a key component of any organization's protective arsenal. Until search engines get better at recognizing this kind of redirect abuse, take extra caution with search results, especially promoted ones.

No Macro? No Worries. VSTO Being Weaponized by Threat Actors

(published: February 1, 2023)

Background:

After Microsoft decided to block by default any VBA macro in Office files bearing the mark-of-the-web, threat actors started looking for new delivery methods, including Visual Studio Tools for Office (VSTO). Deep Instinct detected in-the-wild samples abusing VSTO, a software development toolset available in Microsoft's Visual Studio IDE. VSTO allows developers to build .NET-based Office add-ins, incorporate them into an Office document for delivery and execution, and achieve persistence by associating the add-in with an Office application so that it runs each time the application starts.

Takeaway:

Security vendors should incorporate monitoring for VSTO. When handling a potentially suspicious document, users should be wary if prompted to install an add-in and/or a customization.

Operation Ice Breaker Targets the Gam(bl)ing Industry Right Before Its Biggest Gathering

(published: February 1, 2023)

Background:

Several incidents from the Operation Ice Breaker campaign have been detected targeting the gaming and gambling industries. The unidentified attackers used typosquatted domains and targeted customer support chats with malicious links masquerading as error screenshot images. One attack chain used a VBS downloader to deliver the well-documented Houdini RAT; another used an LNK downloader to download and execute an additional MSI package. These MSI packages impersonated legitimate software installers for Avast Free Antivirus or Formware 3D and contained a set of decoy files and a CAB archive with a compressed version of the IceBreaker backdoor. The IceBreaker executable makes unusual use of the overlay appended to the end of the original executable: it stores V8 bytecode, an abstraction of machine code that represents the script's code and is interpreted at runtime by V8's Ignition interpreter.
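Because the IceBreaker payload lives in the PE overlay, a triage step is to locate and size that overlay from the section table alone. The following is an added example, not code from the original report: it walks the PE headers, computes where the last section's raw data ends, and reports anything past it with a Shannon entropy figure. The `build_sample_pe` helper fabricates a minimal PE layout so the check runs offline; the overlay bytes it appends are a constructed placeholder, not real V8 bytecode.

```python
import math
import struct


def pe_overlay(data: bytes):
    """Return (offset, size) of bytes past the last section's raw data, or None."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]        # SizeOfOptionalHeader
    sect_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):  # each IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + i * 40 + 16)
        end = max(end, ptr_raw + size_raw)
    return (end, len(data) - end) if len(data) > end else None


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted overlays sit near 8.0."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([b])) for b in set(buf)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts)


def overlay_report(data: bytes) -> dict:
    ov = pe_overlay(data)
    if ov is None:
        return {"has_overlay": False}
    off, size = ov
    blob = data[off:off + size]
    return {"has_overlay": True, "offset": off, "size": size,
            "entropy": round(entropy(blob), 2), "head": blob[:8].hex()}


def build_sample_pe(section_data: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE32: DOS header, PE signature, COFF, zeroed optional header, one section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = e_lfanew + 4 + len(coff) + len(opt) + 40
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + section_data + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"\xCC" * 16, b"V8-bytecode-blob")  # constructed placeholder overlay
    print(overlay_report(sample))
```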

Takeaway:

Operation Ice Breaker used two specific social engineering techniques that client-facing support agents could be taught to recognize. First, the attackers complained to customer support without actually having an account with the company. Second, to mask their broken English, they requested support in different languages (Spanish, French) but communicated in English.

New Data Wipers Deployed Against Ukraine

(published: January 30, 2023)

Background:

The Computer Emergency Response Team of Ukraine (CERT-UA) reported a sophisticated, partially successful data-wiping attack against one of Ukraine's news agencies. Reconnaissance started on December 7, 2022, or earlier, followed by initial access. On January 17, 2023, the attacker attempted to deploy and execute five different wipers using a group policy object (GPO) for scheduled task creation. The CaddyWiper and ZeroWipe malware and the legitimate SDelete utility targeted Windows; two additional wipers, AwfulShred and BidSwipe, targeted Linux and FreeBSD respectively. The attack was advertised on the CyberArmyofRussia_Reborn Telegram channel, which is associated with the Russia-sponsored Sandworm Team, the likely perpetrator.

Takeaway:

Advanced data-wiping campaigns can be spoiled by having proper safeguards in place, including but not limited to online and offline backups, requiring proper authorization for data removal, and other protections. For legitimate tool abuse, network defenders are advised to establish a baseline of typical running processes and monitor for deviations from it.

SwiftSlicer: New Destructive Wiper Malware Strikes Ukraine

(published: January 27, 2023)

Background:

The Russia-sponsored Sandworm Team has been detected targeting Ukraine with a new Go-based wiper dubbed SwiftSlicer. Sandworm deployed the wiper using Active Directory Group Policy. The initial intrusion vector used to compromise the organization is unknown. SwiftSlicer is capable of deleting shadow copies, recursively overwriting critical system files and drivers, and rebooting the host. For overwriting, it uses 4096-byte blocks of random data.

Takeaway:

In 2022, Russian APT groups used several different wipers. SwiftSlicer shows that the data destruction threat continues to evolve. Organizations with exposure to the military conflict in Ukraine should prepare offline backups to minimize the effects of a potential data-wiping attack.
