DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads

(published: November 17, 2022)

Background:

From August to October 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between spreading malicious links through Google Ads malvertising and through contact forms on targeted organizations’ public websites. Fake installer files were hosted on typosquatted domains or on legitimate repositories (GitHub, OneDrive). The first stage was a user-downloaded, signed MSI or VHD file (the BatLoader malware), which led to second-stage payloads such as BumbleBee, Gozi, Royal ransomware, or the Vidar stealer.

Takeaway:

DEV-0569 is a dangerous group because of its abuse of legitimate services and legitimate certificates. Organizations should consider educating users and restricting their software installation options. Links arriving through alternative channels such as contact forms should be treated as carefully as links in incoming email.

Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment

(published: November 16, 2022)

Background:

From mid-September 2022, a new phishing campaign has targeted users in North America with holiday-special pretexts. It impersonated a number of major brands, including Costco, Delta Airlines, Dick’s, and Sam’s Club. Akamai researchers analyzed the techniques used by the underlying sophisticated phishing kit. For defense evasion and tracking, the attackers used URI fragmentation: they placed target-specific tokens after the URL fragment identifier (the hash mark, also known as the HTML anchor). JavaScript running in the victim’s browser read this value to reconstruct the redirect URL.

Takeaway:

Evasion through URI fragmentation hides the token value from traffic inspection tools because the fragment is never sent to the server. Users are advised to double-check domains that ask for payment or personal information, and to learn the signs of an advanced-fee scam.
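An added example, not code from the Akamai report or from the phishing kit, showing why the fragment token never reaches proxy or server logs and one place a defender can still inspect it (a mail gateway sees the full link in the message body). The URLs are constructed on a reserved example domain, and the length and entropy thresholds are assumptions to be tuned on real traffic.

```python
"""
Why a token carried in the URL fragment is invisible to network inspection,
and a gateway-side heuristic that still sees it. All sample URLs below are
constructed for this example.
"""
import math
from collections import Counter
from urllib.parse import urlsplit


def request_target(url: str) -> str:
    """What a proxy or web server log records for this link: path and query only.
    Browsers never put the fragment on the wire (RFC 3986, section 3.5)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return target


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score well above page anchors."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_fragment(url: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic for a mail gateway: flag fragments that look like opaque per-target
    tokens rather than ordinary anchors such as '#pricing'. Thresholds are assumed."""
    frag = urlsplit(url).fragment
    return len(frag) >= min_len and shannon_entropy(frag) >= min_entropy


def scan_links(urls: list[str]) -> list[str]:
    """Return the links a gateway should hold or rewrite for closer inspection."""
    return [u for u in urls if suspicious_fragment(u)]


if __name__ == "__main__":
    # Constructed links: one ordinary anchor, one opaque tracking token.
    links = [
        "https://example.com/faq#shipping-policy",
        "https://example.com/holiday/offer?id=7#a8F3kQ9zLmP2xW7vR1tY4bN6",
    ]
    for link in links:
        print(f"proxy log sees: {request_target(link):<25} flagged: {suspicious_fragment(link)}")
```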


DTrack Activity Targeting Europe and Latin America

(published: November 15, 2022)

Background:

Since 2019, North Korea-sponsored Lazarus Group has used the DTrack backdoor to enable discovery, lateral movement, and stealing sensitive information. In 2022, DTrack was seen in a wider range of attacks targeting Brazil, Germany, India, Italy, Mexico, Saudi Arabia, Switzerland, Turkey, and the United States.

DTrack arrives inside an executable, and three to four stages of decryption run before the malware payload starts. The first stage retrieves the second stage from within the malware’s PE file using either an offset-based or a resource-based approach. Once decrypted and executed, this heavily obfuscated shellcode decrypts the eight bytes that follow the final payload decryption key to learn the payload size and its entry-point offset.
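An added analyst-side example, not code from the DTrack write-up or from the malware, for carving the final stage out of an already decrypted buffer once the position of the decryption key is known. The page says only that the eight bytes after the key hold the payload size and entry-point offset; reading them as two little-endian 32-bit values, the 16-byte key length, and the sample buffer are all assumptions constructed here.

```python
"""
Carve the stage that follows the final decryption key, with bounds checks so a
truncated or corrupted dump fails loudly instead of yielding a wrong payload.
Layout (assumed): <key> | uint32 size | uint32 entry offset | payload.
"""
import struct

HEADER_FMT = "<II"                      # assumed: size, then entry-point offset
HEADER_LEN = struct.calcsize(HEADER_FMT)  # the eight bytes the report describes


def carve_payload(buf: bytes, key_end: int) -> tuple[bytes, int]:
    """Return (payload, entry_offset) for the stage whose header starts at key_end."""
    if key_end < 0 or key_end + HEADER_LEN > len(buf):
        raise ValueError("header lies outside the buffer")
    size, entry = struct.unpack_from(HEADER_FMT, buf, key_end)
    start = key_end + HEADER_LEN
    if size == 0 or start + size > len(buf):
        raise ValueError(f"payload size {size} exceeds buffer of {len(buf)} bytes")
    if entry >= size:
        raise ValueError(f"entry offset {entry} outside payload of {size} bytes")
    return buf[start:start + size], entry


def is_well_formed(buf: bytes, key_end: int) -> bool:
    """True when the header and payload fit the buffer and the entry point is inside."""
    try:
        carve_payload(buf, key_end)
        return True
    except ValueError:
        return False


def build_sample() -> tuple[bytes, int]:
    """Constructed stand-in for a decrypted stage: 16-byte key, header, 16-byte payload
    whose (fake) entry point is the 'Z' at offset 4."""
    key = b"K" * 16
    payload = b"A" * 4 + b"Z" + b"A" * 11
    header = struct.pack(HEADER_FMT, len(payload), 4)
    return key + header + payload, len(key)


if __name__ == "__main__":
    blob, key_end = build_sample()
    payload, entry = carve_payload(blob, key_end)
    print(f"payload {len(payload)} bytes, entry at {entry}: {payload[entry:entry + 1]!r}")
    print("truncated dump accepted:", is_well_formed(blob[:-1], key_end))
```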

Takeaway:

Organizations are advised to block known DTrack C2 domains.

Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries

(published: November 15, 2022)

Background:

Symantec researchers detected a new campaign by China-sponsored cyberespionage group Billbug (aka Thrip, Lotus Blossom, Spring Dragon). Starting in March 2022, the group targeted a certificate authority in Asia and a number of government and defense agencies across various countries in Asia. The group was using its custom backdoors first detected in 2019: Hannotog and Sagerunex, as well as a large number of publicly-available tools: AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR.

Takeaway:

Network defenders should plan for detecting anomalous behavior from signed but malicious binaries. Certificate authorities should be regarded as critical targets and protected accordingly with a defense-in-depth approach.

Ukrainian CERT Discloses New Data-Wiping Campaign

(published: November 14, 2022)

Background:

Ukraine’s Computer Emergency Response Team (CERT) reported a new data-wiping campaign that has affected several Ukrainian organizations since spring 2022. The responsible group, UAC-0118 (which calls itself “From Russia with Love”, FRwL, and Z-Team), has been using a modified version of the Somnia ransomware that leaves no possibility of data decryption. UAC-0118 has likely been acquiring access from another threat group (an initial access broker). Employees were targeted to download bogus software that led to installation of the Vidar stealer.

The victim’s Telegram account had been used to transfer VPN connection configuration files (including certificates and authentication data) to users. For lateral movement and data exfiltration, the attackers used a number of tools: Anydesk, Cobalt Strike Beacon, Netscan, Ngrok, and Rclone.

Takeaway:

Organizations with exposure to the military conflict in Ukraine should prepare offline backups to minimize the effects of a potential data-wiping attack.
