A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity

Published April 28, 2022

Background:

ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security).

ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019.

Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor.

Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).

Takeaway:

Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated.

Educate your employees on handling suspected spearphishing attempts.

Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security.

Prevention and detection capabilities should also be in place.

BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX

Published April 27, 2022

Background:

Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President) targeting Russia.

They found overlapping infrastructure previously used by the same advanced persistent group (APT). In the last two years, Mustang Panda switched its targeting from Southeast Asia to Europe, and now, to Russia.

The latest attack starts by the threat actors somehow delivering a Windows executable file named in Russian that masquerades as a PDF file. It is heavily obfuscated and upon user execution it downloads four files from a staging server: decoy, legitimate but vulnerable signed executable, malicious DLL, and the PlugX payload.

Takeaway:

Suspicious malicious attachments and unwarranted files from the Internet should be reported to the system administrator and investigated.

Report abnormal file behaviours such as if the content of opened attachment doesn’t match its filename and/or email context.

Administrators should focus on detecting and blocking masquerading executable attachments.

Stonefly: North Korea-linked Spying Operation Continues to Hit High-Value Targets

Published April 27, 2022

Background:

Symantec researchers describe 2022 cyberespionage efforts by DarkSeoul (Stonefly, Silent Chollima), a North Korea-sponsored group first detected in 2009.

The attackers breached an engineering organization working in the energy and military sectors by exploiting the Log4j2 (CVE-2021-44228) vulnerability on a public-facing VMware View server.

During the attack, they relied on their updated custom backdoor Preft, a custom infostealer, and on a number of open-source tools: 3proxy tiny proxy server, Invoke-TheHash, Mimikatz, PuTTy, and WinSCP.

Preft works in four stages: main Python script (Stage 1) unpacks two shellcode scripts and the payload, first shellcode script (Stage 2) starts Internet Explorer and injects second shellcode (Stage 3) into it, final payload (Stage 4) acts as a HTTP remote access tool (RAT).

Takeaway:

Organizations should consider blocking certain open-source tools, scanners, and remote administration tools in their environments.

Keep your systems updated, segregate your networks, and limit accessibility of your servers from the Internet.

Manage your threats more easily

Discover Prism

New Black Basta Ransomware Springs into Action with a Dozen Breaches

Published April 27, 2022

Background:

Black Basta ransomware group first appeared in the second week of April 2022 and have since breached at least twelve companies.

One notable example is the attack on the US-based American Dental Association (ADA), when Black Basta started leaking ADA’s data, but then withdrew it, likely due to ransom negotiations.

Black Basta shows signs of being an experienced ransomware group that went through rebranding. MalwareHunterTeam and other researchers assess with medium confidence that Black Basta is a rebrand of Conti ransomware that is operated by the threat group Wizard Spider.

Takeaway:

As with other forms of cyber-attacks, it is crucial that organizations ensure that their systems are secure and protected. This includes patch management, enhanced security systems and practices, regular backups, and effective solutions to security problems.

Policies should be updated to include how to address these double-ransom attacks.

VMWare Identity Manager Attack: New Backdoor Discovered

Published April 25, 2022

Background:

On April 6, 2022, VMware addressed a number of vulnerabilities including VMware Workspace ONE Access (formerly VMware Identity Manager) remote code execution (RCE) vulnerability (CVE-2022-22957).

On April 11, a proof-of-concept for this RCE was published and on April 13, it started to be exploited in the wild. Morphisec researchers detected exploitation to launch reverse HTTPS backdoors—mainly Cobalt Strike, Core Impact, or Metasploit payloads. Core Impact is a penetration testing tool developed by Core Security and abused by the attackers.

The attack flow includes exploitation to deploy a PowerShell stager, which downloads a large, highly-obfuscated PowerShell script identified as the PowerTrash Loader, which decompresses the deflated payload: a Core Security Agent, and reflectively loads it in memory.

Takeaway:

VMWare’s identity access management should immediately apply the VMWare patches or consider virtual patching. Make sure your affected identity access management components are not accidentally published on the internet.

Emotet Malware Infects Users Again after Fixing Broken Installer

Published April 25, 2022

Background:

Threat group Mummy Spider adopted a new way to deliver Emotet, its modular stealer-downloader.

The first wave of malspam could not infect due to a file-referencing error in the LNK dropper code, but Mummy Spider fixed it by April 25, 2022.

This new malspam campaign includes password-protected ZIP archive attachments containing Windows shortcut (LNK) droppers masquerading as Microsoft Word documents.

After the user executes the LNK dropper, it finds a string in itself, copies the remainder into a Visual Basic Script (VBS) file and executes it.

Takeaway:

Defenders are advised against allowing .LNK files in incoming email attachments or password-protected archives.

Block .VBS executions out of temporary folders.

Encourage your users to report to sysadmin instead of clicking through unwarranted suspicious emails, especially with password-protected archives.

North Korean Hackers Targeting Journalists with Novel Malware

Published April 25, 2022

Background:

Stairwell researchers describe a multi-stage spear phishing attack on NK News, a US-based news media covering North Korea.

The attack is attributed to North Korea-sponsored group APT37 (Ricochet Chollima, ScarCruft).

Prior to the attack, APT37 compromised the computer of a former South Korean intelligence official, stole his past email correspondence with the NK News founder, and registered a similarly-looked email address.

They also typosquatted NK News domain by registering .US instead of .COM top-level domain (TLD).

The infection chain included user extracting and executing an attached LNK file leading to Powershell and shellcode scripts sequentially executing and downloading additional malware abusing Microsoft OneDrive and Google Drive file storages.

The final payload, Goldbackdoor, shares code similarities with Bluelight malware attributed to APT37 by Volexity in August 2021.

Takeaway:

Have offline antivirus capabilities available as APT37 pad their malicious attachments to make them too large for online analysis. Some foreign spear phishing attempts could be identified by minor inconsistencies in grammar or even cultural settings. In the described case, the target became suspicious of the request for help getting a book published in the US, something not so complicated.

Quantum Ransomware

Published April 25, 2022

Background:

Researchers with The DFIR Report detail a March 2022 domain-wide ransomware attack with an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes.

The first stage of the attack saw a user in the organization clicking a phishing ISO attachment and executing the embedded LNK file resulting in the IcedID infection. Actors gathered system and network information and created a scheduled task for IcedID persistence.

During the second hour of the attack, they created a cmd.exe process and injected Cobalt Strike into it, and proceeded with domain and network discovery and stealing credentials from LSASS memory.

During the third hour, attackers used stolen credentials to remotely (RDP) access an organization’s server, deploy a Cobalt Strike on it from second attempt, and move laterally to other Domain Controllers and file servers in the environment.

Finally during the fourth hour, attackers staged the Quantum ransomware executable on the Domain Controller, used Admin Shares to deliver it to individual machines, and executed it via WMIC and PsExec from the Domain Controller.

Takeaway:

Attackers can encrypt your organization machines just a couple hours after an employer activated a phishing email. Defenders should implement constant network monitoring and consider 24/7 security operation center (SOC) operations to respond to detected warnings in a timely manner.

Observed Threats

Mummy Spider

Mummy Spider is a cybercrime actor that was first identified by the security community in June 2014.

Mummy Spider is associated with Emotet malware that they used initially as a banking trojan, but has been updated over time to function as a modular downloader.

Mummy Spider operates Emotet as-a-service and it was used to delivers multiple malwares such as Cobalt Strike, IcedID, Gootkit, Trickbot among others.

Mummy Spider targets all industries and on a global scale by distributing the Emotet trojan via wide-scale malspam campaigns with malicious attachments or hyperlinks embedded in email messages.

Mustang Panda

Malicious activity conducted by the China-based cyberespionage group, Mustang Panda, was first identified by CrowdStrike in April 2017 and later published upon under the name of Mustang Panda in June 2018. The group is motivated by gaining access to information that appears to align with the strategic goals laid out by the government of the People’s Republic of China.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users

A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

CVE-2022-22954

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

CVE-2022-22957 & CVE-2022-22958

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.

Manage your threats more easily

Discover Prism Platform