COBALT MIRAGE Conducts Ransomware Operations in U.S.

Published: May 12, 2022

Background:

Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement.

Takeaway:

However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.

SYK Crypter Distributing Malware Families Via Discord

Published: May 12, 2022

Background:

Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter.

SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for debugging environment, achieves persistence through startup folder, and runs the payload using process hollowing technique. For final payloads the actors used the RedLine stealer and various remote access trojans: AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, and WarzoneRAT.

Takeaway:

As threat actors increasingly abuse popular cloud services, it is not always feasible to block all their staging domains. Organizations need to implement layered defenses starting from phishing awareness and finishing with network segmentation.

Bitter APT Adds Bangladesh to Their Targets

Published: May 11, 2022

Background:

Bitter (T-APT-17), is a group suspected of being sponsored by the Indian government. Since 2013, Bitter targeted China, Pakistan, and Saudi Arabia. From August 2021 to at least February 2022, their new cyberespionage campaign targeted the government of Bangladesh with spearphishing emails impersonating Pakistani officials.

Upon a user opening the attached maldoc, the Equation Editor application is launched to run the embedded objects with shellcode to exploit known Microsoft Office vulnerabilities. It allows the attackers to download and execute their custom Trojan-downloader that Cisco Talos researchers called ZxxZ for the string common in its command-and-control (C2) communication.

Takeaway:

The impersonation of government agencies continues to be an effective spearphishing tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. Email attachments should be treated as untrusted regardless of the sender’s credibility. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing.

Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques

Published: May 11, 2022

Background:

Proofpoint researchers describe Nerbian RAT, a new malware written in the Go programming language. It was spreading via malicious email campaigns using COVID-19 lures impersonating the World Health Organization (WHO). Nerbian reuses multiple open-source libraries, it reaches out to Github code of Chacal, a Golang anti-virtual-machine framework designed to make debugging and reverse engineering more difficult.

It stops if the size of the hard disk is too small or certain functions take too long to execute, and if it detects certain MAC addresses, processes, and strings in the disk name. Nerbian RAT has additional checks not provided by Chacal that query network interface names and if the executable is being debugged.

Takeaway:

Defenders should monitor for strings referring to offensive GitHub repositories such as Chacal. Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macroses. It is important to teach your users basic online hygiene and phishing awareness.

Info-Stealer Campaign Targets German Car Dealerships and Manufacturers

Published: May 10, 2022

Background:

Checkpoint researchers discovered a years-long phishing campaign that targeted German companies in the automotive industry. In February 2021, the actor behind this campaign started registering typosquatted domains. From July 2021 to mid-March 2022, phishing emails were sent enticing users to open attached ISO files and then the dropped .HTA (HTML Applications) file. The final payload was one of the various MaaS (Malware as a Service) info-stealers: AZORult, BitRAT, or Raccoon.

Takeaway:

Employees should be trained to report suspicious emails to IT.

Manage your threats more easily

Discover Prism

APT34 Targets Jordan Government Using New Saitama Backdoor 

Published: May 10, 2022

Background:

On April 26, 2022, Iran-sponsored actor Helix Kitten (OilRig, APT34) targeted Jordan’s foreign ministry with a phishing attachment dropping a new backdoor named Saitama. The backdoor is written in .Net and communicates via DNS protocol.

Saitama command-and-control (C2) includes hardcoded domains with subdomains generated using the Mersenne Twister pseudorandom number generator (PRNG). The backdoor also has a hardcoded list of possible command-line commands that include internal IP and domain addresses, showing the highly-targeted nature of the attack and some previous knowledge about the victim’s internal infrastructure. Saitama is implemented as a finite-state machine meaning it will change its state depending on the command sent to every state. For example, unsuccessful DNS requests puts the backdoor in sleep mode for a time between 6 and 8 hours, and Saitama has ​​different sleep time for every situation.

Takeaway:

Defense-in-depth is an effective way to help mitigate potential advanced persistent threat (APT) activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.

 

Costa Rica Declares National Emergency after Conti Ransomware Attacks 

Published: May 9, 2022

Background:

The Costa Rican President has declared a national emergency following cyber attacks from Conti ransomware group (threat actor Wizard Spider) on multiple government bodies. The country was cripled since the April 2022 attack and denying the ransom demand, its Treasury IT systems has been down for three weeks. Additionally, Conti started publishing the 672 GB dump of the data stolen from the Costa Rican government agencies. As Conti threatens many US organizations as well, the US Department of State has offered a multimillion-dollar reward for information to bring Conti co-conspirators to justice.

Takeaway:

Cleaning up after ransomware attacks involves restoration of backup data and IT systems, often purchasing at least some new equipment. A thorough investigation needed regarding the potential of abuse of leaked data in the future impersonation/phishing attacks.

 

Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains 

Published: May 9, 2022

Background:

Blackberry researchers analyzed a commodity malware called DCRat (DarkCrystal RAT). DCRat is a modular malware that receives regular updates even though its lowest price point is just $5 dollars (USD) for two months. DCRat is maintained by a developer in Russia. DCRat’s administration tool is programmed in a rarely seen JPHP programming language whose integrated development environment (IDE) is available only in the Russian language version. Subscribers have access to over two dozens of developer’s and third-party plugins with various functions including persistence, cryptomining, and stealing from various information stores.

Takeaway:

Defenders are advised to block known DCRat C2 domains. Potentially infected machines can be checked for presence of DCRat by identifying specific scheduled tasks and Windows registry entries

 

Observed Threats

Wizard Spider 

Wizard Spider is a financially-motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of Trickbot, Conti, Diavol, and Ryuk malware families.

Wizard Spider targets large organizations for a high-ransom return. This is a technique known as big game hunting (or BGH). Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personal Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing an increase in use.

Known associated groups are: Grim Spider – A group that has been operating Ryuk ransomware since August 2018; reported to be a cell of Wizard Spider, and Lunar Spider – This threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID). Main activities involve data theft and wire fraud.

OilRig 

The Advanced Persistent Threat (APT) group “OilRig” is believed to be an Iranian-based group that has been active since at least 2014. OilRig conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. OilRig uses a mix of public and custom tools to primarily target entities located in the Middle East.

Charming Kitten 

The Cyber Espionage group “Charming Kitten” is believed to be an Iranian-based group that has been active since at least 2014. Charming Kitten conducts cyber espionage operations on many entities, particularly diplomatic, media, and military organizations. The group is known for creating fake social media profiles, to use in an attempt to social engineer their targets. Charming Kitten also creates multiple fake news outlets, that copy news articles, from other legitimate sources, in order to use as a platform for attacks. The group has been observed to use gathered information to blackmail certain targets.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users 

A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

CVE-2021-34473 

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.

Manage your threats more easily

Discover Prism