Anomali Cyber Watch: AcidRain Wiped Viasat Modems, BlackMatter Rewritten into BlackCat Ransomware, SaintBear Goes with Go, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Information stealers, Phishing, Russia, Ukraine, Vulnerabilities, and Wipers. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

AcidRain | A Modem Wiper Rains Down on Europe

(published: March 31, 2022)

On February 24, 2022, Viasat KA-SAT modems became inoperable in Ukraine after threat actors exploited a misconfigured VPN appliance, compromised KA-SAT network, and were able to execute management commands on a large number of residential modems simultaneously. SentinelOne researchers discovered that a specific Linux wiper, dubbed AcidRain, likely used in that attack as it shows the same targeting and the same overwriting method that was seen in a Viasat’s Surfbeam2 modem targeted in the attack. AcidRain shows code similarities with VPNFilter stage 3 wiping plugin called dstr, but AcidRain’s code appears to be sloppier, so the connection between the two is still under investigation.
Analyst Comment: Internet service providers are heavily targeted due to their trust relationships with their customers and they should harden their configurations and access policies. Devices targeted by AcidRain can be brought back to service through flash memory/factory reset. Organizations exposed to Russia-Ukrainian military conflict should plan for backup options in case of a wiper attack.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] System Shutdown/Reboot - T1529 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: AcidRain, Viasat KA-SAT, Russia, Ukraine, Germany, target-country:UA, target-country:DE, Wiper, Modem, Supply-chain compromise, VPN appliance, VPNFilter

BlackCat Ransomware

(published: March 31, 2022)

BlackCat (ALPHV) ransomware-as-a-service surfaced on Russian-speaking underground forums in late 2021. The BlackCat ransomware is perhaps the first ransomware written entirely in Rust, and is capable of targeting both Windows and Linux machines. It targeted multiple industries in the US, Europe, the Philippines, and other regions, and Polyswarm researchers expect it to expand its operations. It is attributed to the BlackMatter/DarkSide ransomware threat group. BlackCat used some known BlackMatter infrastructure and shared the same techniques: reverse SSH tunnels and scheduled tasks for persistence, LSASS for credential access, lmpacket, RDP, and psexec for command and control.
Analyst Comment: It is crucial for your company to ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: BlackCat, ALPHV, Ransomware, BlackMatter, DarkSide, Russia, RaaS, USA, target-country:US, Europe, target-region:Europe, Philippines, target-country:PH, Reverse SSH tunnel, LSASS, Scheduled task, Impacket, RDP, psexec, Windows, Linux

Mars Stealer

(published: March 29, 2022)

Morphisec researchers were able to get an insider look into the new Mars infostealer customer operations as the threat actor keylogged himself. First discovered in June 2021, Mars is based on the Oski Stealer and is under constant development. In addition to regular password repositories, it is targeting over three dozen types of various cryptocurrency-related plugins (most targeted: Metamask, Coinbase, Binance, and Math wallets, in that order). Mars is sold on underground forums by Russian-speaking actors for $160 (USD) and doesn’t require any customer vetting. Customers deliver the stealer most commonly via phishing, and sometimes via typosquatted software sites promoted via Google Ads. These Mars payloads were packed by Babadeda crypter or Autoit loader. The studied campaign utilized anonymous VPS and proxy services, CloudFlare, and a GitLab account to host continuously updated latest Mars builds.
Analyst Comment: In addition to anti-phishing training users should be instructed to use caution when responding to online ads and searching for free software and documents. Pirated software carries an additional risk of being backdoored.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Proxy - T1090
Tags: Mars infostealer, Oski Stealer, Healthcare, Canada, Russia, source-country:RU, target-country:CA, Cryptocurrency wallet, Google Ads, Metamask, Coinbase wallet, Binance, Babadeda crypter, Autoit loader, Typosquatting, Phishing

New Phishing Campaigns Related to the Ukraine Military Conflict

(published: March 29, 2022)

Malwarebytes researchers discovered two new campaigns utilizing messages that are spoofing Russian online censorship agencies. The first campaign targeted the Russian Ministry of Internal Affairs, Ministry of Science and Higher Education of the Russian Federation, various Russian regional governments, and other users. It was the first time an attacker used RTF files to exploit the CAB-less version of the CVE-2021-40444 MSHTML exploit by embedding a malicious URL that downloads an HTML file which exploits the vulnerability in the MSHTML engine and executes the script in Windows Script Host (WSF) data back at the start of the RTF file. It leads to execution of the JScript, and spawning of PowerShell to download a CobaltStrike beacon. Another campaign, potentially related to Carbanak (Carbon Spider), used a similarly-themed lure to deliver a PowerShell-based Rat.
Analyst Comment: In times of crisis when users wonder about all the new regulations coming down, threat actors utilize these topics to craft phishing emails. Keep your systems updated, CAB-less version of CVE-2021-40444 is known to bypass some mitigations, but not the released patch itself.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: CABLESS, CAB-less 40444 exploit, CVE-2021-40444, MSHTML exploit, Cobalt Strike, PowerShell, Government, Russia, target-country:RU, Ukraine-Russia Conflict 2022, Carbanak, Carbon Spider

Cyber Actors Target US Election Officials with Invoice-Themed Phishing Campaign to Harvest Credentials

(published: March 29, 2022)

The Federal Bureau of Investigation (FBI) discovered a phishing campaign that targeted US election officials in at least nine states. This campaign had three waves of invoice-themed emails sent in October 2021. These emails contained attachments (either PDF or Microsoft Word documents) that were redirecting to a credential-harvesting website. The FBI expects increased targeting of the US election infrastructure in the lead-up to the November 2022 US midterm elections.
Analyst Comment: Network defenders should proactively monitor their infrastructure and establish proper communications with agencies helping with their defensive posture. Teach your users to recognize phishing, social engineering, and spoofing attempts, and encourage them to confirm, if possible, requests for sensitive information through secondary channels such as phone call. Implement multi-factor authentication (MFA), especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: Government, Elections, Phishing, USA, target-country:US

Sophisticated New Loader Used in Low-level Attacks

(published: March 29, 2022)

Symantec researchers analyzed a sophisticated loader they first spotted in January 2022 and called it Verblecon. The malware comes as a server-side polymorphic JAR file; it looks different every time it is downloaded. When executed it conducts multiple checks to determine if it is being debugged or run in a sandbox environment, these checks include: Java command-line arguments of its own process, typical virtual machine directories, MAC address prefixes, processes, files, usernames, and registry strings. Verblecon has both hard-coded command-and-control (C2) domains and those using domain generation algorithm (DGA). The campaign objective is to install cryptocurrency miner and to spread by stealing Discord tokens and advertising trojanized videogame applications.
Analyst Comment: Users’ trust in chatting apps is often exploited to spread trojans. Don’t rush to download and install something just because somebody previously-trusted messaged you. Try to verify the authenticity of the messenger and the file provided.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: Verblecon, Java, DGA, Cryptominer, Discord, Sandbox evasion

UAC-0056 Cyberattack on Ukrainian Authorities Using GraphSteel and GrimPlant Malware

(published: March 28, 2022)

Russia-sponsored group SaintBear (UAC-0056, SaintBear, UNC2589, TA471, Lorec53) was detected attacking Ukrainian government organizations using GraphSteel and GrimPlant backdoors. This campaign starts with malicious macros in a salary-themed phishing attachment. Upon activation, the macros decodes embedded hex-encoded data to drop and execute the next-stage downloader written in Go. This will download and run another downloader, which in turn will download and run two backdoors written in Go: GraphSteel and GrimPlant.
Analyst Comment: Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macroses. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: SaintBear, Russia, source-country:RU, Ukraine, target-country:UA, Ukraine-Russia Conflict 2022, Operation Bleeding Bear, UAC-0056, SaintBear, UNC2589, TA471, Lorec53, GraphSteel, GrimPlant, Golang, Macros

New Conversation Hijacking Campaign Delivering IcedID

(published: March 28, 2022)

Intezer researchers discovered a new phishing campaign that uses conversation hijacking to deliver IcedID (BokBot). By utilizing compromised Microsoft Exchange servers, the attackers forge a reply to a previously stolen email sending it from the email account from whom the email was stolen from. In March 2022, the group was attaching archived ISO files that included two files, a LNK file made to look like a document file and a DLL file. The observed tactics, techniques, and procedures (TTP) such as the use of conversation hijacking, IcedID, password-protected zip files, and regsvr32.exe for execution for malicious DLLs align with the threat group TA551 (Shathak, Gold Cabin).
Analyst Comment: Threat actors can improve their phishing success rates by making their replies to the hijacked conversations more convincing and by abusing specific file formats (such as ISO) to subvert Mark-of-the-Web (MOTW) controls. Organizations should respond by continuous user education and improving their endpoint security controls.
MITRE ATT&CK: [MITRE ATT&CK] Subvert Trust Controls - T1553 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: TA551, Shathak, Gold Cabin, BokBot, IcedID, Gziploader, Banking and finance, Healthcare, Energy, Law, Pharmaceutical, Initial access broker, Spearphishing, Signed binary proxy, Conversation hijacking, API hashing, Microsoft Exchange server, ISO, regsvr32.exe

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

The Carbanak group, which has been active since at least 2014, is primarily focused on attacking banks and companies in, and related to, the retail industry. Initially, the group focused only on attacking Russian banks, but in August 2015 they reportedly expanded their target scope to banks, hospitality, manufacturers of Point of Sale (PoS) systems, retailers, and restaurant industries worldwide. They are a sophisticated group that will compromise vendors employed by the primary target to use the vendor’s legitimate emails in spearphishing campaigns. In May 2021, Carbanak/DarkSide attack caused major US pipeline operator Colonial Pipeline to stop their operations.


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.