June 28, 2022
-
Anomali Threat Research
,

Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>API hammering, APT, China, Phishing, Ransomware, Russia,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/jaFIle2QayHa6JdQsU5a"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://asec.ahnlab.com/en/35822/" target="_blank">Lockbit Ransomware Disguised as Copyright Claim E-mail Being Distributed</a></h3> <p>(published: June 24, 2022)</p> <p>ASEC researchers have released their analysis of a recent phishing campaign, active since February 2022. The campaign aims to infect users with Lockbit ransomware, using the pretense of a copyright claim as the phishing lure. The phishing email directs the recipient to open the attached zip file which contains a pdf of the infringed material. In reality, the pdf is a disguised NSIS executable which downloads and installs Lockbit. The ransomware is installed onto the desktop for persistence through desktop change or reboot. Prior to data encryption, Lockbit will delete the volume shadow copy to prevent data recovery, in addition to terminating a variety of services and processes to avoid detection.<br/> <b>Analyst Comment:</b> Never click on suspicious attachments or run any executables from suspicious emails. Copyright infringement emails are a common phishing lure. Such emails will be straight forward to rectify if legitimate. If a copyright email is attempting to coerce you into opening attachments, such emails should be treated with extreme caution.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/3905778" target="_blank">[MITRE ATT&amp;CK] Impair Defenses - T1562</a><br/> <b>Tags:</b> malware:Phishing, malware:Lockbit, Lockbit, Copyright, Ransomware</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/api-hammering-malware-families/" target="_blank">There is More Than One Way To Sleep: Deep Dive into the Implementations of API Hammering by Various Malware Families</a></h3> <p>(published: June 24, 2022)</p> <p>Researchers at Palo Alto Networks have released their analysis of new BazarLoader and Zloader samples that utilize API Hammering as a technique to evade sandbox detection. API Hammering makes use of a large volume of Windows API calls to delay the execution of malicious activity to trick sandboxes into thinking the malware is benign. Whilst BazarLoader has utilized the technique in the past, this new variant creates large loops of benign API using a new process. Encoded registry keys within the malware are used for the calls and the large loop count is created from the offset of the first null byte of the first file in System32 directory. Zloader uses a different form of API Hammering to evade sandbox detection. Hardcoded within Zloader are four large functions with many smaller functions within. Each function makes an input/output (I/O) call to mimic the behavior of many legitimate processes.<br/> <b>Analyst Comment:</b> Defense in depth is the best defense against sophisticated malware. The Anomali Platform can assist in detection of malware and Match anomalous activity from all telemetry sources to provide the complete picture of adversary activity within your network.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> malware:BazarLoader, malware:Zloader, BazarLoader, Zloader, API Hammering</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/ar22-174a" target="_blank">Malware Analysis Report (AR22-174A)</a></h3> <p>(published: June 23, 2022)</p> <p>The Cybersecurity and Infrastructure Security Agency (CISA) have released a new malware analysis report on a malicious version of XMRIG Cryptominer which functions as a remote access trojan (RAT). The loader for the malware is only decrypted during execution, and is only executed within memory. C2 instructions for the RAT are received from a hardcoded ip address and always on port 443. Functionality for the RAT includes data exfiltration, desktop monitoring, keylogging, lateral movement and reverse shell access.<br/> <b>Analyst Comment:</b> Malware signatures are provided within the report; an up to date antivirus solution is a critical component of a robust defense in depth protection policy.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a><br/> <b>Tags:</b> malware:XMRIG, XMRIG Cryptominer, XMRIG, RAT, CISA</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.rapid7.com/blog/post/2022/06/23/cve-2022-31749-watchguard-authenticated-arbitrary-file-read-write-fixed/" target="_blank">CVE-2022-31749: WatchGuard Authenticated Arbitrary File Read/Write (Fixed)</a></h3> <p>(published: June 23, 2022)</p> <p>Researchers at Rapid7 have reported that as of 23rd of June, a patch had been released for an exploit they discovered, recorded as CVE-2022-31749. The vulnerability allows users of a low privilege level of Watchguard Firebox or XTM users to read system files arbitrarily via argument injection if using SSH. If using the diagnose or import pac commands, arguments can be passed to ftpput and ftpget commands bypassing credential authentication. Whilst it is still unconfirmed if remote code execution (RCE) is possible with this vulnerability, proof of concept exploitations have shown that the configd-hash.xml file can be exfiltrated, containing user password hashes.<br/> <b>Analyst Comment:</b> A patch management policy will ensure that critical systems and vulnerabilities are patched in a timely manner with minimal downtime. Always change standard passwords, as they are weak and their hashes can be reversed into usable passwords by threat actors easily if they are stolen.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3906164" target="_blank">[MITRE ATT&amp;CK] Abuse Elevation Control Mechanism - T1548</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a><br/> <b>Tags:</b> vulnerability:CVE-2021-26855, Watchguard, XTM, CVE-2021-26855, ssh</p> </div> <div class="trending-threat-article"> <h3><a href="https://research.checkpoint.com/2022/chinese-actor-takes-aim-armed-with-nim-language-and-bizarro-aes/" target="_blank">Chinese Actor Takes Aim, Armed with Nim Language and Bizzaro AES</a></h3> <p>(published: June 22, 2022)</p> <p>Checkpoint Researchers have identified a campaign of activity by a Chinese-speaking actor that is likely closely linked to the threat actor Tropic Trooper (PIRATE PANDA, APT23). Whilst the initial infection vector the group employs is unknown, the dropper being used after infection in this campaign is written in Nim and executes 2 instructions. The first is to download a Mandarin based app named SMS Bomber, used to conduct DDOS attacks on phones, but additionally it injects some Shellcode into a notepad.exe process, effectively making SMS Bomber a trojanized app. The Shellcode contacts an obfuscated IP before downloading the Yahoyah trojan and TClient backdoor, both previously used by Tropic Trooper. To disrupt analysis, strings that are usually encrypted with AES are instead encrypted with an inverted sequence of AES operations, resulting in an increase to researcher time to deobfuscate.<br/> <b>Analyst Comment:</b> A defense in depth approach to security is the best defense against APT groups. The Anomali Platform can assist in detecting APT activity within your networks, correlating your logs against global intelligence to detect malicious activity and launch investigations.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3904523" target="_blank">[MITRE ATT&amp;CK] Rogue Domain Controller - T1207</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a><br/> <b>Tags:</b> actor:Tropic Trooper, actor:PIRATE PANDA, mitre-group:APT23, Tropic Trooper, PIRATE PANDA, APT23, malware:Yahoyah, malware:TClient, Yahoyah, TClient, AES, DDOS, SMS Bomber, Shellcode</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.talosintelligence.com/2022/06/avoslocker-new-arsenal.html" target="_blank">Avos Ransomware Group Expands with New Attack Arsenal</a></h3> <p>(published: June 21, 2022)</p> <p>Cisco Talos researchers have documented the recent activity of Avos, a threat actor who is typically involved in Ransomware as a Service (RaaS) activities. The threat actor maintains AvosLocker as the ransomware of choice. Whilst spam campaigns are often the initial infection vector, from late 2021 onward Avos was seen exploiting Log4j vulnerabilities for arbitrary code injection, specifically CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832. Once the threat actors gain access to the victim’s machine, an encoded Powershell script is used to download AvosLocker. As of publication date, Avos is still operating on a RaaS model of operations.<br/> <b>Analyst Comment:</b> Critical vulnerabilities should be patched at the earliest possible opportunity to reduce the risk of exploitation. A patch management process should facilitate and oversee patch deployment to minimize downtime for vulnerable systems.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> actor:Avos, Avos, AvosLocker, malware:AvosLocker, Powershell, Log4j, RaaS, Spam</p> </div> <div class="trending-threat-article"> <h3><a href="https://securelist.com/toddycat/106799/" target="_blank">Unveiling an Unknown APT Actor Attacking High-Profile Entities in Europe and Asia</a></h3> <p>(published: June 21, 2022)</p> <p>Kaspersky researchers have released their analysis of a new APT group dubbed ToddyCat. Active since December 2020, ToddyCat has been linked to multiple campaigns exploiting ProxyLogon (CVE-2021-26855) to compromise Microsoft Exchange servers initially in Taiwan and Vietnam. New countries they have targeted include Afghanistan, India, Indonesia, Iran, Kyrgyzstan, Malaysia, Pakistan, Russia, Slovakia, Thailand, United Kingdom and Uzbekistan. Additionally, ToddyCat utilizes two unique, custom malware; a backdoor named Samurai and a trojan named Ninja. Samurai is a sophisticated backdoor operated on ports 80 and 443 and it allows for the deployment of additional malware (mostly Ninja) and lateral movement. It features anti-analysis functionality, being heavily encrypted and using complicated switch cases to confuse instruction flow. Ninja is a powerful trojan that boasts functionality including file system management, process enumeration, multiple reverse shell sessions and arbitrary code injection.<br/> <b>Analyst Comment:</b> Patch management policies should be enforced to ensure that critical vulnerabilities are patched as soon as possible. The Anomali platform can help identify malicious Indicators of Compromise within your system and provide insight into the threat actors targeting you.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3904549" target="_blank">[MITRE ATT&amp;CK] Remote Service Session Hijacking - T1563</a> | <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947276" target="_blank">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a><br/> <b>Tags:</b> actor:ToddyCat, vulnerability:CVE-2021-26855, Samurai, Ninja, ToddyCat, ProxyLogon, target-region:Asia, target-region:Europe, malware:Samurai, malware:Ninja</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/" target="_blank">Russia’s APT28 Uses Fear of Nuclear War to Spread Follina Docs in Ukraine</a></h3> <p>(published: June 21, 2022)</p> <p>Malwarebytes researchers have documented a new campaign by Russia-sponsored threat actor APT28 (Fancy Bear), utilizing Follina (CVE-2022-30190), a remote code execution vulnerability affecting Microsoft Support Diagnostic Tool (MSDT) to steal information. Phishing emails were distributed that contain a Microsoft Word document whose contents were copied from an Atlantic Council article. The document contained an embedded Document.xml.rels to retrieve a HTML file which, in turn, executes an encoded Powershell Script. Once executed, a custom stealer is installed which targets usernames, passwords and urls on Chrome and Edge, and cookie data on Firefox. Stolen data is exfiltrated to a C2 domain using IMAP email protocol.<br/> <b>Analyst Comment:</b> Never open documents from suspicious emails. Fear is a common tactic to pressure victims into making a hasty decision, thus scare attempts to open attachments should be treated with a high degree of caution.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947224" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947216" target="_blank">[MITRE ATT&amp;CK] Exploitation for Credential Access - T1212</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3297610" target="_blank">[MITRE ATT&amp;CK] Steal Web Session Cookie - T1539</a><br/> <b>Tags:</b> mitre-group:APT28, Fancy Bear, vulnerability:CVE-2022-30190, Atlantic Council, Russia, Follina, Powershell, Chrome, Edge, Firefox</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.malwarebytes.com/threat-intelligence/2022/06/client-side-magecart-attacks-still-around-but-more-covert/" target="_blank">Client-Side Magecart Attacks Still Around, but More Covert </a></h3> <p>(published: June 20, 2022)</p> <p>Research from Malwarebytes has detected a new wave of Magecart skimmers, which have been active since November 2021. These still function client side, but come with additional functionality. Variable names, once in plain text with names reflecting the data they contained, are now obfuscated to make analysis more difficult. Additionally, the skimmers check for the presence of a VM, stopping their execution if they detect a sandbox.<br/> <b>Analyst Comment:</b> Ensure endpoint security is up to date and security patches are installed in a timely manner to minimize the risk of skimmer injection. Monitor network traffic for strange behavior to detect possible C2 activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> Magecart, skimmers, credential theft, sandbox evasion</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/microsoft-365-credentials-targeted-in-new-fake-voicemail-campaign/" target="_blank">Microsoft 365 Credentials Targeted in New Fake Voicemail Campaign</a></h3> <p>(published: June 20, 2022)</p> <p>ZScaler researchers have discovered a new phishing campaign targeting organizations within the US, specifically those within the Healthcare, Manufacturing, Military and Security Software industries. The emails are routed through Japanese email services to spoof targeted organizations. Each phishing email contains a HTML attachment with a musical note inside the file text to masquerade as a voice note file. When opened, embedded Javascript within the file triggers, redirecting victims to a phishing site with a CAPTCHA security to feign legitimacy. Following this, a fake Microsoft login portal is presented that will steal any credentials entered.<br/> <b>Analyst Comment:</b> Never click on attachments from suspicious emails. Education is the best defense against phishing attacks. Always check the domain and url are correct before entering in any private or personal information. If you are logged in already, and you are asked to log in an additional time, it is a possible indicator that the website is illegitimate.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Phishing, Healthcare, Manufacturing, Military,Security Software, HTML, CAPTCHA, Microsoft, Javascript</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.