March 20, 2023
Anomali Threat Research

Anomali Cyber Watch: Winter Vivern Impersonates Poland's Combating Cybercrime Webpage, Trojanized Telegram Steals Cryptocurrency Keys from Screenshots, and More

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, China, Data leak, Injectors, Packers, Phishing, Ransomware, Russia, </b> and <b>Ukraine</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="" target="_blank">Winter Vivern | Uncovering a Wave of Global Espionage</a></h3> <p>(published: March 16, 2023)</p> <p>Since December 2020, Winter Vivern has been engaging in cyberespionage campaigns aligned with Belarusian and Russian government objectives. Since January 2021, it has targeted government organizations in Lithuania, India, the Vatican, and Slovakia. From mid-2022 to December 2022, it targeted India and Ukraine: it impersonated the Indian government’s email service website and sent a macro-enabled Excel file to target a project facilitating the surrender of Russian military personnel. In early 2023, Winter Vivern created fake pages for Poland’s Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine. The group often relies on simply phishing for credentials. Other Winter Vivern activity includes malicious Office documents with macros, a loader script mimicking a virus scanner, and the installation of the Aperetif backdoor. The group’s malicious infrastructure includes typosquatted domains and compromised WordPress websites.<br /> <b>Analyst Comment:</b> Pay attention when a domain asks for your passwords, and try to establish its authenticity and ownership. 
Anomali customers concerned about risks to their digital assets (including similar/typosquatted domains) can try out <a href="" target="_blank">Anomali&#39;s Premium Digital Risk Protection service</a>. Many advanced attacks start with basic techniques such as unsolicited email with malicious attachments that require the user to open them and enable macros. It is important to teach your users basic online hygiene and phishing awareness.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="" target="_blank">[MITRE ATT&CK] T1059.001: PowerShell</a> | <a href="" target="_blank">[MITRE ATT&CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a><br /> <b>Tags:</b> actor:Winter Vivern, actor:UAC-0114, Cyberespionage, Phishing, Maldoc, malware-type:Loader, target-country:Ukraine, target-country:UA, target-country:Lithuania, target-country:LT, target-country:India, target-country:IN, target-country:Vatican, target-country:Holy See, target-country:VA, target-country:Slovakia, target-country:SK, target-country:Poland, target-country:PL, target-country:Italy, target-country:IT, target-industry:Government, target-industry:Telecom, Macros, Batch script, PowerShell, Visual C++, file-type:XLS, file-type:PHP, malware:APERETIF, detection:Alien, Compromised website, Acunetix vulnerability scanner, WordPress, Windows</p> <h3 id="article-2"><a href="" target="_blank">Not‑So‑Private Messaging: Trojanized WhatsApp and Telegram Apps Go After Cryptocurrency Wallets</a></h3> <p>(published: March 16, 2023)</p> <p>ESET researchers have discovered cryptocurrency-stealing activity based on dozens of websites offering trojanized versions of Telegram and WhatsApp instant messaging apps. 
This activity consists of at least two distinct clusters, but the general techniques are similar. The attackers mostly used clipper malware, which replaces cryptocurrency addresses with ones controlled by the attacker. In some cases, the trojanized app was still displaying the original addresses for sent messages. Another type of attack involved information-stealing malware specifically looking to exfiltrate messages mentioning keywords such as “mnemonic” to find cryptocurrency wallet recovery phrases. The attackers targeted Android and, to a lesser extent, Windows, and attempted to target iOS. Some of these malicious apps use optical character recognition (OCR) to recognize text from screenshots.<br /> <b>Analyst Comment:</b> It is important to install your apps from official app stores (Google Play, Microsoft Store). If those are not available (such as in China), consider the risks and avoid using questionable apps on devices that you may use for financial transactions (including cryptocurrencies). 
Since double-checking the payment address prior to sending doesn’t stop these newer clipper operations, an alternative channel to confirm the payment address can be used (such as over a voice call).<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] T1418 - Application Discovery</a> | <a href="" target="_blank">[MITRE ATT&CK] T1409 - Access Stored Application Data</a> | <a href="" target="_blank">[MITRE ATT&CK] T1437.001 - Application Layer Protocol: Web Protocols</a> | <a href="" target="_blank">[MITRE ATT&CK] T1646 - Exfiltration Over C2 Channel</a> | <a href="" target="_blank">[MITRE ATT&CK] T1641.001 - Data Manipulation: Transmitted Data Manipulation</a> | <a href="" target="_blank">[MITRE ATT&CK] T1106: Native API</a> | <a href="" target="_blank">[MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="" target="_blank">[MITRE ATT&CK] T1134 - Access Token Manipulation</a> | <a href="" target="_blank">[MITRE ATT&CK] T1070.001 - Indicator Removal on Host: Clear Windows Event Logs</a> | <a href="" target="_blank">[MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="" target="_blank">[MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="" target="_blank">[MITRE ATT&CK] T1622 - Debugger Evasion</a> | <a href="" target="_blank">[MITRE ATT&CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="" target="_blank">[MITRE ATT&CK] T1056.001 - Input Capture: Keylogging</a> | <a href="" target="_blank">[MITRE ATT&CK] T1010 - Application Window Discovery</a> | <a href="" target="_blank">[MITRE ATT&CK] T1012: Query Registry</a> | <a href="" target="_blank">[MITRE ATT&CK] T1057 - Process Discovery</a> | <a href="" target="_blank">[MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082</a> | <a href="" target="_blank">[MITRE ATT&CK] T1113 - Screen Capture</a> | <a href="" target="_blank">[MITRE ATT&CK] T1115 - 
Clipboard Data</a> | <a href="" target="_blank">[MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="" target="_blank">[MITRE ATT&CK] T1095 - Non-Application Layer Protocol</a> | <a href="" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a> | <a href="" target="_blank">[MITRE ATT&CK] T1573 - Encrypted Channel</a> | <a href="" target="_blank">[MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel</a> | <a href="" target="_blank">[MITRE ATT&CK] T1529 - System Shutdown/Reboot</a> | <a href="" target="_blank">[MITRE ATT&CK] T1565.002 - Data Manipulation: Transmitted Data Manipulation</a> | <a href="" target="_blank">[MITRE ATT&CK] T1531 - Account Access Removal</a><br /> <b>Tags:</b> malware-type:Clipper, detection:Android/Clipper, malware:Gh0st RAT, detection:Win32/Farfli.CUO, Cryptocurrency, Wallet recovery phrase, Bitcoin, TRON, Ethereum, Monero, Binance, Trojanized app, Telegram, WhatsApp, Instant messaging, OCR, iOS, Windows, Android</p> <h3 id="article-3"><a href="" target="_blank">BianLian Ransomware Gang Continues to Evolve</a></h3> <p>(published: March 16, 2023)</p> <p>The BianLian ransomware group’s double-extortion operations were first discovered in September 2022 and go back to December 2021. In January 2023, Avast publicized a decryptor for a BianLian ransomware variant. The group followed up by focusing its attacks on data-leak extortion as opposed to encryption. By March 2023, BianLian had refreshed its infrastructure, as the average life of its C2 domains is two weeks. BianLian brings over 25 new C2 domains online each month, and the new domains are used by its custom Golang-based backdoor immediately or within minutes. Among 118 victim organizations targeted by BianLian (as of March 13, 2023), the most common industries are healthcare, engineering, education, and IT (in that order), and the majority are from the US.<br /> <b>Analyst Comment:</b> Keep your systems updated to avoid BianLian exploiting known vulnerabilities. 
All known BianLian host- and network-based indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] T1486: Data Encrypted for Impact</a> | <a href="" target="_blank">[MITRE ATT&CK] T1005: Data from Local System</a> | <a href="" target="_blank">[MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel</a><br /> <b>Tags:</b> actor:BianLian, malware-type:Ransomware, target-country:USA, target-country:US, target-country:United Kingdom, target-country:GB, target-country:Australia, target-country:AU, target-country:Canada, target-country:CA, target-country:India, target-country:IN, target-industry:Healthcare, target-industry:Education, target-industry:Engineering, target-industry:IT, Golang, malware-type:Backdoor, Windows</p> <h3 id="article-4"><a href="" target="_blank">DotRunpeX – Demystifying New Virtualized .NET Injector Used in the Wild</a></h3> <p>(published: March 15, 2023)</p> <p>Over the period of October 2022 - January 2023, Check Point researchers observed a new injector written in .NET dubbed dotRunpeX. It was involved as a second-stage malware in different commodity campaigns, being loaded by variants of .NET loaders/downloaders delivered via phishing attachments and websites masquerading as regular program utilities. Less frequently, dotRunpeX was delivered via Google Ads or even via trojanized malware builders. DotRunpeX is protected by virtualization (a customized version of KoiVM) and obfuscation (ConfuserEx). To avoid debuggers, the malware authors hide crucial APIs related to unmapping and writing to remote process memory (D/Invoke framework) by using a decoy routine, remapping, and syscall patching. Additionally, dotRunpeX can evade antiviruses by killing a hardcoded list of anti-malware services with the help of the Sysinternals Procexp process explorer driver. 
DotRunpeX uses the process hollowing technique to infect systems with a variety of known malware families, the most common being Redline, Raccoon Stealer 2.0, Vidar, AgentTesla, and Formbook, in that order.<br /> <b>Analyst Comment:</b> Users should avoid questionable ads, tools, and attachments. Researchers can use injector_ZZ_dotRunpeX YARA rules developed by Check Point (linked below).<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] T1055.012 - Process Injection: Process Hollowing</a> | <a href="" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a> | <a href="" target="_blank">[MITRE ATT&CK] T1622 - Debugger Evasion</a> | <a href="" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="" target="_blank">[MITRE ATT&CK] T1204 - User Execution</a> | <a href="" target="_blank">[MITRE ATT&CK] T1497 - Virtualization/Sandbox Evasion</a><br /> <b>Signatures:</b> <a href="" target="_blank">dotRunpeX Injector. YARA by Jiri Vinopal</a> | <a href="" target="_blank">dotRunpeX Injector. Versions Oct.2022-Jan.2023. 
YARA by Jiri Vinopal</a><br /> <b>Tags:</b> malware:DotRunpeX, detection:injector_ZZ_dotRunpeX, .NET, malware-type:Injector, Google Ads, malware-type:Infostealer, malware-type:RAT, malware-type:Loader, malware-type:Downloader, malware:AgentTesla, malware:ArrowRAT, malware:AsyncRat, malware:AveMaria/WarzoneRAT, malware:BitRAT, malware:Formbook, malware:LgoogLoader, malware:Lokibot, malware:NetWire, malware:PrivateLoader, malware:QuasarRAT, malware:RecordBreaker, malware:Raccoon Stealer 2.0, malware:Redline, malware:Remcos, malware:Rhadamanthys, malware:SnakeKeylogger, malware:Vidar, malware:XWorm, file-type:EXE, KoiVM virtualizer, AMSI Bypass, UAC Bypass, RunpeX.Stub.Framework, Sysinternals Procexp, Windows</p> <h3 id="article-5"><a href="" target="_blank">SilkLoader : Journey of a Cobalt Strike Beacon Loader along the Silk Road</a></h3> <p>(published: March 15, 2023)</p> <p>WithSecure researchers analyzed a custom Cobalt Strike beacon loader dubbed SilkLoader. It was originally developed by China-based actors and used in attacks in mid-2022 targeting China and Hong Kong. In September 2022, SilkLoader reappeared after a short absence, displaying new Russia-associated compilation times, malware, and metadata. It was likely sold to a Russia-based operator that is making it available standalone as a service (Packer-as-a-Service) or as a Cobalt Strike combo (Infrastructure-as-a-Service). In the last quarter of 2022, SilkLoader&#39;s new targeting included Brazil, France, and Taiwan. SilkLoader attacks up to February 2023 were associated with malware campaigns involving GootLoader delivery and/or trying to deploy the PLAY ransomware. SilkLoader acts as a shellcode loader leveraging DLL side-loading; it uses dynamic resolution for the API functions it needs, XOR encryption, and Base64 encoding. SilkLoader checks for VirusTotal sandboxes by checking whether the process command line contains the word “TRANSFER”. 
Additionally, even in the hands of Russia-based actors, SilkLoader continues checking for a default username used by ThreatBook Cloud Sandbox, a platform primarily used within the Chinese/East Asian cybersecurity sphere.<br /> <b>Analyst Comment:</b> All known indicators associated with SilkLoader activities are available in the Anomali platform and customers are advised to block these on their infrastructure.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="" target="_blank">[MITRE ATT&CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="" target="_blank">[MITRE ATT&CK] T1027.007 - Obfuscated Files or Information: Dynamic Api Resolution</a> | <a href="" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a> | <a href="" target="_blank">[MITRE ATT&CK] T1497 - Virtualization/Sandbox Evasion</a><br /> <b>Signatures:</b> <a href="" target="_blank">SilkLoader. YARA by WithSecure</a><br /> <b>Tags:</b> malware:SilkLoader, malware-type:Loader, malware:Cobalt Strike beacon, source-country:Russia, source-country:RU, source-country:China, source-country:CN, file-type:EXE, file-type:DLL, XOR, Base64, Packer-as-a-Service, malware:Cobalt Strike, malware:GootLoader, malware:PLAY, malware-type:Ransomware, Infrastructure-as-a-Service, Windows</p> </div> </div>
