Anomali Cyber Watch: APT Groups, Cobalt Strike, Russia, Malware, and More | Anomali

We are excited to announce Anomali Cyber Watch, your weekly intelligence digest. Replacing the Anomali Weekly Threat Briefing, Anomali Cyber Watch provides summaries of significant cybersecurity and threat intelligence events, analyst comments, and recommendations from Anomali Threat Research to increase situational awareness, and the associated tactics, techniques, and procedures (TTPs) to empower automated response actions proactively.

We hope you find this version informative and useful. If you haven’t already subscribed get signed up today so you can receive curated and summarized cybersecurity intelligence events weekly.

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, Emotet, Go, Masslogger, Mustang Panda, OilRig, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact

(published: February 26, 2021)

Recent reporting indicates that two prolific cybercrime threat groups, CARBON SPIDER and SPRITE SPIDER, have begun targeting ESXi, a hypervisor developed by VMWare to run and manage virtual machines. SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory. After authenticating to vCenter, SPRITE SPIDER enables ssh to permit persistent access to ESXi devices. In some cases, they also change the root account password or the host’s ssh keys. Before deploying Defray 777, SPRITE SPIDER’s ransomware of choice, they terminate running VMs to allow the ransomware to encrypt files associated with those VMs. CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access being gained using low-volume phishing campaigns against this sector. But throughout 2020 they were observed shifting focus to “Big Game Hunting” with the introduction of the Darkside Ransomware. CARBON SPIDER gains access to ESXi servers using valid credentials and reportedly also logs in over ssh using the Plink utility to drop the Darkside
Recommendation: Both CARBON SPIDER and SPRITE SPIDER likely intend to use ransomware targeting ESXi to inflict greater harm – and hopefully realize larger profits – than traditional ransomware operations against Windows systems. Should these campaigns continue and prove to be profitable, we would expect more threat actors to imitate these activities.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Hidden Files and Directories - T1158 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Scheduled Transfer - T1029 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Remote Desktop Protocol - T1076 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Credentials from Web Browsers - T1503 | [MITRE ATT&CK] Credential Dumping - T1003
Tags: PyXie, Cobalt Strike, REvil, Vatet, LaZagne, Sekur, PowerSploit, Mimikatz, Griffon, Darkside, Anunak, Target777, BokBot, Defray, RansomEXX, Vatet, Defray777, CARBON SPIDER, Group 24, Defray 2018, PINCHY SPIDER, LUNAR SPIDER, Target777, SPRITE SPIDER

Year of the Gopher: 2020 Go Malware Round-Up

(published: February 26, 2021)

Cybersecurity company Intezer reported that the number of malware strains coded in the Golang programming language has seen a sharp increase of around 2,000% since 2017. These findings highlight and confirm a general trend in the malware ecosystem, where malware authors have slowly moved away from C and C++ to Go, a programming language developed and launched by Google in 2007. The primary reasons for the increased use of Go are that it easily supports cross-platform compilation, its binaries remain hard to analyze and reverse engineer by security researchers, and Go supports working with network packets and requests.
Recommendation: Golang appears to be gaining popularity for the same reason any technology does; it's easier and more versatile than the previous standard. As we expect this trend to continue, we recommend that defensive cybersecurity organizations and threat researchers begin to investigate how they intend to fill any potential skills gaps they have in association to Golang.
MITRE ATT&CK: [MITRE ATT&CK] Security Software Discovery - T1063
Tags: APT28, APT29, Mustang Panda, Carbanak group, Glupteba, RobbinHood, WellMess, Nefilim, Zebrocy, CryptoStealer.GO, GOSH, Godlike12, Go Loader, EKANS, Russia, China

Russian Hackers Linked to Attack Targeting Ukrainian Government

(published: February 24, 2021)

Ukraine’s National Security and Defense Council (NSDC) has linked Russian-backed hackers to attempts to breach state agencies after compromising the government's document management system on 18 February 2021. While Ukraine did not directly accuse Russia of the denial-of-service (DDoS) attacks, they stated that the attackers' IP addresses were located on Russian networks. Ukrainian investigations uncovered a new malware planted on vulnerable government servers that adds the devices into an attacker-controlled botnet. The System of Electronic Interaction of Executive Bodies (SEI EB) hacked in this attack is used by most public authorities to share documents. The Russian-linked threat actors attempted to use the document sharing system "to disseminate malicious documents".
Recommendation: Tensions between Russia and Ukraine have been high for the better part of a decade, due in large part to Russia's annexation of Crimea in 2014. Cyber hostilities are not unusual and should be expected to continue.
MITRE ATT&CK: [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Remote File Copy - T1105
Tags: Russia, Ukraine, DDoS, Government, Egregor

Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion

(published: February 24, 2021)

Researchers have identified a set of threat actors (dubbed UNC2546 and UNC2582) with connections to the FIN11 and the Clop ransomware gang as the criminal group responsible for a February 2021 global zero-day attack on users of the Accellion File Transfer Appliance (FTA). The financially motivated FIN11 has been around for at least four years, conducting widespread phishing campaigns and adding point-of-sale malware to its arsenal in 2018. In 2019 FIN11 was also observed conducting routine ransomware attacks. In this ongoing campaign, as many as 100 companies have been victims so far, with approximately 25 reporting "significant data theft.” The global attack triggered four members of the Five Eyes intelligence-sharing alliance (US, UK, Canada, Australia, and New Zealand), in collaboration with Singapore, to issue a joint security advisory about ongoing attacks and extortion attempts targeting organizations using the Accellion FTA. The extortion attempts included emails tailored to specific victims, including contact information and a threat of data exposure if victims failed to cooperate. Monitoring of the CL0P^_- LEAKS shaming site revealed that UNC2582 followed through on at least one of those threats to publish stolen data.
Recommendation: This global campaign has so far been limited to exploiting the Accellion File Transfer Appliance, which was already heading towards end-of-life. Accellion has issued a strong recommendation for all users to migrate to kiteworks, Accellion’s enterprise content firewall platform. Additionall, USCERT issued Alert (AA21-055A), which included recommended mitigation for this threat.
MITRE ATT&CK: [MITRE ATT&CK] Web Shell - T1100 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: FRIENDSPEAK, CLOP, DEWMODE, FIN11, CL0P, UNC2546, UNC2582, Banking And Finance, Retail, Aviation, CVE-2021-27103, CVE-2021-27102, CVE-2021-27101, CVE-2021-27104, EU, UK, North America, Asia, Australasia

LazyScripter: From Empire to double RAT

(published: February 24, 2021)

Security researchers from Malwarebytes published reporting on 24 February that an unidentified Advanced Persistent Threat (APT) – who they dubbed “LazyScripter” – conducted a phishing campaign since at least 2018 that primarily targeted the airline industry and people seeking to immigrate to Canada for employment. Among LazyScripter’s reported targets were the International Air Transport Association (IATA) security, the Canada skilled worker program, and CanadaVisa[.]com (the online presence of the Campbell Cohen Immigration Law Firm). While confident attribution has yet to be made, LazyScripter displays similarities to both Russian (APT28) and Iranian APT34/OilRig) threats. The infrastructure supporting this long-term campaign remains active as LazyScripter. Additionally, this actor or group continues to evolve, including most recently delivering freely available Octopus and Koadic malware through malicious documents and ZIP archives that contained embedded objects as opposed to the more commonly seen macro code in phishing attacks.The infrastructure supporting this long-term campaign remains active as LazyScripter. Additionally, this actor or group continues to evolve, including most recently delivering freely available Octopus and Koadic malware through malicious documents and ZIP archives that contained embedded objects as opposed to the more commonly seen macro code in phishing attacks.
Recommendation: As with most newly discovered threat actors or groups, LazyScripter is a bit of a mystery to date. The target selection offers minimal insights into attribution that would be dangerous to speculate about. The similarities to both Russian and Iranian threat actors futher confuses attempts to attribute this activity to a particular nation or gorup. We will continue to monitor this group and recommend customers - especially those in the airline industry - be particularly vigilant regarding the progress of this newly minted APT.
MITRE ATT&CK: [MITRE ATT&CK] Scripting - T1064 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] Remote File Copy - T1105
Tags: Fancy Bear, APT28, Sednit, Strontium, MuddyWater, Sofacy, APT 34/OilRig, RMS, Remcos, LuminosityLink, njRat, Koadic, PowerShell Empire, Octopus, Remcos, LuminosityLink, Koadic, PowerShell Empire, Empire, Octopus, CVE-2021-1367, CVE-2021-1231, CVE-2021-1387, CVE-2021-1368, CVE-2021-1361, North America, Russia, Middle East

Newly Discovered Ransomware Impacting Multiple Industries and Geographies

(published: February 23, 2021)

Babuk, a new ransomware threat discovered in 2021 has impacted at least five big enterprises, with one already paying criminals $85,000 after negotiations. The group is reportedly targeting the transportation, healthcare, plastic, electronics, and agricultural sectors across multiple geographies. Although not a sophisticated ransomware, Babuk’s codebase and artifacts (such as ransom notes) bear enough similarities to the Vasa Locker group to consider them aligned if not synonymous.
Recommendation: Although not a sophisticated ransomware, Babuk’s codebase and artifacts (such as ransom notes) bear enough similarities to the Vasa Locker group to consider them aligned if not synonymous. While this threat has targeted five industries so far, as financially motivated actors there are no industries that should consider themselves immune to threats like Babuk.
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Disabling Security Tools - T1089
Tags: Babuk, Vasa Locker, Russia, Agricultural, Electronics, Healthcare, Plastic, Transportation

Chinese Hackers Used NSA Exploit Years Before Shadow Brokers Leak

(published: February 22, 2021)

Chinese state hackers cloned and started using a Windows zero-day exploit almost three years before the Shadow Brokers hacker group publicly leaked it in April 2017. However, APT 31 built their exploit, dubbed Jian, by replicating the functionality of the EpMe exploit stolen from the Equation Group's Tailored Access Operations (TAO) unit.
Recommendation: The public revealing of sophisticated offensive cyber tools widely believed to have originated inside the National Security Agency (NSA) was a shocking development in 2016. Not long after, one of those tools was used in the 2017 WannaCry attack that wreaked havoc on much of the world. Widely believed to be the work of hackers associated with the Russian government, the latest news that Chinese threat actors may have had access to NSA tools several years prior to Shadow Brokers is another embarrassment for one of the premier intelligence agencies in the world. NSA will likely face new scrutiny regarding both their cybersecurity practices and perhaps their vetting of personnel, as insider threat cannot be rules out as the potential cause of leaking data.
MITRE ATT&CK: [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Permission Groups Discovery - T1069 | [MITRE ATT&CK] Spearphishing Link - T1192
Tags: Confucius, Masslogger, DanderSpritz, EternalSynergy, UPSynergy, EternalRomance, EternalBlue, CVE-2021-21149, CVE-2021-21152, CVE-2021-21153, CVE-2021-21150, CVE-2021-21151, CVE-2017-0005, Shadow Brokers, APT31, Confucius, Zirconium, APT3, Equation Group, TAO, China, North America

French Cybersecurity Agency Discovers Self- Propagating Variant of Ryuk Ransomware

(published: February 21, 2021)

A French national cybersecurity agency reported their discovery on 25 February of a new variant of the Ryuk ransomware that has worm-like capabilities enabling it to autonomously spread from machine to machine. This discovery, reported by Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) as part of a 21-page report on the background, infection chains, and groups associated with Ryuk, was the result of an early 2021 investigation into an attack on an unnamed target.
Recommendation: The discovery of a new variant of Ryuk, a prominent ransomware, with the ability to distribute iteself inside a victim network is disconcerting. Anomali Threat Research strongly encourages clients - particularly those in the healthcare industry - to read the entire report from Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) to best understand Ryuk.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053
Tags: HYAS, schtasks.exe, Ryuk, Cobalt Strike, Trickbot, Emotet, BazarLoader, Mimikatz, Anchor, PowerTrick, PowerSploit, BloodHound, AdFind, Rubeus, Zerologon, TrickBot, BazarLoader, Wizard Spider, UNC 1878, EU, UK, Healthcare


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.