March 23, 2021
Anomali Threat Research

Anomali Cyber Watch: APT, Malware, Vulnerabilities, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>BlackRock, CopperStealer, Go, Lazarus, Mirai, Mustang Panda, Rust, Tax Season,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Bogus Android Clubhouse App Drops Credential-Swiping Malware</a></h3> <p>(published: March 19, 2021)</p> <p>Researchers are warning of a fake version of the popular audio chat app Clubhouse, which delivers malware that steals login credentials for more than 450 apps. Clubhouse has burst on the social media scene over the past few months, gaining hype through its audio-chat rooms where participants can discuss anything from politics to relationships. Despite being invite-only, and only being around for a year, the app is closing in on 13 million downloads. The app is only available on Apple's App Store mobile application marketplace - though plans are in the works to develop one.<br/> <b>Analyst Comment:</b> Use only the official stores to download apps to your devices. Be wary of what kinds of permissions you grant to applications. Before downloading an app, do some research.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a><br/> <b>Tags:</b> LokiBot, BlackRock, Banking, Android, Clubhouse</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="" target="_blank">Trojanized Xcode Project Slips XcodeSpy Malware to Apple Developers</a></h3> <p>(published: March 18, 2021)</p> <p>Researchers from cybersecurity firm SentinelOne have discovered a malicious version of the legitimate iOS TabBarInteraction Xcode project being distributed in a supply-chain attack. The malware, dubbed XcodeSpy, targets Xcode, an integrated development environment (IDE) used in macOS for developing Apple software and applications. The malicious project is a ripped version of TabBarInteraction, a legitimate project that has not been compromised. Malicious Xcode projects are being used to hijack developer systems and spread custom EggShell backdoors.<br/> <b>Analyst Comment:</b> Researchers attribute this new targeting of Apple developers to North Korea and Lazarus group: similar TTPs of compromising developer supply chain were discovered in January 2021 when North Korean APT was using a malicious Visual Studio project. Moreover, one of the victims of XcodeSpy is a Japanese organization regularly targeted by North Korea. A behavioral detection solution is required to fully detect the presence of XcodeSpy payloads.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> Lazarus, XcodeSpy, North Korea, EggShell, Xcode, Apple</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="" target="_blank">Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware</a></h3> <p>(published: March 18, 2021)</p> <p>Cybereason detected a new campaign targeting US taxpayers with documents that purport to contain tax-related content, ultimately delivering NetWire and Remcos - two powerful and popular RATs (remote access trojans) which can allow attackers to take control of the victims’ machines and steal sensitive information. The attackers dwarf heuristic detection by using unusually large files, they further conceal payloads by using a combination of steganography and public cloud services.<br/> <b>Analyst Comment:</b> Social engineering via phishing emails continues to be the preferred infection method among actors targeting US taxpayers. Despite various anti-detection tactics, these attacks can be stopped both by better detection and by teaching users of the dangers of enabling macros in a suspicious document.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a><br/> <b>Tags:</b> Remcos, NetWire, Banking, Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="" target="_blank">Convuster: MacOS Adware Now in Rust and Swift</a></h3> <p>(published: March 18, 2021)</p> <p>Convuster is a new adware program targeting the macOS platform. Two kinds of Convuster samples were found: those written in Rust and written in Swift. Rust samples could be recognized from the frequent use of the language's standard library, as well as several code lines containing paths to files with the .rs extension. From the victim’s point of view the Convuster installer mimics a Flash Player update.<br/> <b>Analyst Comment:</b> Actors have been paying increased attention to new programming languages, seemingly in the hope that such code will be more opaque to virus analysts who have little or no experience with the newer languages. It is interesting to note that Convuster would instal even if the user tries to refuse the fake Flash installation prompt.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a><br/> <b>Tags:</b> Convuster, macOS, adware, Rust, Swift, fake-Flash</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="" target="_blank">New CopperStealer Malware Steals Google, Apple, Facebook Accounts</a></h3> <p>(published: March 18, 2021)</p> <p>The malware, dubbed CopperStealer by Proofpoint researchers, is an actively developed password and cookie stealer with a downloader feature. The malware is being distributed via fake software crack sites. The malware attempts to steal the account passwords to Facebook, Instagram, Google, and other major service providers. The stolen passwords are used to run malicious ads for profit and spread more malware such as Smokeloader. The earliest discovered samples date back to July 2019, after which CopperStealer was developing with increased speed totaling in 80 currently known versions.<br/> <b>Analyst Comment:</b> CopperStealer’s active development and use of DGA based C2 servers demonstrates operational maturity as well as redundancy. Proofpoint, Facebook, Cloudflare, and others, used sinkholing to disrupt CopperStealers current activities, but we will likely see new versions in the wild soon.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Account Discovery - T1087</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a><br/> <b>Tags:</b> CopperStealer, Smokeloader, DGA, Social-Media, Facebook, sinkhole, PUA</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="" target="_blank">Operation Dianxun</a></h3> <p>(published: March 16, 2021)</p> <p>McAfee ATR disclosed an espionage campaign named Operation Dianxun. The tactics, techniques and procedures used in the attack are similar to those observed in earlier campaigns which were publicly attributed to the threat actors RedDelta and Mustang Panda. Users are targeted with fake Flash phishing with DotNet downloader, that installs Cobalt Strike Beacon. Most probably this threat is targeting people working in the telecommunications industry and has been used for espionage purposes to spy on companies related to 5G technology.<br/> <b>Analyst Comment:</b> Companies dealing with sensitive telecommunication technologies should be able to block these attacks based on the malware samples and malicious domains identified. Furthermore, they should monitor their networks for a more general Cobalt Strike and DotNet malware activities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a><br/> <b>Tags:</b> Dianxun, Operation-Dianxun, DotNet payload, DotNet, Cobalt-Strike</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="" target="_blank">Hackers Hide Credit Card Data From Compromised Stores in JPG File</a></h3> <p>(published: March 16, 2021)</p> <p>Researchers at website security company Sucuri found the new exfiltration technique when investigating a compromised online shop running version 2 of the open-source Magento e-commerce platform. Instead of sending the card info to a server they control, hackers hide it in a JPG image and store it on the infected website. These incidents are also known as Magecart attacks and have started years ago.<br/> <b>Analyst Comment:</b> As these actors hide their exfiltration traffic in a benign-looking image file, the malicious activity might be hard to detect. A complex system doing integrity checks and monitoring new file creation might be necessarily.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a><br/> <b>Tags:</b> Magecart, Magento, Skimming, Skimmer</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="" target="_blank">One-Click Microsoft Exchange On-Premises Mitigation Tool</a></h3> <p>(published: March 15, 2021)</p> <p>This month, Microsoft disclosed that four zero-day vulnerabilities were being actively used in attacks against Microsoft Exchange. These vulnerabilities are collectively known as ProxyLogon and are being used by threat actors to drop web shells, cryptominers, and more recently, the DearCry ransomware on exploited servers. On March 15, 2021, Microsoft released the EOMT one-click PowerShell script so that small business owners can get further help securing their Microsoft Exchange servers.<br/> <b>Analyst Comment:</b> This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Web Shell - T1100</a><br/> <b>Tags:</b> ProxyLogon, DearCry, CVE-2021-26855, Microsoft-Exchange</p> </div> <div class="trending-threat-article"> <h3 id="article-9"><a href=" " target="_blank">New Mirai Variant Targeting Network Security Devices</a></h3> <p>(published: March 15, 2021)</p> <p>Palo Alto Unit 42 security researchers have discovered a Mirai variant campaign that was quickly evolving to include additional vulnerabilities. Five known vulnerabilities and three unknown vulnerabilities were exploited in this attack. Among the targets were SonicWall, D-Link, Yealink, Netgear, and is likely to include other unknown devices. After getting the initial foothold the malware installs GoLang v1.9.4 and downloads binaries written in that language.<br/> <b>Analyst Comment:</b> We recommend patching your IoT devices, filtering malicious domains, using next-generation firewalls. More research is needed regarding unknown and unidentified vulnerabilities used by this Mirai variant.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a><br/> <b>Tags:</b> Mirai, IoT, GoLangC, VisualDoor, CVE-2019-19356, CVE-2021-22502, CVE-2021-27562, CVE-2021-27561, CVE-2021-25502, CVE-2020-25506, CVE-2020-26919</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.