September 18, 2023 - Anomali Threat Research

Anomali Cyber Watch: APT33 Sprays Passwords on Iranian Time, NodeStealer Hides Behind Wrong Encoding, and More

<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Cyberespionage, Iran, Infostealers, Russia, Spearphishing, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img alt="Image" src="https://cdn.filestackcontent.com/Cw81tjWTQGfbasS2eU0q"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/" target="_blank">Threat Group Assessment: Turla (aka Pensive Ursa)</a></h3> <p>(published: September 15, 2023)</p> <p> Turla, a Russian-sponsored group linked to the Russian Federal Security Service (FSB), has been active since 2004 and is known for its targeted intrusions and innovative stealth. Its targeting included over 45 countries and a wide range of sectors, including government entities, embassies, and military organizations, as well as education, research and pharmaceutical companies. Since February 2022, Turla has played an active part in the Russia-Ukraine war, primarily spying on the Ukrainian defense sector. Palo Alto Networks researchers have analyzed the most recently active malware in Turla's arsenal, including the Topinambour dropper, the Kopiluwak spreader/downloader, and a number of backdoors (Carbon, Capibar, ComRAT, Crutch, HyperStack, Kazuar, Snake, TinyTurla, and QUIETCANARY).<br/> <b>Analyst Comment:</b> Turla's arsenal includes a variety of malware, demonstrating the importance of using a multilayered protection model against advanced threats. 
It should include behavioral-based detections, protection against post-exploit activities, credential-gathering, and webshells. Indicators associated with Turla are available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9700" target="_blank">[MITRE ATT&amp;CK] T1087 - Account Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/23209" target="_blank">[MITRE ATT&amp;CK] Discovery - File and Directory Discovery [T1083]</a> | <a href="https://ui.threatstream.com/attackpattern/12875" target="_blank">[MITRE ATT&amp;CK] T1615 - Group Policy Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9878" target="_blank">[MITRE ATT&amp;CK] T1201 - Password Policy Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9708" target="_blank">[MITRE ATT&amp;CK] T1120 - Peripheral Device Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9618" target="_blank">[MITRE ATT&amp;CK] T1069 - Permission Groups Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/24155" target="_blank">[MITRE ATT&amp;CK] Discovery - Process Discovery [T1057]</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&amp;CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/23219" target="_blank">[MITRE ATT&amp;CK] Discovery - Remote System Discovery [T1018]</a> | <a href="https://ui.threatstream.com/attackpattern/9985" target="_blank">[MITRE ATT&amp;CK] T1518 - Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/27810" target="_blank">[MITRE ATT&amp;CK] Discovery - System Network Configuration Discovery [T1016]</a> | <a href="https://ui.threatstream.com/attackpattern/27820" target="_blank">[MITRE ATT&amp;CK] 
Discovery - System Network Connections Discovery [T1049]</a> | <a href="https://ui.threatstream.com/attackpattern/9632" target="_blank">[MITRE ATT&amp;CK] T1007 - System Service Discovery</a><br/> <b>Tags:</b> actor:Turla, actor:Pensive Ursa, mitre-group:Turla, actor:Uroburos, actor-identity:FSB, source-country:RU, target-country:UA, target-sector:Defence, target-sector:Government, malware:Topinambour, malware-type:Dropper, malware:Kopiluwak, malware-type:Spreader, malware-type:Downloader, malware:Capibar, malware:Kazuar, malware:Snake, malware:QUIETCANARY, malware:Crutch, malware:ComRAT, malware:Carbon, malware:HyperStack, malware:TinyTurla, malware-type:Backdoor, file-type:ASPX, file-type:DLL, file-type:EXE, file-type:PHP, target-system:Windows </p> <h3 id="article-1"><a href="https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/" target="_blank">Peach Sandstorm Password Spray Campaigns Enable Intelligence Collection at High-Value Targets</a></h3> <p>(published: September 14, 2023)</p> <p> Between February and July 2023, the Iran-sponsored group APT33 (Peach Sandstorm, Refined Kitten) carried out a wave of opportunistic attacks targeting organizations in the defense, pharmaceutical, and satellite sectors globally. Microsoft researchers observed the group primarily using a series of password-spray attacks targeting thousands of organizations. The password-spray activity was primarily conducted between 9 AM and 5 PM Iran Standard Time, from TOR IPs, and used a specific user agent, “go-http-client”. A smaller subset of activity exploited vulnerabilities with a public proof-of-concept in Zoho ManageEngine (CVE-2022-47966) or Confluence Server and Data Center (CVE-2022-26134). After initial access, the group could use a combination of publicly available tools (abusing AnyDesk, Azure Arc, AzureHound, or Roadtools) and custom tools (the EagleRelay tunneling tool). 
Only a small number of compromised targets were subjected to eventual data exfiltration.<br/> <b>Analyst Comment:</b> Network administrators are encouraged to implement “multi-factor authentication always-on” for privileged accounts, RDP and Windows Virtual Desktop endpoints. All known network indicators associated with this recent APT33 campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. In addition, cyber-campaign news like this, along with other Advisory, News and Blog sources are available as RSS feeds, and for AutoLens+ subscribers these are also tagged and summarized.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10006" target="_blank">[MITRE ATT&amp;CK] T1110.003 - Brute Force: Password Spraying</a> | <a href="https://ui.threatstream.com/attackpattern/24897" target="_blank">[MITRE ATT&amp;CK] Initial Access - Exploit Public-Facing Application [T1190]</a> | <a href="https://ui.threatstream.com/attackpattern/10026" target="_blank">[MITRE ATT&amp;CK] T1606.002 - Forge Web Credentials: Saml Tokens</a> | <a href="https://ui.threatstream.com/attackpattern/10105" target="_blank">[MITRE ATT&amp;CK] T1574.001 - Hijack Execution Flow: Dll Search Order Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/23212" target="_blank">[MITRE ATT&amp;CK] Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]</a><br/> <b>Tags:</b> actor:Peach Sandstorm, actor:APT33, mitre-group:APT33, actor:Elfin, actor:Refined Kitten, source-country:IR, technique:Password spray, technique:Golden SAML, target-software:Microsoft Entra ID, target-software:Zoho ManageEngine, target-software:Confluence Server and Data Center, vulnerability:CVE-2022-47966, vulnerability:CVE-2022-26134, malware:EagleRelay, malware-type:Tunneling, tool:AnyDesk, malware-type:RAT, target-industry:Satellite, target-industry:Defense, target-industry:Pharmaceutical </p> <h3 id="article-1"><a 
href="https://www.netskope.com/blog/new-python-nodestealer-goes-beyond-facebook-credentials-now-stealing-all-browser-cookies-and-login-credentials" target="_blank">New Python NodeStealer Goes Beyond Facebook Credentials, Now Stealing All Browser Cookies and Login Credentials</a></h3> <p>(published: September 14, 2023)</p> <p> The NodeStealer credential stealer was first identified in January 2023. In August 2023, a new, advanced NodeStealer version was identified targeting Facebook Business accounts, primarily in Southern Europe and North America. This NodeStealer version was ported from JavaScript to Python, and aims at all available credentials and cookies, not just those of Facebook. The attack starts with a bogus Facebook message with an attached archive containing batch files. User execution leads to a decoy browser window and a malicious PowerShell script downloading final archived payloads in the background. The attackers use an interesting evasion technique: their script files are made to open with the wrong encoding scheme.<br/> <b>Analyst Comment:</b> This campaign may serve as a precursor to a future, more focused attack, given the valuable data already acquired. Attackers with stolen Facebook cookies and credentials can potentially seize control of accounts and conduct fraudulent transactions through legitimate business pages. To safeguard their data, users should exercise caution when downloading content from the Internet. 
All known network indicators associated with this NodeStealer campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/22184" target="_blank">[MITRE ATT&amp;CK] Execution - User Execution: Malicious File [T1204.002]</a> | <a href="https://ui.threatstream.com/attackpattern/23233" target="_blank">[MITRE ATT&amp;CK] Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9681" target="_blank">[MITRE ATT&amp;CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/27796" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Indicator Removal: File Deletion [T1070.004]</a> | <a href="https://ui.threatstream.com/attackpattern/10082" target="_blank">[MITRE ATT&amp;CK] T1614 - System Location Discovery</a><br/> <b>Tags:</b> malware:NodeStealer, language:Python, malware-type:Credential stealer, abused:Facebook, abused:Facebook CDN, abused:Telegram, 
file-type:BAT, file-type:EXE, file-type:RAR, file-type:TXT, file-type:ZIP, target-identity:Facebook Business account, target-region:Southern Europe, target-region:North America, target-sector:Manufacturing, target-sector:Technology, target-software:Microsoft Edge, target-software:Brave, target-software:Opera, target-software:Cốc Cốc, target-software:Firefox, target-system:Windows </p> <h3 id="article-1"><a href="https://www.trendmicro.com/en_us/research/23/i/redline-vidar-first-abuses-ev-certificates.html" target="_blank">RedLine/Vidar Abuses EV Certificates, Shifts to Ransomware</a></h3> <p>(published: September 13, 2023)</p> <p> In July-August 2023, an unknown threat actor was able to use a record number of malware payloads signed with Extended Validation (EV) code signing certificates. EV code-signing involves extended identity verification and private key generation with a hardware token. Trend Micro researchers assess that either this threat actor owns the hardware token itself or has access to the host that the hardware token is connected to. Two waves of attacks were detected: the first delivered a stealer (RedLine and Vidar), and the second, in some cases, ransomware. In both cases, the actors used similar delivery and social engineering methods including spearphishing emails with topics related to health and hotel accommodations, EV code-signing, and double-extension files masquerading as PDF.<br/> <b>Analyst Comment:</b> Users encountering infostealers should exercise caution against ransomware, as threat actors are increasingly skilled at adapting their techniques for various cybercrimes. To enhance security, individuals and organizations should abstain from downloading files or software from unverified sources and implement a robust multilayered protection system. Additionally, it is essential for Certificate Authorities to ensure proper revocation dates are set for abused certificates, as an incorrect date can leave valid signatures in place. 
All known indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9596" target="_blank">[MITRE ATT&amp;CK] T1553.002 - Subvert Trust Controls: Code Signing</a> | <a href="https://ui.threatstream.com/attackpattern/24158" target="_blank">[MITRE ATT&amp;CK] Initial Access - Phishing: Spearphishing Attachment [T1566.001]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/12870" target="_blank">[MITRE ATT&amp;CK] T1036.007 - Masquerading: Double File Extension</a><br/> <b>Tags:</b> malware:RedLine, malware:Vidar, detection:TrojanSpy.Win32.VIDAR.SMA, malware-type:Infostealer, malware-type:Ransomware, detection:Ransom.Win64.CYCLOPS.A, technique:EV Certificates, file-type:EXE, file-type:HTM, file-type:JS, file-type:LNK, file-type:PDF.EXE, file-type:PDF.HTM, file-type:TXT, file-type:XLL, file-type:ZIP, target-system:Windows </p> <h3 id="article-1"><a href="https://securelist.com/cuba-ransomware/110533/" target="_blank">From Caribbean Shores to Your Devices: Analyzing Cuba Ransomware</a></h3> <p>(published: September 11, 2023)</p> <p> The Cuba ransomware gang first came to attention in late 2020. It provides ransomware-as-a-service and was seen operating under a number of aliases: ColdDraw, Cuba, Fidel, Tropical Scorpius, and possibly, V Is Vendetta. Kaspersky researchers analyzed Cuba-associated Bitcoin wallets and estimated over $100 Million US Dollars of ransom payments. 
The group's targets span North America, Europe, Oceania, and Asia, with most of them being of US origin. Cuba exfiltrates financial documents, company account details, and, if the company is a software developer, source code. Cuba was observed extensively using timestomping: backdating compilation timestamps. The group is flexible in its infection chains and relies on a number of commodity (Cobalt Strike Beacon, Metasploit, and Mimikatz) and custom tools (Bughatch, Burntcigar, Veeamp, and others).<br/> <b>Analyst Comment:</b> Network defenders should aim to deploy regular updates and mitigate critical vulnerabilities. Enhance your organization's phishing awareness and block known indicators associated with Cuba (detection rules and indicators are available in the Anomali platform). <br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9772" target="_blank">[MITRE ATT&amp;CK] T1070.006 - Indicator Removal on Host: Timestomp</a> | <a href="https://ui.threatstream.com/attackpattern/24158" target="_blank">[MITRE ATT&amp;CK] Initial Access - Phishing: Spearphishing Attachment [T1566.001]</a> | <a href="https://ui.threatstream.com/attackpattern/22384" target="_blank">[MITRE ATT&amp;CK] Initial Access - Phishing: Spearphishing Link [T1566.002]</a> | <a href="https://ui.threatstream.com/attackpattern/24897" target="_blank">[MITRE ATT&amp;CK] Initial Access - Exploit Public-Facing Application [T1190]</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/23233" target="_blank">[MITRE ATT&amp;CK] Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]</a> | <a href="https://ui.threatstream.com/attackpattern/3718" target="_blank">[MITRE ATT&amp;CK] T1569.002: Service Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9927" target="_blank">[MITRE ATT&amp;CK] T1072 - Software 
Deployment Tools</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&amp;CK] T1106: Native API</a> | <a href="https://ui.threatstream.com/attackpattern/9588" target="_blank">[MITRE ATT&amp;CK] T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/10003" target="_blank">[MITRE ATT&amp;CK] T1078.003 - Valid Accounts: Local Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9871" target="_blank">[MITRE ATT&amp;CK] T1078.002 - Valid Accounts: Domain Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/27800" target="_blank">[MITRE ATT&amp;CK] Privilege Escalation - Create or Modify System Process: Windows Service [T1543.003]</a> | <a href="https://ui.threatstream.com/attackpattern/23230" target="_blank">[MITRE ATT&amp;CK] Persistence - Create Account: Local Account [T1136.001]</a> | <a href="https://ui.threatstream.com/attackpattern/23228" target="_blank">[MITRE ATT&amp;CK] Persistence - Account Manipulation [T1098]</a> | <a href="https://ui.threatstream.com/attackpattern/24895" target="_blank">[MITRE ATT&amp;CK] Privilege Escalation - Exploitation for Privilege Escalation [T1068]</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&amp;CK] T1218.011 - Signed Binary Proxy Execution: Rundll32</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9920" target="_blank">[MITRE ATT&amp;CK] T1055.012 - Process Injection: Process Hollowing</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&amp;CK] T1562.001: Disable or Modify Tools</a> | <a 
href="https://ui.threatstream.com/attackpattern/9818" target="_blank">[MITRE ATT&amp;CK] T1014 - Rootkit</a> | <a href="https://ui.threatstream.com/attackpattern/9850" target="_blank">[MITRE ATT&amp;CK] T1564.002 - Hide Artifacts: Hidden Users</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/10091" target="_blank">[MITRE ATT&amp;CK] T1110.001 - Brute Force: Password Guessing</a> | <a href="https://ui.threatstream.com/attackpattern/23810" target="_blank">[MITRE ATT&amp;CK] Picus: Kerberoasting Attack Explained - MITRE ATT&amp;CK T1558.003</a> | <a href="https://ui.threatstream.com/attackpattern/23234" target="_blank">[MITRE ATT&amp;CK] Credential Access - OS Credential Dumping: LSASS Memory [T1003.001]</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/24155" target="_blank">[MITRE ATT&amp;CK] Discovery - Process Discovery [T1057]</a> | <a href="https://ui.threatstream.com/attackpattern/23209" target="_blank">[MITRE ATT&amp;CK] Discovery - File and Directory Discovery [T1083]</a> | <a href="https://ui.threatstream.com/attackpattern/10100" target="_blank">[MITRE ATT&amp;CK] T1124 - System Time Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/23222" target="_blank">[MITRE ATT&amp;CK] Discovery - System Owner/User Discovery [T1033]</a> | <a href="https://ui.threatstream.com/attackpattern/27810" target="_blank">[MITRE ATT&amp;CK] Discovery - System Network Configuration Discovery [T1016]</a> | <a href="https://ui.threatstream.com/attackpattern/9985" target="_blank">[MITRE ATT&amp;CK] T1518 - Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/23219" target="_blank">[MITRE ATT&amp;CK] Discovery - 
Remote System Discovery [T1018]</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&amp;CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9647" target="_blank">[MITRE ATT&amp;CK] T1021.002 - Remote Services: Smb/Windows Admin Shares</a> | <a href="https://ui.threatstream.com/attackpattern/23212" target="_blank">[MITRE ATT&amp;CK] Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]</a> | <a href="https://ui.threatstream.com/attackpattern/9648" target="_blank">[MITRE ATT&amp;CK] T1570 - Lateral Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9803" target="_blank">[MITRE ATT&amp;CK] T1074 - Data Staged</a> | <a href="https://ui.threatstream.com/attackpattern/28384" target="_blank">[MITRE ATT&amp;CK] Credential Access - Input Capture: Keylogging [T1056.001]</a> | <a href="https://ui.threatstream.com/attackpattern/27807" target="_blank">[MITRE ATT&amp;CK] Command and Control - Encrypted Channel [T1573]</a> | <a href="https://ui.threatstream.com/attackpattern/22189" target="_blank">[MITRE ATT&amp;CK] Command and Control - Application Layer Protocol: Web Protocols [T1071.001]</a> | <a href="https://ui.threatstream.com/attackpattern/26827" target="_blank">[MITRE ATT&amp;CK] Command and Control - Standard Application Layer Protocol [T1071]</a> | <a href="https://ui.threatstream.com/attackpattern/27808" target="_blank">[MITRE ATT&amp;CK] Command and Control - Standard Non-Application Layer Protocol [T1095]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/26498" target="_blank">[MITRE ATT&amp;CK] Command and Control - Application Layer Protocol: DNS [T1071.004]</a> | <a href="https://ui.threatstream.com/attackpattern/9733" target="_blank">[MITRE ATT&amp;CK] T1572 - Protocol Tunneling</a> | <a 
href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a><br/> <b>Signatures: </b>YARA Rules: <a href="https://ui.threatstream.com/signature/110722" target="_blank">BURNTCIGAR_NEW</a>. <br/> <b>Tags:</b> malware:Cuba, malware-type:Ransomware, actor:Cuba, threat-type:RaaS, malware:komar65, malware:BugHatch, malware-type:Backdoor, malware:BurntCigar, malware:Cobalt Strike Beacon, malware:Hancitor, malware:Termite, malware:SystemBC, malware:Veeamp, malware:Wedgecut, malware:RomCOM RAT, malware:Mimikatz, actor:ColdDraw, actor:Fidel, actor:Tropical Scorpius, actor:V Is Vendetta, technique:Timestomp, vulnerability:ProxyShell, vulnerability:CVE-2021-31207, vulnerability:CVE-2021-34473, vulnerability:CVE-2021-34523, vulnerability:ProxyLogon, vulnerability:CVE-2021-26855, vulnerability:CVE-2021-26857, vulnerability:CVE-2021-26858, vulnerability:CVE-2021-27065, target-software:Veeam, vulnerability:CVE-2022-26501, vulnerability:CVE-2022-26504, vulnerability:CVE-2022-26500, vulnerability:ZeroLogon, vulnerability:CVE-2020-1472, target-country:US, target-region:Europe, target-country:CA, target-region:Asia, target-country:AU, file-type:BAT, file-type:DLL, file-type:EXE, file-type:ZIP, target-system:Windows </p> </div> </p></div>
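The three traits reported above for the Peach Sandstorm password-spray activity (TOR source IPs, the “go-http-client” user agent, and a 9 AM to 5 PM Iran Standard Time window) can be scored against failed sign-in logs. The Python below is an added example, not code from Anomali or Microsoft; the log field names, thresholds, TOR exit list and sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time (UTC+03:30)
WINDOW = timedelta(hours=1)   # assumed look-back window per source IP
MIN_USERS = 5                 # assumed: distinct accounts that make it a spray
MAX_TRIES_PER_USER = 2        # assumed: sprays try few passwords per account


def in_irst_business_hours(ts_utc):
    """True if the UTC timestamp falls in 09:00-16:59 Iran Standard Time."""
    return 9 <= ts_utc.astimezone(IRST).hour < 17


def find_sprays(events, tor_exits):
    """Return {src_ip: finding} for IPs whose failed sign-ins look like a spray."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src_ip"]].append(e)

    findings = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = [], 0
        for end in range(len(evs)):
            # Slide the window so it never spans more than WINDOW.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            tries = Counter(e["user"] for e in window)
            # Spray shape: many accounts, few attempts against each one.
            if (len(tries) >= MIN_USERS and max(tries.values()) <= MAX_TRIES_PER_USER
                    and len(window) > len(best)):
                best = window
        if not best:
            continue
        # Campaign traits named in the digest; each adds one point to the score.
        traits = {
            "tor_exit": ip in tor_exits,
            "go_http_client_ua": all("go-http-client" in e["ua"].lower() for e in best),
            "irst_business_hours": all(in_irst_business_hours(e["ts"]) for e in best),
        }
        findings[ip] = {"users": len({e["user"] for e in best}),
                        "traits": traits, "score": sum(traits.values())}
    return findings


def _burst(ip, ua, start, users):
    """Build constructed failed sign-ins, two minutes apart, one per listed user."""
    return [{"ts": start + timedelta(minutes=2 * i), "src_ip": ip, "user": u,
             "ua": ua, "result": "failure"} for i, u in enumerate(users)]


# Constructed sample data (RFC 5737 documentation addresses, made-up accounts).
TOR_EXITS = {"203.0.113.7"}
UTC = timezone.utc
SAMPLE_LOG = (
    # Spray matching all three traits (07:00 UTC is 10:30 IRST).
    _burst("203.0.113.7", "Go-http-client/1.1", datetime(2023, 5, 10, 7, 0, tzinfo=UTC),
           [f"user{i}@example.com" for i in range(6)])
    # One user mistyping a password six times: not a spray.
    + _burst("198.51.100.20", "Mozilla/5.0", datetime(2023, 5, 10, 8, 0, tzinfo=UTC),
             ["alice@example.com"] * 6)
    # Spray-shaped, but none of the campaign traits (20:00 UTC is 23:30 IRST).
    + _burst("192.0.2.9", "python-requests/2.31.0", datetime(2023, 5, 10, 20, 0, tzinfo=UTC),
             [f"user{i}@example.com" for i in range(6)])
)

if __name__ == "__main__":
    for ip, finding in find_sprays(SAMPLE_LOG, TOR_EXITS).items():
        print(ip, finding)
```

A score of 0 still marks a spray-shaped burst worth triage; the score only ranks how closely it matches the traits reported for this campaign.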
