May 1, 2023 - Anomali Threat Research

Anomali Cyber Watch: APT37 Adopts LNK Files, Charming Kitten Uses BellaCiao Implant-Dropper, ViperSoftX Infostealer Unique Byte Remapping Encryption

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Byte remapping, Cloud C2s, Infostealers, Iran, North Korea, RATs, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/ekJYBlknQYeVMa5WO7vW"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://research.checkpoint.com/2023/chain-reaction-rokrats-missing-link/" target="_blank">Chain Reaction: RokRAT’s Missing Link</a></h3> <p>(published: May 1, 2023)</p> <p>Since 2022, the North Korea-sponsored group APT37 (Group123, Ricochet Chollima) has mostly switched its delivery method from maldocs to payloads hidden inside oversized LNK files. Check Point researchers have identified multiple infection chains used by the group from July 2022 until April 2023. These were used to deliver one of APT37’s custom tools (GOLDBACKDOOR and ROKRAT), or the commodity malware Amadey. All of the studied lures appear to target Korean-speaking individuals with South Korea-related topics.<br/> <b>Analyst Comment:</b> Switching to LNK-based infection chains lets APT37 require less user interaction, as the chain can be triggered by a simple double click. The group continues to use the well-tried ROKRAT, which remains a stealthy tool with its additional layers of encryption, cloud C2, and in-memory execution. 
Indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&amp;CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&amp;CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9853" target="_blank">[MITRE ATT&amp;CK] T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&amp;CK] T1218.011 - Signed Binary Proxy Execution: Rundll32</a><br/> <b>Tags:</b> malware:ROKRAT, mitre-software-id:S0240, malware-type:RAT, actor:Group123, mitre-group:APT37, actor:Ricochet Chollima, source-country:North Korea, source-country:KP, target-country:South Korea, target-country:KR, file-type:ZIP, file-type:DOC, file-type:ISO, file-type:LNK, file-type:BAT, file-type:EXE, file-type:VBS, malware:Amadey, malware:GOLDBACKDOOR, malware-type:Backdoor, abused:pCloud, abused:Yandex Cloud, abused:OneDrive, abused:Hangul Word Processor, abused:Themida, target-system:Windows</p> <h3 id="article-2"><a href="https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/" target="_blank">Unpacking BellaCiao: A Closer Look at 
Iran’s Latest Malware</a></h3> <p>(published: April 26, 2023)</p> <p>The Iran-sponsored group Charming Kitten has been detected using the new BellaCiao implant-dropper. It targeted North America (USA), Europe (Austria and Italy), and the Middle East (Israel and Turkey). Microsoft Exchange servers were compromised, likely through exploitation of an unidentified vulnerability. Charming Kitten installs BellaCiao, sets up persistence for it, and tries to download two backdoors for Microsoft's Internet Information Services (IIS): the native IIS-Raid module for remote command execution and a .NET IIS module for credential exfiltration. BellaCiao sends a DNS resolution request for a target-specific domain to an actor-controlled server. The resolved IP address is in fact a code that indicates the further action to take (self-delete, skip, or drop additional components) and which file path to use. BellaCiao drops a web-shell downloader or the Plink tool with a PowerShell script for establishing a reverse proxy.<br/> <b>Analyst Comment:</b> Organizations should keep their critical publicly available systems, such as Microsoft Exchange servers, updated with the latest security patches. Network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. 
Anomali customers concerned about risks to their digital assets (including similar/typosquatted domains) can try out <a href="https://www.anomali.com/resources/data-sheets/anomali-premium-digital-risk-protection" target="_blank">Anomali's Premium Digital Risk Protection service</a>.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9891" target="_blank">[MITRE ATT&amp;CK] T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/9767" target="_blank">[MITRE ATT&amp;CK] T1070 - Indicator Removal On Host</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10100" target="_blank">[MITRE ATT&amp;CK] T1124 - System Time Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a><br/> <b>Tags:</b> malware:BellaCiao, malware-type:Implant, malware-type:Dropper, actor:Charming Kitten, abused:IIS-Raid, malware-type:Backdoor, malware-type:Infostealer, abused:Plink, target-country:IL, target-country:Israel, target-country:TR, target-country:Turkey, target-country:AT, target-country:Austria, target-country:IN, target-country:India, target-country:IT, target-country:Italy, target-region:Europe, target-region:Middle East, target-country:United States of America, 
target-country:US, target-system:Windows</p> <h3 id="article-3"><a href="https://labs.withsecure.com/publications/fin7-target-veeam-servers" target="_blank">FIN7 Tradecraft Seen in Attacks against Veeam Backup Servers</a></h3> <p>(published: April 26, 2023)</p> <p>Since March 28, 2023, a new wave of attacks has been targeting Veeam Backup servers with TCP port 9401 open. This wave is exploiting CVE-2023-27532, a high-severity vulnerability in Veeam Backup and Replication (VBR) software. The exploit was made available on March 23, 2023, and approximately 7,500 internet-exposed VBR hosts were thought to be vulnerable. Some of the malware, commands, and overall tactics, techniques, and procedures observed in the attacks were similar to those previously attributed to FIN7. The infection chain included several stages with the following scripts and malware: the DICELOADER backdoor, the DUBLOADER loader, the POWERHOLD persistence-establishing script, and the POWERTRASH obfuscated loader.<br/> <b>Analyst Comment:</b> Veeam/VBR users should update their servers with the latest security patches. 
FIN7 intrusions may lead to ransomware or data theft and we recommend blocking related indicators available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9914" target="_blank">[MITRE ATT&amp;CK] T1055.001 - Process Injection: Dynamic-Link Library Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a><br/> <b>Tags:</b> targeted:Veeam, actor:FIN7, vulnerability:CVE-2023-27532, tactic:Lateral movement, abused:PowerShell, malware:POWERTRASH, malware:POWERHOLD, malware:DICELOADER, malware:DUBLOADER, file-type:VBS, file-type:BAT, file-type:EXE, file-type:DLL, file-type:PS1, open-port:9401, target-system:Windows</p> <h3 id="article-4"><a href="https://blog.cyble.com/2023/04/26/threat-actor-selling-new-atomic-macos-amos-stealer-on-telegram/" target="_blank">Threat Actor Selling New Atomic macOS (AMOS) Stealer on Telegram</a></h3> <p>(published: April 26, 2023)</p> <p>Cyble researchers have discovered a new infostealer called Atomic macOS Stealer (AMOS) sold over a Telegram channel. This Golang-based malware is being delivered using a user-activated DMG file. AMOS steals system information, files from the desktop and documents folder, keychain passwords, and the macOS password. 
The stealer is designed to target multiple browsers (Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Vivaldi, and Yandex) to extract auto-fills, passwords, cookies, cryptocurrency wallets, and credit card information. AMOS can target stand-alone crypto wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus, and over 50 crypto-wallet browser extensions.<br/> <b>Analyst Comment:</b> Users should download and install software only from the official Apple App Store. Be wary of opening any unsolicited links. Keep your devices, operating systems, and applications updated. Indicators associated with AMOS are available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&amp;CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9857" target="_blank">[MITRE ATT&amp;CK] T1110 - Brute Force</a> | <a href="https://ui.threatstream.com/attackpattern/9600" target="_blank">[MITRE ATT&amp;CK] T1555.001 - Credentials from Password Stores: Keychain</a> | <a href="https://ui.threatstream.com/attackpattern/10025" target="_blank">[MITRE ATT&amp;CK] T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9692" target="_blank">[MITRE ATT&amp;CK] T1560 - Archive Collected Data</a> | <a href="https://ui.threatstream.com/attackpattern/9863" target="_blank">[MITRE ATT&amp;CK] T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9622" 
target="_blank">[MITRE ATT&amp;CK] T1132.001 - Data Encoding: Standard Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/9617" target="_blank">[MITRE ATT&amp;CK] T1041 - Exfiltration Over C2 Channel</a><br/> <b>Tags:</b> malware:Atomic macOS Stealer, malware:AMOS, malware-type:Infostealer, abused:Telegram, abused:Golang, file-type:DMG, target-industry:Cryptocurrency, target-system:macOS</p> <h3 id="article-5"><a href="https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryption-steals-data.html" target="_blank">ViperSoftX Updates Encryption, Steals Data</a></h3> <p>(published: April 24, 2023)</p> <p>First documented in November 2022, the ViperSoftX infostealer received some major updates by April 2023. According to Trend Micro researchers, it incorporated DLL sideloading into its infection chain and started using a unique byte remapping encryption. The actors behind ViperSoftX started rotating their second-stage C2 servers on a monthly basis. They use domain generation algorithms (DGA) and browser traffic blocking to protect their infrastructure. ViperSoftX has been concentrating on stealing cryptocurrencies and added targeting for the KeePass 2 and 1Password password managers. ViperSoftX campaigns target victims globally: among consumers, Australia, Japan, and the US are affected the most, while the enterprise sector makes up over 40% of the total number of victims, with India, Pakistan, and the Philippines as the top targeted countries, in that order.<br/> <b>Analyst Comment:</b> As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. These types of downloads should be restricted by your company; supply the legitimate software and educate your employees about these risks. 
Network indicators associated with the updated ViperSoftX targeting are available on the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9913" target="_blank">[MITRE ATT&amp;CK] T1568.002 - Dynamic Resolution: Domain Generation Algorithms</a> | <a href="https://ui.threatstream.com/attackpattern/10033" target="_blank">[MITRE ATT&amp;CK] T1555.005 - Credentials from Password Stores: Password Managers</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a><br/> <b>Tags:</b> malware:ViperSoftX, malware-type:Infostealer, detection:TrojanSpy.PS1.VIPERSOFTX, detection:Trojan.Win64.VIPERSOFTXA, abused:PowerShell, technique:DGA, file-type:DLL, file-type:EXE, technique:Byte remapping, target-country:Australia, target-country:Japan, target-country:US, target-country:India, target-country:Pakistan, target-country:Philippines, targeted:KeePass 2, targeted:1Password, target-system:Windows</p> </div> </div>
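
For the APT37 item above, one way to triage shortcut files collected from endpoints or mail gateways is to flag links that are oversized or that carry bytes after the end of the parsed Shell Link structure. This is an added example, not code from Anomali or Check Point; the two thresholds, the function names and the sample file are assumptions constructed here, and the trailing-bytes check generalizes beyond the size observation in the summary.

```python
import struct

# Shell Link header per MS-SHLLINK: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
SIZE_LIMIT = 1_000_000  # assumed triage threshold (bytes); tune to your baseline
TRAILING_LIMIT = 4096   # assumed tolerance for bytes after the link structure

def structure_end(data):
    """Return the offset where the parsed Shell Link structure ends."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: 4-byte size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & 0x80 else 1  # IsUnicode selects UTF-16 strings
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # Name .. IconLocation
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * width
    while pos + 4 <= len(data):  # ExtraData blocks, ended by a size < 4
        size = struct.unpack_from("<I", data, pos)[0]
        pos += max(size, 4)
        if size < 4:
            break
    return min(pos, len(data))

def triage(data):
    """Return a list of findings for the bytes of one .lnk file."""
    try:
        end = structure_end(data)
    except (ValueError, struct.error) as exc:
        return [f"unparseable: {exc}"]
    findings = []
    if len(data) > SIZE_LIMIT:
        findings.append(f"oversized: {len(data)} bytes")
    if len(data) - end > TRAILING_LIMIT:
        findings.append(f"trailing data: {len(data) - end} bytes after offset {end}")
    return findings

def build_sample(args, trailer=b""):
    """Constructed sample: minimal link holding only an arguments string."""
    header = LNK_MAGIC + struct.pack("<I", 0xA0) + bytes(52)
    string = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    return header + string + bytes(4) + trailer

if __name__ == "__main__":
    print(triage(build_sample("/c echo hi", b"A" * 2_000_000)))
```

A link whose bulk sits inside an inflated ExtraData block shows no trailing bytes, which is why the plain size check is kept alongside the structural one.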
