Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, India, Malspam, Ransomware, Russia, Spearhishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs

(published: July 7, 2022)

SentinelLabs researchers detected yet another China-sponsored threat group targeting Russia with a cyberespionage campaign. The attacks start with a spearphishing email containing Microsoft Office maldocs built with the Royal Road malicious document builder. These maldocs were dropping the Bisonal backdoor remote access trojan (RAT). Besides targeted Russian organizations, the same attackers continue targeting other countries such as Pakistan. This China-sponsored activity is attributed with medium confidence to Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: China, source-country:CN, Russia, target-country:RU, Ukraine, Pakistan, target-country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798

OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow

(published: July 6, 2022)

Intezer researchers describe a new Linux malware dubbed OrBit, that was fully undetected at the time of the discovery. This malware hooks functions and adds itself to all running processes, but it doesn’t use LD_PRELOAD as previously described Linux threats. Instead it achieves persistence by adding the path to the malware into the /etc/ and by patching the binary of the loader itself so it will load the malicious shared object. OrBit establishes an SSH connection, then stages and infiltrates stolen credentials. It avoids detection by multiple functions that show running processes or network connections, as it hooks these functions and filters their output.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit exfiltration attempts. Consider network segmentation, storing sensitive data offline, and deploying security solutions as statically linked executables.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Data Staged - T1074
Tags: OrBit, Linux, Hooking, detection:Orbit, Shared object,

Whatever Floats Your Boat – Bitter APT Continues to Target Bangladesh

(published: July 6, 2022)

Bitter (T-APT-17), is a group suspected of being sponsored by the Indian government. Since 2013, Bitter has targeted Bangladesh, China, Pakistan, and Saudi Arabia. Secuinfra researchers describe a new Bitter company that targeted Bangladeshi military organizations in or around May 2022. The observed infection chain included a malicious Excel file, ZxxZ (MuuyDownloader) downloader that the group was seen using earlier in 2022, and a new .Net-based remote access trojan (RAT) dubbed Almond.
Analyst Comment: All users should be informed of the threat phishing poses, and how to safely make use of email. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Non-Standard Port - T1571 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Transfer Size Limits - T1030 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Data Destruction - T1485
Tags: Bitter, T-APT-17, Almond RAT, ZxxZ, MuuyDownloader, CVE-2018-0798, Government, Military, APT, Bangladesh, target-country:BD, India, source-country:IN, Cyberespionage, Equation Editor exploits

Alert (AA22-187A). North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector

(published: July 6, 2022, revised: July 07, 2022)

US agencies alert that North Korea-sponsored groups have been using Maui ransomware to target Healthcare and Public Health (HPH) sector organizations since at least May 2021. The attackers used unidentified initial access vectors to eventually encrypt servers responsible for healthcare services such as diagnostics services, electronic health records services, imaging services, and intranet services. Maui ransomware is designed for manual execution by a remote actor. It uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption.
Analyst Comment: Targeted HPH organizations should try to avoid paying ransoms as doing so does not guarantee data recovery and may pose sanctions risks. Secure personal identifiable information (PII)/patient health information (PHI) and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store PII and PHI on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059
Tags: Maui ransomware, Healthcare, USA, target-country:US, Ransomware, HPH, North Korea, source-country:KP, Windows

When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors

(published: July 5, 2022)

Unit 42 researchers discovered an advanced persistent threat (APT) campaign that abused a relatively new, stealthy tool: Brute Ratel C4 (BRc4) pentesting framework. From February 2021 to May 2022, this campaign was mostly targeting large virtual private server (VPS) hosting providers in various countries and regions. BRc4 remote access payload was packaged in a self-contained ISO with a Windows shortcut (LNK) file, a malicious payload DLL and a legitimate Microsoft executable used by the actors for DLL search order hijacking. This packaging is consistent with known Cozy Bear (APT29) techniques, but the attribution is not definitive.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Anti-phishing employee training should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Brute Ratel C4, BRc4, APT29, Cozy Bear, Argentina, Mexico, Ukraine, target-region:North America, target-region:South America, DLL search order hijacking, ISO, LNK, Windows

Hive Ransomware Gets Upgrades in Rust

(published: July 5, 2022)

In February 2022, a possible trigger for rewriting the Hive ransomware, South Korean researchers defeated the old Hive encryption. Five days after the publication, the new Hive variant was detected by Microsoft with a new, unique encryption approach and other major upgrades. Hive ransomware was fully re-written from Go to Rust programming language, making it harder to reverse-engineer and providing fast and safe encryption. The new Hive variant stores its strings in the .rdata section encrypted by XORing with constants and they are only decrypted during runtime. Hive introduces command-line parameters, including one for supplying the username and the password used to access the Hive ransom payment website. Elliptic Curve Diffie-Hellmann (ECDH) with Curve25519 and XChaCha20-Poly1305 encryption with ChaCha20 symmetric cipher) are used to encrypt strings used to XOR victim files.
Analyst Comment: Defenders should consider requiring MFA from all devices, in all locations, at all times. Implement credential hygiene, update automation, and cloud hardening recommendations.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: Ransomware, Hive, Rust, Ransomware-as-a-service, ChaCha20, ECDH, Curve25519, XChaCha20-Poly1305, String encryption, XOR, Healthcare

IconBurst NPM Software Supply Chain Attack Grabs Data from Apps Websites

(published: July 5, 2022, updated July 6, 2022)

ReversingLabs researchers have discovered an extensive supply-chain compromise campaign dubbed IconBurst that was based on malicious NPM modules that are harvesting sensitive data from forms embedded in mobile applications and websites. IconBust used misspelling of popular modules to hide their obfuscated, malicious modules with the jQuery ajax() function to exfiltrate serialized form data to domains controlled by the attacker. Since December 2021, IconBust has affected thousands of downstream mobile and desktop applications as well as websites, exposing their users and visitors to data theft.
Analyst Comment: Developers should be aware of the malicious typosquatting danger due to a library name being misspelled in the code. Organization defensive posture should include consideration for open-source dependencies and associated supply-chain risks.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Masquerading - T1036
Tags: IconBurst, npm, Supply chain, Malicious library, Typosquatting, jQuery, Javascript, Javascript obfuscator, ionic-io

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, aka "Microsoft Office Memory Corruption Vulnerability".


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.