November 28, 2022
Anomali Threat Research

Anomali Cyber Watch: Caller-ID Spoofing Actors Arrested, Fast-Moving Qakbot Infection Deploys Black Basta Ransomware, New YARA Rules to Detect Cobalt Strike, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Caller-ID spoofing, False-flag, Phishing, Ransomware, Russia, the UK,</b> and <b>Ukraine</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="" target="_blank">Voice-Scamming Site “iSpoof” Seized, 100s Arrested in Massive Crackdown</a></h3> <p>(published: November 25, 2022)</p> <p>iSpoof was a threat group offering spoofing for caller phone numbers (also known as Caller ID, Calling Line Identification). iSpoof core group operated out of the UK with presence in other countries. In the 12 months until August 2022 around 10 million fraudulent calls were made globally via iSpoof. On November 24, 2022, Europol announced a joint operation involving Australia, Canada, France, Germany, Ireland, Lithuania, Netherlands, Ukraine, the UK, and the USA, that led to the arrest of 142 suspects and seizure of iSpoof websites.<br /> <b>Analyst Comment:</b> Threat actors can spoof Caller ID (Calling Line Identification) similar to spoofing the “From:” header in an email. If contacted by an organization you should not confirm any details about yourself, take the caller’s details, disconnect and initiate a call back to the organization yourself using a trusted number. Legitimate organizations understand scams and fraud and do not engage in unsolicited calling.<br /> <b>Tags:</b> iSpoof, Teejai Fletcher, United Kingdom, source-country:UK, Caller ID, Calling Line Identification, Voice-scamming, Social engineering</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">New Ransomware Attacks in Ukraine Linked to Russian Sandworm Hackers</a></h3> <p>(published: November 25, 2022)</p> <p>On November 21, 2022, multiple organizations in Ukraine were targeted with new ransomware written in .NET. It was dubbed RansomBoggs by ESET researchers who attributed it to the Russia-sponsored Sandworm Team (aka Iridium, BlackEnergy). Sandworm distributed RansomBoggs from the domain controller using the same PowerShell script (PowerGap) that was seen in its previous attacks. RansomBoggs encrypts files using AES-256 in CBC mode using a randomly generated key. The key is RSA encrypted prior to storage and the encrypted files are appended with a .chsch extension.<br /> <b>Analyst Comment:</b> Ransomware remains one of the most dangerous types of malware threats and even some government-sponsored groups are using it. Sandworm is a very competent actor group specializing in these forms of attack. Organizations with exposure to the military conflict in Ukraine, or considered by the Russian state to be providing support relating to the conflict, should prepare offline backups to minimize the effects of a potential data-availability-denial attack.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a><br /> <b>Tags:</b> detection:RansomBoggs, detection:Filecoder.Sullivan, malware-type:Ransomware, AES-256, PowerShell, detection:PowerGap, mitre-group:Sandworm Team, actor:Iridium, Russia, source-country:RU, Ukraine, target-country:UA, APT</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies</a></h3> <p>(published: November 23, 2022)</p> <p>Cybereason researchers detected a new Qakbot campaign distributing the Black Basta ransomware. The attackers were targeting companies in the US in a fast-moving fashion, achieving domain administrator privileges in less than two hours and moving to ransomware deployment in less than 12 hours. The infection starts with a phishing email delivering an IMG or an ISO disk image file with a VBS script downloading Qakbot. The attackers proceed to steal credentials and Domain Administration accounts, deploying Cobalt Strike, moving laterally, and globally deploying the Black Basta ransomware.<br /> <b>Analyst Comment:</b> Organizations should invest in comprehensive anti-phishing training. Network defenders are advised to disable auto-mounting of disk image files (such as .IMG, .ISO, .VHD, and .VHDX). Network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&CK] Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&CK] Service Stop - T1489</a> | <a href="" target="_blank">[MITRE ATT&CK] Inhibit System Recovery - T1490</a> | <a href="" target="_blank">[MITRE ATT&CK] Impair Defenses - T1562</a> | <a href="" target="_blank">[MITRE ATT&CK] Credentials from Password Stores - T1555</a><br /> <b>Tags:</b> detection:QakBot, detection:Qbot, detection:Cobalt Strike, detection:Black Basta, malware-type:Ransomware, file-type:IMG, Windows, Disabling DNS, USA, target-country:US</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">RansomExx Upgrades to Rust</a></h3> <p>(published: November 22, 2022)</p> <p>The double-extortion DefrayX ransomware group (aka Hive0091) has rewritten its C++ RansomExx malware in the Rust programming language. It has allowed the studied RansomExx sample to stay undetected in the VirusTotal platform for at least 2 weeks after its initial submission. This sample detected by IBM researchers is targeting Linux, but the DefrayX group typically releases both Linux and Windows malware versions.<br /> <b>Analyst Comment:</b> Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 3-2-1 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable through segmentation, off-line storage, encrypting data at rest, and limiting the storage of personal and sensitive data.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a><br /> <b>Tags:</b> detection:RansomExx, detection:RansomExx2, detection:EXX, Rust, Linux, malware-type:Ransomware, actor:DefrayX, actor:Hive0091</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Yanluowang Ransomware Leaks Analysis: Organization, Collaboration with HelloKitty, Babuk and Conti</a></h3> <p>(published: November 22, 2022)</p> <p>Trellix researchers analyzed over 3,000 messages leaked from the Yanluowang ransomware group internal Matrix chat. The group communicates in Russian and appears to be from Russia, despite portraying themselves as Chinese and privately discussing a possibility to plant a Ukrainian false-flag. Yanluowang members include leader and payroll manager Saint, lead developer Killanas (aka coder0) and pen-testers Felix and Shoker. The group appears to be connected to Conti and HelloKitty ransomware groups, use Babuk ransomware code to develop their own Linux crypter and cooperate with LockBit for Bitcoin laundering.<br /> <b>Analyst Comment:</b> Researchers should be extremely mindful of false-flags and other attribution mistakes. Hidden cooperation between multiple ransomware groups allows for quick evolution and adaptability of threat actors.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> detection:Yanluowang, detection:YLW, malware-type:Ransomware, Russia, source-country:RU, Windows, Linux</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Google Seeks to Make Cobalt Strike Useless to Attackers</a></h3> <p>(published: November 21, 2022)</p> <p>Various threat actors often rely on abusing the Cobalt Strike attack framework. They mostly use leaked and cracked versions that are powerful but can not be upgraded easily. Google researchers analyzed various Cobalt Strike components: the stagers (small shellcode, diskless implants-downloaders), templates, and beacons (final stage implants), including the XOR encodings used by Cobalt Strike. This allowed them to create a collection of 165 Cobalt Strike-specific YARA rules (up to and including Cobalt Strike version 4.7).<br /> <b>Analyst Comment:</b> Despite the growing number of alternatives, Cobalt Strike remains one of the most frequently abused tools. Network defenders are advised to use <a href="" target="_blank"> the Yara rules shared by Google </a>to help with the Cobalt Strike detection.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a><br /> <b>Tags:</b> detection:Cobalt Strike, Cobalt Strike stager, Cobalt Strike Beacon, Windows, Attack framework</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.