October 4, 2022
Anomali Threat Research

Anomali Cyber Watch: Canceling Subscription Installs Royal Ransomware, Lazarus Covinces to SSH to Its Servers, Polyglot File Executed Itself as a Different File Type, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>DLL side-loading, Influence operations, Infostealers, North Korea, Ransomware, Russia,</b> and <b>Social engineering</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/Bl0Si5NRGCzT3nJt1qy1"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/" target="_blank">New Royal Ransomware Emerges in Multi-Million Dollar Attacks</a></h3> <p>(published: September 29, 2022)</p> <p>AdvIntel and BleepingComputer researchers describe the Royal ransomware group. Several experienced ransomware actors formed this group in January 2022. It started with third-party encryptors such as BlackCat, switched to using its own custom Zeon ransomware, and, since the middle of September 2022, the Royal ransomware. Royal group utilizes targeted callback phishing attacks. Its phishing emails impersonating food delivery and software providers contained phone numbers to cancel the alleged subscription (after the alleged end of a free trial). If an employee calls the number, Royal uses social engineering to convince the victim to install a remote access tool, which is used to gain initial access to the corporate network.<br/> <b>Analyst Comment:</b> Use services such as Anomali's Premium Digital Risk Protection to detect the abuse of your brands in typosquatting and phishing attacks. Organizations should include callback phishing attacks awareness into their anti-phishing training.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> actor:Royal, detection:Zeon, detection:Royal, malware-type:Ransomware, detection:BlackCat, detection:Cobalt Strike, Callback phishing attacks, Spearphishing, Social Engineering</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/" target="_blank">ZINC Weaponizing Open-Source Software</a></h3> <p>(published: September 29, 2022)</p> <p>Microsoft researchers described recent developments in Lazarus Group (ZINC) campaigns that start from social engineering conversations on LinkedIn. Since June 2022, Lazarus was able to trojanize several open-source tools (KiTTY, muPDF/Subliminal Recording software installer, PuTTY, TightVNC, and Sumatra PDF Reader). When a target extracts the trojanized tool from the ISO file and installs it, Lazarus is able to deliver their custom malware such as EventHorizon and ZetaNile. In many cases, the final payload was not delivered unless the target manually established an SSH connection to an attacker-controlled IP address provided in the attached ReadMe.txt file.<br/> <b>Analyst Comment:</b> All known indicators connected to this recent Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Researchers should monitor for the additional User Execution step required for payload delivery. Defense contractors should be aware of advanced social engineering efforts abusing LinkedIn and other means of establishing trusted communication.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a><br/> <b>Tags:</b> mitre-group:Lazarus Group, actor:ZINC, detection:ZetaNile, detection:EventHorizon, North Korea, source-country:KP, USA, target-country:US, United Kingdom, target-country:UK, Russia, target-country:RU, India, target-country:IN, LinkedIn, Social engineering, Open-source software, target-industry:Aerospace NAICS 541715, target-industry:Defense NAICS 928110, target-industry:Media NAICS 516210, target-sector:Telecommunications NAICS 517</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/" target="_blank">More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID</a></h3> <p>(published: September 27, 2022)</p> <p>Palo Alto researchers discovered a malicious polyglot file that had two different file format types and a different behavior depending on the application executing it. It was a polyglot Microsoft Compiled HTML Help (CHM) file displaying a help window decoy when being executed as CHM. At the same time, it was triggering self-execution by the Mshta.exe utility that executes Microsoft HTML Application (HTA) files. This CHM file being executed as HTA, executed the IcedID infostealer DLL binary from the original archived ISO phishing attachment.<br/> <b>Analyst Comment:</b> Network defenders should not trust binaries based on their file types. Analysts can look for buried code such as an HTA code buried in an CHM file.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947145" target="_blank">[MITRE ATT&amp;CK] Signed Binary Proxy Execution - T1218</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> Polyglot file, mitre-software:IcedID, detection:Bokbot, file-type:ISO, file-type:CHM, file-type:CHM, malware-type:Infostealer, Phishing</p> </div> <div class="trending-threat-article"> <h3><a href="https://about.fb.com/news/2022/09/removing-coordinated-inauthentic-behavior-from-china-and-russia/" target="_blank">Taking Down Coordinated Inauthentic Behavior from Russia and China</a></h3> <p>(published: September 27, 2022)</p> <p>Facebook (Meta) researchers discovered disinformation networks operated by China- and Russia-sponsored actors. China’s operations were caught in an early growth phase targeting Chechia and online discussions related to the US midterm elections. Russia's coordinated operations were on a larger scale and included many typosquatted domains impersonating mass media, various social media accounts, and $105,000 in advertising spending to promote those inauthentic accounts and messaging. In June-September 2022, this campaign targeted Germany the most, spreading messages doubting sanctions on Russia and criticizing Ukrainian refugees.<br/> <b>Analyst Comment:</b> Many hostile nations look to establish coordinated inauthentic behavior operations. First, they can achieve a growth and captive audience, then, they may deliver propaganda, disinformation, and/or other messaging causing distrust and confusion. This research by Facebook shows that we need to remain critical when seeing an inauthentic behavior, whether it is on social media or on platforms such as Change[.]org. Anomali customers concerned about risks to their digital assets (including similar/typosquatted domains) can try out <a href="https://www.anomali.com/resources/data-sheets/anomali-premium-digital-risk-protection" target="_blank">Anomali's Premium Digital Risk Protection service.</a><br/> <b>Tags:</b> Typosquatting, Bots, Coordinated inauthentic behavior, China, source-country:CN. Russia, source-country:RU, Germany, target-country:DE, USA, target-country:US, Czechia, target-country:CZ, Facebook, Instagram, Telegram, Change.org, Avaaz, Twitter, Livejournal, Elections</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/unsigned-dlls/" target="_blank">Hunting for Unsigned DLLs to Find APTs</a></h3> <p>(published: September 26, 2022)</p> <p>Palo Alto researchers created two XQL queries to hunt for malicious unsigned DLLs that were loaded by rundll32.exe/regsvr32.exe or other signed processes. In February-August 2022, banking trojans and individual threat actors typically used rundll32.exe or regsvr32.exe, while government-sponsored groups preferred the DLL side-loading technique. China-sponsored group Mustang Panda has been dropping a three-file payload into the ProgramData folder: a benign EXE (a PDF loader or antivirus software such as Avast), a malicious DLL, and an encrypted DAT payload file. North Korea-sponsored Lazarus Group used the signed DreamSecurity MagicLine4NX process to write two files to a random directory in ProgramData: a new DLL and the native Windows binary wsmprovhost.exe.<br/> <b>Analyst Comment:</b> Anomali Match can enable you to detect past occurrences of such attacks using retrospective search capabilities. Loading unsigned DLLs by signed processes provides for defense evasion, but leaves important hunting opportunities for network defenders. Focus on known third-party software placed in non-standard directories, high-entropy files, low frequency of execution, and folders or files with scrambled names.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/947145" target="_blank">[MITRE ATT&amp;CK] Signed Binary Proxy Execution - T1218</a><br/> <b>Tags:</b> mitre-group:Lazarus Group, mitre-group:Mustang Panda, HoneyMyte, actor:PKPLUG, actor:Stately Taurus, actor:ZINC, actor:BRONZE PRESIDENT, detection:PlugX, actor:Raspberry Robin, North Korea, source-country:KP, China, source-country:CN, rundll32.exe, regsvr32.exe, wsmprovhost.exe, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/" target="_blank">NullMixer: Oodles of Trojans in a Single Dropper</a></h3> <p>(published: September 26, 2022)</p> <p>Kaspersky researchers described a malicious campaign leveraging the NullMixer downloader. The threat actors created malicious websites promoted with search engine optimization targeting users searching for “cracks” and “keygens”. After additional redirects the user is prompted to download a password-protected masqueraded archive. Upon user activation, three stages of the NullMixer malware are being dropped and executed. NullMixer drops and executes over a dozen of additional malware, some of each further downloads even more malware. As a result, the user's machine can be infected with dozens of malware families including ColdStealer, Disbuk, Fabookie, LgoogLoader, RedLine, and SmokeLoader.<br/> <b>Analyst Comment:</b> As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. These types of downloads should be restricted by your company, often by supplying legitimate with dedicated development teams who continue improving and implementing new patches. Your employees should be well educated about the risks these downloads pose.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/3905778" target="_blank">[MITRE ATT&amp;CK] Impair Defenses - T1562</a> | <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a><br/> <b>Tags:</b> detection:NullMixer, SEO, detection:Glupteba, detection:RedLine, detection:ColdStealer, detection:GCleaner, detection:Downloader.Bitser, detection:Azorult, NSIS, detection:DanaBot, detection:PseudoManuscrypt, detection:SmokeLoader, detection:FormatLoader, detection:Vidar, detection:PredatorTheThief, Brazil, target-country:BR, India, target-country:IN, Russia, target-country:RU</p> </div> <div class="trending-threat-article"> <h3><a href="https://asec.ahnlab.com/en/39152/" target="_blank">FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers</a></h3> <p>(published: September 23, 2022)</p> <p>AhnLab researchers described one of the prominent ransomware families that targets vulnerable MS-SQL servers: the FARGO (Mallox) ransomware. FARGO infection chain starts with brute-force attack or with exploitation of an outdated MS-SQL server. Initial downloader is built on .NET and is being downloaded by the MS-SQL process through cmd.exe and powershell.exe. After downloading additional malware, it is being injected into AppLaunch.exe, a Windows binary. FARGO file-extension exclusion list includes not only extensions for current and future FARGO versions, but also an extension for the Globeimposter ransomware that has similar targeting.<br/> <b>Analyst Comment:</b> If you manage a MS-SQL server, keep it updated with security patches and implement robust password policies to fight brute-force and dictionary attacks. Network and host-based indicators of compromise related to FARGO are available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/2402535" target="_blank">[MITRE ATT&amp;CK] Service Stop - T1489</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/2402534" target="_blank">[MITRE ATT&amp;CK] Inhibit System Recovery - T1490</a><br/> <b>Tags:</b> detection:FARGO, malware-type:Ransomware, detection:Mallox, MS-SQL server, Microsoft, PowerShell, Windows</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.