Anomali Cyber Watch: Conti’s Talent Goes to Other Ransom Groups, China-Based Espionage Targets Russia, XorDdos Stealthy Linux Trojan is on the Rise, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Conti Ransomware, Disinformation, Internet of Things, Phishing, VMware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

VMware Vulnerabilities Exploited in the Wild (CVE-2022-22954 and Others)

(published: May 20, 2022)

In April 2022, VMware publicly disclosed several vulnerabilities affecting its products, and in May 2022 the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to mitigate two of them (CVE-2022-22954 and CVE-2022-22960). CVE-2022-22954 is a remote code execution (RCE) vulnerability in VMware Workspace ONE Access and Identity Manager caused by server-side template injection. It can be exploited with a single HTTP request to a vulnerable appliance and has been seen delivering a range of payloads, including coinminers, Perl shellbots, scanning/callback tools, and webshells. CVE-2022-22954 is also being exploited to drop Mirai/Gafgyt variants; in the case of the observed Enemybot variant, the final payload itself embeds a CVE-2022-22954 exploit for further exploitation and propagation.
Analyst Comment: Update impacted VMware products to a patched version or remove impacted versions from organizational networks. If a compromise is detected, immediately isolate affected systems, collect relevant logs and artifacts, and consider engaging incident response services.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: VMware, Perl Shellbot, Stealth Shellbot, Godzilla Webshell, Gafgyt, Mirai, XMRig, Coinminer, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2017-17215, CVE-2022-22961, CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22973, CVE-2022-22972, Linux, Server-side template injection, RCE
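Because the exploit travels in a single HTTP request, the request itself is the cheapest place to hunt for it. The following Python is an added illustration, not code from the bulletin, VMware, or the cited research: it parses web-server access logs (assumed combined log format, constructed sample lines) and flags query strings carrying template-expression syntax. The request path, parameter name and FreeMarker-specific markers used in the sample are assumptions drawn from public analyses of CVE-2022-22954 rather than from this page; adjust MARKERS for the template engine behind the application you are watching.

```python
"""Scan web-server access logs for server-side template injection attempts.

Added example (not Anomali's or VMware's code). Assumes Apache/nginx combined
log format and looks for FreeMarker expression syntax as described in public
analyses of CVE-2022-22954; the path and parameter names in the sample lines
are assumptions for illustration.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines (not real telemetry). The first two carry a template
# expression in the query string; the last two are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2022:10:01:12 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 512 "-" "curl/7.68.0"',
    # Same payload, URL-encoded twice to slip past naive single-decode filters.
    '203.0.113.7 - - [20/May/2022:10:01:15 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%2524%257B%2522freemarker.template.utility.Execute%2522%253Fnew%2528%2529%2528%2522id%2522%2529%257D HTTP/1.1" 400 512 "-" "python-requests/2.27"',
    '198.51.100.4 - - [20/May/2022:10:02:00 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=9f3c1a2b HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [20/May/2022:10:03:44 +0000] "POST /SAAS/API/1.0/REST/auth/system/login HTTP/1.1" 200 913 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Marker name -> pattern applied to the fully decoded query string.
MARKERS = {
    "template_expr": re.compile(r"\$\{"),                      # ${...} expression syntax
    "freemarker_new": re.compile(r"\?new\(\)"),                # FreeMarker ?new() built-in
    "freemarker_execute": re.compile(r"freemarker\.template\.utility\.Execute"),
}

def full_decode(value, rounds=3):
    """URL-decode repeatedly until stable; attackers double-encode to evade filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def parse_request(line):
    """Split one combined-format log line into source, time, method, path and decoded query."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": parts.path, "query": full_decode(parts.query)}

def ssti_markers(query):
    """Names of the template-injection markers present in a decoded query string."""
    return sorted(name for name, pat in MARKERS.items() if pat.search(query))

def scan(lines):
    """Return one hit per request whose decoded query string carries any marker."""
    hits = []
    for line in lines:
        req = parse_request(line)
        if req is None:
            continue
        markers = ssti_markers(req["query"])
        if markers:
            hits.append({**req, "markers": markers})
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} markers={",".join(h["markers"])}')
```

Feed it real lines with `scan(open("access.log"))`. Matching on the decoded query string is what makes the double-encoded request count: a single-decode filter sees only `%24%7B` and passes it through. A hit on `template_expr` alone is a weak signal worth a look; a hit that also includes `freemarker_execute` is an exploitation attempt and the source address belongs in your IOC set regardless of the HTTP status the appliance returned.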

DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape

(published: May 20, 2022)

Advanced Intel researchers report that the Conti ransomware group (Wizard Spider) is in the long-planned process of retiring its brand and has shut down its infrastructure, including its negotiation site and the admin panel of the official Conti website. The attack on Costa Rica was intended to generate publicity for Conti, giving the group a pretext for its planned exit. Conti is morphing into a horizontal network of loosely connected groups acting either independently or inside other ransomware groups. Some groups move entirely to data-theft extortion without using encryptors (lockers): BlackBasta, BlackByte, and Karakurt. Some become Conti-loyal collective affiliates within other ransomware groups (AlphV/BlackCat, AvosLocker, HelloKitty/FiveHands, and HIVE). And some take over existing small-brand ransomware operations outright.
Analyst Comment: The threat to organizations remains high, because after a period of inactivity these actors are expected to resurface with renewed tools and infrastructure. It is a common tactic for ransomware groups to rebrand after coming under the law enforcement spotlight. If Lapsus$ and many ex-Conti groups indeed rely solely on data theft, protecting sensitive information becomes even more crucial.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: Conti, Conti ransomware, Ryuk, HelloKitty, Hive, BlackCat, AvosLocker, BlackBasta, BlackByte, Karakurt, Wizard Spider, Ransomware, Data exfiltration, Government, USA, target-country:US, Costa Rica, target-country:CR, Russia, source-country:RU

Fronton: A Botnet for Creation, Command, and Control of Coordinated Inauthentic Behavior

(published: May 19, 2022)

Nisos researchers discovered that Fronton, a botnet developed for the Russian government, can run social media influence campaigns. When the project documents started leaking in 2020, Fronton was thought to be focused on DDoS capabilities. New data shows that Fronton and its web-based dashboard SANA let operators direct managed bots to promote particular narratives on social media. The system allows operators to create fake accounts with scheduled activity patterns and a social footprint, then coordinate their reaction to a given news item: the activity type (comment, like, repost) is varied, comments can be positive or negative, and content is generated from a chosen style or template. The leaked materials show that the Fronton/SANA system was initially trialed against Kazakhstan, but the scope of its current use is not known.
Analyst Comment: Change the default credentials on your Internet of Things (IoT) devices. Apply security updates as soon as they become available.
Tags: Fronton, SANA, Disinformation, Social media, Bots, DDoS, IoT, VPN, TOR, Proxy, 0Dt, Zeroday Technologies, Pavel Sitnikov, FlatL1ne, Russia, Source-country:RU, FSB, Kazakhstan, target-country:KZ

Rise in XorDdos: A Deeper Look at the Stealthy DDoS Malware Targeting Linux Devices

(published: May 19, 2022)

Microsoft telemetry shows increasing targeting of Linux-based operating systems (OS), which are commonly deployed on cloud infrastructure and Internet of Things (IoT) devices. First discovered in 2014, the XorDdos Linux trojan has increased its activity by 254% over the last six months. XorDdos is known for its XOR-based encryption and is primarily used for distributed denial-of-service (DDoS) attacks, but it also steals sensitive data and can serve as a gateway for other malware. XorDdos spreads via SSH brute-force attacks and employs a number of stealth and anti-analysis techniques: running as a daemon, process hiding, process name spoofing, and others.
Analyst Comment: Follow best password practices to make brute-force attacks less dangerous; targeted devices can show an uptick in failed sign-ins. Organizations should deploy endpoint detection and response (EDR) that covers their Linux hosts. Special focus should go to the use of a malicious shell script for initial access and to the drop-and-execute of binaries from a world-writable location.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Endpoint Denial of Service - T1499
Tags: XorDdos, XMRig, Tsunami, IoT, Cloud, DDoS, SSH, Brute force, Detection evasion, Daemon process, Process name spoofing, Process hiding, Persistence, Linux
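The uptick in failed sign-ins mentioned in the analyst comment can be turned into a concrete check. The following Python is an added example, not Microsoft's or Anomali's code: it parses OpenSSH syslog lines (assumed Debian-style /var/log/auth.log format, with constructed sample lines) and raises one alert when a source crosses a failure threshold inside a sliding window, and a second, higher-priority alert when that same source then authenticates successfully. The threshold and window are assumptions to tune per environment.

```python
"""Detect SSH brute force, and the success that follows it, in sshd logs.

Added example, not Microsoft's or Anomali's code. Assumes OpenSSH syslog lines
as written to Debian-style /var/log/auth.log; the threshold and window below
are assumptions to tune per environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real telemetry): a password-guessing burst from
# one source that ends in a successful root login, then a legitimate user who
# mistypes once and logs in with a key.
SAMPLE_AUTH_LOG = """\
May 19 03:12:01 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 40122 ssh2
May 19 03:12:02 web01 sshd[2213]: Failed password for root from 198.51.100.23 port 40130 ssh2
May 19 03:12:02 web01 sshd[2215]: Failed password for invalid user admin from 198.51.100.23 port 40138 ssh2
May 19 03:12:03 web01 sshd[2217]: Failed password for root from 198.51.100.23 port 40144 ssh2
May 19 03:12:04 web01 sshd[2219]: Failed password for root from 198.51.100.23 port 40150 ssh2
May 19 03:12:05 web01 sshd[2221]: Failed password for root from 198.51.100.23 port 40158 ssh2
May 19 03:12:09 web01 sshd[2230]: Accepted password for root from 198.51.100.23 port 40201 ssh2
May 19 03:15:44 web01 sshd[2302]: Failed password for alice from 192.0.2.8 port 51000 ssh2
May 19 03:15:50 web01 sshd[2304]: Accepted publickey for alice from 192.0.2.8 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line, year=2022):
    """Return a dict for sshd auth results; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}

def detect(log_text, threshold=5, window=60):
    """Alerts: 'brute_force' once per source that logs >= threshold failures
    within `window` seconds, and 'success_after_brute_force' when a flagged
    source then authenticates, which is the signal to triage the host."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Slide the window: drop failures older than `window` seconds.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "count": len(recent), "at": ev["ts"]})
        elif ev["ip"] in flagged:
            alerts.append({"type": "success_after_brute_force", "ip": ev["ip"],
                           "user": ev["user"], "method": ev["method"], "at": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_AUTH_LOG):
        print(a)
```

The second alert type is the one that matters for XorDdos: a burst of failures that never succeeds is background noise on any internet-facing SSH port, but a password success from a source that was just guessing is the moment the host should be pulled for triage (new cron entries, a new daemon, and executables dropped under a world-writable directory are what to look for). Disabling password authentication in sshd_config removes the first alert type entirely.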

Twisted Panda: Chinese APT Espionage Operation Against Russia’s State-Owned Defense Institutes

(published: May 19, 2022)

Check Point researchers discovered a novel malware named Spinner that was used in two China-sponsored cyberespionage campaigns targeting state-owned defense institutes in Russia and, to a lesser extent, in Belarus. Observed phishing lures and decoy documents were themed around Russian government documents, with topics such as government awards, Ukraine-related sanction lists, and even bioweapon allegations. The actors significantly improved their tooling between the first campaign (June 2021) and the second (March-April 2022). Improvements include splitting functionality across several components, adding compiler-level obfuscation to existing shellcode, and dynamic API resolution with name hashing.
Analyst Comment: Defense-in-depth (fail-safe defense processes, layering of security mechanisms, redundancy) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: Twisted Panda, Spinner, Windows, Government, Military, Defense, Russia, target-country:RU, Belarus, target-country:BY, China, source-country:CN, APT, Cyberespionage, Spearphishing, Anti-analysis, Ukraine

Interactive Phishing: Using Chatbot-Like Web Applications to Harvest Information

(published: May 19, 2022)

Trustwave researchers discovered a mail-delivery themed phishing campaign that uses an automated chatbot. Once a user lands on the typosquatted phishing website impersonating DHL (the shipping company), an automated dialog box engages them with questions, guidance, an alleged photo of the parcel, and explanations of why the victim needs to provide credit card data to pay a small delivery fee.
Analyst Comment: Users should verify the domain before entering sensitive information. Be especially suspicious of unsolicited emails, delivery notifications, and unexpected payment requests.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: Phishing, DHL, Chatbot, Typosquatting

Custom PowerShell RAT Targets Germans Seeking Information About The Ukraine Crisis

(published: May 16, 2022)

Threat actors, possibly connected to Russia, re-registered collaboration-bw[.]de, an expired German domain themed around Baden-Württemberg (a German state), and used it to impersonate the state government’s website. Visitors to the spoofed site are prompted to download a ZIP archive that allegedly contains information on the Ukraine crisis. Opening the contained CHM (Microsoft Compiled HTML Help) file displays a decoy error message while a malicious PowerShell script runs in the background. That script downloads an additional script from the same domain and drops two files: a CMD file that runs a TXT file containing a remote access trojan (RAT) written in PowerShell. Persistence is achieved by creating a scheduled task, and the Windows Antimalware Scan Interface (AMSI) is bypassed using an AES-encrypted function.
Analyst Comment: Organizations should teach employees to recognize spoofed government and other high-value websites. Pay attention to the domain name, certificate information, possible typos, and content mismatch.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] File and Directory Permissions Modification - T1222 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] System Owner/User Discovery - T1033
Tags: Germany, target-country:DE, EU, Russia, Ukraine, ZIP, CHM, CMD, PowerShell, RAT, AMSI, AES

Wizard Spider In-Depth Analysis

(published: May 16, 2022)

Prodaft researchers uncovered multiple details about the Russia-based group Wizard Spider and its work with affiliates on the Conti ransomware. Researchers analyzed Conti intrusion servers and profiled Conti’s hash-cracking station and the cold-call center used to further pressure victims into paying the ransom. Details of the group’s tools, virtual private network (VPN) usage, and beacon configurations were also analyzed. While the group is flexible in its intrusion techniques, the first steps of the infection chain often consist of a QBot infection followed by the SystemBC proxy malware and a Cobalt Strike beacon. The observed customizable Cobalt Strike beacons were generated for each team on a daily basis and mostly shared the same data center for command-and-control (C2) communication: ReliableSite (USA).
Analyst Comment: Defenders should block the observed indicators of compromise (available in ThreatStream and Match). Monitor for known Conti/Wizard Spider tools, especially where your employees have no legitimate reason to use them. Keep your systems patched and maintain resilient backup systems.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] OS Credential Dumping - T1003
Tags: Wizard Spider, Conti, Russia, source-country:RU, USA, target-country:US, VPN, QBot, SystemBC, Cobalt Strike, Cobalt Strike beacon, Cryptocurrency, Ransomware, Call-center, Hash cracking, VMware vCenter, Log4j2, ReliableSite, Wireguard VPN, Linux, Windows

UNITED STATES OF AMERICA - against - MOISES LUIS ZAGALA GONZALEZ, Also Known as “Nosophoros,” “Aesculapius” and “Nebuchadnezzar,” Defendant.

(published: May 16, 2022)

The US Department of Justice issued an arrest warrant for a citizen of France and Venezuela, residing in Venezuela, who is responsible for two ransomware operations. In or around 1997, Moises Luis Zagala Gonzalez (Zagala) joined a criminal underground group called “High Cracking University” and started writing malware. More recently, in 2019-2022, he created ransomware and rented it to other actors. First, Zagala rewrote the Jigsaw ransomware and marketed it as “Jigsaw v. 2”. Then he started the Thanos ransomware-as-a-service (RaaS) project.
Analyst Comment: Zagala’s conversations with confidential sources revealed heavy reliance on remote desktop protocol (RDP) access and that companies lacking backups pay the ransom more readily. This highlights the need for defenders to keep immutable backups and to limit and monitor remote access to their systems.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Remote Services - T1021
Tags: Thanos, Ransomware, Jigsaw v. 2, Aesculapius, Nosophoros, Nebuchadnezzar, Haron, Jigsaw, Thanos ransomware, Hakbit, Moises Luis Zagala Gonzalez, RaaS, USA, target-country:US, Venezuela, source-country:VE

Guidance on the Democratic People’s Republic of Korea Information Technology Workers

(published: May 16, 2022)

The U.S. authorities are warning that North Korea is dispatching IT workers to obtain remote jobs at companies across the world. Not only can hiring a North Korean worker have legal consequences, the privileged access these IT workers obtain is sometimes used to facilitate cyber intrusions. These actors go to great lengths to obscure their real identity. They are often located in China or Russia, less frequently in Africa or Southeast Asia. They often change their names and pretend to be from South Korea, the US, or another country. They use VPN services, dedicated machines, fake portfolio websites, forged documents, and proxy identities, and they try to avoid video communication.
Analyst Comment: Organizations should implement background checks, monitor for red flags, segment their networks, and restrict access on a need-to-know basis. Warning signs include a remote employee whose connections come from multiple IP addresses geolocated in different countries over a short period, use of port 3389 or other remote desktop sharing configurations, and frequent transfers to China-linked banks and digital payment systems. Monitor for requests to change the address, phone number, and email provided during the original interview.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078
Tags: North Korea, source-country:KP, DPRK, China, Russia, IT workers, Insider threat
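Two of the warning signs above are checkable from telemetry most organizations already collect. The following Python is an added example, not from the bulletin or the advisory it summarizes: it runs over constructed endpoint events (VPN sign-ins with a geolocated country, and inbound connections accepted by a company-issued laptop) and flags accounts whose sign-ins span three or more countries within seven days, plus inbound RDP/VNC sessions to the laptop from outside assumed corporate ranges. The event schema, thresholds, window and network ranges are all assumptions made for illustration.

```python
"""Surface remote-worker accounts that match the warning signs above.

Added example, not from the bulletin or the U.S. advisory it summarizes.
The event schema, the 7-day window, the three-country threshold and the
corporate network ranges are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real data). Each tuple is:
# (user, ISO timestamp, source ip, geolocated country, event kind, destination port)
# 'vpn_login' is a sign-in to the corporate VPN; 'inbound_conn' is a connection
# accepted by the company-issued laptop assigned to that user.
SAMPLE_EVENTS = [
    ("j.doe", "2022-05-02T09:10:00", "203.0.113.5",   "US", "vpn_login",    None),
    ("j.doe", "2022-05-03T02:40:00", "198.51.100.77", "CN", "vpn_login",    None),
    ("j.doe", "2022-05-05T11:05:00", "192.0.2.200",   "RU", "vpn_login",    None),
    ("j.doe", "2022-05-05T11:07:00", "192.0.2.200",   "RU", "inbound_conn", 3389),
    ("m.lee", "2022-05-02T08:00:00", "203.0.113.40",  "US", "vpn_login",    None),
    ("m.lee", "2022-05-09T08:00:00", "203.0.113.40",  "US", "vpn_login",    None),
    ("m.lee", "2022-05-09T08:30:00", "10.20.30.7",    "US", "inbound_conn", 3389),  # helpdesk, corp LAN
]

CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumed internal ranges
REMOTE_DESKTOP_PORTS = {3389, 5900}           # RDP, VNC

def country_hopping(events, window_days=7, min_countries=3):
    """Users whose VPN sign-ins came from >= min_countries distinct countries
    within any window_days span. Returns {user: sorted countries seen in that window}."""
    window = timedelta(days=window_days)
    recent = defaultdict(list)            # user -> [(timestamp, country)] inside the window
    flagged = {}
    for user, ts, _ip, country, kind, _port in sorted(events, key=lambda e: e[1]):
        if kind != "vpn_login":
            continue
        now = datetime.fromisoformat(ts)
        recent[user] = [(t, c) for t, c in recent[user] if now - t <= window]
        recent[user].append((now, country))
        countries = sorted({c for _, c in recent[user]})
        if len(countries) >= min_countries and user not in flagged:
            flagged[user] = countries
    return flagged

def is_corporate(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)

def inbound_remote_desktop(events):
    """Inbound RDP/VNC sessions to an issued laptop from outside corporate ranges:
    the pattern of a device being driven remotely by someone other than the hire."""
    return [
        {"user": user, "ts": ts, "ip": ip, "country": country, "port": port}
        for user, ts, ip, country, kind, port in events
        if kind == "inbound_conn" and port in REMOTE_DESKTOP_PORTS and not is_corporate(ip)
    ]

def review_queue(events, window_days=7, min_countries=3):
    """Combine both signals into {user: [human-readable reasons]} for HR/security review."""
    reasons = defaultdict(list)
    for user, countries in country_hopping(events, window_days, min_countries).items():
        reasons[user].append(f"VPN sign-ins from {', '.join(countries)} within {window_days} days")
    for r in inbound_remote_desktop(events):
        reasons[r["user"]].append(f"inbound port {r['port']} from {r['ip']} ({r['country']}) on {r['ts']}")
    return dict(reasons)

if __name__ == "__main__":
    for user, why in review_queue(SAMPLE_EVENTS).items():
        print(user)
        for line in why:
            print("  -", line)
```

Neither signal is proof on its own: a genuine traveller will trip the country check, and a helpdesk session will trip the remote-desktop check unless its source is excluded as above. The value is in the combination and in routing the result to a human review that also looks at the identity-change requests the advisory lists, rather than in auto-disabling the account.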

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Wizard Spider
Wizard Spider is a financially motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of the Trickbot, Conti, Diavol, and Ryuk malware families. Wizard Spider targets large organizations for a high ransom return, a technique known as big game hunting (BGH). Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personally Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing increased use. Known associated groups are Grim Spider, a group that has operated the Ryuk ransomware since August 2018 and is reported to be a cell of Wizard Spider, and Lunar Spider, the Eastern European-based operator and developer of the commodity banking malware BokBot (aka IcedID), whose main activities involve data theft and wire fraud.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, an open source Java logging package. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and publicly disclosed on December 9, 2021.

CVE-2022-22954
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

