Anomali Cyber Watch: Costa Rica in Ransomware Emergency, Charming Kitten Spy and Ransom, Saitama Backdoor Hides by Sleeping, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Conti ransomware, India, Iran, Russia, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

COBALT MIRAGE Conducts Ransomware Operations in U.S.

(published: May 12, 2022)

Secureworks researchers describe campaigns by Iran-sponsored group Cobalt Mirage. These actors are likely part of a larger group, Charming Kitten (Phosphorus, APT35, Cobalt Illusion). In 2022, Cobalt Mirage deployed BitLocker ransomware on a US charity systems, and exfiltrated data from a US local government network. Their ransomware operations appear to be a low-scale, hands-on approach with rare tactics such as sending a ransom note to a local printer. The group utilized its own custom binaries including a Fast Reverse Proxy client (FRPC) written in Go. It also relied on mass scanning for known vulnerabilities (ProxyShell, Log4Shell) and using commodity tools for encryption, internal scanning, and lateral movement.
Analyst Comment: However small your government or NGO organization is, it still needs protection from advanced cyber actors. Keep your system updated, and employ mitigation strategies when updates for critical vulnerabilities are not available.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Account Manipulation - T1098 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Cobalt Mirage, Phosphorous, Cobalt Illusion, TunnelVision, Impacket, wmiexec, Softperfect network scanner, LSASS, RDP, Powershell, BitLocker, Ransomware, Fast Reverse Proxy client, FRP, FRPC, Iran, source-country:IR, USA, target-country:US, Cyberespionage, Government, APT, Go, Log4j2, ProxyShell, CVE-2021-34473, CVE-2021-45046, CVE-2021-44228, CVE-2020-12812, CVE-2021-31207, CVE-2018-13379, CVE-2021-34523, CVE-2019-5591

SYK Crypter Distributing Malware Families Via Discord

(published: May 12, 2022)

Morphisec researchers discovered a new campaign abusing popular messaging platform Discord content distribution network (CDN). If a targeted user activates the phishing attachment, it starts the DNetLoader malware that reaches out to the hardcoded Discord CDN link and downloads a next stage crypter such as newly-discovered SYK crypter. SYK crypter is being loaded into memory where it decrypts its configuration and the next stage payload using hardcoded keys and various encryption methods. It detects and impairs antivirus solutions and checks for debugging environment, achieves persistence through startup folder, and runs the payload using process hollowing technique. For final payloads the actors used the RedLine stealer and various remote access trojans: AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, and WarzoneRAT.
Analyst Comment: As threat actors increasingly abuse popular cloud services, it is not always feasible to block all their staging domains. Organizations need to implement layered defenses starting from phishing awareness and finishing with network segmentation.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: SYK Crypter, DNetLoader, Discord CDN, Quasar RAT, AsyncRAT, NanoCore RAT, QuasarRAT, WarZone RAT, RedLine, njRAT, Agent Tesla, Crypter, WarzoneRAT, RedLine Stealer, Async RAT, Phishing, Windows, Debugger evasion, Process hollowing

Bitter APT Adds Bangladesh to Their Targets

(published: May 11, 2022)

Bitter (T-APT-17), is a group suspected of being sponsored by the Indian government. Since 2013, Bitter targeted China, Pakistan, and Saudi Arabia. From August 2021 to at least February 2022, their new cyberespionage campaign targeted the government of Bangladesh with spearphishing emails impersonating Pakistani officials. Upon a user opening the attached maldoc, the Equation Editor application is launched to run the embedded objects with shellcode to exploit known Microsoft Office vulnerabilities. It allows the attackers to download and execute their custom Trojan-downloader that Cisco Talos researchers called ZxxZ for the string common in its command-and-control (C2) communication.
Analyst Comment: The impersonation of government agencies continues to be an effective spearphishing tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. Email attachments should be treated as untrusted regardless of the sender's credibility. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Bitter, ZxxZ, T-APT-17, APT, JavaMail, Zimbra, cURL, CVE-2018-0798, CVE-2018-0802, CVE-2017-11882, Equation Editor, Spearphishing, Government, Police, Pakistan, Bangladesh, target-country:BD, India, source-country:IN, Cyberespionage

Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques

(published: May 11, 2022)

Proofpoint researchers describe Nerbian RAT, a new malware written in the Go programming language. It was spreading via malicious email campaigns using COVID-19 lures impersonating the World Health Organization (WHO). Nerbian reuses multiple open-source libraries, it reaches out to Github code of Chacal, a Golang anti-virtual-machine framework designed to make debugging and reverse engineering more difficult. It stops if the size of the hard disk is too small or certain functions take too long to execute, and if it detects certain MAC addresses, processes, and strings in the disk name. Nerbian RAT has additional checks not provided by Chacal that query network interface names and if the executable is being debugged.
Analyst Comment: Defenders should monitor for strings referring to offensive GitHub repositories such as Chacal. Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macroses. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: Nerbian RAT, Chacal, COVID-19 lures, WHO, Phishing, NerbianRAT, Go, EU, target-region:Europe, Italy, target-country:IT, Spain, target-country:ES, United Kingdom, target-country:UK

Info-Stealer Campaign Targets German Car Dealerships and Manufacturers

(published: May 10, 2022)

Checkpoint researchers discovered a years-long phishing campaign that targeted German companies in the automotive industry. In February 2021, the actor behind this campaign started registering typosquatted domains. From July 2021 to mid-March 2022, phishing emails were sent enticing users to open attached ISO files and then the dropped .HTA (HTML Applications) file. The final payload was one of the various MaaS (Malware as a Service) info-stealers: AZORult, BitRAT, or Raccoon.
Analyst Comment: Employees should be trained to report suspicious emails to IT. Network defenders advised to configure a system to explode suspicious emails in a sandbox environment, for example, as provided by Anomali XDR (ThreatStream). Anomali Targeted Threat Monitoring service reports newly registered typosquatted domains which then can be blocked through Email Security Solution using Anomali Integrator to help you protect from such targeted phishing attacks.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: AZORult, Raccoon Stealer, BitRAT, EU, Germany, target-country:DE, Iran. source-country:IR, Automotive, Car dealership, Infostealer, ISO, HTA, PowerShell, Phishing, Windows

APT34 Targets Jordan Government Using New Saitama Backdoor

(published: May 10, 2022)

On April 26, 2022, Iran-sponsored actor Helix Kitten (OilRig, APT34) targeted Jordan’s foreign ministry with a phishing attachment dropping a new backdoor named Saitama. The backdoor is written in .Net and communicates via DNS protocol. Saitama command-and-control (C2) includes hardcoded domains with subdomains generated using the Mersenne Twister pseudorandom number generator (PRNG). The backdoor also has a hardcoded list of possible command-line commands that include internal IP and domain addresses, showing the highly-targeted nature of the attack and some previous knowledge about the victim’s internal infrastructure. Saitama is implemented as a finite-state machine meaning it will change its state depending on the command sent to every state. For example, unsuccessful DNS requests puts the backdoor in sleep mode for a time between 6 and 8 hours, and Saitama has ​​different sleep time for every situation.
Analyst Comment: Defense-in-depth is an effective way to help mitigate potential advanced persistent threat (APT) activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Dynamic Resolution - T1568 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: Saitama, Helix Kitten, OilRig, APT34, UAC-0056, Saitama.Agent, Backdoor, Macro, APT, Cyberespionage, Iran, source-country:IR, Jordan, target-country:JO, Middle East, Government, Windows, Mersenne Twister, PRNG, DGA, .Net, Base36

Costa Rica Declares National Emergency after Conti Ransomware Attacks

(published: May 9, 2022)

The Costa Rican President has declared a national emergency following cyber attacks from Conti ransomware group (threat actor Wizard Spider) on multiple government bodies. The country was cripled since the April 2022 attack and denying the ransom demand, its Treasury IT systems has been down for three weeks. Additionally, Conti started publishing the 672 GB dump of the data stolen from the Costa Rican government agencies. As Conti threatens many US organizations as well, the US Department of State has offered a multimillion-dollar reward for information to bring Conti co-conspirators to justice.
Analyst Comment: Cleaning up after ransomware attacks involves restoration of backup data and IT systems, often purchasing at least some new equipment. A thorough investigation needed regarding the potential of abuse of leaked data in the future impersonation/phishing attacks.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Data from Local System - T1005
Tags: Conti, BazarLoader, Wizard Spider, Conti ransomware group, TrickBot, Conti ransomware, Ryuk, Government, Financial, Costa Rica, target-country:CR, Russia, Social Security

Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains

(published: May 9, 2022)

Blackberry researchers analyzed a commodity malware called DCRat (DarkCrystal RAT). DCRat is a modular malware that receives regular updates even though its lowest price point is just $5 dollars (USD) for two months. DCRat is maintained by a developer in Russia. DCRat’s administration tool is programmed in a rarely seen JPHP programming language whose integrated development environment (IDE) is available only in the Russian language version. Subscribers have access to over two dozens of developer’s and third-party plugins with various functions including persistence, cryptomining, and stealing from various information stores.
Analyst Comment: Defenders are advised to block known DCRat C2 domains. Potentially infected machines can be checked for presence of DCRat by identifying specific scheduled tasks and Windows registry entries
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal Application Access Token - T1528 | [MITRE ATT&CK] Endpoint Denial of Service - T1499 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Data Manipulation - T1565 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: DCRat, DCRat Stealer, Windows, JPHP, DevelNext, PHP, JVM, .NET, Dark Crystal RAT, DCRat Studio, DarkCrystal RAT, boldenis44, crystalcoder, DarkCrystalRAT, DCRatSeller_bot, Russia, source-country:RU

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Wizard Spider
Wizard Spider is a financially-motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of Trickbot, Conti, Diavol, and Ryuk malware families. Wizard Spider targets large organizations for a high-ransom return. This is a technique known as big game hunting (or BGH). Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personal Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing an increase in use. Known associated groups are: Grim Spider - A group that has been operating Ryuk ransomware since August 2018; reported to be a cell of Wizard Spider, and Lunar Spider - This threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID). Main activities involve data theft and wire fraud.

The Advanced Persistent Threat (APT) group “OilRig” is believed to be an Iranian-based group that has been active since at least 2014. OilRig conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. OilRig uses a mix of public and custom tools to primarily target entities located in the Middle East.

Charming Kitten
The Cyber Espionage group “Charming Kitten” is believed to be an Iranian-based group that has been active since at least 2014. Charming Kitten conducts cyber espionage operations on many entities, particularly diplomatic, media, and military organizations. The group is known for creating fake social media profiles, to use in an attempt to social engineer their targets. Charming Kitten also creates multiple fake news outlets, that copy news articles, from other legitimate sources, in order to use as a platform for attacks. The group has been observed to use gathered information to blackmail certain targets.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

Microsoft Exchange Server Remote Code Execution Vulnerability This CVE ID is unique from CVE-2021-31196, CVE-2021-31206.


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.