July 26, 2022
Anomali Threat Research

Anomali Cyber Watch: Cozy Bear Abuses Google Drive API, Complex Lightning Framework Targets Linux, Google Ads Hide Fraudulent Redirects, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Bots, China, Linux, Malspam, Mobil, Russia,</b> and <b>Spearhishing</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-072722.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/" target="_blank">Lightning Framework: New Undetected “Swiss Army Knife” Linux Malware</a></h3> <p>(published: July 21, 2022)</p> <p>Intezer researchers discovered a new Linux malware called Lightning Framework (Lightning). It is a modular framework able to install multiple types of rootkits and to run various plugins. Lightning has passive and active capabilities for communication with the threat actor, including opening up SSH service via an OpenSSH daemon, and a polymorphic command and control (C2) configuration. Lightning is a newly discovered threat, and there is no information about its use in the wild and the actors behind it.<br /> <b>Analyst Comment:</b> Defenders should block known Lightning indicators. Monitor for file creation based on the Lightning naming convention.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947081" target="_blank">[MITRE ATT&CK] Logon Scripts - T1037</a> | <a href="https://ui.threatstream.com/ttp/947222" target="_blank">[MITRE ATT&CK] Account Manipulation - T1098</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&CK] Hide Artifacts - T1564</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947092" target="_blank">[MITRE ATT&CK] Rootkit - T1014</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947276" target="_blank">[MITRE ATT&CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947121" target="_blank">[MITRE ATT&CK] Network Sniffing - T1040</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947250" target="_blank">[MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&CK] Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a><br /> <b>Tags:</b> Lightning Framework, Linux, Lightning.Downloader, Lightning.Core, Typosquatting, Masquerading, Timestomping, Port:33229</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.malwarebytes.com/threat-intelligence/2022/07/google-ads-lead-to-major-malvertising-campaign/" target="_blank">Google Ads Lead to Major Malvertising Campaign</a></h3> <p>(published: July 20, 2022)</p> <p>Malwarebytes researchers discovered a malvertising campaign abusing Google Search advertisements for popular keywords such as “amazon,” “facebook,” “walmart,” “youtube,” and other world top brands. The malicious ad points to the Google domain and displays the legitimate domain of the company allegedly advertised, so there is no way for users to see from the Google Search page that the destination will be inauthentic. Clicking on the malicious ad leads to several redirects and includes so-called cloaking when the final destination for crawlers and research IP addresses will be the legitimate website, while residential IPs tend to be redirected to a tech support scam page.<br /> <b>Analyst Comment:</b> Users should use caution when clicking on paid positions in Google Search. Use security systems that recognize browser locker features such as forced fullscreen and auto-playing an audio warning.<br /> <b>Tags:</b> Browser locker, Browlock, Malvertizing, Google Ads, Cloaking, Tech support scam, Iframe</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/" target="_blank">Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive</a></h3> <p>(published: July 19, 2022)</p> <p>Unit42 researchers discovered two spearphsihing campaigns that targeted several Western diplomatic missions between May and June 2022. This cyberespionage activity is attributed to Russia’s Foreign Intelligence Service (SVR) tracked as Cozy Bear (APT29). Multi-stage infection used PDF attachments leading to the EnvyScout HTML malware, and a malicious ISO image file with an LNK shortcut. Upon user execution, the first-stage payload uses Google Drive API to communicate with a Google Drive share to exfiltrate victim data and get the second-stage payload, Cobalt Strike Beacon.<br /> <b>Analyst Comment:</b> Defenders should employ a layered approach including anti-phishing training, concentrating on identifying Cobalt Strike traffic and known APT infrastructure. Consider limiting non-administrative accounts&#39; ability to execute certain file types when downloaded from the Internet.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&CK] Hijack Execution Flow - T1574</a><br /> <b>Tags:</b> Cozy Bear, APT29, Cloaked Ursa, Nobelium, Spearphishing, EnvyScout, Cobalt Strike Beacon, Cobalt Strike, Government, Diplomatic, SVR, Russia, source-country:RU, Turkey, Portugal, Brazil, Egypt, NATO, Cyberespionage</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/" target="_blank">I See What You Did There: A Look At The CloudMensis MacOS Spyware</a></h3> <p>(published: July 19, 2022)</p> <p>First discovered in April 2022, CloudMensis, a macOS backdoor which was analyzed and exposed by ESET researchers has capabilities to gather sensitive information on victim’s compromised systems. This malware is specifically designed for macOS and is developed in Objective-C. Primary intentions of the actors include gathering of user critical information through exfiltrating documents, screen captures, keystrokes and other means. CloudMensis utilizes cloud storage for both, receiving commands and exfiltrating documents. This includes but is not limited to pCloud, Yandex Disk, and Dropbox. Apple has acknowledged these kinds of malware and is previewing Lockdown Mode on its operating system which disables entry points for such threats reducing the overall attack surface.<br /> <b>Analyst Comment:</b> Updating and keeping your mac up to date are the basic mitigation techniques. Heavily targeted users and organizations should consider new features such as the Lockdown Mode once released, that will reduce the overall attack surface for such threats.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3905372" target="_blank">[MITRE ATT&CK] Subvert Trust Controls - T1553</a> | <a href="https://ui.threatstream.com/ttp/3905097" target="_blank">[MITRE ATT&CK] Archive Collected Data - T1560</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947100" target="_blank">[MITRE ATT&CK] Data from Removable Media - T1025</a> | <a href="https://ui.threatstream.com/ttp/947098" target="_blank">[MITRE ATT&CK] Email Collection - T1114</a> | <a href="https://ui.threatstream.com/ttp/3904531" target="_blank">[MITRE ATT&CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/947203" target="_blank">[MITRE ATT&CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/3905082" target="_blank">[MITRE ATT&CK] Exfiltration Over Web Service - T1567</a><br /> <b>Tags:</b> CloudMensis, Spyware, macOS, Apple, pCloud, Yandex Disk, Dropbox</p> </div> <div class="trending-threat-article"> <h3><a href="https://krebsonsecurity.com/2022/07/a-deep-dive-into-the-residential-proxy-service-911/" target="_blank">A Deep Dive Into the Residential Proxy Service ‘911’</a></h3> <p>(published: July 18, 2022)</p> <p>VPN services offered for free online, such as 911 (domain 911[.]re) often sell their users’ traffic history and other private information. Moreover, the 911 VPN tool makes them part of the botnet network that sells access to those nodes for proxying. Researchers at the University of Sherbrooke uncovered that 911 also enables the end user to probe the LAN network of the infected node, making it possible to poison the DNS cache of the LAN router of the infected node. 911 started seven years ago, and has roughly 120,000 Windows PCs for rent via the service, mostly in the United States. 911 actively promotes its proxying services to cybercriminals and it has a history of connections with criminal pay-per-install and pay-per-click services.<br /> <b>Analyst Comment:</b> Users should avoid suspicious, free VPN offerings as those often sell their traffic information, turn the user’s PC into a traffic relay for other users, and expose their networks for further attacks.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&CK] Proxy - T1090</a><br /> <b>Tags:</b> 911[.]re, Free VPN, Proxy, USA, target-country:US, China, Romania, Wugaa Enterprises LLC, Gold Click Limited, Pay-per-click, Pay-per-install, Windows, Socks5 proxy</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/" target="_blank">8220 Gang Massively Expands Cloud Botnet to 30,000 Infected Hosts</a></h3> <p>(published: July 18, 2022)</p> <p>Active since 2017, the 8220 cryptomining threat group increased its botnet from around 2,000 bots in mid-2021 to 30,000 bots in July 2022. This Chinese-speaking group is specializing in attacking Linux machines to mine Monero. They use generic infection scripts, the IRC Botnet, and the PwnRig Monero-mining malware. In 2022, the group added a special file containing 450 hardcoded credentials for SSH brute forcing. 8220 also shifted their honeypot evasion blocklist from direct IPs listed in the script to a list in an additionally-downloaded file.<br /> <b>Analyst Comment:</b> Protection from opportunity groups like 8220 should involve regular maintenance and patch deployment to your servers and systems including but not limited to Apache, Confluence, Docker, Drupal, Hadoop, and Redis. Always change default administrative passwords. Monitor for a sudden increase in your CPU utilization.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/2402525" target="_blank">[MITRE ATT&CK] Resource Hijacking - T1496</a> | <a href="https://ui.threatstream.com/ttp/3905778" target="_blank">[MITRE ATT&CK] Impair Defenses - T1562</a><br /> <b>Tags:</b> 8220, Cryptomining, XMRig, Monero miner, Linux, Botnet, China, source-country:CN, Tsunami IRC Botnet, PwnRig, Honeypot evasion, Jira</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.sekoia.io/ongoing-roaming-mantis-smishing-campaign-targeting-france/" target="_blank">Ongoing Roaming Mantis Smishing (SMS Phishing) Campaign Targeting France</a></h3> <p>(published: July 18, 2022)</p> <p>Roaming Mantis (FLINT 2022-037), is a Chinese threat group discovered by SEKOIA.IO researchers in early 2022 with a majority of targets being in France. Depending on the victim&#39;s mobile phone operating system, malicious activity includes either deployment of an Android remote access trojan (RAT) named MoqHao or redirects to a fake Apple iCloud page. MoqHao, when deployed, has capabilities of stealing browser information and other user sensitive information. This campaign was also discovered in regions like Japan, South Korea, and Taiwan. The main motivation behind the campaign is financial, which is why developed nations are being targeted.<br /> <b>Analyst Comment:</b> SMS Phishing has been around for a while and the best possible mitigation is to never respond to unknown links received via SMS. Regularly updating the browser and operating system, and also reporting unknown SMS to telecom companies are the best mitigation techniques.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947203" target="_blank">[MITRE ATT&CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a><br /> <b>Tags:</b> Roaming Mantis, MoqHao, Wroba, XLoader, Android malware, RAT, SMS, Phishing, Smishing, target-country:FR, France, iOS, iPhone</p> </div> <div class="trending-threat-article"> <h3><a href="https://citizenlab.ca/2022/07/geckospy-pegasus-spyware-used-against-thailands-pro-democracy-movement/" target="_blank">GeckoSpy: Pegasus Spyware Used Against Thailand’s Pro-Democracy Movement</a></h3> <p>(published: July 17, 2022)</p> <p>CitizenLab researchers describe a wide spyware campaign targeting the opposition to the Thai government with the Pegasus spyware. From October 2020 to November 2021, over 30 key figures associated with pro-democracy protests were targeted: activists, academics, lawyers, and NGO workers. The campaign slowed down after Apple made patches for the ForcedEntry exploit in late September 2021. It stopped after Apple notified the targeted individuals and filed a lawsuit against NSO Group that was providing Pegasus. NSO operations and domain infrastructure targeting Thailand go back to May 2014.<br /> <b>Analyst Comment:</b> Political figures and heavily targeted individuals can consider keeping their devices updated and maximally locked/hardened, not trusting unwarranted messages and web-links, or minimizing their use of apps and IT technologies when dealing with sensitive information altogether.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a><br /> <b>Tags:</b> GeckoSpy, NSO Group, Pegasus, Spyware, Government, Thailand, source-country:TH, target-country:TH, Apple, iPhone, ForcedEntry exploit, CVE-2021-30860, CVE-2021-30858</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week&#39;s Anomali Cyber Watch can be found below:</p> <p><a href="https://ui.threatstream.com/actor/12600" target="_blank">APT29</a><br /> The Advanced Persistent Threat (APT) group “APT29” is a Russian-based group that was first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group boasts an arsenal of custom and complex malwares at its disposal and is believed to be sponsored by the Russian Federation government. APT29 conducts cyber espionage campaigns and has been active since at least 2008. The group primarily targets government entities and organizations that work in geopolitical affairs around the world, however, a plethora of other targets have also been identified.</p> <p><a href="https://ui.threatstream.com/vulnerability/1542613" target="_blank">CVE-2021-30860</a><br /> An integer overflow was addressed with improved input validation. This issue is fixed in Security Update 2021-005 Catalina, iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6, watchOS 7.6.2. Processing a maliciously crafted PDF may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.</p> <p><a href="https://ui.threatstream.com/vulnerability/1542615" target="_blank">CVE-2021-30858</a><br /> A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.