April 18, 2023
Anomali Threat Research

Anomali Cyber Watch: Cozy Bear Employs New Downloaders, RTM Locker Ransomware Seeks Privacy, Vice Society Automated Selective Exfiltration

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Clicker, Conversation hijacking, Data exfiltration, Malspam, Phishing, Ransomware, Russia, </b> and <b> Supply chain</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/HWSpDuPBSe2dMSUHEsUr"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://securelist.com/qbot-banker-business-correspondence/109535/" target="_blank">QBot Banker Delivered through Business Correspondence</a></h3> <p>(published: April 17, 2023)</p> <p>In early April 2023, an increased volume of malspam utilizing business-email thread hijacking was detected delivering the QBot (QakBot, QuackBot, Pinkslipbot) banking trojan. The observed lures in English, German, Italian, and French were targeting various countries with the top three being Germany, Argentina, and Italy, in that order. The attackers were spoofing a name in the hijacked conversation to prompt the target to open an attached PDF file. The target is then faced with a button, a password, and an instruction to download, unpack and execute a malicious Windows Script File (WSF) within a password-protected archive. User execution is followed by automated deobfuscation of a contained JScript producing an encoded PowerShell script aimed at downloading a QBot DLL from a compromised website and running it with the help of rundll32. QBot steals credentials, profiles systems to identify prospects for additional high-value targeting, and steals locally-stored emails for further proliferation via thread hijacking malspam.<br/> <b>Analyst Comment:</b> The spoofing of the sender’s name from the previous letters in the ‘From’ field can be identified in this campaign because it uses a sender’s fraudulent email address different from that of the real correspondent. Users should be cautious with password-protected archives and suspicious file types such as WSF. Network and host-based indicators associated with this QBot campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9883" target="_blank">[MITRE ATT&amp;CK] T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9944" target="_blank">[MITRE ATT&amp;CK] T1207 - Rogue Domain Controller</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&amp;CK] T1218.011 - Signed Binary Proxy Execution: Rundll32</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&amp;CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9669" target="_blank">[MITRE ATT&amp;CK] T1114.001 - Email Collection: Local Email Collection</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a><br/> <b>Tags:</b> malware:QBot, malware-type:Banking trojan, malware:QakBot, malware:QuackBot, malware:Pinkslipbot, detection:Trojan-Banker.Win32.Qbot, target-country:Germany, target-country:DE, target-country:Argentina, target-country:AR, target-country:Italy, target-country:IT, campaign:Obama249, abused:PowerShell, file-type:WSF, file-type:DLL, file-type:PDF, file-type:ZIP, JScript, technique:Email thread hijacking, technique:Conversation hijacking, technique:Compromised website, abused:Base64, abused:rundll32, target-system:Windows</p> <h3 id="article-2"><a href="https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services" target="_blank">Espionage Campaign Linked to Russian Intelligence Services</a></h3> <p>(published: April 13, 2023)</p> <p>A new cyberespionage campaign attributed to Russia-sponsored group Cozy Bear (APT29, Nobelium) has been targeting NATO and European Union member countries, and to a lesser extent, Africa. An embassy-themed spearphishing link leads to a compromised website with a custom ​​EnvyScout script utilizing the HTML Smuggling technique. Three new downloaders were unique to this campaign: SnowyAmber, used since October 2022, QuarterRig, used since March 2023, and ​​HalfRig, used since February 2023. The final observed payload was an attack framework beacon, either Cobalt Strike or Brute Ratel.<br/> <b>Analyst Comment:</b> Many advanced attacks start with a spearphishing email. It is important to teach your users basic online hygiene and phishing awareness. indicators associated with this Cozy Bear campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. Network defenders can use the Polish government’s YARA rules identifying the custom backdoors associated with this campaign.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10043" target="_blank">[MITRE ATT&amp;CK] T1583.003 - Acquire Infrastructure: Virtual Private Server</a> | <a href="https://ui.threatstream.com/attackpattern/10044" target="_blank">[MITRE ATT&amp;CK] T1583.006 - Acquire Infrastructure: Web Services</a> | <a href="https://ui.threatstream.com/attackpattern/10048" target="_blank">[MITRE ATT&amp;CK] T1584 - Compromise Infrastructure</a> | <a href="https://ui.threatstream.com/attackpattern/9883" target="_blank">[MITRE ATT&amp;CK] T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&amp;CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/10105" target="_blank">[MITRE ATT&amp;CK] T1574.001 - Hijack Execution Flow: Dll Search Order Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/12882" target="_blank">[MITRE ATT&amp;CK] T1027.006 - Obfuscated Files or Information: Html Smuggling</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/10020" target="_blank">[MITRE ATT&amp;CK] T1553.005 - Subvert Trust Controls: Mark-Of-The-Web Bypass</a> | <a href="https://ui.threatstream.com/attackpattern/10105" target="_blank">[MITRE ATT&amp;CK] T1574.001 - Hijack Execution Flow: Dll Search Order Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9721" target="_blank">[MITRE ATT&amp;CK] T1102 - Web Service</a> | <a href="https://ui.threatstream.com/attackpattern/9724" target="_blank">[MITRE ATT&amp;CK] T1102.003 - Web Service: One-Way Communication</a><br/> <b>Signatures:</b> <a href="https://ui.threatstream.com/signature/107417" target="_blank">APT29 HalfRig Obfuscation. YARA by CERT Polska</a> | <a href="https://ui.threatstream.com/signature/107416" target="_blank">APT29 QuarterRig. YARA by CERT Polska</a> | <a href="https://ui.threatstream.com/signature/107418" target="_blank">APT29 SnowyAmber downloader. YARA by CERT Polska</a><br/> <b>Tags:</b> actor:Cozy Bear, actor:Nobelium, mitre-group:APT29, target-region:NATO, target-region:European Union, target-region:Africa, source-country:Russia, source-country:RU, technique:HTML smuggling, malware:​​EnvyScout, malware:SnowyAmber, malware:QuarterRig, malware:​​HalfRig, malware:​​Cobalt Strike, malware:​​Brute Ratel, abused:NOTION collaboration service, target-system:Windows</p> <h3 id="article-3"><a href="https://www.trellix.com/en-us/about/newsroom/stories/research/read-the-manual-locker-a-private-raas-provider.html" target="_blank">Read The Manual Locker: A Private RaaS Provider</a></h3> <p>(published: April 13, 2023)</p> <p>The Read The Manual (RTM) Locker group is a new ransomware-as-a-service (RaaS) provider with likely connections to the Commonwealth of Independent States. The group operates Windows-targeting ransomware with a focus on double-extortion attacks on corporate environments. The RTM Locker malware requires an affiliate to provide administrative privileges in the compromised network. To increase the effect of encryption, the locker tries to mount all unmounted partitions to unused drives until all 26 drive letters are in use. RTM Locker uses Input/Output Completion Ports to enable multiple threads to work with the same file at the same time. The RTM Locker group avoids direct spreading via malspam, marks its builds to discourage premature leaks, clears the logs and removes the locker after the system is encrypted. Additionally, the group employs strict rules for its affiliates to adhere to targeting rules and be removed for unexcused inactivity of over 10 days.<br/> <b>Analyst Comment:</b> Multi-threading allows RTM Locker for fast encryption. Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allows recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&amp;CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9768" target="_blank">[MITRE ATT&amp;CK] T1070.001 - Indicator Removal on Host: Clear Windows Event Logs</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&amp;CK] T1106: Native API</a> | <a href="https://ui.threatstream.com/attackpattern/9718" target="_blank">[MITRE ATT&amp;CK] T1134.002 - Access Token Manipulation: Create Process With Token</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a><br/> <b>Tags:</b> actor:RTM Locker, malware:RTM Locker, malware-type:RaaS, malware-type:Ransomware, detection:RTMLocker, abused:TOX, abused:IOCP, source-region:Commonwealth of Independent States, source-region:CIS, target-system:Windows</p> <h3 id="article-4"><a href="https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/" target="_blank">Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land</a></h3> <p>(published: April 13, 2023)</p> <p>A new PowerShell data exfiltration script was detected in use by the Vice Society ransomware group. The attackers get access to the target's Domain Controller, which allows them to deploy this script to any endpoint within the network. It is started with the parameter to bypass Execution Policy restrictions and starts by ​​identifying mounted drives on the system via Windows Management Instrumentation. The script proceeds to automatically identify and process directory names for all directories on each mounted volume that do not match the ignore list. It then uses additional keywords and parameters to select which directories and files to pass to exfiltrate via HTTP POST requests to the threat actor’s web server. The script implements rate limiting to avoid overwhelming the host’s resources.<br/> <b>Analyst Comment:</b> The use of the living off the land binaries and scripts (LOLBAS) methods, such as PowerShell scripts and WMI creates difficulties for detection. Network defenders can check Windows Event Logs (WEL) Event IDs 400, 600, 800, 4103 and 4104. Monitor for HTTP POST events to /upload endpoints on unknown remote HTTP servers, and HTTP activity direct to external IP addresses. Use Palo Alto Networks YARA signature to detect this malicious PowerShell exfiltration activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9903" target="_blank">[MITRE ATT&amp;CK] T1020 - Automated Exfiltration</a> | <a href="https://ui.threatstream.com/attackpattern/9863" target="_blank">[MITRE ATT&amp;CK] T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a><br/> <b>Signatures:</b> <a href="https://ui.threatstream.com/signature/107415" target="_blank">Vice Society PS Exfil Script. YARA by PaloAltoNetworks </a><br/> <b>Tags:</b> actor:Vice Society, malware-type:ransomware, malware-type:Exfiltration tool, Data exfiltration, abosed:PowerShell, technique:Living off the land binaries and scripts, technique:LOLBAS, technique:Rate limiting, Windows Event Log, target-system:Windows</p> <h3 id="article-5"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/goldoson-privacy-invasive-and-clicker-android-adware-found-in-popular-apps-in-south-korea/" target="_blank">Goldoson: Privacy-Invasive and Clicker Android Adware Found in Popular Apps in South Korea</a></h3> <p>(published: April 12, 2023)</p> <p>A malicious Android library dubbed Goldoson has been found targeting predominantly South Korean users. McAfee researchers detected it in applications downloaded more than 100 million times from Google Play, and 8 million from the ONE store, an app store popular in South Korea. Goldoson collects information about users’ locations, connection history, and installed applications. The library either gets the permissions from the app or specifically asks the user to allow the location permission. Additionally, Goldoson produces hidden fraudulent traffic by loading HTML code and injecting it into a customized and hidden WebView and visiting the URLs recursively.<br/> <b>Analyst Comment:</b> All the identified affected applications were either updated or removed from the official stores. Users are advised to regularly review the list of installed applications to remove those that are no longer needed. Pay attention to signs of malicious resource utilizations such as device overheating and faster battery drain. Do not grant unnecessarily permissions such as location permission unless you know it is needed for the application to produce desired functionality. Network indicators associated with the Goldoson adware are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/18602" target="_blank">[MITRE ATT&amp;CK] T1474.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools</a> | <a href="https://ui.threatstream.com/attackpattern/17807" target="_blank">[MITRE ATT&amp;CK] T1406 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/17820" target="_blank">[MITRE ATT&amp;CK] T1430 - Location Tracking</a> | <a href="https://ui.threatstream.com/attackpattern/12252" target="_blank">[MITRE ATT&amp;CK] T1424 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/18640" target="_blank">[MITRE ATT&amp;CK] T1646 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/18630" target="_blank">[MITRE ATT&amp;CK] T1643 - Generate Traffic From Victim</a><br/> <b>Tags:</b> malware:Goldoson, malware-type:Clicker, malware-type:Adware, Supply-chain, target-country:South Korea, target-country:KR, malware-type:Compromised app, malware-type:Malicious library, target:Mobile, abused:Google Play, abused:ONE store, target-system:Android</p> </div> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.