Anomali Cyber Watch: Cozy Bear TTPs, Darkside Ransomware Shuts Down US Pipeline, Operation TunnelSnake Uses New Moriya Rootkit, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Fileless Malware, Malspam, Phishing, Ransomware, Rootkits, Targeted Attacks and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Darkside Ransomware Caused Major US Pipeline Shutdown

(published: May 8, 2021)

A DarkSide ransomware attack caused Colonial Pipeline to shut down the biggest US gasoline pipeline on Friday, May 7th, 2021. The pipeline is the main source of gasoline, diesel and jet fuel for the US East Coast and runs from Texas to Tennessee and New Jersey, serving up to 50 million people. The DarkSide group began their attack against the company a day earlier, stealing nearly 100 gigabytes of data before locking computers with ransomware and demanding payment.
Analyst Comment: While DarkSide's first known activity goes back only to August 2020, it is likely backed by experienced Eastern-European actors. Ransomware protection demands a multi-layered approach that includes isolation, air-gaps, backup solutions, anti-phishing training and detection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Scripting - T1064
Tags: DarkSide, ransomware, Oil and Gas, USA, Colonial Pipeline

Revealing The 'Snip3' Crypter, A Highly Evasive RAT Loader

(published: May 7, 2021)

Morphisec has discovered a new stealthy crypter-as-a-service dubbed Snip3. Its advanced anti-detection techniques include: 1) executing PowerShell code with the 'remotesigned' parameter; 2) validating the existence of Windows Sandbox and VMware virtualization; 3) using Pastebin and top4top for staging; 4) compiling RunPE loaders on the endpoint at runtime. Several hackers were observed using Snip3 to deliver various payloads: AsyncRAT, NetWire RAT, RevengeRAT, and Agent Tesla.
Analyst Comment: The Snip3 crypter's ability to identify sandboxing and virtual environments makes it especially capable of bypassing detection-centric solutions. It shows the value of investing in layered cybersecurity solutions rather than relying on a single detection point.
MITRE ATT&CK: [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Process Injection - T1055
Tags: Snip3, crypter, Crypter-as-a-Service, VBS, RAT, AsyncRAT, NetWire RAT, RevengeRAT, Agent Tesla, NYANxCAT

Lemon Duck Targets Microsoft Exchange Servers, Incorporates New TTPs

(published: May 7, 2021)

The Lemon Duck cryptomining group has been active since at least the end of December 2018. In March 2021, Microsoft described them targeting Exchange Servers. On May 7th, 2021, Cisco Talos and Sophos independently published new TTPs for the group. Lemon Duck continues to incorporate new tools, such as Cobalt Strike, into their malware toolkit. The use of fake domains on East Asian top-level domains (TLDs) masks connections to the actual command and control (C2) infrastructure used in these campaigns.
Analyst Comment: The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable Lemon Duck to operate more effectively for longer periods within victim environments. Organizations should remain vigilant against this threat, as it will likely continue to evolve.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] Uncommonly Used Port - T1065 | [MITRE ATT&CK] Web Shell - T1100
Tags: Lemon Duck, Microsoft Exchange, Cobalt Strike, China Chopper, CertUtil, cryptomining, Monero, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858

Russia’s SVR Uses Sliver Framework and Multiple Publicly Available Exploits

(published: May 7, 2021)

Cybersecurity researchers track the cyber activity of Russia's Foreign Intelligence Service (SVR) under the aliases Cozy Bear and APT29. SVR's most recent attacks included the compromise of SolarWinds and MimeCast, and the targeting of COVID-19 vaccine developers. This joint report by US and UK agencies provides additional tactics, techniques and procedures (TTPs) for these activities. SVR's use of publicly-available tools included Cobalt Strike and the Sliver framework. Their featured custom tools include GoldFinder, the GoldMax backdoor, and the Sibot malware. GoldFinder, GoldMax, and Sliver are written in Golang.
Analyst Comment: SVR operators appear to have changed their TTPs after previous reporting of their use of WellMess and WellMail malware. Despite the complexity of supply chain attacks, following basic cyber security principles will make it harder for even sophisticated actors to compromise target networks. By implementing good network security controls and effectively managing user privileges, organizations will help prevent lateral movement between hosts.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Trusted Relationship - T1199 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: Cozy Bear, APT29, SVR, Russia, APT, GoldFinder, GoldMax, Sibot, Sliver, Cobalt Strike, Golang, CVE-2018-13379, CVE-2019-1653, CVE-2019-2725, CVE-2019-9670, CVE-2019-11510, CVE-2019-19781, CVE-2019-7609, CVE-2020-4006, CVE-2020-5902, CVE-2020-14882, CVE-2021-21972, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065

Operation TunnelSnake: Formerly Unknown Rootkit Used to Secretly Control Networks of Regional Organizations

(published: May 6, 2021)

The TunnelSnake campaign demonstrates the activity of a sophisticated Chinese actor that invests significant resources in designing an evasive toolset and in highly targeted infiltration of the networks of high-profile organizations. In 2018-2020, the campaign targeted diplomatic organizations in Asia and Africa. The group uses some old tools (e.g. the China Chopper webshell, BOUNCER), as well as its own rootkits (IISSPy, active in 2018; ProcessKiller; and their newest, the Moriya rootkit). Moriya ensures that packet inspection happens in kernel mode through a Windows driver, allowing attackers to drop the packets of interest before they are processed by the network stack, thus ensuring they are not seen by security solutions. Additionally, the fact that the Moriya rootkit waits for incoming traffic rather than initiating a connection to a server itself avoids the need to incorporate a command and control (C2) address in the malware's binary or to maintain a steady C2 infrastructure.
Analyst Comment: With Microsoft’s introduction of Driver Signature Enforcement and Kernel Patch Protection, the number of Windows rootkits in the wild has decreased dramatically, but high-profile advanced persistent threat (APT) groups still manage to operate sophisticated rootkits like TunnelSnake’s Moriya. Despite Moriya’s efforts in establishing covert communication channels, some other tools used during the TunnelSnake campaign (like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers) made it easier to detect intrusion.
MITRE ATT&CK: [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Hooking - T1179 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] System Information Discovery - T1082
Tags: Moriya rootkit, ProcessKiller, IISSPy, TunnelSnake, China, Asia, Africa, Government, APT, China Chopper, PSExec, BOUNCER, CVE-2017-7269

FiveHands Ransomware Comes With SombRAT

(published: May 6, 2021)

The US Cybersecurity and Infrastructure Security Agency (CISA) released a report analyzing a cyberattack against an organization that used a new ransomware variant, known as FiveHands. FiveHands uses a public key encryption scheme called NTRUEncrypt. These threat actors used FiveHands ransomware, SombRAT, and publicly available penetration testing and exploitation tools (such as SoftPerfect Network Scanner). They steal information, obfuscate files, and demand a ransom.
Analyst Comment: Decommission unused VPN servers, which may act as a point of entry for attackers. Monitor network traffic for unexpected and unapproved protocols, especially outbound to the internet (e.g., SSH, SMB, RDP). Disable unnecessary services on agency workstations and servers.
MITRE ATT&CK: [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] System Time Discovery - T1124 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Connection Proxy - T1090 | [MITRE ATT&CK] System Network Connections Discovery - T1049
Tags: FiveHands, SombRAT, NTRUEncrypt, SoftPerfect Network Scanner, ransomware, RAT

Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware

(published: May 5, 2021)

Roaming Mantis has been using SMS phishing (smishing) to steal SMS messages and contact lists from Asian Android users since 2018. In the second half of 2020, the campaign improved its effectiveness by adopting dynamic DNS services and spreading messages with phishing URLs that infected victims with the fake Chrome application MoqHao. Since January 2021, Roaming Mantis has been targeting Japanese Android users with new malware called SmsSpy. The malicious code infects Android users using one of two variants depending on the OS version: a fake Google Play app on Android OS 10 or later, and a fake Chrome app on Android 9 or earlier devices. The MoqHao family hides C2 (Command and Control) server locations in the user profile page of a blog service, while some samples of SmsSpy use a Chinese online document service to hide C2 locations.
Analyst Comment: Cell phone users should always use caution when receiving a short message with a shortened link inside. If a page prompts you to update your browser or operating system, try updating through settings/regular update procedure instead. You should never install apps from untrusted sources.
MITRE ATT&CK: [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041
Tags: Roaming Mantis, China, Japan, smishing, MoqHao, SmsSpy, SpyAgent, FakeSpy, Android

The UNC2529 Triple Double: A Trifecta Phishing Campaign

(published: May 4, 2021)

In December 2020, Mandiant observed a widespread, global phishing campaign targeting numerous organizations across an array of industries. This previously unknown actor (UNC2529) often used highly customized subject lines for their phishing emails, but sometimes failed to use proper American English. The blog post discusses the campaign and the identification of three new malware families: the downloader DOUBLEDRAG, the fileless dropper DOUBLEDROP and the fileless backdoor DOUBLEBACK.
Analyst Comment: The threat actor made extensive use of hosting infrastructure, obfuscation and fileless malware to complicate detection while delivering a well-coded and extensible backdoor. Organizations should work to build defence-in-depth, starting from anti-phishing solutions and finishing with network-based detections.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] New Service - T1050 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Scripting - T1064
Tags: UNC2529, DOUBLEDRAG, BIFF8 macro, DOUBLEBACK, DOUBLEDROP, USA, Banking And Finance, Military, Engineering, Health, Telecom, Government, malware evolution, fileless

New Windows Pingback Malware Uses ICMP for Covert Communication

(published: May 4, 2021)

Pingback malware targets Microsoft Windows 64-bit systems and uses DLL hijacking to gain persistence. The malicious file in question is a DLL called oci.dll, which was being dropped into the Windows "System" folder. While the initial entry vector is still being investigated, another malware sample, with the file name updata.exe, was observed both dropping a similar malicious oci.dll and configuring msdtc to run on every startup. The oci.dll malware, once launched by msdtc, uses ICMP to stealthily receive commands from its C2 server. The size of the ICMP data sent by the attacker is always 788 bytes. ICMP has no concept of "ports" and uses neither TCP nor UDP. As such, oci.dll may not be picked up by diagnostic tools like netstat.
Analyst Comment: Since ICMP also has legitimate use-cases as a diagnostic tool, the researchers' advice is not to disable it, but rather to put monitoring mechanisms in place to detect any suspicious ICMP traffic.
MITRE ATT&CK: [MITRE ATT&CK] DLL Search Order Hijacking - T1038 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048
Tags: Pingback, ICMP tunneling, DLL hijacking
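As an added example, not code from the Anomali write-up or from the Pingback researchers, the following Python parses raw ICMP echo packets, verifies the RFC 1071 checksum, and flags echo requests or replies whose data section is exactly the 788 bytes reported above; the sample packets are constructed inline, and the fixed 788-byte size is the only page-specific assumption.

```python
import struct

PINGBACK_DATA_LEN = 788       # fixed ICMP data size reported for Pingback's C2 messages
ECHO_TYPES = {0, 8}           # echo reply, echo request

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp_echo(ident: int, seq: int, payload: bytes, icmp_type: int = 8) -> bytes:
    """Build a well-formed ICMP echo packet (used only to construct sample traffic)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte ICMP header; report data length and whether the checksum verifies."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "data_len": len(packet) - 8, "checksum_ok": icmp_checksum(packet) == 0}

def suspicious_icmp(packets) -> list:
    """Return (index, header) for every echo packet whose data length matches Pingback's."""
    hits = []
    for i, pkt in enumerate(packets):
        info = parse_icmp(pkt)
        if info["type"] in ECHO_TYPES and info["data_len"] == PINGBACK_DATA_LEN:
            hits.append((i, info))
    return hits

SAMPLE_PACKETS = [  # constructed traffic: two ordinary pings and two Pingback-sized echoes
    build_icmp_echo(0x1234, 1, bytes(56)),
    build_icmp_echo(0x1234, 2, b"A" * PINGBACK_DATA_LEN),
    build_icmp_echo(0x1234, 3, b"B" * PINGBACK_DATA_LEN, icmp_type=0),
    build_icmp_echo(0x1234, 4, bytes(100)),
]

if __name__ == "__main__":
    for idx, info in suspicious_icmp(SAMPLE_PACKETS):
        print(f"packet {idx}: type={info['type']} id={info['id']:#x} seq={info['seq']} data_len={info['data_len']}")
```

In production the same size check would run over ICMP payloads pulled from a packet capture or IDS export rather than the constructed list, and a hit should be correlated with the msdtc/oci.dll persistence described above.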

Newer Generic Top-Level Domains a Security 'Nuisance'

(published: May 4, 2021)

Farsight Security analyzed a decade of passive DNS data for over 1 billion effective second-level domains across each of the 1,576 IANA-recognized TLDs. The data around TLD use suggests that adding more TLDs was more a pointless nuisance than a valuable extension of the namespace. There is no evidence of the broad migration to sector-specific TLDs that many had initially expected. The analysts do not see entire sectors, for example banks, dropping .com as a primary TLD and refocusing on .bank. From a security perspective, one concern with the growth in the number of TLDs over the past few years is that attackers have more opportunities for spoofing domains for phishing, cybersquatting, and other malicious activities.
Analyst Comment: CISOs should assess TLDs based on their relevance and risk level to their organization. Security measures range from completely blocking certain unpopular, frequently abused TLDs to defensively registering the organization's domain on various TLDs in varied grammatical formats and considering substring matching.
Tags: DNS, TLD, typosquatting
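As an added example, not code from Farsight Security or Anomali, the following Python screens a constructed list of newly observed domains against an organization's brand label using the substring matching and varied-format checks (dropped hyphens, plural) the comment describes, plus a small edit-distance lookalike check and a placeholder list of abused TLDs; the brand label "examplebank", the TLD list and the sample domains are all assumptions.

```python
OWN_TLD = "com"
BRAND = "examplebank"                       # constructed second-level brand label
MAX_EDITS = 2                               # up to two typos away counts as a lookalike
PLACEHOLDER_ABUSED_TLDS = {"tld1", "tld2"}  # placeholder: fill from your own DNS telemetry

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(fqdn: str):
    """Return (second-level label, TLD); assumes no multi-label public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]

def normalize(label: str) -> str:
    """Collapse common registrant variants: dropped hyphens and a trailing plural 's'."""
    label = label.replace("-", "")
    return label[:-1] if label.endswith("s") and len(label) > 3 else label

def classify(fqdn: str):
    """Return a review reason for a newly observed domain, or None if it looks unrelated."""
    sld, tld = split_domain(fqdn)
    if tld in PLACEHOLDER_ABUSED_TLDS:
        return "blocked-tld"
    norm = normalize(sld)
    if norm == BRAND:                       # exact brand on another TLD: defensive-registration candidate
        return None if tld == OWN_TLD else "brand-on-other-tld"
    if BRAND in norm:                       # substring match, e.g. examplebank-login
        return "brand-substring"
    if edit_distance(norm, BRAND) <= MAX_EDITS:
        return "lookalike"
    return None

def screen(domains):
    """List (domain, reason) for every domain classify() flags, preserving input order."""
    return [(d, reason) for d in domains if (reason := classify(d))]

NEW_DOMAINS = [  # constructed sample of newly observed domains
    "examplebank.com", "example-banks.net", "examplebank-login.info",
    "exampelbank.org", "weather.example", "anything.tld1",
]

if __name__ == "__main__":
    for domain, reason in screen(NEW_DOMAINS):
        print(f"{domain:28} {reason}")
```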
