May 9, 2023
-
Anomali Threat Research
,

Anomali Cyber Watch: Custom Virtual Environment Hides FluHorse, BabyShark Evolved into ReconShark, Fleckpe-Infected Apps Add Expensive Subscriptions

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Defense evasion, Infostealers, North Korea, Spearphishing, </b> and <b>Typosquatting</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/KJ3Pw1uySuT3WdaGPs9x"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/deconstructing-amadeys-latest-multi-stage-attack-and-malware-distribution/" target="_blank">Deconstructing Amadey’s Latest Multi-Stage Attack and Malware Distribution</a></h3> <p>(published: May 5, 2023)</p> <p>McAfee researchers have detected a multi-stage attack that starts with a trojanized wextract.exe, Windows executable used to extract files from a cabinet (CAB) file. It was used to deliver the AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To avoid detection, the attackers use obfuscation and disable Windows Defender through the registry thus stopping users from turning it back on through the Defender settings.<br/> <b>Analyst Comment:</b> Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioral analysis defenses and social engineering training. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators associated with this campaign are available in the Anomali platform and users are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&amp;CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a><br/> <b>Tags:</b> malware:Amadey, malware-type:Botnet, malware:RedLine, malware:AgentTesla, malware-type:Infostealer, malware:LockBit, malware-type:Ransomware, abused:Wextract.exe, file-type:CAB, file-type:EXE, file-type:MUI, target-program:Windows Defender, target-system:Windows</p> <h3 id="article-2"><a href="https://research.checkpoint.com/2023/eastern-asian-android-assault-fluhorse/" target="_blank">Eastern Asian Android Assault – FluHorse</a></h3> <p>(published: May 4, 2023)</p> <p>Active since May 2022, a newly-detected Android stealer dubbed FluHorse spreads mimicking popular apps or as a fake dating application. According to Check Point researchers, FluHorse was targeting East Asia (Taiwan and Vietnam) while remaining undetected for months. This stealthiness is achieved by sticking to minimal functions while also relying on a custom virtual machine that comes with the Flutter user interface software development kit. FluHorse is being distributed via emails that prompt the recipient to install the app and once installed, it asks for the user’s credit card or banking data. If a second factor authentication is needed to commit banking fraud, FluHorse tells the user to wait for 10-15 minutes while intercepting codes by installing a listener for all incoming SMS messages.<br/> <b>Analyst Comment:</b> FluHorse's ability to remain undetected for months makes it a dangerous threat. Users should avoid installing applications following download links received via email or other messaging. Verify the app authenticity on the official company (bank, toll) website. Indicators associated with the FluHorse campaigns are available in the Anomali platform for ongoing infections and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/17840" target="_blank">[MITRE ATT&amp;CK] T1517 - Access Notifications</a> | <a href="https://ui.threatstream.com/attackpattern/18619" target="_blank">[MITRE ATT&amp;CK] T1417.002 - Input Capture: Gui Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/18640" target="_blank">[MITRE ATT&amp;CK] T1646 - Exfiltration Over C2 Channel</a><br/> <b>Tags:</b> malware:FluHorse, detection:Stealer.Android.FluHorse.TC, malware-type:Infostealer, technique:Custom virtual environment, target-language:Chinese, target-country:Taiwan, target-country:Vietnam, target-region:Eastern Asia, target-industry:Banks, abused:Flutter, abused:Dart, target-system:Android</p> <h3 id="article-3"><a href="https://www.sentinelone.com/labs/kimsuky-evolves-reconnaissance-capabilities-in-new-global-campaign/" target="_blank">Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign</a></h3> <p>(published: May 4, 2023)</p> <p>North Korea-sponsored group Kimsuky (Thallium, Velvet Chollima) has been involved in cyberespionage operations since at least 2012. SentinelOne researchers describe its new campaign targeting the Korea Risk Group analysis firm with likely broad targeting involving Asia, Europe, and the United States, including government entities, research universities, and think tanks. The group starts with a meticulously-crafted spearphishing email with a link to a password-protected maldoc containing Microsoft Office macros that activate on document close. The group uses the ReconShark infostealer-downloader, which is a new variant of the group’s custom BabyShark malware family.<br/> <b>Analyst Comment:</b> Defense-in-depth is the best way to ensure safety from advanced persistent groups. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. All known indicators associated with this Kimsuky campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9614" target="_blank">[MITRE ATT&amp;CK] T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&amp;CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9831" target="_blank">[MITRE ATT&amp;CK] T1137.001 - Office Application Startup: Office Template Macros</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&amp;CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9986" target="_blank">[MITRE ATT&amp;CK] T1518.001 - Software Discovery: Security Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9853" target="_blank">[MITRE ATT&amp;CK] T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/14432" target="_blank">[MITRE ATT&amp;CK] picus-security: The Most Used ATT&amp;CK Technique — T1059 Command and Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a><br/> <b>Tags:</b> actor:Kimsuki, malware:ReconShark, malware-type:Infostealer, malware-type:Downloader, technique:Spearphishing, source-country:North Korea, target-country:South Korea, abused:OneDrive, abused:WMI, file-type:DOC, file-type:VBS, file-type:HTA, file-type:GIF, file-type:DLL, file-type:DOTM, target-system:Windows</p> <h3 id="article-4"><a href="https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/" target="_blank">Not Quite an Easter Egg: a New family of Trojan Subscribers on Google Play</a></h3> <p>(published: May 4, 2023)</p> <p>Active since 2022, a new subscription Trojans dubbed Fleckpe spreads via Google Play via trojanized photo-editing, smartphone-wallpaper, and other similar apps. Eleven Fleckpe-infected apps on Google Play have been installed on more than 620,000 devices, according to Kaspersky researchers. This campaign focused on Thailand, with additional targeting in Indonesia, Malaysia, Poland, and Singapore. The trojanized app loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets. The payload contacts the C2 with information about the infected device’s country and carrier. The C2 server returns a paid subscription page that is being opened in an invisible web browser. Fleckpe extracts confirmation codes from notifications and attempts to subscribe on the user’s behalf.<br/> <b>Analyst Comment:</b> All eleven Fleckpe-infected apps had been removed from Google Play but the actors might be publishing others. Indicators are available in the Anomali platform for ongoing infections and historical reference. Users should use caution when installing applications and giving them extra permissions. Regularly monitor your statements to identify rogue subscriptions.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/17807" target="_blank">[MITRE ATT&amp;CK] T1406 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/18640" target="_blank">[MITRE ATT&amp;CK] T1646 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/17783" target="_blank">[MITRE ATT&amp;CK] T1437 - Standard Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/17840" target="_blank">[MITRE ATT&amp;CK] T1517 - Access Notifications</a> | <a href="https://ui.threatstream.com/attackpattern/17834" target="_blank">[MITRE ATT&amp;CK] T1422 - System Network Configuration Discovery</a><br/> <b>Tags:</b> malware:Fleckpe, malware-type:Subscription Trojan, detection:Trojan.AndroidOS.Fleckpe, technique:Native library, target-country:Thailand, target-country:Indonesia, target-country:Malaysia, target-country:Poland, target-country:Singapore, abused:Google Play, target-system:Android</p> <h3 id="article-5"><a href="https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/" target="_blank">New KEKW Malware Variant Identified in PyPI Package Distribution</a></h3> <p>(published: May 3, 2023)</p> <p>Cyble researchers have detected a number of malicious packages on Python Package Index (​​PyPI) that were delivering the KEKW infostealer-clipper. These packages are archives in wheel distribution format (WHL files). Once activated they install additional libraries, perform virtual environment checks, stop certain anti-malware and debugging processes, and achieve persistence via startup entry. KEKW replaces cryptocurrency wallet addresses, and steals cookies, credentials, and other sensitive information from various sources including browsers, popular applications (email, gaming, retail, ridesharing, and streaming), and text files.<br/> <b>Analyst Comment:</b> Software developers should be aware of ongoing index-poisoning campaigns relying on typosquatting of popular libraries. After compromised systems were cleaned from KEKW, the targeted users are advised to change passwords immediately, replace compromised banking cards, and make steps to secure their banking and cryptocurrency deposits. Indicators associated with this campaign are available in the Anomali platform for ongoing infections and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9800" target="_blank">[MITRE ATT&amp;CK] T1047 - Windows Management Instrumentation</a> | <a href="https://ui.threatstream.com/attackpattern/9588" target="_blank">[MITRE ATT&amp;CK] T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/3709" target="_blank">[MITRE ATT&amp;CK] T1562: Impair Defenses</a> | <a href="https://ui.threatstream.com/attackpattern/9673" target="_blank">[MITRE ATT&amp;CK] T1056 - Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&amp;CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&amp;CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9863" target="_blank">[MITRE ATT&amp;CK] T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a><br/> <b>Tags:</b> malware:KEKW, malware-type:Infostealer, malware-type:Clipper, abused:PyPI, file-type:WHL, target-industry:Cryptocurrency, Bitcoin, actor:KEKW LTD, target-system:Windows</p> </div> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.