March 8, 2022
Anomali Threat Research

Anomali Cyber Watch: Daxin Hides by Hijacking TCP Connections, Belarus Targets Ukraine and Poland, Paying a Ransom is Not a Guarantee, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Belarus, China, Data breach, Data leak, Oil and gas, Phishing, Russia,</b> and <b>Ukraine</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><b>Figure 1 - IOC Summary Charts. These charts summarize the attached IOCs and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="" target="_blank">Samsung Confirms Galaxy Source Code Breach but Says no Customer Information was Stolen</a></h3> <p>(published: March 7, 2022)</p> <p>South American threat actor group Lapsus$ posted snapshots and claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech company Samsung. On March 7, 2022, Samsung confirmed that the company had recently suffered a cyberattack but said that it does not anticipate any impact on its business or customers. Earlier, in February 2022, Lapsus$ had stolen 1TB of data from GPU giant Nvidia and tried to negotiate with the company.<br/> <b>Analyst Comment:</b> Companies should implement cybersecurity best practices to guard their source code and other proprietary data. Special attention should be paid to employees working from home and to the security of contractors who have access to such data.<br/> <b>Tags:</b> Lapsus$, South Korea, South America, Data breach</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Beware of Malware Offering “Warm Greetings From Saudi Aramco”</a></h3> <p>(published: March 5, 2022)</p> <p>Malwarebytes researchers discovered a new phishing campaign impersonating Saudi Aramco and targeting oil and gas companies. 
The attached PDF file contained an embedded Excel object that would download a remote template exploiting CVE-2017-11882 to download and execute the FormBook information stealer.<br/> <b>Analyst Comment:</b> Organizations should train their users to recognize and report phishing emails. To mitigate this FormBook campaign, users should not handle emails coming from outside the organization while logged on with administrative user rights.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Template Injection - T1221</a><br/> <b>Tags:</b> FormBook, CVE-2017-11882, Oil And Gas, Middle East, Saudi Aramco, Excel, Phishing, Remote template</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Paying a Ransom Doesn’t Put an End to the Extortion</a></h3> <p>(published: March 2, 2022)</p> <p>Venafi researchers conducted a survey regarding recent ransomware attacks and found that 83% of successful ransomware attacks included additional extortion methods: threatening to extort customers (38%), exposing stolen data (35%), and informing customers that their data had been stolen (32%). 35% of those who paid the ransom were still unable to recover their data, and 18% of victims had their data exposed despite having paid the ransom.<br/> <b>Analyst Comment:</b> This survey shows that ransomware payments are not as reliable in preventing further damage to the victimized organization as previously thought. Educate employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications from trusted vendors should also be employed. Emails received from unknown senders should be treated with caution, and attachments from such senders should not be opened. 
Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of a ransomware infection. Read our blog for more information: <a href="{page_6010}" target="_blank">Prevent Ransomware with New Capabilities from Anomali.</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Ransomware, Double extortion, Data exfiltration</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Domains Linked to Phishing Attacks Targeting Ukraine</a></h3> <p>(published: March 2, 2022)</p> <p>The Computer Emergency Response Team of Ukraine (CERT-UA) shared malicious infrastructure involved in phishing campaigns attributed to the Ministry of Defense of the Republic of Belarus, whose cyber activity is tracked under the aliases UNC1151 and Ghostwriter. Secureworks researchers revealed connections to additional domains linked to phishing attacks targeting Ukrainian government and military personnel and Polish-speaking individuals. Secureworks attributes this activity to the MoonScape threat group.<br/> <b>Analyst Comment:</b> War and cyber actions between Russia and Ukraine are starting to involve more actors and targets, including Belarus and Poland. 
Organizations should assess their risks and exposure and implement a defense-in-depth approach to protect against advanced persistent threat (APT) attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> Ghostwriter, UNC1151, MoonScape, Government, Military, Belarus, APT, Ukraine, Poland, Operation Bleeding Bear, Ukraine-Russia Conflict 2022</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Elections GoRansom – a Smoke Screen for The HermeticWiper Attack</a></h3> <p>(published: March 1, 2022)</p> <p>New Golang ransomware, HermeticRansom (aka Elections GoRansom), was first discovered on February 24, 2022. It was likely used as a smokescreen for some of the HermeticWiper attacks that targeted Ukraine before the Russian invasion. Detailed technical analysis shows that this ransomware appears to be a last-minute operation: simple code, no code obfuscation, an ineffective encryption workflow, and grammar errors in the ransom note.<br/> <b>Analyst Comment:</b> Just as DDoS attacks can be a smokescreen for an ongoing intrusion, HermeticRansom was likely a smokescreen for lateral movement and complete data wiping. Defenders should be aware of coordinated multi-point attacks and should not fall into tunnel vision by focusing on a single warning. 
Disaster recovery plans and backup systems should be in place.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Disk Wipe - T1561</a><br/> <b>Tags:</b> HermeticRansom, Elections GoRansom, Ransomware, HermeticWiper, Russia, Ukraine, Ukraine-Russia Conflict 2022, Operation Bleeding Bear</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">TeaBot Malware Slips Back Into Google Play Store to Target US Users</a></h3> <p>(published: March 1, 2022)</p> <p>The TeaBot banking trojan was first spotted targeting Android devices in May 2021 and has since expanded its reach beyond Europe to include Australia, China (Hong Kong), India, Iran, Russia, and the US; it has also started supporting new languages for some of these regions. The number of applications targeted by TeaBot has grown from 60 to over 400 and now includes banking and insurance applications, crypto wallets, and crypto exchanges. TeaBot implemented string obfuscation for evasion, and it has a low antivirus detection rate because the initial dropper application added to the Google Play Store does not download the malicious app immediately.<br/> <b>Analyst Comment:</b> Dropper applications sideloading TeaBot are typically relatively new (less than one year old) on the Google Play Store. Do not grant your applications unnecessary permissions such as full control over your device. 
Do not download unknown applications from outside the Google Play Store even if prompted by one of your existing applications.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> TeaBot, Android, Account takeover, USA, Russia, China, Italy, India, Iran, Spain, Github, Banking, Cryptocurrency, Financial</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Daxin Espionage Backdoor Ups the Ante on Chinese Malware</a></h3> <p>(published: March 1, 2022)</p> <p>The Daxin malware is the most advanced Chinese espionage backdoor yet. Discovered by Symantec in November 2021, it was already fully functional and had been in use since at least 2013. Daxin is an evolution of Backdoor.Zala (aka Exforel), which was used by the same China-sponsored advanced persistent threat (APT) group, active since 2009. Daxin comes in the form of a Windows kernel driver. It focuses on stealth and on communication capabilities, including the ability to tunnel through several nodes to transfer data from computers not directly connected to the Internet. Daxin hijacks TCP connections and allows a new communications channel to be created across multiple infected computers with a single command. It was used in targeted attacks against certain governments and critical infrastructure such as manufacturing, telecommunications, and transportation.<br/> <b>Analyst Comment:</b> The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that Daxin is optimized for use against hardened targets. 
It is recommended to harden your Windows systems to prevent the malware driver from being deployed.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Protocol Tunneling - T1572</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a><br/> <b>Tags:</b> Daxin, Government, Espionage, China, Backdoor.Zala, Exforel, Windows, Windows kernel driver, Slug, Owlproxy, Stealth, Manufacturing, Telecommunications, Transportation</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Weekly Threat Briefing can be found below:</p> <p><a href="" target="_blank">UNC1151</a><br/> UNC1151, alias Ghostwriter, is a suspected Minsk-based advanced persistent threat (APT) group working for the Ministry of Defence of the Republic of Belarus.[1,3,4] UNC1151 has been involved in cyber espionage and in online disinformation and influence campaigns throughout Europe known as "Ghostwriter". These activities involve anti-NATO disinformation campaigns, cyber espionage and politically damaging hack-and-leak operations.[2,3]</p> <p><a href="" target="_blank">PartyTicket Ransomware</a><br/> PartyTicket (HermeticRansom) is an unsophisticated and poorly designed Go-based ransomware likely used as a decoy or distraction from the HermeticWiper attacks used against organizations in Ukraine the day prior to the launch of the Russian invasion on February 24, 2022.</p>
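<p>The remote template injection (T1221) described in the Saudi Aramco phishing entry above leaves a trace inside the Office package itself: an attachedTemplate relationship marked External whose target is an http(s) URL rather than a local template path. The Python detector below is an added example and is not part of the original briefing or the Malwarebytes research; the sample package it builds and the template-host.invalid URL are constructed placeholders, not indicators from the campaign.</p>

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML package relationship namespace and the relationship type that loads a template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def find_external_relationships(ooxml_bytes):
    """Return (part, rel_type, target) for every relationship marked TargetMode="External"."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue  # only relationship parts can point outside the package
            root = ET.fromstring(zf.read(name))
            for rel in root.findall(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                findings.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return findings


def remote_template_targets(ooxml_bytes):
    """attachedTemplate relationships fetched over http(s): the remote template injection marker.
    A local template (file:// or a plain path) is the normal, benign form and is not reported."""
    return [target for _, rel_type, target in find_external_relationships(ooxml_bytes)
            if rel_type == ATTACHED_TEMPLATE and re.match(r"https?://", target, re.I)]


def build_sample_package(template_target):
    """Construct a minimal docx-style package whose settings part references a template (sample input)."""
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: template-host.invalid is a placeholder, not an indicator from the briefing.
    suspicious = build_sample_package("http://template-host.invalid/greetings.dotm")
    print("remote templates:", remote_template_targets(suspicious))
```

The same walk over every .rels part also surfaces other External relationships (for example oleObject or hyperlink targets), so the first function is useful as a general triage step for mail-gateway or sandbox pipelines.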
