August 23, 2022
Anomali Threat Research

Anomali Cyber Watch: Emissary Panda Adds New Operation Systems to Its Supply-Chain Attacks, Russia-Sponsored Seaborgium Spies on NATO Countries, TA558 Switches from Macros to Container Files, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>China, Cyberespionage, DDoS, Russia, Spearphishing, Supply chain, Taiwan,</b> and <b>Ukraine</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="" target="_blank">Reservations Requested: TA558 Targets Hospitality and Travel </a></h3> <p>(published: August 18, 2022)</p> <p>Since 2018, financially-motivated threat group TA558 has targeted hospitality and travel with reservation-themed, business-relevant phishing emails. The group concentrates on targeting Latin America using lures written in Portuguese and Spanish, and sometimes uses English and wider targeting (North America, Western Europe). TA558 was seen leveraging at least 15 different malware payloads, most often AsyncRAT, Loda RAT, Revenge RAT, and Vjw0rm. In 2022, Proofpoint researchers detected that TA558 increased its activity and moved from using malicious macros to URLs and container files (ISO, RAR).<br/> <b>Analyst Comment:</b> Microsoft’s preparations to disable macros by default in Office products caused multiple threat groups including TA558 to adopt new filetypes to deliver payloads. It is crucial for personnel working with invoices and other external attachments to use updated, secured systems and be trained on phishing threats. Anomali Match can be used to quickly search your infrastructure for known TA558 IOCs.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> TA558, AsyncRAT, Loda, RAT, Vjw0rm, BluStealer, Revenge RAT, XtremeRAT, Hospitality, Travel, Phishing, ISO, RAR, PowerShell, CVE-2017-11882, CVE-2017-8570</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Estonia Subjected to 'Extensive' Cyberattacks after Moving Soviet Monuments</a></h3> <p>(published: August 18, 2022)</p> <p>On August 17, 2022, Russian hacktivist group KillNet launched distributed denial-of-service (DDoS) attacks targeting Estonia. The Estonian government confirmed receiving the “most extensive” DDoS attacks in 15 years, but stressed that all services are back online after just some minor interruptions. Small and medium-sized DDoS attacks targeted 16 state and private organizations in the country, with seven of them experiencing downtime as a result. Specifically, the Estonian Tax and Customs Board website was unavailable for about 70 minutes.<br/> <b>Analyst Comment:</b> Russian cyber activity follows political tensions, this time coinciding with the removal of a Red Army memorial. Estonia seemingly easily fended off this Russian DDoS attack, but the country is one of the top in cyber preparedness, and Russia limited it’s strike to using hacktivist groups that give plausible deniability when attributing the cyber attack on a NATO country. Organizations that rely on stable work of their Internet properties should consider a comprehensive DDoS protection service. Other individuals and organizations should keep their systems updated to avoid being included into a malicious botnet.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a><br/> <b>Tags:</b> DDoS, Killnet, Russia, source-country:RU, Ukraine, Estonia, target-country:EE, Hacktivism, Government, Financial</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">How Google Cloud Blocked the Largest Layer 7 DDoS Attack at 46 Million RPS</a></h3> <p>(published: August 18, 2022)</p> <p>On June 1, 2022, an unnamed Google customer was targeted with the largest Layer 7 distributed denial-of-service (DDoS) reported to date. A series of HTTPS DDoS attacks originating from the Mēris botnet peaked at 46 million requests per second. The origin of the attack was obscured using unsecured proxies and TOR. The first smaller waves of the attack allowed the defenders to receive and adopt a mitigating filtering rule and block the attack.<br/> <b>Analyst Comment:</b> Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. In addition, the availability for threat actors to compromise vulnerable devices, and purchase DDoS for hire is a continually evolving threat. Mitigation techniques can vary depending on the specifics of the attack. For example, in the case of Mēris, which can target your organization HTTP/S load balancer, filtering rules and HTTP pipelining are recommended .<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a><br/> <b>Tags:</b> DDoS, Mēris, Proxy, TOR, HTTP pipelining, HTTP/S load balancer, HTTPS DDoS, Layer 7 DDoS</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">SocGholish: 5+ Years of Massive Website Infections</a></h3> <p>(published: August 16, 2022)</p> <p>The SocGholish (FakeUpdates) JavaScript malware framework has been active since at least 2017. Sucuri researchers detected SocGholish on over 25,000 sites since January 2022 and 61,000 sites in 2021. The goal of SocGholish is to prompt users to download and execute second stage remote access trojan (RAT) malware under the disguise of a browser update. The group profiles visitor user agents, typically targeting those on Windows machines coming from third party sites (search engines) for the first time. Many older SocGholish campaigns were targeting Android users as well. SocGholish changed its obfuscation routines over time and started introducing new domains on a weekly basis. The group typically relies on domain shadowing when a subdomain of a legitimate website is hosted on a different, attacker-controlled server.<br/> <b>Analyst Comment:</b> SocGholish website infections are a dominant threat. The infected users are being subjected to information stealing malware, and the corporate ones become a gateway for a ransomware infection. All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. Website owners should keep their website software up to date. Adhere to secure administration and password practices. Better protection can be achieved by a Web Application Firewall (WAF), a subresource integrity, and/or a third-party integrity monitoring service.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a><br/> <b>Tags:</b> SocGholish, NDSW/NDSX, FakeUpdates, Domain shadowing, RAT, Information stealer, EvilCorp, Cobalt Strike, Ransomware, Windows, Search engines traffic, PHP proxy, AWS, Android</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Disrupting SEABORGIUM’s Ongoing Phishing Operations</a></h3> <p>(published: August 15, 2022)</p> <p>Since 2017, Microsoft researchers have tracked campaigns launched by Russia-sponsored group Seaborgium (ColdRiver, Callisto Group). Prior to the February 2022 Russian invasion in Ukraine, Seaborgium attacked the Ukrainian government and other organizations in relation to the war effort. Still, the main target for the group are NATO countries, especially the US and the UK. Seaborgium uses documents stolen from previously-compromised organizations, intensive research and phishing for information to craft fake social profiles, impersonating email addresses and phishing pages ultimately asking for email credentials. Once successful, the group either exfiltrates emails and attachments once, or sets up a forwarding rule for continuous monitoring. Seaborgium often utilizes the EvilGinx phishing kit, and hides malicious phishing URLs behind URL shorteners, open redirects, or inside a PDF file in a cloud hosting such as OneDrive.<br/> <b>Analyst Comment:</b> Email remains one of the top means of communication, so it’s not a surprise that the main objective of Seaborgium campaigns is to phish for email credentials and exfiltrate the mailboxes. Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication, and frequent password changes can help protect trade secrets and other forms of sensitive data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a><br/> <b>Tags:</b> COLDRIVER, SEABORGIUM, Callisto Group, Government, Military, United Kingdom, target-country:UK, USA, target-country:US, Russia, source-country:RU, Ukraine, target-country:UA, APT, Spearphishing, Social engineering, Open redirect, EvilGinx</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Shuckworm: Russia-Linked Group Maintains Ukraine Focus</a></h3> <p>(published: August 15, 2022)</p> <p>Since 2014, Russia-sponsored group Gamaredon (Primitive Bear, Shuckworm) has been targeting Ukraine. Symantec researchers discovered additional infrastructure and on-host indicators for their latest ongoing campaign (July 15 – August 8, 2022). Gamaredon was detected using legitimate remote desktop protocol (RDP) tools Ammyy Admin and AnyDesk, in addition to well-documented custom Gamaredon’s malware: Backdoor.Pterodo and the Giddome backdoor. Additionally during a Gamaredon intrusion investigation an execution of three very similar versions of the same PowerShell stealer were detected, possibly as an attempt to evade detection.<br/> <b>Analyst Comment:</b> Gamaredon is not the most sophisticated cyberespionage group, but it compensates for this with its focus and persistence in constant spearphishing attacks. All targeted organizations should be educated on how to prevent phishing attacks. Email attachments should be treated as untrusted. Detection and prevention measures should be taken to ensure that users do not fall victim to phishing. Sophisticated, targeted attacks should be reported to the respective investigative government authorities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a><br/> <b>Tags:</b> Shuckworm, Gamaredon, Armageddon, Primitive Bear, FSB, Federal Security Service, APT, Pterodo, Giddome, PowerShell stealer, Ammyy Admin, AnyDesk, Russia, source-country:RU, Ukraine, target-country:UA, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users</a></h3> <p>(published: August 12, 2022)</p> <p>In 2020, Emissary Panda (APT27, Bronze Union, Iron Tiger, Luckymouse) compromised a business messaging application widely used in Mongolia in a supply chain attack operation. In May 2022, they repeated the supply chain attack by compromising Mimi, a cross-platform Chinese-speaking Electron app. This latest campaign continued targeting of Windows desktops with the HyperBro backdoor, while also expanding to target MacOS and Linux systems with a malware dubbed rshell. Trend Micro researchers identified that this campaign targeted Taiwan and the Philippines.<br/> <b>Analyst Comment:</b> This campaign was simultaneously discovered by Sekoia researchers who created the applicable Yara and Suricata rules. Organizations should prepare for potential supply-chain compromise. Review partner relationships to remove unrecognized ones and minimize any unnecessary permissions between your organization and upstream providers. Have systems in place to detect anomalous behavior following an update or new installation.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a><br/> <b>Tags:</b> LuckyMouse, Bronze Union, APT27, Emissary Panda, Luckymouse, Iron Tiger, HyperBro, rshell, China, source-country:CN, Taiwan, target-country:TW, Philippines, target-country:PH, Windows, MacOS, Linux</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:</p> <p><a href="" target="_blank">KillNet</a><br/> KillNet, a Russia-affiliated hacktivist group specialized in distributed denial of service (DDoS) attacks, originally created on the basis of a Russian-speaking DDoS-for-hire group with the same name. On February 26, 2022, KillNet formed an Anonymous-like collective to wage war on Anonymous (a loosely affiliated group of volunteer hacktivists), Ukraine, and countries that support Ukraine in a way hostile to Russia. The group united with other threat groups (XakNet Team), DDoS actors and services such as Stresser[.]tech, and its most popular media on Telegram messenger had over 80,000 users/subscribers. Anomali observed over 30,000 US Dollars in Bitcoin moved to KillNet during February-July, 2022, both for its DDoS-for-hire and politically-motivated DDoS activities.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.