December 29, 2021
Anomali Threat Research

Anomali Cyber Watch: Equation Group's Post-Exploitation Framework, Decentralized Finance (DeFi) Protocol Exploited, Third Log4j Vulnerability, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Apache Log4j 2, APT, Malspam, Ngrok relay, Phishing, Sandbox evasion, Scam,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">A Deep Dive into DoubleFeature, Equation Group’s Post-Exploitation Dashboard</a></h3> <p>(published: December 27, 2021)</p> <p>Check Point researchers have published their findings on the Equation Group’s post-exploitation framework DanderSpritz — a major part of the “Lost in Translation” leak — with a focus on its DoubleFeature logging tool. DoubleFeature (similar to other Equation Group tools) employs several techniques to make forensic analysis difficult: function names are not passed explicitly, but instead a checksum of it; strings used in DoubleFeature are decrypted on-demand per function and they are re-encrypted once function execution completes. DoubleFeature also supports additional obfuscation methods, such as a simple substitution cipher and a stream cipher. In its information gathering DoubleFeature can monitor multiple additional plugins including: KillSuit (also known as KiSu and GrayFish) plugin that is running other plugins, providing a framework for persistence and evasion, MistyVeal (MV) implant verifying that the targeted system is indeed an authentic victim, StraitBizarre (SBZ) cross-platform implant, and UnitedRake remote access tool (UR, EquationDrug).<br/> <b>Analyst Comment:</b> It is important to study Equation Group’s frameworks because some of the leaked exploits were seen exploited by other threat actors. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="">[MITRE ATT&amp;CK] Rootkit - T1014</a> | <a href="">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a><br/> <b>Tags:</b> Equation Group, DanderSpritz, DoubleFeature, Shadow Brokers, EquationDrug, UnitedRake, DiveBar, KillSuit, GrayFish, StraitBizarre, MistyVeal, PeddleCheap, DiceDealer, FlewAvenue, DuneMessiah, CritterFrenzy, Elby loader, BroughtHotShot, USA, Russia, APT</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Dridex Affiliate Dresses Up as Scrooge</a></h3> <p>(published: December 23, 2021)</p> <p>Days before Christmas, an unidentified Dridex affiliate is using malspam emails with extremely emotion-provoking lures. One malicious email purports that 80% of the company’s employees have tested positive for Omicron, a variant of COVID-19, another email claims that the recipient was just terminated from his or her job. The attached malicious Microsoft Excel documents have two anti-sandbox features: they are password protected, and the macro doesn’t run until a user interacts with a pop-up dialog. If the user makes the macro run, it will drop an .rtf file into %programdata% and executes via mshta.exe, which is used to download the actual payload, hosted on a Discord server. The malware is called “Dridex,” which is a multi-purpose loader that can drop additional payloads, including ransomware.<br/> <b>Analyst Comment:</b> Education on frequently-used delivery methods such as malspam and phishing emails can help prevent infection. Users should stay particularly vigilant when opening emails, especially if those sound urgent and require immediate attention. If something looks suspicious, it is best to contact your IT or HR department to ask for more information and confirm whether the email is legitimate. In addition, maintain efficient log management policies to identify potentially abnormal network activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="">[MITRE ATT&amp;CK] Signed Binary Proxy Execution - T1218</a> | <a href="">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> Dridex, Phishing, Maldoc, COVID-19, Mshta, Macro, Discord, Anti-sandbox</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Elastic Security Uncovers BLISTER Malware Campaign</a></h3> <p>(published: December 23, 2021)</p> <p>Elastic researchers have discovered a malicious campaign that relies on a valid code-signing certificate issued for a company with an email address from the Russian provider, Mail Ru. They called the new malware “Blister” as a reference to “Blist LLC” in the certificate properties. Blister payload acts as a loader for other malware and appears to be a new threat with a low detection rate. It was used to execute second-stage malware payloads in-memory and maintain persistence. Blister’s bootstrapping code is heavily obfuscated and initially sleeps for 10 minutes to evade sandbox analysis. CobaltStrike and BitRat were observed as Blister’s payloads. These campaigns rely on infecting legitimate libraries to fool machine learning models. The threat actor behind Blister has been running campaigns since at least September 15, 2021.<br/> <b>Analyst Comment:</b> Blister intrusion set could be identified by hunting for renamed instances of rundll32.exe and by hunting for potential rogue instances of WerFault.exe (Windows Errors Reporting) with a single argument in process.command_line (while legit WerFault.exe will have more than one).<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Signed Binary Proxy Execution - T1218</a> | <a href="">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="">[MITRE ATT&amp;CK] Masquerading - T1036</a><br/> <b>Tags:</b> Blister, Blist LLC, Certificate abuse, Code signing, Fileless, Cobalt Strike, BitRAT, Anti-sandbox, Russia</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Third Log4J Bug Can Trigger DoS; Apache Issues Patch</a></h3> <p>(published: December 20, 2021)</p> <p>On Friday, December 17, 2021, Apache released a third patch for the ubiquitous log4j logging library, this time for a denial-of-service (DoS) vulnerability. The latest vulnerability affects the same component as the Log4Shell remote-code execution (RCE) vulnerability (CVE-2021-44228). The new vulnerability, tracked as CVE-2021-45105, is Context Map lookups instead of the Java Naming and Directory Interface (JNDI) lookups to an LDAP server. Previous (second) vulnerability was the RCE flaw CVE-2021-45046, which, in turn, stemmed from Apache’s incomplete fix for Log4Shell. Microsoft reported that nation-state groups from China, Iran, North Korea, and Turkey, are actively exploiting Log4Shell in targeted attacks. Non-government actors like the Conti ransomware gang are also actively exploiting Log4j 2 after Log4Shell was publicly disclosed on December 9, 2021.<br/> <b>Analyst Comment:</b> The discussed vulnerabilities were fixed in the log4j version 2.17. Enumerate and test all solution stacks in your organization accepting data input from the internet. Log4j is used all throughout the Internet and affects multiple deeply-embedded applications and systems. See Observed Threats below for additional information on Log4j 2 vulnerabilities and exploitation.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="">[MITRE ATT&amp;CK] Endpoint Denial of Service - T1499</a> | <a href="">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a> | <a href="">[MITRE ATT&amp;CK] Data from Local System - T1005</a><br/> <b>Tags:</b> CVE-2021-45105, CVE-2021-45046, CVE-2021-44228, Log4j2, Log4Shell, DoS, Conti, Charming Kitten, Phosphorus, Hafnium, Cobalt Strike, USA, Europe, China, North Korea, Turkey, Iran</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">FBI: State Hackers Exploiting New Zoho Zero-Day Since October</a></h3> <p>(published: December 20, 2021)</p> <p>The U.S. Federal Bureau of Investigation (FBI) is warning of an ongoing exploitation of Zoho's ManageEngine Desktop Central servers by advanced persistent threat (APT) groups. The vulnerability has been under active exploitation as a zero-day since at least October, 2021. It was registered as CVE-2021-44515 and patched by Zoho on December 3, 2021. CVE-2021-44515 is a critical authentication bypass vulnerability attackers could exploit to execute arbitrary code on vulnerable servers. APT actors have been observed compromising the servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.<br/> <b>Analyst Comment:</b> Zoho asks customers to update their installations to the latest build as soon as possible. Compromised servers require formatting and password resets for all connected accounts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="">[MITRE ATT&amp;CK] Create or Modify System Process - T1543</a><br/> <b>Tags:</b> Zoho, CVE-2021-44515, APT, Side-loading, ShadowPad, Mscoree, Webshell, BITSAdmin, Mimikatz, Pwdump, ManageEngine Desktop Central, RAT</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Meta Sues People Behind Facebook and Instagram Phishing</a></h3> <p>(published: December 20, 2021)</p> <p>Meta (formerly Facebook) has filed a federal lawsuit to disrupt phishing attacks targeting Facebook, Messenger, Instagram, and WhatsApp users with the help of Ngrok, a relay service. The attackers used over 39,000 phishing pages mimicking the four platforms' login pages. Ngrok prevented defenders from detecting and blocking their infrastructure by redirecting internet traffic to phishing sites, thus concealing both the identities of their online hosting providers and the phishing locations. Some Ngrok-generated phishing URLs were generic (such as hxxps://d32831ea3827[.]ngrok[.]io/login.html) other were customized for a fee to display Meta’s trademarks (such as hxxp://facebook[.]in[.]ngrok[.]io/). The Ngrok server software is self-hosted on a VPS or a dedicated server, it allows the attacker to create a long-lived TCP tunnel to the localhost with the ability to bypass NAT mapping and Firewall restriction.<br/> <b>Analyst Comment:</b> Refrain from opening untrusted links and email attachments without verifying their authenticity, pay attention to the full domain address of the login page before entering your credentials.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="">[MITRE ATT&amp;CK] Protocol Tunneling - T1572</a><br/> <b>Tags:</b> Ngrok, Meta, Phishing, Tunneling, Relay service, Facebook, Messenger, Instagram, WhatsApp</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Fantom DeFi Project Grim Finance Exploited for $30M</a></h3> <p>(published: December 20, 2021)</p> <p>A vulnerability in the decentralized finance (DeFi) protocol has been exploited by threat actors to steal approximately $30 million USD worth of Fantom blockchain tokens from the Grim Finance platform. The vulnerability was exploited via reentrancy, which allowed users to increase their shares in Grim’s vaults and withdraw more than they had deposited. The looping was enabled by the “depositFor” function, which allows users to input arbitrary addresses and have them called within the depositFor function. DeFi auditing firm Solidity Finance says they missed this vulnerability during their audit four month ago because they had a new analyst and CTO’s vacation. Grim Finance has contacted Circle, DAI, and AnySwap decentralized exchanges (DEX) regarding the attacker address, but the stolen funds are being routed to other Fantom-based exchanges such as AnySwap and SpookySwap, where the stolen tokens were exchanged for other tokens, such as USD coin.<br/> <b>Analyst Comment:</b> Adhere to secure coding practices, make sure that you addressed known issues such as reentrancy guard for before-after pattern. Having an external code auditor helps, but does not guarantee full security, especially if the auditor is a growing company in a relatively new field.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Data Manipulation - T1565</a> | <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> DeFi, Smart contracts, Cryptocurrency, Fraud, Grim Finance, Solidity, Before-after pattern, Reentrancy guard</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Police National Computer not Pwned by Clop Ransomware Crims, Insists Home Office</a></h3> <p>(published: December 20, 2021)</p> <p>The Clop ransomware group has published confidential data held by UK police on the Clop’s dark web domain. They leaked close-up images of speeding drivers taken from the UK's National Automatic Number Plate Recognition (ANPR) system. Clop gained unauthorized access via supply chain compromise after a successful phishing attack on IT services provider, Dacoll in October 2021. Dacoll also managed the whole Police National Computer (PNC) which is a British police's population database, and some researchers raised fear that the scope of the compromise can be larger. After the media drew attention to the breach on December 19, 2021, Clop removed the post from their website, possibly to avoid extra attention from law enforcement.<br/> <b>Analyst Comment:</b> Threat actors are willing to go to great lengths to abuse trust relationships in supply-chain attacks. Make sure your Managed Service Provider (MSP) follows security standards and has anti-phishing training and protections in place. It’s important to keep a watchful eye on suspicious domain registration activity related to your brand and companies from your supply chain. Anomali Targeted Threat Monitoring service can help you detect and block such suspicious domain registrations.<br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a><br/> <b>Tags:</b> Clop, Ransomware, Police, UK, Data leak, Supply-chain compromise</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Fresh Phish: Phishers Impersonate Pfizer in Request for Quotation Scam</a></h3> <p>(published: December 20, 2021)</p> <p>Between August 15 and December 13, 2021, threat actors were conducting a phishing campaign impersonating Pfizer, a well-known pharmaceutical company that produces one of the mRNA vaccines against COVID-19. The actors behind this campaign typosquatted a few Pfizer domains using Namecheap, which accepts cryptocurrency as a payment method, allowing the actors to remain anonymous. The attachments do not contain malware, as this phishing scam relies on social engineering. Hiding behind urgency and Pfizer’s brand, attackers use the request for quotation to entice rapid responses with two goals: receive victim’s banking and other sensitive information to commit financial fraud, and/or receive the merchandise and resell it on a black market without actually paying for it. The identities behind this campaign are largely unknown, but WHOIS data for one domain suggested that at least one threat actor was possibly based in Lagos, Nigeria.<br/> <b>Analyst Comment:</b> Teach your staff on detecting phishing attempts. These actors abuse a common phishing theme of alleged urgency. It should raise a suspicion when a Reply-To field of the original email doesn’t match the company’s domain. These Pfizer impersonators were using free AOL accounts as their Reply-To. Moreover, sometimes they used free Gmail, Outlook, and Ziggo accounts as their From email address.<br/> <b>Tags:</b> Phishing, Scam, Request for quotation scam, Healthcare, EU, Netherlands, Nigeria, Manufacturing, COVID-19, Pfizer, Impersonation</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the Log4j 2 vulnerabilities discussed in this week's Anomali Cyber Watch can be found below:</p> <ul> <li>Threat Bulletin: <a href="" target="_blank">Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users</a></li> <li>Dashboard: <a href="" target="_blank">Log4Shell (CVE-2021-44228) and (CVE-2021-45046, CVE-2021-4104, CVE-2021-45105)</a></li> <li>Vulnerability: <a href="" target="_blank">CVE-2021-44228 (Log4Shell)</a></li> </ul>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.