The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Critical infrastructure, Crypto mining, Delayed execution, Phishing, Ransomware, Reverse proxy, Russia, and Steganography. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: September 5, 2022)
Resecurity researchers analyzed EvilProxy, a phishing kit that uses reverse proxy and cookie injection methods to bypass two-factor authentication (2FA). EvilProxy uses extensive virtual machine checks and browser fingerprinting. If the victim passes the checks, EvilProxy acts as a proxy between the victim and the legitimate site that asks for credentials. EvilProxy is being sold as a service on the dark web. Since early May 2022, EvilProxy has enabled phishing attacks against customer accounts of major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex, and others.
Analyst Comment: EvilProxy is a dangerous automation tool that enables more phishing attacks. Additionally, EvilProxy targeting GitHub and npmjs accounts increases risks of follow-up supply-chain attacks. Anomali platform has historic EvilProxy network indicators that can help when investigating incidents affecting 2FA. With 2FA bypass, users need to be aware of phishing risks and pay even more attention to domains that ask for their credentials and 2FA codes.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Supply Chain Compromise - T1195
Tags: EvilProxy, Phishing, Phishing-as-a-service, Reverse proxy, Cookie injection, 2FA, MFA, Supply chain
(published: September 1, 2022)
Cybereason researchers investigated the Ragnar Locker ransomware that was involved in a cyberattack on DESFA, a Greek pipeline company. On August 19, 2022, the Ragnar Locker group listed DESFA on its data leak site. The group has been active since 2019, and it is not the first time it has targeted critical infrastructure companies with the double-extortion scheme. Their Ragnar Locker ransomware shows the typical abilities of modern ransomware, including system information and location collection, deleting shadow copies, identifying processes (antiviruses, backup solutions, IT remote management solutions, and virtualization software), and encrypting the system with the exception list in mind.
Analyst Comment: Ragnar Locker appears to be an aggressive ransomware group that is not shy about attacking critical infrastructure as long as the targets are not in the Commonwealth of Independent States (Russia and associated countries). Always be on high alert while reading emails, in particular those with attachments, URL redirection, a false sense of urgency, or poor grammar. Use anti-spam and antivirus protection, and avoid opening emails from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: Ragnar Locker, Ransomware, Energy, Greece, target-country:GR, Critical infrastructure, RC4, RSA, Salsa, CIS countries
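The Ragnar Locker write-up above lists shadow copy deletion and the stopping of backup, antivirus and database software as pre-encryption behaviour. The following Python script is an added example (not code from the Cybereason report or from Anomali) showing how a defender can turn those two ATT&CK techniques from the story, T1490 and T1489, into command-line detections over process-creation telemetry and escalate only when more than one technique fires on the same host. The event records, host names, parent paths and service names are constructed for the example; the log field layout is an assumption, not a specific product's schema.

```python
import re
from collections import defaultdict

# Constructed sample of Windows process-creation events (Sysmon Event ID 1 style),
# not real telemetry. Fields: host, parent image, command line.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Backup\agent.exe" --sync'},
    {"host": "ws07", "parent": r"C:\Users\Public\update.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws07", "parent": r"C:\Users\Public\update.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "ws07", "parent": r"C:\Users\Public\update.exe",
     "cmdline": "net.exe stop VeeamBackupSvc /y"},
    {"host": "ws07", "parent": r"C:\Users\Public\update.exe",
     "cmdline": "taskkill.exe /IM sqlservr.exe /F"},
    # Benign administrative listing of shadow copies: must NOT fire.
    {"host": "ws03", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

# Each rule: ATT&CK technique id (as listed in the digest), description,
# compiled case-insensitive regex applied to the command line.
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copy deletion",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1489", "Service Stop: backup/database service stopped",
     re.compile(r"\bnet(\.exe)?\s+stop\s+\S*(backup|veeam|sql)\S*", re.I)),
    ("T1489", "Service Stop: forced kill of backup/database process",
     re.compile(r"\btaskkill(\.exe)?\s+.*?/IM\s+\S*(sql|backup|veeam)\S*", re.I)),
]


def match_events(events):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for tid, desc, rx in RULES:
            if rx.search(ev["cmdline"]):
                alerts.append({"host": ev["host"], "technique": tid, "desc": desc,
                               "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return alerts


def correlate(alerts, min_techniques=2):
    """Escalate hosts where at least min_techniques distinct techniques fired.
    A lone shadow-copy command can be admin activity; deletion plus service
    stops from the same host is the ransomware precursor pattern worth paging on."""
    techniques_by_host = defaultdict(set)
    for a in alerts:
        techniques_by_host[a["host"]].add(a["technique"])
    return sorted(h for h, t in techniques_by_host.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    found = match_events(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['technique']}] {a['host']}: {a['desc']} <- {a['parent']} :: {a['cmdline']}")
    print("Escalate hosts:", correlate(found))
```

Running the script flags the four commands on ws07 and escalates that host only; the benign `vssadmin list shadows` on ws03 produces nothing. In production the parent image (an unsigned executable under a user-writable path here) is the field to add to the escalation logic next.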
Montenegro Officials Point Fingers at Russia for Massive Cyberattack as FBI Sends Team to Help Investigate
(published: August 31, 2022)
On August 26-27, Montenegro started experiencing major interruptions caused by a cyber attack targeting online government services, transportation services, water supply systems, and others. Montenegro's Agency for National Security did not disclose the exact nature of this attack, which it attributed to Russia. Later, the Cuba ransomware group claimed responsibility for at least part of the attack, infecting a parliamentary office. Overall, according to the Directorate for Information Security, these cyberattacks on Montenegro affected "150 cells" in a dozen state institutions. These infected stations have been removed from the network for forensics and cleanup.
Analyst Comment: Ransomware groups and DDoS hacktivists loosely associated with the Russian government do not shy away from attacking government institutions. Geopolitical tensions, such as involvement in supporting Ukraine, increase the chances of such attacks. Organizations involved in critical infrastructure and providing important services should have a business continuity plan that includes cyberattack scenarios.
Tags: Geopolitics, Montenegro, target-country:ME, Russia, source-country:RU, Cuba ransomware, Denial of service, Critical infrastructure, Financial, Government, Transportation, Water supply, Tax service
(published: August 31, 2022)
Researcher John Hammond detected a social engineering attack targeting YouTube content creators (video bloggers) with fake warnings of copyright strikes. The warning comes as a Google Drive email notice leading the target to the attached PDF document that mentions an actual video from the targeted YouTube channel. If the victim is tricked into clicking to download the alleged report and his/her browser fingerprint is not blocked by the attacker, an archived malicious executable masquerading as a Word document is delivered. Executing it leads to a RedLine Stealer infection.
Analyst Comment: Attackers often abuse legitimate cloud and notification services that allow them to deliver phishing email and phishing attachments using official email addresses and legitimate cloud domains. Anti-phishing training should help users recognize inconsistencies, spoofed accounts, and exploitation of fear and sense of urgency.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Credentials from Password Stores - T1555
Tags: RedLine Stealer, YouTube, Google Drive, Scam, Social engineering
(published: August 30, 2022)
Cisco Talos detected three related campaigns between March and June 2022 featuring a complex infection chain with the ModernLoader remote access trojan at its center. Victims in Eastern Europe were targeted by what appears to be a financially-motivated Russian-speaking attacker trying to deploy info-stealing and crypto-mining memory-only modules. The attacker used a wide variety of scripts and commodity and open-source malware. Some notable techniques included reliance on hidden registry key creation and patching of Microsoft's Antimalware Scan Interface (AMSI) AmsiScanBuffer function to prevent antimalware engines from scanning executed PowerShell code.
Analyst Comment: Despite heavily using other people's source code, the actor behind these ModernLoader campaigns has the potential to grow into a bigger threat once the experimenting phase ends. Users should be trained to recognize phishing attempts, masquerading files, and other social engineering techniques. Anomali Platform was updated with the relevant indicators of compromise (IoCs).
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Masquerading - T1036
Tags: ModernLoader, Avatar bot, Botnet, SystemBC, XMRig, Cryptocurrency, Crypto mining, RedLine, RedLine stealer, DcRAT, PowerShell, .NET, HTA, VBS, HTML Guardian, Windows, target-region:Eastern Europe, Bulgarian, Polish, Hungarian, Russian, Amazon
Check Point Research Detects Crypto Miner Malware Disguised as Google Translate Desktop and Other Legitimate Applications
(published: August 29, 2022)
Check Point researchers detected a Türkiye-based crypto-miner malware campaign, dubbed Nitrokod, which was able to remain undetected since 2019. To spread the malware, Nitrokod was creating functional but unofficial apps such as Google Translate Desktop, YouTube Music Desktop, and other trojanized applications that were simply using Chromium Embedded Framework (CEF) to render the corresponding official web page as app content. Its evasion techniques included a long infection chain with payload delivery delayed until at least four restarts on four different days, checks for a predefined user-agent, virtual machine and antivirus software artifacts, and removing early-stage malware artifacts before reaching the final stage. As a result, the final-stage crypto-mining malware is first executed almost a month after the Nitrokod program was installed.
Analyst Comment: It seems that Nitrokod successfully used extensive time-based evasion, fingerprinting, indicator removal on host and similar techniques to remain undetected for years. Anomali Match retrospective search capabilities can enable you to detect past occurrences of known malware droppers even if they were already removed by the attackers.
MITRE ATT&CK: [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: Time-based evasion, Turkey, source-country:TR, XMRig, Nitrokod, Crypto mining, Google Translate, Youtube, Yandex, Chromium Embedded Framework, detection:Win.Nitrokod, Windows
New Golang Attack Campaign GO#WEBBFUSCATOR Leverages Office Macros and James Webb Images to Infect Systems
(published: August 29, 2022)
Securonix researchers detected a phishing campaign delivering a new Go-based malware dubbed Go#WebbFuscator. The infection starts with an attached maldoc that downloads a malicious template containing a Visual Basic script. Go#WebbFuscator, the final payload, is delivered as malicious Base64 code disguised as a certificate included in a weaponized JPG file. Go#WebbFuscator C2 communication is Base64-encoded and sent using DNS TXT requests to the attacker-controlled name server.
Analyst Comment: Network defenders should monitor for the following alerts: rare process spawned from Office applications, large number of TXT DNS requests over a short period of time, and potential suspicious file download with Certutil process analytic.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: Go#WebbFuscator, Go, detection:Go_WEBB_Implant, Phishing, VBS, Steganography, ROT25, Gobfuscation, Windows
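The Analyst Comment above recommends alerting on a large number of DNS TXT requests over a short period, and the story notes that the C2 traffic is Base64-encoded. The following Python script is an added example (not code from the Securonix report or from Anomali) showing one way to implement that alert over resolver logs: it keeps a sliding 60-second window of TXT queries per client and registered domain, fires when the count reaches a threshold, and additionally counts subdomain labels that are long, Base64-alphabet-only and high-entropy, which is how encoded data tends to look when carried in query names. The log line format, the client addresses, the attacker domain `beacon-c2.test` and the beacon labels are all constructed for the example; the "last two labels" registered-domain approximation is a deliberate simplification noted in the code.

```python
import base64
import math
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real logs) -------------------------------
# Assumed resolver log format: "<ISO-8601 time> <client_ip> <qtype> <qname>".
# 10.0.0.5 plays the infected host: 12 TXT queries within ~25 s, each carrying a
# Base64-looking label under the constructed attacker domain beacon-c2.test.
# 10.0.0.9 plays a mail server doing ordinary SPF/DMARC/DKIM TXT lookups.
def _beacon_label(i: int) -> str:
    return base64.urlsafe_b64encode(f"ws07|beacon|{i:03d}".encode()).decode().rstrip("=")

SAMPLE_LOG = ["2022-08-29T10:00:00 10.0.0.9 TXT example.org",
              "2022-08-29T10:00:05 10.0.0.9 TXT _dmarc.example.org",
              "2022-08-29T10:00:07 10.0.0.5 A www.example.org"]
SAMPLE_LOG += [f"2022-08-29T10:01:{2 * i:02d} 10.0.0.5 TXT {_beacon_label(i)}.beacon-c2.test"
               for i in range(12)]
SAMPLE_LOG.append("2022-08-29T10:05:00 10.0.0.9 TXT default._domainkey.example.org")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Standard and URL-safe Base64 alphabets, padding allowed, at least 16 characters.
B64_LABEL_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def parse(lines):
    """Yield (time, client, qtype, qname) tuples; skip lines that do not fit the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield datetime.fromisoformat(ts), client, qtype.upper(), qname


def shannon_entropy(s: str) -> float:
    """Bits per character; random Base64 text scores well above plain words."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation; a real deployment should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def looks_encoded(qname: str, min_entropy: float = 3.0) -> bool:
    """True if any label below the registered domain is long, Base64-alphabet-only and high-entropy."""
    labels = qname.rstrip(".").split(".")[:-2]
    return any(B64_LABEL_RE.match(lbl) and shannon_entropy(lbl) >= min_entropy for lbl in labels)


def detect_txt_bursts(lines, window=timedelta(seconds=60), threshold=8):
    """Flag (client, domain) pairs with >= threshold TXT queries inside a sliding window.
    Returns {(client, domain): {"count": peak queries in window, "encoded_labels": n}}."""
    recent = defaultdict(deque)   # timestamps of TXT queries still inside the window
    encoded = defaultdict(int)    # running count of Base64-looking labels per pair
    alerts = {}
    for ts, client, qtype, qname in sorted(parse(lines)):
        if qtype != "TXT":
            continue
        key = (client, registered_domain(qname))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if looks_encoded(qname):
            encoded[key] += 1
        if len(q) >= threshold:
            peak = max(len(q), alerts.get(key, {}).get("count", 0))
            alerts[key] = {"count": peak, "encoded_labels": encoded[key]}
    return alerts


if __name__ == "__main__":
    for (client, domain), info in detect_txt_bursts(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {domain}: {info['count']} TXT queries within 60s, "
              f"{info['encoded_labels']} Base64-looking labels")
```

Against the constructed log the script alerts once, for 10.0.0.5 querying beacon-c2.test, and reports that all twelve queries carried encoded-looking labels; the mail server's three legitimate TXT lookups stay below the threshold and have short, low-entropy labels. The threshold and window are the tuning knobs: mail-heavy hosts legitimately perform many TXT lookups, but spread across many domains rather than concentrated on one.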