October 18, 2021
Anomali Threat Research

Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Cobalt Strike, Metasploit, Phishing, Ransomware,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-10192021.png" /><br /> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/harvester-new-apt-attacks-asia" target="_blank">Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia</a></h3> <p>(published: October 18, 2021)</p> <p>A new threat group dubbed ‘Harvester’ has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and Telecom companies, combined with the information stealing campaign, there is a high likelihood that this group is Nation-State backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it doesn’t exist, a redirect is performed for a VBS file to download and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration.<br /> <b>Analyst Comment:</b> Nation-state threat actors are continually evolving their tactics, techniques and tools to adapt and infiltrate victim governments and/or companies. Ensure that employees have a training policy that reflects education on only downloading programs or documents from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicous activity may be occurring.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&CK] Process Discovery - T1057</a><br /> <b>Tags:</b> Backdoor.Graphon, Cobalt Strike Beacon, Metasploit</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://unit42.paloaltonetworks.com/exploits-interactsh/" target="_blank">Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes</a></h3> <p>(published: October 14, 2021)</p> <p>Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers - but also by attackers - to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof-of-concept (PoC) for an exploit can insert "Interactsh" to check whether the exploit is working, but the service could also be used to check if the PoC is working. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021.<br /> <b>Analyst Comment:</b> As the landscape changes, researchers and attackers will often use the same tools in order to reach a goal. In this instance, Interact.sh can be used to show if an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, with this being the latest example. If necessary, take precautions and block traffic with interact.sh attached to it within company networks.<br /> <b>Tags:</b> Interactsh, Exploits</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-targeted-ransomware" target="_blank">New Yanluowang Ransomware Used in Targeted Attacks</a></h3> <p>(published: October 14, 2021)</p> <p>The Threat Hunter team at Symantec has discovered a new ransomware family called “Yanluowang” that is being used in targeted attacks, according to the Symantec Threat Hunter Team. In a recent attempted ransomware attack against a large organization, a number of malicious files were obtained that revealed the threat to be a new, if somewhat underdeveloped, ransomware family. It uses AdFind, a legitimate Active Directory tool, to map machines for lateral movement. Systems and processes are recorded, whereupon Yanluowang is deployed and begins its infection. A noteable item is that Veeam backup services are specifically targeted.<br /> <b>Analyst Comment:</b> Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.<br /> <b>Tags:</b> Yanluowang, Ransomware</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/" target="_blank">MysterySnail Attacks With Windows Zero-Day</a></h3> <p>(published: October 12, 2021)</p> <p>Kaspersky researchers have discovered a zero-day vulnerability in the Win32k kernel driver that is being exploited by the Advanced Persistent Threat (APT) group “IronHusky.” The vulnerability, registered as “CVE-2021-40449,” has been patched by Microsoft on October 12, 2021, as part of the October Patch Tuesday. The vulnerability is written to support the following Windows products: Windows Vista, Windows 7, Windows 8.1, Windows Server 2008, Server 2008 R2, Microsoft Windows Server 2012, and Server 2012 R2 R2. IronHusky is believed to be a Chinese-speaking APT group that has been active since at least 2012, according to the researchers. The exploit uses a technique to leak the base addresses of kernel modules to exploit the vulnerability.<br /> <b>Analyst Comment:</b> Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Threat actors are often observed to use vulnerabilities even after they have been patched by the affected company. Therefore, it is crucial that policies are in place to ensure that all employees install patches as soon as they are made available.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a><br /> <b>Tags:</b> MysterySnail, CVE-2021-40449, APT, IronHusky, Windows 7, Server 2008, China</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.bleepingcomputer.com/review/security/phishing-campaign-uses-math-symbols-to-evade-detection/" target="_blank">Phishing Campaign Uses Math Symbols to Evade Detection</a></h3> <p>(published: October 12, 2021)</p> <p>Phishing actors are now using mathematical symbols on impersonated company logos to evade detection from anti-phishing systems. One notable case spotted by analysts at INKY involves the spoofing of Verizon, a large U.S.-based telecommunication service provider. In this case, the actors are using a square root symbol, a logical NOR operator, or the checkmark symbol itself, all helping to create a slight optical differentiation that could trick AI-based spam detectors.<br /> <b>Analyst Comment:</b> Messages that attempt to redirect a user to link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense. Inform your employees on the dangers of phishing, specifically, how they can take place in different forms of online communications, and whom to contact if a phishing attempt is identified.<br /> <b>Tags:</b> Phishing, Verizon, Office 365</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://blog.talosintelligence.com/2021/10/vuln-spotlight-excel-code-execution.html#more" target="_blank">Vulnerability Spotlight: Use-After-Free Fulnerability in Microsoft Excel Could Lead to Code Execution</a></h3> <p>(published: October 12, 2021)</p> <p>Cisco Talos recently discovered a use-after-free vulnerability in the ConditionalFormatting functionality of Microsoft Office Excel 2019 that could allow an attacker to execute arbitrary code on the victim machine. Microsoft disclosed and patched this vulnerability in the popular spreadsheet creation and editing platform as part of its monthly security update. You can read more about Patch Tuesday here. TALOS-2021-1259 (CVE-2021-40474) could be exploited by an attacker if they tricked the target into opening a specially crafted Excel file. Proper heap grooming on the attacker’s part could give them full control of this use-after-free vulnerability and, as a result, could allow it to be turned into arbitrary code execution.<br /> <b>Analyst Comment:</b> Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.<br /> <b>Tags:</b> CVE-2021-40474, Microsoft Excel</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.bleepingcomputer.com/news/security/photo-editor-android-app-still-sitting-on-google-play-store-is-malware/" target="_blank">Known Android Malware is Still Available on Google Play Store</a></h3> <p>(published: October 12, 2021)</p> <p>**Edit: App has now been removed. An Android application called "Blender Photo Editor-Easy Photo Background Editor" has been discovered to contain malicious code that steals the user&#39;s Facebook credentials to potentially run ad campaigns on the user’s behalf, with their payment information. The application has been downloaded over 5,000 times to date, according to Kaspersky researchers. The malicious code is identical to similar malicious applications that were discovered by Maxime Ingrao, a security researcher at mobile payments cybersecurity firm Evina. The applications require Android users to sign in via their Facebook account to access the application, but then silently collect the credentials via encrypted JavaScript commands hidden within the app. The apps then make requests to the Facebook Graph API to peek into the Facebook account and look for any ad campaigns and stored payment information.<br /> <b>Analyst Comment:</b> Although Google Play is fairly diligent about removing or preventing malware from their platform, it’s important to always be mindful of the apps downloaded. Try to install from trusted developers and ensure that the software is always kept up to date. Check permissions carefully before installing and remove unused accounts and access on a regular basis.<br /> <b>Tags:</b> Blender Photo Editor-Easy Photo Background Editor, Android, Malware</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://www.zdnet.com/article/fontonlake-malware-strikes-linux-systems-in-targeted-attacks/#ftag=RSSbaffb68" target="_blank">FontOnLake Malware Strikes Linux Systems In Targeted Attacks</a></h3> <p>(published: October 11, 2021)</p> <p>A previously unknown malware variant has been discovered and dubbed FontOnLake, according to ESET Security. The malware has multiple parts but always consists of a rootkit, a backdoor, and legitimate binaries that have been trojanized. Attacks are currently targeting Southeast Asia and are not widespread as of yet. FontOnLake also utilizes non-standard ports with C2 communications.<br /> <b>Analyst Comment:</b> Ensure that proper account security is in place, along with update and patching schedules. As this malware uses several legitimate binaries in the infection chain, ensure that the system binaries used have not been recently compiled (unless done so by the user or colleagues) or is launched from an unknown location on the system. Trojanized programs require a new compile to integrate the malware into the legitimate source code.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/3905769" target="_blank">[MITRE ATT&CK] Native API - T1106</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947081" target="_blank">[MITRE ATT&CK] Logon Scripts - T1037</a> | <a href="https://ui.threatstream.com/ttp/3905064" target="_blank">[MITRE ATT&CK] Compromise Client Software Binary - T1554</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&CK] Hide Artifacts - T1564</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947092" target="_blank">[MITRE ATT&CK] Rootkit - T1014</a> | <a href="https://ui.threatstream.com/ttp/3905767" target="_blank">[MITRE ATT&CK] Modify Authentication Process - T1556</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&CK] Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/3905073" target="_blank">[MITRE ATT&CK] Dynamic Resolution - T1568</a> | <a href="https://ui.threatstream.com/ttp/947283" target="_blank">[MITRE ATT&CK] Fallback Channels - T1008</a> | <a href="https://ui.threatstream.com/ttp/947250" target="_blank">[MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095</a> | <a href="https://ui.threatstream.com/ttp/3904502" target="_blank">[MITRE ATT&CK] Non-Standard Port - T1571</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a><br /> <b>Tags:</b> FontOnLake, Rootkit, Backdoor, Linux, Asia</p> </div> <div class="trending-threat-article"> <h3 id="article-9"><a href="https://www.infosecurity-magazine.com/news/ransomware-intrusion-group-fin12/" target="_blank">Ransomware Intrusion Group FIN12 Ramps-Up in Europe</a></h3> <p>(published: October 11, 2021)</p> <p>A long-running threat group dubbed “FIN12” is increasing its operations in Europe and Asia Pacific (APAC), according to Mandiant researchers. The threat group, which has been active since 2018, has been known to target North American healthcare sector organizations. The group is known to use the “Ryuk” ransomware to target organizations with over $300 million in revenue, and has been observed to be targeting organizations located in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the UK. According to the researchers, FIN12 has increased its geographical focus in the first half of 2021, with twice as many victim organizations located outside of North America than in 2019 and 2020 combined.<br /> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a><br /> <b>Tags:</b> FIN12, Ransomware, Ryuk, Healthcare, EU, APAC, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-10"><a href="https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/" target="_blank">30 Mins or Less: Rapid Attacks Extort Orgs Without Ransomware</a></h3> <p>(published: October 11, 2021)</p> <p>A new threat group called “SnapMC” has been identified by the NCC Group’s threat intelligence team. The group has been observed breaching unpatched and vulnerable VPNs using the CVE-2019-18935 remote code execution bug in Telerik UI for ASPX.NET, and webserver apps using SQL injections. The actors behind SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate. If they fail to engage in negotiations within the timeframe, the actors threaten to publish the data and report the breach to customers and the media. As evidence the group has the data, SnapMC provides victims with a list of the exfiltrated data. The threat group has not been able to link the group to any known threat actors.<br /> <b>Analyst Comment:</b> As with other forms of cyber-attacks, it is crucial that organizations ensure that their systems are secure and protected. This includes patch management, enhanced security systems and practices, regular backups, and effective solutions to security problems. There still should be an avoidance to pay actors a ransom at all because it still does not ensure that they will not still release the information they accessed, or that they even have access to those files and are just using scare tactics to make an illicit profit.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3905082" target="_blank">[MITRE ATT&CK] Exfiltration Over Web Service - T1567</a><br /> <b>Tags:</b> SnapMC, CVE-2019-18935, VPN</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.