September 7, 2021
Anomali Threat Research

Anomali Cyber Watch: FIN7 Using Windows 11 To Spread JavaScript Backdoor, Babuk Source Code Leaked, Feds Warn Of Ransomware Attacks Ahead Of Labor Day, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Babuk, Cryptocurrency, Data breach, FIN7, Proxyware, Ransomware</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p>
<p><b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p>
<h2>Trending Cyber News and Threat Intelligence</h2>
<div class="trending-threat-article">
<h3 id="article-1"><a href="{page_5742}" target="_blank">Cybercrime Group FIN7 Using Windows 11 Alpha-Themed Docs to Drop JavaScript Backdoor</a></h3>
<p>(published: September 3, 2021)</p>
<p>Researchers from the Anomali Threat Research team have identified six Windows 11 themed malicious Word documents, likely being used by the threat actor FIN7 as part of phishing or spearphishing attacks. The documents, dating from late June/early July 2021, contain malicious macros that are used to drop a JavaScript backdoor, consistent with the TTPs of previous FIN7 campaigns. FIN7 is a prolific Eastern European cybercrime group believed to be responsible for stealing over 15 million card records in the US alone. Despite several high-profile arrests, activity like this illustrates that they remain more than capable of continuing to target victims.<br/> <b>Analyst Comment:</b> Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network; that way it will be easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests that macros be enabled.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Account Discovery - T1087</a><br/> <b>Tags:</b> FIN7, phishing, spearphishing, maldoc, Windows 11, carding POS, JavaScript, backdoor, CIS</p>
</div>
<div class="trending-threat-article">
<h3 id="article-2"><a href="" target="_blank">Feds Warn of Ransomware Attacks Ahead of Labor Day</a></h3>
<p>(published: September 1, 2021)</p>
<p>The FBI and CISA put out a joint cybersecurity advisory on Tuesday noting that ransomware actors often ambush organizations on holidays and weekends when offices are normally closed, making the upcoming three-day weekend a prime opportunity for threat activity. During holiday weekends, IT departments are often staffed by skeleton crews, limiting their ability to respond to and remediate incidents. Holidays can also present tempting lures for phishing attacks. While the agencies haven't discovered any specific targeting, they did list a number of attacks that occurred over holiday weekends during the last several months, including the Colonial Pipeline attack and several major REvil ransomware attacks.<br/> <b>Analyst Comment:</b> Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a><br/> <b>Tags:</b> LockBit, RansomEXX, Defray777, Conti, DarkSide, PYSA, Phobos, LockFile, Crysis/Dharma, REvil, Zeppelin, Government, Oil And Gas, Military, North America</p>
</div>
<div class="trending-threat-article">
<h3 id="article-3"><a href="" target="_blank">Cyberattackers Are Now Quietly Selling Off Their Victim's Internet Bandwidth</a></h3>
<p>(published: August 31, 2021)</p>
<p>Researchers from Cisco Talos have published a report highlighting the growing presence of 'proxyware' in the cybercrime ecosystem, where it is being used for criminal activity. Proxyware applications are legitimate services that allow users to portion out their internet connection to other devices, but also to firewalls and antivirus software; some apps allow users to host hotspot connections and receive payment when users connect. According to Talos, an attack chain begins with a legitimate software program bundled together with a Trojanized installer containing malicious code. When the software is installed, the malware is also executed. One campaign utilized a legitimate proxyware package patched to also drop separate malicious files containing an XMRig cryptocurrency miner and to redirect the victim to a landing page connected to legitimate proxyware referral codes. Once the victim signs up for an account, the referral earns revenue for the attacker, all the while a cryptocurrency miner is also stealing computer resources.<br/> <b>Analyst Comment:</b> Miners and proxyware cause high CPU usage; therefore, if the fans on a machine always seem to be running, the activity/task manager should be checked to see if miners or proxyware are running unknowingly. In addition, it is not uncommon for mining and proxyware to be distributed via malicious plugins/add-ons that impersonate legitimate software. Therefore, it is important that your employees are educated about such tactics and that policies regarding which software is allowed on work machines are in place.<br/> <b>Tags:</b> XMRig, proxyware, mining, cryptomining, cryptojacking</p>
</div>
<div class="trending-threat-article">
<h3 id="article-4"><a href="" target="_blank">Cream Finance Platform Pilfered for Over $34 million in Cryptocurrency</a></h3>
<p>(published: September 1, 2021)</p>
<p>Cream Finance has lost over $34 million in cryptocurrency after an attacker exploited a vulnerability in the project's market system. The attacker exploited the vulnerability on August 31, leading to the theft of 462,079,976 AMP tokens and 2,804.96 ETH; at September 1st prices this totals approximately $34 million. Cream Finance has stated that an error in how the platform integrated the AMP token led to a reentrancy bug, which was the source of the exploit. They say they have 'taken ownership of the error,' but are offering 50% of the value of the stolen funds to anyone who can identify the attacker, or will allow the actor to keep 10% if they return the funds. This is not the first time Cream Finance has lost money due to an attack: in February this year they lost $37.5 million due to a flash loan exploit made via IronBank. The organization has paused AMP supply and borrow functions until a patch can be deployed.<br/> <b>Analyst Comment:</b> As a business, regular pen testing and red teaming is recommended to understand the vulnerabilities and flaws in your systems, as it can often be difficult to see the forest for the trees. As a customer, understand the difference between custodial and non-custodial wallets and do not keep more money on these platforms than you are comfortable losing. If they hold your crypto keys and are hacked or go bankrupt, you will not get your money back.<br/> <b>Tags:</b> finance, DeFi, crypto, ETH, ethereum, exploit</p>
</div>
<div class="trending-threat-article">
<h3 id="article-5"><a href="" target="_blank">Bangkok Airways Admits Attackers Stole Passenger Data</a></h3>
<p>(published: August 31, 2021)</p>
<p>Bangkok Airways has admitted that a cyber-attack last week led to the compromise of an unspecified volume of passengers' personally identifiable information. The Thai airline said in a brief update late last week that although the incident didn't affect "operational or aeronautical security systems," it does appear that personal data was accessed. The airline didn't specify how the attackers compromised its IT systems or their intent; however, the timing of the attack coincided with the LockBit 2.0 ransomware gang publishing information on the attack, claiming to have 103GB of files stolen from Bangkok Airways that they plan to release. LockBit has already been blamed for another large compromise this year, targeting the global consulting firm Accenture. The Australian Cyber Security Centre (ACSC) released a report that LockBit 2.0 has been exploiting the CVE-2018-13379 vulnerability in Fortinet FortiOS and FortiProxy in an attempt to gain initial access to victim networks. This could possibly be the method used against Bangkok Airways.<br/> <b>Analyst Comment:</b> The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can help prevent illicit purchases, or applications for financial services, by actors using stolen data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a><br/> <b>Tags:</b> LockBit, CVE-2018-13379, ransomware, leak, breach, LockBit 2.0</p>
</div>
<div class="trending-threat-article">
<h3 id="article-6"><a href="" target="_blank">Conti Ransomware Now Hacking Exchange Servers with ProxyShell Exploits</a></h3>
<p>(published: September 3, 2021)</p>
<p>The Conti ransomware gang is now hacking into Microsoft Exchange servers and breaching corporate networks using the ProxyShell vulnerabilities. ProxyShell was recently disclosed by Orange Tsai, a researcher from DEVCORE, and refers to an exploit that utilises three chained Exchange vulnerabilities. When exploited, these vulnerabilities allow unauthenticated remote code execution on unpatched servers. Microsoft patched these vulnerabilities in May 2021; however, technical details on the exploits were recently released, allowing threat actors to abuse them, commonly dropping webshells and backdoors. IT security company Sophos announced last week that it had responded to a customer who was compromised using ProxyShell; shortly after the attack, the customer's details were uploaded to the Conti ransom site. Microsoft has recommended applying the most recent updates to Exchange to stay protected.<br/> <b>Analyst Comment:</b> Some threat actors go to great lengths to create sophisticated exploits and malware for targeted attacks. However, proof-of-concept exploit code sometimes exists in open-source locations and is quickly incorporated by actors in the timeframe prior to and after patch release. Ensure that your company has a patch policy in place to react quickly to sudden vulnerabilities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Transfer - T1029</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Web Shell - T1100</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> Cobalt Strike, AnyDesk, Conti, Conti ransomware, Remote Utilities, LockFile, CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, exploit</p>
</div>
<div class="trending-threat-article">
<h3 id="article-7"><a href="" target="_blank">Babuk Ransomware's Full Source Code Leaked on Hacker Forum</a></h3>
<p>(published: September 3, 2021)</p>
<p>An alleged member of the Babuk group has released the source code for their ransomware on a Russian-speaking hacking forum. The post's author claimed to be suffering from terminal cancer and decided to release the code while they have to 'live like a human'. The source code contains different Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors. The leak also contains 15 folders with encryptors and decryptors compiled for specific victims of the gang. The Babuk gang has a long history of fallings-out and splintering, with opposing groups often attacking each other. Researchers believe this leak to be legitimate.<br/> <b>Analyst Comment:</b> Be careful who you do business with, and don't give them your source code.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Permission Groups Discovery - T1069</a><br/> <b>Tags:</b> Babuk Locker, Babuk, North America, Russia, ransomware, malware, leak</p>
</div>
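The reentrancy bug class behind the Cream Finance story above, as a simplified added illustration that is not Cream Finance's or the AMP token's code: a lending pool whose borrow path transfers a token that can call back into the borrower, shown in its vulnerable ordering and then hardened with checks-effects-interactions ordering plus a reentrancy guard. The IHookToken interface, both pool contracts and the 50% collateral rule are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed for illustration, not Cream Finance's code: a token whose transfer()
// may call back into the recipient (as hook-based token standards do). That
// callback is what makes the pool's borrow() re-enterable.
interface IHookToken {
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract LendingPoolBase {
    IHookToken public immutable token;
    mapping(address => uint256) public collateral; // ETH deposited, in wei
    mapping(address => uint256) public debt;       // tokens borrowed
    constructor(IHookToken _token) { token = _token; }
    function deposit() external payable { collateral[msg.sender] += msg.value; }
    // Simplified solvency rule (prices ignored): debt may not exceed half the collateral.
    function _checkSolvent(address who, uint256 extra) internal view {
        require(debt[who] + extra <= collateral[who] / 2, "undercollateralized");
    }
}

// Vulnerable: the external transfer runs before the new debt is recorded, so a
// callback from token.transfer() can call borrow() again while the solvency
// check still sees the old, smaller debt.
contract VulnerablePool is LendingPoolBase {
    constructor(IHookToken t) LendingPoolBase(t) {}
    function borrow(uint256 amount) external {
        _checkSolvent(msg.sender, amount);                               // check
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction
        debt[msg.sender] += amount;                                      // effect, too late
    }
}

// Hardened: state is updated before the external call (checks, effects,
// interactions) and a mutex rejects any re-entrant call outright.
contract HardenedPool is LendingPoolBase {
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    constructor(IHookToken t) LendingPoolBase(t) {}
    function borrow(uint256 amount) external nonReentrant {
        _checkSolvent(msg.sender, amount);                               // check
        debt[msg.sender] += amount;                                      // effect
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}
```

Either fix alone closes this path; applying both is the usual defence in depth, since the guard also covers cross-function re-entry that ordering alone does not.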
