January 18, 2023
Anomali Threat Research

Anomali Cyber Watch: FortiOS Zero-Day Has Been Exploited by an APT, Two RATs Spread by Four Types of JAR Polyglot Files, Promethium APT Continued Android Targeting

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, DDoS, Polyglot, RATs, Russia, Skimmers, Trojanized apps,</b> and <b>Ukraine</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/pKQZFsarRoOk8WUbbxRy"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware/" target="_blank">Malicious ‘Lolip0p’ PyPi Packages Install Info-Stealing Malware</a></h3> <p>(published: January 16, 2023)</p> <p>On January 10, 2023, Fortinet researchers detected actor Lolip0p offering malicious packages on the Python Package Index (PyPI) repository. The packages came with detailed, convincing descriptions pretending to be legitimate HTTP clients or, in one case, a legitimate improvement for a terminal user interface. Installation of the libraries led to infostealing malware targeting browser data and authentication (Discord) tokens.<br/> <b>Analyst Comment:</b> Free repositories such as PyPI become increasingly abused by threat actors. Before adding a package, software developers should review its author and reviews, and check the source code for any suspicious or malicious intent.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a><br/> <b>Tags:</b> actor:Lolip0p, Malicious package, malware-type:Infostealer, Discord, PyPi, Social engineering, Windows</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.fortinet.com/blog/psirt-blogs/analysis-of-fg-ir-22-398-fortios-heap-based-buffer-overflow-in-sslvpnd" target="_blank">Analysis of FG-IR-22-398 – FortiOS - Heap-Based Buffer Overflow in SSLVPNd</a></h3> <p>(published: January 11, 2023)</p> <p>In December 2022, the Fortinet network security company fixed a critical, heap-based buffer overflow vulnerability (FG-IR-22-398, CVE-2022-42475) in FortiOS SSL-VPN. The vulnerability was exploited as a zero-day by an advanced persistent threat (APT) actor who was customizing a Linux implant specifically for FortiOS of relevant FortiGate hardware versions. The targeting was likely aimed at governmental or government-related targets. The attribution is not clear, but the compilation timezone UTC+8 may point to China, Russia, and some other countries.<br/> <b>Analyst Comment:</b> Users of the affected products should make sure that the December 2022 FortiOS security updates are implemented. Zero-day based attacks can sometimes be detected by less conventional methods, such as behavior analysis, and heuristic and machine learning based detection systems. Network defenders are advised to monitor for suspicious traffic, such as suspicious TCP sessions with Get request for payloads.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&amp;CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&amp;CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9767" target="_blank">[MITRE ATT&amp;CK] T1070 - Indicator Removal On Host</a><br/> <b>Tags:</b> FG-IR-22-398, CVE-2022-42475, Heap-Based Buffer Overflow, malware-type:Backdoor, malware-type:Implant, detection:Elf/BakSo, detection:Bakso.Linux.Backdoor, file-type:ELF, port:80, port:443, port:444, port:20443, port:30080, port:30081, port:30443, port:8033, port:8443, APT, target-industry:Government, SSLVPNd, Fortinet, FortiOS, Zero-day, Linux</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.deepinstinct.com/blog/malicious-jars-and-polyglot-files-who-do-you-think-you-jar" target="_blank">Malicious JARs and Polyglot Files: “Who Do You Think You JAR?”</a></h3> <p>(published: January 11, 2023)</p> <p>Deep Instinct researchers have detected a number of malicious JAR files appended in the beginning to masquerade as being of a different file type. Some files were functional polyglot files: MSI+JAR and CAB+JAR polyglots. Other files had non-functioning PE or binary junk beginning. Two types of payloads were remote access trojans (RATs): StrRAT and Ratty. It is possible that all studied samples were created by the same actor, as some shared C2, and many shared the same BelCloud LTD hosting.<br/> <b>Analyst Comment:</b> Appended JAR files are misidentified by the Linux file command. Network defenders should monitor as JAR all files passed as an argument to the java or javaw process with -jar as an argument.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9598" target="_blank">[MITRE ATT&amp;CK] T1036.001 - Masquerading: Invalid Code Signature</a> | <a href="https://ui.threatstream.com/attackpattern/9872" target="_blank">[MITRE ATT&amp;CK] T1027.001 - Obfuscated Files or Information: Binary Padding</a> | <a href="https://ui.threatstream.com/attackpattern/9721" target="_blank">[MITRE ATT&amp;CK] T1102 - Web Service</a><br/> <b>Tags:</b> Polyglot file, file-type:JAR, file-type:MSI, MSI+JAR polyglot, ZIP file, file-type:CAB, CAB+JAR polyglot, BelCloud LTD, detection:StrRAT, detection:Ratty, malware-type:RAT</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://decoded.avast.io/martinchlumecky/ddosia-project/" target="_blank">DDosia Project: Volunteers Carrying out NoName(057)16’s Dirty Work</a></h3> <p>(published: January 11, 2023)</p> <p>A pro-Russian DDoS group called <i>NoName057(16)</i> has been targeting Poland, Latvia, Lithuania, and Ukraine (in the order of intensity). In September 2022, the group relied on a botnet of infected machines. After it was taken down, <i>NoName057(16)</i> started building a volunteer hacktivist DDoS collective. Their Python-based DDoS tool named DDosia has Linux/macOS and Windows versions. Avast researchers detected 2,200 DDoS targets and estimated the overall success rate at 13% and increasing. To incentivise its followers, the group regularly announces cryptocurrency payments to its top performers in the amount of several hundred US dollars.<br/> <b>Analyst Comment:</b> The current DDosia’s capability is relatively low, but it can be enough to take down web services that do not expect heavier network traffic. Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put in place a business continuity plan in the unfortunate case that your company is the target of a significant DDoS attack.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/9990" target="_blank">[MITRE ATT&amp;CK] T1498 - Network Denial Of Service</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a><br/> <b>Tags:</b> detection:DDosia, actor:NoName(057)16, Hacktivism, malware-type:DDoS, Russia, source-country:RU, target-region:Europe, Poland, target-country:PL, Latvia, target-country:LT, Lithuania, target-country:LV, Ukraine, target-country:UA</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/" target="_blank">StrongPity Espionage Campaign Targeting Android Users</a></h3> <p>(published: January 10, 2023)</p> <p>ESET researchers identified a new campaign attributed to the Turkey-sponsored Promethium (StrongPity) APT. The attackers copied a video-chat service website and offered to download an Android app that actually is a trojanized version of the Telegram messenger. An installation leads to modular, fully-functional spyware, similar to the Android spyware used by Promethium in a previous campaign targeting Syria. If a targeted user gives the trojanized app accessibility services permission, it can expand its information-gathering to exfiltrate communication from 17 apps such as Gmail, Messenger, Skype, Tinder, and Viber.<br/> <b>Analyst Comment:</b> Always use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Accessibility services and other excessive permission requests from an app should raise concern. Install anti-virus software for your mobile device. Note that rooting your device lowers its protections against malware such as Android/StrongPity.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/17768" target="_blank">[MITRE ATT&amp;CK] T1398 - Modify Os Kernel Or Boot Partition</a> | <a href="https://ui.threatstream.com/attackpattern/18652" target="_blank">[MITRE ATT&amp;CK] T1624.001 - Event Triggered Execution: Broadcast Receivers</a> | <a href="https://ui.threatstream.com/attackpattern/17814" target="_blank">[MITRE ATT&amp;CK] T1407 - Download New Code At Runtime</a> | <a href="https://ui.threatstream.com/attackpattern/17807" target="_blank">[MITRE ATT&amp;CK] T1406 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/18650" target="_blank">[MITRE ATT&amp;CK] T1628.002 - Hide Artifacts: User Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/18613" target="_blank">[MITRE ATT&amp;CK] T1629.003 - Impair Defenses: Disable Or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/17765" target="_blank">[MITRE ATT&amp;CK] T1420 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/12247" target="_blank">[MITRE ATT&amp;CK] T1418 - Application Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/17834" target="_blank">[MITRE ATT&amp;CK] T1422 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/17824" target="_blank">[MITRE ATT&amp;CK] T1426 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/18653" target="_blank">[MITRE ATT&amp;CK] T1417.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/17840" target="_blank">[MITRE ATT&amp;CK] T1517 - Access Notifications</a> | <a href="https://ui.threatstream.com/attackpattern/17816" target="_blank">[MITRE ATT&amp;CK] T1532 - Data Encrypted</a> | <a href="https://ui.threatstream.com/attackpattern/17820" target="_blank">[MITRE ATT&amp;CK] T1430 - Location Tracking</a> | <a href="https://ui.threatstream.com/attackpattern/17806" target="_blank">[MITRE ATT&amp;CK] T1429 - Capture Audio</a> | <a href="https://ui.threatstream.com/attackpattern/17836" target="_blank">[MITRE ATT&amp;CK] T1513 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/18665" target="_blank">[MITRE ATT&amp;CK] T1636.002 - Protected User Data: Call Log</a> | <a href="https://ui.threatstream.com/attackpattern/18648" target="_blank">[MITRE ATT&amp;CK] T1636.003 - Protected User Data: Contact List</a> | <a href="https://ui.threatstream.com/attackpattern/18649" target="_blank">[MITRE ATT&amp;CK] T1636.004 - Protected User Data: Sms Messages</a> | <a href="https://ui.threatstream.com/attackpattern/18625" target="_blank">[MITRE ATT&amp;CK] T1437.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/18622" target="_blank">[MITRE ATT&amp;CK] T1521.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/18640" target="_blank">[MITRE ATT&amp;CK] T1646 - Exfiltration Over C2 Channel</a><br/> <b>Tags:</b> mitre-group:Promethium, actor:StrongPity, detection:Android/StrongPity, APT, Cyberespionage, Mobile, malware-type:Backdoor, malware-type:Spyware, Modular malware, Trojanized app, Accessibility services, HTTrack, Turkey, source-country:TR, Telegram, Shagle, Android</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.grc.com/sn/sn-905-notes.pdf" target="_blank">Security Now! #905: 1</a></h3> <p>(published: January 10, 2023)</p> <p>The LastPass password manager uses Password-based Key Derivation Function 2 (PBKDF2) to store user passwords. In January 2023, Security Now research community revealed that some user vaults in LastPass had PBKDF2 iteration count set to 5000, 500, or just 1. It makes brute-force attacks on the hashed memorized secrets practical, and these numbers are significantly lower than recommendations from OWASP (310,000 iterations for PBKDF2-HMAC-SHA256) and NIST (as large as verification server performance will allow, typically at least 10,000 iterations). Another concern around the previously-disclosed LastPass breach is unencrypted “LastTouch” field containing a time code that shows when the last logon at each stored domain occurred.<br/> <b>Analyst Comment:</b> Over the years, threat actors have the ability to accumulate more brute-forcing power through advances in technology and cloud abuse. It is important to follow the current best practices for password storing. If your passwords and secrets were potentially exposed in a breach while not hashed securely according to the modern day standards, it is safe to assume them compromised and change the passwords as soon as possible.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/9858" target="_blank">[MITRE ATT&amp;CK] T1110.002 - Brute Force: Password Cracking</a><br/> <b>Tags:</b> LastPass, PBKDF2, Iteration count, Brute force, Data breach</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspired-magecart-skimmer-surfaces-via-digital-crime-haven" target="_blank">Crypto-Inspired Magecart Skimmer Surfaces via Digital Crime Haven</a></h3> <p>(published: January 9, 2023)</p> <p>A new skimming campaign using the Mr.SNIFFA framework was detected by Malwarebytes researchers. For its domains, the campaign utilizes the theme of cryptocurrency and public figures known in the cryptocurrency industry. Judging from the domain naming and hosting information, the same actor may be involved in crypto giveaway scams. Russian-based hosting provider DDoS-Guard hosts these domains together with other threats including Bitcoin mixers, carding and crimeware sites, fake e-commerce shops, and malware distribution sites.<br/> <b>Analyst Comment:</b> Site administrators should be aware of supply-chain dependencies and remove ones that are unsupported and/or abandoned. Keep your systems updated and secure the administrator panel with two-factor authentication or other access restrictions. If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a><br/> <b>Tags:</b> Magecart, malware-type:Skimmer, Cryptocurrency, Mr.SNIFFA, target-industry:E-commerce, Credit card data, DDoS-Guard</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.