June 21, 2022
Anomali Threat Research

Anomali Cyber Watch: GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool, DragonForce Malaysia OpsPatuk / OpsIndia and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT35, CrescentImp, Follina, Gallium, Phosphorous,</b> and <b>Sandworm</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/Biq3eLepRUWKofUki5sr"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://pixmsecurity.com/blog/blog/phish-goes-on/" target="_blank">Update: The Phish Goes On - 5 Million Stolen Credentials and Counting</a></h3> <p>(published: June 16, 2022)</p> <p>PIXM researchers describe an ongoing, large-scale Facebook phishing campaign. Its primary targets are Facebook Messenger mobile users and an estimated five million users lost their login credentials. The campaign evades Facebook anti-phishing protection by redirecting to a new page at a legitimate service such as amaze.co, famous.co, funnel-preview.com, or glitch.me. In June 2022, the campaign also employed the tactic of displaying legitimate shopping cart content at the final page for about two seconds before displaying the phishing content. The campaign is attributed to Colombian actor BenderCrack (Hackerasueldo) who monetizes displaying affiliate ads.<br/> <b>Analyst Comment:</b> Users should check what domain is asking for login credentials before providing those. Organizations can consider monitoring their employees using Facebook as a Single Sign-On (SSO) Provider.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Facebook, Phishing, Facebook Messenger, Social networks, Mobile, Android, iOS, Redirect, Colombia, source-country:CO, BenderCrack, Hackerasueldo</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.f5.com/labs/articles/threat-intelligence/f5-labs-investigates-malibot" target="_blank">F5 Labs Investigates MaliBot</a></h3> <p>(published: June 15, 2022)</p> <p>F5 Labs researchers describe a novel Android trojan, dubbed MaliBot. Based on re-written SOVA malware code, MaliBot is maintaining its Background Service by setting itself as a launcher. Its code has some unused evasion portions for emulation environment detection and setting the malware as a hidden app. MaliBot spreads via smishing, takes control of the device and monetizes using overlays for certain Italian and Spanish banks, stealing cryptocurrency, and sometimes sending Premium SMS to paid services.<br/> <b>Analyst Comment:</b> Users should be wary of following links in unexpected SMS messages. Try to avoid downloading apps from third-party websites. Be cautious with enabling accessibility options.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> MaliBot, Android, MFA bypass, SMS theft, Premium SMS, Smishing, Binance, Trust wallet, VNC, SOVA, Sality, Cryptocurrency, Financial, Italy, target-country:IT, Spain, target-country:ES</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/extortion-gang-ransoms-shoprite-largest-supermarket-chain-in-africa/" target="_blank">Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa</a></h3> <p>(published: June 15, 2022)</p> <p>On June 10, 2022, the African largest supermarket chain operating in twelve countries, Shoprite Holdings, announced a possible cybersecurity incident. The company notified customers in Eswatini, Namibia, and Zambia that their data could have been stolen. Extortion group RansomHouse took the responsibility, claiming to have stolen 600GB of data. RansomHouse posted 356 files (~400MB) to its Onion website containing customer identity data. RansomHouse relies on data theft and extortion, and does not deploy crypters (ransomware) itself, but was allegedly cooperating with other ransomware groups such as White Rabbit in the past.<br/> <b>Analyst Comment:</b> Companies working with clients' personal and financial information should make steps to protect such information. When possible, sensitive information should be stored in encrypted form or taken offline. Network segmentation should be used to make exfiltration attempts harder to execute.<br/> <b>Tags:</b> RansomHouse, Data leak, Extortion, Shoprite, target-region:Africa, Eswatini, target-country:SZ, Namibia, target-country:NA, Zambia, target-country:ZM</p> </div> <div class="trending-threat-article"> <h3><a href="https://cyware.com/news/crescentimp-malware-targets-ukraines-media-organisations-a33f3adf" target="_blank">CrescentImp Malware Targets Ukraine’s Media Organisations</a></h3> <p>(published: June 15, 2022)</p> <p>Ukraine's Computer Emergency Response Team (CERT-UA) reported a new campaign by Russia-sponsored group Sandworm that targeted 500 Ukrainians across the mass media sector. The observed malicious attachment was exploiting the Follina (CVE-2022-30190) vulnerability, a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that went unpatched until the June 14, 2022 cumulative update. Opening of the attached DOCX file leads to loading of the HTML-file and executing JavaScript-code, which, in turn, will download and execute the final executable: CrescentImp. The CrescentImp trojan has capabilities to steal sensitive information and download additional malware.<br/> <b>Analyst Comment:</b> Install June 2022 cumulative Windows Updates to address the Follina zero-day vulnerability. Educate your users on the handling of suspected spearphishing emails.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> Follina, CrescentImp, Windows, CVE-2022-30190, UAC-0113, Sandworm, DOCX, HTML, JavaScript, Russia, source-country:RU, Ukraine, target-country:UA, Mass media</p> </div> <div class="trending-threat-article"> <h3><a href="https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/" target="_blank">Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials</a></h3> <p>(published: June 14, 2022)</p> <p>Iran-sponsored group Charming Kitten (APT35, Phosphorous) continues its spearphishing activity against high-ranking targets in Israel and in the US. Checkpoint researchers discovered that the newest campaigns rely heavily on stolen email chains. The attackers impersonated Bitly URL-shortener with their malicious domain Litby[.]us. Clicking on a malicious link sent by Charming Kitten eventually redirects to one of the many phishing pages. In some cases, the attackers were after account password and second factor authentication code, in other cases, they were trying to receive identity documents by abusing a legitimate customer’s identity validation service (provided by NameCheap).<br/> <b>Analyst Comment:</b> Users should pay attention to a sudden tone change in the email chains as well as a sudden email address change. Verify the authenticity of conversation via alternative means such as via a telephone call. Be extra-caution when asked to provide a password or send your identity documents.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947098" target="_blank">[MITRE ATT&amp;CK] Email Collection - T1114</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Charming Kitten, APT35, Phosphorous, Iran, source-country:IR, Israel, target-country:IL, USA, target-country:US, Spearphishing, Email chains, Yahoo, OneDrive, Google Drive, Validation.com</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.cloudflare.com/26m-rps-ddos/" target="_blank">Cloudflare Mitigates 26 Million Request per Second DDoS Attack</a></h3> <p>(published: June 14, 2022)</p> <p>Cloudflare reported the largest HTTPS DDoS attack on record, peaking at a 26 million request per second (rps). This attack originated mostly from cloud service providers (virtual machines and servers). It made this DDoS botnet, on average, 4,000 times stronger per node (5,200 rps compared to 1.3 rps from a typical DDoS node). Additionally, attacking over HTTPS (as opposed to unencrypted HTTP) costs the victim more in computational resources to mitigate it because of the higher cost of establishing a secure TLS encrypted connection.<br/> <b>Analyst Comment:</b> Organizations that rely on stable work of their Internet properties should consider a comprehensive DDoS protection service. Other individuals and organizations should keep their systems updated to avoid being included into a malicious botnet.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a><br/> <b>Tags:</b> DDoS, HTTPS DDoS, TLS, Cloud, CSP</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.radware.com/getattachment/bde65cb6-ace4-4dea-bce3-5f3b6cc1c951/Advisory-DragonForce-OpsPatuk-OpsIndia-final.pdf.aspx" target="_blank">DragonForce Malaysia OpsPatuk / OpsIndia</a></h3> <p>(published: June 14, 2022)</p> <p>Hacktivist, religion-motivated group DragonForce Malaysia filled the void in the Anonymous movement and became the driving force behind #OpsPatuk / #OpsIndia operation in mid-June 2022. The attackers deface Indian websites in government and other sectors, and wage DDoS attacks using Slowloris, DDoSTool, DDoS-Ripper, Hammer, and other open-source scripts. At the same time, DragonForce Malaysia worked with close to a dozen of affiliated groups and engaged in skill sharing on DragonForce Forum. On June 10, 2022, the group was able to leverage the Atlassian Confluence unauthenticated remote code execution vulnerability (CVE-2022-26134) that was disclosed just seven days earlier.<br/> <b>Analyst Comment:</b> Website administrators should keep their systems updated, including servers, content management systems and plugins. Review your servers for unwanted admin accounts and unwarranted files such as shell artifacts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a> | <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3297595" target="_blank">[MITRE ATT&amp;CK] Server Software Component - T1505</a><br/> <b>Tags:</b> DragonForce Malaysia, OpsPatuk, OpsIndia, Hacktivism, India, target-country:IN, Malaysia, source-country:MY, DDoS, Defacement, Atlassian, Confluence, CVE-2022-26134, Slowloris, DDoSTool, DDoS-Ripper, Hammer</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank">GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool</a></h3> <p>(published: June 13, 2022)</p> <p>Unit 42 researchers discovered a new remote access trojan (RAT) dubbed PingPull. It was detected in use by the China-sponsored Gallium (Softcell) group while targeting government, financial, and telecom organizations. Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam were observed to be targeted. Depending on the PingPull variant, it was observed to conduct command and control (C2) via one of three protocols (ICMP, HTTP(S) and raw TCP).<br/> <b>Analyst Comment:</b> Defenders should consider implementing inspection of ICMP traffic on their organization networks. Block the current PingPull C2 infrastructure that was uncovered through certificate and domain reuse analysis.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/3905040" target="_blank">[MITRE ATT&amp;CK] Create or Modify System Process - T1543</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/3904502" target="_blank">[MITRE ATT&amp;CK] Non-Standard Port - T1571</a> | <a href="https://ui.threatstream.com/ttp/3904531" target="_blank">[MITRE ATT&amp;CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/947250" target="_blank">[MITRE ATT&amp;CK] Standard Non-Application Layer Protocol - T1095</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947291" target="_blank">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a><br/> <b>Tags:</b> Gallium, China, source-country:CN, APT, PingPull, ICMP, Raw TCP, RAT, Softcell, Soft Cell, Windows, Telecommunications, Government, Finance, Southeast Asia, Europe, Africa, Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, Philippines, Russia, Vietnam</p> </div> <div class="trending-threat-article"> <h3><a href="https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/" target="_blank">Linux Threat Hunting: ‘Syslogk’ a Kernel Rootkit Found under Development in the Wild</a></h3> <p>(published: June 13, 2022)</p> <p>A new Linux kernel rootkit, dubbed Syslogk, was detected by Avast researchers in the wild. Despite being in development and targeting only Linux kernels version 2.x-3.x, Syslogk has powerful functionality and can achieve stealthiness by hiding its process, directories containing malicious files, and its network activity. Syslogk works in tandem with the Rekoobe backdoor that is being started and controlled via magic packets that allow the attacker to send commands without having a specific listening port on the victim machine.<br/> <b>Analyst Comment:</b> Analysts and defenders can reveal the Syslogk rootkit by writing value 1 into the file /proc/syslogk and then checking if Syslogk present among loaded kernel modules (lsmod | grep commands). Once revealed, it is possible to remove Sylogk from the memory by using the rmmod command intended to remove a module from the Linux kernel.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905768" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/947144" target="_blank">[MITRE ATT&amp;CK] Port Knocking - T1205</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&amp;CK] Hide Artifacts - T1564</a><br/> <b>Tags:</b> Syslogk, Kernel rootkit, Adore-Ng, Rekoobe, Magic packet, TinySHell, Linux</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Weekly Threat Briefing can be found below:</p> <p><a href="https://ui.threatstream.com/actor/1822" target="_blank">TeleBots</a><br/> The threat group called “TeleBots” is believed to be based in Russia and has been active since at least 2007.</p> <p><a href="https://ui.threatstream.com/vulnerability/2211727" target="_blank">CVE-2022-30190</a><br/> Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.</p> <p><a href="https://ui.threatstream.com/vulnerability/2218804" target="_blank">Atlassian Confluence CVE-2022-26134</a><br/> CVE-2022-26134 is a critical severity unauthenticated remote code execution (RCE) vulnerability.1 The vulnerability affects Confluence Server version 7.18.0 and all Confluence Data Center versions &gt;= 7.4.0 (as of June 3d, 2022).2 It was exploited as a 0-day vulnerability by multiple threat groups likely based in China since the end of May 2022.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.