July 12, 2021
Anomali Threat Research

Anomali Cyber Watch: Global Phishing Campaign, Magecart Data Theft, New APT Group, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Data Theft, Malicious Apps, Middle East, Phishing, Targeted Campaigns,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-071321.png" /><br /> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.intezer.com/blog/research/global-phishing-campaign-targets-energy-sector-and-its-suppliers/" target="_blank">Global Phishing Campaign Targets Energy Sector and Its Suppliers</a></h3> <p>(published: July 8, 2021)</p> <p>Researchers at Intezer have identified a year-long global phishing campaign targeting the energy, oil and gas, and electronics industry. The threat actors use spoofed or typosquatting emails to deliver an IMG, ISO or CAB file containing an infostealer, typically FormBook, and Agent Tesla. The emails are made to look as if they are coming from another company in the same sector, with the IMG/ISO/CAB file attached, which when opened contains a malicious executable. Once executed, the malware is loaded into memory, helping to evade detection from anti-virus. The campaign appears to be targeting Germany, South Korea, United States, and United Arab Emirates (UAE).<br /> <b>Analyst Comment:</b> All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a><br /> <b>Tags:</b> FormBook, AgentTesla, Phishing, Europe, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.talosintelligence.com/2021/07/sidecopy.html" target="_blank">SideCopy Cybercriminals Use New Custom Trojans in Attacks Against India&#39;s Military</a></h3> <p>(published: July 7, 2021)</p> <p>SideCopy, an advanced persistent threat (APT) group, has expanded its activities and new trojans are being used in campaigns across India accordingaccodring Talos Intelligence. This APT group has been active since at least 2019 and appears to focus on targets of value in cyberespionage. SideCopy have also taken cues from Transparent Tribe (also known as PROJECTM, APT36) in how it uses tools and techniques against the targets. These targets include multiple units of the Indian military and government officials.<br /> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947145">[MITRE ATT&CK] Signed Binary Proxy Execution - T1218</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947189">[MITRE ATT&CK] Account Discovery - T1087</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&CK] Indicator Removal on Host - T1070</a><br /> <b>Tags:</b> Allakore, CetaRAT, DetaRAT, ReverseRAT, ActionRAT, njRAT, MargulasRAT, Lilith, Epicenter, Lavao, Xeytan, Nodachi, Government, Military, Asia</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/kaspersky-password-manager-caught-out-making-easily-bruteforced-passwords/#ftag=RSSbaffb68" target="_blank">Kaspersky Password Manager Caught Out Making Easily Bruteforced Passwords</a></h3> <p>(published: July 7, 2021)</p> <p>Kaspersky Password Manager (KPM) used a complex method to generate its passwords. This method aimed to create passwords hard to break for standard password crackers. The discovered flaw shows that KPM though was using the current system time in seconds as the seed into a Mersenne Twister pseudo random number generator. This allows for automated bruteforcing by malicious actors.<br /> <b>Analyst Comment:</b> In addition to using password managers, users should always enable two-factor authentication as an additional security measure to prevent further access in cases such as this. This adds a secondary protection against malicious attackers.<br /> <b>Tags:</b> Kaspersky Password Manager, Pseudo random, Brute force</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html" target="_blank">Magecart Swiper Uses Unorthodox Concatenation</a></h3> <p>(published: July 7, 2021)</p> <p>MageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites with the goal of stealing credit card numbers and selling them on underground forums. This concatenation technique involves breaking data up so that it’s more difficult to distinguish before and after runtime. An example of this is that instead of the code reading as ‘helloworld’, the attackers have changed it to be ""."h"."e"."".""."llo"."w"."o"."".""."r"."l"."d"."". This method is also encoded using several methods to allow MageCart to exfiltrate credit card data from Magento websites.<br /> <b>Analyst Comment:</b> Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of infection, the affected networks should be repopulated. Furthermore, customers should be notified as soon as possible and potentially offered fraud protection to avoid negative media coverage and reputation.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a><br /> <b>Tags:</b> MageCart, Infostealer, Magento</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/install-immediately-microsoft-delivers-emergency-patch-for-printnightmare-security-bug/#ftag=RSSbaffb68" target="_blank">Install Immediately: Microsoft Delivers Emergency Patch for PrintNightmare Security Bug</a></h3> <p>(published: July 7, 2021)</p> <p>Microsoft has released an out-of-band patch for the security flaw known as PrintNightmare. It&#39;s a critical bug in the Windows print spooler with exploit code in the public domain. This would allow an attacker to run with SYSTEM level privileges on any system successfully exploited. Admins were advised to disable the Print Spooler service until a patch was made available. Security updates are not yet available for Windows 10, Windows Server 2016 or Windows Server 2012.<br /> <b>Analyst Comment:</b> Due to the severity of vulnerabilities such as these, every precaution should be taken in order to prevent additional attack vectors in a network. Any out-of-band patch should be installed as soon as possible, per your enterprise patch policy.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a><br /> <b>Tags:</b> CVE-2021-34527, CVE-2021-1675, PrintNightmare</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/ " target="_blank">Website of Mongolian Certificate Authority Served Backdoored Client Installer</a></h3> <p>(published: July 6, 2021)</p> <p>The official website of a Mongolian certification authority was harboring malware and facilitated downloads of a backdoored client to users. MonPass, the compromised certificate authority (CA) has potentially been breached up to eight times. The attackers used installers containing Cobalt Strike binaries, and steganography was used on a separately downloaded image file to unpack and decrypt hidden code.<br /> <b>Analyst Comment:</b> Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. In addition, supply chain attacks are becoming more frequent amongst threat actors as their Tactics, Techniques, and Procedures (TTPs) evolve. Therefore, it is paramount that all applications in use by your company are properly maintained and monitored for potential unusual activity.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a><br /> <b>Tags:</b> Cobalt Strike, Mongolia, MonPass</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://securelist.com/wildpressure-targets-macos/103072/" target="_blank">Wildpressure Targets The macOS Platform</a></h3> <p>(published: July 6, 2021)</p> <p>A campaign dubbed ‘WildPressure’ has been actively attacking industrial-related targets in the Middle East since 2019. As of yet, there is no attribution to the actors behind the attacks. Analysts have been tracking the malware techniques used and recently discovered new variants created in VBScript and Python. These payloads are able to target both Windows and macOS environments. Using multiple infection methods and sophisticated techniques, the group has deployed keyloggers, infostealers, and 2FA bypass to target the oil and gas industry within the Middle East.<br /> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947109">[MITRE ATT&CK] Security Software Discovery - T1063</a> | <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&CK] System Information Discovery - T1082</a><br /> <b>Tags:</b> Windows, macOS, WildPressure, Middle East, Oil & Gas</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://threatpost.com/android-apps-google-play-facebook-credentials/167563/" target="_blank">Android Apps in Google Play Harvest Facebook Credentials</a></h3> <p>(published: July 6, 2021)</p> <p>A set of nine malicious Android apps that steal Facebook credentials were found on Google Play, totalling 5.9 million installations before removal from the Play store, per Dr. Web. According to reports, the applications worked as intended and so users were kept unaware of the malicious actions taking place. Pop-ups informed users that to access all functionality and to disable in-app ads, a Facebook account would need to be linked. Once they did, their passwords and usernames were harvested.<br /> <b>Analyst Comment:</b> Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a><br /> <b>Tags:</b> Android, Joker, Clast82, AlienBot, MRAT, Banking & Finance</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.