March 15, 2022
Anomali Threat Research

Anomali Cyber Watch: Government and Financially-Motivated Targeting of Ukraine, Conti Ransomware Active Despite Exposure, Carbanak Abuses XLL Files, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Excel add-ins, Phishing, Russia, Ukraine,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div lass="trending-threat-article"> <h3><a href="" target="_blank">Webinar on Cyberattacks in Ukraine – Summary and Q&amp;A</a></h3> <p>(published: March 14, 2022)</p> <p>As the military conflict in Ukraine continues, the number of cyberattacks in Ukraine is expected to rise in the next six months, according to Kaspersky researchers. Most of the current attacks on Ukraine are of low complexity, but advanced persistent threat (APT) attacks exist too. Gamaredon (Primitive Bear) APT group continues its spearphishing attacks. Sandworm APT targets SOHO network devices with modular Linux malware Cyclops Blink. Other suspected APT campaigns use MicroBackdoor malware or various wipers and fake ransomware (HermeticRansom, HermeticWiper, IsaacWiper, WhisperGate). Honeypot network in Ukraine detected over 20,000 attacking IP addresses, and most of them were seen attacking Ukraine exclusively.<br/> <b>Analyst Comment:</b> Harden your infrastructure against DDoS attacks, ransomware and destructive malware, phishing, targeted attacks, supply-chain attacks, and firmware attacks. Install all the latest patches. Install security software. Consider strict application white-listing for all machines. Actively hunt for attackers inside the company’s internal network using the retrospective visibility provided by Anomali XDR.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Shared Modules - T1129</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Pre-OS Boot - T1542</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Fallback Channels - T1008</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Disk Content Wipe - T1488</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Inhibit System Recovery - T1490</a><br/> <b>Tags:</b> Gamaredon, Sandworm, MicroBackdoor, Hades, HermeticWiper, HermeticRansom, IsaacWiper, Pandora, Cyclops Blink, Government, Russia, Ukraine, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear</p> </div> <div lass="trending-threat-article"> <h3><a href="" target="_blank">Alert (AA21-265A) Conti Ransomware (Updated)</a></h3> <p>(published: March 9, 2022)</p> <p>The U.S. Cybersecurity and Infrastructure Security Agency (CISA), with assistance from the U.S. Secret Service has updated the alert on Conti ransomware with 98 domain names used in malicious operations. Conti ransomware-as-a-service (RaaS) operation is attributed to the threat group Wizard Spider also known for its Trickbot malware. The group’s internal data and communications were leaked at the end of February 2022 after they announced support for Russia over the conflict in Ukraine.<br/> <b>Analyst Comment:</b> Despite the increased attention to Conti ransomware group, it remains extremely active. Ensure that your server is always running the most current software version. Intrusion detection systems and intrusion prevention systems can also assist in identifying and preventing attacks against your company's network. Furthermore, always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe).<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Conti, TrickBot, BazarBackdoor, Cobalt Strike, Ransomware, USA, Russia, Canada, Germany, Switzerland, UK, Italy, Serbia, Saudi Arabia</p> </div> <div lass="trending-threat-article"> <h3><a href="" target="_blank">Raccoon Stealer: “Trash panda” Abuses Telegram</a></h3> <p>(published: March 9, 2022)</p> <p>Raccoon Stealer, which first appeared in-the-wild in April 2019, has added the ability to store and update its own actual command-and-control (C2) addresses on Telegram’s infrastructure. This malware is offered for purchase by native Russian speakers, and buyers use various ways to distribute it including: crack patches, Buer Loader and GCleaner downloaders, fake game cheats, and game mods, among others. Initial attempts to install Raccoon Stealer are seen globally with most instances in Brazil, India, and Russia. However, the malware won’t work if it detects Russian or one of the following user locales: Armenian, Belarusian, Kazakh, Kyrgyz, Tajik, Ukrainian, or Uzbek. Raccoon Stealer was seen distributing other malware including various downloaders, clipboard crypto stealers, and WhiteBlackCrypt Ransomware.<br/> <b>Analyst Comment:</b> While Raccoon Stealer’s code is not the most sophisticated, some actors use Themida and other packers to lower the detection rate. The new trick of initially-calling the Telegram messenger profiles makes it harder to identify and block all of its C2 IPs. Users should be aware that downloading conterfeight software often results in malware infection and the theft of information and funds.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Multi-Stage Channels - T1104</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Raccoon, Raccoon Stealer, Russia, Cryptostealer, Telegram, C2, Buer Loader, GCleaner, Banking And Finance, Cryptocurrency, WhiteBlackCrypt, Ransomware</p> </div> <div lass="trending-threat-article"> <h3><a href="" target="_blank">CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector</a></h3> <p>(published: March 8, 2022)</p> <p>Joint research by Akamai SIRT, Cloudflare, Lumen Black Lotus Labs, NetScout ASERT, Team Cymru, TELUS, and The Shadowserver Foundation describe a new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1. This attack leverages CVE-2022-26143 on misconfigured Mitel’s collaboration systems (Mitel MiCollab and MiVoice Business Express) that were left exposed to the public Internet. Since mid-February 2022, this technique has been abused by attackers in-the-wild to launch multiple high-impact DDoS attacks targeting broadband access ISPs, financial institutions, logistics companies, and other industries.<br/> <b>Analyst Comment:</b> Companies should maintain a pulse on registered CVEs to ensure that proper measures can take place should a vulnerability affect one of your products or a used software. Defenders can use standard DDoS detection and mitigation techniques aiming at TP-240 reflection/amplification DDoS attacks that are sourced from UDP/10074 and destined for the UDP port of the attacker’s choice.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Endpoint Denial of Service - T1499</a><br/> <b>Tags:</b> CVE-2022-26143, TP240PhoneHome, DDoS, Amplification, Reflection, Mitel, Mitel MiCollab, MiVoice Business Express, UDP port 10074</p> </div> <div lass="trending-threat-article"> <h3><a href="" target="_blank">Emotet Redux. What Global Network Visibility Reveals About The Resurgence of One of The World’s Most Notorious Botnets</a></h3> <p>(published: March 8, 2022)</p> <p>Lumen’s Black Lotus Lab researchers report that since Emotet came back online in November 2021, the botnet victimized 130,000 unique bots spread across 179 countries. Asia is the most targeted, namely Japan, India, Indonesia, and Thailand, and the remaining top 10 include (in order): South Africa, Mexico, the United States, China, Brazil, and Italy. Emotet’s command-and control (C2) pool has continued to grow to an average of 77 unique C2s per day from late February through March 4, 2022. The botnet is still lower than its 2019 numbers, but the malware is changing the network traffic cryptography it uses, and adding functionality to gather additional information about the infected host. Emotet has abandoned (as of this writing) the Bot C2 proxying model when a subset of bots would receive a UPnP module to act as a C2 by opening a port on the user’s router, which would then allow it to proxy traffic from Emotet bots to a higher-tier C2.<br/> <b>Analyst Comment:</b> Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated. Disable all except digitally signed macros. Block macros from running in Office files from the Internet. Enforce attack surface reduction rules for Microsoft Office.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Non-Standard Port - T1571</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Encrypted Channel - T1573</a><br/> <b>Tags:</b> Emotet, Mummy Spider, Botnet, Asia, Japan, India, Indonesia, Thailand, South Africa, Mexico, the United States, China, Brazil, Italy</p> </div> <div lass="trending-threat-article"> <h3><a href="" target="_blank">Excel Add-ins Deliver JSSLoader Malware</a></h3> <p>(published: March 8, 2022)</p> <p>Threat group Carbanak (also known as Carbon Spider, Gold Niagara) has been using the JSSLoader RAT since 2019, but around February 2022, they started a new delivery method by spoofing legitimate Microsoft Excel add-ins. When a user clicks on a malicious link in an invoice-themed phishing email, a malicious XLL file is being downloaded with the ExcelDna.xll filename, mimicking a legitimate Excel add-in project of the same name. Executing the XLL file launches Excel which may show a security warning, but if the user enables the add-in anyway, its code executes within the context of the Excel process, attempts to download a JSSLoader binary to the %TEMP% directory, and then executes the binary.<br/> <b>Analyst Comment:</b> Users should be trained to recognize phishing attacks and discouraged to install unwarranted software and add-ins especially those that are not properly signed.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Office Application Startup - T1137</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a><br/> <b>Tags:</b> JSSLoader, Carbanak, Carbon Spider, Gold Niagara, RAT, Microsoft Excel add-in, XLL</p> </div> <div lass="trending-threat-article"> <h3><a href="" target="_blank">The Dirty Pipe Vulnerability</a></h3> <p>(published: March 7, 2022)</p> <p>Dirty Pipe, registered as CVE-2022-0847, is a new high-severity privilege escalation vulnerability that became easily-exploitable in Linux kernel version 5.8. A local attacker could exploit this vulnerability to take control of an affected system. Dirty Pipe works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). It is similar to the Dirty Cow vulnerability (CVE-2016-5195), which has been actively exploited by malicious actors since its disclosure in 2016.<br/> <b>Analyst Comment:</b> The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the Dirty Pipe vulnerability recognizing its threat level. Update your Linux systems (update to Linux kernel versions 5.16.11, 5.15.25, and 5.10.102 or later), check if your Android systems are vulnerable.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a><br/> <b>Tags:</b> Dirty Pipe, CVE-2022-0847, Linux, Vulnerability, Android, Privilege escalation</p> </div> <div lass="trending-threat-article"> <h3><a href="" target="_blank">An Update on the Threat Landscape</a></h3> <p>(published: March 7, 2022)</p> <p>Google’s Threat Analysis Group (TAG) describes three active advanced persistent threat (APT) groups from Belarus, China, and Russia that were either targeting Ukraine or exploited the topic of the military conflict in Ukraine. Fancy Bear (APT28), a threat group attributed to Russia’s GRU (Main Intelligence Directorate) was targeting Ukrainian users with phishing links to newly-created Blogspot domains, which were redirecting targets to credential phishing pages. UNC1151 (Ghostwriter), associated with Belarus, targeted Polish and Ukrainian government and military organizations with credential phishing. Finally, a campaign targeting European countries with Ukraine-themed emails and malicious attachments was conducted by Chinese APT group Mustang Panda or Temp.Hex.<br/> <b>Analyst Comment:</b> Google blocks the discovered phishing pages through Google Safe Browsing, unfortunately the attackers register new domains. Users should be vigilant for phishing emails, and ignore or report suspicious unwarranted emails with links or attachments. Pay attention to the address of the website that asks for your credentials, unusual top level domain (TLD) such as .io, site, .space, .top, or .website should add to the concern about a potential phishing attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> Fancy Bear, APT28, GRU, Russia, UNC1151, Ghostwriter, Belarus, Ukraine-Russia Conflict 2022, Operation Bleeding Bear, Mustang Panda, Temp.Hex, China, Phishing, Credential phishing</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:</p> <p><a href="" target="_blank">APT28</a><br/> The Advanced Persistent Threat (APT) group “APT28” is believed to be a Russian-sponsored group that has been active since at least 2007. The group displays high levels of sophistication in the multiple campaigns that they have been attributed to, and various malware and tools used to conduct the operations align with the strategic interests of the Russian government. The group is believed to operate under the Main Intelligence Directorate (GRU), the foreign intelligence agency of the Russian armed forces.</p> <p><a href="" target="_blank">Carbanak</a><br/> The Carbanak group, which has been active since at least 2014, is primarily focused on attacking banks and companies in, and related to, the retail industry. Initially, the group focused only on attacking Russian banks, but in August 2015 they reportedly expanded their target scope to banks, hospitality, manufacturers of Point of Sale (PoS) systems, retailers, and restaurant industries worldwide. They are a sophisticated group that will compromise vendors employed by the primary target to use the vendor’s legitimate emails in spearphishing campaigns. In May 2021, Carbanak/DarkSide attack caused major US pipeline operator Colonial Pipeline to stop their operations.</p> <p><a href="" target="_blank">Mustang Panda</a><br/> Malicious activity conducted by the China-based cyberespionage group, Mustang Panda, was first identified by CrowdStrike in April 2017 and later published upon under the name of Mustang Panda in June 2018. The group is motivated by gaining access to information that appears to align with the strategic goals laid out by the government of the People’s Republic of China.</p> <p><a href="" target="_blank">UNC1151</a><br/> UNC1151 alias Ghostwriter, a suspected Minsk-based advanced persistent threat (APT) group working for the Ministry of Defence of the Republic of Belarus. UNC1151 has been involved in cyber espionage and online disinformation and influence campaigns throughout Europe known as "Ghostwriter". These activities involve anti-NATO disinformation campaigns, cyber espionage and politically damaging hack-and-leak operations.</p> <p><a href="" target="_blank">Wizard Spider</a><br/> Wizard Spider is a financially-motivated APT group operating out of Russia that has been active since 2016. Their primary activities involve the development and administration of Trickbot, Conti, Diavol, and Ryuk malware families. Wizard Spider targets large organizations for a high-ransom return. This is a technique known as big game hunting (or BGH). Their main tool, Trickbot, is a banking trojan that harvests financial credentials and Personal Identifiable Information (PII). While phishing is the main method of malware propagation, other methods such as exposed RDP services are seeing an increase in use. Known associated groups are: Grim Spider - A group that has been operating Ryuk ransomware since August 2018; reported to be a cell of Wizard Spider, and Lunar Spider - This threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID). Main activities involve data theft and wire fraud.</p> <p><a href="" target="_blank">CVE-2022-26143</a><br/> The TP-240 (aka tp240dvr) component in Mitel MiCollab before 9.4 SP1 FP1 and MiVoice Business Express through 8.1 allows remote attackers to obtain sensitive information and cause a denial of service (performance degradation and excessive outbound traffic). This was exploited in the wild in February and March 2022 for the TP240PhoneHome DDoS attack.</p> <p><a href="" target="_blank">CVE-2022-0847</a><br/> A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.