July 18, 2022
Anomali Threat Research

Anomali Cyber Watch: H0lyGh0st Ransomware Earns for North Korea, OT Unlocking Tools Drop Sality, Switch-Case-Oriented Programming for ChromeLoader, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, DDoS, North Korea, Obfuscation, Phishing, Ransomware, Russia, Trojans,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-071922.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/digium-phones-web-shell/" target="_blank">Digium Phones Under Attack: Insight Into the Web Shell Implant</a></h3> <p>(published: July 15, 2022)</p> <p>Palo Alto Unit42 researchers have uncovered a large-scale campaign targeting Elastix VoIP telephony servers used in Digium phones. The attackers were exploiting CVE-2021-45461, a remote code execution (RCE) vulnerability in the Rest Phone Apps (restapps) module. The attackers used a two-stage malware: initial dropper shell script was installing the PHP web shell backdoor. The malware achieves polymorphism through binary padding by implanting a random junk string into each malware download. This polymorphism allowed Unit42 to detect more than 500,000 unique malware samples from late December 2021 till the end of March 2022. The attackers use multilayer obfuscation, schedules tasks, and new user creation for persistence.<br /> <b>Analyst Comment:</b> Potentially affected FreePBX users should update their restapps (the fixed versions are 15.0.20 and 16.0.19, or newer). New polymorphic threats require a defense-in-depth strategy including malware sandbox detection and orchestrating multiple security appliances and applications.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947273" target="_blank">[MITRE ATT&CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a><br /> <b>Tags:</b> CVE-2021-45461, Digium Asterisk, PHP Web Shell, Binary padding, Rest Phone Apps, restapps, FreePBX, Elastix</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/" target="_blank">North Korean Threat Actor Targets Small and Midsize Businesses with H0lyGh0st Ransomware</a></h3> <p>(published: July 14, 2022)</p> <p>Microsoft researchers have linked an emerging ransomware group, H0lyGh0st Ransomware (DEV-0530) to financially-motivated North Korean state-sponsored actors. In June-October 2021, H0lyGh0st used SiennaPurple ransomware family payloads written in C++, then switched to variants of the SiennaBlue ransomware family written in Go. Microsoft detected several successfully compromised small-to-mid-sized businesses, including banks, event and meeting planning companies, manufacturing organizations, and schools.<br /> <b>Analyst Comment:</b> Small-to-mid-sized businesses should consider enforcing multi-factor authentication (MFA) on all accounts, cloud hardening, and regular deployment of updates with Active Directory being the top priority.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a><br /> <b>Tags:</b> H0lyGh0st, HolyLocker, SiennaPurple, SiennaBlue, North Korea, source-country:KP, DEV-0530, Plutonium, Andariel, DarkSeoul, Manufacturing, Financial, Education, Ransomware, Double extortion, CVE-2022-26352, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/" target="_blank">The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators</a></h3> <p>(published: July 14, 2022)</p> <p>Dragos researchers discovered a campaign infecting industrial control systems (ICS) through password "cracking" software for programmable logic controllers (PLCs) and HMI (human-machine interface) terminals. Infection spreads through infrastructure advertising the password recovery tools to unlock PLC and HMI from a number of companies: ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, Vigor, and Weintek. The tool for AutomationDirect did try to extract the needed password by exploiting the now-fixed CVE-2022-2003 vulnerability. At the same time these tools drop a variant of the Sality malware that is looking to replace cryptocurrency addresses in the clipboard and causing the Central Processing Unit (CPU) utilization levels to spike to 100%.<br /> <b>Analyst Comment:</b> Network defenders should monitor for unexpected CPU usage spikes. Avoid installing password “cracking” software from unknown actors on any systems with access to sensitive operations.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3905778" target="_blank">[MITRE ATT&CK] Impair Defenses - T1562</a> | <a href="https://ui.threatstream.com/ttp/3905088" target="_blank">[MITRE ATT&CK] Data Manipulation - T1565</a><br /> <b>Tags:</b> Sality, CVE-2022-2003, Automation Direct, Fuji Electric, LG, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, Vigor, Weintek, PLC, ICS, HMI, Operational Technology, Clipboard hijacking, Password cracking, Cryptocurrency mining</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/" target="_blank">Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability</a></h3> <p>(published: July 13, 2022)</p> <p>Wordfence researchers discovered a spike in activity targeting Kaswara Modern WPBakery Page Builder Addons. All versions of the plugin are vulnerable to CVE-2021-24284 and they are no longer supported. Since July 4, 2022, Wordfence detects on average 443,868 attack attempts per day. Several thousand websites worldwide still have this vulnerable plugin installed. The attackers try to upload a zip file containing a PHP uploader and then proceed to upload more files to the compromised website. One of the campaign objectives is to use NDSW trojan to redirect site visitors to malicious websites.<br /> <b>Analyst Comment:</b> Website maintainers should remove unsupported and vulnerable plugins such as Kaswara Modern WPBakery Page Builder. Incident response for compromised websites should include removing malicious files uploaded by the attackers, removing unauthorized admin accounts, and reverting other changes made by the attackers.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a><br /> <b>Tags:</b> Kaswara Modern WPBakery Page Builder, CVE-2021-24284, Vulnerability, Web scanning, NDSW trojan, JavaScript</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/chromeloader-malware/" target="_blank">ChromeLoader: New Stubborn Malware Campaign</a></h3> <p>(published: July 12, 2022)</p> <p>Unit42 researchers describe evolution and versions of the ChromeLoader (Choziosi Loader, ChromeBack) malware. ChromeLoader multi-stage infection ends with a browser extension that acts as an adware and an infostealer, leaking all of the user’s search engine queries. The earliest ChromeLoader variant targeting Windows with AutoHotKey (AHK) executables was active in the wild in December 2021. By March 2022, two more major Windows-targeting and one MacOs-targeting ChromeLoader variants were used, starting infection with disk image files (ISO for Windows and DMG for MacOs). The ChromeLoader payload uses various obfuscation techniques and switch-case-oriented programming. It also addresses a vital function using a randomized sort algorithm permutations and not directly referencing it in the script, thus forcing deobfuscation tools to drop it as an unreferenced function.<br /> <b>Analyst Comment:</b> Check application reviews, developer information, and scan a downloaded file before making use of it. Defenders can monitor for PowerShell spawning chrome.exe containing load-extension and AppData\Local as a parameter.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/ttp/947129" target="_blank">[MITRE ATT&CK] Browser Extensions - T1176</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a><br /> <b>Tags:</b> ChromeLoader, Windows, MacOS, Choziosi Loader, ChromeBack, Malicious browser extension, AutoHotKey, ISO, PowerShell, DMG, QR code, Adware, Browser hijacker, Malvertising, Infostealer, Switch-case-oriented programming</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.infosecurity-magazine.com/news/lithuanian-energy-ddos-attack/" target="_blank">Lithuanian Energy Firm Disrupted by DDOS Attack</a></h3> <p>(published: July 12, 2022)</p> <p>Russia-based hacktivist group KillNet claimed responsibility for the distributed denial of service (DDoS) attack on Lithuanian energy company Ignitis Group. The company confirmed dealing with its “biggest cyber-attack in a decade”. KillNet targeted Lithuania when it began enforcing EU sanctions on goods traveling to Kaliningrad, a Russian exclave.<br /> <b>Analyst Comment:</b> Make sure that your mitigation techniques address the KillNet DDoS arsenal including CLAP, DNS Amplification, ICMP Flood, IP Fragmentation, NTP Flood, TCP RST Flood, TCP SYN Flood, and TCP SYN / ACK. Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&CK] Network Denial of Service - T1498</a><br /> <b>Tags:</b> KillNet, EU, NATO, Lithuania, target-country:LT, Russia, source-country:RU, Energy, DDoS, Hacktivism</p> </div> <div class="trending-threat-article"> <h3><a href="https://resecurity.com/blog/article/blackcat-aka-alphv-ransomware-is-increasing-stakes-up-to-25m-in-demands" target="_blank">BlackCat (Aka ALPHV) Ransomware Is Increasing Stakes Up To $2,5M In Demands</a></h3> <p>(published: July 10, 2022)</p> <p>BlackCat (ALPHV), is a well known Ransomware syndicate operating since 2021 with multiple disruptions to major organizations and companies which includes OilTanking GmbH, Swissport, and two US universities: Florida International University and the University of North Carolina. Built on Rust, a general purpose programming language, BlackCat was put on flash alert by the FBI as one of the emerging ransomware threats. Experts at Resecurity unveiled TTP’s where the approach includes using “SYSVOL” active directory component to store BlackCat Cryptor and also uses Windows Task Scheduler to deploy and configure ransomware to a defined group of users. Whilst infecting the target victim, actors perform mechanisms to ensure roll-back to normal operations is prevented. Average ransom demands ranged from $570,000 in early 2021 and the figure exceeding 2.5 Million US Dollars (£1,681,220 +) in 2022. BlackCat publishes new victims every 4 days on their dark web platform, using a practice called “quadruple extortion”. This includes Encryption, Data Theft, DDoS, and Harassment. Based on the attacks, BlackCat is known to include a randomized extension of 6 characters for their encryption and also includes a notably new feature of searching files and data of the potential victim’s employees and customers.<br /> <b>Analyst Comment:</b> Proper user account policies and having a strategy for recovery plan reduce the exposure of such attacks and the damages adhering to the organizations. Password management, user accounts security and administrative account management are basic but important points to further reduce exposure to such malicious actors. Usage of VPN, network segmentation, disabling remote access and regular backups are some of the other risk mitigation techniques.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/ttp/2402534" target="_blank">[MITRE ATT&CK] Inhibit System Recovery - T1490</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947121" target="_blank">[MITRE ATT&CK] Network Sniffing - T1040</a> | <a href="https://ui.threatstream.com/ttp/947222" target="_blank">[MITRE ATT&CK] Account Manipulation - T1098</a> | <a href="https://ui.threatstream.com/ttp/3297570" target="_blank">[MITRE ATT&CK] File and Directory Permissions Modification - T1222</a> | <a href="https://ui.threatstream.com/ttp/2784844" target="_blank">[MITRE ATT&CK] Transfer Data to Cloud Account - T1537</a> | <a href="https://ui.threatstream.com/ttp/947193" target="_blank">[MITRE ATT&CK] Automated Exfiltration - T1020</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947216" target="_blank">[MITRE ATT&CK] Exploitation for Credential Access - T1212</a><br /> <b>Tags:</b> BlackCat, AlphaV, ALPHV, Ransomware, Public universities, Encryption, Ransom, DoS, TOR, Dubai, target-region:Dubai, United Arab Emirates, target-country:AE, Japan, target-country:JP, USA, target-country:US, LockBit, ChaCha20, AES</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week&#39;s Anomali Cyber Watch can be found below:</p> <p><a href="https://ui.threatstream.com/actor/232781" target="_blank">KillNet</a><br /> Killnet, a Russia-affiliated hacktivist group specialized in distributed denial of service (DDoS) attacks, originally created on the basis of a Russian-speaking DDoS-for-hire group with the same name. On February 26, 2022, KillNet formed an Anonymous-like collective to wage war on Anonymous (a loosely affiliated group of volunteer hacktivists), Ukraine, and countries that support Ukraine in a way hostile to Russia. The group united with other threat groups (XakNet Team), DDoS actors and services such as Stresser[.]tech, and its most popular media on Telegram messenger had over 80,000 users/subscribers. Anomali observed over 30,000 US Dollars in Bitcoin moved to KillNet during February-July, 2022, both for its DDoS-for-hire and politically-motivated DDoS activities.</p> <p><a href="https://ui.threatstream.com/vulnerability/2475450" target="_blank">CVE-2022-26352</a><br /> An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.</p> <p><a href="https://ui.threatstream.com/vulnerability/1785528" target="_blank">CVE-2021-45461</a><br /> FreePBX, when restapps (aka Rest Phone Apps),,, or is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.</p> <p><a href="https://ui.threatstream.com/vulnerability/1356279" target="_blank">CVE-2021-24284</a><br /> The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the &#39;uploadFontIcon&#39; AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.