<div id="weekly">
<p id="intro">
<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Backdoors, China, Egypt, Ransomware, United Arab Emirates,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
<img src="https://cdn.filestackcontent.com/Jh0GeieSBu4vATMqzlpA"/><br/>
<b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b>
</p>
<div class="trending-threats-article" id="trending-threats">
<h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2>
<h3 id="article-1"><a href="https://citizenlab.ca/2023/09/predator-in-the-wires-ahmed-eltantawy-targeted-with-predator-spyware-after-announcing-presidential-ambitions/" target="_blank">Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions</a></h3>
<p>(published: September 23, 2023)</p>
<p>
From May to September 2023, a series of cyber attacks targeted Ahmed Eltantawy, a former Egyptian member of parliament who announced his intention to run for President in the 2024 Egyptian elections. Citizen Lab researchers have attributed the attacks to the Egyptian government. The malicious web content was delivered via SMS and WhatsApp, and through network injection when Eltantawy visited certain non-HTTPS websites. The latter was achieved with a Sandvine PacketLogic middlebox placed in Vodafone Egypt's network. Google researchers identified the exploitation of three iPhone zero-day vulnerabilities (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) designed to install the Predator spyware created by the mercenary spyware company Cytrox. Citizen Lab also identified an additional successful Predator infection delivered to Eltantawy in September 2021 via an SMS message impersonating WhatsApp with a typosquatted domain.<br/>
<b>Analyst Comment:</b> The spyware was designed to install on iOS versions through 16.6.1. Apple users should immediately update their devices; the patched versions are macOS Ventura 13.6, macOS Monterey 12.7, watchOS 9.6.3, watchOS 10.0.1, iOS 16.7 and iPadOS 16.7, and iOS 17.0.1 and iPadOS 17.0.1. Some indicators have been withheld due to the ongoing investigation; the remaining network indicators associated with this campaign are available in the Anomali platform, and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/17761" target="_blank">[MITRE ATT&CK] T1456 - Drive-By Compromise</a> | <a href="https://ui.threatstream.com/attackpattern/17774" target="_blank">[MITRE ATT&CK] T1474 - Supply Chain Compromise</a> | <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10157" target="_blank">[MITRE ATT&CK] T1588.005 - Obtain Capabilities: Exploits</a> | <a href="https://ui.threatstream.com/attackpattern/10158" target="_blank">[MITRE ATT&CK] T1588.001 - Obtain Capabilities: Malware</a> | <a href="https://ui.threatstream.com/attackpattern/9614" target="_blank">[MITRE ATT&CK] T1204.001 - User Execution: Malicious Link</a><br/>
<b>Tags:</b> malware:Predator, malware-type:Spyware, actor:Cytrox, actor-type:Mercenary, source-country:EG, exploit-type:Zero-day, vulnerability:CVE-2023-41991, vulnerability:CVE-2023-41992, vulnerability:CVE-2023-41993, threat-type:APT, abused:PacketLogic, abused:Vodafone Egypt, abused:WhatsApp, impersonated:WhatsApp, target-system:iOS
</p>
<h3 id="article-1"><a href="https://www.welivesecurity.com/en/eset-research/stealth-falcon-preying-middle-eastern-skies-deadglyph/" target="_blank">Stealth Falcon Preying over Middle Eastern Skies with Deadglyph</a></h3>
<p>(published: September 22, 2023)</p>
<p>
The UAE-sponsored Stealth Falcon (Project Raven) group has targeted political activists and journalists in the Middle East since at least 2012. ESET researchers have discovered new Stealth Falcon activity targeting a governmental entity in the Middle East and an unknown entity in Qatar. The two newly discovered, stealthy malware components were a shellcode downloader and a modular backdoor dubbed Deadglyph. The backdoor uses visually similar Cyrillic and Greek letters in a homoglyph attack that mimics "Microsoft Corporation" in its VERSIONINFO resource. It can pause or uninstall itself if a certain process is detected or if it is unable to establish C2 communication within a predefined period. Deadglyph's periodic communication interval is randomized, based on a percentage specified in its configuration. Deadglyph's components are stored within a binary registry value, encrypted with a machine-specific key, and are loaded by its shellcode registry loader.<br/>
<b>Analyst Comment:</b> Deadglyph appears to be a unique framework aimed at targets in Middle Eastern countries. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10043" target="_blank">[MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server</a> | <a href="https://ui.threatstream.com/attackpattern/23223" target="_blank">[MITRE ATT&CK] Resource Development - Develop Capabilities: Malware [T1587.001]</a> | <a href="https://ui.threatstream.com/attackpattern/10061" target="_blank">[MITRE ATT&CK] T1588.003 - Obtain Capabilities: Code Signing Certificates</a> | <a href="https://ui.threatstream.com/attackpattern/23579" target="_blank">[MITRE ATT&CK] Picus: T1047 Windows Management Instrumentation of the MITRE ATT&CK Framework</a> | <a href="https://ui.threatstream.com/attackpattern/23233" target="_blank">[MITRE ATT&CK] Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&CK] T1106: Native API</a> | <a href="https://ui.threatstream.com/attackpattern/22184" target="_blank">[MITRE ATT&CK] Execution - User Execution: Malicious File [T1204.002]</a> | <a href="https://ui.threatstream.com/attackpattern/10016" target="_blank">[MITRE ATT&CK] T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/27796" target="_blank">[MITRE ATT&CK] Defense Evasion - Indicator Removal: File Deletion [T1070.004]</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9602" target="_blank">[MITRE ATT&CK] T1134 - Access Token Manipulation</a> | <a 
href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32</a> | <a href="https://ui.threatstream.com/attackpattern/9993" target="_blank">[MITRE ATT&CK] T1480.001 - Execution Guardrails: Environmental Keying</a> | <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/12881" target="_blank">[MITRE ATT&CK] T1620 - Reflective Code Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9632" target="_blank">[MITRE ATT&CK] T1007 - System Service Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/27810" target="_blank">[MITRE ATT&CK] Discovery - System Network Configuration Discovery [T1016]</a> | <a href="https://ui.threatstream.com/attackpattern/23222" target="_blank">[MITRE ATT&CK] Discovery - System Owner/User Discovery [T1033]</a> | <a href="https://ui.threatstream.com/attackpattern/24155" target="_blank">[MITRE ATT&CK] Discovery - Process Discovery [T1057]</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9985" target="_blank">[MITRE ATT&CK] T1518 - Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/27789" target="_blank">[MITRE ATT&CK] Discovery - Software Discovery: Security Software Discovery [T1518.001]</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&CK] T1005: Data from Local System</a> | <a 
href="https://ui.threatstream.com/attackpattern/22189" target="_blank">[MITRE ATT&CK] Command and Control - Application Layer Protocol: Web Protocols [T1071.001]</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9717" target="_blank">[MITRE ATT&CK] T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/22191" target="_blank">[MITRE ATT&CK] Exfiltration - Exfiltration Over C2 Channel [T1041]</a><br/>
<b>Tags:</b> malware:Deadglyph, malware-type:Backdoor, malware-type:Shellcode downloader, malware-type:Registry shellcode loader, actor:Stealth Falcon, threat-type:Cyberespionage, target-region:Middle East, target-industry:Government, target-country:QA, source-country:AE, technique:Homoglyph attack, language:.NET, file-type:CPL, file-type:DLL, target-system:Windows
</p>
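<p>As an added example (not code from the ESET report or the Anomali platform), the following defender-side check flags the homoglyph trick described above: a VERSIONINFO CompanyName that mixes Cyrillic or Greek letters into an otherwise Latin string, or that folds to "Microsoft Corporation" only after look-alike letters are replaced. It assumes the CompanyName string has already been extracted from the PE resource; the confusable table is a constructed subset, not Unicode's full confusables list.</p>

```python
import unicodedata

# Scripts the report describes Deadglyph mixing into a Latin company name.
CONFUSABLE_SCRIPTS = ("CYRILLIC", "GREEK")


def script_of(ch: str) -> str:
    """Return a coarse script family for a character, derived from its Unicode name."""
    if not ch.isalpha():
        return "OTHER"
    name = unicodedata.name(ch, "")
    for script in CONFUSABLE_SCRIPTS:
        if name.startswith(script):
            return script
    if name.startswith("LATIN"):
        return "LATIN"
    return "OTHER"


def mixed_script_positions(text: str) -> list:
    """Indices of Cyrillic/Greek letters inside a string that also contains Latin letters.

    A fully non-Latin name (a real Cyrillic vendor, say) is not mixed-script and yields [].
    """
    scripts = [script_of(c) for c in text]
    if "LATIN" not in scripts:
        return []
    return [i for i, s in enumerate(scripts) if s in CONFUSABLE_SCRIPTS]


def skeleton(text: str) -> str:
    """Fold common Cyrillic/Greek look-alikes to their Latin counterparts.

    Constructed table covering only the letters needed for this check (assumption).
    """
    table = {
        "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
        "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
        "\u041c": "M", "\u0421": "C", "\u0422": "T", "\u041e": "O", "\u0420": "P",
        "\u03bf": "o", "\u03b1": "a", "\u039c": "M", "\u0391": "A", "\u03a4": "T",
    }
    return "".join(table.get(c, c) for c in text)


def check_company_name(name: str, expected: str = "Microsoft Corporation") -> dict:
    """Flag a CompanyName that is mixed-script or that impersonates `expected` via homoglyphs."""
    positions = mixed_script_positions(name)
    impersonates = skeleton(name) == expected and name != expected
    return {
        "mixed_script": bool(positions),
        "positions": positions,
        "impersonates_expected": impersonates,
        "suspicious": bool(positions) or impersonates,
    }


if __name__ == "__main__":
    # Constructed sample: Latin 'o' replaced by Cyrillic 'о' (U+043E) at two positions.
    print(check_company_name("Micr\u043esoft C\u043erporation"))
```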
<h3 id="article-1"><a href="https://unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia/" target="_blank">Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government</a></h3>
<p>(published: September 22, 2023)</p>
<p>
The article discusses a series of cyberattacks carried out by the advanced persistent threat (APT) group known as Gelsemium. The group, which has been operational since 2014, targeted a Southeast Asian government over a six-month period between 2022 and 2023. Although some of its malware was blocked by security solutions, the group persistently introduced alternative tools and adapted its attack as needed. The recent attacks were carried out using web shells (reGeorg, China Chopper, and AspxSpy) installed after exploiting vulnerabilities in internet-facing servers. The group used a variety of tools for privilege escalation (BadPotato, JuicyPotato, SpoolFool, and SweetPotato) and for follow-on activity on compromised networks (Cobalt Strike, EarthWorm, and others). The main backdoors used by the threat actor were the OwlProxy HTTP proxy and the SessionManager IIS backdoor.<br/>
<b>Analyst Comment:</b> Gelsemium is known for its technical capacity and programming knowledge, which has allowed it to remain undetected for many years. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/24897" target="_blank">[MITRE ATT&CK] Initial Access - Exploit Public-Facing Application [T1190]</a> | <a href="https://ui.threatstream.com/attackpattern/22198" target="_blank">[MITRE ATT&CK] Persistence - Server Software Component: Web Shell [T1505.003]</a> | <a href="https://ui.threatstream.com/attackpattern/12880" target="_blank">[MITRE ATT&CK] T1505.004 - Server Software Component: Iis Components</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/26827" target="_blank">[MITRE ATT&CK] Command and Control - Standard Application Layer Protocol [T1071]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a><br/>
<b>Tags:</b> actor:Gelsemium, malware:OwlProxy, malware-type:HTTP proxy, malware:SessionManager, malware-type:IIS backdoor, malware-type:Backdoor, malware:reGeorg, malware:China Chopper, malware:AspxSpy, malware-type:Webshell, malware:JuicyPotato, malware:BadPotato, malware:SweetPotato, malware:SpoolFool, malware-type:Privilege escalation, malware:Cobalt Strike, tool:EarthWorm, tool-type:SOCKS tunneler, campaign:CL-STA-0046, threat-type:APT, target-region:Southeast Asia, target-industry:Government, file-type:DLL, file-type:EXE, target-system:Windows
</p>
<h3 id="article-1"><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a" target="_blank">#StopRansomware: Snatch Ransomware</a></h3>
<p>(published: September 20, 2023)</p>
<p>
The Snatch (formerly referred to as Team Truniger) ransomware-as-a-service group has been active since at least 2018. The Snatch ransomware (crypter) is known for rebooting devices into Safe Mode prior to encryption; encrypted file and folder names are appended with a series of hexadecimal characters unique to each infection. The US Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have released a joint advisory covering Snatch's evolving activities from mid-2021 to June 2023. Snatch intrusions typically start with targeting and brute forcing of Remote Desktop Protocol (RDP); less frequently, the group procured valid credentials from other threat actors. C2 traffic relies on RDP connections from Russian bulletproof hosting and through virtual private network (VPN) services. Additional tools include the legitimate sc.exe command-line utility and commodity tools such as Metasploit and Cobalt Strike. Snatch uses its data-leak sites to post data exfiltrated from its own targets, as well as to re-expose data from targets of other ransomware groups such as Nokoyawa and Conti.<br/>
<b>Analyst Comment:</b> Network defenders should secure and closely monitor RDP, close unused RDP ports, and enable multifactor authentication for sensitive accounts. Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allow recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data. Indicators associated with Snatch ransomware are available in the Anomali platform, and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10173" target="_blank">[MITRE ATT&CK] T1590 - Gather Victim Network Information</a> | <a href="https://ui.threatstream.com/attackpattern/10043" target="_blank">[MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server</a> | <a href="https://ui.threatstream.com/attackpattern/23217" target="_blank">[MITRE ATT&CK] Privilege Escalation - Valid Accounts [T1078]</a> | <a href="https://ui.threatstream.com/attackpattern/27743" target="_blank">[MITRE ATT&CK] Initial Access - External Remote Services [T1133]</a> | <a href="https://ui.threatstream.com/attackpattern/23233" target="_blank">[MITRE ATT&CK] Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]</a> | <a href="https://ui.threatstream.com/attackpattern/3718" target="_blank">[MITRE ATT&CK] T1569.002: Service Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9871" target="_blank">[MITRE ATT&CK] T1078.002 - Valid Accounts: Domain Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/26197" target="_blank">[MITRE ATT&CK] Defense Evasion - Masquerading [T1036]</a> | <a href="https://ui.threatstream.com/attackpattern/27796" target="_blank">[MITRE ATT&CK] Defense Evasion - Indicator Removal: File Deletion [T1070.004]</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/12868" target="_blank">[MITRE ATT&CK] T1562.009 - Impair Defenses: Safe Mode Boot</a> | <a href="https://ui.threatstream.com/attackpattern/10091" target="_blank">[MITRE ATT&CK] T1110.001 - Brute Force: Password Guessing</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&CK] T1012: Query Registry</a> | <a 
href="https://ui.threatstream.com/attackpattern/24155" target="_blank">[MITRE ATT&CK] Discovery - Process Discovery [T1057]</a> | <a href="https://ui.threatstream.com/attackpattern/23212" target="_blank">[MITRE ATT&CK] Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/22189" target="_blank">[MITRE ATT&CK] Command and Control - Application Layer Protocol: Web Protocols [T1071.001]</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&CK] T1490: Inhibit System Recovery</a><br/>
<b>Tags:</b> malware:Snatch, malware-type:Ransomware, actor:Snatch, actor:Team Truniger, malware:Metasploit, malware:Cobalt Strike, abused:sc.exe, abused:Tox, technique:Double-extortion, threat-type:Ransomware, actor:Nokoyawa, actor:Conti, file-type:BAT, file-type:EXE, target-system:Windows
</p>
<h3 id="article-1"><a href="https://blog.talosintelligence.com/introducing-shrouded-snooper/" target="_blank">New ShroudedSnooper Actor Targets Telecommunications Firms in the Middle East with Novel Implants</a></h3>
<p>(published: September 19, 2023)</p>
<p>
A new threat actor group dubbed ShroudedSnooper targeted telecommunication service providers in the Middle East in April-May 2023, and possibly earlier. This activity was associated with two novel backdoors, HTTPSnoop and PipeSnoop. HTTPSnoop appears to target exposed web servers: it interfaces with Windows HTTP kernel drivers and devices to listen for incoming requests to specific HTTP(S) URLs. PipeSnoop can operate deeper within a compromised enterprise, as it receives communication by connecting to a pre-existing named pipe. ShroudedSnooper communicates with its backdoors by sending encoded shellcode payloads. The actor makes extensive use of masquerading, naming its backdoor files as components of Palo Alto Networks' Cortex XDR security products. HTTPSnoop's communication URLs also abuse benign-looking themes referencing Exchange Web Services, Location Based Services, or some of the targeted organization's systems.<br/>
<b>Analyst Comment:</b> Earlier in September 2023, Anomali Cyber Watch covered a similar use of the named-pipe inter-process communication mechanism, in that case targeting booking engine software for the hospitality industry. ShroudedSnooper's choice to target telecom providers matches the general trend of threat actors abusing supply-chain relationships. All known host-based indicators associated with ShroudedSnooper are available in the Anomali platform for retrospective analysis.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9629" target="_blank">[MITRE ATT&CK] T1090.001 - Proxy: Internal Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/26197" target="_blank">[MITRE ATT&CK] Defense Evasion - Masquerading [T1036]</a> | <a href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22189" target="_blank">[MITRE ATT&CK] Command and Control - Application Layer Protocol: Web Protocols [T1071.001]</a><br/>
<b>Tags:</b> actor:ShroudedSnooper, malware:HTTPSnoop, malware-type:Backdoor, malware:PipeSnoop, target-industry:Telecom, target-region:Middle East, technique:Named pipes, open-port:80, open-port:443, impersonated:Exchange Web Services, impersonated:Cortex XDR, file-type:EXE, file-type:DLL, target-system:Windows
</p>
</div>
</p></div>