Anomali Cyber Watch: Judgment Panda Steals from Air-Gapped Systems, Novel SUBMARINE Backdoor on Barracuda ESG, Nitrogen Framework Utilizes DLL Proxying, and More
<div id="weekly">
<p id="intro">
<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Backdoors, China, North Korea, Phishing, Reverse shells,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
<img src="https://cdn.filestackcontent.com/HhdjAKPOTKX7FLVyywnC"/><br/>
<b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b>
</p>
<div class="trending-threats-article" id="trending-threats">
<h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2>
<h3 id="article-1"><a href="https://ics-cert.kaspersky.com/publications/reports/2023/07/31/common-ttps-of-attacks-against-industrial-organizations-implants-for-gathering-data/" target="_blank">Common TTPs of Attacks against Industrial Organizations. Implants for Gathering Data</a></h3>
<p>(published: July 31, 2023)</p>
<p>
In April-May 2022, Judgment Panda (APT31, Zirconium) conducted a series of attacks against industrial organizations in Eastern Europe to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. Kaspersky researchers detected over 15 implants and their variants, used in various combinations. First-stage implants for persistent remote access and initial data gathering included FourteenHi variants and the MeatBall backdoor. Second-stage implants were used to collect information about removable drives, shadow copy their contents and infect them with a worm, which was then used to exfiltrate data from air-gapped networks. Third-stage implants and tools were used for exfiltration, often abusing cloud services such as Dropbox and Yandex.<br/>
<b>Analyst Comment:</b> Network defenders should consider using Device Control technologies to ensure secure use of all removable devices. Indicators associated with this cyberespionage campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&CK] T1106: Native API</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9860" target="_blank">[MITRE ATT&CK] T1543.003 - Create or Modify System Process: Windows Service</a> | <a href="https://ui.threatstream.com/attackpattern/9915" target="_blank">[MITRE ATT&CK] T1055.002 - Process Injection: Portable Executable Injection</a> | <a href="https://ui.threatstream.com/attackpattern/10089" target="_blank">[MITRE ATT&CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/10000" target="_blank">[MITRE ATT&CK] T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/23209" target="_blank">[MITRE ATT&CK] Discovery - File and Directory Discovery [T1083]</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&CK] T1016 - System Network Configuration Discovery</a> | <a 
href="https://ui.threatstream.com/attackpattern/9631" target="_blank">[MITRE ATT&CK] T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9739" target="_blank">[MITRE ATT&CK] T1052.001 - Exfiltration Over Physical Medium: Exfiltration Over Usb</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a><br/>
<b>Tags:</b> actor:APT31, actor:Judgment Panda, mitre-group:Zirconium, malware:FourteenHi, malware:MeatBall, detection:Backdoor.Win32.MeatBall, malware-type:Backdoor, target-industry:Manufacturing, target-region:Eastern Europe, abused:Dropbox, abused:Yandex cloud, file-type:DLL, file-type:EXE, file-type:INI, file-type:TMP, technique:DLL hijacking, target-system:Windows
</p>
<h3 id="article-2"><a href="https://www.trendmicro.com/en_us/research/23/g/cherryblos-and-faketrade-android-malware-involved-in-scam-campai.html" target="_blank">Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns</a></h3>
<p>(published: July 28, 2023)</p>
<p>
Trend Micro researchers have discovered two Android malware families, CherryBlos and FakeTrade, involved in financially-motivated scam campaigns targeting Android users. The two families share infrastructure, possibly belonging (medium confidence) to a Chinese-speaking actor. Since 2021, FakeTrade has been targeting users with fraudulent money-earning apps. The CherryBlos activity in 2023 has roots going back to November 2021. It relies on phishing that impersonates various apps, such as those related to cryptocurrency mining. Once the CherryBlos trojan is installed, it uses a variety of techniques for persistence and evasion: adding a 1x1 pixel view, automatically approving permission requests by auto-clicking the “allow” button, ignoring battery optimization, posting a notification for a foreground service, and sending users back to the home screen when they enter the app settings. CherryBlos steals users' cryptocurrency credentials by overlaying legitimate cryptocurrency wallet and exchange applications. It also uses optical character recognition (OCR) to recognize potential mnemonic phrases in pictures on the device.<br/>
<b>Analyst Comment:</b> Users should only download apps from trusted sources and reputable developers, and be cautious when granting permissions to apps. Be cautious of get-rich-quick schemes. All known indicators associated with this CherryBlos banking trojan campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/18659" target="_blank">[MITRE ATT&CK] T1406.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/12252" target="_blank">[MITRE ATT&CK] T1424 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/18619" target="_blank">[MITRE ATT&CK] T1417.002 - Input Capture: Gui Input Capture</a> | <a href="https://ui.threatstream.com/attackpattern/18640" target="_blank">[MITRE ATT&CK] T1646 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/17835" target="_blank">[MITRE ATT&CK] T1516 - Input Injection</a> | <a href="https://ui.threatstream.com/attackpattern/18625" target="_blank">[MITRE ATT&CK] T1437.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/18629" target="_blank">[MITRE ATT&CK] T1641 - Data Manipulation</a><br/>
<b>Tags:</b> malware:CherryBlos, detection:AndroidOS_CherryBlos, malware:FakeTrade, malware-type:Banking trojan, detection:AndroidOS_FakeTrade, malware:Jiagubao, malware-type:Packer, target-industry:Financial, target-industry:Cryptocurrency, target-country:Malaysia, target-country:Vietnam, target-country:Indonesia, target-country:Philippines, target-country:Uganda, target-country:Mexico, target-system:Android
</p>
<h3 id="article-3"><a href="https://www.cisa.gov/news-events/alerts/2023/07/28/cisa-releases-malware-analysis-reports-barracuda-backdoors" target="_blank">CISA Releases Malware Analysis Reports on Barracuda Backdoors</a></h3>
<p>(published: July 28, 2023)</p>
<p>
CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) appliances that was exploited as a zero day as early as October 2022. The US Cybersecurity and Infrastructure Security Agency (CISA) has released three malware analysis reports detailing malware variants associated with the exploitation of CVE-2023-2868: the initial Barracuda exploit payload, the SEASPY backdoor, and the novel SUBMARINE (DepthCharge) backdoor. The actors delivered the exploit payload via phishing emails with malicious TAR attachments. Upon decoding, it triggers a command injection, drops and executes a reverse shell, and establishes backdoor communications via OpenSSL. The SUBMARINE backdoor lives in a Structured Query Language (SQL) database on the Barracuda ESG appliance. Several parts of this backdoor (a SQL trigger, shell scripts, and a library loaded by a Linux daemon) are established in a multi-step process, and together they enable execution with root privileges, persistence, command and control, and cleanup. The malware was deployed by a suspected pro-China group, UNC4841, in a series of data-theft attacks. <br/>
<b>Analyst Comment:</b> Barracuda has offered replacement devices to all affected customers (versions 5.1.3.001-9.2.0.006) at no charge and has advised customers to discontinue use of the compromised ESG appliance. YARA rules and indicators associated with this Barracuda ESG exploitation campaign are available in the Anomali platform for detection and historical reference.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a><br/>
<b>Signatures. YARA rules:</b> <a href="https://ui.threatstream.com/signature/109809" target="_blank">CISA_10454006_08 : trojan backdoor remote_access_trojan accesses_remote_machines communicates_with_c2</a> | <a href="https://ui.threatstream.com/signature/109810" target="_blank">CISA_10452108_03 : backdoor communicates_with_c2</a> | <a href="https://ui.threatstream.com/signature/109811" target="_blank">SUBMARINE trojan backdoor - YARA rules - CISA_10454006</a> | <a href="https://ui.threatstream.com/signature/109813" target="_blank">rule CISA_10452108_01 : SEASPY backdoor communicates_with_c2 installs_other_components</a>
<br/>
<b>Tags:</b> malware:SUBMARINE, malware:DepthCharge, malware:SEASPY, malware-type:Backdoor, malware-type:Exploit, malware-type:Reverse shell, actor:UNC4841, vulnerability:CVE-2023-2868, target-system:Barracuda ESG, source-country:China, vulnerability-type:Remote command injection, exploit-type:Zero-day, technique:Reverse shell, technique:Named pipe, technique:SQL trigger, file-type:TAR, target-system:Linux
</p>
<h3 id="article-4"><a href="https://www.securonix.com/blog/detecting-ongoing-starkmule-attack-campaign-targeting-victims-using-us-military-document-lures/" target="_blank">Detecting Ongoing STARK#MULE Attack Campaign Targeting Victims Using US Military Document Lures</a></h3>
<p>(published: July 28, 2023)</p>
<p>
A new ongoing attack campaign, dubbed STARK#MULE, uses US military-related documents to lure victims and run malware from compromised Korean websites. The campaign appears to target Korean-speaking victims and may originate from North Korea. Securonix researchers were able to reconstruct the first stages of the attack chain: the malware is delivered through phishing emails with a ZIP file attachment, followed by additional downloader and stager actions involving DB and LNK files, PowerShell execution, and persistence through scheduled tasks. The attack infrastructure is centered around compromised Korean e-commerce websites, allowing the threat actors to blend in with normal traffic and evade detection. The final persistent payload is a heavily-obfuscated Microsoft Visual C/C++ binary that opens communication over HTTP to exfiltrate the target’s system details.<br/>
<b>Analyst Comment:</b> Many advanced attacks start with basic techniques such as an unsolicited email with a malicious attachment that requires the user to open and activate it. It is important to teach your users basic online hygiene and phishing awareness. Indicators associated with the STARK#MULE campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9883" target="_blank">[MITRE ATT&CK] T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9717" target="_blank">[MITRE ATT&CK] T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9720" target="_blank">[MITRE ATT&CK] T1571 - Non-Standard Port</a> | <a href="https://ui.threatstream.com/attackpattern/10052" target="_blank">[MITRE ATT&CK] T1584.004 - Compromise Infrastructure: Server</a> | <a href="https://ui.threatstream.com/attackpattern/9746" target="_blank">[MITRE ATT&CK] T1567 - Exfiltration Over Web Service</a><br/>
<b>Tags:</b> campaign:STARK#MULE, source-country:North Korea, impersonated:US Military, target-country:South Korea, file-type:DB, file-type:EXE, file-type:LNK, file-type:PDF, file-type:PDF.LNK, file-type:PDF.ZIP, file-type:ZIP, technique:PowerShell, target-system:Windows
</p>
<h3 id="article-5"><a href="https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/" target="_blank">Into the Tank with Nitrogen</a></h3>
<p>(published: July 26, 2023)</p>
<p>
In mid-June 2023, Sophos researchers identified an initial-access malware campaign, dubbed Nitrogen. The Nitrogen campaign has targeted several organizations in the technology and non-profit sectors in North America through malvertising that impersonates popular software such as AnyDesk (a remote desktop application), Cisco AnyConnect VPN, TreeSize Free, and WinSCP (an SFTP/FTP client for Windows). The campaign has been abusing Google and Bing ads, and the trojanized installers were downloaded from compromised WordPress websites. Target users were tricked into downloading trojanized ISO installers that sideload the malicious NitrogenInstaller DLL, which uses DLL proxying (forwarding its exported functions to the legitimate DLL) so that the host application keeps working. Next, a malicious Python package uses DLL preloading to execute the malicious NitrogenStager file, which connects to the threat actor’s command-and-control (C2) servers to drop a modified Meterpreter shell and Cobalt Strike Beacons. NitrogenStager is able to use four different protocols (TCP, TCP over SSL, HTTP, HTTPS) for its C2 communication. <br/>
<b>Analyst Comment:</b> While the infection was stopped before the actors achieved their final objectives, a similar infection chain was previously observed leading to a BlackCat (ALPHV) ransomware infection. Consider using ad-blocking for “non-intrusive advertising,” restricting the capability to mount virtual file systems via Group Policy Objects, monitoring for downloads of abnormal file extensions (IMG, ISO, and VHD), and disabling auto-mounting of these disk image files. Avoid storing credentials within the Registry, or limit permissions for the associated accounts. Indicators associated with the Nitrogen campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10051" target="_blank">[MITRE ATT&CK] T1584.001 - Compromise Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10107" target="_blank">[MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware</a> | <a href="https://ui.threatstream.com/attackpattern/10159" target="_blank">[MITRE ATT&CK] T1588.002 - Obtain Capabilities: Tool</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9619" target="_blank">[MITRE ATT&CK] T1069.002 - Permission Groups Discovery: Domain Groups</a> | <a href="https://ui.threatstream.com/attackpattern/9595" target="_blank">[MITRE ATT&CK] T1552.002 - Unsecured Credentials: Credentials In Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/10020" target="_blank">[MITRE ATT&CK] T1553.005 - Subvert Trust Controls: Mark-Of-The-Web Bypass</a><br/>
<b>Tags:</b> campaign:Nitrogen, malware:Cobalt Strike, malware:Meterpreter, malware:NitrogenStager, malware:NitronetNativeStager, malware:NitroInstaller, malware:COFFLoader, abused:Google Ads, abused:Bing ads, file-type:DLL, file-type:EXE, file-type:ISO, file-type:PY, file-type:ZIP, impersonated:AnyDesk, impersonated:WinSCP, impersonated:Cisco AnyConnect VPN, impersonated:TreeSize Free, technique:DLL preloading, technique:DLL proxying, technique:DLL side-loading, target-region:North America, target-industry:IT, target-industry:Non-profit, target-system:Windows
</p>
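<p>The DLL proxying described in the Nitrogen write-up (a malicious DLL that takes the legitimate library's name and forwards its exported functions to a renamed copy of the original) leaves a trace in the PE export table: a forwarded export is one whose address falls inside the export directory range and points at a string of the form <code>DLL.Function</code>. The Python script below is an added illustration, not code from Sophos or Anomali. It parses the export directory of a PE image, lists forwarded exports, and flags a DLL that forwards nearly all of its exports or forwards to a look-alike of its own name. The two sample images, their names (<code>vendorlib.dll</code>, <code>vendorlib_orig</code>, <code>helper.dll</code>, <code>corelib</code>) and the 90% threshold are constructed assumptions; <code>build_test_dll()</code> exists only to fabricate test inputs, and <code>assess_dll_proxying()</code> can be run over the bytes of a real DLL instead.</p>

```python
"""Spot the export-forwarding pattern that DLL proxying relies on.
Added illustration (not Sophos/Anomali code); sample PE images are
constructed in memory by build_test_dll()."""
import struct

EXPORT_DIR_FMT = "<IIHHIIIIIII"  # IMAGE_EXPORT_DIRECTORY, 40 bytes


def build_test_dll(dll_name, exports):
    """Construct a minimal PE32+ image with one .rdata section holding an
    export directory. exports: list of (name, forwarder-string-or-None)."""
    sec_rva, n = 0x1000, len(exports)
    off_funcs, off_names = 40, 40 + 4 * n
    off_ords, off_str = 40 + 8 * n, 40 + 10 * n
    strings = bytearray()

    def add_str(s):  # append a C string, return the RVA it will have
        rva = sec_rva + off_str + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    name_rva = add_str(dll_name)
    func_rvas, name_rvas = [], []
    for i, (name, fwd) in enumerate(exports):
        name_rvas.append(add_str(name))
        # A real export points at code; a forwarder "points" at a string
        # that lives inside the export directory's own data range.
        func_rvas.append(add_str(fwd) if fwd else 0x2000 + 0x10 * i)
    section = bytearray(struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, name_rva, 1,
                                    n, n, sec_rva + off_funcs,
                                    sec_rva + off_names, sec_rva + off_ords))
    section += struct.pack("<%dI" % n, *func_rvas)
    section += struct.pack("<%dI" % n, *name_rvas)
    section += struct.pack("<%dH" % n, *range(n))
    section += strings

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, len(section))   # export dir
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_rva,
                          len(section), 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + coff + opt + sec_hdr
    return bytes(headers.ljust(0x400, b"\0")) + bytes(section)


def _rva_to_offset(sections, rva):
    for va, size, raw_ptr in sections:
        if va <= rva < va + size:
            return raw_ptr + (rva - va)
    raise ValueError("RVA 0x%x maps to no section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(data):
    """Return (dll_name, {export_name: forwarder_string_or_None})."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Export table is data directory 0; its offset differs for PE32/PE32+.
    exp_rva, exp_size = struct.unpack_from(
        "<II", data, opt + (112 if magic == 0x20B else 96))
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    if exp_rva == 0:
        return "", {}
    d = struct.unpack_from(EXPORT_DIR_FMT, data, _rva_to_offset(sections, exp_rva))
    name_rva, n_names, funcs, names, ords = d[4], d[7], d[8], d[9], d[10]
    exports = {}
    for i in range(n_names):
        nm_rva = struct.unpack_from("<I", data, _rva_to_offset(sections, names + 4 * i))[0]
        ordinal = struct.unpack_from("<H", data, _rva_to_offset(sections, ords + 2 * i))[0]
        func_rva = struct.unpack_from("<I", data, _rva_to_offset(sections, funcs + 4 * ordinal))[0]
        fwd = None  # forwarder iff the address lies inside the export directory
        if exp_rva <= func_rva < exp_rva + exp_size:
            fwd = _cstr(data, _rva_to_offset(sections, func_rva))
        exports[_cstr(data, _rva_to_offset(sections, nm_rva))] = fwd
    return _cstr(data, _rva_to_offset(sections, name_rva)), exports


def assess_dll_proxying(data):
    """Heuristic: (nearly) all exports forwarded, or forwarded to a library
    whose name is a variation of this DLL's own name (foo.dll -> foo_orig)."""
    dll_name, exports = parse_exports(data)
    forwarders = {k: v for k, v in exports.items() if v}
    own_base = dll_name.lower().rsplit(".", 1)[0]
    targets = sorted({v.rsplit(".", 1)[0].lower() for v in forwarders.values()})
    reasons = []
    if exports and len(forwarders) / len(exports) >= 0.9:  # assumed threshold
        reasons.append("%d of %d exports are forwarders" % (len(forwarders), len(exports)))
    for t in targets:
        if own_base and t != own_base and own_base in t:
            reasons.append("forwards to look-alike library %r" % t)
    return {"dll": dll_name, "exports": len(exports), "forwarded": len(forwarders),
            "targets": targets, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples: a proxy DLL that forwards everything to a renamed
# copy, and a benign DLL with one ordinary forwarder to an unrelated library.
PROXY_DLL = build_test_dll("vendorlib.dll", [("Alpha", "vendorlib_orig.Alpha"),
                                             ("Beta", "vendorlib_orig.Beta"),
                                             ("Gamma", "vendorlib_orig.Gamma")])
BENIGN_DLL = build_test_dll("helper.dll", [("Foo", None), ("Bar", None),
                                           ("Baz", "corelib.Baz")])

if __name__ == "__main__":
    for img in (PROXY_DLL, BENIGN_DLL):
        print(assess_dll_proxying(img))
```

<p>Legitimate Windows system DLLs also carry forwarders (to differently named libraries, for a subset of their exports), so the look-alike-name rule carries more signal than the forwarder count alone; treat a hit as a lead to be confirmed against the side-loading context the report describes, such as an unexpected DLL sitting beside a signed executable inside a mounted ISO.</p>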
</div>
</p></div>