June 22, 2021
Anomali Threat Research

Anomali Cyber Watch: Klingon RAT Holding on for Dear Life, CVS Medical Records Breach, Black Kingdom Ransomware and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Black Kingdom, Darkside, Go, Klingon Rat, Microsoft PowerApps, Ransomware</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-062221.png" /><br /> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/" target="_blank">Andariel Evolves to Target South Korea with Ransomware</a></h3> <p>(published: June 15, 2021)</p> <p>Researchers at Kaspersky's Securelist identified ransomware attacks by Andariel, a sub-group of Lazarus, targeting South Korea. Victims included entities in the manufacturing, home network service, media and construction sectors. The attacks used malicious Microsoft Word documents carrying a macro, together with novel techniques to implant a multi-stage payload; the final stage was a ransomware built specifically for this campaign.<br /> <b>Analyst Comment:</b> Users should be wary of documents that request macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. 
Anti-spam and antivirus protections should be implemented and kept up to date.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947200" target="_blank">[MITRE ATT&CK] System Network Connections Discovery - T1049</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947079" target="_blank">[MITRE ATT&CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947250" target="_blank">[MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095</a> | <a href="https://ui.threatstream.com/ttp/947210" target="_blank">[MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> Lazarus group, Lazarus, Andariel, Hidden Cobra, tasklist, Manuscrypt, Banking And Finance, Malicious documents, Macros</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/" target="_blank">Matanbuchus: Malware-as-a-Service with Demonic Intentions</a></h3> <p>(published: June 15, 2021)</p> <p>In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructure.<br /> <b>Analyst Comment:</b> Malware-as-a-service (MaaS) is a growing criminal business model that opens the door to anyone with the money to pay for access. A criminal organization that wants to carry out a malware attack on a target no longer requires in-house technical expertise or infrastructure. Because many customers share the same loader, their attacks in most cases share tactics, techniques and even IOCs. 
This highlights the importance of intelligence sharing for proactive protection.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a><br /> <b>Tags:</b> BelialDemon, Matanbuchus, Belial, WildFire, EU, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://securelist.com/black-kingdom-ransomware/102873/" target="_blank">Black Kingdom ransomware</a></h3> <p>(published: June 17, 2021)</p> <p>An unknown adversary deployed the Black Kingdom ransomware after exploiting a Microsoft Exchange vulnerability (see the Exchange CVEs in the tags below). Following exploitation, the attacker installed a web shell on the compromised server, enabling execution of arbitrary commands or scripts, and then deployed the ransomware. Researchers discovered several mistakes in the encryption routine that, depending on circumstances, can in the worst case prevent normal decryption or in the best case allow decryption without payment. Initial telemetry points to potential victims in Italy and Japan.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947275" target="_blank">[MITRE ATT&CK] Remote System Discovery - T1018</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947098" target="_blank">[MITRE ATT&CK] Email Collection - 
T1114</a> | <a href="https://ui.threatstream.com/ttp/947252" target="_blank">[MITRE ATT&CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947269" target="_blank">[MITRE ATT&CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947130" target="_blank">[MITRE ATT&CK] Execution through API - T1106</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497</a><br /> <b>Tags:</b> Blackkingdom, DearCry, CVE-2019-11510, CVE-2021-26857, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, EU</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/" target="_blank">Klingon RAT Holding on for Dear Life</a></h3> <p>(published: June 17, 2021)</p> <p>Researchers at Intezer have identified a previously unknown GoLang RAT. 
The RAT, which has been named Klingon RAT, has been active since at least 2019 and is being used for financial gain. Klingon uses multiple techniques for anti-AV, persistence and privilege escalation: it queries WMI for running processes and cross-references them against a list of antivirus products. Three Gzip files are dropped into the %temp% folder for the threat actor to use once a connection to the C2 has been established. For persistence it creates registry keys under both the current-user and local-machine hives, and can additionally register a scheduled task named “OneDriveUpdate” that runs a copy dropped in APPDATA. Four UAC bypass options are present for privilege escalation (computer defaults, fodhelper, disk cleanup and event viewer), although Intezer notes they are not actually implemented properly.<br /> <b>Analyst Comment:</b> To enable early identification of potential malware, it&#39;s important to set up EDR/SIEM alerts for logs/activities related to the anti-AV, privilege escalation and persistence techniques used by adversaries. Along with this, network logs should be monitored for suspicious C2 traffic, covering both connection and data exfiltration attempts.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947087" target="_blank">[MITRE ATT&CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947275" target="_blank">[MITRE ATT&CK] Remote System Discovery - T1018</a><br /> <b>Tags:</b> Go Lang, RAT, Klingon RAT, wizard spider, Go, malware, financial gain, scheduled task, privilege escalation</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://medium.com/tenable-techblog/stealing-tokens-emails-files-and-more-in-microsoft-teams-through-malicious-tabs-a7e5ff07b138" target="_blank">Microsoft Teams: Very Bad Tabs Could Have Led to BEC</a></h3> <p>(published: June 14, 2021)</p> <p>Tenable&#39;s Evan Grant reported a vulnerability in the Microsoft Power Apps platform, which is used for low-code/no-code rapid app development. The vulnerability could have been leveraged to establish persistent read/write access to a victim&#39;s Microsoft 365 environment, including email, Teams chats, OneDrive, SharePoint and a variety of other services. Such attacks could be carried out via a malicious Microsoft Teams tab and Power Automate flows. No in-the-wild exploitation is known, and Microsoft has already issued a fix.<br /> <b>Analyst Comment:</b> Many cloud applications from Google and Microsoft provide powerful interfaces for third-party app integrations. This, coupled with single sign-on across multiple services hosted on the same platform, greatly increases the damage an adversary can cause by exploiting a single vulnerability. Users should only enable or install trusted integrations and grant them the minimum required access.<br /> <b>Tags:</b> Microsoft, PowerApps, Vulnerability</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank">Smoking Out a DARKSIDE Affiliate&#39;s Supply Chain Software Compromise | FireEye Inc</a></h3> <p>(published: June 16, 2021)</p> <p>Mandiant researchers reported that DARKSIDE affiliate UNC2465 accessed at least one victim through a trojanized software installer downloaded from a legitimate website. The intrusion began on May 18, 2021, days after the publicly reported shutdown of the overall DARKSIDE program. 
While no ransomware was observed, Mandiant believes that affiliate groups may use multiple ransomware affiliate programs and can switch between them at will.<br /> <b>Analyst Comment:</b> Attackers frequently use trusted vendor sites to host malware or as a channel for data exfiltration. Applications downloaded from trusted and untrusted sources alike should be scanned for malware, and the downloads logged for forensic analysis. Outgoing traffic to trusted websites should be monitored for unusual network activity.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947266" target="_blank">[MITRE ATT&CK] Data Encrypted - T1022</a><br /> <b>Tags:</b> UNC2465, REvil, SODINOKIBI, SMOKEDHAM, BEACON, DARKSIDE, DARKSIDE Ransomware, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.zdnet.com/article/volkswagen-audi-disclose-data-breach-impacting-over-3-3-million-customers-interested-buyers/#ftag=RSSbaffb68" target="_blank">Volkswagen, Audi Disclose Data Breach Impacting Over 3.3 Million Customers, Interested Buyers</a></h3> <p>(published: June 14, 2021)</p> <p>Volkswagen has revealed a data breach impacting over 3.3 million customers. The majority of impacted individuals are either current or prospective buyers of Audi vehicles. 163,000 of those affected are in Canada; the rest are in the United States. An associated vendor has been identified as the source of the breach, but the vendor has not been named.<br /> <b>Analyst Comment:</b> Organisations need to ensure proper security controls are in place at vendors when they are responsible for storing and processing critical customer data. 
Data should remain on vendor systems only for the minimum time required, to limit the exposure window.<br /> <b>Tags:</b> Data Breach, Supply Chain, North America</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://threatpost.com/cvs-health-records-billion-customers-exposed/167011/" target="_blank">CVS Health Records for 1.1 Billion Customers Exposed</a></h3> <p>(published: June 17, 2021)</p> <p>WebsitePlanet researchers, in cooperation with security researcher Jeremiah Fowler, discovered an exposed database containing more than one billion records for CVS Health customers. The database belonged to an unnamed third-party vendor and was not password protected. The exposed data could be strung together to create an extremely personal snapshot of someone&#39;s medical situation. Following the report, public access to the database has been restricted.<br /> <b>Analyst Comment:</b> Proper security controls need to be in place for handling sensitive medical records. Wherever possible, medical records and patient PII should be stored separately to minimize the impact in case of a data leak.<br /> <b>Tags:</b> Data Compromise, HealthCare, North America, PII</p> </div>
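The Klingon RAT article above lists the persistence and privilege escalation behaviours (Run keys in both hives, an "OneDriveUpdate" scheduled task pointing into APPDATA, and the fodhelper, computer defaults, disk cleanup and event viewer UAC bypasses), and its analyst comment recommends EDR/SIEM alerts for exactly those activities. The following is an added example, not code from this page or from Intezer: a small Python detector run over constructed Sysmon-style events (EventID 13 registry value-set and EventID 1 process-creation records). The event field names, the file paths, the registry locations used by the four UAC bypasses and the ATT&CK sub-technique IDs are all assumptions drawn from public documentation of those techniques, not details given on the page.

```python
"""Detection rules for Klingon-style persistence and UAC-bypass staging,
run over constructed Sysmon-style events (not real telemetry)."""
from __future__ import annotations

import re
from typing import Iterable

# Registry locations abused by the four UAC bypasses the Intezer write-up names.
# These paths come from public documentation of the techniques (assumption),
# not from the page itself. They are matched case-insensitively as substrings.
UAC_BYPASS_KEYS = {
    r"\software\classes\ms-settings\shell\open\command": "fodhelper / computerdefaults",
    r"\software\classes\mscfile\shell\open\command": "eventvwr",
    r"\environment\windir": "disk cleanup (SilentCleanup task)",
}

# Autostart Run keys under either hive (HKU\<SID>\... or HKLM\...).
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
# Drop locations a RAT uses that a legitimate installer normally does not autostart from.
USER_WRITABLE_RE = re.compile(r"(%appdata%|%temp%|\\appdata\\(roaming|local\\temp)\\)", re.I)
TASK_NAME_RE = re.compile(r"/tn\s+\"?([^\"\s]+)", re.I)
TASK_RUN_RE = re.compile(r"/tr\s+\"?([^\"]+?)\"?(?:\s+/|$)", re.I)


def _finding(rule: str, technique: str, ev: dict, evidence: str) -> dict:
    return {"rule": rule, "technique": technique, "image": ev["Image"], "evidence": evidence}


def analyse(events: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious event; benign events yield nothing."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13:  # Sysmon: registry value set
            target, details = ev["TargetObject"], ev.get("Details", "")
            # Run-key persistence whose command lives in %APPDATA% or %TEMP%.
            if RUN_KEY_RE.search(target) and USER_WRITABLE_RE.search(details):
                findings.append(_finding("run_key_persistence", "T1547.001", ev,
                                         f"{target} = {details}"))
            # UAC bypass staging: strip Sysmon's trailing "\(Default)" before matching.
            low = re.sub(r"\\\(default\)$", "", target.lower())
            for key, name in UAC_BYPASS_KEYS.items():
                if key in low:
                    findings.append(_finding("uac_bypass_staging", "T1548.002", ev,
                                             f"{name}: {target} = {details}"))
        elif ev["EventID"] == 1 and ev["Image"].lower().endswith("\\schtasks.exe"):  # process created
            cmd = ev["CommandLine"]
            run = TASK_RUN_RE.search(cmd)
            # A new task whose action binary sits in a user-writable drop location.
            if "/create" in cmd.lower() and run and USER_WRITABLE_RE.search(run.group(1)):
                name = TASK_NAME_RE.search(cmd)
                task = name.group(1) if name else "?"
                findings.append(_finding("scheduled_task_persistence", "T1053.005", ev,
                                         f"task {task} -> {run.group(1)}"))
    return findings


# Constructed sample telemetry; the paths and SID are made up for this example.
DROPPER = r"C:\Users\bob\AppData\Local\Temp\svchost.exe"
PAYLOAD = r"C:\Users\bob\AppData\Roaming\OneDriveUpdate.exe"
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"

SAMPLE_EVENTS = [
    # Benign: the real OneDrive autostart lives under AppData\Local\Microsoft\OneDrive.
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Current-user Run key pointing into %APPDATA%.
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate",
     "Details": PAYLOAD},
    # Same entry written to the local-machine hive.
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveUpdate",
     "Details": PAYLOAD},
    # Scheduled task named like OneDrive but executing from the roaming profile.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks /create /tn OneDriveUpdate /tr "{PAYLOAD}" /sc minute /mo 5'},
    # Staging for the fodhelper / computerdefaults bypass.
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": SID + r"\Software\Classes\ms-settings\shell\open\command\(Default)",
     "Details": PAYLOAD},
    # Staging for the eventvwr bypass.
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": SID + r"\Software\Classes\mscfile\shell\open\command\(Default)",
     "Details": PAYLOAD},
]


def main() -> None:
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['technique']} via {f['image']}: {f['evidence']}")


if __name__ == "__main__":
    main()
```

The benign OneDrive Run key is included deliberately: the rules key on where the autostart target lives (roaming profile or temp directories) rather than on the "OneDrive" name, so the legitimate client under AppData\Local\Microsoft\OneDrive is not flagged while the look-alike entries are. In a real deployment the same logic maps onto a SIEM query over Sysmon or EDR registry and process telemetry.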
