May 16, 2023
-
Anomali Threat Research
,

Anomali Cyber Watch: Lancefly APT Adopts Alternatives to Phishing, BPFdoor Removed Hardcoded Indicators, FBI Ordered Russian Malware to Self-Destruct

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Backdoors, Credential theft, China, Exploits, Phishing, Ransomware,</b> and <b>Russia</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/1NQWgDJfQ3uJFjKH5vMU"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://symantec-enterprise-blogs.security.com/threat-intelligence/lancefly-merdoor-zxshell-custom-backdoor" target="_blank">Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors</a></h3> <p>(published: May 15, 2023)</p> <p>Symantec researchers detected a new cyberespionage campaign by the Lancefly China-sponsored group targeting organizations in South and Southeast Asia. From mid-2022 into 2023 the group has targeted the aviation, government, education, and telecom sectors. Indications of intrusion vectors show that Lancefly has possibly moved from phishing attacks to SSH brute force and exploiting publicly accessible devices such as load balancers. A small number of machines were infected in a highly-targeted fashion to deploy the custom Merdoor backdoor and a modification of the open-source ZXShell rootkit. Lancefly abuses a number of legitimate binaries for DLL side-loading, credential stealing, and other living-off-the-land (LOLBin) activities.<br/> <b>Analyst Comment:</b> Organizations are advised to monitor for suspicious SMB activity and LOLBin activities indicating a possible process injection or LSASS memory dumping. File hashes associated with the latest Lancefly campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&amp;CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9750" target="_blank">[MITRE ATT&amp;CK] T1569 - System Services</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9891" target="_blank">[MITRE ATT&amp;CK] T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/9895" target="_blank">[MITRE ATT&amp;CK] T1095 - Non-Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9808" target="_blank">[MITRE ATT&amp;CK] T1003.001 - OS Credential Dumping: Lsass Memory</a> | <a href="https://ui.threatstream.com/attackpattern/9684" target="_blank">[MITRE ATT&amp;CK] T1003.002 - OS Credential Dumping: Security Account Manager</a> | <a href="https://ui.threatstream.com/attackpattern/9633" target="_blank">[MITRE ATT&amp;CK] T1003 - Os Credential Dumping</a> | <a href="https://ui.threatstream.com/attackpattern/9647" target="_blank">[MITRE ATT&amp;CK] T1021.002 - Remote Services: Smb/Windows Admin Shares</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&amp;CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&amp;CK] T1560.001 - Archive Collected Data: Archive Via Utility</a> | <a href="https://ui.threatstream.com/attackpattern/10007" target="_blank">[MITRE ATT&amp;CK] T1046 - Network Service Scanning</a> | <a href="https://ui.threatstream.com/attackpattern/10002" target="_blank">[MITRE ATT&amp;CK] T1040 - Network Sniffing</a> | <a href="https://ui.threatstream.com/attackpattern/10019" target="_blank">[MITRE ATT&amp;CK] T1018 - Remote System Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9631" target="_blank">[MITRE ATT&amp;CK] T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/9818" target="_blank">[MITRE ATT&amp;CK] T1014 - Rootkit</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a><br/> <b>Tags:</b> actor:Lancefly, APT, malware:Merdoor, malware-type:Backdoor, malware:ZXShell, malware-type:Rootkit, target-sector:Government, target-sector:Aviation, target-sector:Education, target-sector:Telecom, source-country:China, target-region:South, target-region:Southeast Asia, technique:LSASS memory dumping, technique:LOLBin, file-type:EXE, file-type:DLL, file-type:SYS, file-type:PAK, target-system:Windows</p> <h3 id="article-2"><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a" target="_blank">Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG</a></h3> <p>(published: May 11, 2023)</p> <p>The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory in response to active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut servers (PaperCut NG/MF) and enables an unauthenticated actor to execute malicious code remotely without credentials. The Bl00dy Ransomware Gang has been observed exploiting the vulnerability to target the education facilities sub-sector since the early May 2023. The actors use the PaperCut server process pc-app.exe to execute other processes with SYSTEM- or root-level privileges. Bl00dy Ransomware Gang downloads legitimate remote access tools such as Atera RMM, uses Tor and/or other proxies, and additional malware such as Cobalt Strike Beacons, DiceLoader, and TrueBot.<br/> <b>Analyst Comment:</b> Education facilities maintained approximately 68% of exposed (but not necessarily vulnerable) US-based PaperCut servers. Users and administrators should immediately apply patches or workaround remediations. Look for child processes spawned from a PaperCut server’s pc-app.exe process. All known indicators related to the Bl00dy Ransomware Gang and their CVE-2023-27350 exploitation are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9893" target="_blank">[MITRE ATT&amp;CK] T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&amp;CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a><br/> <b>Signatures:</b> <a href="https://ui.threatstream.com/signature/107881" target="_blank">ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)</a><br/> <b>Tags:</b> malware:Bl00dy, malware-type:Ransomware, actor:Bl00dy Ransomware Gang, target-industry:Education, target-industry:611110 Elementary and Secondary Schools, target-country:US, vulnerability:CVE-2023-27350, target-system:PaperCut server, technique:Remote code execution, sub-technique:PowerShell, abused:Tox, abused:Atera, abused:TOR, malware:DiceLoader, malware:TrueBot, malware:Cobalt Strike Beacon, open-port:443, open-port:9100, file-type:EXE, file-type:TXT, file-type:DLL, target-system:Windows</p> <h3 id="article-3"><a href="https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness-already-seen-in-the-wild/" target="_blank">New Phishing-as-a-Service Tool “Greatness” Already Seen in the Wild</a></h3> <p>(published: May 10, 2023)</p> <p>Talos researchers detected a previously unreported phishing-as-a-service (PaaS) offering called Greatness that has been used in several phishing campaigns since mid-2022. Greatness is designed to compromise Microsoft 365 users. It makes phishing pages especially convincing and effective against businesses by prefilling the target address and displaying the appropriate company logo. An analysis of the domains targeted in several ongoing and past campaigns revealed that the victims were almost exclusively companies in the US, the UK, Australia, South Africa, and Canada, in that order. The most commonly targeted sectors in the order of targeting were manufacturing, health care, technology, and education. The attack starts when the victim receives a malicious email with an HTML file as an attachment that serves as a Microsoft 365 login phishing page. Greatness allows for multi-factor authentication (MFA) bypass, and IP filtering. The PaaS consists of three components: a phishing kit, the service API, and a Telegram bot or email address.<br/> <b>Analyst Comment:</b> Users should be cautious when an email has an HTML attachment which first results in a blurry image display. Indicators associated with this Greatness campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a><br/> <b>Tags:</b> malware:Greatness, malware-type:Phishing kit, target-industry:Manufacturing, target-industry:Health Care, target-industry:Technology, target-industry:Real Estate, target-identity:Microsoft 365 users, target-country:US, target-country:UK, target-country:Australia, target-country:South Africa, target-country:Canada, technique:Man-in-the-middle, technique:MFA bypass, technique:IP filtering, technique:URL redirection, abused:JavaScript, file-type:HTML, abused:Telegram</p> <h3 id="article-4"><a href="https://www.deepinstinct.com/blog/bpfdoor-malware-evolves-stealthy-sniffing-backdoor-ups-its-game" target="_blank">BPFDoor Malware Evolves – Stealthy Sniffing Backdoor Ups Its Game</a></h3> <p>(published: May 10, 2023)</p> <p>The BPFdoor Linux backdoor is attributed to China-sponsored threat group, Red Menshen (Red Dev 18). A new version of BPFdoor discovered by Deep Instinct researchers has compilation time October 2022, initial submission to VirusTotal in February 2023, and it was remaining fully undetected until the public reporting in May 2023. ​​BPFdoor can bypass any firewall restrictions on incoming traffic by creating a special packet-sniffing socket, searching for “Magic” byte sequence, and guiding the kernel to set up the socket to only read UDP, TCP, and SCTP traffic coming through ports 22, 80, and 443. The new BPFdoor variant became stealthier by removing many of its hardcoded indicators, including hardcoded commands and filenames. It also uses static library encryption instead of RC4 Encryption, and reverse-shell instead of bind shell and iptabes.<br/> <b>Analyst Comment:</b> Defense-in-depth is an effective way to help mitigate potential APT activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities. Organizations should keep their Linux system updated and properly configured to avoid the initial compromise that may lead to the BPFdoor installation.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9583" target="_blank">[MITRE ATT&amp;CK] T1205 - Traffic Signaling</a> | <a href="https://ui.threatstream.com/attackpattern/18589" target="_blank">[MITRE ATT&amp;CK] T1205.002 - Traffic Signaling: Socket Filters</a> | <a href="https://ui.threatstream.com/attackpattern/9716" target="_blank">[MITRE ATT&amp;CK] T1573 - Encrypted Channel</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&amp;CK] T1106: Native API</a><br/> <b>Tags:</b> malware:BPFDoor, detection:Linux/BpfDoor, malware-type:Backdoor, actor:Red Menshen, actor:Red Dev 18, source-country:China, abused:libtomcrypt, abused:popen, abused:Berkley Packet Filter, sub-technique:Magic value, technique:Traffic Signaling, sub-technique:Socket Filters, abused:UDP, abused:TCP, abused:SCTP, abused:SSH, abused:HTTP, abused:HTTPS, open-port:22, open-port:80, open-port:443, file-type:ELF, target-system:Linux</p> <h3 id="article-5"><a href="https://www.dragos.com/blog/deconstructing-a-cybersecurity-event/" target="_blank">Deconstructing a Cybersecurity Event</a></h3> <p>(published: May 10, 2023)</p> <p>Industrial cybersecurity vendor Dragos self-reported being targeted by an extortion attack on May 8, 2023. A known cybercriminal group that Dragos prefers not to name, gained access by compromising the personal email address of a new sales employee prior to their start date, and subsequently used their personal information to impersonate the Dragos employee and accomplish initial steps in the employee onboarding process. The actors were able to successfully access the Dragos SharePoint and contract management systems, exfiltrate general use data and 25 Dragos intel reports normally accessible to clients. The actors were reaching out to multiple publicly known Dragos contacts using emails and phone messaging. Threat to publish the company’s data was accompanied by additional threats and hints with relation to employee family members.<br/> <b>Analyst Comment:</b> Role-based access control (RBAC) was instrumental in restricting the actors in Dragos networks. Organizations should harden their identity and access management infrastructure and processes, implement separation of duties across the enterprise, and apply the principle of least privilege to all systems and services. Apply explicit blocks for known bad IP addresses - network indicators associated with this attack on Dragos are available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&amp;CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/12897" target="_blank">[MITRE ATT&amp;CK] T1621 - Multi-Factor Authentication Request Generation</a> | <a href="https://ui.threatstream.com/attackpattern/9979" target="_blank">[MITRE ATT&amp;CK] T1526 - Cloud Service Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9959" target="_blank">[MITRE ATT&amp;CK] T1530 - Data From Cloud Storage Object</a> | <a href="https://ui.threatstream.com/attackpattern/9746" target="_blank">[MITRE ATT&amp;CK] T1567 - Exfiltration Over Web Service</a> | <a href="https://ui.threatstream.com/attackpattern/10046" target="_blank">[MITRE ATT&amp;CK] T1586.002 - Compromise Accounts: Email Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10074" target="_blank">[MITRE ATT&amp;CK] T1593 - Search Open Websites/Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10184" target="_blank">[MITRE ATT&amp;CK] T1591.004 - Gather Victim Org Information: Identify Roles</a><br/> <b>Tags:</b> malware-type:Ransomware, Data leak, target-company:Dragos, target-industry:Information Technology, abused:Tox</p> <h3 id="article-6"><a href="https://www.justice.gov/opa/press-release/file/1582991/download" target="_blank">In the Matter of the Search of Information Associated with Computers Constituting the Snake Malware Network</a></h3> <p>(published: May 9, 2023)</p> <p>Active since 2004, the Snake (Uroburos) malware is used by Turla (Uroburos, Venomous Bear) that is attributed to Center 16 of the Federal Security Service of the Russian Federation (FSB). Its communication travels between the Snake-compromised computers, where data is encrypted, fragmented, and sent using customized methodologies built atop common network protocols. In early May 2023, several countries coordinated in an effort to disrupt and clean up Snake infections in their jurisdictions. The US Federal Bureau of Investigation (FBI) identified eight compromised computers across several states. FBI has applied for search and seizure warrant to remotely probe and disable Snake malware while delaying target notification for up to 30 days following May 4, 2023. They developed the PERSEUS remote search technique for probing and Snake C2 impersonation. PERSEUS sends a Snake-HTTP or a Snake-TCP transmissions and the type of response confirms if the target is compromised by Snake. Then PERSEUS can send certain Snake built-in commands that will terminate the Snake application and overwrite its vital components without affecting any legitimate computer operation, applications, or files.<br/> <b>Analyst Comment:</b> Turla and other advanced persistent groups may use stealthy, hard-to-detect communication methods. As one compromised machine can be used in an attack against another target, it is important to engage in global defense measures that at times include centralized, court-permitted government efforts to remotely clean up identified infections. Organizations that were infected by Snake in the past should change all the previous credentials that could have been compromised by Turla.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a><br/> <b>Tags:</b> actor:Turla, actor:Venomous Bear, actor:Uroburos, source-country:Russia, actor-identity:FSB, actor-identity:Center 16, Remote search technique, Hacking back, malware:Uroburos, malware:Snake, malware-family:Turla, target-country:US, target-industry:Media, target-industry:Defense, target-organization:NATO, FBI, tool:PERSEUS, tool-type:Remote search technique, tool-type:Probing, tool-type:C2 impersonation</p> </div> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.