June 6, 2023
Anomali Threat Research

Anomali Cyber Watch: LEMURLOOT on Exploited MOVEit Transfers, Zero-Click iOS Exploit Targeted Kaspersky, Qakbot Turns Bots into Proxies

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> Adware, Botnets, Data leak, Obfuscation, Phishing, Zero-day vulnerabilities, </b>and <b>Zero-click exploits</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://anomali-labs-public.s3.amazonaws.com/img/7265536.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft" target="_blank">Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft</a></h3> <p>(published: June 2, 2023)</p> <p>A zero-day vulnerability in the MOVEit Transfer secure managed file transfer software (CVE-2023-34362) was announced by Progress Software Corporation on May 31, 2023. Mandiant researchers have observed a wide exploitation that had already started on May 27, 2023. This opportunistic campaign affected Canada, Germany, India, Italy, Pakistan, the US, and other countries. The attackers have been using the custom LEMURLOOT web shell masquerading as a legitimate component of the MOVEit Transfer. It is used to exfiltrate data previously uploaded by the users of individual MOVEit Transfer systems. This actor activity is dubbed UNC4857 and it has a low confidence similarity to FIN11-attributed data theft extortion via the CL0P ransomware data leak site.<br /> <b>Analyst Comment:</b> The US Cybersecurity and Infrastructure Security Agency added CVE-2023-34362 to its list of known exploited vulnerabilities, ordering US federal agencies to patch their systems by June 23, 2023. Network defenders should follow the Progress Software Corporation remediation steps that include hardening, detection, clean-up, and installing the recent MOVEit Transfer security patches. YARA rules and host-based indicators associated with the LEMURLOOT webshell are available in the Anomali platform for detection and historical reference.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10037" target="_blank">[MITRE ATT&CK] T1587.003 - Develop Capabilities: Digital Certificates</a> | <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9597" target="_blank">[MITRE ATT&CK] T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/9642" target="_blank">[MITRE ATT&CK] T1136 - Create Account</a> | <a href="https://ui.threatstream.com/attackpattern/9863" target="_blank">[MITRE ATT&CK] T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&CK] T1560.001 - Archive Collected Data: Archive Via Utility</a><br /> <b>Signatures:</b> <a href="https://ui.threatstream.com/signature/108237" target="_blank">LEMURLOOT Webshell DLL Payloads - YARA by Mandiant</a> | <a href="https://ui.threatstream.com/signature/108238" target="_blank">LEMURLOOT Webshell ASP.NET scripts - YARA by Mandiant</a> | <a href="https://ui.threatstream.com/signature/108301" target="_blank">MOVEit Exploitation - YARA by Florian Roth</a>.<br /> <b>Tags:</b> malware:LEMURLOOT, malware-type:Webshell, target-software:MOVEit Transfer, actor:​​UNC4857, exploit-type:Zero-day, vulnerability:CVE-2023-34362, target-country:Canada, target-country:India, target-country:Italy, target-country:Pakistan, target-country:Germany, target-country:US, target-software:Azure Blob Storage, abused:C#, abused:gzip, actor:FIN11, actor:Clop, technique:SQLi attack, file-type:DLL, file-type:ASPX, file-type:HTML, target-system:Windows</p> <h3 id="article-2"><a href="https://blog.avast.com/malicious-extensions-chrome-web-store" target="_blank">Unmasking Malicious Extensions: Avast Detects New Threats on the Chrome Web Store</a></h3> <p>(published: June 2, 2023)</p> <p>Wladimir Palant and Avast researchers have discovered 32 malicious extensions on the Chrome Web Store. The extensions provide legitimate functionality, but contain an obfuscated code with adware and search result hijacker functionalities. 24,000 of Avast&#39;s users were affected and these extensions had a combined 75 million installs on the Chrome Web Store, although the install counts may have been artificially inflated.<br /> <b>Analyst Comment:</b> It takes time to detect additional malicious functionality. Random redirects from Google results can be the sign of this campaign infection. Network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a><br /> <b>Tags:</b> malware-type:Adware, malware-type:Search result hijacker, technique:Malicious browser extension, target-software:Chrome</p> <h3 id="article-3"><a href="https://securelist.com/operation-triangulation/109842/" target="_blank">Operation Triangulation: iOS Devices Targeted with Previously Unknown Malware</a></h3> <p>(published: June 1, 2023)</p> <p>Kaspersky researchers have detected an advanced iOS malware on iPhones connected to their own corporate network. This campaign dubbed Operation Triangulation starts with an unidentified, zero-click exploit attached to an iMessage. It downloads subsequent stages with additional exploits for privilege escalation. The initial message and the exploit attachment are then deleted to avoid detection. The final payload runs with root privileges, collects system and user information, and downloads additional plugin modules. It does not have persistence, but previously-infected devices were observed being reinfected. The most recent version of iOS successfully targeted is iOS 15.7 (released on September 12, 2022). Operation Triangulation is ongoing and is traced back to 2019.<br /> <b>Analyst Comment:</b> Network defenders are advised to check backups of potentially-targeted devices for indicators of compromise, the most reliable being the presence of data-usage lines in timeline.csv mentioning the process named BackupAgent. All known C2 domains associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure and check their DNS logs for historical information.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/18637" target="_blank">[MITRE ATT&CK] T1630 - Indicator Removal On Host</a> | <a href="https://ui.threatstream.com/attackpattern/17826" target="_blank">[MITRE ATT&CK] T1544 - Remote File Copy</a> | <a href="https://ui.threatstream.com/attackpattern/17824" target="_blank">[MITRE ATT&CK] T1426 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/18625" target="_blank">[MITRE ATT&CK] T1437.001 - Application Layer Protocol: Web Protocols</a><br /> <b>Tags:</b> campaign:Operation Triangulation, exploit-type:Zero-click, APT, target-industry:Software and Services, target-industry:Cybersecurity, target-company:Kaspersky, target-system:Mobile, target-system:iOS</p> <h3 id="article-4"><a href="https://blog.lumen.com/qakbot-retool-reinfect-recycle/" target="_blank">Qakbot: Retool, Reinfect, Recycle</a></h3> <p>(published: June 1, 2023)</p> <p>Qakbot (Pinkslipbot or Qbot) is a long-standing banking trojan and malware/ransomware distribution network that has been active since 2007. It primarily spreads through email hijacking and social engineering methods, delivering malicious files to infect Windows hosts. In 2023, Qakbot employed various tactics, including the use of malicious OneNote files, Mark of the Web evasion techniques, and HTML smuggling. The botnet has evolved to conceal its infrastructure within residential IP space. Bots communicate with the backconnect server to be repurposed into proxies: Tier 1 command-and-control (C2) servers. Lumen’s Black Lotus Labs researchers have detected up to 70-90 new C2 servers a week as part of Qakbot spamming cycle. These servers communicate with Tier 2 C2 servers hosted on “bulletproof” virtual private server (VPS) providers.<br /> <b>Analyst Comment:</b> Organizations should bolster defenses against phishing by fully monitoring network resources, ensuring proper patch management and conducting ongoing phishing and social-engineering training for employees. Continue or enable OneNote attachment blocking, if feasible. All known higher-tier C2 indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10043" target="_blank">[MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server</a> | <a href="https://ui.threatstream.com/attackpattern/10049" target="_blank">[MITRE ATT&CK] T1584.005 - Compromise Infrastructure: Botnet</a> | <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/12882" target="_blank">[MITRE ATT&CK] T1027.006 - Obfuscated Files or Information: Html Smuggling</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&CK] T1486: Data Encrypted for Impact</a><br /> <b>Tags:</b> malware:Qakbot, malware:Pinkslipbot, malware:Qbot, malware-type:Botnet, malware-type:Ransomware, abused:OneNote, filetype:DLL, filetype:HTML, filetype:ONE, technique:Email hijacking, technique:Proxy, technique:Compromised web server, technique:VPS server, target-system:Windows</p> <h3 id="article-5"><a href="https://www.reversinglabs.com/blog/when-python-bytecode-bites-back-who-checks-the-contents-of-compiled-python-files" target="_blank">When Byte Code Bites: Who Checks the Contents of Compiled Python Files?</a></h3> <p>(published: June 1, 2023)</p> <p>In April 2023, a novel supply-chain attack was detected in the Python Package Index (PyPI). To evade typical static code analysis detection tools, it places the malicious functionality into a single file containing compiled Python byte code (PYC file). To load the malicious Python compiled module, the actors used the Importlib import implementation instead of the usual Import directive. The malware then downloads and executes yet another Python script, which actors change from time to time. It collects usernames, hostnames, and directory listings, and executes additional code using scheduled tasks or cronjob, depending on the target system. ReversingLabs researchers examined the C2 server and found evidence of successful exploitation and keylogging outputs.<br /> <b>Analyst Comment:</b> Researchers can leverage the inspection of decompiled versions of the suspicious PYC files. Suspicious behaviors to look for include the presence of URLs that reference the host by IP address, detection of file execution, gathering of sensitive information, and process creation. Host-based indicators associated with this campaign are available in the Anomali platform for ongoing infections and historical reference.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9631" target="_blank">[MITRE ATT&CK] T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9655" target="_blank">[MITRE ATT&CK] T1053.003 - Scheduled Task/Job: Cron</a> | <a href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&CK] T1056.001 - Input Capture: Keylogging</a><br /> <b>Tags:</b> abused:PyPI, abused:Python, file-type:PYC, target-system:macOS, target-system:Linux, target-system:Windows</p> </div> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.