October 3, 2023 - Anomali Threat Research

Anomali Cyber Watch: LightlessCan Incorporates Windows Utility Functions, ZenRAT Avoids Disks under 95GB, and More

<div id="weekly"> <p id="intro"> <h1><b>Anomali Cyber Watch: LightlessCan Incorporates Windows Utility Functions, ZenRAT Avoids Disks under 95GB, and More.</b></h1> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Anti-virtualization checks, China, Infostealers, North Korea, Ransomware,</b> and <b> Russia</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img alt="IoC Stats" src="https://cdn.filestackcontent.com/gZ7TQNV9QAm1GwA7C7Sa"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79" target="_blank">Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and More)</a></h3> <p>(published: October 3, 2023)</p> <p> Luca Mella’s research team has profiled a Russia-based FTP server involved in a LockBit extortion incident that occurred in Q3 2023. They discovered the same “WIN-LIVFRVQFMKO” hostname among 105 hosts serving an IIS-based FTP service, and linked infrastructure that involves over 8,000 hosts worldwide, with at least a third of them located in the Commonwealth of Independent States (CIS) countries. Active since 2019, this criminal infrastructure has been connected to ransomware attacks and data exfiltrations (Conti ransomware and LockBit starting from LockBit 2.0), info-stealing malware distribution (DarkGate loader, Ursnif banking trojan), and romance scams. 
The hostname was also linked to an individual named "Bentley," who was previously the technical lead and system administrator for the Conti (Wizard Spider) group.<br/> <b>Analyst Comment:</b> The threat actor's reuse of the same golden image (a snapshot of a pre-installed operating system, ready to be customized for a particular application) made it possible to map a wide, long-lived malicious infrastructure. All known network indicators associated with this infrastructure are available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9733" target="_blank">[MITRE ATT&amp;CK] T1572 - Protocol Tunneling</a> | <a href="https://ui.threatstream.com/attackpattern/23212" target="_blank">[MITRE ATT&amp;CK] Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001]</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a><br/> <b>Tags:</b> malware:LockBit, malware-type:Ransomware, actor:Bentley, actor:LockBit, actor-type:RaaS, actor-type:RaaS affiliate, actor:Wizard Spider, actor:Conti, abused:FileZilla FTP, abused:Ngrok, malware-type:Tunneling, protocol:RDP, tactic:Exfiltration, hostname:WIN-LIVFRVQFMKO </p> <h3 id="article-1"><a href="https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/" target="_blank">Lazarus Luring Employees with Trojanized Coding Challenges: The Case of a Spanish Aerospace Company</a></h3> <p>(published: September 29, 2023)</p> <p> Since at least 2020, Operation DreamJob, conducted by the North Korea-sponsored Lazarus Group, has impersonated recruiters to trick victims into downloading malicious files. 
In March 2023, Lazarus targeted a Spanish aerospace company on LinkedIn by posing as a Meta recruiter. ESET researchers discovered archived malicious executables disguised as alleged coding challenges. User execution results in three parallel infection chains delivering various payloads. The attack involved the NickelLoader downloader, the miniBlindingCan (AIRDRY.V2) backdoor, and the previously undocumented LightlessCan remote access trojan (RAT) with backdoor capabilities. Lazarus was able to reverse engineer a number of closed-source core Windows utilities (such as ipconfig, net, ping, sc, and systeminfo) to reimplement and discreetly execute them within the LightlessCan RAT itself. The attackers also employed execution guardrails so that the LightlessCan payload can only be decrypted on the intended victim’s machine.<br/> <b>Analyst Comment:</b> Mimicking the functionality of native Windows commands allows for more discreet, quiet execution, since the utilities are never launched as separate processes. Phishing awareness training should cover the possibility that attackers use a job-hunting context to deliver malware. A defense-in-depth approach should be used to stop sophisticated threats that evolve and employ various defense evasion techniques. 
Indicators associated with this latest Operation DreamJob activity are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10076" target="_blank">[MITRE ATT&amp;CK] T1593.001 - Search Open Websites/Domains: Social Media</a> | <a href="https://ui.threatstream.com/attackpattern/10052" target="_blank">[MITRE ATT&amp;CK] T1584.004 - Compromise Infrastructure: Server</a> | <a href="https://ui.threatstream.com/attackpattern/10060" target="_blank">[MITRE ATT&amp;CK] T1585.001 - Establish Accounts: Social Media Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/18599" target="_blank">[MITRE ATT&amp;CK] T1585.003 - Establish Accounts: Cloud Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/23223" target="_blank">[MITRE ATT&amp;CK] Resource Development - Develop Capabilities: Malware [T1587.001]</a> | <a href="https://ui.threatstream.com/attackpattern/10107" target="_blank">[MITRE ATT&amp;CK] T1608.001 - Stage Capabilities: Upload Malware</a> | <a href="https://ui.threatstream.com/attackpattern/22384" target="_blank">[MITRE ATT&amp;CK] Initial Access - Phishing: Spearphishing Link [T1566.002]</a> | <a href="https://ui.threatstream.com/attackpattern/9884" target="_blank">[MITRE ATT&amp;CK] T1566.003 - Phishing: Spearphishing Via Service</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&amp;CK] T1106: Native API</a> | <a href="https://ui.threatstream.com/attackpattern/9649" target="_blank">[MITRE ATT&amp;CK] T1053 - Scheduled Task/Job</a> | <a href="https://ui.threatstream.com/attackpattern/28394" target="_blank">[MITRE ATT&amp;CK] Execution - Shared Modules [T1129]</a> | <a href="https://ui.threatstream.com/attackpattern/22184" target="_blank">[MITRE ATT&amp;CK] Execution - User Execution: Malicious File [T1204.002]</a> | <a href="https://ui.threatstream.com/attackpattern/23579" 
target="_blank">[MITRE ATT&amp;CK] Picus: T1047 Windows Management Instrumentation of the MITRE ATT&amp;CK Framework</a> | <a href="https://ui.threatstream.com/attackpattern/9718" target="_blank">[MITRE ATT&amp;CK] T1134.002 - Access Token Manipulation: Create Process With Token</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&amp;CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9829" target="_blank">[MITRE ATT&amp;CK] T1480 - Execution Guardrails</a> | <a href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/27806" target="_blank">[MITRE ATT&amp;CK] Privilege Escalation - Hijack Execution Flow: DLL Side-Loading [T1574.002]</a> | <a href="https://ui.threatstream.com/attackpattern/26499" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information: Software Packing [T1027.002]</a> | <a href="https://ui.threatstream.com/attackpattern/18584" target="_blank">[MITRE ATT&amp;CK] T1027.007 - Obfuscated Files or Information: Dynamic Api Resolution</a> | <a href="https://ui.threatstream.com/attackpattern/18593" target="_blank">[MITRE ATT&amp;CK] T1027.009 - Obfuscated Files or Information: Embedded Payloads</a> | <a href="https://ui.threatstream.com/attackpattern/10102" target="_blank">[MITRE ATT&amp;CK] T1562.003 - Impair Defenses: Impair Command History Logging</a> | <a href="https://ui.threatstream.com/attackpattern/23206" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Impair Defenses: Disable or Modify System Firewall [T1562.004]</a> | <a href="https://ui.threatstream.com/attackpattern/27796" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Indicator Removal: File Deletion [T1070.004]</a> | <a href="https://ui.threatstream.com/attackpattern/9772" target="_blank">[MITRE ATT&amp;CK] T1070.006 - Indicator 
Removal on Host: Timestomp</a> | <a href="https://ui.threatstream.com/attackpattern/9813" target="_blank">[MITRE ATT&amp;CK] T1202 - Indirect Command Execution</a> | <a href="https://ui.threatstream.com/attackpattern/27826" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Process Injection [T1055]</a> | <a href="https://ui.threatstream.com/attackpattern/10000" target="_blank">[MITRE ATT&amp;CK] T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/12881" target="_blank">[MITRE ATT&amp;CK] T1620 - Reflective Code Loading</a> | <a href="https://ui.threatstream.com/attackpattern/23209" target="_blank">[MITRE ATT&amp;CK] Discovery - File and Directory Discovery [T1083]</a> | <a href="https://ui.threatstream.com/attackpattern/23227" target="_blank">[MITRE ATT&amp;CK] Discovery - Network Share Discovery [T1135]</a> | <a href="https://ui.threatstream.com/attackpattern/24155" target="_blank">[MITRE ATT&amp;CK] Discovery - Process Discovery [T1057]</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&amp;CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/23219" target="_blank">[MITRE ATT&amp;CK] Discovery - Remote System Discovery [T1018]</a> | <a href="https://ui.threatstream.com/attackpattern/27810" target="_blank">[MITRE ATT&amp;CK] Discovery - System Network Configuration Discovery [T1016]</a> | <a href="https://ui.threatstream.com/attackpattern/27820" target="_blank">[MITRE ATT&amp;CK] Discovery - System Network Connections Discovery [T1049]</a> | <a href="https://ui.threatstream.com/attackpattern/9632" target="_blank">[MITRE ATT&amp;CK] T1007 - System Service Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/22189" target="_blank">[MITRE ATT&amp;CK] Command and Control - Application Layer Protocol: Web Protocols [T1071.001]</a> | <a href="https://ui.threatstream.com/attackpattern/9717" target="_blank">[MITRE 
ATT&amp;CK] T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9622" target="_blank">[MITRE ATT&amp;CK] T1132.001 - Data Encoding: Standard Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/22191" target="_blank">[MITRE ATT&amp;CK] Exfiltration - Exfiltration Over C2 Channel [T1041]</a><br/> <b>Tags:</b> actor:Lazarus, mitre-group:Lazarus Group, malware:LightlessCan, malware:BlindingCan, malware:AIRDRY.V2, malware:miniBlindingCan, malware-type:Backdoor, malware-type:RAT, malware:NickelLoader, malware-type:Loader, malware-type:Dropper, detection:Win64/NukeSped, campaign:Operation DreamJob, target-country:ES, target-industry:Aerospace, impersonated:Meta, abused:LinkedIn Messaging, file-type:DAT, file-type:DLL, file-type:EXE, target-system:Windows </p> <h3 id="article-1"><a href="https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service" target="_blank">BunnyLoader, the Newest Malware-as-a-Service</a></h3> <p>(published: September 29, 2023)</p> <p> Zscaler researchers have discovered a new malware-as-a-service (MaaS) named BunnyLoader, which is being sold on multiple hacker forums for $250-350 US Dollars, depending on the package. Upon execution, BunnyLoader performs several actions including creating a new registry value, hiding the window, creating a mutex name, and performing anti-VM techniques. The malware is capable of stealing and replacing the contents of the system clipboard, downloading and executing payloads, logging keys, stealing sensitive data and cryptocurrency, and executing remote commands. Since its emergence in the beginning of September 2023, BunnyLoader has been under rapid development, in one month receiving at least ten updates with new features and bug fixes.<br/> <b>Analyst Comment:</b> Commodity MaaS offerings pose a risk of widespread adoption and use by threat actors employing diverse delivery methods. 
Indicators associated with BunnyLoader are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9779" target="_blank">[MITRE ATT&amp;CK] T1564.003 - Hide Artifacts: Hidden Window</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/28388" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Virtualization/Sandbox Evasion: System Checks [T1497.001]</a> | <a href="https://ui.threatstream.com/attackpattern/22189" target="_blank">[MITRE ATT&amp;CK] Command and Control - Application Layer Protocol: Web Protocols [T1071.001]</a> | <a href="https://ui.threatstream.com/attackpattern/9606" target="_blank">[MITRE ATT&amp;CK] T1565 - Data Manipulation</a> | <a href="https://ui.threatstream.com/attackpattern/28384" target="_blank">[MITRE ATT&amp;CK] Credential Access - Input Capture: Keylogging [T1056.001]</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/27801" target="_blank">[MITRE ATT&amp;CK] Collection - Archive Collected Data [T1560]</a><br/> <b>Tags:</b> malware:BunnyLoader, malware-type:Infostealer, malware-type:Loader, threat-type:MaaS, actor:PLAYER_BUNNY, actor:PLAYER_BL, file-type:EXE, file-type:DLL, target-system:Windows </p> <h3 id="article-1"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-tool-update-telecoms-govt" target="_blank">Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org</a></h3> <p>(published: September 28, 2023)</p> <p> The China-sponsored Emissary Panda (APT27, Budworm) group has been active since at least 2013. 
In August 2023, Symantec researchers discovered new Emissary Panda activity targeting a Middle Eastern telecommunications organization and an Asian government. The group has used a new variant of its custom SysUpdate backdoor. It was side-loaded using the legitimate INISafeWebSSO application, a specific sub-technique Emissary Panda has used since at least 2018. The group also used a variety of living-off-the-land tools (AdFind, Curl) and commodity credential-dumping tools (PasswordDumper, SecretsDump). <br/> <b>Analyst Comment:</b> Emissary Panda continues to actively develop its toolset, but does not shy away from using previously seen tactics, techniques and procedures (TTPs). Host-based indicators associated with the latest Emissary Panda campaigns are available in the Anomali platform for detection and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/27806" target="_blank">[MITRE ATT&amp;CK] Privilege Escalation - Hijack Execution Flow: DLL Side-Loading [T1574.002]</a> | <a href="https://ui.threatstream.com/attackpattern/22193" target="_blank">[MITRE ATT&amp;CK] Collection - Screen Capture [T1113]</a> | <a href="https://ui.threatstream.com/attackpattern/9632" target="_blank">[MITRE ATT&amp;CK] T1007 - System Service Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/24155" target="_blank">[MITRE ATT&amp;CK] Discovery - Process Discovery [T1057]</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a><br/> <b>Tags:</b> actor:Emissary Panda, actor:APT27, actor:Budworm, actor:LuckyMouse, mitre-group:Threat Group-3390, threat-type:APT, malware:SysUpdate, malware-type:Backdoor, target-industry:Government, target-industry:Telecom, target-region:Asia, source-country:CN, abused:INISafeWebSSO, tool:AdFind, 
malware-type:Network mapping, tool:Curl, malware-type:Command-line, malware:PasswordDumper, malware:SecretsDump, malware-type:Credential dumping, technique:DLL side-loading, file-type:DLL, target-system:Windows </p> <h3 id="article-1"><a href="https://www.proofpoint.com/us/blog/threat-insight/zenrat-malware-brings-more-chaos-calm" target="_blank">ZenRAT: Malware Brings More Chaos Than Calm</a></h3> <p>(published: September 26, 2023)</p> <p> Threat actors have used a fake download page for the popular password manager Bitwarden to distribute a previously unknown remote access trojan (RAT) named ZenRAT. Only Windows users visiting the malicious site are presented with the malicious payload. ZenRAT features a geofencing check that prevents execution in Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, and Ukraine. Additionally, it performs anti-virtualization checks on running processes and on the system disk size (it will not run on a disk smaller than 95GB). ZenRAT uses a custom C2 protocol to receive commands and exfiltrate system information and stolen data. <br/> <b>Analyst Comment:</b> ZenRAT has the potential to become a growing threat in the field of commodity RATs and infostealers. Users should download software exclusively from trusted sources and consistently inspect domains for indications of typosquatting. Exercise caution regarding ads in search engine results, as they persist as a significant method for diverting traffic to malicious websites. 
Indicators associated with ZenRAT are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/9614" target="_blank">[MITRE ATT&amp;CK] T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/22184" target="_blank">[MITRE ATT&amp;CK] Execution - User Execution: Malicious File [T1204.002]</a> | <a href="https://ui.threatstream.com/attackpattern/27796" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Indicator Removal: File Deletion [T1070.004]</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/27810" target="_blank">[MITRE ATT&amp;CK] Discovery - System Network Configuration Discovery [T1016]</a> | <a href="https://ui.threatstream.com/attackpattern/27789" target="_blank">[MITRE ATT&amp;CK] Discovery - Software Discovery: Security Software Discovery [T1518.001]</a> | <a href="https://ui.threatstream.com/attackpattern/27801" target="_blank">[MITRE ATT&amp;CK] Collection - Archive Collected Data [T1560]</a> | <a href="https://ui.threatstream.com/attackpattern/22191" target="_blank">[MITRE ATT&amp;CK] Exfiltration - Exfiltration Over C2 Channel [T1041]</a> | <a href="https://ui.threatstream.com/attackpattern/10082" target="_blank">[MITRE ATT&amp;CK] T1614 - System Location Discovery</a><br/> <b>Tags:</b> malware:ZenRAT, malware-type:RAT, malware-type:Infostealer, impersonated:ApplicationRuntimeMonitor, 
impersonated:Bitwarden, impersonated:Speccy, technique:Typosquatting, language:.NET, open-port:9890, file-type:EXE, target-system:Windows </p> </div> </p></div>
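The hostname pivot described in the LockBit affiliate story above, as an added example that is not code from the Anomali digest or from Luca Mella's research: it clusters scan records by reported Windows hostname to surface golden-image reuse and computes each cluster's CIS share. The records (documentation-range IPs, banners, countries) and the CIS membership set are constructed assumptions; only the WIN-LIVFRVQFMKO hostname comes from the digest.

```python
"""Cluster scan records by hostname to surface golden-image reuse.

Added example, not code from the Anomali digest or Luca Mella's research.
The records below are constructed (documentation-range IPs); only the
WIN-LIVFRVQFMKO hostname comes from the digest. CIS membership is assumed.
"""
from collections import defaultdict

# Assumed CIS member states (ISO 3166-1 alpha-2); adjust to your own policy.
CIS_COUNTRIES = {"AM", "AZ", "BY", "KZ", "KG", "MD", "RU", "TJ", "UZ"}

# Constructed scan records: IP, reported hostname, geolocation, FTP banner.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "hostname": "WIN-LIVFRVQFMKO", "country": "RU", "banner": "Microsoft FTP Service"},
    {"ip": "192.0.2.11", "hostname": "WIN-LIVFRVQFMKO", "country": "KZ", "banner": "Microsoft FTP Service"},
    {"ip": "192.0.2.12", "hostname": "WIN-LIVFRVQFMKO", "country": "US", "banner": "Microsoft FTP Service"},
    {"ip": "198.51.100.5", "hostname": "WIN-LIVFRVQFMKO", "country": "DE", "banner": "Microsoft FTP Service"},
    {"ip": "198.51.100.6", "hostname": "WIN-LIVFRVQFMKO", "country": "BY", "banner": "Microsoft FTP Service"},
    {"ip": "198.51.100.7", "hostname": "WIN-A1B2C3D4E5F", "country": "US", "banner": "Microsoft FTP Service"},
    {"ip": "203.0.113.9", "hostname": "WIN-F6E5D4C3B2A", "country": "FR", "banner": "vsFTPd 3.0.3"},
    {"ip": "203.0.113.10", "hostname": "WIN-A1B2C3D4E5F", "country": "NL", "banner": "Microsoft FTP Service"},
]


def cluster_by_hostname(records, min_hosts=3, banner_prefix="Microsoft FTP Service"):
    """Return {hostname: [records]} for hostnames seen on >= min_hosts distinct IPs.

    Windows assigns a random WIN-XXXXXXXXXXX name at install time, so the same
    name on many unrelated IPs indicates a cloned image, not coincidence. Only
    records whose banner starts with banner_prefix (IIS FTP here) are clustered.
    """
    groups = defaultdict(list)
    for rec in records:
        if rec["banner"].startswith(banner_prefix):
            groups[rec["hostname"]].append(rec)
    return {host: recs for host, recs in groups.items()
            if len({r["ip"] for r in recs}) >= min_hosts}


def cis_share(records):
    """Fraction of records geolocated to CIS countries, rounded to two places."""
    if not records:
        return 0.0
    hits = sum(1 for r in records if r["country"] in CIS_COUNTRIES)
    return round(hits / len(records), 2)


def pivot_report(records, min_hosts=3):
    """Per shared-hostname cluster: host count, CIS share and the IPs to hunt for."""
    return {
        host: {"hosts": len(recs),
               "cis_share": cis_share(recs),
               "ips": sorted(r["ip"] for r in recs)}
        for host, recs in cluster_by_hostname(records, min_hosts).items()
    }


if __name__ == "__main__":
    for host, summary in pivot_report(SCAN_RECORDS).items():
        print(f"{host}: {summary['hosts']} hosts, CIS share {summary['cis_share']:.0%}")
        for ip in summary["ips"]:
            print(f"  {ip}")
```

On real scan data the same grouping works on any install-time artifact the image carries (TLS certificate subject, RDP machine name), not only the FTP hostname.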
