August 3, 2021
Anomali Threat Research

Anomali Cyber Watch: LockBit ransomware, Phony Call Centers Lead to Exfiltration and Ransomware, VBA RAT using Double Attack Vectors, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Android malware, APT, Data leak, macOS malware, Phishing, Ransomware</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src=""/></p> <p><em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">BazaCall: Phony Call Centers Lead to Exfiltration and Ransomware</a></h3> <p>(published: July 29, 2021)</p> <p>BazaCall campaigns have forgone malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. Actual humans then provide the callers with step-by-step instructions for installing malware. The BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user's device, which allows for a fast network compromise. The lack of obvious malicious elements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective.<br/> <b>Analyst Comment:</b> All users should be informed of the risk phishing poses, and how to safely make use of email. They should take notice that a phone number sent to them can be fraudulent too. In the case of infection, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. Implement a backup solution for your users to ease the pain of losing sensitive and important data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> BazaCall, Bazaar, Ransomware</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Crimea “Manifesto” Deploys VBA Rat Using Double Attack Vectors</a></h3> <p>(published: July 29, 2021)</p> <p>Hossein Jazi has identified a suspicious document named "Манифест". It downloads and executes two templates: one is macro-enabled and the other is an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit is an unusual discovery.<br/> <b>Analyst Comment:</b> Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Template Injection - T1221</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a><br/> <b>Tags:</b> VBA, Russia, RAT, CVE-2021-26411, Macros</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Vulter V For VNC</a></h3> <p>(published: July 29, 2021)</p> <p>ThreatFabric has identified a new Android malware, named Vultur. Vultur, a banking trojan, has the capabilities to record screens and keystrokes to steal credentials. The malware abuses the accessibility services to gain permissions, as well as to log keystrokes. After checking what applications are running, Vultur uses VNC (Virtual Network Computing) to record the screen. The main targets of the malware are Australia, Italy, Spain, and cryptocurrency wallets.<br/> <b>Analyst Comment:</b> Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.<br/> <b>Tags:</b> Android, Dropper, Keylogger, Brunhilda, RAT, Vultur, VNC</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Threat Spotlight: Solarmarker</a></h3> <p>(published: July 29, 2021)</p> <p>Researchers at Cisco Talos have discovered a new .NET info stealer, named Solarmaker. Browser information, cookie data and credentials are among the data that is stolen. Various industries appear to be targeted including engineering, financial and religious organizations.<br/> <b>Analyst Comment:</b> Sometimes the simplest infection chain can be very effective. Users need to exercise caution when downloading and opening files downloaded from the internet.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a><br/> <b>Tags:</b> Powershell, .NET, Info Stealer</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Northern Ireland Suspends Vaccine Passport System After Data Leak</a></h3> <p>(published: July 28, 2021)</p> <p>Northern Ireland's Department of Health has temporarily suspended its COVIDCert service. The COVIDCert service is to validate the vaccine status of individuals in Northern Ireland. Some users of the NI app were presented with data of other users, says the Department. Neither the web service nor the mobile app functionality is accessible at the time of writing. The NI service is available via the website or mobile app for Android and iOS users.<br/> <b>Analyst Comment:</b> The Department of Health claims to be working on the issue, users are awaiting an investigation into the matter.<br/> <b>Tags:</b> COVID, COVID passport, Northern Ireland, Mobile app</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">UC San Diego Health Discloses Data Breach After Phishing Attack</a></h3> <p>(published: July 27, 2021)</p> <p>UC San Diego Health, the academic health system of the University of California, San Diego, has disclosed a data breach after the compromise of some employees' email accounts. The attackers may have accessed or acquired the personal information of patients, employees, and students between December 2, 2020, and April 8, 2021. While the threat actors had access to the email accounts for more than four months, an ongoing investigation by its security teams and external cybersecurity experts has not found any evidence that this information has been misused.<br/> <b>Analyst Comment:</b> Breaches such as this one serves to remind businesses that cyber security is a constant effort; monitoring, detecting, securing, preventing and responding to threats. Organisations should regularly review and audit their security controls to detect and remediate any accidental as well as malicious risk. Especially when it concerns personally identifiable information (PII).<br/> <b>Tags:</b> Data Leak, UC, Healthcare, PII</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">LockBit Ransomware Now Encrypts Windows Domains Using Group Policies</a></h3> <p>(published: July 27, 2021)</p> <p>A new version of the ransomware-as-a-service (RaaS), LockBit, has been found. The new version uses Active Directory group policies to automate the encryption, removing the need for scripts. Previously LockBit required third-party software to deploy scripts used for disabling antivirus, whereas with the new version this is no longer required. Once executed, new policies are created that disable Windows Defender, and create a scheduled task.<br/> <b>Analyst Comment:</b> Anti-spam and antivirus applications provided from trusted vendors should be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a><br/> <b>Tags:</b> Ransomware, Group policies, LockBit</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Time-Proven Tricks In A New Environment: The macOS Evolution of Formbook</a></h3> <p>(published: July 27, 2021)</p> <p>Researchers at Checkpoint have found a new variant of Formbook that operates in macOS. Named “XLoader”, the malware was found for sale on an underground forum. XLoader utilizes a p-trace anti-debugging technique and encrypted strings. For persistence, the malware copies itself to the user's home directory, along with creating a plist file that is added to the Launch Agents folder for auto start. XLoader commands include: download and execute file, uninstall, shutdown, recover passwords, clear cookies, and visit url.<br/> <b>Analyst Comment:</b> This story serves a reminder for users that while not as common, macOS malware still exists and poses a threat for users. Always practice Defense-in-Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe) and be careful when opening emails.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a><br/> <b>Tags:</b> macOS, Formbook, XLoader, Java, C2</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group</a></h3> <p>(published: July 27, 2021)</p> <p>While monitoring the Microsoft Exchange Server attacks in March 2021, Unit 42 researchers identified a PlugX variant delivered as a post-exploitation remote access tool. PlugX is a second-stage implant typically used by Mustang Panda. The variant observed by Unit 42 is unique in that it contains a change to its core source code: the replacement of its trademark word "PLUG" to "THOR". Exploiting multiple zero-days on an Exchange Server, a webshell was uploaded to a public facing web directory.<br/> <b>Analyst Comment:</b> PlugX is a malware and relies upon known vulnerabilities within the Microsoft Exchange Server. Always keep your systems patched with the latest fixes from Microsoft. Microsoft typically releases new security fixes every Tuesday (Patch Tuesday). Users should have updates installed automatically, so they don't forget or delay when these critical patches are available. Put update policies in place for users of Windows, Mac, and Linux.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> PlugX, THOR, Mustang Panda, Microsoft Exchange Server</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Bombshell Leak Shows Iran Creating ‘Target Bank’ For Future Cyber Assaults</a></h3> <p>(published: July 26, 2021)</p> <p>An anonymous source has leaked documents related to Iran’s cyber capabilities, including their abilities to potentially sink cargo ships or blow up petrol stations. The documents contain information related to American, British and French companies, which may potentially indicate collecting information for future targets. Iran appears to be attempting to increase their posture in the global cyber landscape, analyzing areas that would be vulnerable to mass disruption. Along with vessels and petrol stations, other areas of interest included smart buildings and maritime communication devices.<br/> <b>Analyst Comment:</b> Spearphishing and business email compromise (BEC) are often a preferred way for threat actors to penetrate shipping and other industries. It is important to have training, patch management and protections in place, and, if possible, isolate HR and billing departments from critical parts of the organization’s network. When adding connectivity to industrial control systems (ICS) the risks of the potential cyber attack should be weighed against the convenience of the online access.<br/> <b>Tags:</b> Iran, UK, Cyberwarfare</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.