January 3, 2023
Anomali Threat Research

Anomali Cyber Watch: Machine Learning Toolkit Targeted by Dependency Confusion, Multiple Campaigns Hide in Google Ads, Lazarus Group Experiments with Bypassing Mark-of-the-Web

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Backdoors, Data breaches, North Korea, Phishing,</b> and <b>Typosquatting</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-010423.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threats-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/" target="_blank">PyTorch Discloses Malicious Dependency Chain Compromise Over Holidays</a></h3> <p>(published: January 1, 2023)</p> <p>Between December 25th and December 30th, 2022, users who installed PyTorch-nightly were targeted by a malicious library. The malicious torchtriton dependency on PyPI relies on a dependency confusion attack: it has the same name as the legitimate one on the PyTorch repository (PyPI takes precedence unless excluded). The actor behind the malicious library claims that it was part of ethical research and that he alerted some affected companies via HackerOne programs (Facebook was allegedly alerted). At the same time, the library’s features are more consistent with malware than with a research project. The code is obfuscated, it employs anti-VM techniques, and it doesn’t stop at fingerprinting. It exfiltrates passwords, certain files, and the history of Terminal commands. Stolen data is sent to the C2 domain via encrypted DNS queries using the wheezy[.]io DNS server.<br /> <b>Analyst Comment:</b> The presence of the malicious torchtriton binary can be detected, and it should be uninstalled. 
The PyTorch team has renamed the &#39;torchtriton&#39; library to &#39;pytorch-triton&#39; and reserved the name on PyPI to prevent similar attacks. Open-source repositories and apps are a valuable asset for many organizations, but their adoption must be assessed for security risk, appropriately mitigated, and then monitored to ensure ongoing integrity.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9610" target="_blank">[MITRE ATT&CK] T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9639" target="_blank">[MITRE ATT&CK] T1003.008 - OS Credential Dumping: /Etc/Passwd And /Etc/Shadow</a> | <a href="https://ui.threatstream.com/attackpattern/9617" target="_blank">[MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel</a><br /> <b>Tags:</b> Dependency confusion, Dependency chain compromise, PyPI, PyTorch, torchtriton, Facebook, Meta AI, Exfiltration over DNS, Linux</p> </div> <div class="trending-threats-article"> <h3><a href="https://news.drweb.com/show/?i=14646&lng=en&c=23" target="_blank">Linux Backdoor Malware Infects WordPress-Based Websites</a></h3> <p>(published: December 30, 2022)</p> <p>Doctor Web researchers have discovered a new Linux backdoor that attacks websites based on the WordPress content management system. The latest version of the backdoor exploits 30 vulnerabilities in outdated versions of WordPress add-ons (plugins and themes). 
The exploited website pages are injected with malicious JavaScript that intercepts all user clicks on the infected page to cause a malicious redirect.<br /> <b>Analyst Comment:</b> Owners of WordPress-based websites should keep all the components of the platform up-to-date, including third-party add-ons and themes. Use strong and unique passwords for your accounts. It is not unusual for attackers to develop exploits for what might be considered ‘old’ vulnerabilities: organizations don’t always maintain up-to-date patching across all their applications with equal diligence and rigor, and maintaining an accurate software inventory is challenging. This provides an attack surface that is visible to attackers but a blind spot for organizations.<br /> All known indicators associated with this threat are available in the Anomali platform and customers are advised to block these on their infrastructure.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a><br /> <b>Tags:</b> detection:Linux.BackDoor.WordPressExploit, malware-type:Backdoor, WordPress, JavaScript, Malicious redirect, Linux</p> </div> <div class="trending-threats-article"> <h3><a href="https://labs.guard.io/masquerads-googles-ad-words-massively-abused-by-threat-actors-targeting-organizations-gpus-42ae73ee8a1e" target="_blank">“MasquerAds” — Google’s Ad-Words Massively Abused by Threat Actors, Targeting Organizations, GPUs and Crypto Wallets</a></h3> <p>(published: December 28, 2022)</p> <p>Multiple campaigns have been abusing Google Ads, hiding malicious redirects by profiling for a one-time valid gclid value (Google identifier for promotional flow) as well as additional visitors&#39; information (geo-location, user-agent, etc.). 
This fingerprinting, together with server-side forwarding, hides the malicious redirects from Google and sandboxes. Threat actors are able to change malicious payloads daily, bundle the malware with legitimate software, bloat files to 500Mb and above, and hide them inside reputable file sharing and code hosting servers like Discord’s CDN, Dropbox, and GitHub. One threat actor dubbed Vermux deployed hundreds of domains on servers located mostly in Russia, targeting mainly Canada and the US. Vermux concentrates on serving cryptominers via GPU-related search terms, but has been seen serving a variant of the Vidar trojan as well.<br /> <b>Analyst Comment:</b> Before clicking to download software, check if the domain name is misspelled. As is always the case, end user education and awareness remains a key component in any organization’s protective arsenal. Until search engines get better at recognizing these kinds of redirect abuse, take extra caution with search results, especially promoted ones. 
Companies can protect their users by proactively monitoring for typosquatting attempts (use Anomali Premium Digital Risk Protection or a similar service).<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/10023" target="_blank">[MITRE ATT&CK] T1496 - Resource Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/10082" target="_blank">[MITRE ATT&CK] T1614 - System Location Discovery</a><br /> <b>Tags:</b> MasquerAds, actor:Vermux, Google Ad-Words, Cryptocurrency wallet, target industry:Cryptocurrency, malware-type:Infostealer, detection:Raccoon, detection:TrickOrTreat, detection:Vidar, File bloating, GPU, malware-type:Miner, Russia, source-country:RU, Canada, target-country:CA, USA, target-country:US, Windows</p> </div> <div class="trending-threats-article"> <h3><a href="https://nakedsecurity.sophos.com/2022/12/28/twitter-data-of-400-million-unique-users-up-for-sale-what-to-do/" target="_blank">Twitter Data of “+400 Million Unique Users” up for Sale – What to Do?</a></h3> <p>(published: December 28, 2022)</p> <p>A threat actor under the alias Ryushi claims to be selling private data of over 400 million unique users of the Twitter social network. The actor shared a sample that included a number of the most popular US politicians and business people. The stolen data exposes associated emails and phone numbers; it was likely scraped prior to Twitter fixing an API abuse vulnerability in 2021. The data enables deanonymization and potential harassment, stalking, and social engineering attempts. 
The attacker has specifically addressed Twitter with the claim that the company will face European General Data Protection Regulation (GDPR) breach fines if the ransom is not paid.<br /> <b>Analyst Comment:</b> Privacy protection regulations similar to GDPR are a double-edged sword: they try to push companies to be more secure around users’ data, but also give additional leverage to the attackers if a breach does occur. High-profile Twitter users should prepare for potential spearphishing attacks via the email and phone number associated with their account.<br /> <b>Tags:</b> Twitter, Data breach, API abuse, Data scraping, Social engineering, Cyber stalking</p> </div> <div class="trending-threats-article"> <h3><a href="https://securelist.com/bluenoroff-methods-bypass-motw/108383/" target="_blank">BlueNoroff Introduces New Methods Bypassing MoTW</a></h3> <p>(published: December 27, 2022)</p> <p>Since September 2022, the financially-motivated, North Korea-sponsored BlueNoroff group (a subgroup of Lazarus Group) has modified its initial malware delivery steps while targeting cryptocurrency and financial industries in Japan, UAE, Taiwan, and the US. It has recently started to adopt new methods of malware delivery. BlueNoroff evades the Mark-of-the-Web flag by hiding a decoy document and a malicious script inside the image (.ISO) and virtual (.VHD) drives. The group was seen using multiple Living Off the Land Binaries, Visual Basic and Windows Batch scripts.<br /> <b>Analyst Comment:</b> Unsolicited emails delivering ISO and VHD attachments should be handled with extreme caution. While preparing for its attacks, BlueNoroff acquires typosquatted domains. 
Use Anomali Premium Digital Risk Protection to monitor for typosquatting targeting your brands.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9853" target="_blank">[MITRE ATT&CK] T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/9614" target="_blank">[MITRE ATT&CK] T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9687" target="_blank">[MITRE ATT&CK] T1547.008 - Boot or Logon Autostart Execution: Lsass Driver</a> | <a href="https://ui.threatstream.com/attackpattern/9592" target="_blank">[MITRE ATT&CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/10089" target="_blank">[MITRE ATT&CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/9915" target="_blank">[MITRE ATT&CK] T1055.002 - Process Injection: Portable Executable Injection</a> | <a href="https://ui.threatstream.com/attackpattern/10020" target="_blank">[MITRE ATT&CK] T1553.005 - Subvert Trust Controls: Mark-Of-The-Web Bypass</a> | <a href="https://ui.threatstream.com/attackpattern/9928" target="_blank">[MITRE ATT&CK] T1218.007 - Signed Binary Proxy Execution: Msiexec</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&CK] 
T1218.011 - Signed Binary Proxy Execution: Rundll32</a> | <a href="https://ui.threatstream.com/attackpattern/9797" target="_blank">[MITRE ATT&CK] T1221 - Template Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9617" target="_blank">[MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a><br /> <b>Tags:</b> actor:BlueNoroff, mitre-group:Lazarus Group, North Korea, source-country:KP, Japan, target-country:JP, Bypassing Mark-of-the-Web, APT, target-industry:Cryptocurrency, target-industry:Financial, Windows Batch script, VBS, file-type:ISO, file-type:VHD, file-type:BAT, file-type:VBS, file-type:EXE, LOLBins, DeviceCredentialDeployment, Typosquatting, Phishing, Unhooking DLL, Windows</p> </div> <div class="trending-threats-article"> <h3><a href="https://nakedsecurity.sophos.com/2022/12/23/lastpass-finally-admits-they-did-steal-your-password-vaults-after-all/" target="_blank">LastPass Finally Admits: Those Crooks Who Got in? They Did Steal Your Password Vaults, After All…</a></h3> <p>(published: December 23, 2022)</p> <p>The LastPass password management company previously admitted to an August 2022 breach and a follow-up attack that exfiltrated some of the customers’ information. In late December 2022, LastPass revealed that stolen customer data includes company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the service. 
Moreover, the threat actor was also able to copy a backup of customer vault data that included unencrypted URLs for the websites.<br /> <b>Analyst Comment:</b> LastPass users who used the default complexity of master password or stronger are likely safe from possible brute force attempts to reveal each of their passwords in the stolen vault. Other users are advised to change the master password and proceed to changing every password stored in the vault. Moreover, all LastPass users should raise their awareness of phishing attacks, as the stolen unencrypted data makes it easier to create a convincing spearphishing message.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9883" target="_blank">[MITRE ATT&CK] T1566 - Phishing</a><br /> <b>Tags:</b> LastPass, Password Vault, Data breach, Brute force, Spearphishing</p> </div>
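<p>An added example for the PyTorch torchtriton story above (not code from Anomali or the PyTorch team): a small requirements-file audit for the conditions that make dependency confusion possible. It relies on pip treating <code>--extra-index-url</code> as an additional source searched alongside PyPI; the function names, sample file, index URL and hash value are constructed for illustration.</p>

```python
import re
from importlib import metadata

# Name abused on PyPI per the article. The legitimate nightly dependency used the
# same name before its rename to pytorch-triton, so a hit means "verify the source".
WATCHED = {"torchtriton"}

def canon(name):
    """PEP 503 normalisation: case-insensitive, runs of -, _ and . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def audit_requirements(text):
    """Return (line_no, finding) tuples for the text of one requirements file."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #")[0].strip()          # drop trailing comments
        if not line or line.startswith("#"):
            continue
        if "--extra-index-url" in line:
            findings.append((no, "extra-index: PyPI is still searched for every name"))
            continue
        if line.startswith("-"):
            continue                               # other pip options are out of scope
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not m:
            continue
        if canon(m.group(0)) in WATCHED:
            findings.append((no, "watched-name: " + m.group(0)))
        if "--hash=" not in line:
            findings.append((no, "no-hash: " + m.group(0) + " accepted from any index"))
    return findings

def installed_watched(names=None):
    """Installed distribution names matching WATCHED (defaults to this environment)."""
    if names is None:
        names = [d.metadata.get("Name") for d in metadata.distributions()]
    return sorted(n for n in names if n and canon(n) in WATCHED)

# Constructed sample: placeholder index URL and hash, not values from the incident.
SAMPLE = """\
--extra-index-url https://pkgs.example.internal/simple
torch
torchtriton
numpy==1.24.1 --hash=sha256:CONSTRUCTED
"""

if __name__ == "__main__":
    for no, finding in audit_requirements(SAMPLE):
        print(f"requirements line {no}: {finding}")
    print("installed, needs review:", installed_watched())
```

<p>A <code>watched-name</code> or <code>installed_watched()</code> hit only says the name is present; confirming which index the artifact came from still has to be done against the installer logs or the package contents.</p>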
