February 6, 2023
Anomali Threat Research

Anomali Cyber Watch: MalVirt Obfuscates with KoiVM Virtualization, IceBreaker Overlay Hides V8 Bytecode Runtime Interpretation, Sandworm Deploys Multiple Wipers in Ukraine

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Data leak, Malvertising, North Korea, Proxying, Russia, Typosquatting, Ukraine,</b> and <b>Wipers</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-020723.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://labs.withsecure.com/content/dam/labs/docs/WithSecure-Lazarus-No-Pineapple-Threat-Intelligence-Report-2023.pdf" target="_blank">No Pineapple! –DPRK Targeting of Medical Research and Technology Sector</a></h3> <p>(published: February 2, 2023)</p> <p>In August-November 2022, North Korea-sponsored group Lazarus has been engaging in cyberespionage operations targeting defense, engineering, healthcare, manufacturing, and research organizations. The group has shifted their infrastructure from using domains to be solely IP-based. For initial compromise the group exploited known vulnerabilities in unpatched Zimbra mail servers (CVE-2022-27925 and CVE-2022-37042). Lazarus used off the shelf malware (Cobalt Strike, JspFileBrowser, JspSpy webshell, and WSO webshell), abused legitimate Windows and Unix tools (such as Putty SCP), and tools for proxying (3Proxy, Plink, and Stunnel). Two custom malware unique to North Korea-based advanced persistent threat actors were a new Grease version that enables RDP access on the host, and the Dtrack infostealer.<br /> <b>Analyst Comment:</b> Organizations should keep their mail server and other publicly-facing systems always up-to-date with the latest security features. Lazarus Group cyberespionage attacks are often accompanied by stages of multi-gigabyte exfiltration traffic. Suspicious connections and events should be monitored, detected and acted upon. Use the available YARA signatures and known indicators.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/10055" target="_blank">[MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates</a> | <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/14432" target="_blank">[MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique—T1059 Command and Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/3718" target="_blank">[MITRE ATT&CK] T1569.002: Service Execution</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&CK] T1106: Native API</a> | <a href="https://ui.threatstream.com/attackpattern/9869" target="_blank">[MITRE ATT&CK] T1505.003 - Server Software Component: Web Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9681" target="_blank">[MITRE ATT&CK] T1037.005 - Boot or Logon Initialization Scripts: Startup Items</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9584" target="_blank">[MITRE ATT&CK] T1553 - Subvert Trust Controls</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/18595" target="_blank">[MITRE ATT&CK] T1070.007 - Indicator Removal: Clear Network Connection History And Configurations</a> | <a href="https://ui.threatstream.com/attackpattern/9642" target="_blank">[MITRE ATT&CK] T1136 - Create Account</a> | <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9808" target="_blank">[MITRE ATT&CK] T1003.001 - OS Credential Dumping: Lsass Memory</a> | <a href="https://ui.threatstream.com/attackpattern/10084" target="_blank">[MITRE ATT&CK] T1556 - Modify Authentication Process</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/10019" target="_blank">[MITRE ATT&CK] T1018 - Remote System Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9631" target="_blank">[MITRE ATT&CK] T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9957" target="_blank">[MITRE ATT&CK] T1049 - System Network Connections Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9863" target="_blank">[MITRE ATT&CK] T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9701" target="_blank">[MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account</a> | <a href="https://ui.threatstream.com/attackpattern/9605" target="_blank">[MITRE ATT&CK] T1021.001 - Remote Services: Remote Desktop Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9605" target="_blank">[MITRE ATT&CK] T1021.001 - Remote Services: Remote Desktop Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9981" target="_blank">[MITRE ATT&CK] T1114.002 - Email Collection: Remote Email Collection</a> | <a href="https://ui.threatstream.com/attackpattern/9692" target="_blank">[MITRE ATT&CK] T1560 - Archive Collected Data</a> | <a href="https://ui.threatstream.com/attackpattern/9803" target="_blank">[MITRE ATT&CK] T1074 - Data Staged</a> | <a href="https://ui.threatstream.com/attackpattern/9794" target="_blank">[MITRE ATT&CK] T1119 - Automated Collection</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9734" target="_blank">[MITRE ATT&CK] T1090.002 - Proxy: External Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9629" target="_blank">[MITRE ATT&CK] T1090.001 - Proxy: Internal Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9617" target="_blank">[MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel</a><br /> <b>Tags:</b> mitre-group:Lazarus Group, North Korea, source-country:KP, India, target-country:IN, target-industry:Defense, target-industry:Engineering, target-industry:Healthcare, target-industry:Manufacturing, target-industry:Research, target-industry:Universities, APT, Cyberespionage, Data leak, Printnightmare, CVE-2021-34527, CVE-2022-27925, CVE-2022-37042, CVE-2021-4034, file-type:JSP, Plink, 3Proxy, RDPWrapper, malware:JspSpy, malware:WSO webshell, malware-type:webshell, mitre-software:Cobalt Strike, malware:Dtrack, malware-type:Infostealer, malware:Grease, RDP access, Windows, Unix</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/" target="_blank">MalVirt | .NET Virtualization Thrives in Malvertising Attacks</a></h3> <p>(published: February 2, 2023)</p> <p>SentinelLabs detected a malvertising campaign that uses a virtualized malware loader dubbed MalVirt. The loader uses KoiVM virtualization from the ConfuserEX .NET protector. It turns the .NET opcodes into new ones that only are understood by the KoiVM virtual machine. MalVirt has obfuscated namespace, class, and function names, it can patch the AmsiScanBuffer function to bypass the Anti Malware Scan Interface, and uses Base-64 encoding and AES-encryption for some strings that can raise suspicion. The final payload, an infostealer from the Formbook/XLoader family is disguising its C2 traffic camouflaging the true C2 domain through beaconing to multiple domains. It also employs anti-analysis and anti-detection techniques such as detecting the presence of user- and kernel-land debuggers using the NtQueryInformationProcess and NtQuerySystemInformation functions.<br /> <b>Analyst Comment:</b> Consider using an ad-blocker service. Before clicking to download a software, check if the domain name is misspelled. As is always the case, end user education and awareness remains a key component in any organization’s protective arsenal. Until search engines get better in recognizing these kinds of redirect abuse, take extra caution with search results, especially promoted ones.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9592" target="_blank">[MITRE ATT&CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&CK] T1622 - Debugger Evasion</a><br /> <b>Tags:</b> malware:MalVirt, malware-type:Loader, Malvertising, Google Ads, malware:Formbook, malware:XLoader, malware-type:Infostealer, Virtualization, .Net, KoiVM, ConfuserEX, file-type:EXE, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.deepinstinct.com/blog/no-macro-no-worries-vsto-being-weaponized-by-threat-actors" target="_blank">No Macro? No Worries. VSTO Being Weaponized by Threat Actors</a></h3> <p>(published: February 1, 2023)</p> <p>After Microsoft decided to block-by-default any VBA macro in Office files bearing the mark-of-the-web, threat actors started looking for new delivery methods including Visual Studio Tools for Office (VSTO). Deep Instinct detected in-the-wild samples abusing VSTO, a software development toolset available in Microsoft’s Visual Studio IDE. VSTO allows to develop .Net-based Office Add-In’s, incorporate them into an Office document for delivery and execution, and achieve persistence by associating with an Office application and run each time the application is booted.<br /> <b>Analyst Comment:</b> Security vendors should incorporate monitoring for VSTO. When handling a potential suspicious maldocs, users should be suspicious if prompted to install an Add-In and/or a customization.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10020" target="_blank">[MITRE ATT&CK] T1553.005 - Subvert Trust Controls: Mark-Of-The-Web Bypass</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9704" target="_blank">[MITRE ATT&CK] T1137.006 - Office Application Startup: Add-Ins</a><br /> <b>Tags:</b> file-type:VSTO, Visual Studio Tools for Office, Visual Studio IDE, .Net, file-type:DLL, file-type:ZIP, PowerShell, Microsoft, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.securityjoes.com/post/operation-ice-breaker-targets-the-gam-bl-ing-industry-right-before-it-s-biggest-gathering" target="_blank">Operation Ice Breaker Targets The Gam(bl)ing Industry Right Before It&#39;s Biggest Gathering</a></h3> <p>(published: February 1, 2023)</p> <p>Security Joes researchers detected several incidents for the Operation Ice Breaker campaign targeting gaming and gambling industries. The unidentified attackers used typosquatted domains and targeted customer support chats with malicious links masquerading as error screenshot images. One attack chain used a VBS downloader to deliver the well-documented Houdini RAT, another used a LNK downloader to download and execute an additional MSI package. These MSI packages impersonated legitimate software installers for Avast Free Antivirus or Formware 3D and contained a set of decoy files and a CAB archive with a compressed version of the IceBreaker Backdoor. IceBreaker executable has a unique use for the overlay appended to the end of the original executable: it stores V8 Bytecode, an abstraction of machine code that represents the code of the script and is interpreted at runtime by the V8’s Ignition interpreter.<br /> <b>Analyst Comment:</b> Operation Ice Breaker used two specific social engineering techniques that could be taught to client-facing support agents. First, they complained to customer support without actually having an account with the company. Second, to mask their broken English, they were requesting support in different languages (Spanish, French) but communicated in English.<br /> Network defenders are advised to monitor for the execution of VBS scripts and LNK files from the Temp folder; LNK files created in the startup folder; creation of msiexec.exe processes receiving URLs as parameters; and unauthorized tsocks.exe tool execution.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9884" target="_blank">[MITRE ATT&CK] T1566.003 - Phishing: Spearphishing Via Service</a> | <a href="https://ui.threatstream.com/attackpattern/9614" target="_blank">[MITRE ATT&CK] T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9853" target="_blank">[MITRE ATT&CK] T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/12870" target="_blank">[MITRE ATT&CK] T1036.007 - Masquerading: Double File Extension</a> | <a href="https://ui.threatstream.com/attackpattern/9928" target="_blank">[MITRE ATT&CK] T1218.007 - Signed Binary Proxy Execution: Msiexec</a> | <a href="https://ui.threatstream.com/attackpattern/10025" target="_blank">[MITRE ATT&CK] T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/10018" target="_blank">[MITRE ATT&CK] T1087.001 - Account Discovery: Local Account</a> | <a href="https://ui.threatstream.com/attackpattern/9985" target="_blank">[MITRE ATT&CK] T1518 - Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9733" target="_blank">[MITRE ATT&CK] T1572 - Protocol Tunneling</a> | <a href="https://ui.threatstream.com/attackpattern/9720" target="_blank">[MITRE ATT&CK] T1571 - Non-Standard Port</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols</a><br /> <b>Tags:</b> Operation Ice Breaker, malware:IceBreaker, malware-type:Backdoor, file-type:VBS, file-type:LNK, malware:Houdini RAT, malware-type:RAT, file-type:ZIP, Reverse shell, DropBox, Bytenode, file-type:JSC, Customer service, Typosquatting, IDN homograph attack, Social engineering, file-type:MSI, file-type:CAB, file-type:EXE, Node.js, C++, JavaScript, V8 Bytecode, Ignition interpreter, target-industry:Gaming, target-industry:Gambling, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/01/new-data-wipers-deployed-by-sandworm-group-against-ukraine" target="_blank">New Data Wipers Deployed Against Ukraine</a></h3> <p>(published: January 30, 2023)</p> <p>The Computer Emergency Response Team of Ukraine (CERT-UA) reported a sophisticated, partially-successful, data-wiping attack against one of Ukraine’s news agencies. The reconnaissance started on December 7, 2022, or earlier, followed by the initial access. On January 17, 2023, the attacker attempted to deploy and execute five different wipers using a group policy object (GPO) for scheduled task creation. CaddyWiper and ZeroWipe malware, and the SDelete legitimate utility were targeting Windows. Additional two wipers were AwfulShred targeting Linux and BidSwipe targeting FreeBSD. The attack was advertised on the CyberArmyofRussia_Reborn Telegram channel associated with the Russia-sponsored Sandworm Team, likely responsible for the attack.<br /> <b>Analyst Comment:</b> Advanced data wiping campaigns can be spoiled by having proper safe-guards in place including, but not limited to online and offline backups, requiting proper authorization for data removal, and other protections. For legitimate tool abuse, network defenders are advised to establish a baseline for typical running processes and monitor for anomalies.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9982" target="_blank">[MITRE ATT&CK] T1485 - Data Destruction</a> | <a href="https://ui.threatstream.com/attackpattern/9649" target="_blank">[MITRE ATT&CK] T1053 - Scheduled Task/Job</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&CK] T1490: Inhibit System Recovery</a><br /> <b>Tags:</b> malware:CaddyWiper, malware:ZeroWipe, detection:SDelete, malware:AwfulShred, malware:BidSwipe, malware-type:Wiper, mitre-group:Sandworm Team, actor:UAC-0082, CyberArmyofRussia_Reborn, APT, Russia, source-country:RU, GRU, Ukraine, target-country:UA, target-industry:Mass media, Group Policy Object, TOR, file-type:EXE, file-type:BAT, file-type:SH, Windows, Linux, FreeBSD</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/" target="_blank">SwiftSlicer: New Destructive Wiper Malware Strikes Ukraine</a></h3> <p>(published: January 27, 2023)</p> <p>Russia-sponsored group Sandworm Team have been detected targeting Ukraine with a new Go-based wiper dubbed SwiftSlicer. Sandworm deployed the wiper using Active Directory Group Policy. The initial intrusion vector used to compromise the organization is unknown. SwiftSlicer is capable of deleting shadow copies, recursively overwriting critical system files and drivers, and rebooting. For overwriting, it uses a 4096 bytes length random-data block.<br /> <b>Analyst Comment:</b> In 2022, Russian APT groups used several different wipers. SwiftSlicer shows that the data destruction threat continues to evolve. Organizations with exposure to the military conflict in Ukraine should prepare offline backups to minimize the effects of a potential data-wiping attack.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9982" target="_blank">[MITRE ATT&CK] T1485 - Data Destruction</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/9736" target="_blank">[MITRE ATT&CK] T1529 - System Shutdown/Reboot</a><br /> <b>Tags:</b> detection:SwiftSlicer, detection:WinGo/KillFiles.C, Golang, malware-type:Wiper, mitre-group:Sandworm Team, APT, Russia, source-country:RU, GRU, Ukraine, target-country:UA, Active Directory Group Policy, Windows</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.