February 15, 2022
Anomali Threat Research

Anomali Cyber Watch: Mobile Malware Is On The Rise, APT Groups Are Working Together, Ransomware For The Individual, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Mobile Malware, APTs, Ransomware, Infostealers,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-021522.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://blog.talosintelligence.com/2022/02/whats-with-shared-vba-code.html" target="_blank">What’s With The Shared VBA Code Between Transparent Tribe And Other Threat Actors?</a></h3> <p>(published: February 9, 2022)</p> <p>A recent discovery has been made that links malicious VBA macro code between multiple groups, namely: Transparent Tribe, Donot Team, SideCopy, Operation Hangover, and SideWinder. These groups operate (or operated) out of South Asia and use a variety of techniques with phishing emails and maldocs to target government and military entities within India and Pakistan. The code is similar enough that it suggests cooperation between APT groups, despite having completely different goals/targets.<br /> <b>Analyst Comment:</b> This research shows that APT groups are sharing TTPs to assist each other, regardless of motive or target. Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&CK] Phishing - T1566</a><br /> <b>Tags:</b> Transparent Tribe, Donot, SideWinder, Asia, Military, Government</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-installers-infect-you-with-redline-malware/" target="_blank">Fake Windows 11 Upgrade Installers Infect You With RedLine Malware</a></h3> <p>(published: February 9, 2022)</p> <p>Due to the recent announcement of Windows 11 upgrade availability, an unknown threat actor has registered a domain to trick users into downloading an installer that contains RedLine malware. The site, "windows-upgraded[.]com", is a direct copy of a legitimate Microsoft upgrade portal. Clicking the &#39;Upgrade Now&#39; button downloads a 734MB ZIP file which contains an excess of dead code; more than likely this is to increase the filesize for bypassing any antivirus scan. RedLine is a well-known infostealer, capable of taking screenshots, using C2 communications, keylogging and more.<br /> <b>Analyst Comment:</b> Any official Windows update or installation files will be downloaded through the operating system directly. If offline updates are necessary, only go through Microsoft sites and subdomains. Never update Windows from a third-party site due to this type of attack.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947184">[MITRE ATT&CK] Video Capture - T1125</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/3904494">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a><br /> <b>Tags:</b> RedLine, Windows 11, Infostealer</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://threatpost.com/molerats-apt-trojan-cyberespionage-campaign/178305/" target="_blank">MoleRats APT Flaunts New Trojan in Latest Cyber Espionage Campaign</a></h3> <p>(published: February 9, 2022)</p> <p>A member of the Gaza Cybergang known as &#39;MoleRats&#39; has launched a new attack against government entities within the Middle East. Targets include departments within Palestine and Turkey, as well as journalists and activists. The infection is spread via phishing emails and links. Malicious links are evasive and have multiple evasion techniques, such as tracking mouse movement, geofencing and redirection to legitimate news sites if the target doesn&#39;t meet certain criteria.<br /> <b>Analyst Comment:</b> The campaign by MoleRats is highly targeted and it is likely that actors may be impersonating officials or agencies with phishing emails. All employees should be educated on the risk of opening attachments or following links received from unknown or unexpected senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&CK] Automated Collection - T1119</a><br /> <b>Tags:</b> MoleRats, NimbleMamba, LastConn, TA402, BrittleBrush, Middle East</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-about-you-sugar-ransomware-targets-individuals/" target="_blank">“We absolutely do not care about you”: Sugar Ransomware Targets Individuals</a></h3> <p>(published: February 8, 2022)</p> <p>Sugar ransomware, also known as Encoded01, is a new strain discovered by the Walmart Security Team. Rather than focusing on enterprise environments and large entities, this ransomware-as-a-service (RaaS) targets individual systems and small businesses. Multiple similarities exist between ransom notes and the Tor site used for payment; the note is nearly identical to REvil, and the site is identical to the cl0p ransomware group. The infection method is currently unknown.<br /> <b>Analyst Comment:</b> As Sugar is relatively new and the infection method is unknown, users are advised to maintain regular security practices. Ensure antivirus is enabled and updated, do not open links or emailed documents from unknown senders. Regularly backup sensitive data on media that can be disconnected from the system and/or network, and have a plan in place to restore backups in the event of a ransomware infection.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3904494">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/3905778">[MITRE ATT&CK] Impair Defenses - T1562</a> | <a href="https://ui.threatstream.com/ttp/3904527">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/2402534">[MITRE ATT&CK] Inhibit System Recovery - T1490</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947120">[MITRE ATT&CK] System Service Discovery - T1007</a> | <a href="https://ui.threatstream.com/ttp/947252">[MITRE ATT&CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&CK] Process Injection - T1055</a><br /> <b>Tags:</b> Sugar, Encoded01, Ransomware, North America</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodity-rats-with-custom-gold-dragon-malware/" target="_blank">Kimsuki Hackers Use Commodity RATs With Custom Gold Dragon Malware</a></h3> <p>(published: February 8, 2022)</p> <p>Kimsuki, also known as TA406 and Velvet Chollima, is a North Korean hacking group that has recently stepped up their activity. According to a research group out of South Korea, Kimsuki is using xRAT (a commodity remote access tool) in conjunction with Gold Dragon, a custom second-stage backdoor. This malware bundle is being used against companies within South Korea to steal data and set persistent backdoors for reconnaissance. The main method of distribution is phishing emails. Active since 2017, Kimsuki started their most recent campaign on January 24, 2022; it is still ongoing.<br /> <b>Analyst Comment:</b> Documents from the internet should be opened in Protected View or Application Guard for Office, and if an unknown document prompts to “Enable Editing” users should be advised against doing so unilaterally.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3904527">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947162">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947184">[MITRE ATT&CK] Video Capture - T1125</a> | <a href="https://ui.threatstream.com/ttp/3904531">[MITRE ATT&CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&CK] Phishing - T1566</a><br /> <b>Tags:</b> Kimsuki, Velvet Chollima, TA406, Kimsuky, xRAT, Gold Dragon, North Korea</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://securelist.com/roaming-mantis-reaches-europe/105596/" target="_blank">Roaming Mantis Reaches Europe</a></h3> <p>(published: February 7, 2022)</p> <p>Roaming Mantis is a malicious campaign that targets iOS and Android devices, spreading mobile malware via smishing (phishing via SMS messages). The malware is heavily targeting phones in France and Germany with messages that contain a malicious link. Clicking on the link will take the user to a fictitious landing page where the malware is downloaded and installed.<br /> <b>Analyst Comment:</b> Be aware of who is sending unknown links. If an application needs to be installed, go to the Google Play or iOS store directly to download. Mobile malware is seeing an increase in use, so caution is advised whenever links are sent by unknown numbers.<br /> <b>Tags:</b> Roaming Mantis, Wroba, Android, iOS, EU, North America, China, Middle East</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-android-sms-phishing-attacks/" target="_blank">Medusa Malware Ramps Up Android SMS Phishing Attacks</a></h3> <p>(published: February 7, 2022)</p> <p>Medusa, also known as TangleBot, is an Android banking trojan that is now seeing an increase in activity within North America and Europe. The target receives a text message with a link to download one of these apps from a malicious source. Using the same distribution as the FluBot trojan, Medusa is capable of keylogging, live audio and video streaming, remote command execution, data exfiltration, and more. It was last found to be masquerading as an Android system update, Flash Player, Amazon Locker, and a Video Player.<br /> <b>Analyst Comment:</b> It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947184">[MITRE ATT&CK] Video Capture - T1125</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/3904494">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a><br /> <b>Tags:</b> Cabassous, Medusa, FluBot, TangleBot, EU, Banking and Finance</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/microsoft-these-hackers-are-targeting-emergency-response-and-security-organizations-in-ukraine/#ftag=RSSbaffb68" target="_blank">Microsoft: These Hackers Are Targeting Emergency Response And Security Organizations In Ukraine</a></h3> <p>(published: February 7, 2022)</p> <p>Gamaredon, also known as Actinium and Primitive Bear, a group that has been active for over a decade, is now targeting large aid organizations and Ukrainian government entities as tensions escalate over Russia assembling troops at the border. The group is thought to be linked to the Federal Security Service (FSB), working to attack and destabilize any organization responsible for the security and response to attacks against Ukraine. This includes compromising user accounts, phishing attacks, web shells, persistent backdoors, and infostealers.<br /> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3905071">[MITRE ATT&CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/3905768">[MITRE ATT&CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947199">[MITRE ATT&CK] Data Staged - T1074</a> | <a href="https://ui.threatstream.com/ttp/3904494">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/3904527">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&CK] Screen Capture - T1113</a><br /> <b>Tags:</b> Actinium, Primitive Bear, Gamaredon, Pterodo, PowerPunch, DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry, Ukraine, Russia, Government, Military</p> </div> <div class="trending-threats-article"> <h3 id="article-1"><a href="https://blog.talosintelligence.com/2022/02/vulnerability-spotlight-use-after-free.html" target="_blank">Vulnerability Spotlight: Use-after-free In Google Chrome Could Lead To Code Execution</a></h3> <p>(published: February 7, 2022)</p> <p>An exploitable vulnerability has recently been identified by the Cisco Talos team. It allows for a malformed web page that could trigger a use-after-free condition, which could lead to the execution of remote code on the victim machine. Chrome versions 94.0.4606.81 (Stable) and 97.0.4674.1 (Canary) were found to be vulnerable. This would allow attackers to potentially take control of the system or gain a foothold to allow for further attack.<br /> <b>Analyst Comment:</b> The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a><br /> <b>Tags:</b> CVE-2021-38008, Google Chrome</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week&#39;s Weekly Threat Briefing can be found below:</p> <p><a href="https://ui.threatstream.com/actor/1703" target="_blank">Gamaredon Group</a><br /> The Advanced Persistent Threat (APT) group “Gamaredon,” is believed to be a Russia-based group that has been active since at least 2013. The group is known for conducting cyber espionage campaigns targeting the Ukrainian government, law enforcement officials, media, and military. The Lookingglass Cyber Threat Intelligence Group first reported Gamaredon in their report on a cyberespionage campaign dubbed “Operation Armageddon” in April 2015, according to Palo Alto Networks Unit 42 researchers. This led Unit 42 researchers, in February 2017, to name the group “Gamaredon Group” because they believe the group conducted Operation Armageddon.</p> <p><a href="https://ui.threatstream.com/actor/27916" target="_blank">Velvet Chollima</a><br /> Velvet Chollima, also known as “Kimsuky”, is a suspected APT group believed to be linked to the Democratic People’s Republic of Korea (DPRK). Active since at least 2013, the primary motive of the group is espionage against South Korea. An increase of activity occurred during the period of the 2018 summit between United States President Donald Trump and DPRK Leader Kim Jong-Un.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.