Anomali Cyber Watch: MuddyWater Hides Behind Legitimate Remote Administration Tools, Vice Society Tops Ransomware Threats to Education, Abandoned JavaScript Library Domain Pushes Web-Skimmers

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Compromised websites, Education, Healthcare, Iran, Phishing, Ransomware, and Supply chain. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

New MuddyWater Threat: Old Kitten; New Tricks

(published: December 8, 2022)

Between 2020 and 2022, the Iran-sponsored MuddyWater group (also tracked as Static Kitten and Mercury) abused a succession of legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater has used spearphishing to deliver links to archived MSI files carrying yet another remote administration tool, Syncro. Deep Instinct researchers observed targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.
Analyst Comment: Network defenders are advised to establish a baseline of the processes that normally run in their environment and to monitor for remote desktop solutions that are not common in the organization.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows
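The baselining recommended above, as an added example that is not part of the Anomali write-up or Deep Instinct's research: process-creation records (constructed here, in the shape of Sysmon Event ID 1 fields) are matched against keywords for the four tools the story names, and any tool outside an assumed approved set (APPROVED_RMM) is reported. The command line is checked as well, so the MSI installer step is caught before the agent runs.

```python
"""Flag remote administration tools running outside the organization's baseline.
Added example (not from the Anomali write-up or Deep Instinct); events are constructed."""
from typing import Optional

# Keywords derived from the product names in the write-up; matching them against the
# image path or command line is a heuristic, not a vendor-documented indicator.
RMM_KEYWORDS = {
    "RemoteUtilities": ("remoteutilities", "remote utilities"),
    "ScreenConnect": ("screenconnect",),
    "Atera": ("atera",),
    "Syncro": ("syncro",),
}
# Assumed baseline: the one remote-support product the organization actually uses.
APPROVED_RMM = frozenset({"ScreenConnect"})


def classify_rmm(image: str, cmdline: str = "") -> Optional[str]:
    """Return the RMM product a process appears to belong to, or None."""
    haystack = f"{image} {cmdline}".lower()
    for product, keys in RMM_KEYWORDS.items():
        if any(k in haystack for k in keys):
            return product
    return None


def find_unapproved_rmm(events, approved=APPROVED_RMM):
    """Return (host, user, product, image) for each RMM process not in the baseline.
    The command line is checked too, so an installer (msiexec running a Syncro MSI,
    as in this campaign) is caught before the agent is even running."""
    hits = []
    for ev in events:
        product = classify_rmm(ev["image"], ev.get("cmdline", ""))
        if product and product not in approved:
            hits.append((ev["host"], ev["user"], product, ev["image"]))
    return hits


# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"host": "WS-017", "user": "corp\\jdoe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"host": "WS-042", "user": "corp\\asmith", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\asmith\Downloads\Syncro_Setup.msi /qn"},
    {"host": "FS-01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe"},
    {"host": "WS-003", "user": "corp\\bwong", "image": r"C:\Windows\System32\notepad.exe"},
]
```

Against the sample events the approved ScreenConnect client is ignored, while the Syncro installer on WS-042 and the Atera agent on FS-01 are reported.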

Babuk Ransomware Variant in Major New Attack

(published: December 7, 2022)

In November 2022, Morphisec researchers identified a new ransomware variant based on the Babuk source code that leaked in 2021. One modification lowers detection by abusing a legitimate Microsoft-signed process: the payload is DLL side-loaded into NTSD.exe, a symbolic debugger tool for Windows. The mechanism for removing available Shadow Copies was changed to use Component Object Model (COM) objects that execute Windows Management Instrumentation (WMI) queries. The sample was detected at a large, unnamed manufacturing company where the attackers had held network access and gathered information for two weeks. They compromised the company's domain controller and used it to distribute the ransomware to every device in the organization through a Group Policy Object. The delivered BAT script bypasses User Account Control and executes a malicious MSI file containing the files for DLL side-loading and an open-source-based reflective loader (OCS files).
Analyst Comment: The attackers keep improving their evasion techniques: at several steps their malware hides behind Microsoft-signed processes and lives primarily in device memory. This increases the need for a defense-in-depth approach and robust monitoring of your organization's domain.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Group Policy Modification - T1484 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] Inhibit System Recovery - T1490 | [MITRE ATT&CK] Inter-Process Communication - T1559
Tags: detection:Babuk, malware-type:Ransomware, Leaked source code, Russian-speaking, target-industry:Manufacturing, UAC bypass, COM objects, WMI queries, DLL side-loading, file-type:BAT, file-type:MSI, file-type:DLL, file-type:OCS, Windows
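One monitoring check that addresses the side-loading step described above, as an added example that is not from the Anomali write-up or Morphisec's analysis: image-load records (constructed, in the shape of Sysmon Event ID 7 fields) are inspected for the signed debugger NTSD.exe loading a DLL from outside an assumed set of trusted directories, or loading an unsigned DLL. The DLL name in the malicious sample record is a placeholder, not the name from the real campaign.

```python
"""Detect a Microsoft-signed debugger (NTSD.exe) loading a DLL from an untrusted place.
Added example (not from the Anomali write-up or Morphisec's analysis); the image-load
records are constructed and the trusted directories are an assumption to adapt."""
from pathlib import PureWindowsPath

# Signed host binaries the write-up shows being abused for DLL side-loading.
WATCHED_HOSTS = frozenset({"ntsd.exe"})
# Locations from which such a tool is expected to load its DLLs (assumed baseline).
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                r"C:\Program Files (x86)\Windows Kits")


def is_trusted_path(path: str) -> bool:
    """True if path lies under one of TRUSTED_DIRS (case-insensitive, like NTFS)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in TRUSTED_DIRS)


def find_sideloads(events):
    """Return (host, image, dll, reason) for each watched process that loads a DLL
    from an untrusted directory or loads an unsigned DLL. Either condition alone is
    enough: side-loaded DLLs usually sit next to a copied host binary and are unsigned."""
    hits = []
    for ev in events:
        if PureWindowsPath(ev["image"]).name.lower() not in WATCHED_HOSTS:
            continue
        dll = ev["image_loaded"]
        reasons = []
        if not is_trusted_path(dll):
            reasons.append("untrusted path")
        if not ev.get("signed", False):
            reasons.append("unsigned")
        if reasons:
            hits.append((ev["host"], ev["image"], dll, ", ".join(reasons)))
    return hits


# Constructed image-load events in the shape of Sysmon Event ID 7 fields. The DLL name
# in the malicious record is a placeholder, not the name from the real campaign.
SAMPLE_EVENTS = [
    {"host": "WS-011", "image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ntsd.exe",
     "image_loaded": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbgeng.dll",
     "signed": True},
    {"host": "WS-042", "image": r"C:\Users\Public\Libraries\ntsd.exe",
     "image_loaded": r"C:\Users\Public\Libraries\example_sideload.dll", "signed": False},
    {"host": "WS-042", "image": r"C:\Windows\System32\notepad.exe",
     "image_loaded": r"C:\Users\Public\Libraries\example_sideload.dll", "signed": False},
]
```

Only the copy of NTSD.exe in a user-writable directory is reported; the notepad.exe record is skipped because it is not a watched host, which is why the watch list should be kept short and tied to binaries that are known to be abused.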

DEV-0139 Launches Targeted Attacks Against the Cryptocurrency Industry

(published: December 6, 2022)

DEV-0139, a suspected state-sponsored group, has been conducting sophisticated targeting of the cryptocurrency investment industry. The social engineering phase of the attack began in October 2022. The attackers showed deep knowledge of the targeted industry and communicated with targets both in existing Telegram groups and in newly created, attacker-controlled ones. After gaining initial trust, DEV-0139 delivers malicious macros in an XLS spearphishing attachment (an alternative infection chain starts with a malicious MSI file). The attackers rely on DLL side-loading to execute the final payload, the Wolfic implant.
Analyst Comment: The attackers go to great lengths in their social engineering, creating fake professional profiles and groups. It is important to combine anti-phishing awareness with system hardening. Do not disable runtime macro scanning by the Antimalware Scan Interface. Implement rules to block Office applications from creating executable content, block the Office communication application from creating child processes, and block Win32 API calls from Office macros.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Rogue Domain Controller - T1207 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: actor:DEV-0139, target-industry:Cryptocurrency, Social engineering, Telegram, Cryptocurrency exchange, OKX Binance, Huobi, file-type:XLS, file-type:PNG, file-type:TMP, file-type:MSI, OpenDrive, detection:Wolfic

Vice Society: Profiling a Persistent Threat to the Education Sector

(published: December 6, 2022)

Among ransomware groups targeting the education sector in 2022, Vice Society was the most impactful, with at least 33 educational institutions listed on the group's data leak site. Vice Society's other common victims include healthcare and regional governments, followed by 15 other targeted industries. The group targeted 29 countries, with approximately half of the cases in the US and the UK. In its attacks, Vice Society uses commodity ransomware families such as the Linux-targeting variant of HelloKitty (FiveHands) and the Windows-targeting Zeppelin ransomware.
Analyst Comment: Ransomware is an evolving threat that requires a defense-in-depth approach. For backups, follow the 3-2-1 rule: 3 copies of the data, on 2 different devices, with 1 stored in a secure location. Data loss is made manageable through segmentation, offline storage, encrypting data at rest, and limiting the storage of personal and sensitive data.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Network Service Scanning - T1046 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Taint Shared Content - T1080 | [MITRE ATT&CK] Lateral Tool Transfer - T1570 | [MITRE ATT&CK] Automated Exfiltration - T1020 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567 | [MITRE ATT&CK] Remote Access Tools - T1219 | [MITRE ATT&CK] Account Access Removal - T1531
Tags: actor:Vice Society, malware-type:Ransomware, target-industry:Education, target-industry:Healthcare, detection:HelloKitty, file-type:ELF, Linux, detection:Zeppelin, Windows, PrintNightmare, CVE-2021-1675, CVE-2021-34527, target-country:US, target-country:UK

Infected WordPress Plugins Redirect to Push Notification Scam

(published: December 6, 2022)

A new malicious campaign targeting WordPress websites adds a listener for the whole page's onclick event, causing a fraudulent redirect whenever a site visitor clicks on any link. Sucuri researchers found that the malicious script avoids detection by using obfuscation followed by an unusual hexadecimal encoding of the binary string. Additionally, the script detects open Developer Tools using several alternative methods, including checks implemented in the following functions: checkByImageMethod, checkDevByScreenResize, detectDevByKeyboard, checkByFirebugMethod, and checkByProfileMethod.
Analyst Comment: Website owners should pay attention to feedback from visitors, as some malicious activity is shown only to those who match a certain profile (such as having no developer tools open). Update and patch your content management system, plugins, themes, and other extensible components.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Redirect, WordPress, WordPress Plugin, Scam, Obfuscation, hex2dec, Compromised website

Defcon Skimming: A New Batch of Web Skimming Attacks

(published: December 5, 2022)

Jscrambler researchers analyzed three new web-skimming clusters (categorized under the Magecart umbrella term), dubbed Group X, Group Y, and Group Z. All three disguised their malicious JavaScript as Google code (Google Tag Manager or Google Analytics). Common tactics included code obfuscation and referrer fingerprinting. Group X was able to mass-inject its code by exploiting a free, third-party JavaScript library that was discontinued in December 2014: the group re-registered the abandoned domain name and used it to serve skimming scripts from the URL at which the old library had been hosted.
Analyst Comment: Site administrators should be aware of their supply-chain dependencies and remove those that are unsupported or abandoned. Keep systems updated and secure the administrator panel with two-factor authentication or other access restrictions. If your site was infected, perform a core file integrity check, search for any other files containing the same injection, and review recently modified or added files. All known network indicators associated with this campaign are available in the Anomali platform, and customers are advised to block them on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: Supply chain, Web skimming, Cockpit, target-industry:E-commerce, Payment Card Industry, Credit card data, Google Analytics, JavaScript
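The three post-infection checks recommended above (core file integrity, files sharing the same injection, recently modified files), as an added example that is not from the Anomali write-up or Jscrambler's research: a constructed site snapshot is compared against a manifest of expected hashes and searched for a skimmer tag disguised as a Google Analytics include. The host abandoned-library.example, the file contents and the hashes are constructed placeholders.

```python
"""Post-infection triage for a web-skimming injection: core-file integrity, other files
carrying the same injection, and recently changed files. Added example (not from the
Anomali write-up or Jscrambler); site contents, hashes and the skimmer host
abandoned-library.example are constructed placeholders."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(files, manifest, injection_re, since):
    """files: {path: (content, mtime)}; manifest: {core path: expected sha256 hex}.
    Returns sorted path lists for each check so the results are easy to diff."""
    modified = [p for p, h in manifest.items()
                if p in files and sha256_hex(files[p][0]) != h]
    missing = [p for p in manifest if p not in files]
    injected = [p for p, (data, _) in files.items()
                if injection_re.search(data.decode("utf-8", "replace"))]
    recent = [p for p, (_, mtime) in files.items() if mtime >= since]
    return {"modified_core": sorted(modified), "missing_core": sorted(missing),
            "injected": sorted(injected), "recent": sorted(recent)}


# The injected loader imitates a Google Analytics include but is fetched from the
# abandoned library's re-registered domain (placeholder host).
INJECTION_RE = re.compile(
    r"<script[^>]*src=[\"']https?://abandoned-library\.example/[^\"']*analytics", re.I)
SKIMMER_TAG = b'<script src="https://abandoned-library.example/js/analytics.js"></script>'
CLEAN_JQUERY = b"/* jQuery 1.x (constructed stand-in) */ window.jQuery = function () {};"

# Constructed site snapshot: path -> (content, mtime in Unix seconds).
SITE = {
    "index.php": (b"<?php require __DIR__ . '/wp-blog-header.php';", 1_667_000_000),
    "wp-includes/js/jquery.js":
        (CLEAN_JQUERY + b"\ndocument.write('" + SKIMMER_TAG + b"');", 1_670_200_000),
    "wp-content/themes/shop/footer.php": (b"</main>\n" + SKIMMER_TAG, 1_670_200_100),
    "wp-content/uploads/2022/11/banner.png": (b"\x89PNG\r\n\x1a\n...", 1_668_000_000),
}
# Expected hashes of core files, as a vendor checksum list would provide them.
MANIFEST = {
    "index.php": sha256_hex(SITE["index.php"][0]),
    "wp-includes/js/jquery.js": sha256_hex(CLEAN_JQUERY),
    "wp-includes/version.php": "0" * 64,  # placeholder hash for a file now missing
}
```

Running triage(SITE, MANIFEST, INJECTION_RE, since=1_670_000_000) reports jquery.js as a modified core file, both jquery.js and the theme footer as carrying the injection, and the same two files as recently changed; the integrity check alone would have missed the theme file, which is why the injection search is a separate step.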
