Anomali Cyber Watch: Mustang Panda Adopted MQTT Protocol, Redis Miner Optimization Risks Data Corruption, BlackLotus Bootkit Reintroduces Vulnerable UEFI Binaries | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Cryptojacking, Phishing, Ransomware, Secure boot bypass, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

MQsTTang: Mustang Panda’s Latest Backdoor Treads New Ground with Qt and MQTT

(published: March 2, 2023)

In early 2023, China-sponsored group Mustang Panda began experimenting with a new custom backdoor dubbed MQsTTang. The backdoor received its name based on the attribution and the unique use of the MQTT command and control (C2) communication protocol that is typically used for communication between IoT devices and controllers. To establish this protocol, MQsTTang uses the open source QMQTT library based on the Qt framework. MQsTTang is delivered through spearphishing malicious link pointing at a RAR archive with a single malicious executable. MQsTTang was delivered to targets in Australia, Bulgaria, Taiwan, and likely some other countries in Asia and Europe.
Analyst Comment: Mustang Panda is likely exploring this communication protocol in an attempt to hide its C2 traffic. Defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various techniques of defense evasion. Sensitive government sector workers should be educated on spearphishing threats and be wary of executable files delivered in archives.
MITRE ATT&CK: [MITRE ATT&CK] T1583.003 - Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1583.004 - Acquire Infrastructure: Server | [MITRE ATT&CK] T1587.001 - Develop Capabilities: Malware | [MITRE ATT&CK] T1588.002 - Obtain Capabilities: Tool | [MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware | [MITRE ATT&CK] T1608.002 - Stage Capabilities: Upload Tool | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1480 - Execution Guardrails | [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1071 - Application Layer Protocol | [MITRE ATT&CK] T1102.002 - Web Service: Bidirectional Communication | [MITRE ATT&CK] T1132.001 - Data Encoding: Standard Encoding | [MITRE ATT&CK] T1573.001 - Encrypted Channel: Symmetric Cryptography | [MITRE ATT&CK] T1041 - Exfiltration Over C2 Channel
Tags: malware:MQsTTang, malware-type:Backdoor, mitre-group:Mustang Panda, actor:YanNaingOo0072022, FTP, MQTT protocol, QMQTT library, Qt framework, APT, file-type:RAR, file-type:EXE, target-country:Australia, target-country:AU, target-country:Bulgaria, target-country:BG, target-country:Taiwan, target-country:TW, target-region:Asia, target-region:Europe, target-industry:Government, Windows

#StopRansomware: Royal Ransomware

(published: March 2, 2023)

The Royal ransomware is a double-extortion scheme active since September 2022. As some of the targets are in the US, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued an advisory featuring Royal domains and binaries up to January 2023. Royal has been targeting communications, education, healthcare, manufacturing, and other industries demanding from $1 million to $11 million USD in Bitcoin. The attackers were often using the Gozi malware or the Cobalt Strike C2 framework for data exfiltration. Royal’s crypter has an unique evasion setting allowing the attackers to lower the encryption percentage for larger files.
Analyst Comment: Organizations should implement multifactor authentication for all services to the extent possible, particularly for accounts that access critical systems, remote monitoring and management software, virtual private networks, and webmail. Network and host-based indicators associated with previous Royal attacks are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1133 - External Remote Services | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1572 - Protocol Tunneling | [MITRE ATT&CK] T1078.002 - Valid Accounts: Domain Accounts | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1484.001 - Domain Policy Modification: Group Policy Modification | [MITRE ATT&CK] T1070.001 - Indicator Removal on Host: Clear Windows Event Logs | [MITRE ATT&CK] T1021.001 - Remote Services: Remote Desktop Protocol | [MITRE ATT&CK] T1119 - Automated Collection | [MITRE ATT&CK] T1486: Data Encrypted for Impact
Tags: malware:Royal, malware-type:Ransomware, file-type:BAT, file-type:ZIP, malware:Gozi, malware:Cobalt Strike, malware:Chisel, malware-type:Tunneling, RDP, PsExec, target-country:US, target-industry:Manufacturing, target-industry:Communications, target-industry:Healthcare, target-industry:Education, Windows

Redis Miner Leverages Command Line File Hosting Service

(published: March 2, 2023)

Cado Security researchers detected a cryptomining campaign targeting vulnerable Redis servers. Payloads are being hosted on the opensource command-line file transfer service transfer[.]sh. Cryptomining (cryptojacking) attacks are often considered to be low-impact, but this campaign puts production systems at risk when optimizing it for mining. The attackers disable the Security-Enhanced Linux (SELinux) module, ensure DNS requests can be resolved by public resolvers, and remove existing cron jobs and the cron spool. Additionally, they try to free up RAM by modifying drop_caches to drop the cache of filesystem resolutions by the kernel.
Analyst Comment: An unusually high CPU usage and overheating can be a sign of the malicious resource hijacking for cryptocurrency mining. Network defenders should keep their systems updated. Malicious optimization for mining puts your systems at risk of data corruption.
MITRE ATT&CK: [MITRE ATT&CK] T1489 - Service Stop | [MITRE ATT&CK] T1496 - Resource Hijacking | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1105 - Ingress Tool Transfer | [MITRE ATT&CK] T1053.003 - Scheduled Task/Job: Cron
Tags: Redis server, malware-type:Miner, Cryptojacking, detection:XMRig, Cryptocurrency, Monero, malware:pnscan, malware-type:Scanner, transfer[.]sh, drop_caches, SELinux, Linux

BlackLotus UEFI Bootkit: Myth Confirmed

(published: March 1, 2023)

ESET researchers identified in-the-wild instances of the BlackLotus bootkit that is being sold on hacking forums for $5,000. BlackLotus is a UEFI bootkit capable of running on even fully-up-to-date Windows 11 systems with UEFI Secure Boot enabled. Underlying Secure Boot Security Feature Bypass Vulnerability (CVE-2022-21894) is exploited by BlackLotus by reintroducing legitimate, vulnerable UEFI binaries replaced by Microsoft's January 2022 update. Its infection chain involves two forced reboots that enable persistence. BlackLotus employs common methods of analysis and debugging evasion. BlackLotus is still rare and the exact method used to deliver the BlackLotus installer is not known.
Analyst Comment: This method of Secure Boot bypassing will continue until Windows will revoke the vulnerable bootloaders that BlackLotus depends on. Practice defense-in-depth approach and keep your systems updated to avoid introduction of the BlackLotus installer. All known BlackLotus indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1587.002 - Develop Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1588.005 - Obtain Capabilities: Exploits | [MITRE ATT&CK] T1203 - Exploitation For Client Execution | [MITRE ATT&CK] T1559 - Inter-Process Communication | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1129 - Shared Modules | [MITRE ATT&CK] T1542.003 - Pre-OS Boot: Bootkit | [MITRE ATT&CK] T1548.002: Bypass User Access Control | [MITRE ATT&CK] T1134.002 - Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] T1574 - Hijack Execution Flow | [MITRE ATT&CK] T1562: Impair Defenses | [MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1070.009 - Indicator Removal: Clear Persistence | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1112: Modify Registry | [MITRE ATT&CK] T1027 - Obfuscated Files Or Information | [MITRE ATT&CK] T1027.007 - Obfuscated Files or Information: Dynamic Api Resolution | [MITRE ATT&CK] T1027.009 - Obfuscated Files or Information: Embedded Payloads | [MITRE ATT&CK] T1055.012 - Process Injection: Process Hollowing | [MITRE ATT&CK] T1055.002 - Process Injection: Portable Executable Injection | [MITRE ATT&CK] T1014 - Rootkit | [MITRE ATT&CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks | [MITRE ATT&CK] T1622 - Debugger Evasion | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 - System Location Discovery | [MITRE ATT&CK] T1016 - System Network Configuration Discovery | [MITRE ATT&CK] T1016.001 - System Network Configuration Discovery: Internet Connection Discovery | [MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1132.001 - Data Encoding: Standard Encoding | [MITRE ATT&CK] T1573.001 - Encrypted Channel: Symmetric Cryptography | [MITRE ATT&CK] T1573.002 - Encrypted Channel: Asymmetric Cryptography
Tags: malware:BlackLotus, malware-type:UEFI Bootkit, malware-type:HTTP downloader, malware-type:Bootkit, file-type:EFI, file-type:DLL, CVE-2022-21894, UEFI Secure Boot, MOK key, Windows

RIG Exploit Kit In-Depth Analysis

(published: February 27, 2023)

RIG exploit hit (RIG EK) is a global threat that has been active since 2014. It distributes Internet Explorer exploits via watering hole attacks and collects victim data, and ultimately malware being dropped, such as Dridex, RaccoonStealer, or SmokeLoader infostealers. At the end of 2022, RIG EK has added two new exploits, CVE-2021-26411 and CVE-2020-0674, achieving an extremely high exploitation rate among its victims (consistently 30%). RIG EK hides its exploit servers behind proxy servers, it has an integrated Antivirus testing feature for payloads, and typically updates them on weekly to daily basis.
Analyst Comment: Organizations need to move away from using Internet Explorer on their enterprise devices. Keep your software updated and replace end-of-life products that are no longer receiving updates.
MITRE ATT&CK: [MITRE ATT&CK] T1588 - Obtain Capabilities | [MITRE ATT&CK] T1584 - Compromise Infrastructure | [MITRE ATT&CK] T1189: Drive-by Compromise | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1203 - Exploitation For Client Execution | [MITRE ATT&CK] T1090 - Proxy
Tags: malware:RIG, malware-type:Exploit kit, Malvertising, Compromised website, CVE-2021-26411, CVE-2020-0674, malware:Dridex, malware:RaccoonStealer, malware:SmokeLoader, malware-type:infostealer, Internet Explorer, Windows

Resecurity Disrupts Investment Scam Network - Digital Smoke

(published: February 27, 2023)

Resecurity researchers discovered a large network dubbed Digital Smoke impersonating top 100 companies in order to promote fraudulent investment schemes. This network was primarily targeting users in India (users using Indian Rupees and Indian cell phone numbers). Among dozens of impersonated organizations were ABRDN (UK), Blackrock (US), Baxter Medical (US), Cigna (US), DJI (China), Eaton Corporation (US/UK), ITC Hotels (India), Ferrari (Italy), Lloyds Bank (UK), Novuna Business Finance (UK), Tata (India), Shell (UK), and Valesto Oil (Malaysia). The attack typically starts with an affiliate promoting the scam via an instant message, for example on Youtube or WhatsApp. The threat actors were able to hide their activity using hidden redirects, domain cloaking, one-time URLs, and special invitation codes. Final instructions often required installing an app and/or registering an account. To receive funds the attackers used AliPay, card-to-card payments to money mules, cryptocurrencies, and India’s Unified Payments Interface.
Analyst Comment: Profiled in late 2022, Digital Smoke network was disrupted in early 2023. Potential investors should be very careful about personal messages with invite links, and offers that are too good to be true. Pay attention to the domain that is asking for your financial information, try to establish its authenticity and ownership. Anomali customers concerned about risks to their digital assets (including similar/typosquatted domains) can try out Anomali's Premium Digital Risk Protection service.
MITRE ATT&CK: [MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains | [MITRE ATT&CK] T1585.001 - Establish Accounts: Social Media Accounts
Tags: target-country:India, target-country:IN, Blackrock, ABRDN, target-country:UK, Blackrock, target-country:US, Baxter Medical, Ferrari, target-country:IT, ITC Hotels, Eaton Corporation, Novuna Business Finance, Tata, Valesto Oil, target-country:Malaysia, target-country:MD, Lloyds Bank, Financial fraud, Redirect, Cloaking, Black SEO, Typosquatting


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.