December 7, 2021
Anomali Threat Research

Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Ransomware, Maldocs, E-Commerce, Phishing, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">New Malware Hides as Legit Nginx Process on E-Commerce Servers</a></h3> <p>(published: December 2, 2021)</p> <p>Researchers at Sansec discovered NginRAT, a new malware variant that has been found on servers in the US, Germany, and France. Put in place to intercept credit card payments, this malware impersonates legitimate nginx processes which makes it very difficult to detect. NginRAT has shown up on systems that were previously infected with CronRAT, a trojan that schedules processes to run on invalid calendar days. This is used as a persistence technique to ensure that even if a malicious process is killed, the malware has a way to re-infect the system.<br/> <b>Analyst Comment:</b> Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Shared Modules - T1129</a><br/> <b>Tags:</b> NginRAT, CronRAT, Nginx, North America, EU</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">How Phishing Kits Are Enabling A New Legion Of Pro Phishers</a></h3> <p>(published: December 2, 2021)</p> <p>Phishing kits, such as XBALTI are seeing increased use against financial institutions. Mixing email with SMS messages, attackers are targeting companies such as Charles Schwab, J.P. Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are targeted and asked to verify account details. The attack is made to appear legitimate by redirecting to the real sites after information has been harvested.<br/> <b>Analyst Comment:</b> With financial transactions increasing around this time of year, it is likely financially themed malspam and phishing emails will be a commonly used tactic. Therefore, it is crucial that your employees are aware of their financial institution's policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.<br/> <b>Tags:</b> Phishing, XBATLI</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors</a></h3> <p>(published: December 1, 2021)</p> <p>Proofpoint threat researchers have observed the adoption of a novel and easily implemented phishing attachment technique by APT threat actors in Q2 and Q3 of 2021. This technique, referred to as RTF template injection, leverages the legitimate RTF template functionality. It subverts the plain text document formatting properties of an RTF file and allows the retrieval of a URL resource instead of a file resource via an RTF’s template control word capability. This enables a threat actor to replace a legitimate file destination with a URL from which a remote payload may be retrieved.<br/> <b>Analyst Comment:</b> Threat actors deliver malware in numerous ways and will consistently update their TTPs to make analysis and discovery more difficult. Educate your employees on the methods actors use to distribute malware: compromised websites, malicious files, phishing, spearphishing, and vulnerability exploitation, among others.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Standard Non-Application Layer Protocol - T1095</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a><br/> <b>Tags:</b> Phishing, APT, RTF Malware</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">HP Printer Hijack Bugs Impact 150 Models</a></h3> <p>(published: December 1, 2021)</p> <p>Two vulnerabilities in multi-function printers (MFPs) have been discovered by F-Secure security consultants Timo Hirvonen and Alexander Bolshev. The vulnerabilities, registered as CVE-2021-39237 and CVE-2022-39238, were discovered in HP’s “FutureSmart” MFP “M725z” devices going back to 2013. A “cross-site printing” attack can be performed by attackers via a malicious website. This would allow for arbitrary code execution on the machine and steal any printed, scanned or faxed information, as well as passwords. Multiple MFPs on the same network could be automatically impacted due to the nature of the of the CVEs. HP has issued patches for the vulnerabilities.<br/> <b>Analyst Comment:</b> Threat actors will often attempt to exploit old vulnerabilities that already have patches (SonicWall advisory located here) because there is a lot of open source information on said vulnerability. This makes it easier to use an exploit for the vulnerability because proof-of-concept code is likely available and ready to be weaponized. In addition, applying patches can sometimes cause disruption among software used by an organization. Therefore, having patch policies and business continuity plans in place are crucial in maintaining a good security posture.<br/> <b>Tags:</b> CVE-2021-39237, CVE-2022-39238, HP</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Have You Downloaded That Android Malware From The Play Store Lately?</a></h3> <p>(published: December 1, 2021)</p> <p>Security researchers have discovered banking trojans on the Google Play Store, and say they have been downloaded by more than 300,000 Android users. The apps themselves appear legitimate and may not be related to banking at all. A number of known samples include QR readers, fitness apps, and document scanners. These are difficult to detect as they filter activation by region, Android version or a variety of other factors. Often, the malicious code does not appear in the app when it's downloaded; checks are performed on the device and then malicious actions are taken or code is downloaded.<br/> <b>Analyst Comment:</b> It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Non-Standard Port - T1571</a><br/> <b>Tags:</b> Anatsa, Alien, Hydra, Ermac, Android, Malware, Banking</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware</a></h3> <p>(published: December 1, 2021)</p> <p>BlackByte, a known ransomware group, is using exploited Microsoft Exchange servers to serve ransomware using ProxyShell vulnerabilities. ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that allow unauthenticated, remote code execution on the server when chained together. Once breached, the actors are utilizing Cobalt Strike to move laterally through systems and networks. Firewall rules, Active Directory security protocols and PowerShell are also utilized during a worm phase. The vulnerabilities were patched by security updates released in April and May 2021. Threat actors are now using ProxyShell to install web shells, coin miners, and ransomware.<br/> <b>Analyst Comment:</b> The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and to inform the appropriate personnel when they are identified. Follow proper patch schedules and regularly scan infrastructure for changes. Avoiding paying the cyber criminals is paramount. Implement a backup solution for your users to ease the pain of losing sensitive and important data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Inhibit System Recovery - T1490</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> BlackByte, ProxyShell, Microsoft Exchange, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">ScarCruft Surveilling North Korean Defectors And Human Rights Activists</a></h3> <p>(published: November 29, 2021)</p> <p>The Advanced Persistent Threat (APT) group ScarCruft (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT group. It is known to target North Korean defectors, journalists who cover North Korea-related news and government organizations related to the Korean Peninsula. Active since 2016, the threat actors go through acquaintances of the victim using stolen Facebook or email credentials. This is followed by sending spear phishing emails to individuals that consists of a RAR archive containing a malicious Word file.<br/> <b>Analyst Comment:</b> This malicious activity is likely being conducted through sponsorship of the North Korean government. Anomali researchers previously released a report in which analysts the phishing domains and credential theft was being conducted by North Korean actors. Government entities will always be assessed to hold valuable information, as such, actors who want this information (other governments) will target said entities in attempts to steal information for strategic purposes.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Archive Collected Data - T1560</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Encrypted Channel - T1573</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a><br/> <b>Tags:</b> APT37, Reaper, ScurCraft, North Korea</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.