December 20, 2021
Anomali Threat Research

Anomali Cyber Watch: 'PseudoManuscrypt' Mass Spyware Campaign Targets 35K Systems, APT31 Intrusion Set Campaign: Description, Countermeasures and Code, State-sponsored hackers abuse Slack API to steal

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT31, Magecart, Hancitor, Pakdoor, Lazarus,</b> and <b>Vulnerabilities CVE-2021-21551.</b> The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="" /><br /> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">NSW Government Casual Recruiter Suffers Ransomware Hit</a></h3> <p>(published: December 17, 2021)</p> <p>Finite Recruitment suffered a ransomware attack during the month of October 2021, resulting in the exfiltration of some data. Their incident responders (IR) identified the ransomware as Conti, a fast-encrypting ransomware commonly attributed to the cybercriminal group Wizard Spider. The exfiltrated data was published on the dark web; however, the firm remains fully operational, and affected customers are being informed.<br /> <b>Analyst Comment:</b> Always check to see if there is a decryptor available for the ransomware before considering payment. Enforce a strong backup policy to ensure that data is recoverable in the event of encryption or loss.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Scheduled Transfer - T1029</a><br /> <b>Tags:</b> Conti, Wizard Spider, Ransomware, Banking and Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Phorpiex botnet is back with a new Twizt: Hijacking Hundreds of crypto transactions</a></h3> <p>(published: December 16, 2021)</p> <p>Check Point Research has uncovered a new variant of the Phorpiex botnet named Twizt. 
Historically, Phorpiex utilized sextortion, ransomware delivery, and cryptocurrency clipping. Twizt, however, appears to be primarily focused on stealing cryptocurrency and has stolen half a million dollars since November 2020 in the form of Bitcoin, Ether and ERC20 tokens. The botnet departs from its traditional command and control (C2) infrastructure, opting for peer-to-peer (P2P) communications between infected hosts, eliminating the need for C2 communication as each host can fulfill that role.<br /> <b>Analyst Comment:</b> Bots within a P2P network need to communicate regularly with other bots to receive and share commands. If the infected bots are on a private network, private IP addresses will be used. Therefore, detection relies on careful monitoring of network traffic for suspicious activity and spikes in network resource usage, as opposed to the detection of C2 IP addresses.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Data Encoding - T1132</a> | <a href="" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&CK] Clipboard Data - T1115</a><br /> <b>Tags:</b> Phorpiex, Twizt, Russia, Banking and Finance, Cryptocurrency, Bitcoin</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">‘PseudoManuscrypt’ Mass Spyware Campaign Targets 35K Systems</a></h3> <p>(published: December 16, 2021)</p> <p>Kaspersky researchers have documented a spyware that has targeted 195 countries as of December 2021. The spyware, named PseudoManuscrypt, was developed and deployed by Lazarus Group (Hidden Cobra), an Advanced Persistent Threat (APT) group. The campaign spreading this spyware specifically targets industrial control systems (ICS), with the malware itself masquerading as fake installers for software commonly used in the industry, such as MODBUS Master Devices. 
PseudoManuscrypt functionality includes keylogging, screenshot capture, camera and mic control for recording, exfiltration of OS event logs, and some VPN data access.<br /> <b>Analyst Comment:</b> Only download software from trusted sources, as malware will often impersonate legitimate software. Monitor event logs and outbound traffic to identify malicious behaviour and connections to command and control servers. Anomali Match can match associated IOCs of malware against your event logs to assist in determining malicious activity.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a><br /> <b>Tags:</b> PseudoManuscrypt, Lazarus, Spyware, ICS</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">APT31 Intrusion Set Campaign: Description, Countermeasures and Code</a></h3> <p>(published: December 15, 2021)</p> <p>Beginning in January 2021, ANSSI researchers investigated APT31 and released a report on December 15th documenting the entirety of their infection chain. APT31’s command and control (C2) infrastructure is built upon a mesh network consisting of compromised Small Office/Home Office (SOHO) routers. These routers were compromised by a new malware named Pakdoor, a 2-module backdoor and launcher malware. Brute force attacks are the initial technique utilized to compromise routers. As of release, APT31 appears to carry out opportunistic attacks, with no patterns or themes yet linking the intrusions.<br /> <b>Analyst Comment:</b> A strong password policy should be implemented with password criteria to reduce the success probability of brute force attacks. Default passwords should be changed and devices with no passwords should be password protected. 
Monitoring inbound and outbound connections can assist in identifying anomalous activity within the network.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Exploit Public-Facing Application - T1190</a> | <a href="" target="_blank">[MITRE ATT&CK] External Remote Services - T1133</a> | <a href="" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="" target="_blank">[MITRE ATT&CK] Windows Management Instrumentation - T1047</a> | <a href="" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="" target="_blank">[MITRE ATT&CK] System Services - T1569</a> | <a href="" target="_blank">[MITRE ATT&CK] Server Software Component - T1505</a> | <a href="" target="_blank">[MITRE ATT&CK] Hijack Execution Flow - T1574</a> | <a href="" target="_blank">[MITRE ATT&CK] Create or Modify System Process - T1543</a> | <a href="" target="_blank">[MITRE ATT&CK] Account Manipulation - T1098</a> | <a href="" target="_blank">[MITRE ATT&CK] Logon Scripts - T1037</a> | <a href="" target="_blank">[MITRE ATT&CK] Create Account - T1136</a> | <a href="" target="_blank">[MITRE ATT&CK] Access Token Manipulation - T1134</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a> | <a href="" target="_blank">[MITRE ATT&CK] Indicator Removal on Host - T1070</a> | <a href="" target="_blank">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="" target="_blank">[MITRE ATT&CK] Impair Defenses - T1562</a> | <a href="" target="_blank">[MITRE ATT&CK] Masquerading - T1036</a> | <a href="" target="_blank">[MITRE ATT&CK] Modify Registry - T1112</a> | <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&CK] OS Credential Dumping - T1003</a> | <a href="" target="_blank">[MITRE ATT&CK] Brute Force - T1110</a> | <a href="" target="_blank">[MITRE ATT&CK] Account 
Discovery - T1087</a> | <a href="" target="_blank">[MITRE ATT&CK] Network Service Scanning - T1046</a> | <a href="" target="_blank">[MITRE ATT&CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&CK] Process Discovery - T1057</a> | <a href="" target="_blank">[MITRE ATT&CK] Remote System Discovery - T1018</a> | <a href="" target="_blank">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a> | <a href="" target="_blank">[MITRE ATT&CK] System Network Connections Discovery - T1049</a> | <a href="" target="_blank">[MITRE ATT&CK] System Service Discovery - T1007</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploitation of Remote Services - T1210</a> | <a href="" target="_blank">[MITRE ATT&CK] Remote Services - T1021</a> | <a href="" target="_blank">[MITRE ATT&CK] Archive Collected Data - T1560</a> | <a href="" target="_blank">[MITRE ATT&CK] Email Collection - T1114</a> | <a href="" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a> | <a href="" target="_blank">[MITRE ATT&CK] Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&CK] Proxy - T1090</a> | <a href="" target="_blank">[MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048</a><br /> <b>Tags:</b> APT31, ANSSI, Pakdoor, Intrusion Set</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">State-sponsored hackers abuse Slack API to steal airline data</a></h3> <p>(published: December 15, 2021)</p> <p>A new backdoor called Aclip has been observed by IBM Security X-Force researchers to be linked to the threat actor group ITG17, also known as MuddyWater. ITG17 is an Iranian state-sponsored actor that attacked an unnamed Asian airline during 2019 with Aclip, exfiltrating flight reservation data. The backdoor is able to communicate with a command and control (C2) server in a bidirectional manner, and utilises the Slack API to exfiltrate system data, screenshots and files. 
Furthermore, Aclip can execute arbitrary PowerShell commands on a target system through the Slack API. Persistence is maintained via an inserted registry key that launches upon startup.<br /> <b>Analyst Comment:</b> Always monitor logs and network traffic to detect anomalous activity indicating C2 communication or outbound connections to suspicious domains. Anomali ThreatStream can facilitate investigations, providing the links between IOCs and Threat Actors.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&CK] Screen Capture - T1113</a> | <a href="" target="_blank">[MITRE ATT&CK] Modify Registry - T1112</a><br /> <b>Tags:</b> AClip, ITG17, Win32Drv.exe, MuddyWater</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Sites Hacked with Credit Card Stealers Undetected for Months</a></h3> <p>(published: December 15, 2021)</p> <p>Researchers at Akamai have documented a skimming campaign centered around SCUF Gaming International, which has stolen the financial details of 32,000 as of December 2021. The threat actor behind the attack, Magecart, specializes in credential stealing from e-commerce websites. The skimmers involved load malicious JavaScript into the website that executes on the payment page and logs payment details including card number, holder name and address, as well as CVV number. Magecart utilized a cluster of 4 command and control (C2) domains for data exfiltration.<br /> <b>Analyst Comment:</b> Attacks against e-commerce websites always increase as the holidays approach, so extra caution is advised. Code should be well commented, with logic and base assumptions noted to ensure that anomalous functionality can be identified. 
Data input should always be sanitized to prevent the injection of malicious code.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Credentials from Password Stores - T1555</a> | <a href="" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a><br /> <b>Tags:</b> Magecart, SCUF, Credential Stealing, Skimming, Banking and Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Owowa: The add-on that turns your OWA into a Credential Stealer and Remote Access Panel</a></h3> <p>(published: December 14, 2021)</p> <p>A new credential-stealing malware, discovered in late 2020, targets and exposes Exchange’s Outlook Web Access (OWA). This malware, named Owowa, is a C#-developed .NET v4.0 assembly that can be loaded into an IIS web server to harvest any user credentials entered into the login page. It contains further functionality to allow for the execution of remote commands on the server. Observed Owowa samples can be identified by the unique public key in the file properties: b07504c8144c2a49.<br /> <b>Analyst Comment:</b> Always ensure that software is patched and up to date to prevent exploitation from malware that is reliant on out-of-date code. Always maintain a vigil on security logs and server activity to identify deviant behaviour that could indicate malicious activity. A strong defence-in-depth approach to security will mitigate compromises if they happen.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Input Capture - T1056</a><br /> <b>Tags:</b> OWA, Owowa, IIS, Credential Stealing</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">HANCITOR DOC drops via CLIPBOARD</a></h3> <p>(published: December 13, 2021)</p> <p>A technique uncovered by McAfee Labs researchers allows for a new distribution method of Hancitor malware. 
Hancitor is a malware-as-a-service (MaaS) loader that delivers payloads constituting other malware such as Cobalt Strike, Cuba and other ransomware. The new technique abuses the selection copy method of the Windows clipboard, allowing for the installation of files whilst evading detection and obfuscating activity from traditional antivirus detections. The most frequently dropped payload is a macro-embedded OLE file that can launch malicious macros when opened.<br /> <b>Analyst Comment:</b> Be wary of attachments or new files that come from unverified sources, as even opening such documents can lead to an infection. Delete any suspicious files. Anomali Match can identify malicious IOCs and activity in your network that can assist in investigating malicious activity.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Clipboard Data - T1115</a> | <a href="" target="_blank">[MITRE ATT&CK] Office Application Startup - T1137</a><br /> <b>Tags:</b> Hancitor, FickerStealer, Cuba, Pony, CobaltStrike, Ransomware</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Driver-Based Attacks: Past and Present</a></h3> <p>(published: December 13, 2021)</p> <p>A vulnerability, registered as CVE-2021-21551, has been identified within the dbutil_2_3.sys Dell driver. This write-what-where vulnerability is the latest in a group of techniques collectively named Bring Your Own Vulnerable Driver (BYOVD). Threat actors that possess administrator privileges can install legitimate drivers that are vulnerable to attack onto target machines and then exploit them. This bypasses security mechanisms that prevent the loading of hostile, illegitimate drivers. 
CVE-2021-21551, when exploited, grants access to Ring 0 of the Windows kernel, providing adversaries with control over security mechanisms within the compromised machine.<br /> <b>Analyst Comment:</b> Always be wary of software or drivers that you haven’t installed, and check with a trusted administrator to verify their authenticity. Monitoring the registry and activity logs on a machine can aid in identifying suspicious, anomalous activity that is an early indicator of compromise. Verify and check your security posture and programs to ensure that they are functioning properly.<br /> <b>MITRE ATT&CK: </b> <a href="" target="_blank">[MITRE ATT&CK] Subvert Trust Controls - T1553</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploitation for Defense Evasion - T1211</a> | <a href="" target="_blank">[MITRE ATT&CK] Rootkit - T1014</a> | <a href="" target="_blank">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a><br /> <b>Tags:</b> ZeroCleare, dbutil_2_3.sys, Dell, Mimikatz, XMRig, Winnti Group, Turla</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Malicious PyPI Code Packages Rack Up Thousands of Downloads</a></h3> <p>(published: December 13, 2021)</p> <p>Three malicious code packages were found to have been hosted on Python Package Index (PyPI). The first of the three, uploaded on the 1st of December, was a package named aws-login0tool that, when installed, executes a trojan payload. Furthermore, the package contained code in the form of an import urllib.request string, which can be used to download external files or exfiltrate data. The trojan fetched two other packages, which imported Popen, a subprocess interface that can pipe commands into the command line, allowing for arbitrary code execution. 
All three packages have been removed as of the 10th of December, but not before totalling 12,000 downloads.<br /> <b>Analyst Comment:</b> Caution should be taken when downloading files from the internet, even if they are hosted on trusted platforms. Always check the imports and dependencies of files to ensure that they are all trustworthy. A strong backup policy and defence-in-depth approach can help limit the damage malware can inflict and speed up the recovery process.<br /> <b>Tags:</b> Popen, PyPI, aws-login0tool</p> </div>
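<p>An added example, not taken from the original report or from any PyPI tooling: a static audit that parses a package's files without running them and reports imports of urllib.request and subprocess, the two capabilities named in the PyPI story above, separating code in setup.py (which runs at install time) from the rest. The SAMPLE package contents and all function names are constructed for illustration.</p>

```python
import ast

# The two capabilities the report calls out, keyed by module name.
WATCHED = {"urllib.request": "network access", "subprocess": "command execution"}
DYNAMIC = ("__import__", "import_module")  # importing by string also counts

# Constructed sample package: these sources are parsed, never executed.
SAMPLE = {
    "example_pkg/setup.py": "from setuptools import setup\nimport urllib.request\n"
                            "from subprocess import Popen\nsetup(name='example_pkg')\n",
    "example_pkg/util.py": "import json\nmod = __import__('subprocess')\n",
    "example_pkg/legacy.py": "print 'python 2 only'\n",
}

def _watched(module):
    """Return the watched module that `module` is, or is a member of."""
    for name in WATCHED:
        if module == name or module.startswith(name + "."):
            return name
    return None

def audit_source(filename, source):
    """Return sorted (filename, line, module, stage) tuples for watched imports."""
    # Code in setup.py runs during installation, before the package is imported.
    stage = "install-time" if filename.endswith("setup.py") else "import-time"
    try:
        tree = ast.parse(source, filename=filename)
    except (SyntaxError, ValueError) as exc:
        # A file that cannot be parsed cannot be cleared; flag it for manual review.
        return [(filename, getattr(exc, "lineno", None) or 0, "unparseable", stage)]
    found = set()
    for node in ast.walk(tree):
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            # "from urllib import request" resolves to urllib.request
            modules = [node.module] + [f"{node.module}.{a.name}" for a in node.names]
        elif isinstance(node, ast.Call) and node.args:
            func = getattr(node.func, "id", getattr(node.func, "attr", ""))
            arg = node.args[0]
            if func in DYNAMIC and isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                modules = [arg.value]
        for module in modules:
            if _watched(module):
                found.add((filename, node.lineno, _watched(module), stage))
    return sorted(found)

def audit_package(files):
    """Audit a {filename: source} mapping and return all findings, sorted."""
    return sorted(f for name, src in files.items() for f in audit_source(name, src))

if __name__ == "__main__":
    for filename, line, module, stage in audit_package(SAMPLE):
        print(f"{filename}:{line}: {module} ({WATCHED.get(module, 'review by hand')}, {stage})")
```

<p>The audit only sees imports written as statements or as string literals passed to __import__ or import_module; names assembled at run time are not resolved, so a clean result narrows review rather than replacing it.</p>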
