April 18, 2022
Anomali Threat Research

Anomali Cyber Watch: RaidForums Seized, Sandworm Attacks Ukrainian Power Stations, North Korea Steals Chemical Secrets, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, China, Cyberespionage, North Korea, Spearphishing, Russia, Ukraine,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-041822.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lazarus-dream-job-chemical" target="_blank">Lazarus Targets Chemical Sector</a></h3> <p>(published: April 14, 2022)</p> <p>In January 2022, Symantec researchers discovered a new wave of Operation Dream Job. This operation, attributed to the North Korea-sponsored group Lazarus, utilizes fake job offers via professional social media and email communications. With the new wave of attacks, Operation Dream Job switched from targeting the defense, government, and engineering sectors to targeting South Korean organizations operating within the chemical sector. A targeted user executes an HTM file sent via a link. The HTM file is copied to a DLL file to be injected into the legitimate system management software. It downloads and executes the final backdoor: a trojanized version of the Tukaani project LZMA Utils library (XZ Utils) with a malicious export added (AppMgmt). After the initial access, the attackers gain persistence via scheduled tasks, move laterally, and collect credentials and sensitive information.<br /> <b>Analyst Comment:</b> Organizations should train their users to recognize social engineering attacks including those posing as “dream job” proposals. Organizations facing cyberespionage threats should implement a defense-in-depth approach: layering of security mechanisms, redundancy, fail-safe defense processes.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947145" target="_blank">[MITRE ATT&CK] Signed Binary Proxy Execution - T1218</a> | <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&CK] Credentials from Password Stores - T1555</a><br /> <b>Tags:</b> Lazarus, Operation Dream Job, North Korea, source-country:KP, South Korea, target-country:KR, APT, HTM, CPL, Chemical sector, Espionage, Supply chain, IT sector</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.group-ib.com/oldgremlin_comeback" target="_blank">Old Gremlins, New Methods</a></h3> <p>(published: April 14, 2022)</p> <p>Group-IB researchers have released their analysis of threat actor OldGremlin’s new March 2022 campaign. OldGremlin favored phishing as an initial infection vector, crafting intricate phishing emails that target Russian industries. The threat actors utilized the current war between Russia and Ukraine to add a sense of legitimacy to their emails, with claims that users needed to click a link to register for a new credit card, as current ones would be rendered useless by incoming sanctions. The link leads users to a malicious Microsoft Office document stored within Dropbox. When macros are enabled, the threat actor’s new, custom backdoor, TinyFluff, a new version of their old TinyNode backdoor, is installed. TinyFluff would launch Node.js to enable remote access to the machine. Once TinyFluff ensures that it is not running on a virtual environment, the backdoor proceeds to install TinyCrypt (TinyCryptor), a custom ransomware payload.<br /> <b>Analyst Comment:</b> Phishing continues to be a major initial infection vector for threat actors. Invest in anti-phishing training, as it is the best protection against phishing. Never click on links from suspicious emails. Threat actors will often incorporate current events into their emails and add a false sense of urgency to pressure users to click links. Always slow down and carefully examine unknown emails before clicking on links.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3905073" target="_blank">[MITRE ATT&CK] Dynamic Resolution - T1568</a> | <a href="https://ui.threatstream.com/ttp/947224" target="_blank">[MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&CK] Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a><br /> <b>Tags:</b> OldGremlin, Ransomware, TinyNode, TinyFluff, TinyCrypt, TinyCryptor, DGA, DNS tunnel, Russia, target-country:RU, Belarus, target-country:BY</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.malwarebytes.com/reports/2022/04/nginx-zero-day-vulnerability-check-if-youre-affected/" target="_blank">NGINX Zero-Day Vulnerability: Check if You’re Affected</a></h3> <p>(published: April 13, 2022)</p> <p>BlueHornet (AgainstTheWest) tweeted 10th April 2022 claiming that they had successfully breached the China branch of UBS Securities that used NGINX 1.18, utilizing a new zero-day exploit. The vulnerability exists within the implementation of NGINX’s use of Lightweight directory access protocol (LDAP) for authentication. A backend python daemon can be used to configure the LDAP parameters. If the daemon is used whilst there are unused, optional parameters and LDAP authentication requires a specific group membership, unsanitized input can be passed to LDAP, changing configuration parameters and allowing for remote code execution. As a new vulnerability, it has not yet been recorded into the common vulnerabilities and exposures database (CVE) nor is a patch yet available, however NGINX assures that a patch for the vulnerability will be released soon.<br /> <b>Analyst Comment:</b> Unsanitized data handling is a common cause of code injection. Strip special characters from user input to mitigate against malicious code injection. When the new patch is released, a patch management policy will assist in ensuring vulnerable assets are patched and protected.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&CK] Exploitation for Client Execution - T1203</a><br /> <b>Tags:</b> NGINX, Zero Day, LDAP, BlueHornet, AgainstTheWest</p> </div> <div class="trending-threat-article"> <h3><a href="https://securelist.com/emotet-modules-and-recent-attacks/106290/" target="_blank">Emotet Modules and Recent Attacks</a></h3> <p>(published: April 13, 2022)</p> <p>Kaspersky researchers have released their research into new Emotet modules. Since Emotet’s return in January 2021, malware possesses an estimated 16 new modules, each with their own payload and hardcoded C2 domains. The initial infection vector for Emotet is phishing, with the malware being propagated by spam emails with malicious Microsoft Office attachments. The attachments will ask the user once opened to enable macros. Once enabled, a Powershell script is executed which will download the Emotet .dll and begin the installation of the malware. Kaspersky have identified 10 of the estimated 16 new modules, with four modules being dedicated to email-stealing, two for credential/password scraping from browser data, two for spam, one for listing the current running process on the victim machine and one final UPnP module for testing external connection potential.<br /> <b>Analyst Comment:</b> The best defense against Emotet is anti-phishing training. Never click on attachments from spam emails or untrusted senders. Macros are a common method for executing malicious code therefore, never enable macros on suspicious documents.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947114" target="_blank">[MITRE ATT&CK] Office Application Startup - T1137</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/3904531" target="_blank">[MITRE ATT&CK] Encrypted Channel - T1573</a><br /> <b>Tags:</b> Emotet, Microsoft, Spam, Phishing, Powershell</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.rapid7.com/blog/post/2022/04/12/cve-2022-24527-microsoft-connected-cache-local-privilege-escalation-fixed/" target="_blank">CVE-2022-24527: Microsoft Connected Cache Local Privilege Escalation (Fixed)</a></h3> <p>(published: April 12, 2022)</p> <p>Microsoft has released a patch for a new vulnerability recorded as CVE-2022-24527, that exists within the Connected Cache feature of Windows Endpoint Manager. The exploit allows for arbitrary Powershell execution at “System” level of privileges. Connected Cache contains a series of Powershell scripts that are executed every 60 seconds by the Task Scheduler. The “SetDrivesToHealthy.ps1” script will attempt to load a module named webAdministration. If no such module is installed, malicious users can create their own module named webAdministration containing malicious code which will then be executed.<br /> <b>Analyst Comment:</b> Apply patches as soon as possible for exploits when they are released. A strong patch management policy will assist in minimizing downtime of critical assets that need patched. Additionally, disabling the caching feature will mitigate CVE-2022-24527.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a><br /> <b>Tags:</b> CVE-2022-24527, Powershell, Task Scheduler, Privilege Escalation</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank">Tarrask Malware Uses Scheduled Tasks for Defense Evasion</a></h3> <p>(published: April 12, 2022)</p> <p>Microsoft Researchers have detailed the activities of China-associated threat actor HAFNIUM, who utilize Windows scheduled tasks functionality to maintain persistence and communication with their C2 infrastructure. As of late February 2022, HAFNIUM have been using a new, presumed custom malware named Tarrask which specializes in defense evasion and is able to hide malicious scheduled tasks from normal investigation tools such as Task Scheduler and schtasks /query. Tarrask is able to delete the Security Descriptor (SD) value from the task’s Tree registry. Deleting the SD value will remove the task from appearing in Task Scheduler and schtasks /query, forcing security practitioners to manually inspect the registry for signs of persistence.<br /> <b>Analyst Comment:</b> Enumerate Scheduled Tasks registries to assist in locating signs of persistence, as those registry keys will be the ones manipulated by the malware. Additionally, leverage tools, like a SIEM, to closely monitor network traffic for anomalous activity which may indicate potential C2 communications.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&CK] Hide Artifacts - T1564</a><br /> <b>Tags:</b> Tarrask, Privilege Escalation, Microsoft, Windows, HAFNIUM</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/" target="_blank">Industroyer2: Industroyer Reloaded</a></h3> <p>(published: April 12, 2022)</p> <p>ESET and CERT-UA researchers have released a joint analysis of an attack against Ukrainian power stations that occured 8th April 2022, attributable to APT group Sandworm (BlackEnergy, Telebots), a suspected Russia-based APT group. Sandworm utilized Scheduled Task to execute a new variant of Industroyer malware named Industroyer2 at 2022-04-08 at 16:10:00 UTC. Industroyer2 is highly modular, able to communicate with multiple ICS systems simultaneously whilst having a different payload for each. Currently, the exact actions taken against the power substations is unknown, however it is known that Industroyer2 is able to terminate legitimate processes. In addition to Industroyer2, multiple wiper malware were also deployed at the same time with Scheduled Tasks. Caddywiper was deployed, in addition to a wiper aimed at Linux and Solaris systems. All wipers with the exception of the Solaris wiper were obfuscated.<br /> <b>Analyst Comment:</b> A defense in depth approach can assist in creating a proactive stance against threat actors attempting to destroy data. Critical ICS systems should be segregated from each other to minimize potential damage, with any attack surfaces closely monitored for malicious activity. A strong and enforced backup policy will assist in a fast recovery of compromised systems.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402541" target="_blank">[MITRE ATT&CK] Data Destruction - T1485</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&CK] Data Obfuscation - T1001</a><br /> <b>Tags:</b> Caddywiper, Industroyer, Industroyer2, Sandworm, Ukraine, ICS</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet" target="_blank">Enemybot: A Look into Keksec’s Latest DDos Botnet</a></h3> <p>(published: April 12, 2022)</p> <p>FortiGuard researchers have conducted research on Enemybot, a new DDoS Botnet that has been active since February 2022. The botnet is attributed to Keksec, a cryptomining threat actor. Enemybot is modular and the majority of its source code comes from Gafgyt (Bashlite), with select modules from the Mirai botnet. The botnet is heavily obfuscated with a variety of techniques including XOR encoding and substitution cypher cryptography. Furthermore, Enemybot has a variety of techniques to gain access to and infect more machines including a hardcoded list of weak username/password combinations, accessing Android devices that expose Android Debug Bridge port (5555), and routers that are vulnerable to an ever-changing list of vulnerabilities.<br /> <b>Analyst Comment:</b> Monitor machine resource usage to detect any anomalous increases that may indicate your device is being used as part of a botnet. Close any unused ports to prevent their unauthorized usage. A strong patch management policy will assist in protecting your assets whenever a vulnerability is discovered.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/2402529" target="_blank">[MITRE ATT&CK] Endpoint Denial of Service - T1499</a> | <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&CK] Network Denial of Service - T1498</a> | <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&CK] Data Obfuscation - T1001</a><br /> <b>Tags:</b> Enemybot, Keksec, DDos, Botnet, Mirai, Gafgyt, XOR, Android</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/raidforums-hacking-forum-seized-by-police-owner-arrested/" target="_blank">RaidForums Hacking Forums Seized by Police, Owner Arrested</a></h3> <p>(published: April 12, 2022)</p> <p>Police have taken control of the infrastructure of popular hacking forum RaidForums and the lead administrator and founder, Diogo Santos (known as Omnipotent) was arrested 31st January 2022. The operation, named TOURNIQUET, was a joint effort between Europol and the police forces of Portugal, Romania, Sweden, the UK, and the US which resulted in the seizure of the three domains associated with the forum; raidforums.com, Rf.ws, and Raid.Lol. Users of the Forum suspect that the Forums have been taken over since February, as that is when the login page began to loop, a suspected attempt from law enforcement to harvest the credentials of users. The popular forum allegedly had over 500,000 users and was a popular place where threat actors would buy and sell databases of stolen credentials, particularly PII, credit card details and social security numbers.<br /> <b>Analyst Comment:</b> Whilst a significant achievement, the removal of RaidForums will not affect the criminal Darkweb scene in a major way. Most threat actors will migrate to other forums, or new forums with different administrators will be created.<br /> <b>Tags:</b> RaidForums, Europol, UK, US, Sweden, Romania, Portugal, TOURNIQUET</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.malwarebytes.com/threat-analysis/2022/04/credential-stealing-malware-disguises-itself-as-telegram-targets-social-media-users/" target="_blank">Credential-Stealing Malware Disguises Itself as Telegram, Targets Social Media Users</a></h3> <p>(published: April 11, 2022)</p> <p>Malwarebytes have released a blog detailing, Spyware.FFDroider, a Windows based spyware. The spyware presents itself as freeware and a cracked version of Telegram on stores but in actuality is a cookie stealing software that is packed with Aspack to hide its malicious functionality. Spyware.FFDroider has different modules for different browsers, including Chrome, Firefox, and Microsoft Edge, with each module designed to harvest credentials from popular websites such as Amazon, Ebay, Facebook, and Twitter. Once cookies are stolen, the spyware will attempt to authenticate using them, afterwards proceeding to steal user account information and exfiltrating all stolen credentials to a C2 domain.<br /> <b>Analyst Comment:</b> Always remain skeptical of illegitimate software, or cracked versions of legitimate software. Such software is often modified to be malicious and is unsafe to install or execute. Never grant an untrustworthy program administrator privileges.<br /> <b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&CK] Data Obfuscation - T1001</a><br /> <b>Tags:</b> Spyware.FFDroider, Telegram, Chrome, Firefox, Microsoft Edge, Facebook, Amazon, Ebay, Twitter, Aspack, Spyware</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week&#39;s Anomali Cyber Watch can be found below:</p> <p><a href="https://ui.threatstream.com/actor/281" target="_blank">Lazarus Group</a><br /> The Advanced Persistent Threat group (APT) “Lazarus Group” is believed to be based in the Democratic People&#39;s Republic of Korea (DPRK) and has been active since at least 2009. Lazarus Group is believed to be composed of operatives from “Bureau 121” (121국), the cyber warfare division of North Korea’s Reconnaissance General Bureau. The Reconnaissance General Bureau was formed due to a reorganization in 2009 but its exact structure is not known due to North Korea’s denial and deception tactics. Bureau 121 is North Korea’s most important cyber unit that is used for both offensive and defensive operations. Bureau 121 are referred, in South Korean open-source media, as the “Electronic Reconnaissance Bureau’s Cyber Warfare Guidance Bureau” (전자정찰국 사이버전지도국). The term “guidance” in the context of North Korea often denotes that an organization is personally overseen by the head of state of North Korea as a strategically significant entity. Lazarus Group has targeted financial organizations since at least July 2009, The group is well known for their tendency to engage in data destruction/disk wiping attacks, and network traffic Distributed Denial-of-Service (DDoS) attacks, typically against the Republic of Korea (South Korea). The group targets various industries and sectors including South Korean and US government organizations, Non-Governmental Organizations (NGO), media and entertainment organizations, as well as shipping and transportation organizations, Korean hydro and nuclear power, and jamming of South Korean GPS.</p> <p><a href="https://ui.threatstream.com/actor/97506" target="_blank">HAFNIUM</a><br /> HAFNIUM, a suspected Advanced Persistent Threat (APT) group associated with China, primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. They have compromised victims by exploiting vulnerabilities in internet-facing servers, and have used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, HAFNIUM was also observed interacting with victim Office 365 tenants. While they were often unsuccessful in compromising customer accounts, this reconnaissance activity likely helped HAFNIUM identify more details about their targets’ environments.</p> <p><a href="https://ui.threatstream.com/actor/134201" target="_blank">Mummy Spider</a><br /> Mummy Spider is a cybercrime actor that was first identified by the security community in June 2014. Mummy Spider is associated with Emotet malware that they used initially as a banking trojan, but has been updated over time to function as a modular downloader. Mummy Spider operates Emotet as-a-service and it was used to delivers multiple malwares such as Cobalt Strike, IcedID, Gootkit, Trickbot among others. Mummy Spider targets all industries and on a global scale by distributing the Emotet trojan via wide-scale malspam campaigns with malicious attachments or hyperlinks embedded in email messages.</p> <p><a href="https://ui.threatstream.com/vulnerability/2035823" target="_blank">CVE-2022-24527</a><br /> Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.