October 18, 2022
Anomali Threat Research

Anomali Cyber Watch: Ransom Cartel Uses DPAPI Dumping, Unknown China-Sponsored Group Targeted Telecommunications, Alchimist C2 Framework Targets Multiple Operating Systems, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, China, Cyberespionage, Hacktivism, Ransomware,</b> and <b>Russia</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/OLqwO9jTPi65JCL8Wxw3"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/" target="_blank">Ransom Cartel Ransomware: A Possible Connection With REvil</a></h3> <p>(published: October 14, 2022)</p> <p>Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came to existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil obfuscation engine capabilities. Ransom Cartel has almost no obfuscation outside of the configuration: unlike REvil it does not use string encryption and API hashing. Among multiple tools utilized by Ransom Cartel, the DonPAPI credential dumper is unique for this group. It performs Windows Data Protection API (DPAPI) dumping by targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys.<br/> <b>Analyst Comment:</b> Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic that is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947094" target="_blank">[MITRE ATT&amp;CK] External Remote Services - T1133</a> | <a href="https://ui.threatstream.com/ttp/3904310" target="_blank">[MITRE ATT&amp;CK] Software Deployment Tools - T1072</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3905348" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947273" target="_blank">[MITRE ATT&amp;CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947222" target="_blank">[MITRE ATT&amp;CK] Account Manipulation - T1098</a> | <a href="https://ui.threatstream.com/ttp/3905768" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/947257" target="_blank">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/3297570" target="_blank">[MITRE ATT&amp;CK] File and Directory Permissions Modification - T1222</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947145" target="_blank">[MITRE ATT&amp;CK] Signed Binary Proxy Execution - T1218</a> | <a href="https://ui.threatstream.com/ttp/3905778" target="_blank">[MITRE ATT&amp;CK] Impair Defenses - T1562</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a> | <a href="https://ui.threatstream.com/ttp/947276" target="_blank">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947123" target="_blank">[MITRE ATT&amp;CK] Network Share Discovery - T1135</a> | <a href="https://ui.threatstream.com/ttp/947189" target="_blank">[MITRE ATT&amp;CK] Account Discovery - T1087</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3904552" target="_blank">[MITRE ATT&amp;CK] Use Alternate Authentication Material - T1550</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3905097" target="_blank">[MITRE ATT&amp;CK] Archive Collected Data - T1560</a> | <a href="https://ui.threatstream.com/ttp/3905082" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Web Service - T1567</a> | <a href="https://ui.threatstream.com/ttp/947139" target="_blank">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> actor:Ransom Cartel, Ransomware-as-a-service, Double extortion, malware-type:Ransomware, DonPAPI, malware-type:Credential dumper, actor:REvil, Linux, VMware, ESXi, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state" target="_blank">Budworm: Espionage Group Returns to Targeting U.S. Organizations</a></h3> <p>(published: October 13, 2022)</p> <p>Six to eight years ago, China-sponsored group Emissary Panda (aka APT27, Budworm, TG-3390) was heavily targeting US organizations. Later it stopped targeting the US and was largely focused on Asia, Europe, and the Middle East. Over the past six months, the group has returned to the US targeting (a US state legislature), and attacked the government of a Middle Eastern country, as well as a multinational electronics manufacturer. These recent attacks started by exploiting the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) in the Apache Tomcat service on servers in order to install web shells. The attackers abused the CyberArk Viewfinity software for DLL side-loading to install various malware and tools. These include: their custom HyperBro backdoor, the PlugX backdoor, and/or using a number of commodity tools (Cobalt Strike, Fast Reverse Proxy (FRP), the Fscan intranet scanning tool, the IOX proxy and port-forwarding tool, and the LaZagne credential dumping tool.<br/> <b>Analyst Comment:</b> Keep operating systems updated. Establish baseline activity to detect unauthorized introduction of abused software. Block known Emissary Panda command-and-control infrastructure (available in the Anomali platform).<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a><br/> <b>Tags:</b> actor:Budworm, mitre-group:Threat Group-3390, actor:APT27, actor:Emissary Panda, China, APT, source-country:CN, USA, target-country:US, target-region:Middle East, mitre-software:HyperBro, malware-type:Backdoor, malware-type:Loader, mitre-software:PlugX, Log4j, CVE-2021-44228б CVE-2021-45105, VPS, Vultr, Telstra, CyberArk Viewfinity, mitre-software:Cobalt Strike, detection:LaZagne, detection:IOX, detection:FRP, detection:Fscan, target-sector:Government NAICS 92, target-sector:Manufacturing NAICS 33</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html" target="_blank">Alchimist: A New Attack Framework in Chinese for Mac, Linux and Windows</a></h3> <p>(published: October 13, 2022)</p> <p>Talos researchers have discovered a new attack framework dubbed Alchimist. It operates as a standalone GoLang-based executable that carries the implants and the whole web user interface written in simplified Chinese. Alchimist is targeting Windows, Linux, and macOS systems. It uses the Insekt RAT to target Windows and Linux. Alchimist MacOSX exploitation is based on a Mach-O dropper file that contains a CVE-2021-4034 privilege escalation exploit and a bind shell backdoor. Alchimist can choose one of the three protocols for C2 communication: regular TLS, Server Name Indication (SNI), or WebSocket Secure/WebSocket (WSS/WS).<br/> <b>Analyst Comment:</b> Attack frameworks such as Alchimist are easy-to-use off-the-shelf tools that can be abused by a wide range of attackers. All known indicators associated with in-the-wild use of Alchimist are available in the Anomali platform and customers are advised to block these on their infrastructure. Organizations should implement strict policies regarding download and file execution on the endpoints and servers.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947273" target="_blank">[MITRE ATT&amp;CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947189" target="_blank">[MITRE ATT&amp;CK] Account Discovery - T1087</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3905778" target="_blank">[MITRE ATT&amp;CK] Impair Defenses - T1562</a><br/> <b>Tags:</b> detection:Insekt, malware-type:RAT, detection:Alchimist, C2 framework, Attack framework, Bind shell backdoor, Chinese, Go, SNI, WSS/WS, WebSocket Secure, Windows, Linux, macOS, CVE-2021-4034</p> </div> <div class="trending-threat-article"> <h3><a href="https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/" target="_blank">Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates</a></h3> <p>(published: October 13, 2022)</p> <p>HP researchers described a new ransomware dubbed Magniber. It is a single-client ransomware (focuses on home users), so it targets only Windows 10 and newer, and relies on users having administrative privileges. Since September 2022, Magniber spreads via ZIP files containing a JavaScript file that purports to be an antivirus or Windows update. Magniber uses the DotNetToJScript technique to run a .NET executable in memory only. For additional detection evasion, it bypasses User Account Control (UAC), and uses syscalls instead of standard Windows API libraries.<br/> <b>Analyst Comment:</b> If you think your system needs an update, use the official update channel. Configure your everyday account to be a user account and use an administrative account only when needed.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947133" target="_blank">[MITRE ATT&amp;CK] Custom Cryptographic Protocol - T1024</a> | <a href="https://ui.threatstream.com/ttp/3906164" target="_blank">[MITRE ATT&amp;CK] Abuse Elevation Control Mechanism - T1548</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/2402534" target="_blank">[MITRE ATT&amp;CK] Inhibit System Recovery - T1490</a><br/> <b>Tags:</b> detection:Magniber, malware-type:Ransomware, JavaScript, UAC bypass, DotNetToJScript, VBS, .NET, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/" target="_blank">WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware</a></h3> <p>(published: October 12, 2022)</p> <p>SentinelOne researchers detected a new China-sponsored cyberespionage activity dubbed WIP19. This activity was targeting IT service and telecommunications providers in Asia and the Middle East. A portion of WIP19 tools were authored by WinEggDrop, a Chinese-speaking malware author who has created tools for a variety of groups such as Operation Shadow Force. WinEggDrop has been active since 2014, and the version of its SQLMaggie backdoor used by WIP19 was time-stamped with 2019. WIP19 has been signing its malware with a certificate stolen from the DEEPSoft Korean company. The attackers avoided stable C2 infrastructure, completed their operations in a “hands-on keyboard” fashion, during an interactive session with compromised machines.<br/> <b>Analyst Comment:</b> Telecommunications companies should include likely cyberespionage attacks into their threat model. Defense-in-depth is an effective way to help mitigate potential APT activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/3905348" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a> | <a href="https://ui.threatstream.com/ttp/947079" target="_blank">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a><br/> <b>Tags:</b> actor:WIP19, China, source-country:CN, target-region:Asia, target-region:Middle East, detection:SQLMaggie, malware-type:Backdoor, malware-type:Implant, detection:ScreenCap, malware-type:Keylogger, malware-type:Credential dumper, WinEggDrop, Windows, target-sector:Telecommunications NAICS 517</p> </div> <div class="trending-threat-article"> <h3><a href="https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimate-apps/107690/" target="_blank">Malicious WhatsApp Mod Distributed Through Legitimate Apps</a></h3> <p>(published: October 12, 2022)</p> <p>Kaspersky researchers detected a new malicious WhatsApp modified build (mod) named YoWhatsApp (WhatsApp Plus). This malicious mod was brought to users through other legitimate applications: either through an ad in the Snaptube app, or through the Vidmate app internal store. The infected build of YoWhatsApp is a fully working messenger but it comes with a malicious module that decrypts and launches the main payload: Triada trojan. Infected users can lose control over their WhatsApp account, be set up for paid subscriptions, and end up distributing malicious spam.<br/> <b>Analyst Comment:</b> Application owners should vet the code they offer in their internal stores or via internal advertising. Android users should consider limiting the number of installed apps to those necessary and/or installing antivirus software on their device. Before adding an application, check its developer information, popularity, and reviews.<br/> <b>Tags:</b> detection:Triada, malware-type:Trojan, Malicious app, Android, WhatsApp, YoWhatsApp</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/us-airports-taken-down-in-ddos-attacks-by-pro-russian-hackers/" target="_blank">US Airports Taken Down in DDoS Attacks by Pro-Russian Hackers</a></h3> <p>(published: October 10, 2022)</p> <p>On October 10, 2022, Russia-based hacktivist group KillNet attacked websites of several major airports in the US with distributed denial-of-service (DDoS). The attack affected public-facing websites of the Los Angeles International Airport (LAX), Hartsfield-Jackson Atlanta International Airport (ATL), Chicago O'Hare International Airport (ORD), as well as smaller airports in Arizona, Colorado, Florida, Hawaii, Kentucky, and Mississippi.<br/> <b>Analyst Comment:</b> This DDoS attack came the same day as Russia activated its kinetic actions in Ukraine with major rocket and drone strikes targeting Ukrainian cities. Hacktivist groups tend to utilize DDoS attacks as their main vector to affect businesses and government entities that they are not happy with. Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put in place a business continuity plan in the unfortunate case that your company is the target of a significant DDoS attack. Anomali platform allows for access to updated actor profiles including the KillNet profile listed below.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a><br/> <b>Tags:</b> actor:KillNet, target-industry:Airports NAICS 4581, USA, target-country:US, Russia, source-country:RU, DDoS, Hacktivism</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:</p> <p><a href="https://ui.threatstream.com/actor/232781" target="_blank">KillNet</a><br/> KillNet, a Russia-affiliated hacktivist group specialized in distributed denial of service (DDoS) attacks, originally created on the basis of a Russian-speaking DDoS-for-hire group with the same name. On February 26, 2022, KillNet formed an Anonymous-like collective to wage war on Anonymous (a loosely affiliated group of volunteer hacktivists), Ukraine, and countries that support Ukraine in a way hostile to Russia. The group united with other threat groups (XakNet Team), DDoS actors and services such as Stresser[.]tech. KillNet’s most popular media on Telegram messenger had over 90,000 subscribers. Anomali observed over 30,000 US Dollars in Bitcoin moved to KillNet during February-July, 2022, both for its DDoS-for-hire and politically-motivated DDoS activities.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.