Anomali Cyber Watch: Ransomware Module Added to SOVA Android Trojan, Bitter APT Targets Mobile Phones with Dracarys, China-Sponsored TA428 Deploys Six Backdoors at Once, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, China, Cyberespionage, India, Malspam, Ransomware, Spearphishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

APT-C-35: New Windows Framework Revealed

(published: August 11, 2022)

The DoNot Team (APT-C-35) is an India-sponsored group active since at least 2016. Morphisec Labs researchers discovered a new Windows framework used by the group in a campaign targeting Pakistani government and defense departments. The attack starts with a spearphishing RTF attachment. If opened in a Microsoft Office application, it downloads a malicious remote template. After the victim enables editing (macros), a multi-stage framework deployment starts. It includes two shellcode stages followed by the main DLL, which, based on victim fingerprinting, downloads a custom set of additional information-stealing modules.
Analyst Comment: The described DoNot Team framework is unusual in its customization, fingerprinting, and module implementation. At the same time, the general theme of a spearphishing attachment that asks the targeted user to enable editing is not new and can be mitigated by anti-phishing training and Microsoft Office settings hardening.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Data from Network Shared Drive - T1039 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059
Tags: APT-C-35, DoNot Team, APT, India, source-country:IN, Government, Military, Pakistan, target-country:PK, Windows, MSOffice User-Agent, DLL, Shellcode, Macros, Remote template, Spearphishing
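A defender-side check for the remote-template delivery described above, added here as an example that is not part of the original Anomali summary or Morphisec's research. It scans an RTF or OOXML Word file for an externally hosted attached template, which is the reference a document needs in order to pull a remote template the way this lure does. The OOXML `attachedTemplate` relationship type and the RTF `{\*\template ...}` group are standard format features; the sample documents, the `template.example` host and the function names are constructed for this demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List

# OOXML relationship type that points a Word document at an attached template
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
PKG_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# A template target counts as remote when it is an http(s) URL or a UNC path
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)
# RTF records the attached template in a {\*\template ...} destination group
RTF_TEMPLATE = re.compile(rb"\{\\\*\\template\s+([^}]+)\}", re.IGNORECASE)


def remote_templates_in_docx(data: bytes) -> List[str]:
    """Return remote attachedTemplate targets declared in word/_rels/settings.xml.rels."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(PKG_NS + "Relationship"):
        target = rel.get("Target", "")
        if rel.get("Type") == ATTACHED_TEMPLATE and REMOTE_TARGET.match(target):
            hits.append(target)
    return hits


def remote_templates_in_rtf(data: bytes) -> List[str]:
    """Return remote template locations declared in an RTF file's template group."""
    hits: List[str] = []
    for m in RTF_TEMPLATE.finditer(data):
        target = m.group(1).decode("latin-1").strip()
        if REMOTE_TARGET.match(target):
            hits.append(target)
    return hits


def scan_for_remote_template(data: bytes) -> List[str]:
    """Dispatch on the file signature; unknown formats yield no findings."""
    if data.startswith(b"PK\x03\x04"):      # OOXML container (docx/dotx/docm)
        return remote_templates_in_docx(data)
    if data.startswith(b"{\\rtf"):          # RTF header
        return remote_templates_in_rtf(data)
    return []


def _build_docx(rels_xml=None) -> bytes:
    """Build a minimal OOXML zip; rels_xml, if given, becomes settings.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if rels_xml is not None:
            z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample inputs (not real malware); template.example is a placeholder host
MALICIOUS_RELS = b'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://template.example/stage1.dotm" TargetMode="External"/>
</Relationships>'''
LOCAL_RELS = b'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="file:///C:/Users/me/Templates/Normal.dotm" TargetMode="External"/>
</Relationships>'''
MALICIOUS_DOCX = _build_docx(MALICIOUS_RELS)
LOCAL_DOCX = _build_docx(LOCAL_RELS)
BENIGN_DOCX = _build_docx()
MALICIOUS_RTF = b"{\\rtf1\\ansi{\\*\\template http://template.example/stage1.dotm}\\par Hello}"
LOCAL_RTF = b"{\\rtf1\\ansi{\\*\\template C:\\Templates\\Normal.dotm}\\par Hello}"

if __name__ == "__main__":
    samples = [("malicious docx", MALICIOUS_DOCX), ("local-template docx", LOCAL_DOCX),
               ("benign docx", BENIGN_DOCX), ("malicious rtf", MALICIOUS_RTF), ("local rtf", LOCAL_RTF)]
    for label, blob in samples:
        print(f"{label}: {scan_for_remote_template(blob)}")
```

Run this over attachments at the mail gateway or in a sandbox pre-filter; a document that legitimately references an HTTP-hosted template is rare enough in most organizations that any hit deserves a look. It complements, rather than replaces, the Office hardening the analyst comment recommends, since a flagged document still needs the user to enable editing before the downloaded template's macros run.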

SOVA Malware Is Back and Is Evolving Rapidly

(published: August 11, 2022)

SOVA (S.O.V.A.) is a potent, quickly evolving Android banking trojan active since September 2019. Cleafy researchers described its newest versions, released in May and August 2022. The countries with the largest number of targeted banking apps are Spain, the Philippines, and the US, in that order. SOVA v4 increased the number of targeted banking apps from 90 to over 200 and added a new module targeting the Binance exchange and its Trust Wallet. The newest version, SOVA v5, is being actively tested in the wild with a newly added ransomware module.
Analyst Comment: SOVA is rented to various threat actors. Its ability to steal credentials and funds and to encrypt cell phones makes the potential infection costly to victims. Always keep your Android phone fully patched with the latest security updates. Only use the official Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
Tags: SOVA, S.O.V.A., Android, Banking trojan, Ransomware, VNC, Accessibility services, Spain, target-country:ES, USA, target-country:US, Philippines, target-country:PH, United Kingdom, target-country:UK, Germany, target-country:GE, Italy, target-country:IT, Finance, Banking, Binance, Trust Wallet, Cryptocurrency

BlueSky Ransomware: Fast Encryption via Multithreading

(published: August 10, 2022)

Unit 42 researchers described a new BlueSky ransomware that uses multithreading for faster encryption. BlueSky's multithreading and network search modules connect it to the Conti v3 source code. At the same time, similar to Babuk ransomware, BlueSky encrypts files using the ChaCha20 and Curve25519 algorithms. To evade security defenses, BlueSky uses string encryption, API obfuscation, and anti-debugging mechanisms.
Analyst Comment: The BlueSky ransomware is an emerging threat, and due to code similarities it may be detected as Conti by antivirus engines. Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Network Share Discovery - T1135 | [MITRE ATT&CK] Obfuscated Files or Information - T1027
Tags: BlueSky, Ransomware, Conti, Multithreading, CVE-2020-0796, SMBGhost, CVE-2021-1732, PowerShell, ChaCha20, Curve25519, JuicyPotato, Windows, Russia, source-country:RU, detection:W32/Conti

Novel News on Cuba Ransomware aka Greetings From Tropical Scorpius

(published: August 9, 2022)

Cuba Ransomware has existed since 2019, but beginning in early May 2022, Unit 42 researchers observed a threat actor deploying it with novel tools and techniques. To terminate security product processes, the Cuba Ransomware operators started writing a kernel driver that is signed with a certificate found in the Lapsus NVIDIA leak. For local privilege escalation, the attackers used a public proof of concept (PoC) to develop an exploit for a logic bug in the Common Log File System driver (CLFS.sys, CVE-2022-24521). The group developed the custom KerberCache tool to extract cached Kerberos tickets from a host's LSASS memory. Finally, the Cuba Ransomware group is actively developing a custom remote access trojan (RAT) dubbed RomCom RAT, which uses a unique command and control (C2) protocol that works over HTTP or ICMP requests.
Analyst Comment: Cuba Ransomware has adopted new tools and become a more prevalent threat in 2022. Network defenders should have advanced logging and detection capabilities for Windows Command Line and PowerShell events. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068
Tags: Cuba Ransomware, UNC2596, Ransomware, Tropical Scorpius, Industrial Spy ransomware, Lapsus, RomCom RAT, KerberCache, ZeroLogon, BurntCigar, ADFind, Net Scan, Mimikatz, PowerShell, Tox, USA, target-country:US, CVE-2020-1472, CVE-2022-24521

Bitter APT Group Using “Dracarys” Android Spyware

(published: August 9, 2022)

Active since 2013, the Bitter (T-APT-17) group is suspected of being sponsored by the Indian government. Cyble researchers studied the Dracarys Android spyware used by the group. Dracarys is spread via modified Signal, Telegram, WhatsApp, YouTube, and other chat applications; Bitter creates phishing websites for these apps that mimic the legitimate ones. Dracarys abuses the Accessibility permissions to run the application in the background, activate Device Admin, and perform auto-clicks. It receives commands from a Firebase server and exfiltrates collected contacts and other data to a command and control (C2) server controlled by the attacker. Dracarys can collect call logs, the list of installed applications, files, and SMS data, as well as capture screenshots and record audio.
Analyst Comment: The Bitter cyberespionage group is not limiting itself to desktop malware and actively attacks high-value Android users. Users should be wary of opening any links received via SMS or email on their phones. Download and install software only from official app stores such as the Play Store. Be careful when enabling Accessibility and other permissions.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Audio Capture - T1123 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: Dracarys, Bitter, APT, T-APT-17, India, source-country:IN, Android, Spyware, Cyberespionage, Accessibility Service

deBridge Finance Crypto Platform Targeted by Lazarus Hackers

(published: August 8, 2022)

The North Korea-sponsored Lazarus group continues targeting the cryptocurrency industry. In March 2022, the group was involved in the theft of 620 million US dollars in Ethereum from Axie Infinity's Ronin network bridge. In August 2022, Lazarus sent spearphishing emails with a “New salary adjustments” link to deBridge Finance employees. macOS users would download a benign PDF file, while opening the link on a Windows machine leads to a malicious ZIP archive containing HTML and LNK files. To prompt user execution, the HTML file masquerades as a PDF document and the LNK file as a TXT document holding the password for the promised information. The malware downloads additional code, profiles the victim machine, and ensures persistence by saving the generated malicious file in the startup folder.
Analyst Comment: North Korea continues to direct financially motivated attacks; it likely sees cryptocurrency assets as an appealing, easy-to-launder target. It is not clear whether such attacks could be stopped by US efforts to shut down related cryptocurrency exchange, mixing, and privacy services (such as the virtual currency mixer Tornado Cash). Users should receive anti-phishing training and be directed to verify the sender's full email address, especially when an attachment is involved. Organizations should have an internal protocol for how their team shares attachments and manages fund transfers.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Time Discovery - T1124
Tags: Lazarus group, Lazarus, CryptoCore, CryptoMimic, DangerousPassword, North Korea, source-country:KP, Cryptocurrency, Blockchain, deBridge Finance, Windows
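An added example, not code from the Anomali summary or its sources, that inspects a ZIP attachment for the kind of content described above: a Windows shortcut whose name ends in a document extension, and an HTML file named to look like a PDF. The LNK signature is the standard Shell Link header (size field plus ShellLink CLSID); the archive, its member names (the "New salary adjustments" lure name is reused from the summary), the extension lists and the function names are constructed for this demonstration.

```python
import io
import zipfile
from typing import List, Tuple

# Windows Shell Link (.lnk) header: HeaderSize 0x4C followed by the ShellLink CLSID
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Extensions that Windows executes or renders as active content on double-click (constructed list)
ACTIVE_EXTS = {"lnk", "html", "htm", "hta", "js", "jse", "vbs", "wsf", "exe", "scr", "bat", "cmd"}
# Document extensions a lure typically pretends to be (constructed list)
DOC_EXTS = {"pdf", "txt", "doc", "docx", "xls", "xlsx"}
# Leading bytes we can verify for a claimed document type
MAGIC = {"pdf": b"%PDF"}


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive member looks like a masquerading lure (empty if none)."""
    reasons: List[str] = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if head.startswith(LNK_MAGIC):
        reasons.append("Windows shortcut (.lnk) content")
    if ext in ACTIVE_EXTS and inner in DOC_EXTS:
        reasons.append(f"double extension .{inner}.{ext}")
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        reasons.append(f"claims .{ext} but content does not start with {expected!r}")
    return reasons


def inspect_archive(data: bytes) -> List[Tuple[str, str]]:
    """Read only the first bytes of each member and collect (member name, reason) findings."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as fh:
                head = fh.read(32)
            for reason in classify_member(info.filename, head):
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: two lures, one name/content mismatch, two benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("New salary adjustments.pdf.html", "<html><script>/* lure placeholder */</script></html>")
        z.writestr("password.txt.lnk", LNK_MAGIC + b"\x00" * 60)
        z.writestr("invoice.pdf", "<html>not really a pdf</html>")
        z.writestr("report.pdf", b"%PDF-1.7\n% benign placeholder\n")
        z.writestr("readme.txt", "plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```

Because it reads only the first 32 bytes of each member, the check is cheap enough to run on every archive attachment at the gateway. The LNK header test matters more than the name tests: a shortcut stays a shortcut whatever it is called, and an archive that carries one alongside a "document" is the pattern this campaign relies on.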

Targeted Attack on Industrial Enterprises and Public Institutions

(published: August 8, 2022)

The China-sponsored group TA428 launched a new spearphishing campaign targeting Afghanistan, Belarus, Russia, and Ukraine. Carefully crafted phishing emails often contained non-public information specific to the targeted organization (design bureaus and research institutes, government agencies, industrial plants, ministries and departments). Attached malicious Word documents exploited the Microsoft Equation Editor vulnerability CVE-2017-11882 to install the PortDoor malware. The attackers then installed five additional backdoors to achieve persistence, continuous communication, lateral movement, and information theft: Cotx, DNSep, Logtu, nccTrojan, and the newly discovered CotSam backdoor.
Analyst Comment: China-sponsored actors continue targeted exfiltration of sensitive military and industrial information. Organizations should implement automation to help users detect spoofed spearphishing emails and malicious attachments.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets - T1558 | [MITRE ATT&CK] Impair Defenses - T1562 | [MITRE ATT&CK] Proxy - T1090
Tags: TA428, PortDoor, nccTrojan, DNSep, Cotx, Logtu, CotSam, NBTscan, Ladon hacking framework, Spearphishing, CVE-2017-11882, detection:Win32.CotSam, detection:Win64.CotSam, Windows, Government, Military, Russia, target-country:BY, Ukraine, target-country:UA, Belarus, target-country:BY, Afghanistan, target-country:AF, China, source-country:CN, APT, Cyberespionage

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

CVE-2022-24521

Windows Common Log File System Driver Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-24481.

CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.

CVE-2017-11882

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
