Anomali Cyber Watch: RapperBot Persists on SSH Servers, Manjusaka Attack Framework Tested in China, BlackCat/DarkSide Ransom Energy Again, and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnet, China, Data breach, DDoS, Phishing, Ransomware, and Taiwan. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

So RapperBot, What Ya Bruting For?

(published: August 3, 2022)

RapperBot, a new Internet of things (IoT) botnet, is rapidly evolving despite appearing in the wild just two months ago (June 2022). Fortinet researchers discovered that RapperBot heavily reuses parts of the Mirai source code, but changes the attack vector (brute-forcing SSH instead of Telnet) and the command and control (C2) protocol, and adds persistence capabilities. RapperBot maintains remote access by adding the attacker's public key to ~/.ssh/authorized_keys. The latest RapperBot samples also started adding the root user "suhelper" to /etc/passwd and /etc/shadow, and continue to add the root user account every hour. Top targeted IPs were from Taiwan, USA, and South Korea, in that order. RapperBot has basic DDoS capabilities such as UDP and TCP STOMP flood copied from Mirai source code.
Analyst Comment: Despite sharing a significant amount of source code with Mirai variants, RapperBot appears to be developed by a persistent actor and not a novice motivated by notoriety. It is possible that the actors will add new impact functionality after the RapperBot botnet grows substantially. SSH server administrators should adhere to secure password practices. It is also important to note that simply restarting the device, changing SSH credentials or even disabling SSH password authentication does not remove the RapperBot infection.
MITRE ATT&CK: Valid Accounts - T1078 | Obfuscated Files or Information - T1027 | Deobfuscate/Decode Files or Information - T1140 | Network Denial of Service - T1498 | Account Manipulation - T1098 | Create Account - T1136 | Scheduled Task - T1053
Tags: RapperBot, Taiwan, target-country:TW, USA, target-country:US, South Korea, target-country:KR, SSH brute force, DDoS, IoT, ARM, MIPS, SPARC, x86, Linux, UDP flood, TCP STOMP, port:4343, port:4344, port:4345, port:48109, Mirai
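
Because a reboot or credential change leaves the persistence in place, a host check has to look at the artifacts themselves. The following is an added example, not code from Fortinet or Anomali: it audits passwd, shadow and authorized_keys content for extra UID 0 accounts, the "suhelper" entry, and keys missing from an approved list. The sample data, function names and the approved-fingerprint list are assumptions constructed for illustration.

```python
import base64
import hashlib

ROGUE_NAME = "suhelper"  # account name reported in the summary above

def uid0_accounts(passwd_text):
    """Names of all passwd entries with UID 0 (root-equivalent)."""
    rows = (l.split(":") for l in passwd_text.splitlines() if l and not l.startswith("#"))
    return [f[0] for f in rows if len(f) >= 7 and f[2] == "0"]

def key_fingerprints(keys_text):
    """SHA256 fingerprints, in ssh-keygen -l style, for each authorized_keys entry."""
    prints = []
    for line in keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # The blob follows the key-type token; options (without spaces) may precede it.
        for i, tok in enumerate(parts[:-1]):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")):
                digest = hashlib.sha256(base64.b64decode(parts[i + 1])).digest()
                prints.append("SHA256:" + base64.b64encode(digest).decode().rstrip("="))
                break
    return prints

def audit(passwd_text, shadow_text, keys_text, approved):
    """Return (finding, detail) tuples for the persistence artifacts."""
    findings = [("uid0-account", n) for n in uid0_accounts(passwd_text) if n != "root"]
    if any(l.split(":")[0] == ROGUE_NAME for l in shadow_text.splitlines()):
        findings.append(("shadow-entry", ROGUE_NAME))
    findings += [("unapproved-key", fp) for fp in key_fingerprints(keys_text)
                 if fp not in approved]
    return findings

# Constructed sample data (not real keys or password hashes).
ADMIN_BLOB = base64.b64encode(b"constructed admin key blob").decode()
OTHER_BLOB = base64.b64encode(b"constructed unknown key blob").decode()
PASSWD = "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1::/:/sbin/nologin\nsuhelper:x:0:0::/:/bin/sh\n"
SHADOW = "root:*:19000:0:99999:7:::\nsuhelper:$1$constructed$hash:19000:0:99999:7:::\n"
KEYS = f"# admin key\nssh-ed25519 {ADMIN_BLOB} admin@host\nssh-rsa {OTHER_BLOB} unknown\n"
APPROVED = set(key_fingerprints(f"ssh-ed25519 {ADMIN_BLOB} admin@host"))

if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, KEYS, APPROVED):
        print(*finding)
```

Since the account is re-added every hour, a finding that reappears after cleanup indicates the bot process is still running on the device.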

Woody RAT: A New Feature-Rich Malware Spotted in the Wild

(published: August 3, 2022)

Malwarebytes researchers have identified a new Remote Access Trojan (RAT) dubbed Woody Rat. It has been used by unidentified attackers for at least one year targeting Russian organizations in the aerospace industry. Two kinds of spearphishing attachment were used. Initially, Woody Rat was delivered via an archived executable with the double extension .DOC.EXE. More recently, the attackers switched to Microsoft Office documents leveraging the Follina (CVE-2022-30190) vulnerability. Woody Rat allows for information discovery and data exfiltration, remote execution via multiple methods, and can remove itself from disk.
Analyst Comment: A significant number of obscure features and the targeted use show that Woody Rat is likely used by an advanced persistent threat (APT). System administrators should make sure that all exposed Windows systems have the June 2022 cumulative updates installed to address the Follina vulnerability. Educate your users on the handling of suspected spearphishing emails.
MITRE ATT&CK: Phishing - T1566 | User Execution - T1204 | Exploitation for Client Execution - T1203 | Application Layer Protocol - T1071 | Peripheral Device Discovery - T1120 | System Information Discovery - T1082 | Query Registry - T1012 | System Network Configuration Discovery - T1016 | System Owner/User Discovery - T1033 | Process Discovery - T1057 | Ingress Tool Transfer - T1105 | File and Directory Discovery - T1083 | Data from Local System - T1005 | Screen Capture - T1113 | Command and Scripting Interpreter - T1059 | Indicator Removal on Host - T1070 | Process Injection - T1055
Tags: Woody Rat, RAT, Follina, CVE-2022-30190, Russia, target-country:RU, APT, Aerospace, Spearphishing, Multithreading, AES-CBC, PowerShell, Assembly, Microsoft Word, Windows, DLL

Large-Scale AiTM Attack Targeting Enterprise Users of Microsoft Email Services

(published: August 2, 2022)

Zscaler researchers discovered a new large-scale phishing campaign targeting credentials for corporate Microsoft email services. The campaign uses a custom proxy-based phishing kit to bypass multi-factor authentication (MFA) by utilizing the adversary-in-the-middle (AiTM) technique. The attack starts as a business email compromise (BEC) phishing email with a link, and the attacker domains are often using typosquatting to mimic the targeted organization. Attackers utilize extensive browser fingerprinting to filter out sandboxes and research machines. The final destination of the phishing link is hidden using various redirecting techniques such as open redirect using DoubleClick, Google Ads, and Snapchat domains, as well as abusing code editing/hosting services such as CodeSandbox and Glitch.
Analyst Comment: Researchers and network defenders should be aware that a growing number of malicious links are using fingerprinting to display benign content to sandboxes and security analysts. To avoid a false negative, try overriding a virtual machine graphic card record in your browser, and possibly accessing the link without using a VPN address potentially known to the attacker. Users should be advised to verify the domain in the address bar of the browser before entering any credentials.
MITRE ATT&CK: Phishing - T1566 | Software Discovery - T1518 | Credentials in Files - T1081 | System Time Discovery - T1124 | Proxy - T1090
Tags: Phishing, Adversary-in-the-middle, Microsoft, MFA bypass, BEC, FinTech, Lending, Insurance, Energy, Manufacturing, USA, target-country:US, target-country:UK, New Zealand, target-country:NZ, Australia, target-country:AU, Proxy-based, Cloaking, Browser fingerprinting, URL redirection, Typosquatting, Open Redirect, detection:HTML.Phish.Microsoft

Increase in Chinese "Hacktivism" Attacks

(published: August 2, 2022)

Starting from July 29, 2022 and culminating on August 2, 2022, multiple small and medium-size distributed denial of service (DDoS) attacks caused intermittent outages across several government websites in Taiwan. These attacks followed tensions over China's opposition to US House Speaker Nancy Pelosi’s trip to Taiwan. SANS researcher Johannes Ullrich reported that the observed small/medium application-specific DDoS attacks are coming from Chinese IP addresses. He also detected a slight increase in SSH scanning and scanning for known vulnerabilities in WordPress and other common targets coming from Chinese consumer IP addresses.
Analyst Comment: The Chinese government is likely holding back their cyber assets for a potential later use against Taiwan so as not to burn them ahead of time. For monitoring and preparing for possible escalation, the Anomali platform provides threat bulletins covering Chinese cyber activities, plus ThreatStream users can add the “Threat Actor Monitoring - China-Based Actors” custom dashboard. Organizations connected to Taiwan and the US should consider dedicated DDoS protection for their public web-facing resources. Keep your systems updated, and use strong administrative passwords and multifactor authentication (MFA) to mitigate the ongoing vulnerability scanning and brute-force attempts.
MITRE ATT&CK: Network Denial of Service - T1498
Tags: Taiwan, target-country:TW, Nancy Pelosi, USA, Geopolitical, Government, China, source-country:CN, DDoS, Hacktivism, WordPress, Vulnerability scanning, SSH scanning

Manjusaka: A Chinese Sibling of Sliver and Cobalt Strike

(published: August 2, 2022)

Talos researchers discovered Manjusaka, a new attack framework developed in the GuangDong region of China. Manjusaka has a limited-functionality version freely available on GitHub. It includes Windows and Linux implants written in Rust and a C2 executable — a fully functional C2 ELF binary written in Go. Talos detected in-the-wild use of Manjusaka implants. The detected C2 IP address was serving two attack frameworks, Manjusaka and Cobalt Strike, the latter coming from an infection chain involving a malicious document with content related to COVID-19 in Qinghai Province, China.
Analyst Comment: Manjusaka can become an alternative to Cobalt Strike and other offensive frameworks. Its versatile programming foundation and the additional ability to target Linux-based systems make it especially dangerous. Manjusaka's origin and its C2 interface in Simplified Chinese can make it especially popular among Chinese-speaking actors. Organizations should use a defense-in-depth approach: network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.
MITRE ATT&CK: Application Layer Protocol - T1071 | Obfuscated Files or Information - T1027 | Deobfuscate/Decode Files or Information - T1140 | System Owner/User Discovery - T1033 | System Information Discovery - T1082 | Credentials from Password Stores - T1555 | File and Directory Discovery - T1083 | Screen Capture - T1113 | System Network Configuration Discovery - T1016 | System Network Connections Discovery - T1049 | System Time Discovery - T1124 | Signed Binary Proxy Execution - T1218 | Ingress Tool Transfer - T1105
Tags: Manjusaka, RAT, Sliver, Cobalt Strike, Go, Rust, CS beacon, Maldoc, VBA, rundll32.exe, COVID-19, GitHub, China, Windows, Linux, target-region:Qinghai Province

LockBit Ransomware Exploits Windows Defender to Sideload Cobalt Strike Payload

(published: August 2, 2022)

SentinelOne researchers detected a new sideloading sub-technique used by LockBit 3.0 (LockBit) ransomware operators. The actors used the legitimate Windows Defender command line tool MpCmdRun.exe to sideload a weaponized mpclient.dll, which decrypts and loads Cobalt Strike payloads. The initial intrusion flow was in line with previously detected LockBit activity: the attackers exploited the Log4j vulnerability against an unpatched VMware Horizon Server and installed a web shell using publicly available proof-of-concept PowerShell code.
Analyst Comment: It is crucial that your company ensures that servers are always running the most current software version and patches. Abusing a security component to sideload a malicious DLL allows the attackers to enjoy a context with additional exceptions granted. System administrators should be mindful regarding security controls for products like VMware and Windows Defender. Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
MITRE ATT&CK: Hijack Execution Flow - T1574 | Data Encrypted for Impact - T1486 | Exploit Public-Facing Application - T1190 | Command and Scripting Interpreter - T1059 | Ingress Tool Transfer - T1105 | Obfuscated Files or Information - T1027 | Deobfuscate/Decode Files or Information - T1140
Tags: LockBit, LockBit 3.0, LockBit Black, Ransomware, Windows Defender, Cobalt Strike, Sideloading, Windows, VMWare Horizon, MpCmdRun.exe, PowerShell, PowerShell Empire, Meterpreter, DLL
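
The sideloading described above leaves a recognizable trace in module-load telemetry: MpCmdRun.exe, or the mpclient.dll it loads, sitting outside Defender's own directories. The following added example (not SentinelOne's or Anomali's detection logic) applies that check to constructed events using the Sysmon image-load field names Image and ImageLoaded. The trusted directory list is an assumption based on default Defender install locations and should be adjusted to the environment.

```python
import ntpath  # Windows path semantics, usable on any analysis host

# Assumption: default locations of the Defender binaries.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

def is_trusted(path):
    """True if the normalized path lies inside a trusted Defender directory."""
    p = ntpath.normpath(path).lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def sideload_findings(events):
    """Flag MpCmdRun.exe processes that run from, or load mpclient.dll from, untrusted paths."""
    findings = []
    for ev in events:
        image, loaded = ev["Image"], ev["ImageLoaded"]
        if ntpath.basename(image).lower() != "mpcmdrun.exe":
            continue
        if not is_trusted(image):
            findings.append((ev["Computer"], "MpCmdRun.exe outside Defender directory", image))
        if ntpath.basename(loaded).lower() == "mpclient.dll" and not is_trusted(loaded):
            findings.append((ev["Computer"], "mpclient.dll loaded from untrusted path", loaded))
    return findings

# Constructed image-load events (hosts and paths are illustrative).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "Image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll"},
    {"Computer": "srv02", "Image": r"C:\Users\Public\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\mpclient.dll"},
    {"Computer": "ws03",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    for finding in sideload_findings(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```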

BlackCat Ransomware Claims Attack on European Gas Pipeline

(published: August 1, 2022)

On July 22-23, two Luxembourgish subsidiaries of the European energy company Encevo fell victim to the ALPHV (BlackCat) ransomware group. Both the energy provider Enovos and the grid operator Creos were affected by the data loss. These energy organizations had many of their systems locked, but the supply of energy to existing customers continued. Encevo says they refused to pay any ransom to the attackers. It is not known if ALPHV will go through with their threat to publish 150GB of data they allegedly stole from Encevo.
Analyst Comment: ALPHV (BlackCat) is the rebranded version of the DarkSide ransomware group that went into hiding after attacking the Colonial Pipeline energy company. It is interesting that the rebranded group is not shy about attacking critical energy infrastructure again; possibly the smaller size of Luxembourg (population less than 700,000) plays into their decision. Organizations should audit user accounts with administrative privileges and configure access controls based on the principle of least privilege. Implement network segmentation, and keep backup copies offline, air-gapped, and password-protected. Use multifactor authentication (MFA) where possible.
MITRE ATT&CK: Data Encrypted for Impact - T1486
Tags: ALPHV, BlackCat, DarkSide, Ransomware, Double extortion, EU, target-region:Europe, Luxembourg, target-country:LU, Oil and Gas, Energy, Creos Luxembourg, Encevo, Enovos

Raccoon Stealer v2: The Latest Generation of the Raccoon Family

(published: July 29, 2022)

The Raccoon Stealer malware family has been available on a malware-as-a-service basis since 2019. In July 2022, Zscaler researchers detected a new version referred to as Raccoon Stealer v2. The infostealer was ported from C++ to C and Assembly. For obfuscation, instead of relying on packers, the new stealer dynamically resolves each of the necessary API functions. It also discarded the use of the Telegram Bot API for C2 discovery. Instead, the new Raccoon uses hardcoded encrypted IP addresses and iterates over them.
Analyst Comment: A new major version release and the change of programming language show that the Raccoon Stealer malware-as-a-service is an active and evolving threat. The developers try new ways to avoid detection and to help other attackers deploy this infostealer. Network defenders are advised to block traffic to known Raccoon Stealer v2 C2 nodes (available in the Anomali platform).
MITRE ATT&CK: Credentials from Password Stores - T1555 | Process Discovery - T1057 | System Information Discovery - T1082 | System Owner/User Discovery - T1033 | Obfuscated Files or Information - T1027 | Deobfuscate/Decode Files or Information - T1140 | Application Layer Protocol - T1071 | Data Staged - T1074 | Ingress Tool Transfer - T1105 | Steal Web Session Cookie - T1539
Tags: Raccoon Stealer, Raccoon Stealer v2, String obfuscation, RC4, C++, Infostealer, Windows, Malware-as-a-service, detection:Win32.PWS.Raccoon, EXE, DLL

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.

