February 1, 2022
Anomali Threat Research

Anomali Cyber Watch: Researchers Break Down WhisperGate Wiper Malware, Trickbot Will Now Try To Crash Researcher PCs to Stop Reverse Engineering Attempts, New DeadBolt Ransomware Targets QNAP Devices

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>CVE-2022-21882, DazzleSpy , DeadBolt, DTPacker, Trickbot,</b> and <b>WhisperGate</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/XADZftA9Rq2xjQYkGsvP"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/" target="_blank">Windows Vulnerability With New Public Exploits Lets You Become Admin </a></h3> <p>(published: January 29, 2022)</p> <p>A new vulnerability, tracked as CVE-2022-21882 was discovered by researcher RyeLv in early January 2022. The exploit is a bypass to a previous vulnerability, CVE-2021-1732, and affects all Windows 10 machines that have not applied January’s Patch Tuesday patch. This vulnerability is a privilege escalation exploit, which grants administrator level privileges and allows for the creation of new admin accounts, as well as lateral movement. The exploit abuses a flaw in the manner in which the kernel handles callbacks, changing the flag ConsoleWindow. This will modify the window type, and tricks the system into thinking tagWND.WndExtra is an offset of the kernel desktop heap, thereby granting administrator level read and write access.<br/> <b>Analyst Comment:</b> Apply patches when they become available to keep your systems and assets protected from the latest attacks and vulnerabilities. This is essential when new vulnerabilities are discovered as threat actors will actively attempt to exploit them. A strong patch management policy combined with an effective asset management policy will assist you in keeping your assets up to date and protected.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947273">[MITRE ATT&amp;CK] Create Account - T1136</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a><br/> <b>Tags:</b> Windows, Priviledge escalation, CVE-2021-1732, CVE-2022-21882</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://threatpost.com/shipment-delivery-scams-a-fav-way-to-spread-malware/178050/" target="_blank">Shipment-Delivery Scams Become the Favored Way to Spread Malware</a></h3> <p>(published: January 28, 2022)</p> <p>Researchers at Cofense and Checkpoint have documented a series of Phishing campaigns throughout Q4 of 2021. The campaign imitates large known delivery brands such as DHL or the US postal service, and aims to abuse the trust these companies have associated with them to manipulate their targets into clicking malicious links or files. The most prominent tactic is to provide a link to a missed package, capitalizing on current global supply chain issues. Once clicked, TrickBot malware is delivered, though other campaigns are delivering as of yet non-attributed trojans. The malicious links in these campaigns are not particularly sophisticated, and are easily identified as false as they lead to domains outside the company they are targeting.<br/> <b>Analyst Comment:</b> Never click on attachments or links from untrustworthy sources, and verify with the legitimate sender the integrity of these emails. Treat any email that attempts to scare, coerce, provide a time limit or force you to click links or attachments with extreme suspicion.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> Trickbot, DHL, Phishing, Trojan</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034" target="_blank">PwnKit: Local Privilege Escalation Vulnerability Discovered in Polkit’s Pkexec (CVE-2021-4034)</a></h3> <p>(published: January 27, 2022)</p> <p>Qualys research team has discovered a vulnerability named CVE-2021-4034 within polkit’s pkexec, a program installed on Linux distributions by default. The vulnerability allows for root level privilege escalation as well as command execution through the introduction of insecure environment variables. With default configuration, popular distributions of Linux including Ubuntu, CentOS and Debian are all vulnerable in their default configurations.<br/> <b>Analyst Comment:</b> Create and implement a patch management policy to keep systems up to date and protected when new vulnerabilities are discovered. A strong asset management policy will assist in identifying which assets are vulnerable to exploitation and patch prioritization of critical infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3906161">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a><br/> <b>Tags:</b> CVE-2021-4034, PwnKit, pkexe, Privilege escalation, Linux</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank">DazzleSpy: Pro-democracy org Hijacked to Become MacOS Spyware Distributor</a></h3> <p>(published: January 26, 2022)</p> <p>A new macOS malware dubbed DazzleSpy has been discovered by ESET researchers and Google Threat Analysis Group. The malware leveraged a watering hole attack focused on pro-democracy websites and media outlets regarding Hong Kong. Initial infection utilized a XNU privilege escalation vulnerability on macOS Catalina now tracked as CVE-2021-30869, which resulted in backdoor malware execution. These exploits were executed by malicious code delivered via iframes from a radio station website between 30th September and 4th November 2021. After successful exploitation, DazzleSpy gains read and write permissions, which then allows it to perform a variety of functions including executing shell commands, launching remote sessions, downloading files and enumerating files.<br/> <b>Analyst Comment:</b> Never click on links that are untrustworthy, always verify their legitimacy. Apply all patches that are released by vendors to mitigate against vulnerabilities. Collect logs from various sources including command line history to identify potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> DazzleSpy, Hong Kong, Watering hole, Backdoor, CVE-2021-30869</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/" target="_blank">Trickbot Will Now Try to Crash Researcher PCs to stop Reverse Engineering Attempts</a></h3> <p>(published: January 26, 2022)</p> <p>IBM Truster Researchers have documented a series of upgrades to the modular Trickbot malware that assist in detection avoidance and anti-reverse engineering. The malware utilizes a Javascript loader to facilitate server-side injection that grants greater real time control over malware delivery. A new anti-reverse engineering technique has been employed that crashes computers analyzing the malware. If researchers attempt to beautify code, a Trickbot RegEx will detect it and trigger a loop that will increase it’s dynamic array size recursively. This will overload the computer’s memory and crash it.<br/> <b>Analyst Comment:</b> Centralizing log collection within a SIEM will assist in monitoring outbound connections to identify anomalous activity that could be potential C2 connections. Anomali Match and Threatstream can assist in investigating malicious activity and can check your logs against known indicators of compromise.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> Trickbot, HTTPS, Javascript, Detection avoidance, anti-reverse engineering</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/new-deadbolt-ransomware-targets-qnap-devices-asks-50-btc-for-master-key/" target="_blank">New DeadBolt Ransomware Targets QNAP Devices, Asks 50 BTC for Master Key</a></h3> <p>(published: January 26, 2022)</p> <p>Taiwanese company QNAP was victim to a series of ransomware attacks that began on 25th January. The ransomware, identified as DeadBolt and operated by the threat group DeadBolt Gang, claimed that a zero day exploit was utilized to gain access to internet facing systems. The ransom notes left in the form of a hijacked login page, demands 0.03 Bitcoin ($1100 USD) to decrypt an individual machine, 5 Bitcoins ($184,000) for information regarding the zero day exploit and 50 Bitcoins ($1.85 million) for the master decryption key for all affected systems. The master key payment is to be paid to the crypto wallet address of bc1qnju697uc83w5u3ykw7luujzupfyf82t6trlnd8. Unusually for a ransomware attack, the threat actors refuse to communicate or provide a means of contact.<br/> <b>Analyst Comment:</b> Always maintain a comprehensive backup plan that can be used to restore access to critical systems and files in the event of an attack. Priority should then be placed upon mitigation of the means of access the threat actors used to gain access to the system, to prevent further exploitation.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/2402523">[MITRE ATT&amp;CK] Defacement - T1491</a><br/> <b>Tags:</b> DeadBolt, Ransomware, Zero day, QNAP</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent-tesla/" target="_blank">Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies</a></h3> <p>(published: January 25, 2022)</p> <p>Unit 42 researchers have discovered a significant surge in Agent Tesla and Dridex malware between 27th July and 1st December 2021, with both being dropped by malicious Excel add-ins. The initial infection vector began with a phishing email, with recipients receiving either a malicious XLL file or a XLM file as an attachment. If an XLL was attached, an intermediate dropper is received that downloads Agent Tesla and Dridex from Discord. If a XLM attachment, a VBS downloader is instead dropped which in turn downloads Dridex hosted on Discord.<br/> <b>Analyst Comment:</b> Never open links or attachments from unknown sources and delete any suspicious emails. Office file attachments and Macro enabled files are common infection vectors and should be treated with extreme suspicion. Ensure that credentials are stored safely via defense in depth to mitigate against credential theft.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Dridex, Agent Tesla, XLL, XLM, Phishing</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/segway-store-compromised-with-magecart-skimmer/" target="_blank">Segway Store Compromised with Magecart Skimmer</a></h3> <p>(published: January 24, 2022)</p> <p>Malwarebytes researchers recently discovered that the Segway company website was potentially compromised by a Magecart skimmer. A connection to a malicious domain was uncovered, one that has been active since November 2021 and connected to the Ant and Cockroach campaign, though the compromise has been dated back to early January 2021. The skimmer is dynamically loaded via JavaScript code disguised as a Copyright statement, with the skimmer itself being embedded within a favicon.ico file. The image is preserved, however a hex editor reveals the modification. Many countries have been exposed to the skimmer, including the USA, Australia and Canada.<br/> <b>Analyst Comment:</b> Monitor network traffic to identify any unusual domains that are being connected too. Anomali Threatstream can assist in investigations into threat actors and their associated domains, malware and C2 servers. Maintain a defense in depth approach to minimize data exfiltration.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3904494">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&amp;CK] Automated Collection - T1119</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a><br/> <b>Tags:</b> Magecart Group 12, Magecart, Skimmer, Segway, USA, Australia, UK</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.proofpoint.com/us/blog/threat-insight/dtpacker-net-packer-curious-password-1" target="_blank">Unusual ‘Donald Trump’ Packer Malware Delivers RATs, Infostealers</a></h3> <p>(published: January 24, 2022)</p> <p>A .NET malware packer named DTPacker has seen a resurgence in popularity as of late 2021, as noted by Proofpoint researchers. Tracking the packer since 2020, researchers have documented the functionality of DTPacker, with the ultimate goal of the packer to deliver Agent Tesla, although Ave Maria, AsyncRAT and Formbook have also been spread. DTPacker is noticeable for having dual functionality It can function as both a packer that contains its own payloads, and also as a downloader to fetch payloads from a command and control server. The downloader portion of the malware contains its namesake, with a hardcoded password referencing Donald Trump.<br/> <b>Analyst Comment:</b> Monitor network traffic for unusual or unauthenticated outbound connections, which may indicate a C2 connection. Anomali Match can assist in identifying any C2 indicators of compromise within your network. Studying computer resource usage can help detect the presence of spyware that is abusing those resources.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/3904494">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a><br/> <b>Tags:</b> Spyware, Agent Tesla, Formbook, Ave Maria, AsyncRAT, packer, DTPacker, downloader</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement/#ftag=RSSbaffb68" target="_blank">Researchers Break Down WhisperGate Wiper Malware Used in Ukraine Website Defacement</a></h3> <p>(published: January 24, 2022)</p> <p>A new malware, dubbed WhisperGate, was observed targeting domains owned by the Ukrainian government in early January 2022. The targeting resulted in the defacement of 70 of government-owned websites, with an additional 10 suffering interference. Cisco Talos has alleged that stolen credentials were used for the initial infection. Microsoft has released it’s analysis of the malware detailing it’s execution cycle. It first attempts to delete the master boot record with one of it’s wipers, before downloading some code and using a hardcoded downloader to retrieve a DLL. The DLL is a dropper obfuscated with Eazfuscator that executes a VBscript to disrupt Windows Defender and execute another wiper, targeting fixed and remote logical drives. This cyberattack compromised two Ukrainian government websites at a time where there is an increased tensions with Russia due to troop amassment at the countries shared border. This suggests geopolitical intent and potential state-sponsored actors. WhisperGate invites comparison to NotPetya, sharing it’s destructive capabilities and camouflage as ransomware though no link is yet established between the two.<br/> <b>Analyst Comment:</b> Enforce a strong password policy to maintain the strength of credential defenses. Adopting a defense in depth approach to security will mitigate the harm caused during a stolen credential attack. Monitoring network traffic will assist in identifying anomalous activity within your network.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/3905778">[MITRE ATT&amp;CK] Impair Defenses - T1562</a> | <a href="https://ui.threatstream.com/ttp/2402541">[MITRE ATT&amp;CK] Data Destruction - T1485</a><br/> <b>Tags:</b> NotPetya, WhisperGate, Ukraine, Russia, Defacement, Windows Defender, VBscript, Eazfuscator</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://research.checkpoint.com/2022/scammers-are-creating-new-fraudulent-crypto-tokens-and-misconfiguring-smart-contracts-to-steal-funds/" target="_blank">Scammers are Creating New Fraudulent Crypto Tokens and Misconfiguring Smart Contracts to Steal Funds</a></h3> <p>(published: January 24, 2022)</p> <p>Check Point Research have documented recent techniques threat actors utilize to steal Crypto wallet funds through the abuse of smart contracts functions after initial access through Phishing campaigns. Smart contracts charge not the owner of the contract, but the one who executes it’s commands, in addition to being able view the code for executed functions. Thus, actors that have access to the contract can inject new functions into the contracts that charge users for their use, or modify the charge cost of a function and then return it to it’s default value after the money has been charged. Furthermore, compromised smart contracts can be abused to set permissions as to who can sell tokens, as well as create new tokens to sell or “burn” tokens, destroying them to inflate the price.<br/> <b>Analyst Comment:</b> Care should be taken when exposing crypto wallets. Consider only using trusted marketplaces. Only use smart contract technology that is secure. Take all precautions when dealing with potential Phishing attacks, never click links or open attachments from untrustworthy sources.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3905776">[MITRE ATT&amp;CK] Hide Artifacts - T1564</a><br/> <b>Tags:</b> Cryptocurrency, Phishing, Smart Contracts, EVM, Blockchain</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.