November 2, 2021
Anomali Threat Research

Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> Data leak, Critical services, Money laundering, Phishing, Ransomware, </b> and <b> Supply-chain</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">BlackMatter: New Data Exfiltration Tool Used in Attacks</a></h3> <p>(published: November 1, 2021)</p> <p>Symantec researchers have discovered a custom data exfiltration tool, dubbed Exmatter, being used by the BlackMatter ransomware group. The same group was also responsible for the Darkside ransomware, the variant behind the May 2021 Colonial Pipeline outage. Exmatter is compiled as an obfuscated .NET executable. It is designed to steal sensitive data and upload it to an attacker-controlled server as fast as possible, prior to deployment of the ransomware. The speed is achieved through multiple filtering mechanisms: a directory exclusion list, a filetype whitelist, exclusion of files under 1,024 bytes, exclusion of files with certain attributes, and a filename string exclusion list. Exmatter is under active development: three newer versions have been found in the wild.<br/> <b>Analyst Comment:</b> Exmatter follows two custom data exfiltration tools linked to the LockBit ransomware operation. Attackers narrow their data sources down to those deemed most profitable or business-critical in order to speed up the whole exfiltration process. 
This makes it even more crucial for defenders to be prepared to quickly stop any detected exfiltration operation.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a><br/> <b>Tags:</b> Exmatter, BlackMatter, Darkside, Ransomware, Exfiltration, Data loss prevention</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Iran Says Israel, U.S. Likely Behind Cyberattack on Gas Stations</a></h3> <p>(published: October 31, 2021)</p> <p>Iranian General Gholamreza Jalali, head of Iran’s passive defense organization, went on state-run television to blame Israel and the U.S. for an October 26, 2021 cyberattack that paralyzed gasoline stations across the country. The attack on Iran's fuel distribution chain forced the shutdown of a network of filling stations. The incident disabled the government-issued electronic subsidy cards that tens of millions of Iranians use to purchase fuel at discounted prices. Jalali said the attack bore similarities to cyber strikes on Iran’s rail network and the Shahid Rajaee port. The latest attack displayed a message reading "cyberattack 64411" on gas pumps when people tried to use their subsidy cards. Similarly, in July 2021, attackers targeting Iranian railroads prompted victims to call 64411, the phone number for the office of Supreme Leader Ali Khamenei.<br/> <b>Analyst Comment:</b> Iran has not provided evidence to support the attribution, so the attack could have come from less sophisticated hacktivists among Kurds or Saudis. Organizations providing critical services should harden their security posture. 
Anomali will deliver detailed proposals once the investigation progresses.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Data Manipulation - T1565</a><br/> <b>Tags:</b> Oil And Gas, Iran, Government, Ali Khamenei, Middle East, USA, Israel, Critical infrastructure</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">TA575 Uses ‘Squid Game’ Lures to Distribute Dridex Malware</a></h3> <p>(published: October 28, 2021)</p> <p>Proofpoint researchers have discovered a new campaign by the large cybercrime group TA575, which has been exploiting the popularity of Netflix’s series Squid Game to spread the Dridex banking trojan. The group has been distributing Dridex through emails pretending to come from someone working on the show, using a few varying subject lines. The campaign was detected on October 27, 2021, when thousands of emails targeted all industries, primarily in the United States. The emails contain Excel documents with macros that download the Dridex banking trojan from Discord servers.<br/> <b>Analyst Comment:</b> Threat actors often exploit current events and trending movies in their malspam campaigns. Users should be trained to recognize that eye-catching subject lines are often used in phishing attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Non-Standard Port - T1571</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Dridex, USA, Phishing, Squid Game, Netflix, Banking and Finance, Banking trojan, Discord, Malspam</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Threat Analysis Report: Snake Infostealer Malware</a></h3> <p>(published: October 28, 2021)</p> <p>Cybereason has released a report on the Snake malware. 
Snake is a feature-rich information-stealing malware that can steal credentials from over 50 applications, including File Transfer Protocol (FTP) clients, email clients, communication platforms, and web browsers. It has keystroke logging, clipboard capture, screenshot, and credential theft capabilities, including theft of WiFi passwords and the Windows product key. Snake can exfiltrate stolen data through a variety of protocols, such as FTP, Simple Mail Transfer Protocol (SMTP), and Telegram. First seen in November 2020, it has been a constant threat, with a spike in use in late August 2021 and no specific targeting trend by industry or geography. Snake is written in .NET and has many similarities with three other infostealers, Matiex, FormBook, and Agent Tesla, possibly due to code reuse.<br/> <b>Analyst Comment:</b> Anti-phishing training is crucial, as Snake typically requires user interaction with archived attachments in phishing emails. Monitor outgoing network traffic for data exfiltration activity. 
Use multi-factor authentication (MFA) where possible.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Unsecured Credentials - T1552</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Clipboard Data - T1115</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Automated Exfiltration - T1020</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Impair Defenses - T1562</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Transfer - T1029</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Time Discovery - T1124</a><br/> <b>Tags:</b> Snake, Matiex, FormBook, Agent Tesla, Infostealer, Sandbox evasion</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">DECAF Ransomware: 
A New Golang Threat Makes Its Appearance</a></h3> <p>(published: October 28, 2021)</p> <p>Researchers at Morphisec Labs have identified a new Golang-based ransomware variant that first appeared in late September 2021 and continued to be developed through October. The ransomware, dubbed Decaf, was identified in September, but the threat actors quickly stripped the original alpha version, added functionality, and uploaded a stub version to verify its detection score. Within a week they had deployed a fully weaponized version on a customer site. Malware written in Golang 1.17 is harder to analyze because that release changed the calling convention, i.e. how parameters are passed to functions.<br/> <b>Analyst Comment:</b> Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of a ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Decaf, Ransomware, Golang, Malware development, Reverse engineering</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">THREAT ALERT: Malicious Code Implant in the UAParser.js Library</a></h3> <p>(published: October 27, 2021)</p> <p>Unknown actors have compromised several versions of the popular JavaScript library UAParser.js by injecting malicious code that deploys cryptocurrency-mining (XMRig) and information-stealing (DanaBot) malware. 
According to statistics on the developers' page, many projects use the library, which is downloaded over seven million times per week. Kaspersky researchers warn of a possible supply-chain compromise risk, as UAParser.js is deployed on many websites and used in the software development process of various companies, including Amazon, Apple, Dell, Facebook, HPE, IBM, Microsoft, Mozilla, Oracle, and Slack; some software developers also use third-party code-testing tools that depend on this library. On Linux systems the malicious code checks the host's location to avoid targeting Belarus, Kazakhstan, Russia, or Ukraine.<br/> <b>Analyst Comment:</b> Affected users should remove the malware and update to the patched UAParser.js versions: 0.7.30, 0.8.1, and 1.0.1. Users and administrators should change all credentials that were used on computers where an infected version was installed.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a><br/> <b>Tags:</b> UAParser.js, Library, Supply-chain, Cryptojacking, Information stealer, Npm, Danabot, XMRig, Russia</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Almost 100 Organizations in Brazil Targeted with Banking Trojan</a></h3> <p>(published: October 26, 2021)</p> <p>As many as 98 organizations in Brazil have been targeted with a banking trojan since approximately late August 2021, with the most recent activity seen in early October. The targeted sectors were financial services, government, information technology, manufacturing, and professional services. This campaign appears to be a continuation of activity published by ESET researchers in September 2020. 
The attackers appear undeterred by exposure, and Symantec has found a large number of new indicators of compromise (IOCs) relating to this latest wave of attacks. As in 2020, the attackers use DLL search-order hijacking, malicious files larger than 100 MB to evade submission to security services, and initial persistence through either the Windows Registry or Windows Management Instrumentation (WMI).<br/> <b>Analyst Comment:</b> Ensure you have multi-factor authentication enabled on all financial accounts. Train your staff to recognize and handle phishing and other suspicious, unsolicited email.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a><br/> <b>Tags:</b> Infostealer.Bancos, Banking trojan, Banking And Finance, South America, Brazil, Government, Manufacturing, IT, DLL search-order hijacking, Windows Registry, Windows Management Instrumentation, Side-loading</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">SquirrelWaffle Leverages Malspam to Deliver Qakbot, Cobalt Strike</a></h3> <p>(published: October 26, 2021)</p> <p>Cisco Talos researchers have discovered new malspam campaigns using a new loader called SquirrelWaffle to deliver Qakbot and Cobalt Strike malware. These campaigns use stolen email threads so that the malicious messages appear as replies in those threads, similar to how the virulent Emotet malware works. The SquirrelWaffle emails are most often written in English, but the language of the reply message shifts to match the original email thread; in some cases it was French, German, Dutch, or Polish. 
The emails typically contain hyperlinks to malicious ZIP archives containing Microsoft Office documents with malicious macros that deliver SquirrelWaffle as a malicious DLL, which is then executed using rundll32.exe. These malware distribution campaigns appear to be taking advantage of previously compromised WordPress websites. The threat actors use multiple anti-analysis techniques, including network-based checks, an IP blocklist, geographic filtering, and required execution parameters. SquirrelWaffle campaigns are likely automated to some extent: for example, every few days the actors rotate their landing page URL schema, and the malicious document builder rotates its function names and hashes.<br/> <b>Analyst Comment:</b> Website owners should regularly update their servers, content management systems, and plugins. Phishing education training should raise awareness that attackers may utilize stolen email chains. A defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various defense evasion techniques.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Rundll32 - T1085</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a><br/> <b>Tags:</b> SquirrelWaffle, AZORult, Emotet, Cobalt Strike, Qakbot, English, French, German, Malspam, Rundll32.exe, WordPress, Detection evasion</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">Money Launderers for Russian Hacking Groups Arrested in Ukraine</a></h3> <p>(published: October 26, 2021)</p> <p>The Cyber Security Department of the Security Service of Ukraine (SSU) carried out a joint operation at the request of U.S. intelligence services. 
The suspected group targeted in this operation was located in Mykolayiv, Ukraine, and allegedly laundered millions of dollars for cyber threat actors from various countries, including Russia. Searches also resulted in the seizure of malicious hardware and software; it turned out that the identified criminals had also prepared and sold flash drives infected with malware that cracked digital wallets to steal cryptocurrency.<br/> <b>Analyst Comment:</b> Don’t buy hardware such as flash drives from untrusted sources. Verify the receiver’s address before sending a financial transaction, especially if it is a non-reversible cryptocurrency transaction.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] Hardware Additions - T1200</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Data Manipulation - T1565</a><br/> <b>Tags:</b> Hardware, Cryptocurrency, Cryptostealer, Money laundering, Arrest, Russia, Ukraine</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="" target="_blank">NOBELIUM Targeting Delegated Administrative Privileges to Facilitate Broader Attacks</a></h3> <p>(published: October 25, 2021)</p> <p>Microsoft describes new nation-state activity associated with the threat actor tracked as Cozy Bear (Nobelium, APT29) and attributed to Russia's Foreign Intelligence Service (SVR). The group was attempting to gain access to downstream customers of multiple cloud service providers (CSPs), managed service providers, and other IT services organizations that have been granted administrative or privileged access by other organizations. The targeted activity has been observed against organizations based in the United States and across Europe since May 2021. The threat actor is the same actor behind the SolarWinds compromise in 2020, and this latest activity shares the hallmarks of the actor's compromise-one-to-compromise-many approach. 
The actor is leveraging existing technical trust relationships between the provider organizations and the governments, think tanks, and companies they serve. For initial access, Cozy Bear used a diverse and dynamic toolkit that includes sophisticated malware, password sprays, supply chain attacks, token theft, API abuse, and spear phishing.<br/> <b>Analyst Comment:</b> Remove delegated administrative privileges that are no longer in use. Review, harden, and monitor all tenant administrator accounts, business-to-business (B2B) accounts, and local administrator accounts in customer tenants. Do not use “shared” administrator accounts. Enforce multi-factor authentication (MFA) and conditional access policies. Review and audit logs and configurations.<br/> <b>MITRE ATT&amp;CK: </b> <a href="" target="_blank">[MITRE ATT&amp;CK] External Remote Services - T1133</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a><br/> <b>Tags:</b> Nobelium, Cozy Bear, APT29, SVR, EU, USA, Government, Think tanks, Russia, Microsoft, Azure AD, Phishing, Password spray</p> </div>
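As an added example (not Anomali's code, nor the UAParser.js project's), the following Node.js script checks a parsed npm package-lock.json for installed copies of ua-parser-js, including transitive copies nested under other packages, against the patched versions named in the UAParser.js story above (0.7.30, 0.8.1, 1.0.1); the sample lockfile contents are constructed.

```javascript
// Added example, not Anomali's or the UAParser.js project's own code: scan a parsed
// npm package-lock.json for ua-parser-js and check each installed copy against the
// patched floor of its release line (0.7.30, 0.8.1, 1.0.1, as named in the advisory).
const PATCHED_FLOOR = { "0.7": [0, 7, 30], "0.8": [0, 8, 1], "1.0": [1, 0, 1] };

function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// "ok": patched release or later on a named line; "below-patched-floor": older than
// that line's patched release; "unknown": unparseable or a line the advisory omits.
function classify(version) {
  const v = parseSemver(version);
  if (!v) return "unknown";
  const line = `${v[0]}.${v[1]}`;
  if (!(line in PATCHED_FLOOR)) return "unknown";
  return compareVersions(v, PATCHED_FLOOR[line]) >= 0 ? "ok" : "below-patched-floor";
}

// Collect every ua-parser-js entry, including nested transitive copies. lockfileVersion
// 2/3 list flat paths under "packages"; lockfileVersion 1 nests "dependencies".
// v2 files carry both, so "packages" is preferred to avoid double counting.
function findUaParser(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/ua-parser-js") && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "ua-parser-js" && meta.version) found.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found.map((f) => ({ ...f, status: classify(f.version) }));
}
// Constructed sample lockfile: a patched direct copy plus an older transitive copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "1.0.1" },
    "node_modules/some-tool": { version: "2.3.0" },
    "node_modules/some-tool/node_modules/ua-parser-js": { version: "0.7.28" },
  },
};
for (const e of findUaParser(SAMPLE_LOCK)) console.log(`${e.status}\t${e.version}\t${e.path}`);
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to findUaParser instead of SAMPLE_LOCK; a "below-patched-floor" result for any nested copy means the advisory's update advice has not yet reached that dependency chain.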
