The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Backdoors, Blockchain, DDoS, Fraud, Phishing, Remote access trojans, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
(published: December 17, 2023)
The QakBot (Qbot) malware, which started as a banking trojan in 2008, evolved into a malware delivery service and was disrupted by law enforcement in August 2023. On December 11, 2023, Microsoft researchers observed QakBot being distributed again, targeting the hospitality industry through phishing emails that pretend to come from an IRS employee. The email contains a PDF file with a link to a digitally signed Windows Installer (MSI) file. When the user downloads and opens this MSI, it launches QakBot by executing the "hvsi" export of an embedded DLL. The delivered QakBot payload carried the previously-unseen version number 0x500.
Analyst Comment: The best defense against QakBot is anti-phishing training. Never click on attachments from spam emails or untrusted senders. For example, the US Internal Revenue Service (IRS) never asks for additional information via email sent from a generic free online account with prompts to download and execute a suspicious file format (MSI). Network indicators associated with this QakBot campaign are available in the Anomali platform, and customers are advised to block these on their infrastructure. ThreatStream users are welcome to join the "Anomali Free Sample Malware" trusted circle and filter for recent QakBot indicators.
MITRE ATT&CK: [MITRE ATT&CK] Initial Access - Phishing: Spearphishing Link [T1566.002] | [MITRE ATT&CK] T1204.001 - User Execution: Malicious Link | [MITRE ATT&CK] Execution - User Execution: Malicious File [T1204.002] | [MITRE ATT&CK] Command and Control - Remote File Copy [T1105]
Tags: malware:Qbot, malware-type:Downloader, target-industry:Hospitality, file-type:DLL, file-type:MSI, file-type:PDF, target-system:Windows
(published: December 16, 2023)
Storm-0539 is a financially-motivated group that has been active since late 2021. Microsoft has issued a warning about an increase in Storm-0539’s malicious activity. This group is responsible for orchestrating gift card fraud and theft through sophisticated email and SMS phishing attacks against retail entities, particularly during the holiday shopping season. The attacks involve the propagation of booby-trapped links typically containing one of the four strings: /Udlaps/, /Usrlop/, /adls/index[.]html, or /saml2/index[.]html. These links lead victims to phishing pages capable of harvesting their credentials and session tokens. Once access is gained, Storm-0539 bypasses MFA protections and persists in the environment using the fully compromised identity. The group also collects emails, contact lists, and network configurations for follow-on attacks.
Analyst Comment: Network defenders are advised to strengthen their security posture and adhere to strong credential hygiene. If your organization becomes aware of a compromise anywhere in its user base, consider enterprise-wide re-authentication to invalidate potentially-stolen session tokens. Users should be educated on the risks of holiday-time phishing and smishing attacks; in this case, emphasize the level of research the attacker invests in crafting convincing phishes and smishes that specifically target the organization.
MITRE ATT&CK: [MITRE ATT&CK] T1598.003 - Phishing for Information: Spearphishing Link | [MITRE ATT&CK] T1539 - Steal Web Session Cookie
Tags: actor:Storm-0539, technique:Gift card fraud, technique:Credential phishing, technique:MFA bypass, technique:Smishing
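The report lists four URL path fragments that recur in Storm-0539 phishing links. The following added example (not Anomali code) shows how a defender can sweep web proxy logs for those fragments. The log format is an assumed, constructed space-separated one (timestamp, client IP, method, URL, status), the host names are placeholders, and the report's defanged `[.]` notation is reversed before matching.

```python
"""Scan web proxy log lines for the Storm-0539 URL path markers from the report.

Added example, not Anomali's code. Assumed log line format (constructed):
    <timestamp> <client_ip> <method> <url> <status>
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Path fragments from the report. The report defangs them as "[.]html";
# here they are written as they appear in live traffic.
STORM_0539_PATH_MARKERS = (
    "/Udlaps/",
    "/Usrlop/",
    "/adls/index.html",
    "/saml2/index.html",
)

# Matches the assumed five-field proxy log format above.
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def refang(value: str) -> str:
    """Turn a defanged indicator ("hxxp", "[.]") back into its real form."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def matched_marker(url: str) -> Optional[str]:
    """Return the marker present in the URL path, or None.

    Matching is case-insensitive on purpose: the path casing in a phishing
    kit can vary while the directory names stay the same.
    """
    path = urlparse(refang(url)).path.lower()
    for marker in STORM_0539_PATH_MARKERS:
        if marker.lower() in path:
            return marker
    return None


def scan_proxy_log(lines):
    """Return one hit dict per log line whose URL path carries a marker."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than crash a sweep
        ts, client, method, url, status = m.groups()
        marker = matched_marker(url)
        if marker:
            hits.append({"time": ts, "client": client, "url": url, "marker": marker})
    return hits


# Constructed sample log lines (not real traffic); hosts use reserved names.
SAMPLE_LOG = [
    "2023-12-13T09:14:02Z 10.1.4.22 GET https://login.example-retail-sso.invalid/saml2/index.html?u=jdoe 200",
    "2023-12-13T09:14:05Z 10.1.4.22 GET https://www.example.com/adls/ 200",
    "2023-12-13T09:15:11Z 10.1.7.9 GET http://cdn.example.net/Udlaps/verify.php 302",
    "2023-12-13T09:16:40Z 10.1.7.9 GET https://intranet.example.com/saml2/login 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} matched {hit['marker']}: {hit['url']}")
```

Only the two lines containing a full marker are reported; `/adls/` alone and `/saml2/login` are left out, which keeps the sweep from firing on every legitimate SAML endpoint. Hits should be pivoted into the same client's subsequent authentication events, since the report notes the stolen session tokens are used to bypass MFA.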
(published: December 14, 2023)
Kaspersky researchers have discovered a new Linux backdoor dubbed NKAbuse. This Go-based malware uses the New Kind of Network (NKN) blockchain protocol to communicate with its C2 and to perform DDoS flooding. NKAbuse supports 11 types of flooding payloads, including one that sends junk DNS requests with randomly generated subdomain names. NKAbuse primarily targets Linux desktops and has screenshot-taking and file-manipulation capabilities; at the same time, it can also infect MIPS and ARM systems, posing a threat to IoT devices. The malware has been detected in Colombia, Mexico, and Vietnam. In one incident, NKAbuse was delivered following Apache Struts2 exploitation (CVE-2017-5638) in a financial company's network.
Analyst Comment: Network defenders should keep their systems updated and monitor for suspicious blockchain traffic that is not essential for their business. Host-based indicators associated with NKAbuse are available in the Anomali platform for ongoing infections and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] Initial Access - Exploit Public-Facing Application [T1190] | [MITRE ATT&CK] Command and Control - Remote File Copy [T1105] | [MITRE ATT&CK] T1498 - Network Denial Of Service | [MITRE ATT&CK] T1053.003 - Scheduled Task/Job: Cron | [MITRE ATT&CK] Collection - Screen Capture [T1113]
Tags: malware:NKAbuse, abused:Blockchain, detection:HEUR:Backdoor.Linux.NKAbuse.a, malware-type:DDoS botnet, malware-type:RAT, malware-type:Backdoor, vulnerability:CVE-2017-5638, target-software:Apache Struts2, target-sector:Financial, target-country:MX, target-country:CO, target-country:VN, abused:NKN, language:Go, target-system:Linux
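One of the NKAbuse flooding payloads sends junk DNS queries with randomly generated subdomain names. The added example below (not Kaspersky's or Anomali's code) shows the detection logic a defender can run over resolver logs to surface that traffic shape: a single source querying many distinct, high-entropy subdomains under one parent domain. The log format (`<src_ip> <qname>` per line), the sample queries, and the thresholds are all constructed assumptions for illustration.

```python
"""Flag sources issuing many distinct random-looking subdomain queries under
one parent domain, the shape of NKAbuse's junk-DNS flood as described in the report.

Added example, not vendor code. Assumed constructed log format: "<src_ip> <qname>".
Thresholds are illustrative assumptions and should be tuned per environment.
"""
import math
import random
from collections import defaultdict


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a single DNS label."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    Assumes a two-label parent domain; public-suffix handling is out of scope.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_subdomain_floods(lines, min_unique=20, min_entropy=3.0):
    """Return sorted (src_ip, parent, unique_subdomains, mean_entropy) tuples
    for every (source, parent) pair exceeding both thresholds.

    Requiring both many unique names AND high per-label entropy separates a
    random-subdomain flood from an honest host enumerating host01..host30.
    """
    subs = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # malformed line: skip
        src, qname = parts
        sub, parent = split_qname(qname)
        if sub:
            subs[(src, parent)].add(sub)
    alerts = []
    for (src, parent), names in subs.items():
        if len(names) < min_unique:
            continue
        # Entropy of the leftmost label only, where the random part lives.
        mean_ent = sum(shannon_entropy(s.split(".")[0]) for s in names) / len(names)
        if mean_ent >= min_entropy:
            alerts.append((src, parent, len(names), round(mean_ent, 2)))
    return sorted(alerts)


def _build_sample_log():
    """Constructed DNS query log (not real data), one '<src_ip> <qname>' per line."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = []
    # Benign workstation lookups: few names, repeated.
    for name in ("www", "mail", "api", "www", "cdn"):
        lines.append(f"10.0.0.12 {name}.example.com")
    # Enumerated inventory names: many unique labels but low entropy, not a flood.
    for i in range(1, 31):
        lines.append(f"10.0.0.13 host{i:02d}.corp.example")
    # Flood: one source, 30 distinct random 20-character labels under one parent.
    for _ in range(30):
        label = "".join(rng.choices(alphabet, k=20))
        lines.append(f"10.0.0.5 {label}.target.invalid")
    lines.append("10.0.0.5 target.invalid")  # apex query, no subdomain: ignored
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, parent, count, ent in find_subdomain_floods(SAMPLE_LOG):
        print(f"{src} queried {count} random-looking subdomains of {parent} (mean entropy {ent})")
```

Only `10.0.0.5` is reported: the inventory host trips the uniqueness threshold but not the entropy one. In production the parent-domain split should use a public-suffix list, and the window should be time-bounded (per minute or per five minutes) so that a slow, legitimate crawl is not aggregated into an alert.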
(published: December 14, 2023)
The Mirai-based botnet InfectedSlurs has been identified as targeting two previously-undisclosed vulnerabilities to infect routers and NVR (Network Video Recorder) devices, including QNAP VioStor NVR devices. The latest vulnerability (CVE-2023-47565) allows command injection with a payload delivered via a POST request to the management interface. It affects QNAP VioStor NVR devices on versions 5.0.0 and earlier that are still using weak default credentials.
Analyst Comment: QNAP had previously quietly patched this vulnerability, and although it considers these devices discontinued for support, upgrading the firmware on existing QNAP VioStor NVR devices to the latest available version fixes the issue. Network defenders should ensure consistent updating of systems and always change default passwords on devices during initial setup. Manufacturers should strive for longer software support cycles and for security at setup time, such as forced password changes. YARA rules and indicators associated with InfectedSlurs are available in the Anomali platform for detection and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] Initial Access - Exploit Public-Facing Application [T1190] | [MITRE ATT&CK] T1078.001 - Valid Accounts: Default Accounts | [MITRE ATT&CK] Command and Control - Remote File Copy [T1105] | [MITRE ATT&CK] T1498 - Network Denial Of Service
Signatures: Snort Rules: FXC AE1021 & AE1021PE - CVE-2023-49897 (InfectedSlurs exploitation attempt) | InfectedSlurs 0day Exploit #2 Attempt | QNAP VioStor - CVE-2023-47565 (InfectedSlurs exploitation attempt)
YARA Rules: infected-slurs-scripts-2 | infected_slurs_bins
Tags: malware:InfectedSlurs, malware-type:Botnet, malware-type:DDoS botnet, malware:Mirai, vulnerability:CVE-2023-47565, target-system:Linux, target-system:QNAP VioStor NVR
(published: December 14, 2023)
The Rhadamanthys infostealer is a sophisticated and continuously updated malware sold on the black market. Check Point researchers analyzed its latest versions, 0.5.0 and 0.5.1, which introduced new stealing capabilities, general-purpose spying functions, and a Clipper plugin that replaces wallet addresses with the attackers' addresses. The malware uses a new plugin system, making it expandable for specific distributor needs. It targets a variety of applications, including Chrome, Firefox, and KeePass, stealing credentials and other sensitive data. It also has the ability to disable Event Tracing for Windows (ETW), run PowerShell scripts, and load .NET assemblies received from the C2.
Analyst Comment: Rhadamanthys is distributed through various channels, making it a widespread threat. All known indicators associated with its latest versions are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] Credential Access - Input Capture: Keylogging [T1056.001] | [MITRE ATT&CK] T1565 - Data Manipulation
Tags: malware:Rhadamanthys, malware-type:Infostealer, detection:InfoStealer.Wins.Rhadamanthys, file-type:BIN, file-type:DLL, target-system:Windows