Anomali Cyber Watch: Symbiote Linux Backdoor is Hard to Detect, Aoqin Dragon Comes through Fake Removable Devices, China-Sponsored Groups Proxy through Compromised Routers, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Hooking, Ransomware, Stealthiness, Vulnerabilities, and Web skimming. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat

(published: June 9, 2022)

Intezer and BlackBerry researchers described a new, previously unknown malware family dubbed Symbiote. It is a very stealthy Linux backdoor and credential stealer that has been targeting financial and other sectors in Brazil since November 2021. Symbiote is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD before any other SOs. It uses hardcoded lists to hide associated processes and files, and affects the way ldd displays lists of SOs to remove itself from it. Additionally, Symbiote uses three methods to hide its network traffic. For TCP, Symbiote hides traffic related to some high-numbered ports and/or certain IP addresses using two techniques: (1) hooking fopen and fopen64 and passing a scribbed file content for /proc/net/tcp that lists current TCP sockets, and (2) hooking extended Berkeley Packet Filter (eBPF) code to hide certain network traffic from packet capture tools. For UDP, Symbiote hooks two libpcap functions filtering out packets containing certain domains and fixing the packet count. All these evasion measures can lead to Symbiote being hidden during a live forensic investigation.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous DNS requests associated with Symbiote exfiltration attempts. Security solutions could be deployed as statically linked executables so they don’t expose themselves to this kind of compromise by calling for additional libraries.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Data Staged - T1074
Tags: Symbiote, target-region:Latin America, Brazil, target-country:BR, Financial, Linux, Berkeley Packet Filter, eBPF, LD_PRELOAD, Exfiltration over DNS, dnscat2

Alert (AA22-158A). People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

(published: June 8, 2022)

Several US federal agencies issued a special Cybersecurity Advisory regarding China-sponsored activities concentrating on two aspects: compromise of unpatched network devices and threats to IT and telecom. Attackers compromise unpatched network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, to serve as “hop points” to obfuscate their China-based IP addresses in preparation and during the next intrusion. Similarly, routers in IT and Telecom companies are targeted for initial access by China-sponsored groups, this time using open-source router specific software frameworks, RouterSploit and RouterScan.
Analyst Comment: When planning your company update strategy and automation, do not leave out network devices. Disable unused or unnecessary network services, ports, protocols, and devices.
MITRE ATT&CK: [MITRE ATT&CK] External Remote Services - T1133 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Automated Collection - T1119 | [MITRE ATT&CK] Automated Exfiltration - T1020 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] System Network Configuration Discovery - T1016
Tags: China, APT, SOHO, NAS, IT, Telecom, RouterSploit, RouterScan, CVE-2018-0171, CVE-2018-14847, CVE-2021-22893, CVE-2018-13382, CVE-2019-19781, CVE-2019-1652, CVE-2020-8515, CVE-2019-11510, CVE-2019-7192, CVE-2019-7193, CVE-2019-7194, CVE-2019-7195, CVE-2019-16920, CVE-2017-6862, CVE-2019-15271, CVE-2020-29583, Cisco, Citrix, DrayTek, D-Link, Fortinet, MikroTik, Netgear, Pulse, QNAP, Zyxel

MakeMoney Malvertising Campaign Adds Fake Update Template

(published: June 8, 2022)

MakeMoney malvertising campaign has been active since December 2019. Through the years it was mostly engaging in drive-by exploits via RIG exploit kit (EK), although it was also observed serving Fallout EK in a 2020 campaign. The final payload was typically some kind of infostealer malware such as RedLine or KPOT. In 2022, Malwarebytes researchers detected a change in tactic with MakeMoney displaying a fake update to trick users into activating a loader leading to the BrowserAssistant adware infection.
Analyst Comment: Network defenders should block the known MakeMoney infrastructure as the group was often reusing the same servers. Users should be advised to keep their systems updated through official channels while not activating fake update warnings displayed by random websites.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: MakeMoney, BrowserAssistant, Malvertising, RIG, Exploit kit, Fallout, KPOT, RedLine, Infostealer, Fake update, Adware, Malvertising gates

FakeCrack: Crypto Stealing Campaign Spread via Fake Cracked Software

(published: June 8, 2022)

Avast researchers analyzed a newly emerged campaign dubbed FakeCrack that targets users with fake “free” versions of CCleaner, Microsoft Office, and Movavi Video Editor. FakeCrack successfully uses Black SEO mechanisms to have the highest positions in search engine results. A user being redirected twice, downloads and activates a malicious password-protected archive. The final payload is infostealer, with additional persistent scripts targeting cryptocurrency. One script has 37 different wallets for various cryptocurrencies to replace detected wallets in the clipboard. Another one is the proxy auto-configuration (PAC) script that redirects traffic from Binance, Huobi, and OKX cryptomarkets to the attacker-controlled IP address.
Analyst Comment: Users should be educated on the cyber-risks of downloading cracked software. If you suspect you were compromised by this campaign, remove malicious proxy settings by removing AutoConfigURL registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Man-in-the-Middle - T1557
Tags: FakeCrack, Fake software, Black SEO, Infostealer, Proxy Autoconfiguration Script, Cryptocurrency, Clipboard changer, Brazil, target-country:BR, India, target-country:IN, Indonesia, target-country:ID, France, target-country:FR

Cuba Ransomware Group’s New Variant Found Using Optimized Infection Techniques

(published: June 8, 2022)

The Cuba ransomware was first seen in February 2020 and grew big enough in 2021 to be described in a special warning notice from the FBI. In 2021, Cuba was seen distributed by the Hancitor malware, in March-April 2022, it was dropped by the BugHatch downloader. The latest Cuba variant was first spotted in late April 2022 targeting organizations in Asia. This Cuba variant refined its work by expanding directory and file extension safelists. It also added a double-extortion threat and communication with victims via qTox messenger.
Analyst Comment: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: Cuba ransomware, Cuba, Ransomware, Malware evolution, Asia, target-region:Asia, BugHatch, qTox, Tox protocol

Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer

(published: June 8, 2022)

Follina (CVE-2022-30190) is a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that became public on May 27, 2022. It affects all supported visions of Windows. Symantec researchers detected multiple attackers exploiting Follina in the wild to deliver various payloads including, downloaders, infostealers, and remote access trojan AsyncRAT. During a typical Follina exploitation attack, a malicious Word or RTF document loads a malicious HTML file through the remote template feature then allowing the attacker to load and execute PowerShell code.
Analyst Comment: Beware that Follina mitigations do not work in all contexts where MSDT is used, network administrators should be ready to apply the security fixes as soon as they become available from Microsoft.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Template Injection - T1221
Tags: Follina, CVE-2022-30190, MSDT, Windows, RCE, Vulnerability, RAT, PowerShell, HTML, RTF, Infostealer, AsyncRAT

Aoqin Dragon | Newly-Discovered Chinese-Linked APT Has Been Quietly Spying On Organizations For 10 Years

(published: June 8, 2022)

Sentinel Labs researchers discovered a China-sponsored group dubbed Aoqin Dragon. The group was active since 2013 targeting education, government, and telecommunication organizations in Australia and Southeast Asia (Cambodia, Hong Kong, Singapore, and Vietnam). Aoqin Dragon infection strategy was changing over years from weaponized Word documents to fake anti-viruses, to fake removable devices. The final payload for this cyberespionage campaign is delivering either the Mongall custom backdoor, or a modified Heyoka backdoor that uses spoofed DNS requests to create a bidirectional tunnel.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated to report security incidents such as suspected spearphishing and unwarranted applications on their devices.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Replication Through Removable Media - T1091 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Exploitation for Defense Evasion - T1211 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Non-Standard Port - T1571 | [MITRE ATT&CK] Data Encoding - T1132
Tags: Aoqin Dragon, Mongall, Heyoka, Upan, China, source-country:CN, APT, USB, Australia, target-country:AU, Cambodia, Hong Kong, Singapore, Vietnam, Education, Government, Telecommunication, Cyberespionage, Themida, DNS tunneling

It Takes 2 Seconds of Silence to Skim a Credit Card

(published: June 7, 2022)

Sucuri researchers found a new injection method when investigating a Magento website compromised with a web skimmer. The malicious JavaScript payload was concealed within an Audio tag, using the Onloadstart event handler to trigger the loading. The audio file itself was a benign 2 seconds of silence, and if the malicious link to the payload is opened directly by a researcher without the audio context, it will not reveal its true content.
Analyst Comment: Keep your website components and core content management system (CMS) files updated. Regularly review all admin accounts and follow the principle of least privilege. Employ unique and complex passwords for every admin account.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190
Tags: Web skimmer, Audio tag, Web injection, Credit card data, Magento, CMS, JavaScript

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.

Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to an authentication bypass vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway.


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.