Blog

Anomali Cyber Watch: TA4903 Spoofs U.S. Agencies for BEC, Malicious Script Hijacks Browsers to Conduct WordPress Brute Force, and More

Anomali Threat Research
March 11, 2024
Table of contents

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Backdoors, Drainers, Phishing, RATs, Tunelling, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Image


Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities

(published: March 8, 2024)

Since at least January 2022, a financially motivated threat actor dubbed Magnet Goblin has been quickly adopting and leveraging one-day vulnerabilities in public-facing services as an initial infection vector. According to Check Point, the actor has targeted Ivanti, Magento, Qlik Sense, and possibly Apache ActiveMQ. The analysis revealed a novel Linux version of a malware called NerbianRAT, in addition to WARPWIRE, a JavaScript credential stealer, and Ligolo, an open-source tunneling tool written in Golang. The actor’s arsenal also includes MiniNerbian, a small Linux backdoor, and remote monitoring and management (RMM) tools for Windows like ScreenConnect and AnyDesk. The exact attribution for Magnet Goblin is unclear, but some researchers have linked its activities to Cactus ransomware intrusions.
Analyst Comment: In one case of Ivanti Connect Secure VPN (CVE-2024-21887), Magnet Goblin was able to start exploiting as fast as within one day after a proof-of-concept for it was published. It outlines the need for patch management and immediate reaction to security vulnerability disclosures. All known indicators associated with Magnet Goblin are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Initial Access - Exploit Public-Facing Application [T1190] | [MITRE ATT&CK] T1572 - Protocol Tunneling | [MITRE ATT&CK] T1497 - Virtualization/Sandbox Evasion | [MITRE ATT&CK] Collection - Screen Capture [T1113] | [MITRE ATT&CK] T1125 - Video Capture | [MITRE ATT&CK] Command and Control - Remote Access Software [T1219]
Tags: actor:Magnet-Goblin, malware:NerbianRAT, detection:Trojan:Linux/Nerbian, malware:MiniNerbian, malware-type:RAT, malware:WARPWIRE, language:JavaScript, malware-type:Credential-stealer, malware:Ligolo, language:Go, malware-type:Tunneling, target-software:Magento, vulnerability:CVE-2022-24086, target-software:Qlik-Sense, vulnerability:CVE-2023-41265, vulnerability:CVE-2023-41266, vulnerability:CVE-2023-48365, target-software:Ivanti-Connect-Secure, vulnerability:CVE-2023-46805, vulnerability:CVE-2024-21887, vulnerability:CVE-2024-21888, vulnerability:CVE-2024-21893, exploit-type:1-day, tool:ScreenConnect, tool:AnyDesk, file-type:ELF, target-system:Windows, target-system:Linux

TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids

(published: March 6, 2024)

A financially-motivated threat actor dubbed TA4903 has been active with credential phishing and business email compromise (BEC) activities since at least 2019. Since December 2021, the actor has impersonated various U.S. government entities to deceive targets into opening malicious files, including the Department of Agriculture (2023), Department of Commerce (2022), Department of Housing and Urban Development (2022), Department of Labor (2021 and 2024), and Department of Transportation (2022). TA4903 has increased its activity and variety of spoofing since mid-2023, targeting organizations in construction, finance, healthcare, food and beverage, and other sectors. Its phishing emails contain links or attachments with a link and/or QR codes in PDF document attachments. A common landing page is an impersonated Microsoft O365 credential-phishing page. For some period in 2023, TA4903 was using EvilProxy, a reverse proxy multifactor authentication bypass toolkit. A Proofpoint honeypot demonstrated the use of phished credentials to log in and search email history for keywords such as “bank information,” “payment,” and “merchant.” This gives the actor access to existing threads to conduct BEC activities such as invoice fraud or payroll redirect using thread hijacking techniques.
Analyst Comment: Phishing education training should bring awareness that attackers may impersonate your regulators, suppliers, and utilize stolen email chains. Organizations are invited to use Anomali Premium Digital Risk Protection to discover impersonation attacks involving your brand. Indicators associated with TA4903 campaigns are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1598.002 - Phishing for Information: Spearphishing Attachment | [MITRE ATT&CK] T1598.003 - Phishing for Information: Spearphishing Link | [MITRE ATT&CK] T1114.002 - Email Collection: Remote Email Collection | [MITRE ATT&CK] Privilege Escalation - Valid Accounts [T1078]
Tags: actor:TA4903, target-country:US, technique:Credential phishing, technique:BEC, technique:Thread-hijacking, malware:EvilProxy, abused:QR-code, actor:Edward-Ambakederemo, target-industry:Construction, target-industry:Finance, target-industry:Food, target-industry:Healthcare, target-identity:Microsoft-O365-user

Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence

(published: March 6, 2024)

Researchers at Cado Security discovered a new campaign exploiting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware. The malware automates the discovery and compromise of hosts, exploiting configuration weaknesses and previously-disclosed vulnerabilities such as CVE-2022-26134 in Atlassian Confluence. The actor added the ability to spawn a Docker container and escape from it onto the underlying host. The actor uses multiple shell scripts and common Linux attack techniques to install a cryptocurrency miner, establish persistence, and set up the open-source Platypus reverse shell. User-mode rootkits help to hide malicious processes.
Analyst Comment: This campaign highlights the lengths to which the actor goes to exploit servers that are misconfigured or have not been updated with recent security patches. Organizations should adhere to vulnerability and patch management, particularly on systems and services exposed to the Internet. All known indicators associated with this campaign are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1014 - Rootkit | [MITRE ATT&CK] Initial Access - Exploit Public-Facing Application [T1190] | [MITRE ATT&CK] Command and Control - Standard Application Layer Protocol [T1071] | [MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] T1053.003 - Scheduled Task/Job: Cron
Tags: campaign:Spinning-YARN, target-software:Docker, target-software:Apache-Hadoop, target-software:Redis, target-software:Confluence, vulnerability:CVE-2022-26134, exploit-type:RCE, malware:Platypus, malware-type:Reverse-shell, open-port:80, open-port:2375, open-port:6379, open-port:8088, open-port:8090, target-system:Linux

From Web3 Drainer to Distributed WordPress Brute Force Attack

(published: March 5, 2024)

Sucuri researchers discovered an unnamed threat actor known for breaching sites to inject crypto-wallet drainer scripts. These scripts steal all cryptocurrency and assets when someone connects their wallet. The threat actor has now shifted from draining wallets to hijacking visitors' browsers to conduct brute force attacks on other WordPress sites. The actor compromises a WordPress site to inject malicious code into the HTML templates, which then force visitors' browsers to conduct brute force attacks to obtain account credentials on other websites. BleepingComputer reports that over 1,700 sites have been compromised with these scripts, creating a large pool of users who will be unwittingly conscripted into this distributed brute-force army.
Analyst Comment: All known network indicators associated with this campaign are available in the Anomali platform, and customers are advised to block them on their infrastructure. Website administrators should strive to follow good password policies and avoid short commonly used passwords.
MITRE ATT&CK: [MITRE ATT&CK] T1110.003 - Brute Force: Password Spraying | [MITRE ATT&CK] T1584 - Compromise Infrastructure | [MITRE ATT&CK] T1594 - Search Victim-Owned Websites
Tags: technique:Brute-force, technique:Password-spraying, malware-type:Drainer, target-industry:Cryptocurrency, target-software:WordPress, file-type:PHP, file-type:JS

WogRAT Malware Exploits aNotepad (Windows, Linux)

(published: March 5, 2024)

A new malware named WogRAT, which targets both Windows and Linux systems, has been discovered by ASEC researchers. The malware abuses an online notepad platform, aNotepad, to store and retrieve malicious code. The malware has been active since late 2022, primarily targeting Asian countries such as China, Hong Kong, Japan, and Singapore. The distribution methods are unknown, but the Windows version likely spreads by disguising payloads as legitimate utility tools. The malware sends a basic profile of the infected system to the command and control (C2) server and receives commands for execution. The Linux version of WogRAT shares many similarities with the Windows variant but distinguishes itself by utilizing Tiny Shell for routing operations and additional encryption in its communication with the C2.
Analyst Comment: Users should avoid downloading applications, even if they appear legitimate, from third-party stores and file-sharing sites. All known indicators associated with WogRAT campaigns are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] Discovery - System Network Configuration Discovery [T1016] | [MITRE ATT&CK] T1573.001 - Encrypted Channel: Symmetric Cryptography | [MITRE ATT&CK] Exfiltration - Exfiltration Over C2 Channel [T1041]
Tags: malware:WogRAT, detection:Downloader/Win.WogRAT, malware-type:Downloader, detection:Backdoor/Win.WogRAT, malware:WingsOfGod, malware-type:Backdoor, language:.NET, detection:Backdoor/Linux.TinySHell, malware:Tiny-Shell, target-region:Asia, target-country:CN, target-country:JP, target-country:HK, target-country:SG, abused:aNotepad, file-type:DLL, file-type:EXE, file-type:PE, target-system:Windows, file-type:ELF, target-system:Linux

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.