June 15, 2021
Anomali Threat Research

Anomali Cyber Watch: TeamTNT Expand Its Cryptojacking Footprint, PuzzleMaker Attack with Chrome Zero-day, NoxPlayer Supply-Chain Attack Likely The Work of Gelsemium Hackers and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b>BackdoorDiplomacy, Gelsemium, Gootkit, Siloscape, TeamTNT, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/fJecBYACS4OUEMkGDdUr"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://thehackernews.com/2021/06/noxplayer-supply-chain-attack-is-likely.html?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Cyber+Security+Blog%29" target="_blank">NoxPlayer Supply-Chain Attack is Likely The Work of Gelsemium Hackers</a></h3> <p>(published: June 14, 2021)</p> <p>ESET researchers have discovered malicious activity dating back to at least 2014 attributed to the Gelsemium cyberespionage group. The group targets electronics manufacturers, governments, religious entities in multiple countries throughout East Asia and the Middle East. Gelsemium demonstrated sophistication in their infection chain with extensive configurations, multiple implants at each stage, and modifying settings on-the-fly for delivering the final payload. The dropper, called Gelsemine, will drop a loader called Gelsenicine that will deliver the final payload, called Gelsevirine.<br/> <b>Analyst Comment:</b> Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139" target="_blank">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> Cyberespionage, Gelsemium, Supply Chain</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank">BackdoorDiplomacy: upgrading from Quarian to Turian</a></h3> <p>(published: June 10, 2021)</p> <p>A new advanced persistent threat (APT) group, dubbed BackdoorDiplomacy, has been targeting ministries of foreign affairs (MOFAs) and telecommunication companies located in Africa and the Middle East since at least 2017, according to ESET researchers. The group was observed targeting “vulnerable internet-exposed devices such as web servers and management interfaces for networking equipment.” BackdoorDiplomacy’s objective is to access a system, use pentesting tools for lateral movement, and install a custom backdoor called “Turian,” which is based on the Quarian backdoor.<br/> <b>Analyst Comment:</b> It is important that your company has patch-maintenance policies in place, particularly if there are numerous internet-facing services your company uses or provides. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947100" target="_blank">[MITRE ATT&amp;CK] Data from Removable Media - T1025</a> | <a href="https://ui.threatstream.com/ttp/947209" target="_blank">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a><br/> <b>Tags:</b> BackdoorDiplomacy, APT, cyberespionage, Africa, Middle East, Turian, Quarian</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://unit42.paloaltonetworks.com/prometheus-ransomware/" target="_blank">Prometheus Ransomware Gang: A Group of REvil?</a></h3> <p>(published: June 9, 2021)</p> <p>Unit 42 researchers have discovered a new ransomware threat group called Prometheus. The group uses a “personalized” version of the Thanos ransomware and claims to have breached 30 organizations in multiple industries in countries around the world. Interestingly, Prometheus claims to be associated with another ransomware threat group called REvil, however, there is no evidence to support this assertion. Initial access to a target is still unknown, but once the group’s ransomware has encrypted files a ransom note will appear and demand funds within a certain timeframe or the cost will increase.<br/> <b>Analyst Comment:</b> Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3297596" target="_blank">[MITRE ATT&amp;CK] Software Discovery - T1518</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Ransomware threat group, Prometheus</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://unit42.paloaltonetworks.com/teamtnt-cryptojacking-watchdog-operations/" target="_blank">TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint</a></h3> <p>(published: June 8, 2021)</p> <p>The cryptojacking threat group, TeamTNT, is actively copying tactics, techniques, and procedures (TTPs) of another cryptojacking threat group called WatchDog, according to Unit 42 researchers. The scripts currently being used by TeamTNT were likely created by the group mimic WatchDog’s behaviors, utilize open source malware repos, and lack distinguishing characteristics previously associated to TeamTNT. This is interesting because the more complex nature of TeamTNT operations is gone, which may indicate that the group is practicing how to disguise its behavior to masquerade as other groups.<br/> <b>Analyst Comment:</b> In this interesting turn of events, we find one threat group imitating another in a way that is less advanced. We can observe that knowing how threat groups operate can be a good part of the mitigation process because sometimes other actors will imitate TTPs for various motivations.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402525" target="_blank">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a> | <a href="https://ui.threatstream.com/ttp/947126" target="_blank">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a><br/> <b>Tags:</b> Cryptojacking, cryptocurrency, TeamTNT</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/" target="_blank">PuzzleMaker Attacks with Chrome Zero-day Exploit Chain</a></h3> <p>(published: June 8, 2021)</p> <p>Kaspersky researchers have identified a targeted campaign against unnamed companies, dubbed PuzzleMaker, that took place on April 14-15, 2021. The unnamed or unknown threat actors exploited zero-day vulnerabilities affecting Google Chrome and Microsoft Windows. The actors were able to conduct malicious activity through malware modules including at least the following capabilities: stage, dropper, service, remote shell. While researchers were not able to get the full JavaScript remote code execution exploit code for the Chrome exploit, the Windows vulnerabilities, registered as CVE-2021-31955 and CVE-2021-31956 have been issued patches by Microsoft.<br/> <b>Analyst Comment:</b> Some threat actors go to great lengths to create sophisticated exploits and malware for targeted attacks. However, sometimes proof-of-concept code for exploits exist on open source locations and quickly incorporated by actors in the timeframe prior to and post patch release. Ensure that your company has a patch policy in place to react quickly to sudden vulnerabilities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> PuzzleMaker attacks, Chrome, Windows, RCE, CVE-2021-31955, CVE-2021-31956</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.crowdstrike.com/blog/how-ecrime-groups-leverage-sonicwall-vulnerability-cve-2019-7481/" target="_blank">Another Brick in the Wall: eCrime Groups Leverage SonicWall VPN Vulnerability</a></h3> <p>(published: June 8, 2021)</p> <p>Threat actors motivated by ecommerce crime (eCrime) are actively exploiting a SonicWall VPN vulnerability, registered as CVE-2019-7481, according to Crowdstrike researchers. The vulnerability affects the Secure Remote Access (SRA) 4600 devices on the latest firmware versions 8x and 9x. The attacks exploiting this vulnerability are being conducted by big game hunting ransomware actors.<br/> <b>Analyst Comment:</b> Threat actors will often attempt to exploit old vulnerabilities that already have patches (SonicWall advisory located here) because there is a lot of open source information on said vulnerability. This makes it easier to use an exploit for the vulnerability because proof-of-concept code is likely available and ready to be weaponized. In addition, applying patches can sometimes cause disruption among software used by an organization. Therefore, having patch policies and business continuity plans in place are crucial in maintaining a good security posture.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a><br/> <b>Tags:</b> SonicWall VPN vulnerability, CVE-2019-7481, CVE-2021-20016</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://unit42.paloaltonetworks.com/siloscape/" target="_blank">Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments</a></h3> <p>(published: June 7, 2021)</p> <p>A new malware called “Siloscape” was found to be targeting Kubernetes clusters through Windows containers. The malware is heavily obfuscated and likely uses known vulnerabilities to gain initial access to a cloud application, such as a web server. Next Siloscape can escape from a Windows container node in Kubernetes via CVE-2021-24096 to the host machine. The malware will use the nodes credentials to propagate through a cluster, connect to a command and control server through IRC protocol over Tor, and lastly wait for additional commands.<br/> <b>Analyst Comment:</b> Your company should have protocols in place to ensure that all cloud storage systems are properly configured and patched. Cloud applications are too often misconfigured or vulnerable, and threat actors realize there is potential for malicious activity if the buckets are targeted. Apply patches as soon as possible to avoid potential malicious activity as other threat actors adopt different malicious techniques conducted by others.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a><br/> <b>Tags:</b> Windows Server containers, Kubernetes, Vulnerability, CVE-2021-24096, Siloscape</p> </div> <div class="trending-threat-article"> <h3 id="article-8"><a href="https://securelist.com/gootkit-the-cautious-trojan/102731/" target="_blank">Gootkit: The Cautious Trojan</a></h3> <p>(published: June 7, 2021)</p> <p>Threat actors utilizing the well-known Gootkit banking trojan, which dates back to 2014, have added a new packer to the malware’s loader component. Gootkit is a modular trojan that has undergone numerous changes and updates over the years, however, it’s primary objective is usually data theft. The trojan is packed with numerous capabilities such as: keylogging, man-in-the-browser attacks, stealing browser data, and taking screenshots, among others.<br/> <b>Analyst Comment:</b> Threat actors deliver malware in numerous ways and will consistently update their TTPs to make analysis and discovery more difficult. Educate your employees on the methods actors use to distribute malware: compromised websites, malicious files, phishing, spearphishing, and vulnerability exploitation, among others.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a><br/> <b>Tags:</b> Infostealer, Trojan, Spyware, Gootkit</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.