Anomali Cyber Watch: Time-to-Ransom Under Four Hours, Mustang Panda Spies on Russia, Ricochet Chollima Sends Goldbackdoor to Journalists, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Cyberespionage, LNK files, Malspam, North Korea, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

A Lookback Under the TA410 Umbrella: Its Cyberespionage TTPs and Activity

(published: April 28, 2022)

ESET researchers found three different teams under China-sponsored umbrella cyberespionage group TA410, which is loosely linked to Stone Panda (APT10, Chinese Ministry of State Security). ESET named these teams FlowingFrog, JollyFrog, and LookingFrog. FlowingFrog uses the Royal Road RTF weaponizer described by Anomali in 2019. Infection has two stages: the Tendyron implant followed by a very complex FlowCloud backdoor. JollyFrog uses generic malware such as PlugX and QuasarRAT. LookingFrog’s infection stages feature the X4 backdoor followed by the LookBack backdoor. Besides using different backdoors and exiting from IP addresses located in three different districts, the three teams use similar tools and similar tactics, techniques, and procedures (TTPs).
Analyst Comment: Organizations should keep their web-facing applications such as Microsoft Exchange or SharePoint secured and updated. Educate your employees on handling suspected spearphishing attempts. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Native API - T1106 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Inter-Process Communication - T1559 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Application Window Discovery - T1010 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Peripheral Device Discovery - T1120 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Query Registry - T1012 | [MITRE ATT&CK] Clipboard Data - T1115 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Video Capture - T1125 | [MITRE ATT&CK] Audio Capture - T1123 | [MITRE ATT&CK] Automated Collection - T1119 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Data from Removable Media - T1025 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] Data Transfer Size Limits - T1030 | [MITRE ATT&CK] System Shutdown/Reboot - T1529
Tags: TA410, FlowingFrog, LookingFrog, JollyFrog, FlowCloud, China, source-country:CN, Mustang Panda, APT10, Tendyron, X4 backdoor, Lookback, Korplug, PlugX, QuasarRAT, Royal Road, Asia, Middle East, EU, Government, Military, Education

BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX

(published: April 27, 2022)

Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President) targeting Russia. They found overlapping infrastructure previously used by the same advanced persistent threat (APT) group. In the last two years, Mustang Panda switched its targeting from Southeast Asia to Europe, and now to Russia. The latest attack starts with the threat actors somehow delivering a Windows executable file that has a Russian-language name and masquerades as a PDF file. It is heavily obfuscated and, upon user execution, downloads four files from a staging server: a decoy, a legitimate but vulnerable signed executable, a malicious DLL, and the PlugX payload.
Analyst Comment: Suspicious attachments and unwarranted files from the Internet should be reported to the system administrator and investigated. Report abnormal file behavior, such as an opened attachment whose content doesn’t match its filename and/or email context. Administrators should focus on detecting and blocking masquerading executable attachments.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow - T1574 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059
Tags: Bronze President, Mustang Panda, PlugX, DLL search order hijacking, APT, Government, Military, Russia, China, source-country:CN, Russia, target-country:RU, EU, target-region:EU
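
One way to automate the content-versus-filename check from the analyst comment above, as an added example that is not code from Secureworks or Anomali: it classifies an attachment by its leading bytes and compares the result with the extension the name claims. The function names, reason codes, and sample files are constructed for illustration.

```python
import struct
from pathlib import PurePosixPath

# Shell Link header: HeaderSize 0x4C followed by the fixed LinkCLSID.
LNK_HEADER = bytes.fromhex("4c0000000114020000000000c000000000000046")
OLE_HEADER = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .doc/.xls container

# Content types each claimed extension is allowed to carry.
EXPECTED = {".pdf": {"pdf"}, ".doc": {"ole"}, ".docx": {"zip"},
            ".zip": {"zip"}, ".exe": {"pe"}, ".dll": {"pe"}, ".lnk": {"lnk"}}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx"}
ACTIVE_TYPES = {"pe", "lnk"}   # content that runs when double-clicked


def sniff_type(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_offset,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_offset:pe_offset + 4] == b"PE\0\0":
            return "pe"
    if data[:20] == LNK_HEADER:
        return "lnk"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == OLE_HEADER:
        return "ole"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> list:
    """Return reason codes; an empty list means name and content agree."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    actual = sniff_type(data)
    reasons = []
    if claimed in EXPECTED and actual not in EXPECTED[claimed]:
        reasons.append(f"type-mismatch:{claimed}->{actual}")
    if actual in ACTIVE_TYPES and any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
        reasons.append("double-extension")
    return reasons


# Constructed samples: a minimal MZ/PE stub and a bare PDF header, not real files.
PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
PDF_STUB = b"%PDF-1.7\n% constructed sample\n"

if __name__ == "__main__":
    for name, blob in [("Документ.pdf", PE_STUB), ("report.pdf.exe", PE_STUB),
                       ("paper.pdf", PDF_STUB)]:
        print(name, check_attachment(name, blob))
```

An executable that keeps its `.exe` extension and only borrows a PDF icon passes this check, so it complements, rather than replaces, blocking executable attachments outright.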

Stonefly: North Korea-linked Spying Operation Continues to Hit High-Value Targets

(published: April 27, 2022)

Symantec researchers describe 2022 cyberespionage efforts by DarkSeoul (Stonefly, Silent Chollima), a North Korea-sponsored group first detected in 2009. The attackers breached an engineering organization working in the energy and military sectors by exploiting the Log4j2 (CVE-2021-44228) vulnerability on a public-facing VMware View server. During the attack, they relied on their updated custom backdoor Preft, a custom infostealer, and a number of open-source tools: 3proxy tiny proxy server, Invoke-TheHash, Mimikatz, PuTTY, and WinSCP. Preft works in four stages: the main Python script (Stage 1) unpacks two shellcode scripts and the payload; the first shellcode script (Stage 2) starts Internet Explorer and injects the second shellcode (Stage 3) into it; and the final payload (Stage 4) acts as an HTTP remote access tool (RAT).
Analyst Comment: Organizations should consider blocking certain open-source tools, scanners, and remote administration tools in their environments. Keep your systems updated, segregate your networks, and limit accessibility of your servers from the Internet.
MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] Proxy - T1090 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol - T1048 | [MITRE ATT&CK] Use Alternate Authentication Material - T1550 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Data Staged - T1074 | [MITRE ATT&CK] Data from Local System - T1005
Tags: Stonefly, DarkSeoul, BlackMine, Operation Troy, Silent Chollima, APT, North Korea, source-country:KP, Energy, Military, Engineering, VMware View, Backdoor.Preft, 3proxy tiny proxy server, WinSCP, Invoke-TheHash, PuTTy, Mimikatz, Log4j, CVE-2021-44228

New Black Basta Ransomware Springs into Action with a Dozen Breaches

(published: April 27, 2022)

The Black Basta ransomware group first appeared in the second week of April 2022 and has since breached at least twelve companies. One notable example is the attack on the US-based American Dental Association (ADA): Black Basta started leaking ADA’s data but then withdrew it, likely due to ransom negotiations. Black Basta shows signs of being an experienced ransomware group that went through rebranding. MalwareHunterTeam and other researchers assess with medium confidence that Black Basta is a rebrand of Conti ransomware that is operated by the threat group Wizard Spider.
Analyst Comment: As with other forms of cyber-attacks, it is crucial that organizations ensure that their systems are secure and protected. This includes patch management, enhanced security systems and practices, regular backups, and effective solutions to security problems. Policies should be updated to include how to address these double-ransom attacks.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Black Basta, Conti ransomware, Conti, Wizard Spider, American Dental Association, USA, target-country:US

VMware Identity Manager Attack: New Backdoor Discovered

(published: April 25, 2022)

On April 6, 2022, VMware addressed a number of vulnerabilities, including a remote code execution (RCE) vulnerability in VMware Workspace ONE Access (formerly VMware Identity Manager) (CVE-2022-22957). On April 11, a proof-of-concept for this RCE was published, and on April 13 it started to be exploited in the wild. Morphisec researchers detected exploitation to launch reverse HTTPS backdoors, mainly Cobalt Strike, Core Impact, or Metasploit payloads. Core Impact is a penetration testing tool developed by Core Security and abused by the attackers. The attack flow includes exploitation to deploy a PowerShell stager, which downloads a large, highly obfuscated PowerShell script identified as the PowerTrash Loader. The loader decompresses the deflated payload, a Core Security Agent, and reflectively loads it in memory.
Analyst Comment: Organizations using VMware’s identity access management products should immediately apply the VMware patches or consider virtual patching. Make sure your affected identity access management components are not accidentally exposed to the Internet.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Ingress Tool Transfer - T1105
Tags: Core Impact, Cobalt Strike, PowerTrash Loader, Powershell, Metasploit, CVE-2022-22958, CVE-2022-22954, CVE-2022-22957, VMware, Workspace ONE Access, VMware Identity Manager

Emotet Malware Infects Users Again after Fixing Broken Installer

(published: April 25, 2022)

Threat group Mummy Spider adopted a new way to deliver Emotet, its modular stealer-downloader. The first wave of malspam could not infect due to a file-referencing error in the LNK dropper code, but Mummy Spider fixed it by April 25, 2022. This new malspam campaign includes password-protected ZIP archive attachments containing Windows shortcut (LNK) droppers masquerading as Microsoft Word documents. After the user executes the LNK dropper, it finds a string in itself, copies the remainder into a Visual Basic Script (VBS) file and executes it.
Analyst Comment: Defenders are advised against allowing .LNK files in incoming email attachments or password-protected archives. Block .VBS executions out of temporary folders. Encourage your users to report unwarranted suspicious emails, especially those with password-protected archives, to the sysadmin instead of clicking through them.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: Mummy Spider, Emotet, Epoch4, LNK, VBS, Cobalt Strike, Phishing, Malspam, USA, target-country:US
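
A mail-gateway check that applies the analyst comment above to ZIP attachments, as an added example that is not code from Anomali or the original report: it relies on the fact that standard ZIP encryption protects member contents but not the member names and flags in the central directory, so a password-protected archive can still be screened for LNK or VBS members without the password. The function names, verdict strings, and the sample archive are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

BLOCKED_EXTS = {".lnk", ".vbs"}            # types the analyst comment singles out
DECOY_EXTS = {".doc", ".docx", ".pdf"}     # document types a dropper may imitate
ENCRYPTED_FLAG = 0x1                       # bit 0 of the general-purpose flag field


def triage_zip(data: bytes) -> dict:
    """List risky members of a ZIP attachment from its central directory only."""
    findings = {"encrypted": [], "blocked": [], "double_ext": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if info.flag_bits & ENCRYPTED_FLAG:
                findings["encrypted"].append(info.filename)
            if suffixes and suffixes[-1] in BLOCKED_EXTS:
                findings["blocked"].append(info.filename)
                if len(suffixes) > 1 and suffixes[-2] in DECOY_EXTS:
                    findings["double_ext"].append(info.filename)
    return findings


def verdict(findings: dict) -> str:
    if findings["blocked"]:
        return "quarantine"
    if findings["encrypted"]:
        return "hold-for-review"    # contents cannot be scanned without the password
    return "deliver"


def build_sample(names, encrypted=False) -> bytes:
    """Constructed archive for testing; sets the flag bit without real encryption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    data = bytearray(buf.getvalue())
    pos = data.find(b"PK\x01\x02") if encrypted else -1
    while pos != -1:
        data[pos + 8] |= ENCRYPTED_FLAG    # flag field of a central-directory entry
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample(["form.doc.lnk", "readme.txt"], encrypted=True)
    result = triage_zip(sample)
    print(result, verdict(result))
```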

North Korean Hackers Targeting Journalists with Novel Malware

(published: April 25, 2022)

Stairwell researchers describe a multi-stage spearphishing attack on NK News, a US-based news outlet covering North Korea. The attack is attributed to North Korea-sponsored group APT37 (Ricochet Chollima, ScarCruft). Prior to the attack, APT37 compromised the computer of a former South Korean intelligence official, stole his past email correspondence with the NK News founder, and registered a similar-looking email address. They also typosquatted the NK News domain by registering it under the .US top-level domain (TLD) instead of .COM. The infection chain included the user extracting and executing an attached LNK file, which led to PowerShell and shellcode scripts executing sequentially and downloading additional malware by abusing the Microsoft OneDrive and Google Drive file storage services. The final payload, Goldbackdoor, shares code similarities with Bluelight malware attributed to APT37 by Volexity in August 2021.
Analyst Comment: Have offline antivirus capabilities available as APT37 pad their malicious attachments to make them too large for online analysis. Some foreign spearphishing attempts could be identified by minor inconsistencies in grammar or even cultural settings. In the described case, the target became suspicious of the request for help getting a book published in the US, something not so complicated.
MITRE ATT&CK: [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Data from Local System - T1005 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Input Capture - T1056
Tags: Goldbackdoor, Gold-backdoor, Bluelight, LNK, PowerShell, Fantasy, APT37, Ricochet Chollima, ScarCruft, Chinotto, Windows, Government, USA, target-country:US, North Korea, source-country:KP, Journalists, Mass media

Quantum Ransomware

(published: April 25, 2022)

Researchers with The DFIR Report detail a March 2022 domain-wide ransomware attack with an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes. The first stage of the attack saw a user in the organization clicking a phishing ISO attachment and executing the embedded LNK file, resulting in the IcedID infection. The actors gathered system and network information and created a scheduled task for IcedID persistence. During the second hour of the attack, they created a cmd.exe process and injected Cobalt Strike into it, then proceeded with domain and network discovery and stole credentials from LSASS memory. During the third hour, the attackers used stolen credentials to remotely access (via RDP) one of the organization’s servers, deploy Cobalt Strike on it on the second attempt, and move laterally to other Domain Controllers and file servers in the environment. Finally, during the fourth hour, the attackers staged the Quantum ransomware executable on the Domain Controller, used Admin Shares to deliver it to individual machines, and executed it via WMIC and PsExec from the Domain Controller.
Analyst Comment: Attackers can encrypt your organization's machines just a couple of hours after an employee activates a phishing email. Defenders should implement constant network monitoring and consider 24/7 security operations center (SOC) operations to respond to detected warnings in a timely manner.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Domain Trust Discovery - T1482 | [MITRE ATT&CK] Remote Services - T1021 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] Windows Management Instrumentation - T1047 | [MITRE ATT&CK] Account Discovery - T1087 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Remote System Discovery - T1018 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Application Layer Protocol - T1071
Tags: Quantum, Ransomware, IcedID, Cobalt Strike, ISO, LNK, RDP, WMI, PsExec, Scheduled task, AdFind, Active Directory, LSASS, Powershell

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Mummy Spider
Mummy Spider is a cybercrime actor that was first identified by the security community in June 2014. Mummy Spider is associated with Emotet malware, which they initially used as a banking trojan but which has been updated over time to function as a modular downloader. Mummy Spider operates Emotet as a service, and it has been used to deliver multiple malware families such as Cobalt Strike, IcedID, Gootkit, and Trickbot, among others. Mummy Spider targets all industries on a global scale by distributing the Emotet trojan via wide-scale malspam campaigns with malicious attachments or hyperlinks embedded in email messages.

Mustang Panda
Malicious activity conducted by the China-based cyberespionage group Mustang Panda was first identified by CrowdStrike in April 2017 and later published under the name Mustang Panda in June 2018. The group is motivated by gaining access to information that appears to align with the strategic goals laid out by the government of the People’s Republic of China.

Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users
A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.

CVE-2022-22954
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

CVE-2022-22957
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.

CVE-2022-22958
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through malicious JDBC URI which may result in remote code execution.
