January 9, 2023
Anomali Threat Research

Anomali Cyber Watch: Turla Re-Registered Andromeda Domains, SpyNote Is More Popular after the Source Code Publication, Typosquatted Site Used to Leak Company's Data

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Artificial intelligence, Expired C2 domains, Data leak, Mobile, Phishing, Ransomware,</b> and <b>Typosquatting</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://wwwlegacy.anomali.com/images/uploads/blog/acw-011023.png" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/" target="_blank">OPWNAI : Cybercriminals Starting to Use ChatGPT</a></h3> <p>(published: January 6, 2023)</p> <p>Check Point researchers have detected multiple underground forum threads outlining experimenting with and abusing ChatGPT (Generative Pre-trained Transformer), the revolutionary artificial intelligence (AI) chatbot tool capable of generating creative responses in a conversational manner. Several actors have built schemes to produce AI outputs (graphic art, books) and sell them as their own. Other actors experiment with instructions to write an AI-generated malicious code while avoiding ChatGPT guardrails that should prevent such abuse. Two actors shared samples allegedly created using ChatGPT: a basic Python-based stealer, a Java downloader that stealthily runs payloads using PowerShell, and a cryptographic tool.<br /> <b>Analyst Comment:</b> ChatGPT and similar tools can be of great help to humans creating art, writing texts, and programming. At the same time, it can be a dangerous tool enabling even low-skill threat actors to create convincing social-engineering lures and even new malware.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9883" target="_blank">[MITRE ATT&CK] T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9745" target="_blank">[MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9692" target="_blank">[MITRE ATT&CK] T1560 - Archive Collected Data</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&CK] T1005: Data from Local System</a><br /> <b>Tags:</b> ChatGPT, Artificial intelligence, OpenAI, Phishing, Programming, Fraud, Chatbot, Python, Java, Cryptography, FTP</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank">Turla: A Galaxy of Opportunity</a></h3> <p>(published: January 5, 2023)</p> <p>Russia-sponsored group Turla re-registered expired domains for old Andromeda malware to select a Ukrainian target from the existing victims. Andromeda sample, known from 2013, infected the Ukrainian organization in December 2021 via user-activated LNK file on an infected USB drive. Turla re-registered the Andromeda C2 domain in January 2022, profiled and selected a single victim, and pushed its payloads in September 2022. First, the Kopiluwak profiling tool was downloaded for system reconnaissance, two days later, the Quietcanary backdoor was deployed to find and exfiltrate files created in 2021-2022.<br /> <b>Analyst Comment:</b> Advanced groups are often utilizing commodity malware to blend their traffic with less sophisticated threats. Turla’s tactic of re-registering old but active C2 domains gives the group a way-in to the pool of existing targets. Organizations should be vigilant to all kinds of existing infections and clean them up, even if assessed as “less dangerous.” All known network and host-based indicators and hunting rules associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9779" target="_blank">[MITRE ATT&CK] T1564.003 - Hide Artifacts: Hidden Window</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9702" target="_blank">[MITRE ATT&CK] T1010 - Application Window Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9631" target="_blank">[MITRE ATT&CK] T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9957" target="_blank">[MITRE ATT&CK] T1049 - System Network Connections Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9863" target="_blank">[MITRE ATT&CK] T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9985" target="_blank">[MITRE ATT&CK] T1518 - Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9692" target="_blank">[MITRE ATT&CK] T1560 - Archive Collected Data</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&CK] T1560.001 - Archive Collected Data: Archive Via Utility</a> | <a href="https://ui.threatstream.com/attackpattern/10048" target="_blank">[MITRE ATT&CK] T1584 - Compromise Infrastructure</a> | <a href="https://ui.threatstream.com/attackpattern/10109" target="_blank">[MITRE ATT&CK] T1608.003 - Stage Capabilities: Install Digital Certificate</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/10083" target="_blank">[MITRE ATT&CK] T1573.002 - Encrypted Channel: Asymmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9736" target="_blank">[MITRE ATT&CK] T1529 - System Shutdown/Reboot</a><br /> <b>Tags:</b> mitre-group:Turla, actor:UNC4210, Russia, APT, source-country:RU, Ukraine, target-country:UA, detection:Trojan.Downloader.Andromeda, malware-type:Downloader, file-type:LNK, USB, detection:Kopiluwak, detection:Quietcanary, detection:Tunnus, malware-type:Backdoor, file-type:EXE, file-type:JS, file-type:COM, Dynadot, Expired C2 domain, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions.html" target="_blank">SpyNote: Spyware with RAT Capabilities Targeting Financial Institutions</a></h3> <p>(published: January 5, 2023)</p> <p>In the last quarter of 2022, ThreatFabric researchers have detected a significant increase in volume for the SpyNote (SpyMax) Android spyware. The latest version, SpyNote.C, was marketed by its developer under the Cypher Rat alias. It received additional capabilities to target mobile banking applications. In October 2022, the developer made the SpyNote.C (Cypher Rat) source code public and moved to work on a newer private spyware dubbed CraxsRat.<br /> <b>Analyst Comment:</b> It is paramount that users use the official Google Play store and review all available information regarding an application prior to downloading, even if the application is located on an official app store. This review can include an overlook of the comments (while keeping in mind that some comments could be fake) and examining the permissions an application will request upon installation. Organizations that publish applications for their customers are invited to use Anomali Premium Digital Risk Protection to discover rogue, malicious apps impersonating your brand that security teams typically do not search or monitor.<br /> <b>Tags:</b> detection:SpyNote, detection:SpyNote.C, detection:SpyMax, detection:Cypher Rat, detection:CraxsRat, malware-type:RAT, malware-type:Spyware, malware-type:Banking trojan, target-industry:Financial, target-industry:Banking, Mobile, HSBC, Deutsche Bank, Kotak Bank, BurlaNubank, WhatsApp, Facebook, Google Play, Sellix, Accessibility Services, LocationManager, Android</p> </div> <div class="trending-threat-article"> <h3><a href="https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/" target="_blank">BlindEagle Targeting Ecuador With Sharpened Tools</a></h3> <p>(published: January 5, 2023)</p> <p>Financially-motivated threat group APT-C-36 (Blind Eagle) has been active in South America since 2018. Its new campaign targets Ecuador and Columbia with phishing emails impersonating government agencies. APT-C-36 relies on target IP geolocation to limit the targeting to a certain country or two. The group continues to refine its tools and experiment with new infection chains. APT-C-36 has been adding features to the QuasarRAT leaked code base and abusing the living-off-the-land tool mshta.<br /> <b>Analyst Comment:</b> When receiving a purported government email, determine if it is a proper channel of communication for the alleged agency. Double-check sender information and domain names for the links that the email prompts you to click.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/10082" target="_blank">[MITRE ATT&CK] T1614 - System Location Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9932" target="_blank">[MITRE ATT&CK] T1218.005 - Signed Binary Proxy Execution: Mshta</a><br /> <b>Tags:</b> actor:Blind Eagle, mitre-group:APT-C-36, Ecuador, target-country:EC, Colombia, target-country:CO, target-region:South America, file-type:LHA, detection:QuasarRAT, file-type:PDF, RDP, Proxy, VBS, PowerShell, file-type:PY, Meterpreter, mshta, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.securityjoes.com/post/raspberry-robin-detected-itw-targeting-insurance-financial-institutes-in-europe" target="_blank">Raspberry Robin Detected ITW Targeting Insurance & Financial Institutes In Europe</a></h3> <p>(published: January 3, 2023)</p> <p>An upgraded version of the Raspberry Robin automated framework has been detected targeting Spanish and Portuguese-speaking financial organizations in Europe. The latest version of Raspberry Robin received a modified execution mechanism, more extensive code obfuscation and added encryption layer. The malware employs multiple anti-analysis techniques and expanded the number of collected information points used for victim fingerprinting.<br /> <b>Analyst Comment:</b> These new Raspberry Robin samples seem to share the C2 IP address with its previous iteration. Block known Raspberry Robin indicators (available in the Anomali platform) and adhere to basic anti-phishing measures.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9631" target="_blank">[MITRE ATT&CK] T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9893" target="_blank">[MITRE ATT&CK] T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols</a><br /> <b>Tags:</b> detection:Raspberry Robin, Automated framework, target-region:Europe, Discord, Azure, Github, target-sector:Financial, Anti-analysis, QNAP server, Tor, 7zip, file-type:MSI, file-type:ZIP, file-type:DLL, Botnet, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victim-s-website-to-leak-stolen-data/" target="_blank">Ransomware Gang Cloned Victim’s Website to Leak Stolen Data</a></h3> <p>(published: January 1, 2023)</p> <p>On December 26, 2022, the ALPHV (BlackCat) ransomware group added a new channel for exposing stolen information. After a compromised company in the financial services industry refused to pay ransom, ALPHV released the exfiltrated data on their Onion website, while also releasing it via a clearnet domain typosquatted for the company name.<br /> <b>Analyst Comment:</b> The ALPHV ransomware group is continuously innovating (previously they were first to enable a search function for the stolen data). Ransomware is an evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allows recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data. Anomali customers concerned about risks to their digital assets (including similar/typosquatted domains) can try out <a href="https://www.anomali.com/resources/data-sheets/anomali-premium-digital-risk-protection">Anomali&#39;s Premium Digital Risk Protection</a> service.<br /> <b>MITRE ATT&CK:</b> <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains</a><br /> <b>Tags:</b> actor:ALPHV, actor:BlackCat, Ransomware, Data leak, Typosquatting</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.