Anomali Cyber Watch: TURLA’s New Phishing-Based Reconnaissance Campaign in Eastern Europe, Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Chromeloader, Goodwill, MageCart, Saitama, Turla and Yashma. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Credit Card Stealer Targets PsiGate Payment Gateway Software

(published: May 25, 2022)

Sucuri Researchers have detailed their findings on a MageCart skimmer that had been discovered within the Magento payment portal. Embedded within the core_config_data table of Magento’s database, the skimmer was obfuscated and encoded with CharCode. Once deobfuscated, a JavaScript credit card stealer was revealed. The stealer is able to acquire text and fields that are submitted to the payment page, including credit card numbers and expiry dates. Once stolen, a synchronous AJAX is used to exfiltrate the data.
Analyst Comment: Harden endpoint security and utilize firewalls to block suspicious activity to help mitigate against skimmer injection. Monitor network traffic to identify anomalous behavior that may indicate C2 activity.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Input Capture - T1056
Tags: MageCart, skimmer, JavaScript Magento, PsiGate, AJAX

How the Saitama Backdoor uses DNS Tunneling

(published: May 25, 2022)

MalwareBytes Researchers have released their report detailing the process behind which the Saitama backdoor utilizes DNS tunneling to stealthy communicate with command and control (C2) infrastructure. DNS tunneling is an effective way to hide C2 communication as DNS traffic serves a vital function in modern day internet communications thus blocking DNS traffic is almost never done. Saitama formats its DNS lookups with the structure of a domain consisting of message, counter . root domain. Data is encoded utilizing a hardcoded base36 alphabet. There are four types of messages that Saitama can send using this method: Make Contact to establish communication with a C2 domain, Ask For Command to get the expected size of the payload to be delivered, Get A Command in which Saitama will make Receive requests to retrieve payloads and instructions and finally Run The Command in which Saitama runs the instructions or executes the payload and sends the results to the established C2.
Analyst Comment: Implement an effective DNS filtering system to block malicious queries. Furthermore, maintaining a whitelist of allowed applications for installation will assist in preventing malware like Saitama from being installed.
MITRE ATT&CK: [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: C2, DNS, Saitama, backdoor, base36, DNS tunneling

New Linux-Based Ransomware Cheerscrypt Targets ESXi Devices

(published: May 25, 2022)

A new ransomware named Cheers (Cheerscrypt) has been targeting vulnerable VMware ESXi servers since March 2022. It uses SOSEMANUK stream cipher to encrypt files and ECDH to generate the SOSEMANUK key. Cheers targets its victims with double extortion for decryption and for keeping the stolen data private.
Analyst Comment: Server virtualization systems are heavily targeted and require protection and disaster recovery planning. Backup important information, and keep your systems updated and securely configured.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Service Stop - T1489
Tags: Cheerscrypt, Cheers, Ransomware, Double extortion, VMware ESXi, Linux

ChromeLoader: a Pushy Malvertiser

(published: May 25, 2022)

Red Canary researchers monitored the ChromeLoader browser hijacker since February 2022 and noticed an increase in its activity in May 2022. Under the pretense of a cracked video game or pirated movie or TV show, the user is enticed to open an ISO file and launch the ChromeLoader executable inside. For persistence through a scheduled task, it bypasses the Windows Task Scheduler (schtasks.exe) by loading the Task Scheduler COM API, along with a cross-process injection into Service Host Process (svchost.exe). ChromeLoader uses PowerShell to inject itself into the Chrome browser in the form of a malicious extension. ChromeLoader version targeting MacOS drops payloads for either Chrome or Safari.
Analyst Comment: Check application reviews, developer information, and scan a downloaded file before making use of it. Defenders can monitor for PowerShell spawning chrome.exe containing load-extension and AppData\Local as a parameter.
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140
Tags: ChromeLoader, Browser hijacker, Loader, PowerShell, Chrome, Windows, Safari, MacOS

Hunting a Global Telecommunications Threat: DecisiveArchitect and Its Custom Implant JustForFun

(published: May 25, 2022)

CrowdStrike researchers analyze the BPFDoor (JustForFun) implant used by threat group Red Menshen (DecisiveArchitect). They observe activity dating back to 2019 targeting logistic and telecommunication companies to steal targeted information such as call detail records (CDRs) or information relating to specific phone numbers. The actors do interact with Windows systems in initial stages and use Windows post-exploitation tools after moving laterally later, but their main tool is the BFDoor implant that achieves stealthy persistence on Linux and Oracle Solaris systems.
Analyst Comment: To look for a BPFDoor infection on Linux, start with identifying a spoofed command line and associated open files. On Solaris, look for process strings indicating a process running with a packet filter, and processes that loaded the libpcap library. Check for typical Red Menshen file paths provided by CrowdStrike.
MITRE ATT&CK: [MITRE ATT&CK] Hide Artifacts - T1564 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Logon Scripts - T1037
Tags: BPFDoor, Telecommunications, Logistics, DecisiveArchitect, Red Menshen, JustForFun, CVE-2019-3010, China, Windows, ldapdomaindump, Impacket, Solaris, Linux

Yashma Ransomware, Tracing the Chaos Family Tree

(published: May 24, 2022)

The Blackberry Research and Intelligence Team have released their research tracing and documenting the evolution of the Chaos ransomware family tree. There are currently six versions of Chaos, with Chaos v1.0 being a rebrand of the .NET version of Ryuk and the latest Chaos v6.0 being named Yashma. Chaos has ties to the Onyx ransomware as well, with the creator of Chaos claiming the Onyx was developed using Chaos v4.0 as a base. Blackberry researchers document the change to the ransomware’s functionality over its iterations, with early versions only destroying data, essentially making it a wiper. Later versions of Chaos were able to encrypt data, with Chaos v5.0 overcoming the v4.0 limitation of only encrypting files less than 2MB. The current version, Yashma, now includes functionality to detect the victim’s country and prevent itself from running if it detects specific languages and the ability to stop various services on the victim machine.
Analyst Comment: Ransomware is a threat that is always evolving. Maintain a defense in depth security posture to maximize your protection against malware. Enforce a backup policy to ensure that you are able to recover quickly from possible attacks and minimize downtime. Check to see if there are any decryptors available before considering paying ransom.
MITRE ATT&CK: [MITRE ATT&CK] Data Destruction - T1485 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Impair Defenses - T1562
Tags: Yashma, Onyx, Ryuk, ransomware, Chaos, wiper

Unknown APT Group Has Targeted Russia Repeatedly Since Ukraine Invasion

(published: May 24, 2022)

Malwarebytes researchers discovered an unknown Advanced Persistent Threat (APT) group (possibly China-sponsored) targeting Russian government entities. At least four spearphishing campaigns have been recorded since late February 2022, covering various topics for the lures: Cybersecurity instructions, Interactive map of Ukraine, and even job vacancy at Saudi Aramco. The final payload, a novel remote access trojan (RAT) employs a number of anti-analysis techniques. Those are control flow flattening, using XOR for string obfuscation, implementing command-and-control (C2) HTTPS over raw sockets, and using the WolfSSL library to implement SSL itself. The last two measures cause and Fiddler to fail to capture the HTTPS requests made by the malware.
Analyst Comment: Defenders should teach their users to avoid unwarranted emails and be suspicious when an attachment asks to enable editing. Analysts dealing with a sample with control code flattening can deobfuscate with the D810 plugin for IDA.
MITRE ATT&CK: [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218
Tags: APT, Russia, target-country:RU, Cyberespionage, Spearphishing, RAT, Typosquatting, Deep Panda, Windows, VBS, DLL, OLLVM, Control flow flattening, Blake2b-256, WolfSSL, Rostec, Government, Defense, Military, China, Ukraine

GoodWill Ransomware Forces Victims to Donate to the Poor and Provides Financial Assistance to Patients in Need

(published: May 24, 2022)

GoodWill Ransomware was first identified in March 2022. It is attributed to an India-based actor based on its infrastructure, email provided, and an error comment string in Hindi. Instead of demanding a monetary payment from a victim whose files were encrypted, it makes three demands to help people in need. It demands new clothes/blankets for the homeless, to take five poor children to Dominos, KFC, or Pizza Hut, and to pay a hospital bill for somebody who cannot afford it.
Analyst Comment: There are no known victims of the GoodWill ransomware. Despite its “good” intentions, file encryptions can cause shutdown of the targeted company's operations and accompanied revenue loss. Organizations should enforce data protection, backup, and recovery measures.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497
Tags: GoodWill, Ransomware, Hindi, Hacktivism, India, source-country:IN

TURLA’s New Phishing-Based Reconnaissance Campaign in Eastern Europe

(published: May 23, 2022)

Sekoia researchers expanded on indicators shared by Google and discovered a new campaign by Russia-sponsored group Turla. Threat actors use typosquatted domains to host documents that are used for reconnaissance. Embedded external PNG file is being requested from an attacker-controlled server via the HTTP protocol. It allows the attackers to collect the victim's IP address and the Word application version and type. Phishing documents were themed around topics of war and sanctions on Russia and targeting included Austrian Federal Economic Chamber, Baltic Defence College, and NATO Joint Advanced Distributed Learning.
Analyst Comment: It’s important to keep a watchful eye on suspicious domain registration activity related to your brand and companies from your supply chain. Anomali Targeted Threat Monitoring service can help you detect and block such suspicious domain registrations.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: Turla, Reconnaissance, Phishing, Typosquatting, Russia, source-country:RU, FSB


Anomali Cyber Watch

Related Content

Get the Anomali Newsletter

The latest Anomali updates and cybersecurity news, delivered straight to your inbox each month.