November 22, 2022
Anomali Threat Research

Anomali Cyber Watch: URI Fragmentation Used to Stealthily Defraud Holiday Shoppers, Lazarus and BillBug Stick to Their Custom Backdoors, Z-Team Turned Ransomware into Wiper, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Cyberespionage, Phishing, Ransomware, Signed malware,</b> and <b>Wipers</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p>
<p><img src="" /><br /> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p>
<h2>Trending Cyber News and Threat Intelligence</h2>
<div class="trending-threat-article">
<h3><a href="" target="_blank">DEV-0569 Finds New Ways to Deliver Royal Ransomware, Various Payloads</a></h3>
<p>(published: November 17, 2022)</p>
<p>From August to October 2022, Microsoft researchers detected new campaigns by a threat group dubbed DEV-0569. For delivery, the group alternated between malvertising through abused Google Ads and sending malicious links through contact forms on targeted organizations’ public websites. Fake installer files were hosted on typosquatted domains or on legitimate repositories (GitHub, OneDrive). The first stage was a user-downloaded, signed MSI or VHD file (BatLoader malware), which led to second-stage payloads such as BumbleBee, Gozi, Royal ransomware, or Vidar Stealer.<br /> <b>Analyst Comment:</b> DEV-0569 is dangerous because of its abuse of legitimate services and legitimate certificates. Organizations should consider educating their users about software installation and restricting the installation options available to them. Links arriving through alternative channels such as contact forms should be scrutinized as thoroughly as links in incoming email.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Phishing - T1566</a> | <a href="" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Command and Scripting Interpreter - T1059</a> | <a href="" target="_blank">[MITRE ATT&CK] Impair Defenses - T1562</a> | <a href="" target="_blank">[MITRE ATT&CK] Data Encrypted for Impact - T1486</a><br /> <b>Tags:</b> actor:DEV-0569, detection:Cobalt Strike, detection:Royal, malware-type:Ransomware, file-type:VHD, detection:NSudo, malware-type:Hacktool, detection:IcedID, Google Ads, Keitaro, Traffic distribution system, detection:Gozi, detection:BumbleBee, NirCmd, detection:BatLoader, malware-type:Loader, detection:Vidar, malware-type:Stealer, AnyDesk, GitHub, OneDrive, PowerShell, Phishing, SEO poisoning, TeamViewer, Adobe Flash Player, Zoom, Windows</p>
</div>
<div class="trending-threat-article">
<h3><a href="" target="_blank">Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment</a></h3>
<p>(published: November 16, 2022)</p>
<p>Since mid-September 2022, a new phishing campaign has been targeting users in North America under the pretense of holiday specials. It impersonates a number of major brands including Costco, Delta Airlines, Dick&#39;s, and Sam&#39;s Club. Akamai researchers analyzed the techniques used by the underlying, sophisticated phishing kit. For defense evasion and victim tracking, the attackers used URI fragmentation: they placed target-specific tokens after the URL fragment identifier (the hash mark, also known as the HTML anchor). JavaScript code running in the victim’s browser then used that value to reconstruct the redirect URL.<br /> <b>Analyst Comment:</b> Evasion through URI fragmentation hides the token value from traffic inspection tools because the fragment is never sent to the server. Users are advised to double-check domains that ask for a payment or personal information, and to learn the signs of an advance-fee scam. Organizations are invited to try Anomali Premium Digital Risk Protection to detect abuse of their brands.<br /> <b>Tags:</b> Costco, Delta Airlines, Dick&#39;s, Sam&#39;s Club, target-region:North America, USA, target-country:US, Canada, target-country:CA, Phishing, JavaScript, Redirect, Credit card data, Advanced fee, Fraud</p>
</div>
<div class="trending-threat-article">
<h3><a href="" target="_blank">DTrack Activity Targeting Europe and Latin America</a></h3>
<p>(published: November 15, 2022)</p>
<p>Since 2019, the North Korea-sponsored Lazarus Group has used the DTrack backdoor for discovery, lateral movement, and theft of sensitive information. In 2022, DTrack was seen in a wider range of attacks targeting Brazil, Germany, India, Italy, Mexico, Saudi Arabia, Switzerland, Turkey, and the United States. DTrack is delivered inside an executable, and three to four decryption stages run before the malware payload starts. The first stage retrieves the second stage from inside the malware PE file using either an offset-based or a resource-based approach. Once decrypted and executed, this heavily obfuscated shellcode decrypts the eight bytes that follow the final payload decryption key to obtain the payload size and its entry-point offset.<br /> <b>Analyst Comment:</b> Organizations are advised to block known DTrack C2 domains (available in the Anomali platform).<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Input Capture - T1056</a> | <a href="" target="_blank">[MITRE ATT&CK] Data from Local System - T1005</a><br /> <b>Tags:</b> mitre-group:Lazarus Group, detection:DTrack, target-region:Europe, target-region:Latin America, USA, target-country:US, target-country:BR, target-country:DE, target-country:IN, target-country:IT, target-country:MX, target-country:SA, target-country:CH, North Korea, source-country:KP, APT</p>
</div>
<div class="trending-threat-article">
<h3><a href="" target="_blank">Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries</a></h3>
<p>(published: November 15, 2022)</p>
<p>Symantec researchers detected a new campaign by the China-sponsored cyberespionage group Billbug (aka Thrip, Lotus Blossom, Spring Dragon). Starting in March 2022, the group targeted a certificate authority in Asia and a number of government and defense agencies across various Asian countries. The group used its custom backdoors Hannotog and Sagerunex, both first detected in 2019, as well as a large number of publicly available tools: AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, and WinRAR.<br /> <b>Analyst Comment:</b> Network defenders should plan for detecting anomalous behavior from signed but malicious binaries. Certificate authorities should be regarded as critical targets and protected accordingly with a defense-in-depth approach.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="" target="_blank">[MITRE ATT&CK] Proxy - T1090</a> | <a href="" target="_blank">[MITRE ATT&CK] System Network Configuration Discovery - T1016</a> | <a href="" target="_blank">[MITRE ATT&CK] Service Stop - T1489</a><br /> <b>Tags:</b> actor:Billbug, mitre-group:Lotus Blossom, actor:Thrip, actor:Spring Dragon, China, source-country:CN, target-region:Asia, detection:Sagerunex, malware-type:Backdoor, detection:Hannotog, malware-type:Loader, detection:Stowaway Proxy Tool, AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, Port Scanner</p>
</div>
<div class="trending-threat-article">
<h3><a href="" target="_blank">Ukrainian CERT Discloses New Data-Wiping Campaign</a></h3>
<p>(published: November 14, 2022)</p>
<p>The Ukrainian Computer Emergency Response Team (CERT) reported a new data-wiping campaign that has affected several Ukrainian organizations since spring 2022. The responsible group, UAC-0118 (self-named “From Russia with Love”, FRwL, and Z-Team), has been using a modified version of the Somnia ransomware that offers no possibility of data decryption, which effectively turns it into a wiper. It is likely that UAC-0118 has been acquiring access from another threat group (an initial access broker). Employees were lured into downloading bogus software, which led to installation of the Vidar stealer. The victim&#39;s Telegram account was then used to transfer VPN connection configuration files (including certificates and authentication data) to users. The attackers used a number of tools for lateral movement and data exfiltration: Anydesk, Cobalt Strike Beacon, Netscan, Ngrok, and Rclone.<br /> <b>Analyst Comment:</b> Organizations with exposure to the military conflict in Ukraine should maintain offline backups to minimize the effects of a potential data-wiping attack. Indicators associated with UAC-0118 activity are available in the Anomali platform, and customers are advised to block them on their infrastructure.<br /> <b>MITRE ATT&CK:</b> <a href="" target="_blank">[MITRE ATT&CK] User Execution - T1204</a> | <a href="" target="_blank">[MITRE ATT&CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&CK] Credentials from Password Stores - T1555</a> | <a href="" target="_blank">[MITRE ATT&CK] Disk Wipe - T1561</a><br /> <b>Tags:</b> actor:UAC-0118, actor:From Russia with Love, actor:FRwL, actor:Z-Team, detection:Somnia, malware-type:Wiper, Russia, source-country:RU, Ukraine, target-country:UA, Anydesk, detection:Cobalt Strike Beacon, Netscan, Ngrok, Rclone, Windows</p>
</div>
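<p>The URI fragmentation technique in the Akamai holiday-phishing item above rests on one property of URLs: the part after the hash mark stays in the browser. The following script is an added example written for this digest; it is not Anomali's, Akamai's, or the phishing kit's code. It shows what a proxy or server log actually records for a token-bearing URL, and a small heuristic that flags page scripts which both read <code>location.hash</code> and navigate with it. The hostname, URL, script snippet, and regular expressions are constructed for illustration.</p>

```python
"""Added example (not from the Anomali write-up or the Akamai research).

Demonstrates why a fragment-carried token is invisible to server-side and
proxy logs, and a simple heuristic for spotting page scripts that rebuild a
redirect target from the fragment. The URL and script snippet below are
constructed; the hostname is a placeholder.
"""
import re
from urllib.parse import urlsplit


def request_line_view(url: str) -> dict:
    """Split a URL into what the browser keeps locally and what it sends.

    Per RFC 3986 the fragment is handled by the client only: it never appears
    in the HTTP request line, so web proxies, WAFs and server access logs
    record the URL without it. A token in the query string, by contrast,
    does travel to the server and shows up in those logs.
    """
    parts = urlsplit(url)
    on_the_wire = parts.path or "/"
    if parts.query:
        on_the_wire += "?" + parts.query
    return {
        "host": parts.hostname,
        "request_target": on_the_wire,  # what a proxy/server log will show
        "fragment": parts.fragment,      # seen only by client-side script
    }


# Patterns a fragment-driven redirect page needs: read the fragment, then
# feed it (possibly after decoding) into a navigation sink. Assumed heuristics.
_HASH_READ = re.compile(r"location\.hash")
_NAV_SINK = re.compile(
    r"(location\.href\s*=|location\.replace\s*\(|location\.assign\s*\(|window\.open\s*\()"
)
_DECODE = re.compile(r"\b(atob|decodeURIComponent|unescape)\s*\(")


def fragment_redirect_score(script: str) -> dict:
    """Heuristic: flag scripts that both read the fragment and navigate.

    Returns the individual findings so an analyst can see why it fired;
    'decodes' is informational (kits often obfuscate the fragment value).
    """
    findings = {
        "reads_fragment": bool(_HASH_READ.search(script)),
        "navigates": bool(_NAV_SINK.search(script)),
        "decodes": bool(_DECODE.search(script)),
    }
    findings["suspicious"] = findings["reads_fragment"] and findings["navigates"]
    return findings


# Constructed sample: a lure URL whose per-target token rides in the fragment,
# and the kind of inline script that would consume it.
SAMPLE_URL = "https://holiday-deals.example/promo?c=holiday#tok-a1b2c3"
SAMPLE_SCRIPT = """
var t = window.location.hash.slice(1);
if (t) { location.href = "https://" + atob(t) + "/claim"; }
"""

if __name__ == "__main__":
    print(request_line_view(SAMPLE_URL))
    print(fragment_redirect_score(SAMPLE_SCRIPT))
```

<p>The practical consequence for detection is that a fragment token cannot be recovered from proxy or web-server logs after the fact; the only places it exists are the lure message itself and the victim's browser, so brand-abuse monitoring and client-side inspection (browser telemetry, URL detonation) are where this campaign becomes visible.</p>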
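<p>The DTrack item above describes a header step that analysts meet in many multi-stage loaders: after the final payload decryption key come eight bytes which, once decrypted, give the payload size and its entry-point offset. The script below is an added example, not Kaspersky's, Anomali's, or DTrack's own code, and it does not reproduce DTrack's real cipher or container layout. It assumes a toy layout (key, then an encrypted 8-byte size/entry header, then the encrypted payload) and a repeating-key XOR stand-in for the decryption routine, so that the parsing and the sanity checks an analyst applies to such a header can run offline on constructed data.</p>

```python
"""Added example (not the Anomali or Kaspersky code, and not DTrack's real
cipher). Models the header step the write-up describes: after the final
payload decryption key comes an eight-byte block that, once decrypted, yields
the payload size and its entry-point offset. The container layout, key length
and XOR "cipher" are assumptions so the example runs offline; a real unpacker
would substitute the sample's actual algorithm.
"""
import struct

KEY_LEN = 16  # assumed key length for the toy container


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Toy repeating-key XOR standing in for the real decryption routine."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def parse_final_stage(blob: bytes) -> dict:
    """Recover size, entry offset and payload from a key-prefixed container.

    Assumed layout: key | enc(size u32 LE, entry u32 LE) | enc(payload).
    The validation mirrors what an analyst checks before trusting a decoded
    header: the declared size must fit in the buffer and the entry point
    must lie inside the payload. A wrong key typically fails these checks.
    """
    if len(blob) < KEY_LEN + 8:
        raise ValueError("blob too short to hold key and 8-byte header")
    key = blob[:KEY_LEN]
    header = xor_decrypt(blob[KEY_LEN:KEY_LEN + 8], key)
    size, entry = struct.unpack("<II", header)
    body = blob[KEY_LEN + 8:]
    if size == 0 or size > len(body):
        raise ValueError(f"declared size {size} does not fit {len(body)} bytes")
    if entry >= size:
        raise ValueError(f"entry offset {entry} lies outside payload of {size}")
    payload = xor_decrypt(body[:size], key)
    return {"size": size, "entry": entry, "payload": payload}


def build_container(key: bytes, payload: bytes, entry: int) -> bytes:
    """Build a container in the assumed layout (used only to make sample data)."""
    header = struct.pack("<II", len(payload), entry)
    return key + xor_decrypt(header, key) + xor_decrypt(payload, key)


# Constructed sample: a fake 24-byte payload with a marker at the entry point.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_PAYLOAD = b"\x90" * 12 + b"ENTRY" + b"\x00" * 7
SAMPLE_BLOB = build_container(SAMPLE_KEY, SAMPLE_PAYLOAD, entry=12)
# Failure modes the checks are meant to catch: a truncated capture, and a
# header whose entry offset points past the payload.
TRUNCATED_BLOB = SAMPLE_BLOB[:-10]
BAD_ENTRY_BLOB = build_container(SAMPLE_KEY, SAMPLE_PAYLOAD, entry=30)

if __name__ == "__main__":
    info = parse_final_stage(SAMPLE_BLOB)
    print(info["size"], info["entry"],
          info["payload"][info["entry"]:info["entry"] + 5])
```

<p>When writing a real extractor for a sample, the same two checks (size within buffer, entry within size) are the cheapest way to confirm that the key and the offset you chose are right before spending time on the decrypted bytes.</p>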

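<p>The Billbug item above lists the publicly available tools the group ran alongside its custom backdoors (AdFind, Certutil, NBTscan, Ping, Port Scanner, Route, Tracert, Winmail, WinRAR). Individually each is ordinary administrator activity; the signal is several of them appearing on one host in a short window. The script below is an added example, not Symantec's or Anomali's detection content: it runs a sliding-window rule over constructed process-creation events in a simplified pipe-delimited format. The log format, the ten-minute window and the three-tool threshold are assumptions to be mapped onto your own telemetry and tuned there; it does not check code signatures, which the analyst comment treats as a separate concern.</p>

```python
"""Added example (not Symantec's or Anomali's detection content). Flags a
burst of the publicly available discovery and archiving tools named in the
Billbug write-up on a single host. The event format below is constructed
(timestamp|host|user|image|cmdline); thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names taken from the write-up, as lower-case image basenames.
RECON_TOOLS = {"adfind.exe", "nbtscan.exe", "ping.exe", "route.exe",
               "tracert.exe", "certutil.exe", "portscan.exe"}
STAGING_TOOLS = {"winrar.exe", "rar.exe", "winmail.exe"}
WATCHED = RECON_TOOLS | STAGING_TOOLS
WINDOW = timedelta(minutes=10)   # assumed window
MIN_DISTINCT = 3                 # assumed: distinct tools needed to alert


def parse_event(line: str) -> dict:
    """Parse one constructed 'ISO-timestamp|host|user|image|cmdline' line."""
    ts, host, user, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def find_tool_bursts(lines) -> list:
    """Return one alert per host whose window holds >= MIN_DISTINCT tools.

    A sliding window over time-ordered events means one admin running ping
    is ignored, while adfind + nbtscan + WinRAR within ten minutes fires.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["image"] in WATCHED:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(events):
            while ev["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            tools = {e["image"] for e in events[start:end + 1]}
            if len(tools) >= MIN_DISTINCT:
                alerts.append({"host": host, "user": ev["user"],
                               "tools": sorted(tools),
                               "first": events[start]["ts"], "last": ev["ts"]})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample events: WS-01 shows a burst, WS-02 only pings, and
# WS-03 runs the same tools but spread over an hour.
SAMPLE_LOG = [
    "2022-11-15T09:01:10|WS-01|corp\\jdoe|C:\\Windows\\System32\\ping.exe|ping.exe args",
    "2022-11-15T09:02:40|WS-01|corp\\jdoe|C:\\Users\\Public\\adfind.exe|adfind.exe args",
    "2022-11-15T09:05:02|WS-01|corp\\jdoe|C:\\Users\\Public\\nbtscan.exe|nbtscan.exe args",
    "2022-11-15T09:07:30|WS-01|corp\\jdoe|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe args",
    "2022-11-15T09:10:00|WS-02|corp\\ops|C:\\Windows\\System32\\ping.exe|ping.exe args",
    "2022-11-15T09:12:00|WS-02|corp\\ops|C:\\Windows\\System32\\ping.exe|ping.exe args",
    "2022-11-15T09:00:00|WS-03|corp\\admin|C:\\Tools\\adfind.exe|adfind.exe args",
    "2022-11-15T09:30:00|WS-03|corp\\admin|C:\\Tools\\nbtscan.exe|nbtscan.exe args",
    "2022-11-15T10:00:00|WS-03|corp\\admin|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe args",
]

if __name__ == "__main__":
    for alert in find_tool_bursts(SAMPLE_LOG):
        print(alert)
```

<p>In production the image basename should come from the process-creation event's image path rather than the command line, since the latter is attacker-controlled, and renamed copies of the tools call for a hash- or PE-metadata-based match instead of a name match.</p>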