Anomali Cyber Watch: Velvet Chollima Steals Emails from Browsers, Austrian Mercenary Leverages Zero-Days, China-Sponsored Group Uses CosmicStrand UEFI Firmware Rootkit, and More | Anomali

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyber mercenaries, Phishing, Rootkits, Spyware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”

(published: July 28, 2022)

Volexity researchers discovered SharpExt, a new malicious browser extension used by the North Korea-sponsored Velvet Chollima (Kimsuky, SharpTongue, Thallium) group. SharpExt inspects and exfiltrates data from a victim's webmail (AOL or Gmail) account as the victim browses it. Velvet Chollima continues to add features to the extension; the latest known version (3.0) supports three browsers: Microsoft Edge, Google Chrome, and Whale, the last of which is used almost exclusively in South Korea. Following the initial compromise, Velvet Chollima deploys SharpExt and, to avoid alerting the victim, manually exfiltrates the browser's settings files, modifies them, and generates a valid "super_mac" security check value. The operators also hide the newly opened DevTools window and any other warning windows, such as the warning about extensions running in developer mode.
Analyst Comment: Velvet Chollima is known for its tactic of deploying malicious browser extensions, but in the past it concentrated on stealing credentials rather than emails. The group continues aggressive cyberespionage campaigns exfiltrating military and industrial technologies from Europe, South Korea, and the US. Network defenders should monitor for suspicious instances of PowerShell execution, as well as for traffic to and from known Velvet Chollima infrastructure (available in Anomali Match).
MITRE ATT&CK: [MITRE ATT&CK] Browser Extensions - T1176 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Hide Artifacts - T1564
Tags: SharpExt, Velvet Chollima, Kimsuky, SharpTongue, Thallium, APT, North Korea, source-country:KP, South Korea, target-country:KR, USA, target-country:US, target-region:Europe, AOL, Gmail, Edge, Chrome, Whale, PowerShell, VBS, Browser extension

Untangling KNOTWEED: European Private-Sector Offensive Actor Using 0-Day Exploits

(published: July 27, 2022)

Microsoft researchers detail the activity of DSIRF, an Austrian private-sector offensive actor (PSOA). In 2021, this actor, tracked as Knotweed, used four Windows and Adobe 0-day exploits. In 2022, DSIRF exploited another zero-day, CVE-2022-22047, a Windows CSRSS elevation-of-privilege vulnerability that Microsoft patched in July 2022. DSIRF attacks rely on a malware toolset called Subzero. The initial downloader shellcode is executed either from the exploit chains or from malicious Excel documents. It downloads a JPG image file carrying extra encrypted data, then extracts, decrypts, and loads into memory Corelump, a memory-only infostealer. For persistence, Corelump creates trojanized copies of legitimate Windows DLLs that serve as the Jumplump downloader. Although DSIRF advertises itself as a red-teaming service provider, at least some of its observed victims had never requested any such engagement.
Analyst Comment: Cyber mercenary companies often end up selling advanced malware toolsets to customers who abuse them to spy on other organizations and prominent individuals. DSIRF appears to be an advanced threat actor, as it is able to use zero-day exploits in its attacks. Network defenders should ensure deployment of the July 2022 Microsoft security updates to address the CVE-2022-22047 vulnerability. Enable multifactor authentication (MFA) to address the risk of credential theft, with special attention to all remote connectivity accounts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Data Obfuscation - T1001 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] OS Credential Dumping - T1003 | [MITRE ATT&CK] Modify Registry - T1112
Tags: DSIRF, Knotweed, Subzero, Private-sector offensive actor, Cyber mercenary, PSOA, Access-as-a-service, Hack-for-hire, DSIRF GmbH, Windows, Adobe, Adobe Reader, 0-day, target-region:Europe, target-region:Central America, United Kingdom, target-country:UK, Panama, target-country:PA, Austria, source-country:AT, target-country:AT, detection:Jumplump, detection:Corelump, Mex, PassLib, Mimikatz, Chisel, JPG, CVE-2021-28550, CVE-2021-36948, CVE-2022-22047, CVE-2021-31201, CVE-2021-31199, Finance, Law

Malicious IIS Extensions Quietly Open Persistent Backdoors into Servers

(published: July 26, 2022)

Microsoft researchers observed a rise in backdoors that are malicious extensions for Internet Information Services (IIS), a Microsoft web server. A typical infection chain involves installation of a script web shell, later followed by installation of an IIS backdoor to provide highly covert and persistent access to the server. Once registered with the target application, the backdoor can monitor incoming and outgoing requests, dump credentials and perform app-specific attacks such as mailbox export from Microsoft Exchange servers. Four major categories of the IIS backdoors include credential stealers, IIS handlers, open-source variants, and web shell-based variants.
Analyst Comment: Threat actors are migrating the functionality of their web shells (such as China Chopper) into malicious IIS modules, which currently enjoy a lower detection rate. They understand the opportunities IIS offers and, equally, the typical monitoring and security controls that will be in place, and they craft or re-engineer their tooling to stay beneath the radar. The goal is persistence, reconnaissance, and everything that follows. Web server administrators should keep their systems patched and work with their security teams to harden and lock down the environment adequately. In tandem, it is key to set up monitoring for unexpected additions, paths, and new modules. For IIS servers, prioritize alerts related to suspicious processes originating from w3wp.exe. More widely, consideration of the attack flow should inform reviews of system and network monitoring and security hardening, creating multiple layers of defense across the connected estate. Anomali Match customers can check for evidence of compromise from this IIS-based attack flow by matching against known malicious DLL binaries.
MITRE ATT&CK: [MITRE ATT&CK] Server Software Component - T1505 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Protocol Tunneling - T1572 | [MITRE ATT&CK] Encrypted Channel - T1573 | [MITRE ATT&CK] OS Credential Dumping - T1003
Tags: Internet Information Services, IIS, IIS extension, Windows, China Chopper, w3wp.exe, Antsword, Mimikatz, PsExec, Backdoor, detection:Backdoor:MSIL/SuspIISModule, detection:Backdoor:MSIL/OWAStealer, detection:Win32/SuspGacInstall, Global assembly cache, ProxyShell, PowerShell, RDP, SSH
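The analyst comment above recommends monitoring IIS for unexpected additions and new modules. The following is an added example (not Microsoft's or Anomali's code) of a baseline audit of IIS module registrations: it parses the `<system.webServer>` section of an applicationHost.config, compares the native (`<globalModules>`) and managed (`<modules>`) registrations against a known-good baseline, and reports unknown modules, changed image paths, and native images loaded from outside the inetsrv directory. The config fragment, baseline, and module names (`IISHelperModule`, `CredTrapModule`) are constructed for illustration.

```python
"""Baseline audit of IIS module registrations (added example)."""
import xml.etree.ElementTree as ET
from typing import NamedTuple

# Constructed applicationHost.config fragment: two stock modules plus a
# native module dropped under inetpub and a managed module of unknown origin.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="IISHelperModule" image="C:\\inetpub\\temp\\helper.dll" />
    </globalModules>
    <modules>
      <add name="DefaultDocumentModule" />
      <add name="StaticFileModule" />
      <add name="IISHelperModule" />
      <add name="CredTrapModule" type="Trap.CredModule, Trap, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </modules>
  </system.webServer>
</configuration>
"""

# Known-good baseline, normally captured from a freshly built server (constructed here).
BASELINE_GLOBAL = {
    "DefaultDocumentModule": "%windir%\\System32\\inetsrv\\defdoc.dll",
    "StaticFileModule": "%windir%\\System32\\inetsrv\\static.dll",
}
BASELINE_MANAGED = {"DefaultDocumentModule", "StaticFileModule"}
TRUSTED_IMAGE_PREFIX = "%windir%\\system32\\inetsrv\\"  # compared case-insensitively


class Finding(NamedTuple):
    module: str
    reason: str
    detail: str


def _entries(root, container):
    """Yield <add> entries under every <container> element. iter() is used
    rather than a path lookup so the dotted 'system.webServer' tag is not an issue."""
    for node in root.iter(container):
        yield from node.findall("add")


def audit_iis_modules(config_xml, baseline_global, baseline_managed):
    """Return Findings for registrations that deviate from the baseline."""
    root = ET.fromstring(config_xml)
    findings = []
    # Native modules: name -> DLL image path.
    for add in _entries(root, "globalModules"):
        name, image = add.get("name", ""), add.get("image", "")
        if name not in baseline_global:
            findings.append(Finding(name, "native module not in baseline", image))
        elif baseline_global[name].lower() != image.lower():
            findings.append(Finding(name, "native module image path changed", image))
        if not image.lower().startswith(TRUSTED_IMAGE_PREFIX):
            findings.append(Finding(name, "native image outside inetsrv", image))
    # Managed modules carry a type attribute; entries without one merely enable
    # a native module whose registration was already checked above.
    for add in _entries(root, "modules"):
        name, mtype = add.get("name", ""), add.get("type")
        if mtype is None:
            continue
        if name not in baseline_managed:
            findings.append(Finding(name, "managed module not in baseline", mtype))
    return findings


if __name__ == "__main__":
    for f in audit_iis_modules(SAMPLE_CONFIG, BASELINE_GLOBAL, BASELINE_MANAGED):
        print(f"{f.reason}: {f.module} ({f.detail})")
```

On a real server the baseline is taken from a known-clean build and the audit is re-run on a schedule; any new managed module name or native DLL outside inetsrv is worth treating as a high-priority alert, since both are the registration step every IIS backdoor category in the report relies on.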

DHL Phishing Page Uses Telegram Bot for Exfiltration

(published: July 26, 2022)

Sending phished data over an encrypted channel to a bot in the Telegram messenger is becoming a popular alternative to the standard tactic of sending it via email. Another trend observed by Sucuri researchers is the use of multi-step phishing pages, where the victim is navigated from one screen to another before actually being asked to provide financial information. A specific DHL-themed phishing campaign that Sucuri outlines uses a third-party IP address check to avoid showing the phishing page when a proxy or VPN service is suspected.
Analyst Comment: Phishing threat actors strive to make their pages and traffic less detectable. Traffic distribution systems lead to false negatives when actors display benign content to known research and proxy IP addresses. As these phishing pages are often hosted on compromised websites, website owners should keep their systems updated, use unique strong passwords, introduce MFA for all privileged or internet-facing resources, and employ server-side scanning to detect unauthorized malicious content. It is also good practice for website owners to deploy client-side monitoring to flag malicious content that is pulled in from external content and plugins and is therefore only visible client-side during the interaction.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566
Tags: Phishing, DHL, Telegram, Heroku, VPN, Proxy, IP fraud score

DUCKTAIL: An InfoStealer Malware Targeting Facebook Business Accounts

(published: July 26, 2022)

A newly found malware campaign dubbed “DUCKTAIL” was observed targeting individuals and businesses operating on the Facebook Business platform, according to WithSecure researchers. The malware can steal browser cookies and Facebook security tokens. The attackers then use this access to add an attacker-controlled email address as an administrator of the connected Facebook Business accounts. Based on the data and samples analyzed, researchers attribute this activity to a financially motivated Vietnamese group. They also found that the samples linked to the DUCKTAIL operation are written in .NET Core.
Analyst Comment: Regularly reviewing administrative access to business accounts and revoking access for unknown users reduces the attack surface and the impact of a compromise. Web endpoint protection and real-time threat protection also reduce exposure and the probability of attack.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Exfiltration Over Web Service - T1567
Tags: DUCKTAIL, Malware, Business, Facebook, Browser, Cookies, Telegram

Luca Stealer Source Code Leaked On A Cybercrime Forum

(published: July 25, 2022)

Cyble researchers found that the developers of Luca Stealer, a new Rust-based infostealer, have made its source code publicly available. After the source code was published on a popular cybercrime forum on July 3, 2022, and other actors cooperated on improving it and adding new features, the improved Luca Stealer code appeared on GitHub. The Rust programming language gives malware developers additional versatility and evasion capabilities. The first Luca Stealer version exfiltrated stolen data via a Telegram bot; this was later replaced with Discord webhooks to raise the exfiltration file size limit. Luca Stealer steals login credentials, credit cards, and cookies from over 30 Chromium-based browsers, targets 10 cold crypto wallets, and targets the browser extensions of password managers and crypto wallets for over 20 browsers.
Analyst Comment: Luca Stealer is a growing threat: with the source code widely shared, new versions and additions will be developed. Security teams should define and deploy protection, detection, and response for this threat as soon as possible. Users should be educated on the dangers of torrenting, downloading from untrusted sources, unsolicited emails, and links. They should avoid browser built-in password managers in favor of secured password vaults, use MFA for all accounts that offer it, and always use unique strong passwords. Use reputable antivirus and internet security software.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Steal Application Access Token - T1528 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Software Discovery - T1518 | [MITRE ATT&CK] System Time Discovery - T1124 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Automated Exfiltration - T1020
Tags: Luca Stealer, Infostealer, Source code, Cybercrime forum, Rust, Windows, Cryptocurrency, Telegram bot, Discord webhooks, GitHub

CosmicStrand: The Discovery Of A Sophisticated UEFI Firmware Rootkit

(published: July 25, 2022)

CosmicStrand, a UEFI (Unified Extensible Firmware Interface) firmware rootkit located in the firmware images of Gigabyte or ASUS motherboards, was recently discovered by Kaspersky researchers. The rootkit was found on Windows systems, and the infected firmware images were linked to H81 chipset designs. A kernel-level implant makes the rootkit execute at every OS startup, achieving both stealth and persistence. The malware's entry point remains unclear; however, researchers believe a tampered or backdoored motherboard, usually sold as a second-hand device, is a possible infection vector. According to the researchers, the malware is attributed to a Chinese-speaking APT group, and victims were identified in China, Iran, Russia, and Vietnam. Kaspersky also concluded that the UEFI implant has been used in the wild since late 2016, although the potential impact and the C2 implants delivered to victims remain unknown.
Analyst Comment: Rootkits are stealthy and have an edge over other malware due to their complex nature. No remedy short of re-flashing has been identified for firmware-based infection: re-flashing the infected firmware with a clean image is the only way of removing it, and this can be performed with the vendor's BIOS utilities.
MITRE ATT&CK: [MITRE ATT&CK] Boot or Logon Autostart Execution - T1547 | [MITRE ATT&CK] Logon Scripts - T1037 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Pre-OS Boot - T1542 | [MITRE ATT&CK] Rootkit - T1014 | [MITRE ATT&CK] Firmware Corruption - T1495 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Hijack Execution Flow - T1574
Tags: CosmicStrand, Rootkit, Firmware, UEFI, Windows, Malware, Target-Country: China, Target-Country: Vietnam, Target-Country: Russia, Target-Country: Iran

Hackers Attack EU Targets with Konni RAT Malware

(published: July 23, 2022)

Securonix researchers discovered a new state-sponsored campaign dubbed STIFF#BIZON that targeted the Czech Republic, Poland, and other European countries. The campaign used the Konni remote access trojan (RAT), previously attributed to the North Korean group APT37. At the same time, some of the underlying infrastructure points to the Russia-sponsored Fancy Bear (APT28), so the final attribution is inconclusive. The STIFF#BIZON campaign features a complex, multi-stage infection chain that begins with a spearphishing email carrying an archived attachment with a malicious LNK shortcut, which leads to PowerShell script execution. Once the Konni RAT is installed, the attackers gather various information from the victim machine and extract the browser's state key to decrypt the cookie database offline and bypass MFA.
Analyst Comment: Defenders are advised to disable the storage of clear-text passwords in LSASS memory. Monitor for suspicious PowerShell processes launched from .LNK files and for scheduled task creation that runs from a public directory. Anomali XDR customers can use the ingested indicators to look for evidence of compromise and established persistence on their estate.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Command and Scripting Interpreter - T1059 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] System Services - T1569 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Create or Modify System Process - T1543 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Abuse Elevation Control Mechanism - T1548 | [MITRE ATT&CK] Indicator Removal on Host - T1070 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Credentials from Password Stores - T1555 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] System Information Discovery - T1082 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] System Owner/User Discovery - T1033 | [MITRE ATT&CK] Archive Collected Data - T1560 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Automated Collection - T1119 | [MITRE ATT&CK] Application Layer Protocol - T1071 | [MITRE ATT&CK] Data Encoding - T1132 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Exfiltration - T1020 | [MITRE ATT&CK] Exfiltration Over C2 Channel - T1041
Tags: STIFF#BIZON, APT28, FancyBear, APT37, Konni, EU, Poland, target-country:PL, Czech Republic, target-country:CZ, Russia, North Korea, Cyberespionage, APT, VBscript, PowerShell, LNK, MFA bypass, Windows
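Three of the analyst comments in this issue recommend process-level monitoring: PowerShell launched from .LNK files and scheduled tasks created from public directories (Konni), suspicious PowerShell execution in general (SharpExt), and suspicious child processes of w3wp.exe (IIS backdoors). The following is an added example (not Securonix's, Microsoft's, Volexity's or Anomali's code) that runs those three rules over Sysmon Event ID 1 style process-creation records. A double-clicked shortcut shows up in telemetry as explorer.exe spawning the target, so the LNK rule keys on that parent plus hide/encode/download markers on the command line. All events, paths, allowlists, and the rule thresholds are constructed for illustration.

```python
"""Process-creation detections for the behaviours recommended above (added example)."""
import ntpath
import re

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine).
SAMPLE_EVENTS = [
    # 0: PowerShell spawned by explorer.exe (the footprint of a launched .LNK)
    #    with a hidden window and an encoded command (payload string is fake).
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -w hidden -enc QQBCAEMAREBFAA=="},
    # 1: persistence via a scheduled task whose action lives in C:\Users\Public.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 10 /tn "SysUpdate" /tr "C:\Users\Public\update.vbs"'},
    # 2: the IIS worker process spawning a shell.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    # 3: benign admin script run from explorer.exe, no hide/encode markers.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    # 4: benign task pointing at an installed program.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /sc daily /tn "VendorAgent" /tr "C:\Program Files\Vendor\agent.exe"'},
    # 5: ASP.NET dynamic compilation, an expected w3wp.exe child.
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"csc.exe /noconfig /fullpaths @C:\Windows\Temp\build.cmdline"},
]

# Command-line fragments that rarely appear in interactive or scripted admin use.
PS_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden", "iex",
              "invoke-expression", "downloadstring", "frombase64string")
# World-writable locations an unprivileged payload can stage itself in.
PUBLIC_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")
# Children w3wp.exe legitimately spawns (ASP.NET compilers); everything else alerts.
IIS_EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe", "vbc.exe"}
_TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)


def _base(path):
    return ntpath.basename(path).lower()


def rule_lnk_powershell(ev):
    """PowerShell launched by explorer.exe with suspicious command-line markers."""
    if _base(ev["ParentImage"]) != "explorer.exe":
        return None
    if _base(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    hits = [m for m in PS_MARKERS if m in ev["CommandLine"].lower()]
    return f"PowerShell from explorer.exe with markers {hits}" if hits else None


def rule_schtask_public_dir(ev):
    """schtasks /create whose task action (/tr) resides in a public directory."""
    if _base(ev["Image"]) != "schtasks.exe" or "/create" not in ev["CommandLine"].lower():
        return None
    m = _TASK_ACTION.search(ev["CommandLine"])
    if not m:
        return None
    action = (m.group(1) or m.group(2)).lower()
    return f"scheduled task action in public directory: {action}" if any(d in action for d in PUBLIC_DIRS) else None


def rule_w3wp_child(ev):
    """Any child of the IIS worker process outside the expected compiler set."""
    if _base(ev["ParentImage"]) != "w3wp.exe":
        return None
    child = _base(ev["Image"])
    return None if child in IIS_EXPECTED_CHILDREN else f"w3wp.exe spawned {child}: {ev['CommandLine']}"


RULES = {
    "LNK-PowerShell": rule_lnk_powershell,
    "SchTask-PublicDir": rule_schtask_public_dir,
    "IIS-ChildProcess": rule_w3wp_child,
}


def run_rules(events):
    """Return (rule_id, event_index, reason) for every rule that fires."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule_id, rule in RULES.items():
            reason = rule(ev)
            if reason:
                alerts.append((rule_id, idx, reason))
    return alerts


if __name__ == "__main__":
    for rule_id, idx, reason in run_rules(SAMPLE_EVENTS):
        print(f"[{rule_id}] event {idx}: {reason}")
```

The two benign records show why each rule needs its second condition: explorer.exe launching PowerShell is routine on admin workstations, and w3wp.exe launching the C# compiler is routine on ASP.NET servers, so the parent relationship alone would drown an analyst in false positives.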

Observed Threats

Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:

Velvet Chollima
Velvet Chollima, also known as “Kimsuky”, is a suspected APT group believed to be linked to the Democratic People’s Republic of Korea (DPRK). Active since at least 2013, the group's primary motive is espionage against South Korea. An increase in activity occurred during the period of the 2018 summit between United States President Donald Trump and DPRK Leader Kim Jong-Un.

Windows CSRSS Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-22026 and CVE-2022-22049.

Windows Update Medic Service Elevation of Privilege Vulnerability.

Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31199.

Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31201.

Acrobat Reader DC versions 2021.001.20150 (and earlier), 2020.001.30020 (and earlier) and 2017.011.30194 (and earlier) are affected by a Use After Free vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
