March 3, 2020
Anomali Threat Research

Weekly Threat Briefing: APT Activity, Chrome 0-Day, MuddyWater, and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> 0-Day, Data breach, NetSupport Manager RAT, Roaming Mantis, Sea Turtle,</b> and <b> Trickbot</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Trickbot Delivery Method Gets a New Upgrade Focusing on Windows 10</b></a></h3> <span>(published: February 28, 2020)</span></div><p>According to researchers at Morphisec, the threat actors behind Trickbot have started to abuse functionality that only exists in Windows 10 to trigger their malicious macros. The method can bypass both static and dynamic analysis. The phishing document embeds an ActiveX control of the "MsRdpClient10NotSafeForScripting" class, a Remote Desktop client control that is only available on Windows 10. The control is given no server address, so its connection attempt fails with a DNS resolution error, and that error is what triggers the malicious macro code. Because malicious macros are usually wired to run when the document is opened or closed, static analysis tools may not consider an event handler like this a trigger at all. 
If the document is instead opened in a dynamic analysis sandbox that answers DNS queries with a fake response, the expected error never occurs and the malicious code does not execute either.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Roaming Mantis, part V</b></a></h3> <span>(published: February 27, 2020)</span></div><p>Roaming Mantis has improved its techniques to make it harder for researchers to track it, according to researchers at Kaspersky. The new technique appears to be under test against Korean targets and requires the victim to enter their phone number on the download page. The number acts as a whitelist: only the phone numbers of the people being targeted are allowed to download the malware, which in effect locks out security researchers and sandboxes. The threat actor has also added SMiShing of spoofed delivery notices as a new distribution method for its malware.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE MOBILE-ATT&amp;CK] Deliver Malicious App via Other Means - T1476</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Cortex XDR™ Detects New Phishing Campaign Installing NetSupport Manager RAT</b></a></h3> <span>(published: February 27, 2020)</span></div><p>Palo Alto Networks’ Unit 42 has reported a new phishing campaign that installs NetSupport Manager, a legitimate remote administration tool abused here as a Remote Access Trojan (RAT). What is unique to this campaign is the threat actors’ decoy documents, which are made to look like a document from Norton LifeLock. The document asks the user to enable macros and to enter a password into the pop-up box presented; Unit 42 believes the password is provided in the email. If the wrong password is entered, nothing malicious happens. 
The password check is most likely there to prevent detection by dynamic analysis, since a sandbox has no way to supply the correct value.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Israeli Marketing Company Exposes Contacts Database</b></a></h3> <span>(published: February 27, 2020)</span></div><p>The Israeli marketing company "Straffic" exposed 140 GB of contact information through poor credential hygiene. The data included 49 million email addresses. It was stored in a password-protected Elasticsearch cluster, but the password sat in plaintext in a file on one of the company’s web servers, which made the password protection moot. The records included email addresses, names, phone numbers, physical addresses, and gender.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Business as Usual For Iranian Operations Despite Increased Tensions</b></a></h3> <span>(published: February 26, 2020)</span></div><p>Spearphishing campaigns targeting governmental, intergovernmental, and unidentified entities in Middle Eastern countries ran from mid-2019 to mid-January 2020, according to Secureworks Counter Threat Unit researchers. The activity is attributed to the Iran-sponsored Advanced Persistent Threat (APT) group "MuddyWater" (Cobalt Ulster). The spearphishing emails carried zip archives containing a Microsoft Excel file (.xls), titled to be relevant to the target, that asks the recipient to enable content. Enabling content runs an embedded VBA macro that starts the infection chain for a previously unknown Remote Access Trojan (RAT) called "ForeLord." 
The RAT was then used to download additional tools to steal credentials, test those credentials against the target network, and set up a reverse SSL tunnel for further access.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">REVOKED - [MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server</b></a></h3> <span>(published: February 26, 2020)</span></div><p>Threat actors are using content delivery network (CDN) look-alike domains and ngrok to evade detection of their credit card skimmers, according to researchers at Malwarebytes Labs. The skimmers were disguised as common JavaScript libraries served from a CDN, so their script tags look like ordinary third-party includes. When a visitor browses to the checkout page, the skimmer captures all of the form data and sends it to the exfiltration server. In this campaign, the exfiltration server was hosted via ngrok. 
ngrok is a service that exposes servers behind network address translation (NAT) and firewalls to the public internet through a tunnel, so the exfiltration endpoint needed no dedicated domain or public IP address of its own.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>On Sea Turtle Campaign Targeting Greek Governmental Organisations</b></a></h3> <span>(published: February 25, 2020)</span></div><p>Greek news media reported that the Greek Prime Minister’s office, the Ministry of Foreign Affairs, the National Intelligence Service, and the Greek Police were targeted by the threat group Sea Turtle in April 2019. Sea Turtle, suspected to be based in Turkey, gained access to the victims' domain registrar accounts and changed the name servers used by their domains. Once the name server records pointed at a threat-actor-controlled server, Sea Turtle could answer DNS for the hijacked domains itself, obtain domain validation (DV) certificates for them (DV issuance checks only that the requester controls the domain's DNS or a host the domain resolves to), and use those certificates in Man-in-The-Middle (MITM) attacks that browsers would not flag.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">REVOKED - [MITRE PRE-ATT&amp;CK] Domain registration hijacking (PRE-T1103)</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>"Cloud Snooper" Attack Bypasses Firewall Security Measures</b></a></h3> <span>(published: February 25, 2020)</span></div><p>Researchers at SophosLabs have released a report on a new attack called "Cloud Snooper." The attack uses an unusual technique to smuggle command and control (C2) traffic through firewalls. It begins by compromising a server that runs a public-facing service, for example a web server. The server is then infected with a rootkit that intercepts incoming network packets and checks their transport-layer source port (carried in the TCP/UDP header, not the IP header) for a set of magic values; because the packets are addressed to the allowed service port, the firewall passes them as ordinary client traffic. 
Depending on which magic source port value it sees, the rootkit passes a different C2 instruction to the backdoor that it also installs. This allows the C2 server to talk to the backdoor through what appears to be legitimate traffic to the public service.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Kernel Modules and Extensions - T1215</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>LPE and RCE in OpenSMTPD's Default Install (CVE-2020-8794)</b></a></h3> <span>(published: February 24, 2020)</span></div><p>Qualys has released a security advisory for OpenSMTPD, the default mail server on OpenBSD, which is also packaged for many Linux distributions. The vulnerability is an out-of-bounds read that can lead to local privilege escalation (LPE) and remote code execution (RCE). It has been assigned CVE-2020-8794. Qualys confirmed that the vulnerability is exploitable on OpenBSD 6.6, OpenBSD 5.9, Debian 10, Debian 11, and Fedora 31; the fix shipped in OpenSMTPD 6.6.4p1.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p><p> </p><div><h3 style="display: inline-block;"><a href="" target="_blank"><b>Google Chrome 0day Fixed</b></a></h3> <span>(published: February 24, 2020)</span></div><p>Google has released a new version of Google Chrome containing three security fixes. One of the vulnerabilities, CVE-2020-6418, a type confusion bug in the V8 JavaScript engine, was reported by Google’s Threat Analysis Group after it was found being exploited in the wild. A public proof-of-concept (PoC) for the vulnerability exists, so updating to the fixed release should not wait for the next scheduled patch cycle.<br/> <a href="" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a></p><p> </p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2></div><div id="threat_model"><p>Additional information regarding the threats discussed in this week's Weekly Threat Briefing can be found below:</p><div id="threat_model_actors"><div><a href="" target="_blank">MuddyWater</a><p>Researchers from Palo Alto Networks and FireEye identified the Advanced Persistent Threat (APT) group "MuddyWater" as active since at least February 2017. FireEye initially tracked the group as "TEMP.Zagros" and suspected a connection to the financially-motivated group "FIN7"; researchers later determined that the group is Iran-based and that espionage is its main motivation. The group invests significant time in profiling its targets and uses social engineering to deliver weaponised Word documents with malicious macros. It is well equipped with a range of post-exploitation tools that it develops itself. These tactics show that the actor is a sophisticated threat to organisations.</p></div></div></div></div>
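<p>Both the Trickbot story and the NetSupport Manager story above describe macros that refuse to run until an external condition is met: a disconnect event from an RDP ActiveX control with no server address in the first case, a password typed into a pop-up box in the second. The following is an added example written for this briefing, not code from Morphisec, Unit 42 or Anomali: a small Python scanner that runs over extracted VBA source text (for instance the output of a tool such as olevba) and flags both gating patterns. The three VBA samples are constructed; the <code>OnDisconnected</code> handler name and the disconnect-reason value it checks are assumptions about how such a control would be wired up, not details taken from this page.</p>

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed VBA samples modelled on the two stories; not the real macros.
# The OnDisconnected handler and the disconnect-reason value are assumptions
# about how an RDP ActiveX control with no server address would be used.
TRICKBOT_STYLE = r"""
Private Sub MsRdpClient10NotSafeForScripting1_OnDisconnected(ByVal discReason As Long)
    ' assumed: the handler only fires the payload on a name-lookup failure
    If discReason = 260 Then
        Call RunPayload
    End If
End Sub
"""

NETSUPPORT_STYLE = r"""
Sub AutoOpen()
    Dim pw As String
    pw = InputBox("Enter the password from your email to view this document")
    If pw = "lifelock2020" Then
        Call RunPayload
    End If
End Sub
"""

BENIGN = r"""
Sub Document_Open()
    MsgBox "Welcome"
End Sub
"""

@dataclass
class Finding:
    rule: str
    line: int
    text: str

# Line-level indicators. The class name alone is worth a look even without a
# handler: there is little legitimate reason for an RDP control in a phish.
RULES = [
    ("rdp-activex-class", re.compile(r"MsRdpClient\d*NotSafeForScripting", re.I)),
    ("rdp-disconnect-event", re.compile(r"_OnDisconnected\s*\(", re.I)),
    ("inputbox-call", re.compile(r"\bInputBox\s*\(", re.I)),
]

def scan_vba(src: str) -> list[Finding]:
    lines = src.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(name, n, line.strip()))
        # Password gate: the InputBox result is compared in an If on one of the
        # next few lines, i.e. the payload is conditional on user-typed input.
        m = re.match(r"\s*(\w+)\s*=\s*InputBox\s*\(", line, re.I)
        if m:
            var = re.escape(m.group(1))
            if any(re.search(rf"\bIf\b.*\b{var}\b\s*=", w, re.I) for w in lines[n:n + 5]):
                findings.append(Finding("inputbox-compare-gate", n, line.strip()))
    return findings

def gate_types(src: str) -> set[str]:
    """Summarise which sandbox-evasion gates a macro uses."""
    names = {f.rule for f in scan_vba(src)}
    gates = set()
    if names & {"rdp-activex-class", "rdp-disconnect-event"}:
        gates.add("rdp-event-gated")
    if "inputbox-compare-gate" in names:
        gates.add("password-gated")
    return gates

if __name__ == "__main__":
    samples = [("trickbot-style", TRICKBOT_STYLE), ("netsupport-style", NETSUPPORT_STYLE), ("benign", BENIGN)]
    for label, sample in samples:
        print(label, sorted(gate_types(sample)) or "no gate")
        for f in scan_vba(sample):
            print(f"  line {f.line}: {f.rule}: {f.text}")
```

<p>The point of the second rule set is that a sandbox which only emulates the usual auto-open and auto-close triggers never sees either payload run; a static scan of the VBA text still sees the gate itself, which is a better signal than waiting for the payload.</p>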
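<p>For the skimmer story above, the check a web team can run offline is to inventory every script source a checkout page loads and compare it with an allowlist of the real CDN hosts the site uses, flagging look-alike hostnames and tunnel hosts such as ngrok. This is an added example written for this briefing, not code from Malwarebytes; the checkout page, the allowlist and the look-alike and ngrok hostnames in it are constructed, not taken from the campaign.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Real CDN hosts the shop is known to load scripts from (constructed allowlist).
ALLOWED_CDNS = {"cdnjs.cloudflare.com", "code.jquery.com", "ajax.googleapis.com"}
# Brand words an attacker reuses to make a skimmer host look like a CDN.
BRAND_TOKENS = ("cloudflare", "cdnjs", "jquery", "googleapis", "jsdelivr", "unpkg")
# Tunnelling services that hand an attacker a public hostname without a domain.
TUNNEL_SUFFIXES = (".ngrok.io",)

# Constructed checkout page; the second and third script tags are the kind of
# includes this campaign used, not the actual hostnames from the report.
CHECKOUT_PAGE = """
<html><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://cdnjs-cloudflare.example/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
<script src="https://a1b2c3d4.ngrok.io/analytics.js"></script>
<script src="/static/checkout.js"></script>
<script>console.log("inline scripts are out of scope for this check")</script>
</body></html>
"""

class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def script_sources(html):
    parser = ScriptSrcParser()
    parser.feed(html)
    return parser.srcs

def classify_host(host):
    host = host.lower().rstrip(".")
    if host in ALLOWED_CDNS:
        return "allowed"
    if host.endswith(TUNNEL_SUFFIXES):
        return "tunnel-host"
    # A host that trades on a CDN brand but is not the allowlisted host itself.
    if any(tok in host for tok in BRAND_TOKENS):
        return "cdn-lookalike"
    return "unknown-third-party"

def audit_page(html, first_party_host):
    """Return (src, verdict) for every script tag with a src on the page."""
    results = []
    for src in script_sources(html):
        host = urlsplit(src).hostname
        if host is None or host.lower() == first_party_host.lower():
            results.append((src, "first-party"))   # relative URL or same origin
        else:
            results.append((src, classify_host(host)))
    return results

def flagged_scripts(html, first_party_host):
    return [(s, v) for s, v in audit_page(html, first_party_host)
            if v not in ("allowed", "first-party")]

if __name__ == "__main__":
    for src, verdict in audit_page(CHECKOUT_PAGE, "shop.example"):
        print(f"{verdict:20} {src}")
```

<p>Because the verdict is allowlist-driven, a genuine CDN that is not on the list is also flagged; that is intended, since every new third-party script on a payment page should be reviewed. The same allowlist is the natural input for a Content-Security-Policy <code>script-src</code> directive, which turns this after-the-fact check into a browser-enforced one.</p>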
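<p>The Sea Turtle story above turns on a registrar-level change to a domain's name servers followed by DV certificate issuance for the hijacked domain. An offline monitor an organisation can run against its own domains is shown below as an added example written for this briefing (not code from the Greek reporting or from Anomali): it compares the name servers observed for a domain against a recorded baseline to find drift windows, then flags any certificate in a Certificate Transparency export that was issued inside such a window by an issuer the organisation does not use. All domains, name servers, issuers and timestamps are constructed.</p>

```python
from datetime import datetime, timedelta

# Name servers the organisation recorded for its own domain (constructed).
BASELINE_NS = {"gov.example": {"ns1.example-dns.net.", "ns2.example-dns.net."}}
# CAs the organisation actually obtains certificates from (constructed).
EXPECTED_ISSUERS = {"gov.example": {"Example Public CA"}}

# Constructed resolver observations: (ISO timestamp, domain, NS names returned).
NS_OBSERVATIONS = [
    ("2019-04-01T00:00:00", "gov.example", {"ns1.example-dns.net.", "ns2.example-dns.net."}),
    ("2019-04-03T06:00:00", "gov.example", {"ns1.attacker-dns.example.", "ns2.attacker-dns.example."}),
    ("2019-04-05T12:00:00", "gov.example", {"ns1.example-dns.net.", "ns2.example-dns.net."}),
]

# Constructed Certificate Transparency export: (not_before, subject CN, issuer).
CT_ENTRIES = [
    ("2019-01-10T09:00:00", "www.gov.example", "Example Public CA"),
    ("2019-04-03T07:15:00", "mail.gov.example", "Free DV Issuer"),
    ("2019-04-20T10:00:00", "www.gov.example", "Example Public CA"),
]

def ns_drift_windows(observations, baseline):
    """Spans during which a domain's observed NS set differed from its baseline.

    Returns [(domain, start, end)]; end is None while the drift is still ongoing.
    """
    windows, open_start = [], {}
    for ts, dom, ns in sorted(observations, key=lambda o: o[0]):
        t = datetime.fromisoformat(ts)
        drifted = ns != baseline.get(dom, set())
        if drifted and dom not in open_start:
            open_start[dom] = t
        elif not drifted and dom in open_start:
            windows.append((dom, open_start.pop(dom), t))
    windows.extend((dom, start, None) for dom, start in open_start.items())
    return windows

def covers(cn, dom):
    return cn == dom or cn.endswith("." + dom)

def suspicious_certs(ct_entries, windows, expected_issuers, slack=timedelta(days=1)):
    """Certificates for a drifted domain issued inside a drift window (widened by
    `slack`, since NS checks are periodic) by an issuer the organisation does not use."""
    hits = []
    for not_before, cn, issuer in ct_entries:
        t = datetime.fromisoformat(not_before)
        for dom, start, end in windows:
            if not covers(cn, dom):
                continue
            in_window = t >= start - slack and (end is None or t <= end + slack)
            if in_window and issuer not in expected_issuers.get(dom, set()):
                hits.append((cn, issuer, not_before))
    return hits

def audit(observations=NS_OBSERVATIONS, ct_entries=CT_ENTRIES):
    windows = ns_drift_windows(observations, BASELINE_NS)
    return windows, suspicious_certs(ct_entries, windows, EXPECTED_ISSUERS)

if __name__ == "__main__":
    windows, certs = audit()
    for dom, start, end in windows:
        print(f"NS drift for {dom}: {start.isoformat()} -> {end.isoformat() if end else 'ongoing'}")
    for cn, issuer, nb in certs:
        print(f"  cert for {cn} issued by '{issuer}' at {nb} during drift")
```

<p>Two caveats for anyone deploying this: the NS observations should come from resolvers outside the organisation's own network, since a hijack at the registrar is invisible to an internal resolver that caches the old delegation, and CAA records are no defence here because they are served by the same name servers the attacker now controls. The controls that actually stop the first step are a registrar lock and multi-factor authentication on the registrar account.</p>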
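<p>The Cloud Snooper technique above keys C2 on the source port of otherwise ordinary inbound packets to a public service. A real client picks a fresh ephemeral source port for each connection, so a host that keeps connecting to the same service from a handful of fixed, low source ports stands out in flow logs even though the firewall accepts every packet. The following is an added example written for this briefing, not code from SophosLabs: it parses constructed flow-log records in the AWS VPC flow log v2 layout and flags source IPs that reuse a small set of non-ephemeral source ports. The magic port numbers in the sample are invented for the example, not the values used by the real rootkit.</p>

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Linux picks client source ports from 32768 upward by default
# (net.ipv4.ip_local_port_range); Windows from 49152. Anything lower that is
# reused across connections is not a normal client.
EPHEMERAL_FLOOR = 32768
SERVICE_PORTS = {80, 443}   # the public-facing service the rootkit hides behind
TCP = 6

# Constructed AWS VPC flow log (v2 format) records: one scripted client that
# keeps coming back from three fixed source ports, and one ordinary browser.
# The magic port numbers are invented for this example, not taken from the report.
SAMPLE_FLOW_LOG = """
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.0.5 6060 443 6 10 840 1582700000 1582700060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.0.5 7070 443 6 12 960 1582700100 1582700160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.0.5 6060 443 6 9 780 1582700200 1582700260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.0.5 9999 443 6 11 900 1582700300 1582700360 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.7 10.0.0.5 7070 443 6 10 820 1582700400 1582700460 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.21 10.0.0.5 51234 443 6 30 4200 1582700000 1582700060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.21 10.0.0.5 51240 443 6 28 3900 1582700100 1582700160 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.21 10.0.0.5 51301 443 6 33 4500 1582700200 1582700260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.21 10.0.0.5 51377 443 6 25 3700 1582700300 1582700360 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1582700000 1582700060 - NODATA
"""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int

def parse_flow_log(text):
    """Parse v2 flow log lines (14 space-separated fields). NODATA/SKIPDATA
    records carry '-' in the address and port fields and are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2":
            continue
        try:
            flows.append(Flow(f[3], f[4], int(f[5]), int(f[6]), int(f[7])))
        except ValueError:
            continue
    return flows

def fixed_source_port_clients(flows, min_flows=4, max_distinct=3):
    """Source IPs that reach a service port repeatedly from a handful of fixed,
    non-ephemeral source ports. Returns {src_ip: {sport: count}}."""
    by_src = defaultdict(Counter)
    for fl in flows:
        if fl.proto == TCP and fl.dport in SERVICE_PORTS:
            by_src[fl.src][fl.sport] += 1
    flagged = {}
    for src, ports in by_src.items():
        if (sum(ports.values()) >= min_flows and len(ports) <= max_distinct
                and all(p < EPHEMERAL_FLOOR for p in ports)):
            flagged[src] = dict(ports)
    return flagged

if __name__ == "__main__":
    for src, ports in fixed_source_port_clients(parse_flow_log(SAMPLE_FLOW_LOG)).items():
        print(f"{src}: fixed source ports {ports}")
```

<p>Flow logs are the right vantage point for this because the rootkit inspects packets inside the kernel before the service ever sees them, so web server access logs show nothing unusual. Expect some tuning: a NAT device or proxy that pins its outbound source port can trip the same rule, which is why the thresholds are parameters rather than constants.</p>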
