March 24, 2020 - Anomali Threat Research

Weekly Threat Briefing: APT36, Coronavirus, Phishing, Remote Access Trojan, and More

<div id="weekly"><p id="intro">The threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, Data Leak, Mobile Malware, Parallax, TrickBot, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/eIrVopJOQrSbUUyNOWcv"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><p> </p><div><h3 style="display: inline-block;"><a href="https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/" target="_blank"><b>Netwalker Ransomware Infecting Users via Coronavirus Phishing</b></a></h3> <span>(published: March 21, 2020)</span></div> MalwareHunterTeam researchers have identified email attachments in Coronavirus-themed phishing campaigns being used to distribute the Netwalker ransomware. Netwalker is a variant of the Mailto ransomware family that has been observed targeting businesses and government agencies. The phishing emails carry a Visual Basic script (VBS) attachment named “CORONAVIRUS_COVID-19.vbs” with the Netwalker payload embedded inside it; the payload is written to disk and executed when the recipient opens the script. Netwalker encrypts the victim's files and appends a random extension to each one. Notably, this sample does not attempt to terminate endpoint security software, most likely to avoid drawing attention while encryption runs. 
Once encryption is complete, a ransom note is dropped on the machine that instructs users how to pay the ransom through a Tor payment site.<br/> <a href="https://forum.anomali.com/t/netwalker-ransomware-infecting-users-via-coronavirus-phishing/4665" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://www.flashpoint-intel.com/blog/ghostcat/" target="_blank"><b>Apache Tomcat Vulnerability "Ghostcat" Attracting Threat Actor Attention</b></a></h3> <span>(published: March 20, 2020)</span></div> The recently disclosed vulnerability “CVE-2020-1938” (aka “Ghostcat”) is being leveraged against exposed Apache Tomcat servers. The Tomcat 7.0.x, 8.5.x and 9.0.x branches are affected (fixed in 7.0.100, 8.5.51 and 9.0.31). The flaw lets an unauthenticated attacker read any file under a web application's directory, including configuration files such as WEB-INF/web.xml, and, where the application also lets the attacker upload a file, achieve remote code execution by having that file included and executed as a JSP. Ghostcat exists because Tomcat's Apache JServ Protocol (AJP) connector, a binary protocol intended for a trusted reverse proxy (typically Apache httpd with mod_jk or mod_proxy_ajp) to forward requests to Tomcat, trusts the request attributes it receives and was enabled by default. 
AJP listens on TCP port 8009 by default and, on unpatched versions, binds to all interfaces, so any host that can reach that port can send it forged AJP requests; the fix binds AJP to the loopback address (or disables it) and requires a shared secret.<br/> <a href="https://forum.anomali.com/t/apache-tomcat-vulnerability-ghostcat-attracting-threat-actor-attention/4666" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://unit42.paloaltonetworks.com/new-mirai-variant-mukashi/" target="_blank"><b>New Mirai Variant Targets Zyxel Network-Attached Storage Devices</b></a></h3> <span>(published: March 19, 2020)</span></div> A vulnerability tracked as “CVE-2020-9054”, a command injection in the device's weblogin.cgi that requires no authentication, allows threat actors to execute arbitrary code remotely on vulnerable Zyxel network-attached storage (NAS) devices. It is being exploited to deploy a new Mirai variant called Mukashi. Once running, Mukashi scans other hosts on TCP port 23 (telnet) and brute-forces the login with a list of credential combinations until one succeeds. Mukashi then reports the working credential pair back to its command and control (C2) server. 
Zyxel NAS products running firmware versions up to 5.21 are affected.<br/> <a href="https://forum.anomali.com/t/new-mirai-variant-targets-zyxel-network-attached-storage-devices/4667" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947256">[MITRE ATT&amp;CK] Uncommonly Used Port - T1065</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://www.bankinfosecurity.com/covid-19-themed-malware-goes-mobile-a-13981" target="_blank"><b>COVID-19-Themed Malware Goes Mobile</b></a></h3> <span>(published: March 19, 2020)</span></div> Cybercriminals have been using Coronavirus (COVID-19) lures in spearphishing campaigns for weeks and are now using the pandemic to spread malware to mobile devices as well. Threat actors are distributing both trojanized copies of legitimate coronavirus apps and outright fake ones to deliver malware, including spyware. Researchers at Lookout have identified a malicious application, ‘corona live 1.1’, that impersonates the legitimate ‘corona live’ app and was being used to conduct surveillance on civilians in Libya. 
DomainTools researchers have also observed Android ransomware called ‘CovidLock’, which masquerades as a COVID-19 information-tracking app but actually locks the phone's screen until the victim pays a ransom.<br/> <a href="https://forum.anomali.com/t/covid-19-themed-malware-goes-mobile/4668" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260054">[MITRE MOBILE-ATT&amp;CK] Access Sensitive Data or Credentials in Files - T1409</a> | <a href="https://ui.threatstream.com/ttp/1260088">[MITRE MOBILE-ATT&amp;CK] Location Tracking - T1430</a> | <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&amp;CK] Access Contact List - T1432</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://www.zdnet.com/article/cisco-tackles-root-privilege-vulnerability-in-sd-wan-software/" target="_blank"><b>Cisco Tackles Root Privilege Vulnerability in SD-WAN Software</b></a></h3> <span>(published: March 19, 2020)</span></div> Cisco has released patches for three vulnerabilities in its software-defined wide area network (SD-WAN) Solution software, all of which stem from insufficient input validation. SD-WAN is a virtual architecture used to manage large-scale networks, and all three flaws require an attacker who already has authenticated local access to an affected device, so a successful exploit turns a low-privilege foothold into root-level control of the system. The first, “CVE-2020-3264”, is a buffer overflow that lets the attacker read information and make changes they are not authorized to. The second, “CVE-2020-3265”, allows privilege escalation to root by sending a crafted request to the affected system. 
The third, “CVE-2020-3266”, is a command-line interface (CLI) command injection that lets the attacker inject arbitrary commands that are executed with root privileges.<br/> <a href="https://forum.anomali.com/t/cisco-tackles-root-privilege-vulnerability-in-sd-wan-software/4669" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://blog.morphisec.com/parallax-rat-active-status" target="_blank"><b>Parallax: The New RAT on the Block</b></a></h3> <span>(published: March 18, 2020)</span></div> Parallax is a recently discovered Remote Access Trojan (RAT) that runs on all Windows operating system (OS) versions. It has been linked to several campaigns leveraging the coronavirus pandemic and is capable of evading advanced detection solutions, stealing credentials and executing remote commands. Researchers at Morphisec Labs have observed it being distributed in spearphishing campaigns via a malicious Word document that downloads the Parallax payload. 
The payload itself is hosted on, and downloaded from, Pastebin.<br/> <a href="https://forum.anomali.com/t/parallax-the-new-rat-on-the-block/4670" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://labs.bitdefender.com/2020/03/new-trickbot-module-bruteforces-rdp-connections-targets-select-telecommunication-services-in-us-and-hong-kong/" target="_blank"><b>New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong</b></a></h3> <span>(published: March 18, 2020)</span></div> Bitdefender researchers have discovered a new TrickBot module, rdpScanDll, that adds Remote Desktop Protocol (RDP) brute-forcing capabilities to the trojan. At the time of discovery, the module was being employed in targeted campaigns against telecommunication, education and financial services organizations based in the US and Hong Kong. 
TrickBot has been active since 2016, focusing on credential harvesting primarily in the financial industry, and is suspected to have originated in Russia.<br/> <a href="https://forum.anomali.com/t/new-trickbot-module-bruteforces-rdp-connections-targets-select-telecommunication-services-in-us-and-hong-kong/4671" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force - T1110</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://www.zdnet.com/article/covid-19-with-everyone-working-from-home-vpn-security-has-now-become-paramount/" target="_blank"><b>COVID-19: With Everyone Working from Home, VPN Security Has Now Become Paramount</b></a></h3> <span>(published: March 18, 2020)</span></div> Government and security officials have recently begun urging companies to secure their Virtual Private Network (VPN) servers in light of the novel coronavirus (COVID-19) outbreak. The pandemic has pushed many employees to work from home, where they rely on company VPNs to reach sensitive company information. 
Representatives from the SANS Internet Storm Center (ISC), the Department of Homeland Security and the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) are advising employers to take the necessary precautions, such as patching VPN software and enforcing multi-factor authentication, to prevent exploitation of their VPN servers.<br/> <a href="https://forum.anomali.com/t/covid-19-with-everyone-wokring-from-home-vpn-security-has-now-become-paramount/4672" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/2402529">[MITRE ATT&amp;CK] Endpoint Denial of Service - T1499</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://www.bleepingcomputer.com/news/security/nation-backed-hackers-spread-crimson-rat-via-coronavirus-phishing/" target="_blank"><b>Nation-Backed Hackers Spread Crimson RAT via Coronavirus Phishing</b></a></h3> <span>(published: March 17, 2020)</span></div> The state-sponsored threat group APT36 has been observed using Coronavirus (COVID-19) lures in its recent spearphishing campaigns to deploy the Crimson Remote Access Trojan (RAT). The emails impersonate health advisories from government officials with updates on the coronavirus. The documents used in the campaign come in two formats: an Excel workbook with embedded macros that download the Crimson RAT, and an RTF file that exploits “CVE-2017-0199”, a Microsoft Office OLE vulnerability patched in April 2017 that is still widely abused for remote code execution against unpatched hosts. The RAT's capabilities include, but are not limited to, stealing user credentials from web browsers, screen capture, and file and directory discovery. Collected information is exfiltrated to a hardcoded Command and Control (C2) server. 
APT36, also known as Transparent Tribe, ProjectM, Mythic Leopard and TEMP.Lapis, is suspected to be based in Pakistan and has a history of targeting Indian entities.<br/> <a href="https://forum.anomali.com/t/nation-backed-hackers-spread-crimson-rat-via-coronavirus-phishing/4673" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947109">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a><p> </p><p> </p><div><h3 style="display: inline-block;"><a href="https://www.vpnmentor.com/blog/report-mca-wizard-leak/" target="_blank"><b>Two Corporate Finance Companies Leak Half a Million Legal and Financial Documents Online</b></a></h3> <span>(published: March 17, 2020)</span></div> Researchers at vpnMentor have identified an unsecured Amazon Web Services (AWS) S3 bucket exposing over 500,000 sensitive financial and legal documents. The bucket was linked to MCA Wizard, an Android and iOS mobile application developed by the companies Advantage Capital Funding and Argus Capital Funding. 
The application was used by these companies to arrange merchant cash advance (MCA) loans to small businesses, and the companies have faced scrutiny over questionable business practices. On further investigation, vpnMentor found that the 425GB of exposed data did not relate to the MCA Wizard application itself but came directly from Advantage and Argus. The documents include, but are not limited to, bank statements, credit reports, driver's licenses and Social Security information.<br/> <a href="https://forum.anomali.com/t/two-corporate-finance-companies-leak-half-a-million-legal-and-financial-documents-online/4674" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">REVOKED - [MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a><p> </p></div></div>
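The Ghostcat story above comes down to one configuration question: is Tomcat's AJP connector reachable from beyond the host, and does it require a shared secret? The following Python script is an added example, not code from the briefing, from Flashpoint or from the Tomcat project; it audits a server.xml for exactly that. Both server.xml documents are constructed, and the connector attributes it reads (address, secretRequired, secret and the older requiredSecret) are the ones Tomcat's connector configuration documents.

```python
"""Audit Tomcat server.xml for an AJP connector exposed to CVE-2020-1938 (Ghostcat).

Added example; not from the briefing or the Tomcat project. The two server.xml
documents are constructed. The checks mirror what the fixed releases changed
(9.0.31 / 8.5.51 / 7.0.100): AJP should be bound to loopback, or removed, and
should require a shared secret.
"""
import xml.etree.ElementTree as ET

# Constructed: the pre-fix default, AJP on every interface with no secret.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed: the same file after hardening.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: {'port', 'address', 'issues'}.

    'issues' is empty when the connector is loopback-only and carries a secret.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # AJP is declared as "AJP/1.3" or by implementation class, e.g.
        # "org.apache.coyote.ajp.AjpNioProtocol".
        if not (protocol.startswith("AJP") or ".ajp." in protocol):
            continue
        issues = []
        address = (conn.get("address") or "").strip()
        if address not in LOOPBACK_ADDRESSES:
            # No address attribute means bind to every interface (the pre-fix default).
            issues.append("AJP bound to a non-loopback address")
        # secretRequired defaults to true from 9.0.31; older builds had only
        # requiredSecret, so accept either attribute as the configured secret.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        if not secret_required:
            issues.append("secretRequired explicitly disabled")
        elif not secret:
            issues.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "address": address or None,
                         "issues": issues})
    return findings


def ajp_is_hardened(server_xml: str) -> bool:
    """True when every AJP connector (if any) has no findings."""
    return all(not f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, "hardened" if ajp_is_hardened(xml) else "EXPOSED",
              audit_ajp_connectors(xml))
```

A finding of "no AJP secret configured" on a build at or above 9.0.31 is unlikely, since those builds refuse to start an AJP connector with secretRequired set and no secret; seeing it usually means an older build that silently accepts the omission. Pair the file audit with a network view from the outside, for example `nmap -p 8009 --open` across the server ranges, since a loopback-bound connector on one host says nothing about the next.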
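Two stories above, Mukashi and TrickBot's rdpScanDll, are the same technique on different ports: a burst of failed logins from one source against telnet (23) or RDP (3389), followed by a success that the bot reports home. The following Python detection is an added example, not code from the briefing, Unit 42 or Bitdefender. It assumes you can produce one event per login attempt (from a telnet honeypot, Zeek, or Windows 4624/4625 events); the events below are constructed.

```python
"""Flag password brute forcing (ATT&CK T1110) against telnet and RDP from login
events, and flag the success that follows it.

Added example; not from the briefing, Unit 42 or Bitdefender. The events are
constructed to resemble what Mukashi (telnet, port 23) and TrickBot's
rdpScanDll (RDP, port 3389) generate: a burst of failures from one source and
then a success, which the bot reports to its C2.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int      # seconds since epoch
    src: str     # source IP of the login attempt
    dst: str     # target host
    dport: int   # 23 = telnet, 3389 = RDP
    ok: bool     # True when authentication succeeded


FAIL_THRESHOLD = 5   # failures ...
WINDOW_SECONDS = 60  # ... within this sliding window trigger an alert


def detect_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of (kind, (src, dst, dport), ts) alerts.

    kind == "bruteforce": the failure count for a source/target pair reached
    `threshold` inside `window` seconds (emitted once per pair).
    kind == "compromised": a successful login from a source that was already
    flagged; that credential pair is now in the attacker's hands.
    """
    recent_failures = defaultdict(deque)  # (src, dst, dport) -> fail timestamps
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.dst, ev.dport)
        if ev.ok:
            if key in flagged:
                alerts.append(("compromised", key, ev.ts))
            continue
        q = recent_failures[key]
        q.append(ev.ts)
        # Drop failures that have fallen out of the window.
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(("bruteforce", key, ev.ts))
    return alerts


def low_and_slow(events, min_failures=10):
    """Second pass for scanners that pace themselves below the window: total
    failures per pair over the whole input, regardless of timing."""
    totals = defaultdict(int)
    for ev in events:
        if not ev.ok:
            totals[(ev.src, ev.dst, ev.dport)] += 1
    return {k: n for k, n in totals.items() if n >= min_failures}


# Constructed sample: a Mukashi-style telnet burst that ends in a success, a
# slow RDP scanner that stays under the window, and a user who mistypes twice.
SAMPLE_EVENTS = [
    *[LoginEvent(1000 + 5 * i, "198.51.100.7", "192.0.2.10", 23, False) for i in range(6)],
    LoginEvent(1030, "198.51.100.7", "192.0.2.10", 23, True),
    *[LoginEvent(2000 + 200 * i, "203.0.113.5", "192.0.2.20", 3389, False) for i in range(5)],
    LoginEvent(3000, "192.0.2.55", "192.0.2.20", 3389, False),
    LoginEvent(3010, "192.0.2.55", "192.0.2.20", 3389, False),
    LoginEvent(3020, "192.0.2.55", "192.0.2.20", 3389, True),
]


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
    print("low-and-slow:", low_and_slow(SAMPLE_EVENTS, min_failures=5))
```

The "compromised" alert is the one to act on first: the bot has a working credential and, in Mukashi's case, has already sent it to its C2, so the password must be rotated rather than the source merely blocked. The second pass exists because a module like rdpScanDll can be configured to pace attempts below any fixed window; tune `min_failures` to your environment's normal failure rate.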
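The Crimson RAT campaign above pairs a macro workbook with an RTF that exploits CVE-2017-0199. That exploit class has a recognisable shape inside the RTF: an object group that asks Word to update a linked object on open, whose hex-encoded object data names the OLE2Link class. The following Python triage script is an added example, not code from the briefing, from Malwarebytes or from any RTF parsing library; the two RTF documents it scans are constructed, and the indicator names are the ones the script defines.

```python
"""Heuristic triage of RTF attachments for CVE-2017-0199-style OLE2Link objects.

Added example; not from the briefing or the Malwarebytes report on APT36. The
RTF samples are constructed. The heuristic is the one analysts commonly apply to
this exploit class: an \\object group that asks Word to update a link on open
(\\objupdate / \\objautlink) whose \\objdata, once hex-decoded, names the
OLE2Link class or carries the StdOleLink CLSID.
"""
import re

# Hex-encoded OLE payload follows the \objdata control word; RTF writers wrap
# it across lines, so whitespace is allowed inside the run.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
LINK_CONTROL_WORDS = (b"\\objupdate", b"\\objautlink")

OLE2LINK_NAME = b"OLE2Link"
# CLSID {00000300-0000-0000-C000-000000000046} (StdOleLink) as stored on disk.
STDOLELINK_CLSID = bytes.fromhex("0003000000000000c000000000000046")


def decode_objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of every \\objdata run in the document."""
    for match in OBJDATA_RE.finditer(rtf):
        hexrun = re.sub(rb"\s", b"", match.group(1))
        hexrun = hexrun[: len(hexrun) & ~1]  # drop a dangling nibble
        yield bytes.fromhex(hexrun.decode("ascii"))


def scan_rtf(rtf: bytes) -> dict:
    """Return {'indicators': [...], 'verdict': 'clean'|'suspicious'|'likely-exploit'}."""
    indicators = []
    if b"\\object" in rtf:
        indicators.append("embedded-object")
    for word in LINK_CONTROL_WORDS:
        if word in rtf:
            indicators.append(word.decode("ascii").lstrip("\\"))
    for blob in decode_objdata_blobs(rtf):
        if OLE2LINK_NAME in blob:
            indicators.append("OLE2Link")
        if STDOLELINK_CLSID in blob:
            indicators.append("StdOleLink-CLSID")
    link_object = "OLE2Link" in indicators or "StdOleLink-CLSID" in indicators
    auto_update = "objupdate" in indicators or "objautlink" in indicators
    if link_object and auto_update:
        verdict = "likely-exploit"
    elif link_object or auto_update:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": indicators, "verdict": verdict}


# Constructed: a linked object that auto-updates on open and names OLE2Link.
MALICIOUS_RTF = (
    b"{\\rtf1\\ansi\\deff0 Health advisory\\par"
    b"{\\object\\objautlink\\objupdate\\rsltpict{\\*\\objdata 0105000002000000\n"
    b"090000004f4c45324c696e6b00000000\n"
    b"00000000000000000000000000000000}}\\par}"
)

# Constructed: an ordinary embedded Word object, no link, no auto-update.
BENIGN_RTF = (
    b"{\\rtf1\\ansi\\deff0 Quarterly numbers\\par"
    b"{\\object\\objemb{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 0105000002000000100000005 76f72642e446f63756d656e742e3800}}\\par}"
)


if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_RTF), ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

This is a triage filter, not a parser: obfuscated samples hide control words behind RTF tricks (stray braces, `\bin` runs, split hex), so a "clean" verdict from this script is not a clearance. Hand anything with an embedded object to a real tool such as `rtfobj` from oletools or Didier Stevens' rtfdump.py, and treat "likely-exploit" as a detonation candidate rather than a confirmed exploit.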
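The MCA Wizard leak above is the standard open-bucket failure: a bucket policy or ACL that grants read and list access to everyone. The following Python check is an added example, not code from the briefing or from vpnMentor. It evaluates the three things that together decide whether an S3 bucket is anonymously readable: the bucket policy, the ACL grants, and the Block Public Access settings. The policy, grants and bucket names are constructed, shaped like the dictionaries boto3 returns from get_bucket_policy (after json.loads of its "Policy" string), get_bucket_acl ("Grants") and get_public_access_block ("PublicAccessBlockConfiguration").

```python
"""Decide whether an S3 bucket's policy and ACL make its contents public.

Added example; not from the briefing or vpnMentor. The policy and ACL documents
are constructed, shaped like the dicts boto3 returns from get_bucket_policy
(after json.loads of its 'Policy' string), get_bucket_acl ('Grants') and
get_public_access_block ('PublicAccessBlockConfiguration'). Bucket names, ARNs
and the VPC endpoint id are placeholders.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """IAM allows a string, a single object or a list in most policy fields."""
    if isinstance(value, (str, dict)):
        return [value]
    return list(value or [])


def _is_wildcard_principal(principal) -> bool:
    """'*' and {'AWS': '*'} both mean anonymous access in a bucket policy."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy: dict) -> list:
    """Return (Sid, read actions, conditioned) for statements that grant read
    access to everyone. conditioned is True when the statement has a Condition
    block, which may or may not narrow it enough; those need a human look."""
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        readable = [a for a in (x.lower() for x in _as_list(stmt.get("Action"))) if a in READ_ACTIONS]
        if readable:
            hits.append((stmt.get("Sid"), readable, "Condition" in stmt))
    return hits


def public_acl_grants(grants: list) -> list:
    """Return (group URI, permission) for grants to AllUsers or AuthenticatedUsers."""
    hits = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTHENTICATED_USERS):
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def bucket_exposure(policy: dict, grants: list, public_access_block: dict) -> str:
    """'blocked' (Block Public Access fully on), 'public', 'review' (public
    principal but conditioned) or 'private'."""
    pab = public_access_block or {}
    if all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                 "BlockPublicPolicy", "RestrictPublicBuckets")):
        return "blocked"  # public ACLs are ignored and public policies restricted
    policy_hits = public_policy_statements(policy)
    if public_acl_grants(grants) or any(not cond for _, _, cond in policy_hits):
        return "public"
    return "review" if policy_hits else "private"


# Constructed: the open-bucket pattern, a policy that lets anyone list and read,
# plus a legacy public-read ACL grant.
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-docs-bucket", "arn:aws:s3:::example-docs-bucket/*"]
  }]
}""")
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
PUBLIC_ACL_GRANTS = [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]

# Constructed: the same bucket with anonymous reads limited to one VPC endpoint.
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-docs-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}}
ALL_BLOCKED = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                  "BlockPublicPolicy", "RestrictPublicBuckets")}

if __name__ == "__main__":
    print(bucket_exposure(PUBLIC_POLICY, PUBLIC_ACL_GRANTS, {}))
    print(bucket_exposure(RESTRICTED_POLICY, [OWNER_GRANT], {}))
    print(bucket_exposure(PUBLIC_POLICY, PUBLIC_ACL_GRANTS, ALL_BLOCKED))
```

To run it against real buckets, feed it `json.loads(s3.get_bucket_policy(Bucket=b)["Policy"])`, `s3.get_bucket_acl(Bucket=b)["Grants"]` and `s3.get_public_access_block(Bucket=b)["PublicAccessBlockConfiguration"]`; the first and last calls raise when no policy or no block configuration exists, which for this check means an empty dict. The "review" verdict is deliberate: a Condition on aws:SourceVpce or aws:SourceIp can make a wildcard principal safe, but a typo in it makes the bucket just as open as the MCA Wizard one, so it should be read, not trusted.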
