April 28, 2020
Anomali Threat Research

Weekly Threat Briefing: Malware, iOS Malware, Winnti, APT Group, and More

<div id="weekly"><p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> Asnarok, APT, Florentine Banker Group, Monero, </b> and <b> Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/MJmFZxXRQKb0o0iLKX4l"/></p><p><b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2><h3 id="article-1" style="margin-bottom:0;"><a href="https://threatpost.com/single-malicious-gif-opened-microsoft-teams-to-nasty-attack/155155/" target="_blank"><b>Single Malicious GIF Opened Microsoft Teams to Nasty Attack</b></a></h3><p>(published: April 27, 2020)</p><p>Microsoft has moved quickly to patch a subdomain takeover vulnerability in its communication and collaboration platform Microsoft Teams. The flaw was found by researchers at CyberArk, who have since created a proof-of-concept (PoC) of the attack. It was found that an inside attacker needed only to trick a user into viewing a malicious GIF image to be successful. Microsoft uses subdomains to validate a cookie called "authtoken" and "skype token" which is used to authenticate the user for loading images. Having compromised two insecure domains, "aadsync-test.teams.microsoft.com” and “data-dev.teams.microsoft.com”, the researchers were able to get the victim's "authtoken" and gain access to their Teams data.<br/> <b>Recommendation:</b> CyberArk worked with the Microsoft Security Research Center under Coordinated Vulnerability Disclosure after making them aware of the vulnerability. The technology giant rapidly removed the misconfigured DNS records of the affected subdomains. Microsoft has also pushed additional mitigations and continues to develop further security features in efforts to prevent any similar flaws. With increased reliance on applications such as this it is paramount that all applications in use by your company are properly maintained and monitored for potential unusual activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a><br/> <b>Tags:</b> Microsoft Teams, DNS, Compromised Subdomain</p><h3 id="article-2" style="margin-bottom:0;"><a href="https://news.sophos.com/en-us/2020/04/26/asnarok/" target="_blank"><b>“Asnarök” Trojan Targets Firewalls </b></a></h3><p>(published: April 26, 2020)</p><p>Sophos has advised its customers that it has patched a zero-day vulnerability that had been exploited, and used to deliver malware to its XG Firewall appliances. The attacks came to light on April 22nd when a suspicious field value was discovered in a device management interface. Further investigation revealed that a previously unknown SQL injection flaw was being used to access exposed physical and virtual firewalls in an attack targeting multiple customers. It is thought that the attackers were attempting to use the vulnerability to download malware that would enable them to exfiltrate data from the firewall. Sophos has named the malware involved as "Asnarok" but the identity of the adversary is as yet unknown.<br/> <b>Recommendation:</b> Sophos rolled out a SFOS hotfix on April 25th to patch the flaw. After doing so they informed users who may have been compromised within the attack. All users have been advised to enable automatic updates on the firewall. Sophos has also submitted a request for a CVE number and has stated that they have taken additional actions in relation to the discovery.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947217">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a><br/> <b>Tags:</b> Sophos, Firewall, Zero-day, SQL injection, Remote Code Execution (RCE), Asnarok</p><h3 id="article-3" style="margin-bottom:0;"><a href="https://research.checkpoint.com/2020/ir-case-the-florentine-banker-group/" target="_blank"><b>IR Case: The Florentine Banker Group</b></a></h3><p>(published: April 23, 2020)</p><p>An investigation by Check Point's Incident Response (IR) team has found that the ‘Florentine Banker’ threat group attempted to transfer £1.1 Million to unrecognised bank accounts. A bank account shared by three large, UK and Israeli based, finance sector firms were targeted in the campaign. Targeted phishing was used in the attack and utilised knowledge that the targets use Office 365 as their main email provider. Once the group had gained control over the victim's email address they carried out lengthy reconnaissance regarding the money transfer process. Email rules were then used to essentially set up a Man-In-The-Middle (MITM) attack, while the next stage involved lookalike domains registered to the attackers. The incident culminated in a request for funds and subsequent money transfer. The sum of £570,000 was recovered after emergency intervention from the banks involved but the remaining funds appear to be permanently lost.<br/> <b>Recommendation:</b> It is recommended that two-factor authentication is turned on so that email accounts have an additional level of security. Businesses should also ensure that fund transfer and payment requests are verified through phone calls to confirm that the transaction is valid. Communicate the breach to business partners as they may have also been targeted or could be in the future.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/2402527">[MITRE ATT&amp;CK] Transmitted Data Manipulation - T1493</a><br/> <b>Tags:</b> Phishing, Finance, Wire Transfer</p><h3 id="article-4" style="margin-bottom:0;"><a href="https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/" target="_blank"><b>Following ESET’s Discovery, a Monero Mining Botnet is Disrupted</b></a></h3><p>(published: April 23, 2020)</p><p>VictoryGate, a previously undocumented botnet, has been discovered by ESET researchers. Using telemetry data and sinkholing a number of command and control (C2) domains they were able to estimate a botnet size of at least 35,000 devices, over 90% of which are located in Peru. The noted main activity of the botnet was Monero mining, but with the botmaster able to command the nodes to download and execute secondary payloads there may have been other uses. The researchers have been able to confirm that the propagation vector was through removable devices, a technique that has proven particularly successful in Latin America over the years. It is believed that the infected USB drives remain in circulation so new infections may occur.<br/> <b>Recommendation:</b> Threat actors will sometimes drop USB drives in parking lots of target organization’s in the hope that someone will insert it into their machine. Unfortunately, this tactic has been successful in the past. Therefore, it is paramount that employees are educated about the risks of using random USB drives on their personal and professional machines. In addition, Cryptocurrency miners cause a high CPU usage, therefore, if fans seem to be always running on a machine, the activity/task manager should be checked to see if miners are running unknowingly.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947134">[MITRE ATT&amp;CK] Replication Through Removable Media - T1091</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947088">[MITRE ATT&amp;CK] Execution through Module Load - T1129</a> | <a href="https://ui.threatstream.com/ttp/947170">[MITRE ATT&amp;CK] Rundll32 - T1085</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&amp;CK] Execution through API - T1106</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947268">[MITRE ATT&amp;CK] Hidden Files and Directories - T1158</a> | <a href="https://ui.threatstream.com/ttp/2336969">[MITRE ATT&amp;CK] Registry Run Keys / Startup Folder - T1060</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/2336968">REVOKED - [MITRE ATT&amp;CK] File Permissions Modification - T1222</a> | <a href="https://ui.threatstream.com/ttp/947155">[MITRE ATT&amp;CK] Binary Padding - T1009</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a> | <a href="https://ui.threatstream.com/ttp/947102">[MITRE ATT&amp;CK] Process Hollowing - T1093</a> | <a href="https://ui.threatstream.com/ttp/947186">[MITRE ATT&amp;CK] Software Packing - T1045</a> | <a href="https://ui.threatstream.com/ttp/947134">[MITRE ATT&amp;CK] Replication Through Removable Media - T1091</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947109">[MITRE ATT&amp;CK] Security Software Discovery - T1063</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/947256">[MITRE ATT&amp;CK] Uncommonly Used Port - T1065</a> | <a href="https://ui.threatstream.com/ttp/947283">[MITRE ATT&amp;CK] Fallback Channels - T1008</a> | <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/2402525">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a> | <a href="https://ui.threatstream.com/ttp/2402528">[MITRE ATT&amp;CK] Stored Data Manipulation - T1492</a><br/> <b>Tags:</b> Botnet, Cryptomining, Monero, Removable Media</p><h3 id="article-5" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/security-researcher-identifies-new-apt-group-mentioned-in-2017-shadow-brokers-leak/" target="_blank"><b>Security Researcher Identifies New APT Group Mentioned in 2017 Shadow Brokers Leak</b></a></h3><p>(published: April 22, 2020)</p><p>A former security researcher at Google and Kaspersky is believed to have identified a new Advanced persistent threat (APT) group from the 2017 Shadow Broker leak. The leak contained a file named "sig.py" that is thought to be a malware scanner that NSA operators used to search for the presence of other APT's on compromised computers. It contains 44 signatures used to detect the hacking tools of other hacking groups. The signatures range from 1 - 45 with the omission of 42. 15 unattributed signatures remain but Juan Andres Guerrero-Saade appears to have identified 37 as a new group, acting out of Iran, which he has dubbed the Nazar APT based on a string within the malware. This discovery acts as a correction with 37 having previously been attributed to Iron Tiger, a cyber-espionage group with suspected Chinese-links known to have targeted government, technology, education, and telecommunications organizations in Asia and the US.<br/> <b>Recommendation:</b> Interestingly it appears that the targets of this group have been exclusively Iranian. It also is designed to attack older versions of Windows, XP and previous, but there is evidence of current activity affecting Iranian victims. Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br/> <b>Tags:</b> Shadow Brokers, Advanced Persistent Threat, APT, NSA</p><h3 id="article-6" style="margin-bottom:0;"><a href="https://blog.malwarebytes.com/mac/2020/04/ios-mail-bug-allows-remote-zero-click-attacks/" target="_blank"><b>iOS Mail Bug Allows Remote Zero-Click Attacks</b></a></h3><p>(published: April 22, 2020)</p><p>ZecOps have identified two vulnerabilities in the iOS Mail application that are known to have been exploited in the wild. The flaws which could allow an attacker to execute arbitrary code in the application appear to have been present since iOS 6 which was issued in September 2012. To exploit the flaw a threat actor would craft an email that caused a buffer overflow attack. Worryingly in the most recent iOS 13 an attack can be carried out against the process running in the background, and does not require any user interaction. Affected users may observe a temporary slowdown of Mail and failed attacks may be identifiable via emails in their inbox that show the message "This message has no content". MacOS is not vulnerable to the identified vulnerabilities.<br/> <b>Recommendation:</b> Apple has patched both vulnerabilities within iOS 13.4.5 beta which should be used to mitigate the issues. If it is not possible to utilise the beta version then it is recommended that the Mail application is disabled and an alternative version is used.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402527">[MITRE ATT&amp;CK] Transmitted Data Manipulation - T1493</a><br/> <b>Tags:</b> iOS, Apple, Mail, Zero Click</p><h3 id="article-7" style="margin-bottom:0;"><a href="https://www.helpnetsecurity.com/2020/04/22/3d-vulnerabilities/" target="_blank"><b>Update MS Office, Paint 3D to Plug RCE Vulnerabilities</b></a></h3><p>(published: April 22, 2020)</p><p>Microsoft has released out-of-band security patches for its Office Suite after the discovery of vulnerabilities that could allow remote code execution (RTE) if exploited. A security update was also released for Paint 3D owing to a similar concern. The flaws relate to the Autodesk FBX library which is integrated in both the Office Suite applications and Paint 3D. The fix deals with six vulnerabilities (CVE-2020-7080 to CVE-2020-7085 inclusive) which could have triggered a malicious file that would either create a Denial of Service (DoS) condition or use the applications to run arbitrary code on the underlying system.<br/> <b>Recommendation:</b> These vulnerabilities require user interaction and are therefore listed as important but not critical. While this is the case, skilled actors can easily trick users into opening random files. Once a vulnerability has been reported on, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947217">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a><br/> <b>Tags:</b> Microsoft Office, Paint 3D, Remote Code Execution (RCE), CVE-2020-7080, CVE-2020-7081, CVE-2020-7082, CVE-2020-7083, CVE-2020-7084, CVE-2020-7085</p><h3 id="article-8" style="margin-bottom:0;"><a href="https://www.vpnmentor.com/blog/report-kinomap-leak/" target="_blank"><b>Report: Exercise App Exposes Private User Data in Massive Data Leak</b></a></h3><p>(published: April 21, 2020)</p><p>Exercise technology company Kinomap stored 42 million records containing Personally Identifiable Information (PII) data in an unsecured database, as found by bloggers at vpnMentor. France based Kinomap , who has a user base within over 80 countries, is a video hosting service that allows subscribers to create, share, and view interactive workout videos online. vpnMentor reported their discovery to Kinomap on 16th March but it was not until around 12th of April that the database was found to be secured. The leak was also reported to France's independent data privacy regulator Commission nationale de l’informatique et des libertés. The leak also exposed access keys for the site which would have allowed bad actors to take full control of user accounts. With most people confined to their homes due to COVID-19 restrictions applications like Kinomap have seen a rise in popularity, something that may not have escaped the minds of opportunistic hackers.<br/> <b>Recommendation:</b> It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, a misconfigured database has the potential to cause significant harm to individuals and a company’s reputation. GDPR repercussions are also expected given that Kinomap is based in France. If EU regulators decide to investigate it could lead to an expensive and time consuming exercise for the fitness technology company.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402688">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information - T1274</a><br/> <b>Tags:</b> Data Leak, Personally Identifiable Information (PII), GDPR, Kinomap</p><h3 id="article-9" style="margin-bottom:0;"><a href="https://labs.bitdefender.com/2020/04/oil-&amp;-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec+-deal/" target="_blank"><b>Oil &amp; Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal</b></a></h3><p>(published: April 21, 2020)</p><p>Spearphishing campaigns dropping the Agent Tesla spyware Trojan have been discovered by researchers at Bitdefender. The perpetrators are attempting to infiltrate the systems of key targets by impersonating a commonly known Egyptian engineering contractor, or a shipment company known to potential victims from the Philippines. With oil prices currently at an all time low in the fallout of the global COVID-19 pandemic an agreement was reached between Russia and Saudi Arabia with the aim to cut oil production and, in turn, balance prices. It is thought that this malware campaign intended to gain insight into how certain countries plan to address the issue. Such a spyware Trojan has not been previously associated with oil and gas spearphishing campaigns. An overall increase in cyberattacks on the energy industry has been noted in recent months with over 5000 malicious reports coming from companies between October 2019 and February 2020.<br/> <b>Recommendation:</b> Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a><br/> <b>Tags:</b> Spearphishing, Energy, Spyware, Trojan</p><h3 id="article-10" style="margin-bottom:0;"><a href="https://www.zdnet.com/article/nintendo-accounts-are-getting-hacked-and-used-to-buy-fortnite-currency/" target="_blank"><b>Nintendo Accounts are Getting Hacked and Used to Buy Fortnite Currency</b></a></h3><p>(published: April 21, 2020)</p><p>There have been increasing reports in the past month of Nintendo user accounts being compromised. While this weekend saw a peak in the account hijackings, they appear to have begun in mid-March. The attack vector is as yet unknown but it appears to be more sophisticated than standard credential stuffing, given that some affected users are utilising passwords generated by a password manager. Some hijack incidents saw hackers purchase Nintendo games while others used PayPal accounts, or cards, linked to the user profile to buy Fortnite game currency. ZDNet has identified adverts posted this month for Fortnite V-Bucks that originate from Nintendo Switch accounts. The adverts state "Once Bought, I Will Login And Buy You The Specified Amount Of V-Bucks You Wanted/Needed". While Nintendo is yet to release an official statement about the account hijackings they have used Twitter and Reddit to issue advice on enabling two-step verification on user accounts.<br/> <b>Recommendation:</b> Although the method of compromise remains unknown it highlights the need to use a defence in depth approach to security. Multi-Factor Authentication (MFA) should be used to add another layer of protection to user accounts that contain sensitive information or access to payment methods. Two-Factor Authentication (2FA) should also be enabled for online payment systems such as PayPal.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a><br/> <b>Tags:</b> Nintendo, PayPal, Fortnite, Account Hijack</p><h3 id="article-11" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/windows-10-smbghost-rce-exploit-demoed-by-researchers/" target="_blank"><b>Windows 10 SMBGhost RCE Exploit Demoed by Researchers</b></a></h3><p>(published: April 20, 2020)</p><p>Researchers at Ricerca Security have demoed a proof-of-concept remote code execution (RCE) for the Windows 10 "CVE-2020-0796" 'wormable' pre-auth code execution flaw. information relating to the so called 'SMBGhost' vulnerability was leaked within last month's Patch Tuesday having been accidentally published by members of the Microsoft Active Protections Program in spite of a decision by Microsoft to hold off on issuing a security advisory. Ricerca Security has so far declined to share their findings publicly, in an attempt to keep it out of the wrong hands.<br/> <b>Recommendation:</b> Patching against CVS-2020-0796 should be carried out as soon as possible to avoid any possible exploitation. If patching is not possible at present Microsoft recommends disabling Server Message Block 3.1.1 (SMBv3) compression. The advice for enterprise customers, in the absence of patching, is to block TCP port 445 at the enterprise perimeter firewall.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947217">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a><br/> <b>Tags:</b> Windows 10, CVE-2020-0796, Remote Code Execution (RCE), SMBGhost</p><h3 id="article-12" style="margin-bottom:0;"><a href="https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/" target="_blank"><b>WINNTI GROUP: Insights From the Past</b></a></h3><p>(published: April 20, 2020)</p><p>Analysis by QuoIntelligence shows that China's Winnti hacking group have launched attacks as recently as February. The group's signature was detected in an attack against Southern Korean games company, Gravity. Researchers located a dropper file containing a string that revealed Gravity as the target. QuoIntelligence also reported a second attack targeting an unidentified German chemical company. This sector has also been historically targeted by the hacking consortium with attacks dating back to 2013. This seemingly more sophisticated attack used a stolen digital certificate to sign Winnti malware drivers but its use of the Windows 7 based Windows x64 Driver Signature Enforcement Overrider (DSEFix) bypass would suggest it was an attempted reuse of an old technique. The attack also appears to have used DNS tunnelling.<br/> <b>Recommendation:</b> Winnti has been known to target companies within these sectors, motivated by both espionage and monetary gain. Potentially susceptible targets are advised to follow relevant regulations and are implementing security best practices in order to be best placed to avert potential attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947181">[MITRE ATT&amp;CK] Kernel Modules and Extensions - T1215</a> | <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947155">[MITRE ATT&amp;CK] Binary Padding - T1009</a> | <a href="https://ui.threatstream.com/ttp/947092">[MITRE ATT&amp;CK] Rootkit - T1014</a> | <a href="https://ui.threatstream.com/ttp/947101">[MITRE ATT&amp;CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a><br/> <b>Tags:</b> WINNTI GROUP, Gaming, South Korea, Germany</p></div></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.