February 5, 2019 - Anomali Threat Research

Weekly Threat Briefing: New SpeakUp Backdoor Infects Linux and macOS with Miners

<div id="weekly"><p id="intro">The intelligence in this week's iteration discusses the following threats: <strong>APT32, APT39, Backdoors, CookieMiner, Cryptominers, Data breach, Malspam, Malware, Phishing, SectorA05, </strong>and<strong> Vulnerabilities</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/new-speakup-backdoor-infects-linux-and-macos-with-miners/" target="_blank"><b>New SpeakUp Backdoor Infects Linux and macOS with Miners </b></a> (<i>February 4, 2019</i>)<br/> Check Point researchers have observed a malware campaign that has been distributing a new backdoor, dubbed "SpeakUp." The malware appears to be targeting Linux and macOS servers primarily based in Brazil, China, Colombia, Ecuador, India, Mexico, Paraguay, and South Korea, amongst others. The malware uses a known vulnerability, "CVE-2018-20062," in the Chinese PHP framework "ThinkPHP," which allows remote code execution, as the initial infection vector to install a Perl backdoor. Once it obtains access to the Linux or macOS server, it contacts its Command and Control (C2) server to relay the newly infected machine's information.
The other vulnerabilities exploited in this campaign include: "CVE-2012-0874," a JBoss Enterprise Application Platform multiple security bypass, "CVE-2010-1871," a JBoss Seam Framework remote code execution (RCE), "CVE-2017-10271," an Oracle WebLogic wls-wsat Component Deserialization RCE, "CVE-2018-2894," a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware, and "CVE-2016-3088," an Apache ActiveMQ Fileserver file upload RCE.<br/> <a href="https://forum.anomali.com/t/new-speakup-backdoor-infects-linux-and-macos-with-miners/3515" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/" target="_blank"><b>Tracking OceanLotus' New Downloader, KerrDown </b></a> (<i>February 1, 2019</i>)<br/> The Advanced Persistent Threat (APT) group "OceanLotus" (also known as APT32) has been observed utilising a new custom downloader family, named "KerrDown," according to researchers at Palo Alto Networks. The downloader can be distributed in one of two ways: a malicious Microsoft Office document with macros, or a RAR archive containing a legitimate program used for DLL side-loading. The document and RAR archive are both in Vietnamese, which indicates that the likely targets are Vietnamese speakers.
The malicious Word document and RAR archive will drop the KerrDown DLLs that install the final payload of the malware, which appears to be a variant of Cobalt Strike Beacon.<br/> <a href="https://forum.anomali.com/t/tracking-oceanlotus-new-downloader-kerrdown/3516" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://threatpost.com/themoon-botnet-as-a-service/141393/" target="_blank"><b>TheMoon Rises Again, With a Botnet-as-a-Service Threat </b></a> (<i>January 31, 2019</i>)<br/> An Internet-of-Things (IoT) botnet, "TheMoon," that targets home routers and modems has been observed with a new module that allows it to be sold as Software-as-a-Service (SaaS) to threat actors. TheMoon is a botnet that targets vulnerabilities in routers by ASUS, D-Link, GPON, Linksys, and MikroTik to brute-force credentials, obfuscate traffic, and, with the newest module, act as a SOCKS5 proxy. The botnet is capable of spreading like a worm, and has been observed to utilise up to six exploits at a time to increase its victim count. This iteration of the botnet allows the threat actor behind it to sell its proxy network as a service for other threat actors to utilise.<br/> <a href="https://forum.anomali.com/t/themoon-rises-again-with-a-botnet-as-a-service-threat/3517" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy (T1090)</a></p><p><a href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank"><b>Mac Malware Steals Cryptocurrency Exchanges' Cookies</b></a> (<i>January 31, 2019</i>)<br/> Palo Alto Networks' researchers have found a new strain of cryptocurrency mining malware that specifically targets the macOS operating system.
The malware, dubbed "CookieMiner," is a variant of the "OSX.DarthMiner" malware. The malware initiates its attack with a shell script that targets macOS, copies the Safari browser's cookies to a folder, and uploads them to a remote server. It also targets Google Chrome with a Python script that extracts saved credentials and credit card information from Chrome's local data storage. CookieMiner is capable of installing the "EmPyre" backdoor and mining cryptocurrency, in addition to stealing various forms of data. The data it aims to steal includes: cryptocurrency wallet data and keys, Google Chrome and Apple Safari browser cookies, iPhone text messages if backed up, saved credit card details in Chrome, and saved usernames and passwords in Chrome. The various forms of data the malware is capable of stealing may allow threat actors to bypass some forms of multi-factor authentication. The malware mines the "Koto" cryptocurrency, which is associated specifically with Japan.<br/> <a href="https://forum.anomali.com/t/mac-malware-steals-cryptocurrency-exchanges-cookies/3518" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a></p><p><a href="https://www.infosecurity-magazine.com/news/matrix-ransomware-a-threat-to-low/" target="_blank"><b>Matrix Ransomware: A Threat to Low-Hanging Fruit </b></a> (<i>January 31, 2019</i>)<br/> Researchers from Sophos published a report, "Matrix: A Low-Key Targeted Ransomware," in which they discuss an unsophisticated malware called "Matrix" that attempts to brute-force weak Remote Desktop Protocol (RDP) credentials. Once it gains access to a system, the malware uses further RDP connections to obtain persistence in the network and spread.
Matrix bundles several payload executables to accomplish its tasks, including free, legitimate system administrator tools. The ransom note presented to the infected user asks victims to email the attackers to find out the ransom amount and get their files back. The authors behind the malware initially request $2,500 in Bitcoin and increase the amount by $1,000 if the victim does not pay within the first 24-hour period. They then state that the private key needed to obtain the decryption key will be deleted if the user has not paid the ransom 96 hours after the initial encryption.<br/> <a href="https://forum.anomali.com/t/matrix-ransomware-a-threat-to-low-hanging-fruit/3519" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947156">[MITRE ATT&amp;CK] Remote Desktop Protocol (T1076)</a> | <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force (T1110)</a></p><p><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"><b>Chafer Used Remexi Malware to Spy on Iran-based Foreign Diplomatic Entities </b></a> (<i>January 30, 2019</i>)<br/> A campaign targeting foreign diplomatic entities in Iran has been observed installing the malware "Remexi," according to researchers from Kaspersky Lab. The campaign is attributed to the Advanced Persistent Threat (APT) group "Chafer." It is unclear how the campaign is initiated, but once the malware is on a machine, it has the ability to keylog, take screenshots, obtain credentials, view logon and browser history, and execute remote commands.
It establishes persistence by utilising scheduled tasks and the system registry.<br/> <a href="https://forum.anomali.com/t/chafer-used-remexi-malware-to-spy-on-iran-based-foreign-diplomatic-entities/3520" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task (T1053)</a> | <a href="https://ui.threatstream.com/ttp/947211">[MITRE ATT&amp;CK] Registry Run Keys / Start Folder (T1060)</a></p><p><a href="https://techcrunch.com/2019/01/30/state-bank-india-data-leak/" target="_blank"><b>India's Largest Bank SBI Leaked Account Data on Millions of Customers </b></a> (<i>January 30, 2019</i>)<br/> State Bank of India (SBI) suffered a data breach due to a misconfigured server that stored two months' worth of customer financial data from "SBI Quick," including bank balances and recent transactions. The server was not configured to require a password, allowing anyone to access information such as: bank account balances, partial bank account numbers, phone numbers, recent transactions, text messages to customers, and when a check had been cashed. According to the article, SBI Quick permitted: "SBI's banking customers to text the bank, or make a call, to retrieve information back by text message about their finances and accounts… the service recognises the customer's registered phone number and will send back the current amount in that customer's bank account. The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans." The accessible database allowed anyone to see those messages in real time.
The database was secured following the disclosure of the misconfiguration.<br/> <a href="https://forum.anomali.com/t/india-s-largest-bank-sbi-leaked-account-data-on-millions-of-customers/3521" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.welivesecurity.com/2019/01/30/love-you-malspam-makeover-massive-japan-targeted-campaign/" target="_blank"><b>"Love you" Malspam Gets a Makeover for Massive Japan-targeted Campaign </b></a> (<i>January 30, 2019</i>)<br/> Researchers from ESET discovered that a recent "Love You" malspam campaign has been modified to target users in Japan. The unknown threat actors used Japan-relevant subject lines to entice users to open the email and extract the malicious .zip file it contains. If a user opens the .zip archive, a JScript file initiates the first-stage payload, which downloads one or more final payloads: "GandCrab" ransomware, an unspecified cryptominer, the "Phorpiex" worm, a system settings changer, and/or a locale-specific downloader that only downloads further payloads if the default language on an infected machine indicates the user is in Australia, China, Germany, Japan, South Korea, Turkey, the UK, or Vietnam.<br/> <a href="https://forum.anomali.com/t/love-you-malspam-gets-a-makeover-for-massive-japan-targeted-campaign/3522" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting (T1064)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/" target="_blank"><b>The Double Life of SectorA05 Nesting in Agora (Operation Kitty Phishing) </b></a> (<i>January 30, 2019</i>)<br/> The threat group "SectorA05" has been observed conducting a phishing campaign against personnel of the South Korean government and cryptocurrency exchanges to install malware,
according to researchers at Threat Recon. This campaign has been dubbed "Operation Kitty Phishing." The phishing emails purport to be related to "the Unification Ministry of South Korea" and contain two .zip archives holding an executable disguised as a Hangul Word Processor (HWP) file. The executable runs two Remote Access Trojans (RATs) in the hope that at least one is not blocked by antivirus. Once one of the RATs is successfully downloaded, it runs reconnaissance on the machine, takes screen captures, keylogs, and steals passwords. The goal of the infection appears to be to mine cryptocurrency as well as steal information from the South Korean government.<br/> <a href="https://forum.anomali.com/t/the-double-life-of-sectora05-nesting-in-agora-operation-kitty-phishing/3523" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools (T1219)</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell (T1086)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking (T1179)</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&amp;CK] Execution through API (T1106)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947263">[MITRE ATT&amp;CK] Spearphishing via Service (T1194)</a></p><p><a href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank"><b>APT39: An Iranian Cyber Espionage Group Focused on Personal Information </b></a> (<i>January 29, 2019</i>)<br/> Researchers from FireEye disclosed that they have identified a new Iranian Advanced Persistent Threat (APT) group, "APT39," that has been observed stealing personal data from victims.
Their targeted victims are based in several Middle Eastern countries, Spain, and the US, with a specific focus on Middle Eastern targets. This APT group focuses on victimising the telecommunications and travel industries to monitor, track, and perform surveillance operations on specific individuals, as well as to collect customer and commercial information for operational use and establish additional access vectors for future campaigns. APT39 utilises spear phishing emails with malicious attachments or links that result in a "POWBAT" malware infection. They leverage backdoors such as "SEAWEED," "CACHEMONEY," and a variant of "POWBAT" to establish a presence in a network and obtain persistence and privilege escalation later on.<br/> <a href="https://forum.anomali.com/t/apt39-an-iranian-cyber-espionage-group-focused-on-personal-information/3524" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a> | <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools (T1219)</a></p><p><a href="https://thehackernews.com/2019/01/apple-facetime-privacy-hack.html" target="_blank"><b>New FaceTime Bug Lets Callers Hear and See You Without You Picking Up</b></a> (<i>January 29, 2019</i>)<br/> An unpatched bug in Apple's FaceTime application was discovered that allows the person initiating a call to hear or see the recipient before they accept the call. This could allow a user to call any iPhone number via FaceTime and eavesdrop, even when the call is never answered.
The bug works on the latest iOS version, iOS 12.1.2, as well as on macOS Mojave.<br/> <a href="https://forum.anomali.com/t/new-facetime-bug-lets-callers-hear-and-see-you-without-you-picking-up/3525" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.securityweek.com/zero-days-wordpress-plugin-actively-exploited" target="_blank"><b>Zero-Days in WordPress Plugin Actively Exploited </b></a> (<i>January 28, 2019</i>)<br/> The WordPress plugin "Total Donations" was found to be affected by several zero-day vulnerabilities that could allow unauthorised actors administrative access to affected WordPress sites, according to Wordfence. The plugin is intended to make receiving online donations easier and to let the site owner view progress bars as well as manage tasks and campaigns. 88 unique AJAX actions can be accessed by unauthorised users, 49 of which can be exploited to view sensitive data and make unauthorised changes to a site's content and configuration. The vulnerabilities are tracked as "CVE-2019-6703." The plugin's developers have yet to respond to the security researchers who contacted them, and no patch has been announced to be in the works.<br/> <a href="https://forum.anomali.com/t/zero-days-in-wordpress-plugin-actively-exploited/3526" target="_blank">Click here for Anomali recommendation</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.
<a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a></p><div><a href="https://ui.threatstream.com/tip/262672" target="_blank">Analyzing Digital Quartermasters in Asia – Do Chinese and Indian APTs Have a Shared Supply Chain?</a><p>Anomali Labs recently analyzed a large number of weaponized RTF phishing files related to APT groups aligned with Chinese and Indian state interests. This analysis identified a shared object dimension and shared obfuscation methods across weaponized RTF files utilized by the APT groups known as Sidewinder (Indian state interests), Goblin Panda/Conimes (Chinese state interests), Temp.Periscope / APT40 / Leviathan (Chinese state interests), and Temp.Trident / Dagger Panda &amp; Nomad Panda / Icefog (Chinese state interests). Both the unique object dimensions and the multiple shared obfuscation methods visible in the RTF files appear to be artifacts of a shared RTF phishing weaponizer. In addition to shared RTF properties, a distinct pattern of post-exploitation TTPs is shared between the APT groups aligned with China, whereas a unique post-exploitation execution chain can be seen in Sidewinder APT campaigns. The use of a common RTF phishing weaponizer alongside distinct post-exploitation TTPs introduces the possibility that Chinese and Indian APTs may have an overlapping supply chain for the acquisition of exploits and phishing weaponizers. However, after these tools are acquired, a distinct and complex network of APT digital quartermasters may determine how these tools are equipped with payloads and deployed in distinct operations.</p></div></div></div>
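The briefing's intro notes that the attached IOCs can be used to check your logs. The following is an added example (not part of the briefing, and not Anomali tooling) of how that check is typically done: indicators arrive in defanged form (`[.]`, `hxxp`), so the script refangs and lowercases them, tokenises each log line into candidate domains, IPv4 addresses and SHA-256 hashes, and reports which line matched which indicator. The IOC values and log lines below are constructed placeholders, not indicators from this briefing.

```python
import re

# Constructed IOC list in the defanged form threat briefings commonly use.
# These are placeholders, not indicators from the briefing above.
IOCS = {
    "domain": ["evil-c2[.]example", "UPDATE.bad-host[.]test"],
    "ipv4": ["203[.]0[.]113[.]42"],
    "sha256": ["0" * 64],  # placeholder hash
}

# Constructed log lines (proxy, DNS, firewall, EDR) for the demonstration.
SAMPLE_LOG = [
    "2019-02-01T10:00:00 proxy user=alice dst=update.bad-host.test:443 action=allow",
    "2019-02-01T10:01:00 dns query=www.example.org type=A",
    "2019-02-01T10:02:00 fw src=10.0.0.5 dst=203.0.113.42 dport=8080 action=allow",
    "2019-02-01T10:03:00 edr file=C:\\Users\\bob\\x.exe sha256=" + "0" * 64,
]

# Token extractors; everything is compared in lower case.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
EXTRACTORS = (("sha256", SHA256_RE), ("ipv4", IPV4_RE), ("domain", DOMAIN_RE))


def refang(value):
    """Undo the common defanging conventions and normalise case."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


def build_matchers(iocs):
    """Return {kind: set(normalised indicators)} for O(1) membership tests."""
    return {kind: {refang(v) for v in values} for kind, values in iocs.items()}


def scan_log(lines, iocs):
    """Return (line_number, indicator_kind, indicator) for every IOC hit."""
    matchers = build_matchers(iocs)
    hits = []
    for number, line in enumerate(lines, start=1):
        low = line.lower()
        for kind, regex in EXTRACTORS:
            for token in regex.findall(low):
                if token in matchers.get(kind, ()):
                    hits.append((number, kind, token))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, IOCS):
        print("IOC hit: line %d %s %s" % hit)
```

Matching on extracted tokens rather than raw substrings avoids false positives such as a short indicator domain matching inside an unrelated longer hostname; for production use the log source, timestamp and the IOC's confidence would be carried through to whatever alerting pipeline consumes the hits.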
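The Matrix item above describes RDP credential brute-forcing as the entry vector. As an added example that is not from the briefing or from Sophos, the script below implements the detection a defender would run over Windows Security log events: it counts failed RemoteInteractive logons (event 4625, logon type 10) per source address in a sliding window and raises a second, higher-priority alert when a successful logon (4624) follows from a source that was already flagged. The log lines, the flattened `key=value` format, the threshold of five failures and the ten-minute window are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry) in a flattened key=value form.
# EventID 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    "2019-01-30T02:00:01 EventID=4625 LogonType=10 Source=203.0.113.7 Account=administrator",
    "2019-01-30T02:00:03 EventID=4625 LogonType=10 Source=203.0.113.7 Account=admin",
    "2019-01-30T02:00:05 EventID=4625 LogonType=10 Source=203.0.113.7 Account=backup",
    "2019-01-30T02:00:08 EventID=4625 LogonType=10 Source=203.0.113.7 Account=scanner",
    "2019-01-30T02:00:09 EventID=4625 LogonType=10 Source=203.0.113.7 Account=sysadmin",
    "2019-01-30T02:00:12 EventID=4624 LogonType=10 Source=203.0.113.7 Account=backup",
    "2019-01-30T02:05:00 EventID=4625 LogonType=10 Source=198.51.100.4 Account=jsmith",
    "2019-01-30T02:30:00 EventID=4625 LogonType=10 Source=198.51.100.4 Account=jsmith",
    "2019-01-30T03:00:00 EventID=4624 LogonType=10 Source=198.51.100.4 Account=jsmith",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Source=(?P<src>\S+) Account=(?P<acct>\S+)$"
)


def parse_event(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "ltype": int(m["ltype"]),
        "src": m["src"],
        "acct": m["acct"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as tuples.

    ("bruteforce", source, failure_count) once a source reaches `threshold`
    failed RDP logons inside `window`; ("success_after_bruteforce", source,
    account) for any later successful RDP logon from a flagged source.
    """
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["ltype"] != 10:
            continue  # only RDP (RemoteInteractive) logons are of interest here
        recent = failures[ev["src"]]
        if ev["eid"] == 4625:
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()  # drop failures that fell out of the window
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(recent)))
        elif ev["eid"] == 4624 and ev["src"] in flagged:
            # A success after a burst of failures is the signal that matters most.
            alerts.append(("success_after_bruteforce", ev["src"], ev["acct"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The second source in the sample (two failures 25 minutes apart, then a success) stays silent, which is the point of the sliding window: an occasional mistyped password should not page anyone, while a burst of guesses that ends in a successful RDP logon should. Matching the real Windows event schema means reading the `IpAddress`, `LogonType` and `TargetUserName` fields from the 4624/4625 event data instead of the flattened form assumed here.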
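The Observed Threats item above clusters weaponized RTF files by the dimensions of their embedded objects. As an added example that is not Anomali Labs' code and does not reproduce their samples, the script below shows the mechanics of that kind of analysis: it locates each `\object` group in an RTF file, reads the `\objw` and `\objh` control words (the object's width and height in twips) and the `\objclass` name, and then groups files that share a dimension pair. The RTF fragments are constructed, minimal documents for the demonstration; the dimension values in them are arbitrary and carry no relation to any real campaign.

```python
import re
from collections import defaultdict

# Constructed, minimal RTF fragments (not real samples). \objw and \objh give
# the embedded object's width and height in twips; \objclass names the OLE class.
SAMPLES = {
    "sample_a.rtf": rb"{\rtf1\ansi{\object\objemb\objw1200\objh800{\*\objclass Package}{\*\objdata 0105000002000000}}}",
    "sample_b.rtf": rb"{\rtf1\ansi{\object\objemb\objw1200\objh800{\*\objclass Equation.3}{\*\objdata 0105}}}",
    "sample_c.rtf": rb"{\rtf1\ansi{\object\objemb\objw3000\objh2000{\*\objclass Package}{\*\objdata 0105}}}",
    "sample_d.rtf": rb"{\rtf1\ansi Just text, no embedded objects}",
}

OBJ_RE = re.compile(rb"\\object\b")                 # start of an embedded-object group
DIM_RE = re.compile(rb"\\obj(?P<axis>[wh])(?P<val>\d+)")  # \objwNNN / \objhNNN
CLASS_RE = re.compile(rb"\\objclass\s+(?P<name>[^}]+)")   # {\*\objclass Name}


def embedded_objects(rtf):
    """Return one dict per \\object group: width, height (twips) and class name.

    Each group is taken as the bytes from its \\object keyword up to the next
    \\object keyword (or end of file), which is enough for the header control
    words and the objclass destination that follow it.
    """
    starts = [m.start() for m in OBJ_RE.finditer(rtf)]
    bounds = starts + [len(rtf)]
    objects = []
    for begin, end in zip(bounds, bounds[1:]):
        chunk = rtf[begin:end]
        dims = {m["axis"].decode(): int(m["val"]) for m in DIM_RE.finditer(chunk)}
        cls = CLASS_RE.search(chunk)
        objects.append({
            "width": dims.get("w"),
            "height": dims.get("h"),
            "class": cls["name"].decode(errors="replace").strip() if cls else None,
        })
    return objects


def cluster_by_dimension(samples):
    """Map (width, height) -> sorted file names, keeping only pairs shared by 2+ files."""
    clusters = defaultdict(set)
    for name, data in samples.items():
        for obj in embedded_objects(data):
            if obj["width"] is not None and obj["height"] is not None:
                clusters[(obj["width"], obj["height"])].add(name)
    return {dim: sorted(names) for dim, names in clusters.items() if len(names) > 1}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, embedded_objects(data))
    print(cluster_by_dimension(SAMPLES))
```

A shared dimension pair on its own is weak evidence (a legitimate template can produce the same values), which is why the analysis quoted above pairs it with the obfuscation methods and the post-exploitation chain before drawing a supply-chain conclusion; the parser here only recovers the first of those three features.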
