Weekly Threat Briefing: North Korean Hackers Go On Phishing Expedition Before Trump-Kim Summit

This section listed below contains summaries on various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discuss the following threats: APT, Attack vector, Botnet, Credential-stealer, Phishing, Spear phishing, Targeted attacks, Threat group, Trojan, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://www.zdnet.com/article/researchers-granted-command-server-by-officials-link-sharpshooter-campaign-to-north-korea/" target="_blank">Researchers Granted Server by Gov Officials Link Sharpshooter Attacks to North Korea</a> (March 4, 2019) The threat actor campaign called “Operation Sharpshooter,” first discovered by McAfee researchers in December 2018, is now more-likely attributed to the Democratic People’s Republic of Korea (DPRK)-sponsored threat group, “Lazarus Group.” Operation Sharpshooter targets industries such as energy, defense, government departments, and telecoms around the world with a particular focus on the US. Researchers found additional evidence on servers given to them by law enforcement officials in an in-memory implant that was found to download a backdoor called “Rising Sun.” The backdoor was identified to use the same source code as the “Duuzer” trojan that was used by Lazarus Group in a 2016 campaign, and it is this connection that leads researchers to believe that the group is responsible for Operation Sharpshooter, among other campaigns. <a href="https://forum.anomali.com/t/researchers-granted-server-by-gov-officials-link-sharpshooter-attacks-to-north-korea/3605" target="_blank">Click here for Anomali recommendation</a><a href="https://www.us-cert.gov/ncas/current-activity/2019/03/01/Adobe-Releases-Security-Updates-ColdFusion" target="_blank">Adobe Releases Security Updates for ColdFusion</a> (March 1, 2019) The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding a vulnerability in Adobe’s “ColdFusion” web application development platform. The vulnerability, registered as “CVE-2019-7816,” could be exploited by a threat actor to take control of an affected system, according to the Cybersecurity and Infrastructure Security Agency (CISA). An actor would first require “the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request” to exploit the vulnerability. Restricting requests to directories where uploaded files are stored will mitigate this attack.” Threat actors have been observed exploiting this vulnerability has been in the wild. Adobe has issued a patch to address CVE-2019-7816. <a href="https://forum.anomali.com/t/adobe-releases-security-updates-for-coldfusion/3606" target="_blank">Click here for Anomali recommendation</a><a href="https://www.kaspersky.com/blog/apex-legends-mobile-fakes/25836/" target="_blank">Fake Apex Legends: The Battle Royale of Malware</a> (March 1, 2019) Researchers have found that the new video game title “Apex Legends” is being utilized for malicious purposes by threat actors. The game, created by Epic Games, is not available on as a mobile applications, and this is where threat actors see opportunity. Similar to another popular game, Fortnite, threat actors have created fake downloads for the game purporting to for various operating systems such as Android, iOS, and PC. These download locations do not show and official developer input on the game, which is indicative of fraudulent software, and there are also videos on YouTube that show how to download these fake game installers and provide a link to the download page. The actual download and installer does not launch any sort of game and does not work and instead was found to be installing the “FakeFort” trojan that depicts advertisements on the affected device so actors can gain an illicit profit. <a href="https://forum.anomali.com/t/fake-apex-legends-the-battle-royale-of-malware/3607" target="_blank">Click here for Anomali recommendation</a><a href="https://threatpost.com/necurs-botnet-hide-payloads/142334/" target="_blank">Necurs Botnet Evolves to Hide in the Shadows, with New Payloads</a> (March 1, 2019) Black Lotus Labs researchers have published a report discussing the prolific “Necurs” botnet and a new technique the malware was observed using. The Necurs botnet is known to go through active and inactive cycles that are believed to be caused by threat actors conducting Command and Control (C2) infrastructure maintenance. This technique could also be uses to allow downtime for some C2 servers to avoid detection. Now researchers have observed that the botnet is spending most of its time in an inactive state, sometimes for several months, and only becomes active for about once per week for an unspecified, short period of time. The objective of this tactic is likely to increase the chances that the malware will remain undetected and continue its malicious capabilities such as conducting Distributed Denial-of-Service (DDoS) and downloading Remote Access Trojans (RATs), among other payloads. The largest number of infections in descending order are: India, Indonesia, Vietnam, Turkey, and Iran. <a href="https://forum.anomali.com/t/necurs-botnet-evolves-to-hide-in-the-shadows-with-new-payloads/3608" target="_blank">Click here for Anomali recommendation</a><a href="https://www.theregister.co.uk/2019/02/28/new_qbot_banking_malware_strain/" target="_blank">Qbot Malware’s Back, and Latest Strain Relies on Visual Basic Script to Slip into Target Machines</a> (February 28, 2019) A new variant of the credential-stealing malware, “Qbot,” has been observed in the wild, according to Varonis researchers. This version appears to still have “the anti-analysis polymorphism features of the original” that dates back approximately 10 years. Threat actors are using this new variant to target organizations primarily located in the US, but other infections have been observed throughout Europe and South America. The objective of these campaigns is to steal financial data and Personally Identifiable Information (PII). Qbot is being distributed via phishing emails that contain an attachment that utilizes a malicious macro to begin the infection process. <a href="https://forum.anomali.com/t/qbot-malware-s-back-and-latest-strain-relies-on-visual-basic-script-to-slip-into-target-machines/3609" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947201" target="_blank">[MITRE ATT&CK] Scripting (T1064)</a><a href="https://www.helpnetsecurity.com/2019/02/28/cve-2019-1663/" target="_blank">Cisco SOHO Wireless VPN Firewalls and Routers Open to Attack</a> (February 28, 2019) A vulnerability, registered as “CVE-2019-1663,” has been confirmed by Cisco to affect some of its products. The vulnerability can be exploited by a custom HTTP request and is located “in the web-based management interface” of multiple products including: RV110W Wireless-N VPN Firewall, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router. A threat actor could exploit this vulnerability to execute arbitrary code on an affected device. <a href="https://forum.anomali.com/t/cisco-soho-wireless-vpn-firewalls-and-routers-open-to-attack/3610" target="_blank">Click here for Anomali recommendation</a><a href="https://www.securityweek.com/thunderclap-flaws-expose-computers-attacks-peripheral-devices" target="_blank">“Thunderclap” Flaws Expose Computers to Attacks via Peripheral Devices</a> (February 27, 2019) A new attack vector dubbed, “Thunderclap,” has been discovered to affect the “Thunderbolt” hardware interface that was created by Apple and Intel “for connecting peripheral devices to a computer.” Thunderclap requires physical access to a machine. The attack vector exploit multiple vulnerabilities that affect Apple and Intel products as well as devices and machines compatible with Thunderbolt 3 because it often supports USB Type-C ports which could expose Windows and Linux machines to Thunderclap. An actor could attach a variety of devices to the target machine via the Thunderbolt port and gain Direct Memory Access (DMA via that connection. From there the attached device would be able to have read and write access “to all system memory without oversight from the operating system.” Windows and macOS have released updates in their recent operating systems releases (macOS 10.12.4, Windows 10) that are believed to address the more serious vulnerabilities associated with Thunderclap. <a href="https://forum.anomali.com/t/thunderclap-flaws-expose-computers-to-attacks-via-peripheral-devices/3611" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/947277" target="_blank">[MITRE ATT&CK] Exfiltration Over Physical Medium (T1052)</a><a href="https://blog.talosintelligence.com/2019/02/cisco-talos-honeypot-analysis-reveals.html" target="_blank">Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters</a> (February 26, 2019) Cisco Talos researchers have observed an increase in threat actor activity targeting the Lucene library-based search engine, “Elasticsearch.” Researchers observed that actors are targeting Elasticsearch clusters that are using version 1.4.2 or earlier and are using vulnerabilities registered as “CVE-2014-3120” and “CVE-2015-1427.” Both vulnerabilities were deliberately chosen because they only affect older Elasticsearch versions and it is believed that approximately “six distinct actors are exploiting” the honeypots set up by researchers. It appears that the actors’ overall objective in targeting these older Elasticsearch versions is to install a cryptocurrency miner to garner an illicit profit, however, a variant of the “Spike” trojan was also observed being downloaded from an actor-controlled server via Elasticsearch. <a href="https://forum.anomali.com/t/cisco-talos-honeypot-analysis-reveals-rise-in-attacks-on-elasticsearch-clusters/3612" target="_blank">Click here for Anomali recommendation</a><a href="https://www.cyberscoop.com/trump-kim-summit-vietnam-north-korea-hackers-phishing/" target="_blank">North Korean Hackers Go On Phishing Expedition Before Trump-Kim Summit</a> (February 26, 2019) Security researchers have discovered a phishing campaign that is attempting to capitalize on the summit in Hanoi, Vietnam between President Donald Trump and the Democratic People’s Republic’s (DPRK) Kim Jong Un. Researchers suspect that DPRK actors, specifically “Velvet Chollima,” are behind this campaign that appears, at the time of this writing, to be targeting South Korean individuals. The email purports to be an invitation from the “Korean-U.S. Friendship Society” to join a meeting hosted in Seoul, South Korea. The email contains an attachment formatted in the Hangul Word Processor (HWP) file format (.hwp). The objective of the malicious document is to execute PostScript on a machine that attempts to communicate with a Command and Control (C2) server for additional instructions. <a href="https://forum.anomali.com/t/north-korean-hackers-go-on-phishing-expedition-before-trump-kim-summit/3613" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1260028" target="_blank">[MITRE PRE-ATT&CK] Spear phishing messages with malicious links (PRE-T1146)</a> | <a href="https://ui.threatstream.com/ttp/1260027">[MITRE PRE-ATT&CK] Spear phishing messages with malicious attachments (PRE-T1144)</a><a href="https://latesthackingnews.com/2019/02/25/linkedin-direct-messages-exploited-in-latest-phishing-campaign/" target="_blank">LinkedIn Direct Messages Exploited Via “more_eggs” Backdoor</a> (February 25, 2019) A phishing campaign is utilizing the direct message feature of the employment and networking platform “LinkedIn” to distribute a backdoor, according to Proofpoint researchers. The threat actors behind this campaign are distributing fake job offers on LinkedIn followed emails to server as a “follow up” reminders for the purported job offer. The emails were found to contain links leading to fake and malicious websites or attempt to convince a recipient to open a PDF attachment and follow the URL within. The fake website requests a visitor to download a Microsoft Word file that contains malicious macros that, in enabled, will begin the infection process of a backdoor called “more_eggs.” The backdoor function as a “Jscript” loader that is capable of downloading additional malicious payloads. <a href="https://forum.anomali.com/t/linkedin-direct-messages-exploited-via-more-eggs-backdoor/3614" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1260033" target="_blank">[MITRE PRE-ATT&CK] Targeted social media phishing (PRE-T1143)</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&CK] Conduct social engineering (PRE-T1056)</a><a href="https://www.bleepingcomputer.com/news/security/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/" target="_blank">Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor</a> (February 25, 2019) Security researchers have observed a malspam campaign exploiting a 19 year old vulnerability, registered as “CVE-2018-20250,” located in the “WinRAR UNACEV2.DLL” library to install a backdoor. This observation comes one week after Check Point researchers disclosed their finding of the vulnerability. The vulnerability can be exploited by a threat actor by creating a custom ACE archive that extracts a file to the Windows Startup folder when that custom archive is extracted. This process would grant an executable persistence on a machine and would launch as soon as an individual logs in to Windows. The malware was found to download various files, one of which was found to be the “Cobalt Strike Beacon DLL” which is a penetration testing tool. Approximately 500 million users are believed to have WinRAR installed on their machines, which represents a tremendous target pool for threat actors. <a href="https://forum.anomali.com/t/malspam-exploits-winrar-ace-vulnerability-to-install-a-backdoor/3615" target="_blank">Click here for Anomali recommendation</a><a href="https://www.darkreading.com/threat-intelligence/turbotax-hit-with-cyberattack-tax-returns-compromised/d/d-id/1333954" target="_blank">TurboTax Hit with Credential Stuffing Attack, Tax Returns Compromised</a> (February 25, 2019) The parent company of the “TurboTax” tax preparation software, “Intuit,” has issued a statement in which they confirmed that TurboTax was targeted by a credential stuffing attack. Credential stuffing is a tactic used by threat actors where they use previously compromised to attempt to gain access to other accounts, in this instance TurboTax. Actors were able to gain access to an unspecified number of TurboTax accounts. Said accounts contain Personally Identifiable Information (PII) including: birthdates, driver’s license number, financial data (salary, deduction), Social Security Number, among other information contained in tax returns. This incident shows the potential risk associated with reusing passwords for multiple online services. <a href="https://forum.anomali.com/t/turbotax-hit-with-credential-stuffing-attack-tax-returns-compromised/3616" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1851" target="_blank">Legitimate Credentials (ATT&CK T1078)</a><a href="https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/" target="_blank">Multiple ArtraDownloader Variants Used by BITTER to Target Pakistan</a> (February 25, 2019) Palo Alto Networks Unit 42 researchers have discovered that the threat group called “BITTER,” who is believed to originate in South Asia, has been targeting organizations with a new variant of the “ArtraDownloader.” BITTER has been actively targeting Pakistan and Chinese organizations since at least 2015 with AtraDownloader variants. Beginning in September 2018 and continuing until at least January 2019, researchers found that the group was utilizing a new AtraDownloader variant to target entities located Pakistan and Saudi Arabia. The threat group is distributing the malware via spear phishing emails that contain malicious documents that were observed communicating with legitimate Pakistani websites that were likely compromised. Researchers found that AtraDownloader was downloading and executing a Remote Access Trojan (RAT) in this campaign but the malware is capable of downloading other payloads. <a href="https://forum.anomali.com/t/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/3617" target="_blank">Click here for Anomali recommendation</a> MITRE ATT&CK: <a href="https://ui.threatstream.com/ttp/1260027" target="_blank">[MITRE PRE-ATT&CK] Spear phishing messages with malicious attachments (PRE-T1144)</a><h2>Observed Threats</h2>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products" target="_blank">Click here to request a trial.</a><a href="https://ui.threatstream.com/actor/281" target="_blank">Lazarus Group</a> The Advanced Persistent Threat group (APT) “Lazarus Group” is believed to be based in the Democratic People's Republic of Korea (DPRK) and has been active since at least 2009. Lazarus Group is believed to be composed of operatives from “Bureau 121” (121?), the cyber warfare division of North Korea’s Reconnaissance General Bureau. The Reconnaissance General Bureau was formed due to a reorganization in 2009 but its exact structure is not known due to North Korea’s denial and deception tactics. Bureau 121 is North Korea’s most important cyber unit that is used for both offensive and defensive operations. Bureau 121 are referred, in South Korean open-source media, as the “Electronic Reconnaissance Bureau’s Cyber Warfare Guidance Bureau” (????? ???????). The term “guidance” in the context of North Korea often denotes that an organization is personally overseen by the head of state of North Korea as a strategically significant entity. Lazarus Group has targeted financial organizations since at least July 2009, The group is well known for their tendency to engage in data destruction/disk wiping attacks, and network traffic Distributed Denial-of-Service (DDoS) attacks, typically against the Republic of Korea (South Korea). The group targets various industries and sectors including South Korean and US government organizations, Non-Governmental Organizations (NGO), media and entertainment organizations, as well as shipping and transportation organizations, Korean hydro and nuclear power, and jamming of South Korean GPS.