November 12, 2019 - Anomali Threat Research

Weekly Threat Briefing: Ransomware Attacks In Spain Leave Radio Station In 'Hysteria'

<p>The intelligence in this week’s iteration discusses the following threats: <strong>Calypso, China, DarkUniverse, Emotet, EternalBlue, Megacortex, Monero, Nanocore, Platinum, Ransomware, </strong>and<strong> Titanium</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><h2>Trending Threats</h2><p><a href="https://www.helpnetsecurity.com/2019/11/08/november-2019-patch-tuesday-forecast/" target="_blank"><b>November 2019 Patch Tuesday Forecast: Out With Old, In With The New</b></a> (<i>November 8, 2019</i>)<br/> With the upcoming End-Of-Life (EOL) for Windows 7, users are reminded to assess their operating system. Using an unsupported operating system leaves the user open to attacks such as ransomware, as attackers will exploit vulnerabilities that are no longer patched. Support for Windows 10 Home, Professional and Professional Workstations Version 1803 is also ending. For users not intending to upgrade, it is highly recommended to put mitigations in place, such as application control, privilege management and restricted network access, to protect against exploitation.<br/> <a href="https://forum.anomali.com/t/november-2019-patch-tuesday-forecast-out-with-old-in-with-the-new/4353" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://securelist.com/titanium-the-platinum-group-strikes-again/94961/" target="_blank"><b>Titanium: The Platinum Group Strikes Again</b></a> (<i>November 8, 2019</i>)<br/> Platinum, an Advanced Persistent Threat (APT) group focused on the Asia Pacific region, has been using a new backdoor, “Titanium”, in recent attacks, according to researchers at Kaspersky. Targeting Indonesia, Malaysia and Vietnam, the infection spreads via local intranet websites. 
Once in the system, the payload is downloaded from a Command and Control (C2) server: a backdoor downloader pulls down an installer, and the final payload is then downloaded using the Windows Background Intelligent Transfer Service (BITS) and cURL. Loaded into memory, the payload is obfuscated, using Windows API calls to bypass anti-virus software. Due to its use of encryption and fileless techniques, the malware is able to evade detection.<br/> <a href="https://forum.anomali.com/t/titanium-the-platinum-group-strikes-again/4354" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947082">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947257">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/49-disguised-adware-apps-with-optimized-evasion-features-found-on-google-play/" target="_blank"><b>49 Disguised Adware Apps With Optimized Evasion Features Found on Google Play</b></a> (<i>November 7, 2019</i>)<br/> Researchers at Trend Micro have recently found 49 adware apps on the Google Play store disguised as games and camera applications. The adware hides on the mobile device to display ads and deploys anti-uninstallation and evasion functions, such as hiding the app icon. 
Within the app source code, further evasion tactics are used, such as string encoding and obfuscation, and the app is kept alive as a foreground service, meaning it runs even without user interaction.<br/> <a href="https://forum.anomali.com/t/49-disguised-adware-apps-with-optimized-evasion-features-found-on-google-play/4355" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a></p><p><a href="https://www.microsoft.com/security/blog/2019/11/07/the-new-cve-2019-0708-rdp-exploit-attacks-explained/" target="_blank"><b>Microsoft Works With Researchers To Detect and Protect Against New RDP Exploits</b></a> (<i>November 7, 2019</i>)<br/> The “BlueKeep” vulnerability (CVE-2019-0708), which allows remote code execution in Windows Remote Desktop Services, is currently being exploited to deliver cryptominers. Security researcher Kevin Beaumont discovered the activity after his honeypots started to crash and reboot, indicating a blue screen of death (BSOD). Further investigation showed a PowerShell payload downloading a second PowerShell script that drops the Monero miner. 
Threat actors are likely using a BlueKeep scanner to search for systems vulnerable to the flaw, which allows malware to spread through connected systems without user intervention, so that they can be exploited to drop the cryptominer.<br/> <a href="https://forum.anomali.com/t/microsoft-works-with-researchers-to-detect-and-protect-against-new-rdp-exploits/4356" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a></p><p><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/double-loaded-zip-file-delivers-nanocore/" target="_blank"><b>Specially Crafted Zip Files Used To Bypass Secure Email Gateways</b></a> (<i>November 7, 2019</i>)<br/> Researchers at Trustwave have identified a new technique being used to archive malware. Such attachments are normally sent as 7z, rar, or zip files; the spam campaign analyzed by Trustwave uses a zip within a zip to deliver Nanocore malware. This method allows the malicious emails to bypass email security. The campaign sends an email pretending to be from USCO Logistics with a zip attachment appearing to contain shipping documents. The zip file, however, has a much larger file size than its uncompressed content, and when analyzed it shows two ZIP structures. 
The first ZIP contains a decoy image, with the second ZIP containing the Nanocore Remote Access Trojan (RAT).<br/> <a href="https://forum.anomali.com/t/specially-crafted-zip-files-used-to-bypass-secure-email-gateways/4357" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p><p><a href="https://www.zdnet.com/article/emotet-resurgence-packs-in-new-binaries-malicious-functions/" target="_blank"><b>Emotet Resurgence Packs In New Binaries, Trickbot Functions</b></a> (<i>November 6, 2019</i>)<br/> Emotet, a banking Trojan first discovered in 2014, has returned with upgraded functions. Researchers at Proofpoint determined that between January and March 2019, Emotet accounted for almost two-thirds of all phishing payloads. With an uptick in activity, a number of changes have been seen in the malware’s deployment and functionality. Multiple functions have been added to Emotet that are also seen in TrickBot, such as API call resolution and other obfuscation techniques. 
Other changes to the Emotet main payload are minor, including updated Command and Control (C2) lists and RSA keys.<br/> <a href="https://forum.anomali.com/t/emotet-resurgence-packs-in-new-binaries-trickbot-functions/4358" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a></p><p><a href="https://nakedsecurity.sophos.com/2019/11/06/spanish-ransomware-hits-two-companies/" target="_blank"><b>Ransomware Attacks In Spain Leave Radio Station In "Hysteria"</b></a> (<i>November 6, 2019</i>)<br/> Two large Spanish companies have been infected with ransomware: Everis, an IT consultancy firm, and Spain’s largest radio network, Cadena SER. Everis, a company with more than 24,500 employees in over 18 countries, was hit with a version of the BitPaymer ransomware. As of this writing, it is not known what ransomware infected Cadena SER. Because of the previous WannaCry attacks in Spain, the Department of National Security quickly issued a security advisory advising companies on security measures. 
Despite rumors, there is currently no evidence that other IT companies were infected.<br/> <a href="https://forum.anomali.com/t/ransomware-attacks-in-spain-leave-radio-station-in-hysteria/4359" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a></p><p><a href="https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/" target="_blank"><b>DarkUniverse – The Mysterious APT Framework #27</b></a> (<i>November 5, 2019</i>)<br/> Researchers at Kaspersky have identified a new Advanced Persistent Threat (APT) group while investigating a script found within the 2017 ShadowBrokers “Lost In Translation” leak. The APT, dubbed “DarkUniverse,” is a cyber-espionage group with approximately 20 victims in Kaspersky’s telemetry between 2009 and 2017, including civilian and military organizations in Afghanistan, Belarus, Ethiopia, Iran, Russia, Sudan, Syria, Tanzania, and the United Arab Emirates. DarkUniverse spread its malware in a highly targeted, customized spearphishing campaign, prompting email recipients to open an attached malicious Microsoft Office document. The malware contains all the modules necessary for collecting and decrypting username and password credentials, as well as the ability to capture screenshots and access machine registry information. 
According to Kaspersky, unique code overlaps suggest “DarkUniverse” is connected with the ItaDuke set of activities, and operations appear to have been suspended after the 2017 ShadowBrokers leak.<br/> <a href="https://forum.anomali.com/t/darkuniverse-the-mysterious-apt-framework-27/4360" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&amp;CK] Execution through API - T1106</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a></p><p><a href="https://www.tripwire.com/state-of-security/security-data-protection/new-megacortex-ransomware-variant-changes-victims-windows-passwords/" target="_blank"><b>New MegaCortex Ransomware Variant Changes Victims' Windows Passwords</b></a> (<i>November 5, 2019</i>)<br/> Researchers at MalwareHunterTeam, working with reverse engineer Vitali Kremez, have identified a new variant of MegaCortex ransomware that has the ability to change a victim’s Windows password. By executing the net user command, the ransomware changes the victim’s password on execution. Before the user is able to log in, a ransom note is displayed stating “All of your user credentials have been changed and your files have been encrypted”, and claiming that the victim’s data has been downloaded and will be released publicly if the ransom is not paid. 
Researchers have not been able to determine the veracity of this claim.<br/> <a href="https://forum.anomali.com/t/new-megacortex-ransomware-variant-changes-victims-windows-passwords/4361" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a></p><p><a href="https://www.engadget.com/2019/11/04/chinese-hacking-calypso-apt/" target="_blank"><b>Chinese Hacking Group Targeted Governments In Six Countries</b></a> (<i>November 4, 2019</i>)<br/> The newly discovered Advanced Persistent Threat (APT) group “Calypso” has been targeting government bodies in various countries since 2016. After discovering the group in March, researchers at Positive Technologies found that government agencies in Brazil, India, Kazakhstan, Russia, Thailand, and Turkey had been targeted. The group typically infiltrates networks by exploiting a Windows SMB vulnerability, CVE-2017-0143, or by using stolen credentials. The Calypso backdoor and Remote Access Trojan (RAT), the group’s namesake, is then deployed. The backdoor enables the actors to execute commands and upload malware and utilities such as EternalBlue, allowing them to move laterally through the network. By using legitimate tools, the group is able to evade detection while stealing sensitive information. 
Positive Technologies states that the APT group is likely based in Asia, has Chinese-language abilities, and used a Chinese IP address.<br/> <a href="https://forum.anomali.com/t/chinese-hacking-group-targeted-governments-in-six-countries/4362" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/1260045">[MITRE PRE-ATT&amp;CK] Upload, install, and configure software/tools (PRE-T1139)</a></p>
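The double-loaded ZIP in the Trustwave item above can be caught on the receiving side by checking whether an attachment holds more than one ZIP structure. The following Python is an added example, not code from Anomali or Trustwave; the sample archive it builds is constructed (the second entry is an inert placeholder, not the RAT), and the analysis shows what a parser that honours only the final End-of-Central-Directory record sees versus what the file actually contains.

```python
import io
import struct
import zipfile

EOCD_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x03\x04"
EOCD_FMT = "<4s4H2LH"  # sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset, comment_len

def build_double_zip() -> bytes:
    """Constructed sample shaped like the Trustwave find: a decoy-image archive
    followed immediately by a second, complete archive. The second entry is an
    inert placeholder standing in for the RAT, not real malware."""
    decoy, second = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(decoy, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("shipping_docs.jpg", b"\xff\xd8\xff\xe0" + bytes(2000))
    with zipfile.ZipFile(second, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("SHIPPING_DOCUMENTS.exe", b"PLACEHOLDER-NOT-MALWARE " * 100)
    return decoy.getvalue() + second.getvalue()

def build_single_zip() -> bytes:
    """Ordinary one-structure archive, used as the benign comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.txt", b"nothing to see here")
    return buf.getvalue()

def zip_structures(data: bytes) -> list:
    """Start offset of every complete ZIP structure in data. A candidate EOCD
    record counts only if it ends the file or is followed directly by another
    local-file header; this filters chance 'PK\\x05\\x06' bytes inside streams."""
    starts, pos = [], 0
    while (pos := data.find(EOCD_SIG, pos)) >= 0:
        if len(data) - pos >= 22:
            *_, cd_size, cd_offset, clen = struct.unpack(EOCD_FMT, data[pos:pos + 22])
            end = pos + 22 + clen
            if end == len(data) or data[end:end + 4] == LFH_SIG:
                starts.append(pos - cd_size - cd_offset)  # cd_offset is relative to this structure's start
        pos += 4
    return starts

def analyze_zip(data: bytes) -> dict:
    """Compare what a single-structure parser sees with what the file holds."""
    starts = zip_structures(data)
    with zipfile.ZipFile(io.BytesIO(data)) as z:  # zipfile honours only the last EOCD
        visible = z.namelist()
    return {"structures": len(starts),
            "visible": visible,
            "hidden_leading_bytes": starts[-1] if starts else 0,  # bytes a last-EOCD parser never reads
            "suspicious": len(starts) > 1 and data[:4] == LFH_SIG}
```

Self-extracting archives legitimately carry prepended data, which is why the flag also requires the file to begin with a ZIP local-file header rather than an executable stub.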
