October 6, 2020
Anomali Threat Research

Weekly Threat Briefing: Ransomware, IPStorm, APT Group, and More

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics:<b> APT, BlackTech, BLINDINGCAN, Linux Malware, Palmerworm, Vulnerabilities,</b> and <b>XDSpy</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/wzv8Fu5ETPWKrzbPIsyS"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/grindr-fixed-a-bug-allowing-full-takeover-of-any-user-account/" target="_blank"><b>Grindr Fixed a Bug Allowing Full Takeover of Any User Account</b></a></h3> <p>(published: October 3, 2020)</p> <p>Grindr, an LGBT networking platform, has fixed a vulnerability that could allow any account to be hijacked. The vulnerability was identified by security researcher Wassime Bouimadaghene, finding that the reset token was leaked in the page’s response content. This would enable anyone who knows a users’ email address to generate the reset link that is sent via email. Gaining account access would enable an attacker to obtain sensitive information such as pictures stored on the app (including NSFW), HIV status, location, and messages. Grindr has announced a bug bounty program.<br/> <b>Recommendation:</b> If your account has been breached, you can reset the password using the reset link sent to the associated email address.<br/> <b>Tags:</b> Browser, Exposed tokens, Grindr, Sensitive Info</p> <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/" target="_blank"><b>XDSpy: Stealing Government Secrets Since 2011</b></a></h3> <p>(published: October 2, 2020)</p> <p>Security researchers from ESET have identified a new Advanced Persistent Threat (APT) group that has been targeting Eastern European governments and businesses for up to nine years. Dubbed “XDSpy,” ESET was unable to identify any code similarity or shared infrastructure with other known groups and believe the group operates in a UTC+2 or UTC+3 time zone, Monday to Friday. XDSpy mainly uses spearphishing emails with some variance, some will contain attachments or links to malicious files, usually a ZIP or RAR archive. When the malicious file has infected a victim, it will install “XDDown,” a downloader that will begin to install additional plugins that will begin to exfiltrate files, passwords, and nearby SSIDs. XDSpy has also been observed using “CVE-2020-0968” (Internet Explorer legacy JavaScript vulnerability) bearing some resemblance to DarkHotel campaigns and Operation Domino, ESET do not believe these campaigns are related but may be using the same exploit broker.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947082">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947135">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947100">[MITRE ATT&amp;CK] Data from Removable Media - T1025</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947117">[MITRE ATT&amp;CK] Automated Collection - T1119</a> | <a href="https://ui.threatstream.com/ttp/947193">[MITRE ATT&amp;CK] Automated Exfiltration - T1020</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a><br/> <b>Tags:</b> XDSpy, XDDown, APT, Eastern Europe</p> <h3 id="article-3" style="margin-bottom:0;"><a href="https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/" target="_blank"><b>IPStorm Now Has Linux Malware</b></a></h3> <p>(published: October 1, 2020)</p> <p>IPStorm (InterPlanetary Storm) is a botnet discovered by researchers at Anomali, that uses InterPlanetary File System (IPFS) to obfuscate malicious traffic allowing for arbitrary code execution on victims’ machines. Recently, security researchers at Intezer have identified new Linux variants of IPStorm. Written in GoLang, the Linux version has the ability to spread via SSH brute-force, check for Android Debug Bridge (ADB) and will upload the Android version of the malware, evade detection by antivirus software, gain persistence if executed with root privileges and reverse shell. The botnet will create fake ad clicks by imitating a user clicking on ad iframes.<br/> <b>Recommendation:</b> You can check if IPStorm is running on your system with ‘pstree | grep storm’ ‘sudo systemctl status storm.service’ which will return the service if active. To check if IPStorm’s file is on your system with ‘sudo find/ -name “storm*” -type f’. Should your system have IPStorm on it, stop the service running with: ‘sudo systemctl stop storm.service’ and kill processes with ‘sudo pkill -9 storm’. Make sure all associated files are deleted.<br/> <b>Tags:</b> Botnet, Go, GoLang, IPStorm, Linux, Malware</p> <h3 id="article-4" style="margin-bottom:0;"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt" target="_blank"><b>Palmerworm: Espionage Gang Targets the Media, Finance, and Other Sectors</b></a></h3> <p>(published: September 29, 2020)</p> <p>Researchers from Symantec have been tracking a new Palmerworm (BlackTech) espionage campaign targeting organisations in the US and Asia. The campaign is believed to have begun around August 2019 and has been seen targeting news media, electronics, and finance companies in Taiwan; an engineering company in Japan, a construction company in China, and various others in the US. The researchers are currently uncertain as to how Palmerworm is gaining initial access but has previously used spearphishing emails before deploying previously unseen malware families dubbed “Backdoor.Consock”, “Backdoor.Waship”, “Backdoor.Dalwit” and “Backdoor,Nomri.” The group is also leveraging a custom loader called “Trojan Horse.” Palmerworm is believed to have connections to the Chinese government and is possibly sponsored by them.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947101">[MITRE ATT&amp;CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a><br/> <b>Tags:</b> Palmerworm, BlackTech, APT, espionage</p> <h3 id="article-5" style="margin-bottom:0;"><a href="https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html" target="_blank"><b>BLINDINGCAN - Malware Used by Lazarus</b></a></h3> <p>(published: September 29, 2020)</p> <p>JPCERT/CC has released an analysis of a malware called “BLINDINGCAN” and is used by the Lazarus group. The malware provides remote access control of the compromised machine to the operator of the malware. The malware is of a form of a Dynamic-link library (DLL) and requires a loader to be executed. Some samples investigated by JPCERT/CC were encrypted and were decrypted by the loader before the payload was executed. The malware can be configured by the threat actor by the use of a configuration file. The configuration file can be hardcoded in the malware, stored as a file in the same folder as the DLL, or stored in a registry key. The configuration is encrypted with an XOR scheme, AES, or RC4. For the Command and Control (C2) protocol, the data is encrypted with RC4 or a modified version of RC4. Plain RC4 and the modified version is used for different parameters in the network payload, making it hard for analysts to decrypt unless they know the modifications to the encryption scheme.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947235">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> APT, Lazarus, BLINDINGCAN</p> <h3 id="article-6" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/" target="_blank"><b>UHS Hospitals Hit by Reported Country-Wide Ryuk Ransomware Attack</b></a></h3> <p>(published: September 28, 2020)</p> <p>Bleeping Computer has reported an attack against Universal Health Services (UHS). According to Bleeping Computer, the attack appears to be a Ryuk ransomware campaign. The ransomware started to encrypt files across the network late Sunday night. UHS has issued a statement of them being affected by an IT security incident but has not confirmed it is Ryuk. Ryuk related attacks are known to be started by a phishing email that is used to install Emotet followed by Trickbot or the BazarBackdoor followed by Cobalt Strike.<br/> <b>Recommendation:</b> Educate your employees on the risks of opening attachments from unknown senders. In addition, as shown in this story, employees should also be cautious of opening suspicious attachments in emails even if they appear to have been sent from within the company. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Ransomware, Ryuk</p> </div> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.