October 1, 2019 - Anomali Threat Research

Weekly Threat Briefing: US Military Veterans Targeted By Iranian State Hackers

<p>The intelligence in this Weekly Threat Briefing discusses the following threats: <b>APT10, China, DoorDash, Emotet, Fancy Bear, Gandcrab, Malvertising, Nodersok, PcShare, REvil, Ryuk Ransomware, Sednit, Sofacy, Spamouflage Dragon, STRONTIUM, Trickbot, Tropic Thunder</b>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p>
<h2>Trending Threats</h2>
<p><a href="https://www.bleepingcomputer.com/news/security/microsoft-spots-nodersok-malware-campaign-that-zombifies-pcs/" target="_blank"><b>Microsoft Spots Nodersok Malware Campaign That Zombifies PCs</b></a> (<i>September 26, 2019</i>)<br/> “Nodersok” is a new fileless malware campaign discovered by the Microsoft Defender ATP Research Team. It uses living-off-the-land binaries (LOLBins) together with Node.js-based malware to infect Windows machines and turn them into proxies. Nodersok is delivered through drive-by downloads that compromise the target's web browser, leading to the download of an HTA file after the user clicks a malicious link or is served a malvertisement. The actors use legitimate Windows tools to spread the infection across networks.<br/> <a href="https://forum.anomali.com/t/microsoft-spots-nodersok-malware-campaign-that-zombifies-pcs/4219" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947205">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a></p>
<p><a href="https://www.cyberscoop.com/hong-kong-disinfo-campaign-graphika/" target="_blank"><b>Research Outs Poorly Constructed Disinfo Campaign Aimed At Hong Kong Protests</b></a> (<i>September 26, 2019</i>)<br/> According to CyberScoop, the research team at Graphika has detected a poorly executed disinformation campaign aimed at Hong Kong protesters. Facebook has taken down the content and user accounts, and Twitter has taken down some of the accounts. The campaign, which Graphika calls “Spamouflage Dragon”, appears to be acting in the interest of the Chinese government. The poor planning may indicate limited investment of resources and a lack of maturity, though it also shows a clear interest in this type of activity.<br/> <a href="https://forum.anomali.com/t/research-outs-poorly-constructed-disinfo-campaign-aimed-at-hong-kong-protests/4220" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p>
<p><a href="https://blog.eset.ie/2019/09/26/microsoft-rushes-out-patch-for-internet-explorer-zero%E2%80%91day/" target="_blank"><b>Microsoft rushes out patch for Internet Explorer zero‑day</b></a> (<i>September 26, 2019</i>)<br/> Microsoft has patched a new zero-day vulnerability, CVE-2019-1367. It is a remote code execution vulnerability affecting Internet Explorer versions 9, 10 and 11, and it gives an attacker the same access privileges as the current user; if that user has administrative rights, the attacker can gain access to the whole system. The bug prompted a warning from the United States Cybersecurity and Infrastructure Security Agency (CISA).<br/> <a href="https://forum.anomali.com/t/microsoft-rushes-out-patch-for-internet-explorer-zero-day/4221" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947203">[MITRE ATT&amp;CK] Web Service - T1102</a></p>
<p><a href="https://www.securityweek.com/chinese-hackers-hit-technology-firms-southeast-asia-pcshare-backdoor" target="_blank"><b>Chinese Hackers Hit Technology Firms in Southeast Asia With PcShare Backdoor</b></a> (<i>September 26, 2019</i>)<br/> BlackBerry Cylance security researchers have detected a campaign, which they believe originates from China, targeting Southeast Asian technology firms. The actors take advantage of the built-in Narrator “Ease of Access” feature in Windows by replacing it with a trojanized screen reader application. The trojanized Narrator executable is just one of the post-exploitation tools used by the actors, which share code found on Chinese programming sites. The malware used in the campaign is executed through DLL side-loading, specifically via the NVIDIA Smart Maximize Helper Host application. PcShare is an open-source Chinese backdoor, and it was found in use across multiple organisations in this campaign. The actors continue to modify the fake Narrator app to suit their target victims. BlackBerry Cylance researchers have drawn similarities between this campaign and the known Chinese APT Tropic Thunder.<br/> <a href="https://forum.anomali.com/t/chinese-hackers-hit-technology-firms-in-southeast-asia-with-pcshare-backdoor/4222" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947195">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947164">[MITRE ATT&amp;CK] File Deletion - T1107</a></p>
<p><a href="https://amp-france24-com.cdn.ampproject.org/c/s/amp.france24.com/en/20190926-airbus-hit-by-series-of-cyber-attacks-on-suppliers" target="_blank"><b>Airbus Hit By Series of Cyber Attacks On Suppliers</b></a> (<i>September 26, 2019</i>)<br/> According to the French news channel France24, security sources have revealed that a number of organisations in the Airbus supply chain have been targeted with cyber attacks. The actors are believed to have been attempting to capture sensitive industry information, and several sources believe the activity likely originated from the Chinese threat actor APT10.<br/> <a href="https://forum.anomali.com/t/airbus-hit-by-series-of-cyber-attacks-on-suppliers/4223" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947137">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a></p>
<p><a href="https://techcrunch.com/2019/09/26/doordash-data-breach/" target="_blank"><b>DoorDash Confirms Data Breach Affected 4.9 million Customers, Workers and Merchants</b></a> (<i>September 26, 2019</i>)<br/> According to TechCrunch, the food delivery company DoorDash has confirmed a data breach. The breach happened on May 4th, and it took the company more than five months to detect it. Customers who joined before 5 April 2018 had sensitive information taken, including email addresses, home addresses, phone numbers, order history and the last four digits of their card numbers. Salted passwords were also taken, and delivery drivers had their licence numbers taken.<br/> <a href="https://forum.anomali.com/t/doordash-confirms-data-breach-affected-4-9-million-customers-workers-and-merchants/4224" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1259983">[MITRE PRE-ATT&amp;CK] Identify sensitive personnel information (PRE-T1051)</a></p>
<p><a href="https://www.zdnet.com/article/us-military-veterans-targeted-by-iranian-state-hackers/" target="_blank"><b>US Military Veterans Targeted By Iranian State Hackers</b></a> (<i>September 25, 2019</i>)<br/> According to Cisco Talos researchers, Iranian government-backed hackers have been trying to infect US military veterans. The actors created a fake application purporting to help veterans find employment. The application sends sensitive information about the machine and the network it is connected to before downloading a Remote Access Trojan (RAT). Researchers say the actors were likely hoping a victim would download the application on the DoD network. The Talos team has linked the campaign to the Tortoiseshell group, believed to be an Iranian government-backed hacking group.<br/> <a href="https://forum.anomali.com/t/us-military-veterans-targeted-by-iranian-state-hackers/4225" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a></p>
<p><a href="https://www.darkreading.com/attacks-breaches/gandcrab-developers-behind-destructive-revil-ransomware/d/d-id/1335919" target="_blank"><b>GandCrab Developers Behind Destructive REvil Ransomware</b></a> (<i>September 25, 2019</i>)<br/> The Secureworks research team has assessed that the GandCrab group, tracked as “Gold Garden”, is still active and is probably behind a new ransomware variant called “REvil”. REvil first appeared in April 2019 and has been targeting Texas municipalities and dentist offices. There are code similarities between GandCrab and REvil, and both contain code that prevents the malware from infecting machines in Russia. REvil has quickly become one of the most dangerous ransomware families in the wild.<br/> <a href="https://forum.anomali.com/t/gandcrab-developers-behind-destructive-revil-ransomware/4226" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947227">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a></p>
<p><a href="https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/" target="_blank"><b>Tibetan Groups Targeted with 1-Click Mobile Exploits</b></a> (<i>September 24, 2019</i>)<br/> Senior members of the Tibetan community were targeted with cyber attacks between November 2018 and May 2019. The Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament and Tibetan human rights groups were all targeted during this time. The report from the Toronto-based Citizen Lab shows the level of effort put into infecting the targets: sophisticated social engineering through WhatsApp conversations about recent events and activities relevant to the target groups. These conversations were used to dupe the victim into clicking on a link, which would then use web browser exploits to install Android and iOS malware. Citizen Lab calls the malware used to conduct the browser exploits POISON CARP and dubs the Android and iOS exploit kits “MOONSHINE”.<br/> <a href="https://forum.anomali.com/t/tibetan-groups-targeted-with-1-click-mobile-exploits/4227" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947106">[MITRE ATT&amp;CK] Spearphishing Link - T1192</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a> | <a href="https://ui.threatstream.com/ttp/1260095">[MITRE MOBILE-ATT&amp;CK] Malicious Web Content (MOB-T1059)</a></p>
<p><a href="https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/" target="_blank"><b>No summer vacations for Zebrocy</b></a> (<i>September 24, 2019</i>)<br/> The threat group APT28 (also known as Sofacy, STRONTIUM, Sednit or Fancy Bear) initiated a new campaign over the summer, which was detected by the ESET security team. According to ESET researchers, APT28 has targeted Ministries of Foreign Affairs across Eastern Europe and Central Asia, much like in previous campaigns. One distinctive aspect of this campaign is a development in the group's toolset: the downloader has been written in the Nim programming language. However, ESET researchers have observed that the group's campaign tactics are quite “loud”, because the victim will have several downloaders installed on their machine before the final backdoor payload is delivered.<br/> <a href="https://forum.anomali.com/t/no-summer-vacations-for-zebrocy/4228" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947259">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/2402543">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947229">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a></p>
<p><a href="https://www.intezer.com/blog-russian-apt-ecosystem/" target="_blank"><b>Mapping the Connections Inside Russia's APT Ecosystem</b></a> (<i>September 24, 2019</i>)<br/> The Russia-based APT groups Turla, Sofacy and APT29 have been mapped in a joint research effort between Intezer and Check Point Research. The research teams analysed around 2,000 samples attributed to Russia and discovered 22,000 connections between them. One of the most startling findings was that the threat groups operating out of Russia do not appear to share code with one another; the researchers also found that each actor working for Russia has its own malware development team. A detection tool based on this research has been released for download.<br/> <a href="https://forum.anomali.com/t/mapping-the-connections-inside-russias-apt-ecosystem/4229" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a></p>
<p><a href="https://blog.malwarebytes.com/botnets/2019/09/emotet-malspam-campaign-uses-snowdens-new-book-as-lure/" target="_blank"><b>Emotet Malspam Campaign Uses Snowden’s New Book As Lure</b></a> (<i>September 23, 2019</i>)<br/> Emotet resumed its activity one week ago after months of dormancy, and it is considered one of the most prolific threats to organizations over the last year. While Emotet continues to use its older tricks, such as invoice-themed subject lines, this week it was found using Edward Snowden’s new book “Permanent Record” as a lure. Emotet has a large and successful botnet behind it, and an initial compromise is usually followed by a further infection of the endpoint, such as Trickbot or Ryuk ransomware. Emotet’s lure themes have been notably up to date.<br/> <a href="https://forum.anomali.com/t/emotet-malspam-campaign-uses-snowden-s-new-book-as-lure/4230" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
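<p>The Nodersok entry above describes a chain of legitimate Windows components (a browser-delivered HTA, PowerShell, a Node.js runtime) rather than a single malicious binary, so defenders hunt for it in process-lineage telemetry rather than by file hash. The following Python is an added example written for this briefing, not code from Microsoft's report, Anomali, or any vendor tool; the event schema (pid, ppid, image path, command line), the sample events and the heuristic thresholds are all constructed assumptions that would be tuned to a real EDR feed.</p>

```python
"""Flag Nodersok-style LOLBin process chains in endpoint telemetry.

Added example for the Nodersok entry above; this is not code from Microsoft's
report or from Anomali. The event schema (pid, ppid, image path, command line)
is constructed and hypothetical, and the heuristics are assumptions that a
defender would tune to their own environment and EDR data.
"""
from dataclasses import dataclass
from typing import Dict, List

# Binaries the briefing names as stages: an HTA (mshta.exe) delivered by the
# browser, PowerShell (T1086) as the scripting stage, and Node.js as the
# runtime the malware is built on. Other script hosts are included as an
# assumption about likely variants.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
STAGE_CHILDREN = {"powershell.exe", "node.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
PS_DROPPER_FLAGS = ("-windowstyle hidden", "-w hidden", "-executionpolicy bypass",
                    "-ep bypass", "-encodedcommand", "-enc ")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent, parent_image: str) -> List[str]:
    """Return the reasons an event looks like part of the chain (empty = clean)."""
    reasons = []
    parent, child = basename(parent_image), basename(ev.image)
    low = ev.cmdline.lower()
    # Stage 1: a browser launching mshta.exe is the drive-by HTA delivery.
    if parent in BROWSERS and child == "mshta.exe":
        reasons.append(f"{parent} launched mshta.exe (drive-by HTA)")
    # Stage 2/3: a script host handing off to PowerShell, Node.js or another host.
    if parent in SCRIPT_HOSTS and child in STAGE_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
    # A Node.js runtime executing from a user-writable directory rather than an
    # installed location is typical of a dropped runtime.
    if child == "node.exe" and any(seg in ev.image.lower() for seg in USER_WRITABLE):
        reasons.append("node.exe running from user-writable path")
    # PowerShell invoked with the hidden-window / policy-bypass / encoded flags
    # that droppers commonly use.
    if child == "powershell.exe" and any(flag in low for flag in PS_DROPPER_FLAGS):
        reasons.append("powershell.exe with hidden/bypass/encoded flags")
    return reasons


def find_suspicious(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that trips at least one heuristic."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {}
    for ev in events:
        parent = by_pid.get(ev.ppid)
        parent_image = parent.image if parent else ""
        reasons = score_event(ev, parent_image)
        if reasons:
            hits[ev.pid] = reasons
    return hits


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Walk ppid links from a flagged process back to the root for triage."""
    by_pid = {ev.pid: ev for ev in events}
    chain = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


# Constructed sample telemetry: paths and names are illustrative, not real IoCs.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\Downloads\Player.hta"),
    ProcEvent(102, 101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File stage2.ps1"),
    ProcEvent(103, 102, r"C:\Users\alice\AppData\Local\Temp\node.exe", "node.exe agent.js"),
    # Benign activity that must not fire: an admin opening PowerShell from
    # Explorer, and a developer's installed Node.js running a build script.
    ProcEvent(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent(202, 200, r"C:\Program Files\nodejs\node.exe", "node build.js"),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(lineage(SAMPLE_EVENTS, pid)), reasons)
```

<p>Run stand-alone, the script flags the three constructed chain events (the browser-to-mshta hand-off, the hidden PowerShell stage and the Node.js runtime in a temp directory) and prints each with its full parent lineage, while the two benign PowerShell and Node.js events stay silent. Scoring the parent-child relationship rather than any single image name is the point: every binary in the chain is legitimate, so the signal is in who launched whom and from where.</p>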
