Weekly Threat Briefing: APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS

The intelligence in this week’s iteration discuss the following threats: APT, Backdoor, Banking trojan, Cryptocurrency malware, Malspam, Mobile malware Phishing, Spear phishing, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.<h2>Trending Threats</h2><a href="https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank">APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS</a> (March 10, 2018) While investigating an incident in May 2017; NCC Group’s Incident Response team discovered that their client had been compromised by the Advanced Persistent Threat (APT) group “APT15” (GREF, Ke3chang, Mirage, Playful Dragon, Vixen Panda). The response team found that APT15 had compromised their client’s network and managed to steal “a number of sensitive documents” via three backdoors. The first backdoor, called “BS2005,” is known to be used by the group, however, two new backdoors dubbed “RoyalCli” and “RoyalDNS” were also observed. NCC Group believes that APT15 was targeting data related to U.K. government departments and military technology. <a href="https://forum.anomali.com/t/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/2147" target="_blank">Click here for Anomali recommendation</a><a href="https://securelist.com/apt-slingshot/84312/" target="_blank">The Slingshot APT FAQ</a> (March 9, 2018) A new Advanced Persistent Threat (APT) group, dubbed “Slingshot,” has been identified and found to have been active since at least 2012, according to Kaspersky Lab researchers. The researchers discovered the cyber espionage group while investigating an incident involving a keylogger which led to the finding of a malicious library that could interact with a virtual file system; a sign indicative of APT activity according to researchers. The primary initial infection vector for the group has not yet been identified. However, researchers did find some cases in which the group gained access to “Mikrotik” routers and placed a component downloaded by “Winbox” loader (Mikrotik management suite) to infect the router administrator. Approximately one hundred targets have been identified that are located mainly in Africa and the Middle East. <a href="https://forum.anomali.com/t/the-slingshot-apt-faq/2148" target="_blank">Click here for Anomali recommendation</a><a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank">Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant</a> (March 8, 2018) The Advanced Persistent Threat (APT) group “Hidden Cobra” (Lazarus Group) is continuing their targeting of cryptocurrency organizations and financial institutions with a recently observed attack on a Turkish financial system, according to the McAfee Advanced Threat Research team. Hidden Cobra was able to gain unauthorized access to an unnamed Turkish financial institution via a new variant of the group’s custom “Bankshot” implant that was distributed via spear phishing emails. The spear phishing emails contain Microsoft Word document with an embedded Adobe Flash exploit that exploits the vulnerability registered as “CVE-2018-4878” that can allow an actor to execute arbitrary code. <a href="https://forum.anomali.com/t/hidden-cobra-targets-turkish-financial-sector-with-new-bankshot-implant/2149" target="_blank">Click here for Anomali recommendation</a><a href="https://www.imperva.com/blog/2018/03/rediswannamine-new-redis-nsa-powered-cryptojacking-attack/" target="_blank">RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits</a> (March 8, 2018) Imperva researchers have published information regarding a cryptojacking campaign that is targeting both application and database servers. One of these observed campaigns, dubbed “RedisWannaMine,” is reported to be responsible for approximately “90% of all remote code execution attacks in web applications.” The threat actors behind this campaign are using remote code execution vulnerabilities, one of such is “CVE-2017-9805,” (REST plugin vulnerability in Apache Struts) to download and execute an external resource. In Imperva’s given example, the external resource was found to be located on a remote host and included a list of files. One of the said files was a shell script that downloads a crypto-miner. Other techniques observed in these campaigns include downloading the open source tool “masscan” from GitHub, and launching a process called “redisscan.sh” which utilizes masscan to scan the internet with the objective of infecting publicly available “Redis” servers with crypto-mining malware. Furthermore, researchers also observed this campaign using the “EternalBlue” Server Message Block (SMB) exploit. <a href="https://forum.anomali.com/t/rediswannamine-unveiled-new-cryptojacking-attack-powered-by-redis-and-nsa-exploits/2150" target="_blank">Click here for Anomali recommendation</a><a href="https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-software/" target="_blank">Hardcoded Password Found in Cisco Software</a> (March 8, 2018) Cisco has released 22 security advisories that address vulnerabilities in their products, two of which are rated critical. The first critical vulnerability, registered as “CVE-2018-0141,” affects Cisco’s “Prime Collaboration Provisioning” (PCP). A threat actor could exploit this vulnerability by connecting to the affected systems via Secure Shell (SSH) using the hardcoded password to gain full control over the system. Researchers note this vulnerability can only be exploited by local threat actors. The second vulnerability, registered as “CVE-2018- 0147,” affects Cisco’s Secures Access Control Systems (ACS) and can be exploited when ACS attempts to deserialize user-supplied Java-serialized content. This would allow an actor to execute arbitrary code without the need for user credentials. <a href="https://forum.anomali.com/t/hardcoded-password-found-in-cisco-software/2151" target="_blank">Click here for Anomali recommendation</a><a href="https://www.malware-traffic-analysis.net/2018/03/07/index2.html" target="_blank">Hancitor Malspam – Fake PayPal Notice</a> (March 7, 2018) Security researcher have observed that the “Hancitor” (malicious downloader) malspam campaign has begun distributing PayPal-themed Word documents with the object of installing the “Zeus Panda” banking trojan. The emails purport to come from “PayPal Invoice Service” and claim that the recipient has been sent an invoice. The PayPal-themed email also provides a link for the recipient as well as a due date to instill a sense of urgency. If the link is followed, a recipient will be asked to open or save the Word document. If opened, the document requests that “Enable Editing” be clicked that, if clicked, will launch a malicious macro which will begin the infection process for Zeus Panda. <a href="https://forum.anomali.com/t/hancitor-malspam-fake-paypal-notice/2152" target="_blank">Click here for Anomali recommendation</a><a href="https://www.helpnetsecurity.com/2018/03/07/exim-remote-code-execution/" target="_blank">Exim vulnerability opens 400,000 servers to remote code execution</a> (March 7, 2018) Security researchers have discovered that the “Exim” mail transfer agent is vulnerable to a remote code execution vulnerability, specifically if Exim is used on Unix-like systems. The buffer overflow vulnerability, registered as “CVE-2018-6789,” was discovered and reported by Meh Chang of the DEVCORE research team in February. Researchers note that this vulnerability is present in all Exim versions prior to version 4.90.1, which at the time of DEVCORE’s publication discussing the vulnerability, was reported to affect approximately 400,000 Exim servers. <a href="https://forum.anomali.com/t/exim-vulnerability-opens-400-000-servers-to-remote-code-execution/2153" target="_blank">Click here for Anomali recommendation</a><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank">Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent</a> (March 7, 2018) The threat group called “Patchwork,” which was first discovered in December 2015, has been observed conducting cyber espionage campaigns against targets located in the Indian subcontinent. The group is distributing their custom “BADNEWS” malware via two Encapsulated PostScript (EPS) exploits (CVE-2015-2545, CVE-2017-0261) that are packaged into legitimate documents. The documents have been observed to be themed after topics such as information related to the Pakistan Energy Commission and Ministry of the Interior, and military promotions within the Pakistan Army. BADNEWS functions as a backdoor that can grant actors control of an affected machine. Researchers note that this version of BADNEWS is different than prior iterations which indicates that the group is increasing in sophistication. <a href="https://forum.anomali.com/t/patchwork-continues-to-deliver-badnews-to-the-indian-subcontinent/2154" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/patchwork-continues-to-deliver-badnews-to-the-indian-subcontinent/2154" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/patchwork-continues-to-deliver-badnews-to-the-indian-subcontinent/2154" target="_blank"> recommendation</a><a href="http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html" target="_blank">Gozi ISFB Remains Active in 2018, Leverages “Dark Cloud” Botnet For Distribution</a> (March 6, 2018) Cisco Talos researchers have discovered several new “relatively low-volume” malware campaigns in which actors are using the “Dark Cloud” botnet to distribute the “Gozi ISFB” banking trojan. Researchers have found that the actor(s) behind this campaign distributing a low-volume of spam emails with a focus on creating more convincing emails to increase the likelihood of a recipient opening a malicious attachment. In addition, these emails are only being distributed to specific organizations, and out of more than 100 emails and their attachments that were analyzed the majority of them are unique. The file attachments are Microsoft Word documents which the text of the emails purport to be related to a sales order. If the attachment is opened, it asks the user to “Enable Editing” and then to “Enable Content.” If these are enabled, malicious macros will begin the infections process for Gozi ISFB. <a href="https://forum.anomali.com/t/gozi-isfb-remains-active-in-2018-leverages-dark-cloud-botnet-for-distribution/2155" target="_blank">Click here for Anomali recommendation</a><a href="https://www.malware-traffic-analysis.net/2018/03/05/index2.html" target="_blank">Coins LTD Campaign Uses Rig EK to Push Ursnif</a> (March 5, 2018) Security researchers have found that the “Coins LTD” malspam campaign, which uses cryptocurrency-themed emails and domains to deliver malware, is now delivering the “Ursnif” banking trojan. Prior to this, the Coins LTD campaign was observed distributing malicious attachments and links to malicious domains that attempt to infect uses with the “Ramnit” and “Trickbot” banking trojans. Currently, this malspam campaign is attempting to direct recipients to malicious websites that host the Rig Exploit Kit (EK) that uses an Adobe Flash exploit to drop Ursnif. <a href="https://forum.anomali.com/t/coins-ltd-campaign-uses-rig-ek-to-push-ursnif/2156" target="_blank">Click here for Anomali recommendation</a><a href="https://www.securityweek.com/triada-trojan-pre-installed-low-cost-android-smartphones" target="_blank">Triada Trojan Pre-Installed on Low Cost Android Smartphones</a> (March 5, 2018) The “Triada” trojan, first discovered in early 2016, has been identified to come preinstalled on some lower-cost Android smartphones, according to Dr. Web researchers. Affected models include the following: Leagoo M5 Plus, Leagoo M8, Nomu S10, and the Nomu S20, among others which brings the overall amount to over 40 devices. Triada injects its module into the Zygote process on Android devices to infiltrate all applications running on a device. The malware is able to download and launch other applications, redirect SMS transactions to buy content or steal money directly from the owner of the affected device. Dr. Web researchers found that devices that were launched as recently as December 2017 were observed to come preinstalled with Triada. <a href="https://forum.anomali.com/t/triada-trojan-pre-installed-on-low-cost-android-smartphones/2157" target="_blank">Click here for Anomali recommendation</a><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/" target="_blank">Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency</a> (March 5, 2018) Palo Alto Unit 42 researchers have discovered a new cryptocurrency-stealing malware, dubbed “ComboJack,” that is being distributed by threat actors via a malspam campaign. Proofpoint and Unit 42 researchers observed that the malspam emails purport that the sender has found a passport in her/his office, and asks the recipient to open the attached PDF file to check if he/she knows the owner. If the PDF attachment is opened, a user will be presented with a single line of text that refers to an embedded doc file. The doc file is an embedded HTA file that contains Powershell commands that, if the file is opened, will begin the infection process for ComboJack. Combojack targets popular digital payment systems such as “WebMoney” and Yandex Money by entering a loop in which every half second it checks the affected machine’s clipboard for data such as wallet information for various currencies. <a href="https://forum.anomali.com/t/sure-ill-take-that-new-combojack-malware-alters-clipboards-to-steal-cryptocurrency/2158" target="_blank">Click here for Anomali recommendation</a>