July 31, 2018
Anomali Threat Research

Weekly Threat Briefing: US State Governments Receive Malware-Laden CDs From China Via Snail Mail

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discusses the following threats: <strong>APT34, Hide ‘N Seek Botnet, LeafMiner, Macro-Enabled Malspam, Phishing,</strong> and <strong>QUADAGENT</strong>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://latesthackingnews.com/2018/07/30/us-state-governments-receive-malware-laden-cds-from-china-via-snail-mail/" target="_blank"><b>US State Governments Receive Malware-Laden CDs From China Via Snail Mail</b></a> (<i>July 30, 2018</i>)<br /> The State Department of Cultural Affairs has received letters via snail mail from an unknown sender in China that contained CDs loaded with malware, along with notes written in confusing English. The letters are suspected to have been sent to various local and state-level government departments, and the Multi-State Center for the Distribution and Analysis of Information (MS-ISAC) has issued a non-public statement advising the offices not to do anything with the CDs. 
It is unclear whether any of the CDs had been inserted into government machines and used at the time of this publication.<br /> <a href="https://forum.anomali.com/t/us-state-governments-receive-malware-laden-cds-from-china-via-snail-mail/2726" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://cyware.com/news/us-shipping-giant-cosco-reportedly-hit-by-destructive-ransomware-f4d2a48e" target="_blank"><b>US Shipping Giant COSCO Reportedly Hit By Destructive Ransomware</b></a> (<i>July 26, 2018</i>)<br /> The US branch of the Chinese shipping company COSCO has released a statement saying that it experienced a “network breakdown” on July 24, 2018. Internal emails suggest that it was a ransomware infection, and the company is warning employees not to open any suspicious emails and to conduct a comprehensive scan of the network. The US branch is said to have had its email systems, WAN, and VPN gateways compromised in the infection. 
This has forced the US branch to suspend its network connection to avoid further infection while an investigation into the matter is underway.<br /> <a href="https://forum.anomali.com/t/us-shipping-giant-cosco-reportedly-hit-by-destructive-ransomware/2727" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-underminer-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-with-encrypted-tcp-tunnel/" target="_blank"><b>New Exploit Kit Delivers Bootkit and Cryptocurrency-mining Malware via Encrypted TCP Tunnel</b></a> (<i>July 26, 2018</i>)<br /> A new Exploit Kit (EK), dubbed "Underminer" or "Hidden Bee," has been discovered attempting to exploit a number of known vulnerabilities ("CVE-2015-5119" and "CVE-2018-4878" in Flash Player, and "CVE-2016-0189" in Internet Explorer) for the purpose of deploying a bootkit and a cryptocurrency miner. A variant of the EK was first detected in late 2017 after infecting some 500,000 machines, mainly located in Asia. Unsuspecting users are lured by malvertisements to websites that attempt to exploit the vulnerabilities on the client’s system. RSA encryption is used to encrypt payloads, while the RC4 or Rabbit stream ciphers are used to encrypt traffic between the infected host and the C2 server. 
The use of asymmetric encryption (also used by the Angler, Nuclear, and Astrum EKs) impedes researchers’ ability to track online activity and reverse engineer the payloads.<br /> <a href="https://forum.anomali.com/t/new-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-via-encrypted-tcp-tunnel/2728" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.welivesecurity.com/2018/07/26/fake-banking-apps-google-play-leak-stolen-credit-card-data/" target="_blank"><b>Fake banking apps on Google Play leak stolen credit card data</b></a> (<i>July 26, 2018</i>)<br /> A set of fake banking applications has made its way onto the official “Google Play” store, according to ESET researchers. The applications claimed to increase the credit card limit for customers of three different Indian banks. The applications phish for credit card information and banking credentials using bogus forms. The phished information is sent to the attackers’ server. 
The listing on the attackers’ server was open to anyone with the link, amplifying the potential damage to victims, as the sensitive information is available to anyone who happens to come across it.<br /> <a href="https://forum.anomali.com/t/fake-banking-apps-on-google-play-leak-stolen-credit-card-data/2729" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"><b>OilRig Targets Technology Service Provider and Government Agency with QUADAGENT</b></a> (<i>July 25, 2018</i>)<br /> Palo Alto Networks researchers have observed the “OilRig” APT group targeting a technology services provider and a government entity in the Middle East. The attacks used compromised email accounts to send spear phishing emails with an attachment that delivered a PowerShell-based backdoor named “QUADAGENT.” The compromised email accounts belonged to an unnamed government agency based in the Middle East. The QUADAGENT backdoor communicates with its command and control server via DNS tunneling, from which it receives additional PowerShell scripts to run. 
The PowerShell script is obfuscated with the open source tool “Invoke-Obfuscation.”<br /> <a href="https://forum.anomali.com/t/oilrig-targets-technology-service-provider-and-government-agency-with-quadagent/2730" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank"><b>Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions</b></a> (<i>July 25, 2018</i>)<br /> Symantec researchers have discovered a new threat actor group, dubbed “Leafminer,” that has been targeting various organizations in the Middle East since late 2017. Its primary targets have been financial, government, petrochemical, and shipping organizations, among others, based in Afghanistan, Bahrain, Egypt, Israel, Kuwait, Lebanon, Qatar, Saudi Arabia, and the United Arab Emirates. The threat group utilizes watering hole attacks on compromised web servers, pre-existing vulnerabilities in operating systems, and brute force attacks on logins with weak passwords. This threat group is extremely active and is suspected to be located in Iran, based on the Iranian Farsi used in the list of intended targets discovered by researchers. 
The new Advanced Persistent Threat (APT) group is believed to be less experienced because it is capitalizing on more advanced groups’ Tactics, Techniques, and Procedures (TTPs) that are in the public domain, and because its poor operational security led to its target list being leaked.<br /> <a href="https://forum.anomali.com/t/leafminer-new-espionage-campaigns-targeting-middle-eastern-regions/2731" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/hackers-hiding-web-shell-logins-in-fake-http-error-pages/" target="_blank"><b>Hackers Hiding Web Shell Logins in Fake HTTP Error Pages</b></a> (<i>July 24, 2018</i>)<br /> Threat actors have recently increased their use of fake HTTP error documents to hide the login forms for their web shells, according to security researcher ‘nullcookies’. This type of attack is not new, but the frequency of the attack vector has substantially increased. 
This is an easy technique threat actors can use to upload malware, phishing scripts, or other software to a target’s system, because potential targets cannot easily tell that the error message is fake.<br /> <a href="https://forum.anomali.com/t/hackers-hiding-web-shell-logins-in-fake-http-error-pages/2732" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.proofpoint.com/us/threat-insight/post/kronos-reborn" target="_blank"><b>Kronos Reborn</b></a> (<i>July 24, 2018</i>)<br /> Researchers from Proofpoint have discovered a new version of the “Kronos” banking trojan in the wild. The banking trojan was observed being delivered in multiple campaigns to users in Germany, Japan, and Poland, via malicious macro-enabled Microsoft Word documents and the RIG exploit kit. When macros are enabled in the malicious documents, the document downloads the new variant of Kronos and executes it. In some cases “Smoke Loader” was used as an intermediary. The major difference in the new version is that Kronos now uses Tor communications for command and control.<br /> <a href="https://forum.anomali.com/t/kronos-reborn/2733" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.fortinet.com/blog/threat-research/hide--n-seek--from-home-routers-to-smart-home-insecurities.html" target="_blank"><b>Hide ‘N Seek Botnet Targets Smart Homes</b></a> (<i>July 24, 2018</i>)<br /> Security firm Fortinet has reported that the Hide ‘N Seek botnet has begun targeting vulnerabilities in IoT home devices. 
The malware, as of the publication of this article, has a configuration made up of 110 entries and 9 exploits, including a remote code execution exploit for the HomeMatic Zentrale CCU2. The botnet has been known to infect home routers, IP cameras, AVTECH webcams, Cisco Linksys routers, and other devices. As of May 2018, it had infected over 90,000 unique IoT devices. Security researchers anticipate that more functionality will be added to the botnet, including more publicly available exploits.<br /> <a href="https://forum.anomali.com/t/hide-n-seek-botnet-targets-smart-homes/2734" target="_blank">Click here for Anomali recommendation</a></p></div><div id="observed-threats"><h2 id="observedthreats">Observed Threats</h2><p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/platform/threatstream" target="_blank">Click here to request a trial.</a> </p></div><div id="threat_model"><div id="threat_model_actors"><div><h3><a href="https://ui.threatstream.com/actor/4411" target="_blank">APT34</a></h3> The Advanced Persistent Threat (APT) group “APT34” is believed to be an Iranian-based group that has been active since at least 2014. APT34 conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. The group works on behalf of the Iranian government. APT34 uses a mix of public and non-public tools. There is a possibility that APT34 may be related to the Iranian “Chafer” threat group outlined by Symantec in 2015 due to a shared server.</div></div></div></div>
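<p>The "Hackers Hiding Web Shell Logins in Fake HTTP Error Pages" item above describes a technique that a web administrator can hunt for directly: a genuine error document has no reason to carry a password prompt. The script below is an added example written for this briefing, not code from Anomali or from the cited article. It walks a web root, parses each HTML or PHP source file with the standard library's <code>html.parser</code>, and flags files that read like a 4xx/5xx error page yet contain a form, rating a password input as high severity and a bare form (common on legitimate 404 pages with a site-search box) as low. The function names, the error-marker regex and the two sample pages are constructed for the example.</p>

```python
"""
Defensive scan: flag HTML/PHP source files that present themselves as HTTP
error pages but contain a login form. Hypothetical example: the regex,
severity rules and the sample pages below are constructed for illustration.
"""
import os
import re
from html.parser import HTMLParser

# Text that marks a page as an error document: a 4xx/5xx status code or a
# stock reason phrase in the <title> or the first few hundred characters.
ERROR_MARKER_RE = re.compile(
    r"\b(4\d\d|5\d\d)\b|not found|forbidden|internal server error|unauthori[sz]ed",
    re.IGNORECASE,
)


class _LoginFormFinder(HTMLParser):
    """Collect the <title>, visible text, and form/input counts of a page."""

    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title_parts = []
        self.text_parts = []
        self.forms = 0
        self.password_inputs = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form":
            self.forms += 1
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)
        self.text_parts.append(data)


def analyse_page(source):
    """Return a verdict dict for one page's HTML source."""
    parser = _LoginFormFinder()
    parser.feed(source)
    parser.close()
    title = "".join(parser.title_parts).strip()
    head_text = " ".join(parser.text_parts)[:400]
    looks_like_error = bool(
        ERROR_MARKER_RE.search(title) or ERROR_MARKER_RE.search(head_text)
    )

    # A password field on an error document is the strong signal; a bare form
    # is weak because many legitimate 404 pages carry a site-search box.
    if looks_like_error and parser.password_inputs:
        severity = "high"
    elif looks_like_error and parser.forms:
        severity = "low"
    else:
        severity = None
    return {
        "title": title,
        "looks_like_error": looks_like_error,
        "forms": parser.forms,
        "password_inputs": parser.password_inputs,
        "severity": severity,
    }


def scan_webroot(root, extensions=(".html", ".htm", ".php")):
    """Walk a directory and return (path, verdict) for every flagged file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                verdict = analyse_page(fh.read())
            if verdict["severity"]:
                findings.append((path, verdict))
    return findings


# Constructed samples: a genuine-looking 404 with a site-search box, and a
# lookalike 404 whose body hides a password prompt for a web shell.
GENUINE_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<form action="/search"><input type="text" name="q"><input type="submit"></form>
</body></html>"""

FAKE_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><p>The requested URL was not found on this server.</p>
<div style="display:none"><form method="post">
<input type="password" name="pass"><input type="submit" value="&gt;"></form></div>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_404), ("fake", FAKE_404)):
        print(label, analyse_page(page))
```

<p>Run <code>scan_webroot("/var/www")</code> (path is an assumption) from a cron job or a file-integrity check and review every "high" finding by hand; the scan inspects source text, so a PHP file that emits the form only after the page's own logic still shows the <code>&lt;input type="password"&gt;</code> and is caught, while a shell that builds the form from obfuscated strings is not, and needs the web server's access logs as the second line of detection.</p>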