December 6, 2022
Anomali Threat Research

Anomali Cyber Watch: Infected Websites Show Different Headers Depending on Search Engine Fingerprinting, 10 Android Platform Certificates Abused in the Wild, Phishing Group Impersonated Major UAE Oil

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, China, In-memory evasion, Infostealers, North Korea, Phishing, Ransomware, Search engine optimization,</b> and <b>Signed malware</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src=""/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="" target="_blank">Chinese Gambling Spam Targets World Cup Keywords</a></h3> <p>(published: December 2, 2022)</p> <p>Since 2018, a large-scale website infection campaign was affecting up to over 100,000 sites at a given moment. Infected websites, mostly oriented at audiences in China, were modified with additional scripts. Compromised websites were made to redirect users to Chinese gambling sites. Title and Meta tags on the compromised websites were changed to display keywords that the attackers had chosen to abuse search engine optimization (SEO). At the same time, additional scripts were switching the page titles back to the original if the visitor fingerprinting did not show a Chinese search engine from a preset list (such as Baidu).<br/> <b>Analyst Comment:</b> Website owners should keep their systems updated, use unique strong passwords and introduce MFA for all privileged or internet facing resources, and employ server-side scanning to detect unauthorized malicious content. Implement secure storage for website backups.<br/> <b>MITRE ATT&amp;CK:</b> <a href="" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> SEO hack, HTML entities, Black hat SEO, Fraudulent redirects, Visitor fingerprinting, Gambling, Sports betting, World Cup, China, target-country:CN, JavaScript, Baidu, baiduspider, Sogou, 360spider, Yisou</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Leaked Android Platform Certificates Create Risks for Users</a></h3> <p>(published: December 2, 2022)</p> <p>On November 30, 2022, Google reported 10 different Android platform certificates that were seen actively abused in the wild to sign malware. Rapid7 researchers found that the reported signed samples are adware, so it is possible that these platform certificates may have been widely available. It is not shared how these platform certificates could have been leaked.<br/> <b>Analyst Comment:</b> Malware signed with a platform certificate can enjoy privileged execution with system permissions, including permissions to access user data. Developers should minimize the number of applications requiring a platform certificate signature.<br/> <b>Tags:</b> Android, Google, Platform certificates, Signed malware, malware-type:Adware</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Blowing Cobalt Strike Out of the Water With Memory Analysis</a></h3> <p>(published: December 2, 2022)</p> <p>The Cobalt Strike attack framework remains difficult to detect as it works mostly in memory and doesn’t touch the disk much after the initial loader stage. Palo Alto researchers analyzed three types of Cobalt Strike loaders: KoboldLoader which loads an SMB beacon, MagnetLoader loading an HTTPS beacon, and LithiumLoader loading a stager beacon. These beacon samples do not execute in normal sandbox environments and utilize in-memory evasion features. For example, the KoboldLoader’s SMB beacon attempts to free memory associated with the reflective DLL package, overwrites the MZ magic PE bytes and subsequent DOS header with a small loader shellcode, uses the x86 reflective loader to load the specified library and overwrite its space, and obfuscates the reflective DLL’s import table, overwriting unused header content.<br/> <b>Analyst Comment:</b> Highly-evasive nature of in-memory beacons makes it important to analyze artifacts from the deltas in process memory at key points of execution. It is suggested to concentrate on function pointers, decoded stages of the loader, OS Structure modifications, and all changes made to page permissions.<br/> <b>MITRE ATT&amp;CK:</b> <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> detection:Cobalt Strike, detection:Cobalt Strike beacon, SMB, HTTPS, Stager beacon, detection:KoboldLoader, detection:MagnetLoader, detection:LithiumLoader, Sandbox evasion</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">₿uyer ₿eware: Fake Cryptocurrency Applications Serving as Front for AppleJeus Malware</a></h3> <p>(published: December 1, 2022)</p> <p>Since 2018, North Korea-sponsored Lazarus Group has been using fake cryptocurrency-related applications to spread the AppleJeus malware. In June-October 2022, Volexity researchers observed continuation and evolution of this campaign. Lazarus Group was switching from using Microsoft Installation (MSI) malicious files to Microsoft Office documents that use an OLE object with a macro dynamically loaded from another macro. The attackers also augmented their DLL sideloading procedure by adding a second step. The legitimate binary loads a legitimate DLL from the System32 directory, and then that DLL causes the loading of a malicious DLL from the binary’s directory.<br/> <b>Analyst Comment:</b> Users involved in cryptocurrency and other financial activity should take extra caution when downloading new applications. Consider blocking macro execution in Microsoft Office. Network defenders are advised to pay extra attention to creation of new scheduled tasks. Indicators associated with this Lazarus Group campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK:</b> <a href="" target="_blank">[MITRE ATT&amp;CK] Custom Cryptographic Protocol - T1024</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a><br/> <b>Tags:</b> mitre-group:Lazarus Group, North Korea, source-country:KP, target-industry:Cryptocurrency, APT, detection:AppleJeus, file-type:MSI, OLE object, Macro, file-type:DLL, file-type:EXE, DLL side-loading, OpenDrive, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Advanced Phishing Campaign Targeting Individuals &amp; Businesses in the Middle East (Part 2)</a></h3> <p>(published: November 28, 2022)</p> <p>A major business email compromise (BEC) phishing campaign targets UAE organizations using fake job offers, contract bidding, and vendor registration lures. CloudSEK researchers connected this campaign to an unidentified, experienced group that has been active since at least 2020. Some of the typosquatted domains were impersonating three major oil companies and were only used for email servers. Other typosquattted domains included websites copying the respective investment firms, hotels, and travel agencies. The attackers used HTTrack to port sites from one typosquatted domain to another, and services slow-to-respond to abuse complaints such as Tucows Domains, and Zoho Mail.<br/> <b>Analyst Comment:</b> It is important to keep a watchful eye on suspicious domain registration activity related to your brand and companies from your supply chain. Anomali Targeted Threat Monitoring service can help you detect and block such suspicious domain registrations and further protect your digital and corporate assets. Encourage your employees to check email addresses and web links for altered spellings.<br/> <b>Tags:</b> target-region:Middle East, UAE, target-country:AE, target-industry:Tourism, target-industry:Oil and Gas, target-industry:Real Estate, target-industry:Investment, Phishing, Tucows Domains, Zoho Mail, HTTrack, Domain forwarding</p> </div> <div class="trending-threat-article"> <h3><a href="" target="_blank">Attacker Uses a Popular TikTok Challenge to Lure Users Into Installing Malicious Package</a></h3> <p>(published: November 28, 2022)</p> <p>Checkmarx researchers discovered a new social engineering campaign tricking users to install the WASP stealer. In November 2022, the attackers were tricking users to download malicious packages claiming the ability to remove nudity obfuscation from "Invisible Body" filtered TikTok videos. Despite efforts to report and remove initial malicious packages from pypi, the attackers showed some resiliency by publishing new ones. Besides prompting users to download the malware, new members were asked to "star" the GitHub project, giving it more social weight.<br/> <b>Analyst Comment:</b> Users should be careful when downloading software projects that are new, especially if their alleged functionality is illegal or of dubious nature. Open-source package registries should implement multi-step verification to protect their ecosystem against the abuse.<br/> <b>MITRE ATT&amp;CK:</b> <a href="" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> detection:WASP, malware-type:Infostealer, Social engineering, StarJacking, Invisible Challenge, Space Unfilter, TikTok, Discord, GitHub, Tiktok-Unfilter-Api, pypi</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.