June 7, 2022
-
Anomali Threat Research
,

Anomali Cyber Watch: Man-on-the-Side Attack Affects 48,000 IP Addresses, Iran Outsources Cyberespionage to Lebanon, XLoader Complex Randomization to Contact Mostly Fake C2 Domains, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, China, Confluence, Iran, Lebanon, Sandbox evasion, Signed files,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/TCqdbnJ0QwKNANrT3rsd"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://securelist.com/windealer-dealing-on-the-side/105946/" target="_blank">WinDealer Dealing on the Side</a></h3> <p>(published: June 2, 2022)</p> <p>Kaspersky researchers detected a man-on-the-side attack used by China-sponsored threat group LuoYu. Man-on-the-side is similar to man-in-the-middle (MitM) attack; the attacker has regular access to the communication channel. In these attacks LuoYu were using a potent modular malware dubbed WinDealer that can serve as a backdoor, downloader, and infostealer. The URL that distributes WinDealer is benign, but on rare conditions serves the malware. One WinDealer sample was able to use a random IP from 48,000 IP addresses of two Chinese IP ranges. Another WinDealer sample was programmed to interact with a non-existent domain name, www[.]microsoftcom.<br/> <b>Analyst Comment:</b> Man-on-the-side attacks are hard to detect. Defense would require a constant use of a VPN to avoid networks that the attacker has access to. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from advanced threat groups.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905334" target="_blank">[MITRE ATT&amp;CK] Man-in-the-Middle - T1557</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947079" target="_blank">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a><br/> <b>Tags:</b> Man-on-the-side attack, WinDealer, LuoYu, SpyDealer, Demsty, Man-in-the-middle, APT, EU, target-region:EU, North America, Russia, China, source-country:CN, target-country:CN, Germany, target-country:DE, Austria, target-country:AT, USA, target-country:US, Czech Republic, target-country:CZ, Russia, target-country:RU, India, target-country:IN.</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html" target="_blank">Analysis of the Massive NDSW/NDSX Malware Campaign</a></h3> <p>(published: June 2, 2022)</p> <p>Sucuri researchers describe the NDSW/NDSX (Parrot TDS) malware campaign that compromises websites to distribute other malware via fake update notifications. Currently one of the top threats involving compromised websites, NDSW/NDSX began operation in or before February 2019. This campaign utilizes various exploits including those based on newly-disclosed and zero-day vulnerabilities. After the compromise, the NDSW JavaScript is injected often followed by the PHP proxy script that loads the payload on the server side to hide the malware staging server. Next step involves the NDSX script downloading payload depending on the victim’s profile.<br/> <b>Analyst Comment:</b> Keep your content management system (CMS) and all plugins up to date. Monitor for unwanted users, admin accounts, themes, and plugins. Defenders should teach their users to avoid fake update notifications and to follow standard update procedure utilizing trusted channels.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a><br/> <b>Tags:</b> NDSW/NDSX, Parrot TDS, Website compromise, Fake update, Fake Plugins, WordPress, PHP, JavaScript, Inline script</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank">Exposing POLONIUM Activity and Infrastructure Targeting Israeli Organizations</a></h3> <p>(published: June 2, 2022)</p> <p>Microsoft researchers detected Polonium, a new Lebanon-sponsored threat group that targets predominantly Israeli companies involved in defense, IT, and critical manufacturing. In one case, targeting of an IT company was serving the following supply-chain attacks that relied on service provider credentials. Iranian government is known to use third parties to carry out some cyber operations on their behalf. Based on targeting and tactics, techniques and procedures (TTPs), Polonium activity is probably one of the several groups guided by Iran’s Ministry of Intelligence and Security. This guidance was suggested by researchers as Polonium activity was seen in several systems previously targeted by Static Kitten. Similar to Siamese Kitten (Lyceum, Hexane), Polonium creates accounts on cloud services (OneDrive and DropBox) to abuse them for command-and-control (C2) traffic. Similar to CopyKittens, Polonium uses AirVPN.<br/> <b>Analyst Comment:</b> Review partner relationships to remove unrecognized ones and minimize any unnecessary permissions between your organization and upstream providers. Analyze suspicious PowerShell behavior and network connections. Review outbound connection to non-standard ports.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905082" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Web Service - T1567</a> | <a href="https://ui.threatstream.com/ttp/947203" target="_blank">[MITRE ATT&amp;CK] Web Service - T1102</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a><br/> <b>Tags:</b> Polonium, Lebanon, source-country:LB, Israel, target-country:IL, OneDrive, Iran’s Ministry of Intelligence and Security, APT, Manufacturing, IT, Defense, Middle East, Supply chain, CreepyDrive, CreepyBox, PowerShell, CreepySnail, CreepyRing, CreepyWink, plink, AirVPN, CVE-2018-13379</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/popping-eagle-malware/" target="_blank">Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor</a></h3> <p>(published: June 2, 2022)</p> <p>Palo Alto Networks discovered a new advanced group of an unknown origin that was able to use open-source tools to develop custom malware that is designed to evade security detection. The attack starts with signed binary (clicksharelauncher.exe, signed by "Barco N.V.") being modified using DLL search order hijacking by an unsigned modified DLL. The first stage malware was called Popping Eagle by the researchers based on the naming of the added malicious exported function. The second stage is the Going Eagle malware, a 32-bit DLL written in Go. It was used to create a reverse SOCKS, move laterally using open RDP, SMB and RPC ports and steal credentials.<br/> <b>Analyst Comment:</b> Researchers are advised to monitor for suspicious GO binaries with proxy communication capabilities (“Go socks”). Hunt for anomalous actions done by signed applications.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/3905073" target="_blank">[MITRE ATT&amp;CK] Dynamic Resolution - T1568</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947145" target="_blank">[MITRE ATT&amp;CK] Signed Binary Proxy Execution - T1218</a> | <a href="https://ui.threatstream.com/ttp/3905359" target="_blank">[MITRE ATT&amp;CK] Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947276" target="_blank">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947189" target="_blank">[MITRE ATT&amp;CK] Account Discovery - T1087</a> | <a href="https://ui.threatstream.com/ttp/3905348" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a><br/> <b>Tags:</b> Popping Eagle, Going Eagle, Industrial espionage, DLL hijacking, Golang, SOCKS, Proxy, SMB, RDP, Windows, WinHttpClient, wmiexec</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/" target="_blank">Zero-Day Exploitation of Atlassian Confluence</a></h3> <p>(published: June 2, 2022)</p> <p>Volexity researchers detected zero-day exploitation of an Atlassian Confluence vulnerability registered as CVE-2022-26134 over the Memorial Day weekend in the United States (May 28-30, 2022). The attackers consist of multiple threat actors and are likely China-based, according to Volexity researchers. Post-exploitation activity included deployment of the open-source Behinder implant and additional webshells such as another openly available malware, China Chopper.<br/> <b>Analyst Comment:</b> Security fixes were made available on June 3, 2022, and should be applied to vulnerable systems. If there is a possibility that a compromise has already occurred, check for newly-introduced JSP files and for modification of existing Confluence JSP files, especially noop.jsp.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3297595" target="_blank">[MITRE ATT&amp;CK] Server Software Component - T1505</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/3905348" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a><br/> <b>Tags:</b> Atlassian, Confluence, CVE-2022-26134, RCE, Confluence Server, Confluence Data Center, China, source-country:CN, USA, target-country:US, JSP web shell, Bash shell, Behinder, Web server implant, China Chopper, Meterpreter, Cobalt Strike, Zero-day, APT, Memory-only, Command injection vulnerability, Exploit</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.avast.com/smsfactory-android-trojan" target="_blank">SMSFactory Android Trojan Producing High Costs for Victims</a></h3> <p>(published: June 1, 2022)</p> <p>Within the last 12 months, Avast researchers detected over 165,000 attacks involving the SMSFactory Android trojan. The most targeted countries were Russia, Brazil, Argentina, Turkey, and Ukraine, in that order. This malware spreads via malvertising, gathers victim system and location information, and steals funds by sending messages and making calls to premium rate numbers. SMSFactory has variants with additional functionality such as creating a new admin account for persistence, or collecting the contact list for further targeting. The actors rely on their own infrastructure of websites for staging and communication, independent of the Google Play Store. It allowed them to use otherwise prohibited stealthy features such as the lack of app icon and name.<br/> <b>Analyst Comment:</b> Only use official locations such as the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation. Disable premium SMS with your carrier.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> SMSFactory, TrojanSMS, Malvertising, Premium rate numbers, Paid SMS, Fraud, Russia, target-country:RU, Brazil, target-country:BR, Argentina, target-country:AR, Turkey, target-country:TR, Ukraine, target-country:UA, Android</p> </div> <div class="trending-threat-article"> <h3><a href="https://research.checkpoint.com/2022/xloader-botnet-find-me-if-you-can/" target="_blank">XLoader Botnet: Find Me If You Can</a></h3> <p>(published: May 31, 2022)</p> <p>Since 2020, the XLoader infostealer has taken over the Formbook malware niche and is rapidly evolving. XLoader developers try hard to hide the command-and-control (C2) infrastructure. Each XLoader sample has 65 encoded domains with only one of which being the real C2 domain, and the malware doesn’t contact it until after a wait period. XLoader version 2.5 contacts a portion of encoded domains and slowly replaces some of them each cycle resulting in only about 50% chance of contacting the real C2 domain in the first nine minutes of execution. Real C2 domains are masquerading with fake Hostinger or Namecheap parked domain pages. On May 5, 2022, a new XLoader version 2.6 was detected with a new sandbox-evasion technique of preferring fake C2 connections when running on x86 system architecture still used by many sandboxes.<br/> <b>Analyst Comment:</b> Manual analysis can still spot the real XLoader C2 domains: they are shared by multiple samples, and the code of fake parked domain pages is different from the original. Always run antivirus and endpoint protection software to assist in preventing infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a><br/> <b>Tags:</b> XLoader, Formbook, Namecheap, Sandbox evasion, C2, Fake C2 domains, Infostealer, Keylogger</p> </div> <div class="trending-threat-article"> <h3><a href="https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers" target="_blank">Rapidly Evolving IoT Malware EnemyBot Now Targeting Content Management System Servers and Android Devices</a></h3> <p>(published: May 26, 2022)</p> <p>First discovered in March 2022, EnemyBot was originally based on Mirai, Qbot, and, to a lesser extent, Zbot. EnemyBot is operated by the well-resourced threat group Keksec (Kek Security) that is able to implement new vulnerabilities within days of the proof-of-concept (PoC) publication. It expanded its capability beyond Internet of Things (IoT) and now targets Adobe ColdFusion, Android devices, PHP Scriptcase, VMware Workspace ONE, WordPress, and more.<br/> <b>Analyst Comment:</b> Monitor for outbound port scans and unreasonable bandwidth usage. Apply security updates on a regular basis. Limit exposure to the Internet on Linux servers and IoT devices and use a properly configured firewall.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947217" target="_blank">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947253" target="_blank">[MITRE ATT&amp;CK] Data Transfer Size Limits - T1030</a><br/> <b>Tags:</b> EnemyBot, Keksec, Kek Security, Mirai, Qbot, Github, VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase, IoT, CMS, Android, IoT, x86, ARM, macOS, OpenBSD, PowerPC, MIPS, CVE-2022-22954, CVE-2022-1388, CVE-2021-44228, CVE-2022-22947, CVE-2022-22954, DDoS</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.
__wf_reserved_heredar