April 25, 2023
-
Anomali Threat Research
,

Anomali Cyber Watch: Two Supply-Chain Attacks Chained Together, Decoy Dog Stealthy DNS Communication, EvilExtractor Exfiltrates to FTP Server

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Cryptomining, Infostealers, Malvertising, North Korea, Phishing, Ransomware, </b> and <b> Supply-chain attacks</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/7CNXEygTty63ww6qlfFO"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://blog.aquasec.com/leveraging-kubernetes-rbac-to-backdoor-clusters" target="_blank">First-Ever Attack Leveraging Kubernetes RBAC to Backdoor Clusters</a></h3> <p>(published: April 21, 2023)</p> <p>A new Monero cryptocurrency-mining campaign is the first recorded case of gaining persistence via Kubernetes (K8s) Role-Based Access Control (RBAC), according to Aquasec researchers. The recorded honeypot attack started with exploiting a misconfigured API server. The attackers preceded by gathering information about the cluster, checking if their cluster was already deployed, and deleting some existing deployments. They used RBAC to gain persistence by creating a new ClusterRole and a new ClusterRole binding. The attackers then created a DaemonSet to use a single API request to target all nodes for deployment. The deployed malicious image from the public registry Docker Hub was named to impersonate a legitimate account and a popular legitimate image. It has been pulled 14,399 times and 60 exposed K8s clusters have been found with signs of exploitation by this campaign.<br/> <b>Analyst Comment:</b> Your company should have protocols in place to ensure that all cluster management and cloud storage systems are properly configured and patched. K8s buckets are too often misconfigured and threat actors realize there is potential for malicious activity. A defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) approach is a good mitigation step to help prevent actors from highly-active threat groups.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/10023" target="_blank">[MITRE ATT&amp;CK] T1496 - Resource Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/9597" target="_blank">[MITRE ATT&amp;CK] T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a><br/> <b>Tags:</b> Monero, malware-type:Cryptominer, detection:PUA.Linux.XMRMiner, file-type:ELF, abused:Docker Hub, technique:RBAC Buster, technique:Create ClusterRoleBinding, technique:Deploy DaemonSet, target-system:Linux, target:K8s, target:​​Kubernetes RBAC</p> <h3 id="article-2"><a href="https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise" target="_blank">3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible</a></h3> <p>(published: April 20, 2023)</p> <p>Investigation of the previously-reported 3CX supply chain compromise (March 2023) allowed Mandiant researchers to detect it was a result of prior software supply chain attack using a trojanized installer for X_TRADER, a software package provided by Trading Technologies. The attack involved the publicly-available tool SigFlip decrypting RC4 stream-cipher and starting publicly-available DaveShell shellcode for reflective loading. It led to installation of the custom, modular VeiledSignal backdoor. VeiledSignal additional modules inject the C2 module in a browser process instance, create a Windows named pipe and send incoming communication to the C2 server encrypted with AES-256 in Galois Counter Mode. This attack has a medium confidence connection to financially-motivated AppleJeus activity by Lazarus Group, while also displaying some weak infrastructure connection to APT43, both being North Korea-sponsored groups.<br/> <b>Analyst Comment:</b> It is important to regularly review software dependencies for issues such as discontinued projects (X_TRADER platform was reportedly discontinued in 2020). Open source repositories and apps are a valuable asset for many organizations but adoption of these must be security risk assessed, appropriately mitigated and then monitored to ensure ongoing integrity. Indicators associated with the 3CX/X_TRADER compromise are available in the Anomali platform and customers are advised to block these on their infrastructure. This attack was not contained to 3CX users as Symantec researchers identified two critical-infrastructure, energy organizations in the U.S. and in Europe also affected by the X_Trader software supply chain attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10034" target="_blank">[MITRE ATT&amp;CK] T1588 - Obtain Capabilities</a> | <a href="https://ui.threatstream.com/attackpattern/10035" target="_blank">[MITRE ATT&amp;CK] T1588.004 - Obtain Capabilities: Digital Certificates</a> | <a href="https://ui.threatstream.com/attackpattern/10106" target="_blank">[MITRE ATT&amp;CK] T1608 - Stage Capabilities</a> | <a href="https://ui.threatstream.com/attackpattern/10109" target="_blank">[MITRE ATT&amp;CK] T1608.003 - Stage Capabilities: Install Digital Certificate</a> | <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9609" target="_blank">[MITRE ATT&amp;CK] T1195 - Supply Chain Compromise</a> | <a href="https://ui.threatstream.com/attackpattern/9611" target="_blank">[MITRE ATT&amp;CK] T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain</a> | <a href="https://ui.threatstream.com/attackpattern/9712" target="_blank">[MITRE ATT&amp;CK] T1574 - Hijack Execution Flow</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&amp;CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9712" target="_blank">[MITRE ATT&amp;CK] T1574 - Hijack Execution Flow</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9597" target="_blank">[MITRE ATT&amp;CK] T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/9598" target="_blank">[MITRE ATT&amp;CK] T1036.001 - Masquerading: Invalid Code Signature</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&amp;CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9767" target="_blank">[MITRE ATT&amp;CK] T1070 - Indicator Removal On Host</a> | <a href="https://ui.threatstream.com/attackpattern/9768" target="_blank">[MITRE ATT&amp;CK] T1070.001 - Indicator Removal on Host: Clear Windows Event Logs</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10089" target="_blank">[MITRE ATT&amp;CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/12881" target="_blank">[MITRE ATT&amp;CK] T1620 - Reflective Code Loading</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&amp;CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/3715" target="_blank">[MITRE ATT&amp;CK] T1012: Query Registry</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9863" target="_blank">[MITRE ATT&amp;CK] T1083 - File And Directory Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10089" target="_blank">[MITRE ATT&amp;CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/10082" target="_blank">[MITRE ATT&amp;CK] T1614 - System Location Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/12873" target="_blank">[MITRE ATT&amp;CK] T1614.001 - System Location Discovery: System Language Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&amp;CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9891" target="_blank">[MITRE ATT&amp;CK] T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9716" target="_blank">[MITRE ATT&amp;CK] T1573 - Encrypted Channel</a> | <a href="https://ui.threatstream.com/attackpattern/10083" target="_blank">[MITRE ATT&amp;CK] T1573.002 - Encrypted Channel: Asymmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9606" target="_blank">[MITRE ATT&amp;CK] T1565 - Data Manipulation</a> | <a href="https://ui.threatstream.com/attackpattern/9607" target="_blank">[MITRE ATT&amp;CK] T1565.001 - Data Manipulation: Stored Data Manipulation</a><br/> <b>Signatures:</b> <a href="https://ui.threatstream.com/signature/107617" target="_blank"> VeiledSignal - YARA by Mandiant</a><br/> <b>Tags:</b> target:3CX, technique:Supply chain, malware:VeiledSignal, malware-type:Backdoor, malware:TAXHAUL, malware-type:Launcher, malware:COLDCAT, malware-type:Downloader, technique:DLL search order hijacking, malware:POOLRAT, malware:ICONICSTEALER, source-country:North Korea, source-country:KP, actor:UNC4736, actor:APT43, vulnerability:CVE-2013-3900, target:X_TRADER, file-type:EXE, file-type:DLL, target-system:macOS, target-system:Windows</p> <h3 id="article-3"><a href="https://blogs.infoblox.com/cyber-threat-intelligence/cyber-threat-advisory/dog-hunt-finding-decoy-dog-toolkit-via-anomalous-dns-traffic/" target="_blank">Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic</a></h3> <p>(published: April 20, 2023)</p> <p>Infoblox researchers identified several C2 domains using the same rare toolkit dubbed Decoy Dog. The earliest activity goes back to early April 2022. The toolkit is centered around a complex, publicly-available, multi-platform RAT called Pupy, that was previously observed in use by advanced actors such as Earth Berberoka. Decoy Dog exclusively targets enterprise network Linux appliances. It exhibits a unique DNS signature independent of Pupy. For C2 communication it uses encrypted DNS packets sent to dynamically-created subdomains. Decoy Dog C2 domains exhibit a pattern of periodic, but infrequent, DNS requests. These domains show resolution IP addresses in an unusually high number of ASNs and include some unresolvable IP addresses.<br/> <b>Analyst Comment:</b> Decoy Dog is trying to avoid detection using domain aging and infrequent, encrypted, low-level C2 traffic. At the same time this toolkit is uniquely identifiable when examining its domains on a DNS level including a unique DNS signature, resolution and activity patterns. Indicators associated with the Decoy Dog toolkit are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10083" target="_blank">[MITRE ATT&amp;CK] T1573.002 - Encrypted Channel: Asymmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9617" target="_blank">[MITRE ATT&amp;CK] T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/9742" target="_blank">[MITRE ATT&amp;CK] T1048 - Exfiltration Over Alternative Protocol</a><br/> <b>Tags:</b> malware:​​Pupy, malware-type:RAT, malware:Decoy Dog, malware-type:Toolkit, detection:Trojan:Linux/Pupy, detection:Linux/Patpooty, actor:n1nj4sec, filetype:ELF, Anomalous DNS traffic, technique:Dynamic DNS, technique:Strategic aging, target-system:Linux</p> <h3 id="article-4"><a href="https://www.fortinet.com/blog/threat-research/evil-extractor-all-in-one-stealer" target="_blank">EvilExtractor – All-in-One Stealer</a></h3> <p>(published: April 20, 2023)</p> <p>Commodity infostealer EvilExtractor was first released on underground markets in October 2022. Its malicious activity increased significantly in March 2023 mostly targeting America and Europe. EvilExtractor is typically delivered in an obfuscated form as a phishing attachment. It downloads additional archived modules for information stealing and ransom operations. Its Kodex Ransomware is a 7-zip standalone console that encrypts files by archiving them with a password. EvilExtractor uploads stolen data to the attacker’s FTP server that is provided by the malware developer.<br/> <b>Analyst Comment:</b> The best defense against EvilExtractor is anti-phishing training. Never click on attachments or links from spam emails or untrusted senders. Legitimate account confirmation requests typically do not ask users to open an attachment. ​​Network and host-based indicators associated with EvilExtractor are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9742" target="_blank">[MITRE ATT&amp;CK] T1048 - Exfiltration Over Alternative Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a><br/> <b>Tags:</b> malware:EvilExtractor, malware-type:Infostealer, detection:W32/EvilExtractor, abused:FTP, actor:Kodex, abused:Python, abused:PyInstaller, abused:Pyarmor, malware:Kodex Ransomware, malware-type:Ransomware, abused:.NET, abused:Base64, abused:PowerShell, abused:PS2EXE-GUI, technique:Phishing, target-region:America, target-region:Europe, file-type:GZ, file-type:EXE, file-type:ZIP, target-system:Windows</p> <h3 id="article-5"><a href="https://www.secureworks.com/blog/bumblebee-malware-distributed-via-trojanized-installer-downloads" target="_blank">Bumblebee Malware Distributed Via Trojanized Installer Downloads</a></h3> <p>(published: April 20, 2023)</p> <p>A new infection chain delivering the Bumblebee modular loader was detected by Secureworks researchers. It starts with malicious Google Ads pointing to a page on a compromised WordPress site impersonating popular downloads such as ChatGPT, Citrix, Cisco AnyConnect, and Zoom. A target downloads an MSI installer containing a legitimate installer and a malicious PowerShell script that reflectively loads Bumblebee into memory. A follow-up activity on selected networks includes installing of additional tools: Active Directory database dumping batch script, AnyDesk, DameWare, Cobalt Strike, netscanold.exe network scanning utility, and pshashes.txt Kerberoasting attack script.<br/> <b>Analyst Comment:</b> Before clicking to download a software, check if the domain name is misspelled. As is always the case, end user education and awareness remains a key component in any organization’s protective arsenal. Until search engines get better in recognizing these kinds of abuse, take extra caution with search results, especially promoted ones. Organizations are advised to consider restricting the download and execution of third-party software. Network and host-based indicators associated with this Bumblebee campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9885" target="_blank">[MITRE ATT&amp;CK] T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a><br/> <b>Tags:</b> malware:Bumblebee, malware-type:Loader, abused:Google Ads, abused:PowerShell, abused:Cisco AnyConnect, abused:Zoom, abused:ChatGPT, abused:Citrix, malware:Cobalt Strike, abused:AnyDesk, abused:DameWare, target-system:WordPress, technique:Compromised website, file-type:MSI, file-type:EXE, technique:Kerberoasting, target-system:Windows</p> </div> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.
__wf_reserved_heredar