Anomali Cyber Watch: SMS Phishing Campaign Targets UPS, USB-Driven Malware Propagation, Evasive BatLoader executes Ransomware, and More
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Botnets, Data leak, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Trending Cyber News and Threat Intelligence
SMS Phishing Campaign Targets UPS Tracking Tool, Harvesting Phone Numbers and Shipment Data
(published: June 22, 2023)
UPS Canada has experienced a targeted SMS phishing (smishing) campaign in which fraudsters harvested phone numbers and shipment information from the company's online tracking tool. The phishing messages, spoofing UPS and other prominent brands, addressed recipients by name and included details about recent orders. The attack, which took place in February and March 2021, was the first known instance of smishing using data from a major package delivery company. UPS has issued privacy incident notification letters to affected individuals in Canada and provided resources to help them combat such attempts. UPS has since taken steps to protect customer data, including adding authentication measures and limiting the amount of data that can be accessed.
Analyst Comment: It is important that businesses take the necessary steps to ensure that their systems are secure and that customer information is protected. First, exercise caution when receiving unexpected messages demanding additional payments or personal information. Verify the legitimacy of such messages by contacting the company directly through official channels. Second, regularly monitor and update your mobile device's security software and operating system to ensure protection against known vulnerabilities.
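The second piece of advice above (verify unexpected messages through official channels) can be partly automated on the receiving side: a message that names a brand but links to a domain the brand does not own is the core smishing pattern described in this story. The following is an added illustration, not code from Anomali or UPS; the brand allowlist, the pressure-word list and the sample messages are all constructed for the example, and the registrable-domain helper deliberately ignores multi-label public suffixes.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed allowlist: official registrable domains per brand the filter
# protects (assumption; a real deployment maintains this list per brand).
BRAND_DOMAINS = {"ups": {"ups.com"}}
# Wording the lures in this story relied on: extra payments and personal details.
# Recorded as a secondary signal only.
PRESSURE_WORDS = ("payment", "fee", "customs", "redeliver", "verify", "suspended")

URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('tracking.ups.com' -> 'ups.com').
    Assumption: ignores multi-label public suffixes such as co.uk; use the
    Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_domains(text: str) -> list[str]:
    """Registrable domain of every URL in the message, in order of appearance."""
    found = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:!?)")
        if not url.lower().startswith("http"):
            url = "http://" + url          # make bare www. links parseable
        host = urlparse(url).hostname
        if host:
            found.append(registrable_domain(host))
    return found


def assess_sms(text: str) -> dict:
    """Flag a message that names a brand but links to a domain the brand does not own."""
    lower = text.lower()
    domains = extract_domains(text)
    findings = []
    for brand, official in BRAND_DOMAINS.items():
        # whole-word match so 'ups' does not fire on 'groups' or 'cups'
        if re.search(rf"\b{re.escape(brand)}\b", lower):
            off_brand = [d for d in domains if d not in official]
            if off_brand:
                findings.append(f"'{brand}' named but links go to {off_brand}")
    pressure = [w for w in PRESSURE_WORDS if w in lower]
    return {
        "domains": domains,
        "findings": findings,
        "pressure_words": pressure,
        "suspicious": bool(findings),
    }


# Constructed sample messages; not the real texts from the incident.
SAMPLE_SMS = [
    "UPS: Hi Alex, parcel 1Z-EXAMPLE-000 is held for a customs fee. "
    "Pay at http://ups-redelivery.example/pay to release it.",
    "UPS: Your package arrives today between 2-4pm. Track at https://www.ups.com/track",
    "Reminder: dentist appointment Tuesday at 3pm.",
]

if __name__ == "__main__":
    for sms in SAMPLE_SMS:
        verdict = assess_sms(sms)
        print("SUSPICIOUS" if verdict["suspicious"] else "ok        ", sms[:60])
```

The verdict rests on the link, not the wording: a message with urgent language but a link on the brand's own domain is not flagged, while the first sample is flagged because "UPS" appears alongside a link to an unrelated domain. The pressure-word list is returned so an analyst can see why a flagged message looked convincing, which matches the observation that these lures carried real order details.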
MITRE ATT&CK: [MITRE ATT&CK] T1590 - Gather Victim Network Information | [MITRE ATT&CK] T1574 - Hijack Execution Flow | [MITRE ATT&CK] T1566.003 - Phishing: Spearphishing via Service | [MITRE ATT&CK] T1563.002 - Remote Service Session Hijacking: RDP Hijacking | [MITRE ATT&CK] T1556 - Modify Authentication Process
Tags: UPS, technique:Phishing, technique:Smishing, technique:Targeted-phishing, Data breach, Fraudulent text messages, Information leakage, target-system:Mobile browser, target-country:Canada
BatLoader Executes Ransomware Payloads on the Fly
(published: June 22, 2023)
The Mallox ransomware, also known as "TargetCompany," has evolved with a new variant that employs an evasive infection technique. Instead of relying on a remote server to retrieve the ransomware payload, this variant utilizes a batch script injected into "MSBuild.exe" without saving it to disk. The ransomware appends the file extension ".malox" to encrypted files, deviating from its previous ".mallox" extension. The distribution of victims indicates a significant impact on the manufacturing, energy, utilities, IT, ITES, and professional services industries. The use of BatLoader suggests the involvement of the Mallox ransomware group, known for distributing various malware families such as Quasar RAT, Async RAT, Redline Stealer, and DC RAT. These evolving tactics demonstrate the threat actors' ongoing efforts to enhance evasion techniques and maintain their malicious activities.
Analyst Comment: To protect against the evolving tactics of the Mallox ransomware group and similar threats, it is crucial to implement strong cybersecurity practices. These include regularly backing up data and storing backups offline, enabling automatic software updates, using reputable antivirus and internet security software, and exercising caution when opening links and email attachments. Indicators related to Mallox ransomware can be easily found on the Anomali platform.
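Two of the observable details in this story translate directly into endpoint detection logic: MSBuild.exe being started by something other than a build tool (a batch script runs under cmd.exe, which is the assumption this rule encodes), and a burst of files renamed to the ".malox" or ".mallox" extension on one host. The following is an added example, not code from Anomali or the original researchers; the events are constructed in the shape of normalised Sysmon process-create and file-rename records, and the expected-parent allowlist and burst threshold are assumptions to tune per environment.

```python
from __future__ import annotations
import ntpath
from collections import Counter

# Extensions named in the report for this Mallox variant and its predecessor.
RANSOM_EXTS = {".malox", ".mallox"}
# Assumption: parents from which MSBuild.exe is expected in this environment
# (Visual Studio, a nested build, the dotnet host). Tune per estate.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# Constructed threshold: renames to a ransomware extension per host before alerting.
RENAME_BURST = 3


def basename(path: str) -> str:
    """Case-folded file name of a Windows path; ntpath works on any OS."""
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[dict]:
    """Return alerts for unexpected MSBuild parents and ransomware-extension bursts."""
    alerts = []
    renames: Counter[str] = Counter()
    for ev in events:
        if ev["event"] == "process_create" and basename(ev["image"]) == "msbuild.exe":
            parent = basename(ev["parent_image"])
            if parent not in EXPECTED_MSBUILD_PARENTS:
                alerts.append({"rule": "msbuild_unexpected_parent",
                               "host": ev["host"], "parent": parent})
        elif ev["event"] == "file_rename":
            ext = ntpath.splitext(ev["target"])[1].lower()
            if ext in RANSOM_EXTS:
                renames[ev["host"]] += 1
    for host, count in renames.items():
        if count >= RENAME_BURST:
            alerts.append({"rule": "ransomware_extension_burst",
                           "host": host, "count": count})
    return alerts


# Constructed events; not real telemetry from the incident.
SAMPLE_EVENTS = [
    # WS-01: MSBuild launched from cmd.exe (a batch script), then mass renames.
    {"event": "process_create", "host": "WS-01",
     "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "MSBuild.exe"},
    {"event": "file_rename", "host": "WS-01",
     "target": "C:\\Users\\alice\\Documents\\q2.xlsx.malox"},
    {"event": "file_rename", "host": "WS-01",
     "target": "C:\\Users\\alice\\Documents\\plan.docx.malox"},
    {"event": "file_rename", "host": "WS-01",
     "target": "C:\\Shares\\finance\\ledger.csv.malox"},
    # WS-02: a developer's normal build from Visual Studio and a harmless rename.
    {"event": "process_create", "host": "WS-02",
     "image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe",
     "parent_image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe",
     "cmdline": "MSBuild.exe app.csproj"},
    {"event": "file_rename", "host": "WS-02",
     "target": "C:\\Users\\bob\\notes.txt.bak"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The two rules are independent on purpose: the parent-process check fires before any encryption starts and is the one worth acting on, while the extension burst confirms impact after the fact and also catches variants that reach MSBuild.exe by another route.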
MITRE ATT&CK: [MITRE ATT&CK] T1140 - Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1562 - Impair Defenses | [MITRE ATT&CK] T1222 - File and Directory Permissions Modification | [MITRE ATT&CK] T1564 - Hide Artifacts | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1070 - Indicator Removal on Host | [MITRE ATT&CK] T1082 - System Information Discovery | [MITRE ATT&CK] T1083 - File and Directory Discovery | [MITRE ATT&CK] T1486 - Data Encrypted for Impact | [MITRE ATT&CK] T1071 - Application Layer Protocol | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1204.003 - User Execution: Malicious Image
Tags: malware:Mallox, malware-type:Ransomware, malware:Batloader, technique:Initial-access, technique:Process-tree, target-industry:IT, target-industry:Manufacturing, target-industry:Energy, target-region:Global, target-country:India, target-country:America, file-type:mallox, file-type:malox
USB-Driven Malware Propagation: Unveiling Camaro Dragon's Global Reach
(published: June 22, 2023)
This threat research report exposes the extensive reach and impact of Camaro Dragon (Mustang Panda, LuminousMoth), a China-based espionage threat actor, through the use of self-propagating USB malware. While their focus is primarily on Southeast Asian countries, the malware spread globally through infected USB drives. The investigation conducted by the Check Point Incident Response Team (CPIRT) at a European healthcare institution revealed the infiltration of systems by a malware variant called WispRider. The malware not only exhibits backdoor capabilities but also bypasses popular antivirus solutions in Southeast Asia, such as SmadAV. Furthermore, the malware utilizes components of security software and major gaming companies for DLL-side-loading. By infecting USB drives originating in Southeast Asia, the malware spreads uncontrollably across networks worldwide, affecting countries like Great Britain, India, Myanmar, Russia and South Korea. This research underscores the critical need for organizations, even those not directly targeted, to protect against the growing threat of USB-driven malware campaigns.
Analyst Comment: Implement strict policies regarding the use of USB devices within the organization. Educate employees about the risks associated with unknown or unverified USB drives and encourage the use of secure and sanitized USB drives. Indicators regarding Camaro Dragon can be found on the Anomali platform for reference and insight.
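The DLL side-loading described in this story has a recognisable shape in image-load telemetry: a signed, legitimate executable (here, components of security software and gaming companies) loads an unsigned DLL that sits beside it outside its normal install directory, frequently from removable media. The following is an added example, not code from Anomali or Check Point; the records are constructed in the shape of normalised Sysmon image-load events with signature checks reduced to booleans, the vendor and path names are invented, and treating any non-C: drive as removable is an assumption made for the sample.

```python
from __future__ import annotations
import ntpath

# Directories where a signed vendor executable normally lives with its own DLLs;
# same-directory loads from here are treated as expected.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def norm_dir(path: str) -> str:
    """Lower-cased directory of a Windows path with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def in_trusted_dir(path: str) -> bool:
    return norm_dir(path).startswith(TRUSTED_DIRS)


def is_removable_or_user_writable(path: str) -> bool:
    d = norm_dir(path)
    # Assumption for this sample: any drive letter other than C: is removable media.
    if not d.startswith("c:\\"):
        return True
    return any(marker in d for marker in ("\\appdata\\", "\\temp\\", "\\users\\public\\"))


def detect_sideloading(records: list[dict]) -> list[dict]:
    """Alert when a signed host process loads an unsigned DLL in a side-loading layout."""
    alerts = []
    for r in records:
        if not r["image_signed"] or r["loaded_signed"]:
            continue  # the rule is specifically about signed host + unsigned DLL
        reasons = []
        if norm_dir(r["image"]) == norm_dir(r["image_loaded"]) and not in_trusted_dir(r["image"]):
            reasons.append("unsigned DLL beside signed executable outside trusted install dirs")
        if is_removable_or_user_writable(r["image_loaded"]):
            reasons.append("unsigned DLL loaded from removable or user-writable location")
        if reasons:
            alerts.append({"host": r["host"], "image": r["image"],
                           "dll": r["image_loaded"], "reasons": reasons})
    return alerts


# Constructed records; vendor names and paths are invented for the example.
SAMPLE_LOADS = [
    # Signed vendor tool copied to a USB drive, loading an unsigned DLL beside it.
    {"host": "WS-07", "image": "E:\\Tools\\vendor-tool.exe", "image_signed": True,
     "image_loaded": "E:\\Tools\\vendor-helper.dll", "loaded_signed": False},
    # The same tool in its normal install path loading its signed DLL: benign.
    {"host": "WS-07", "image": "C:\\Program Files\\Vendor\\vendor-tool.exe", "image_signed": True,
     "image_loaded": "C:\\Program Files\\Vendor\\vendor-helper.dll", "loaded_signed": True},
    # Unsigned developer build loading an unsigned DLL: noisy, but not this pattern.
    {"host": "WS-08", "image": "C:\\Users\\dev\\AppData\\Local\\Temp\\build\\app.exe",
     "image_signed": False,
     "image_loaded": "C:\\Users\\dev\\AppData\\Local\\Temp\\build\\app.dll", "loaded_signed": False},
    # Signed game launcher loading an unsigned DLL from a user-writable directory.
    {"host": "WS-09", "image": "C:\\Games\\Launcher\\launcher.exe", "image_signed": True,
     "image_loaded": "C:\\Users\\alice\\AppData\\Roaming\\launcher\\update.dll",
     "loaded_signed": False},
]

if __name__ == "__main__":
    for alert in detect_sideloading(SAMPLE_LOADS):
        print(alert["host"], alert["dll"], "|", "; ".join(alert["reasons"]))
```

The rule keys on the signed-host, unsigned-DLL combination because that is what lets the loader inherit the reputation of the vendor binary and slip past antivirus; restricting the same-directory check to locations outside the trusted install paths keeps legitimate vendor products from generating noise.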
MITRE ATT&CK: [MITRE ATT&CK] T1055.003 - Process Injection: Thread Execution Hijacking | [MITRE ATT&CK] T1064 - Scripting | [MITRE ATT&CK] T1204.002 - User Execution: Malicious File | [MITRE ATT&CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks | [MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1566.002 - Phishing: Spearphishing Link | [MITRE ATT&CK] T1059.001 - Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1574.002 - Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1087.002 - Account Discovery: Domain Account
Tags: malware:CamaroDragon, malware:MustangPanda, malware:LuminousMoth, target-region:Southeast Asia, target-industry:Healthcare institution, malware:WispRider, malware-type:Backdoor, technique:DLL-side loading, Chinese threat actors, Infection vector, USB malware, target-country:Myanmar, target-country:South Korea, target-country:Great Britain, target-country:India
New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attack
(published: June 21, 2023)
A new malware named Condi has been discovered, targeting TP-Link Archer AX21 Wi-Fi routers to create a DDoS botnet. The botnet exploits vulnerable TP-Link Archer AX21 routers using CVE-2023-1389, a command injection vulnerability. The botnet is advertised on a Telegram channel, which offers DDoS services and the malware source code for sale. The malware associated with the Condi botnet employs various techniques to ensure its persistence on infected systems and terminates processes associated with competing botnets. It propagates by scanning for open ports 80 and 8080 and exploiting vulnerabilities. The botnet uses a modified Mirai protocol for communication and offers a range of attack methods.
Analyst Comment: TP-Link Archer AX21 router users should update their firmware to the latest version to patch the CVE-2023-1389 vulnerability. Administrators of Linux servers should implement strong and complex passwords for user accounts and periodically change them. Additionally, ensure that the servers are up to date with the latest patches to prevent vulnerability attacks. Implement measures to guard against brute force and dictionary attacks, such as account lockouts and rate limiting. Indicators related to Condi are available on the Anomali Platform for reference.
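Besides patching, the propagation behaviour in this story (scanning for open ports 80 and 8080) is visible at the network edge: one source touching many distinct internal hosts on those two ports within a short window. The following is an added example, not code from Anomali or the original researchers; the firewall log lines are constructed in a Linux netfilter-style format using documentation address ranges, and the 60-second window and four-host threshold are assumptions to tune against local traffic.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Netfilter-style "kernel:" log line; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
WATCHED_PORTS = {80, 8080}        # the ports Condi scans for, per the report
WINDOW = timedelta(seconds=60)    # assumption: sliding window per source
DISTINCT_HOSTS = 4                # assumption: distinct destinations before alerting


def parse_line(line: str) -> dict | None:
    """Parse one log line into its timestamp, source, destination and port."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative arithmetic is all the rule needs.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])}


def find_scanners(lines: list[str]) -> dict[str, int]:
    """Map each scanning source to the largest number of distinct hosts it
    touched on a watched port within one window."""
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dpt"] in WATCHED_PORTS:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners: dict[str, int] = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > WINDOW:
                start += 1                      # slide the window forward
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= DISTINCT_HOSTS:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


# Constructed log lines (TEST-NET addresses); not real firewall output.
SAMPLE_LOG = """\
Jun 21 10:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41000 DPT=80 SYN
Jun 21 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 LEN=60 PROTO=TCP SPT=41001 DPT=8080 SYN
Jun 21 10:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.12 LEN=60 PROTO=TCP SPT=41002 DPT=80 SYN
Jun 21 10:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 LEN=60 PROTO=TCP SPT=41003 DPT=8080 SYN
Jun 21 10:00:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.14 LEN=60 PROTO=TCP SPT=41004 DPT=80 SYN
Jun 21 10:00:05 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52000 DPT=443 SYN
Jun 21 10:00:06 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52001 DPT=80 SYN
Jun 21 10:00:07 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=52002 DPT=80 SYN
Jun 21 10:05:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.20 LEN=60 PROTO=TCP SPT=61000 DPT=8080 SYN
Jun 21 10:06:30 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.21 LEN=60 PROTO=TCP SPT=61001 DPT=8080 SYN
Jun 21 10:09:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.22 LEN=60 PROTO=TCP SPT=61002 DPT=8080 SYN
Jun 21 10:12:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.23 LEN=60 PROTO=TCP SPT=61003 DPT=8080 SYN
""".splitlines()

if __name__ == "__main__":
    for src, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"possible scanner {src}: {hosts} distinct hosts on ports 80/8080 within {WINDOW}")
```

In the sample, the first source sweeps five hosts in four seconds and is reported; the second repeatedly hits a single web server and is not; the third touches four hosts but spread over seven minutes, so the window keeps it below the threshold. Repeated connections to one host are what a normal client looks like, which is why the rule counts distinct destinations rather than connection attempts.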
MITRE ATT&CK: [MITRE ATT&CK] T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | [MITRE ATT&CK] T1059 - Command and Scripting Interpreter | [MITRE ATT&CK] T1190 - Exploit Public-Facing Application | [MITRE ATT&CK] T1110 - Brute Force | [MITRE ATT&CK] T1003 - OS Credential Dumping | [MITRE ATT&CK] T1547 - Boot or Logon Autostart Execution | [MITRE ATT&CK] T1070 - Indicator Removal on Host
Tags: malware:Condi, malware-technique:DDoS Botnet, vulnerability:CVE-2023-1389, malware:Mirai, malware:ShellBot, malware:Tsunami, Ziggy, malware-type:Botnet, technique:Exploit, technique:Brute Force, target-system:Linux Server
Global Exploitation of Barracuda ESG Zero-Day (CVE-2023-2868) Vulnerability: Suspected State-Linked Actors from China Involved
(published: June 15, 2023)
Mandiant researchers documented the Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868), a remote command injection vulnerability that was exploited globally by an aggressive and skilled actor, suspected to have links to China. Researchers found that UNC4841 targeted vulnerable Barracuda ESG appliances by sending malicious emails containing file attachments exploiting the CVE-2023-2868 vulnerability. Once compromised, the actor employed multiple malware families, including SALTWATER, SEASPY, and SEASIDE, to maintain a presence on the ESG appliances. The affected organizations spanned the public and private sectors worldwide, with a notable focus on government agencies.
Analyst Comment: To effectively respond to the Barracuda ESG zero-day vulnerability and the associated threat actor campaign, organizations should take immediate action. It is crucial to replace compromised Barracuda ESG appliances promptly. Conducting a comprehensive investigation is essential, involving the review of logs, revocation of credentials, and ongoing monitoring for any signs of further compromise. CVE references and indicators related to UNC4841 are provided on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1205 - Traffic Signaling | [MITRE ATT&CK] T1018 - Remote System Discovery | [MITRE ATT&CK] T1134 - Access Token Manipulation | [MITRE ATT&CK] T1036 - Masquerading | [MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1562.001 - Impair Defenses: Disable or Modify Tools | [MITRE ATT&CK] T1014 - Rootkit
Tags: actor:UNC4841, malware:SALTWATER, malware:SEASPY, malware:SEASIDE, vulnerability:CVE-2023-2868, Email security, Barracuda ESG, Espionage, Data exfiltration, Lateral movement, technique:Spearphishing, technique:Command and control, Defense evasion, target-industry:Public sector, target-industry:Government agencies