September 12, 2023
-
Anomali Threat Research
,

Anomali Cyber Watch: XModule Quietly Processes Resort Data, Fancy Bear Abused Mocky API, and More

<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Iran, Geofencing, Named pipes, Russia, Social engineering, Supply-chain compromise,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img alt="Image" src="https://cdn.filestackcontent.com/z6b7wh8uRJyJWaSoO5tt"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://www.welivesecurity.com/en/eset-research/sponsor-batch-filed-whiskers-ballistic-bobcats-scan-strike-backdoor/" target="_blank">Sponsor with Batch-Filed Whiskers: Ballistic Bobcat’s Scan and Strike Backdoor</a></h3> <p>(published: September 11, 2023)</p> <p> ESET researchers have discovered five versions of a new backdoor, dubbed Sponsor, employed by Iran-sponsored group Charming Kitten (APT35, Ballistic Bobcat, PHOSPHORUS). Retrospective search allowed to identify 32 targets in Israel, one in Brazil and another in the United Arab Emirates. From March 2021 to June 2022, this campaign, dubbed Sponsoring Access, has been exploiting known Microsoft Exchange vulnerabilities such as CVE-2021-26855. This exploitation appears opportunistic in nature, and 18 of the targets were co-infected by other threat actors. Sponsoring Access has been associated with a number of open-source tools and living-off-the-land-binaries (LOLBins) including Chisel, GOST, Mimikatz, Plink, ProcDump, RevSocks, and Sqlextractor. Prior to deployment of the Sponsor backdoor, Charming Kitten were deploying C2-communication configuration files needed for its run that included encrypted sleep and server settings.<br/> <b>Analyst Comment:</b> Charming Kitten has been striving to remain undetected by utilizing LOLBins, low-profile tools and modular malware such as Sponsor. Aligning patch and vulnerability processes to cyber threat intelligence significantly enhances the precision and priority of managing your security posture versus emerging threats from exploited vulnerabilities. Organizations keen to understand and maintain grip across their external attack surface are invited to use the Anomali Attack Surface Management service. All known host-based indicators associated with the Sponsoring Access campaign are available in the Anomali platform for retrospective analysis.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/22196" target="_blank">[MITRE ATT&amp;CK] Reconnaissance - Active Scanning [T1595]</a> | <a href="https://ui.threatstream.com/attackpattern/23223" target="_blank">[MITRE ATT&amp;CK] Resource Development - Develop Capabilities: Malware [T1587.001]</a> | <a href="https://ui.threatstream.com/attackpattern/10159" target="_blank">[MITRE ATT&amp;CK] T1588.002 - Obtain Capabilities: Tool</a> | <a href="https://ui.threatstream.com/attackpattern/24897" target="_blank">[MITRE ATT&amp;CK] Initial Access - Exploit Public-Facing Application [T1190]</a> | <a href="https://ui.threatstream.com/attackpattern/23233" target="_blank">[MITRE ATT&amp;CK] Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003]</a> | <a href="https://ui.threatstream.com/attackpattern/3718" target="_blank">[MITRE ATT&amp;CK] T1569.002: Service Execution</a> | <a href="https://ui.threatstream.com/attackpattern/27800" target="_blank">[MITRE ATT&amp;CK] Privilege Escalation - Create or Modify System Process: Windows Service [T1543.003]</a> | <a href="https://ui.threatstream.com/attackpattern/10003" target="_blank">[MITRE ATT&amp;CK] T1078.003 - Valid Accounts: Local Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/10025" target="_blank">[MITRE ATT&amp;CK] T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a><br/> <b>Tags:</b> campaign:Sponsoring Access, actor:Ballistic Bobcat, actor:APT35, actor:Charming Kitten, actor:PHOSPHORUS, malware:Alumina, malware:Sponsor, malware-type:Backdoor, malware:RevSocks, malware-type:Reverse tunneling, malware:Mimikatz, malware:GOST, malware-type:Tunneling, malware:Chisel, Plink, malware:WebBrowserPassView, malware-type:Credential stealer, malware:sqlextractor, tool:ProcDump, target-country:AE, target-country:BR, target-country:IL, source-country:IR, target-industry:Automotive, target-industry:Communications, target-industry:Engineering, target-industry:Financial services, target-industry:Healthcare, target-industry:Insurance, target-industry:Law, target-industry:Manufacturing, target-industry:Media, target-industry:Retail, target-industry:Technology, target-industry:Telecommunications, vulnerability:CVE-2021-26855, language:C++, file-type:BAT, file-type:DLL, file-type:EXE, file-type:PDB, file-type:TXT, file-type:XML, target-system:Windows </p> <h3 id="article-1"><a href="https://www.sentinelone.com/blog/macos-metastealer-new-family-of-obfuscated-go-infostealers-spread-in-targeted-attacks/" target="_blank">macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks </a></h3> <p>(published: September 11, 2023)</p> <p> A new infostealer malware named MetaStealer is targeting Apple macOS in its Intel x86_64 ​​architecture. The malware is distributed through malicious application bundles in disk image format (DMG). The threat actors have been targeting organizations by posing as potential clients with the malware bundles having business-related topics, or impersonating Adobe files or installers for Adobe Photoshop. The main component of the payload is an obfuscated Go-based executable that harvests data from iCloud Keychain, saved passwords, and files from the compromised host. SentinelOne researchers have reported an increase in MetaStealer infection since its first instances in the wild in March 2023.<br/> <b>Analyst Comment:</b> In September 2023, Apple updated its malware blocking to include some, but not all of the observed MetaStealer samples. It is important to be extra vigilant when asked to install additional software. All known network indicators associated with MetaStealer are available in the Anomali platform and customers are advised to block these on their infrastructure. In addition SentinelOne, along with other Advisory, News and Blog sources are available as RSS feeds, and for AutoLens+ subscribers these are also tagged and summarized.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/22184" target="_blank">[MITRE ATT&amp;CK] Execution - User Execution: Malicious File [T1204.002]</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9600" target="_blank">[MITRE ATT&amp;CK] T1555.001 - Credentials from Password Stores: Keychain</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a><br/> <b>Tags:</b> malware:MetaStealer, malware-type:Infostealer, language:Golang, impersonated:Adobe, impersonated:TradingView, open-port:3000, file-type:DMG, file-type:Mach-O, file-type:ZIP, target-system:Intel x86_64, target-system:macOS </p> <h3 id="article-1"><a href="https://www.bitdefender.com/blog/businessinsights/deep-dive-into-supply-chain-compromise-hospitalitys-hidden-risks/" target="_blank">Deep Dive into Supply Chain Compromise: Hospitality's Hidden Risks</a></h3> <p>(published: September 7, 2023)</p> <p> Bitdefender researchers have discovered a series of security breaches within the IRM-NG booking engine software produced by Resort Data Processing for the hospitality industry. In a particular case, unknown financially-motivated actors targeted a small resort in the US. They exploited a number of zero-day vulnerabilities for initial access, placing a webshell file and changing its extension for activation. The attackers used a number of modified open-source tools: a Themida-packed version of the PrintSpoofer privilege escalation tool, a customized variant of the CVE-2020-0787 proof-of-concept exploit, and a customized version of the open-source Micro Backdoor. Further, XModule, a custom malicious IIS module was automatically loaded by the targeted IIS server. Using the named pipes mechanism, XModule acts as a proxy between the C2 server and Micro Backdoor. Hard to detect, this communication simply required the actors to make a POST request with specific content to any legitimate page on the compromised web server.<br/> <b>Analyst Comment:</b> The attackers demonstrated an intimate knowledge of the software's architecture and inner workings, developing custom malware designed to seamlessly integrate with legitimate network traffic and ultimately steal hotel visitors’ credit card data. Network defenders should aim for a multi-layered and adaptive security strategy, combining technological enhancements with vigilant monitoring and proactive measures. All known indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/24897" target="_blank">[MITRE ATT&amp;CK] Initial Access - Exploit Public-Facing Application [T1190]</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&amp;CK] T1218.011 - Signed Binary Proxy Execution: Rundll32</a> | <a href="https://ui.threatstream.com/attackpattern/9629" target="_blank">[MITRE ATT&amp;CK] T1090.001 - Proxy: Internal Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/24156" target="_blank">[MITRE ATT&amp;CK] Collection - Data Staged: Local Data Staging [T1074.001]</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9772" target="_blank">[MITRE ATT&amp;CK] T1070.006 - Indicator Removal on Host: Timestomp</a> | <a href="https://ui.threatstream.com/attackpattern/22198" target="_blank">[MITRE ATT&amp;CK] Persistence - Server Software Component: Web Shell [T1505.003]</a> | <a href="https://ui.threatstream.com/attackpattern/24895" target="_blank">[MITRE ATT&amp;CK] Privilege Escalation - Exploitation for Privilege Escalation [T1068]</a> | <a href="https://ui.threatstream.com/attackpattern/23217" target="_blank">[MITRE ATT&amp;CK] Privilege Escalation - Valid Accounts [T1078]</a><br/> <b>Tags:</b> malware:XModule, malware-type:Malicious IIS module, malware:Micro Backdoor, malware-type:Backdoor, malware-type:Webshell, malware:PrintSpoofer, tool:Themida, malware-type:Packer, malware:KingHamlet, malware-type:Process ghosting tool, target-industry:Hospitality, technique:Named pipes, technique:Supply-chain-compromise, technique:Timestomping, target-software:IRM-Next-Generation, target-software:IRM-NG, target-company:Resort Data Processing, target-country:US, target-region:North America, vulnerability:CVE-2020-0787, vulnerability:CVE-2023-39420, vulnerability:CVE-2023-39421, vulnerability:CVE-2023-39422, vulnerability:CVE-2023-39423, vulnerability:CVE-2023-39424, file-type:ASPX, file-type:CSS, file-type:DLL, file-type:EXE, target-software:IIS, target-system:Windows </p> <h3 id="article-1"><a href="https://www.zscaler.com/blogs/security-research/steal-it-campaign" target="_blank">Steal-It Campaign</a></h3> <p>(published: September 6, 2023)</p> <p> A new information-stealing campaign dubbed Steal-It is attributed to Fancy Bear (APT28), a Russia-sponsored group. The threat actors in this campaign use ZIP archives with malicious LNK files, and abuse legitimate Mockbin APIs for command-and-control and exfiltration. At least four variations of the infection chain were detected by Zscaler researchers. Fancy Bear used update or illicit imagery-themed lures. In three infection chain cases a geofencing strategy was used, targeting either Australia, Belgium, or Poland. Various malicious JavaScript and PowerShell scripts were utilized to steal information directly or to upload a second-stage infostealer. In half of the studied cases, the actors achieved persistence by copying files to the Startup folder.<br/> <b>Analyst Comment:</b> Fancy Bear is an experienced cyberespionage group and should be taken seriously. Network defenders are advised to enforce anti-phishing training, and monitoring for the abuse of legitimate cloud services such as Mocky/Mockbin. All known network indicators associated with the Steal-It campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9688" target="_blank">[MITRE ATT&amp;CK] T1212 - Exploitation For Credential Access</a> | <a href="https://ui.threatstream.com/attackpattern/9746" target="_blank">[MITRE ATT&amp;CK] T1567 - Exfiltration Over Web Service</a> | <a href="https://ui.threatstream.com/attackpattern/9678" target="_blank">[MITRE ATT&amp;CK] T1037 - Boot Or Logon Initialization Scripts</a> | <a href="https://ui.threatstream.com/attackpattern/23222" target="_blank">[MITRE ATT&amp;CK] Discovery - System Owner/User Discovery [T1033]</a> | <a href="https://ui.threatstream.com/attackpattern/9621" target="_blank">[MITRE ATT&amp;CK] T1132 - Data Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/10082" target="_blank">[MITRE ATT&amp;CK] T1614 - System Location Discovery</a><br/> <b>Tags:</b> campaign:Steal-It, actor:APT28, actor:Fancy Bear, malware:Start-CaptureServer, malware-type:Credential stealer, source-country:RU, technique:Geofencing, abused:IPAPI, abused:Mockbin API, target-region:Europe, target-country:AU, target-country:BE, target-country:PL, file-type:BAT, file-type:CMD, file-type:HTML, file-type:LNK, file-type:PS1, file-type:ZIP, target-system:Windows </p> <h3 id="article-1"><a href="https://www.truesec.com/hub/blog/darkgate-loader-delivered-via-teams" target="_blank">DarkGate Loader Malware Delivered via Microsoft Teams</a></h3> <p>(published: September 6, 2023)</p> <p> Since 2018, DarkGate Loader had been used as a private malware by its author, but in June 2023, the author started advertising it as a Malware-as-a-Service offering on popular cybercrime forums. Until recently, DarkGate Loader was seen delivered via traditional email malspam campaigns. In late-August 2023, Truesec researchers detected a usage of Microsoft Teams to deliver the malware via HR-themed social-engineering chat messages. These Microsoft Teams chat messages were sent from two external Office 365 accounts compromised prior to the campaign (put up for sale on the Dark Web in August 2023). The attack chain features ZIP archives containing a double-extension LNK file masquerading as PDF. User execution leads to a VBS script activating an AutoIt script extracting the final DarkGate Loader payload.<br/> <b>Analyst Comment:</b> At the time of the detection, current Microsoft Teams security features such as Safe Attachments or Safe Links were not able to detect or block this DarkGate Loader attack. Network defenders should enhance their organization's phishing awareness and block known indicators associated with this DarkGate Loader campaign (available in the Anomali platform).<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/24158" target="_blank">[MITRE ATT&amp;CK] Initial Access - Phishing: Spearphishing Attachment [T1566.001]</a> | <a href="https://ui.threatstream.com/attackpattern/22184" target="_blank">[MITRE ATT&amp;CK] Execution - User Execution: Malicious File [T1204.002]</a> | <a href="https://ui.threatstream.com/attackpattern/12870" target="_blank">[MITRE ATT&amp;CK] T1036.007 - Masquerading: Double File Extension</a> | <a href="https://ui.threatstream.com/attackpattern/22657" target="_blank">[MITRE ATT&amp;CK] Execution - Command and Scripting Interpreter: Visual Basic [T1059.005]</a> | <a href="https://ui.threatstream.com/attackpattern/24154" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/24152" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a><br/> <b>Tags:</b> malware:DarkGate, malware-type:Loader, detection:BAT/Tisifi.A#, threat-type:Malware-as-a-Service, abused:Microsoft Teams, technique:AutoIT, technique:Malspam, technique:Social engineering, technique:Chat messages, file-type:AU3, file-type:EXE, file-type:LNK, file-type:PDF.LNK, file-type:VBS, file-type:ZIP, target-system:Windows </p> </div> </p></div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.