Threat Simulator: April 2023 Update
In The Art of War, Sun Tzu says “To know your enemy you must become your enemy”. But how do you become your enemy? You need to put yourself in your enemy's place so you can predict their actions. The goal of any conflict is to control your opponent and overcome them.
Luckily our dedicated team of Application and Threat Intelligence (ATI) experts can keep you safe by providing our Threat Simulator product with automated, recurring assessments that are updated daily, so you can stay protected from the latest threats.
Threat Simulator helps you conduct continuous assessments to proactively identify and fix vulnerabilities, with the latest attack techniques and mitigation recommendations, minimizing the window of opportunity for nefarious actors.
Following on from our March latest threats blog, we have summarized below the latest cyberattacks covered by Threat Simulator during April.
MITRE ATT&CK (T1548.001 and T1059.004) - Setuid and Setgid (Bash)
In order to execute code on a Linux system in a user's context with potentially more privileges, adversaries may leverage applications with setuid or setgid bits set. In general, a binary runs in the current user's context, but when setuid or setgid bits are set it runs with the privileges of the user or group that owns it.
This audit uses a custom binary that executes a command given as an argument. It changes the binary's owner and group to 'root:root' and sets its setuid bit. This way, a regular user is able to execute commands that require high privileges via the executor binary.
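The audit above plants a root-owned setuid executor; the defensive counterpart is a periodic inventory of files carrying setuid or setgid bits, compared against a known baseline. The script below is an added example written for this post, not Threat Simulator code. It assumes you supply the baseline (for instance a list captured from a freshly built host) and reports anything outside it, root-owned setuid files first.

```python
"""Inventory setuid/setgid files under a directory tree and diff against a baseline.

Added example (not Keysight/Threat Simulator code). The baseline is assumed to be a set
of absolute paths known to carry these bits; everything else is reported for review.
"""
import os
import stat


def collect_special_bits(root):
    """Return {path: (uid, gid, setuid, setgid)} for regular files under root
    that have the setuid or setgid bit set. Symlinks are not followed."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if suid or sgid:
                found[path] = (st.st_uid, st.st_gid, suid, sgid)
    return found


def unexpected_entries(found, baseline):
    """Entries not present in the baseline, as (path, uid, gid, setuid, setgid),
    ordered so that root-owned setuid files (largest privilege gain) come first."""
    extra = [(path, *info) for path, info in found.items() if path not in baseline]
    extra.sort(key=lambda e: (not (e[1] == 0 and e[3]), e[0]))
    return extra


def describe(entry):
    """One-line report for an entry returned by unexpected_entries()."""
    path, uid, gid, suid, sgid = entry
    bits = "+".join(b for b, on in (("setuid", suid), ("setgid", sgid)) if on)
    return f"{path} owner={uid}:{gid} bits={bits}"


if __name__ == "__main__":
    import sys
    # usage: python inventory.py <root> [baseline paths...]; run as root for full coverage
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    known = set(sys.argv[2:])
    for entry in unexpected_entries(collect_special_bits(scan_root), known):
        print(describe(entry))
```

A new root-owned setuid file outside the baseline is exactly the artifact the audit above leaves behind. File-integrity tooling that records mode and owner catches the same change, and mounting user-writable locations with nosuid limits where such a binary can take effect.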
MITRE ATT&CK (T1059.004) Reflective Code Loading: Ezuri memory executor - Reflectively load an ELF file in memory and run it (Bash)
Reflective code loading is a technique that may be used by adversaries in order to load and execute malicious payloads in the memory of a process.
By using reflective code loading, malicious code can be kept encrypted until its execution in order to avoid detection.
This audit uses a modified version of 'Ezuri', an open-source project written in Go that can be found at https://github.com/guitmz/ezuri under the MIT license.
The audit runs the Ezuri binary which encrypts the target ELF binary using AES and merges it with an executor binary. Given the key and IV (initialization vector), the executor binary can decrypt the target binary and execute it in memory using the 'memfd_create' syscall.
MITRE ATT&CK (T1059.004) Reflective Code Loading: Memory executor - Reflectively load an ELF file in memory and run it (Bash)
Reflective code loading is a technique that may be used by adversaries in order to load and execute malicious payloads in the memory of a process.
This audit uses 'memrun', an open-source project written in Go that can be found at https://github.com/guitmz/memrun under the MIT license.
The audit runs an executor ELF binary which loads the target ELF binary in memory and uses the 'memfd_create' syscall to execute it.
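Both audits above (the Ezuri executor and memrun) end the same way: an ELF is executed from an anonymous file created with memfd_create, so the running process has no backing file on disk. The kernel exposes that fact in /proc, where the process's exe link reads "/memfd:<name> (deleted)" instead of a path. The scanner below is an added detection example written for this post; it is not part of the Threat Simulator audits or of the Ezuri/memrun projects. It takes the proc root as a parameter so it can be pointed at a constructed tree for testing.

```python
"""List processes whose executable image is an anonymous memfd.

Added example (not Threat Simulator, Ezuri or memrun code). A loader that execs an ELF
through memfd_create leaves the process's /proc/<pid>/exe pointing at a memfd; this
scan reports those processes.
"""
import os

# The kernel renders the exe link of such a process as "/memfd:<name> (deleted)".
MEMFD_PREFIX = "/memfd:"


def is_memfd_image(exe_target):
    """True when a /proc/<pid>/exe symlink target names a memfd rather than a file on disk."""
    return exe_target.startswith(MEMFD_PREFIX)


def _read_text(path):
    """Read a small proc file (e.g. comm); '?' when it cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return "?"


def scan_memfd_processes(proc_root="/proc"):
    """Return [(pid, comm, exe_target)] sorted by pid for processes running from a memfd.

    Reading another user's exe link requires ptrace-level access, so unreadable
    entries are skipped; run as root for a complete inventory."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip self, sys, net and other non-process entries
        pid_dir = os.path.join(proc_root, entry)
        try:
            exe_target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, process already exited, or permission denied
        if is_memfd_image(exe_target):
            hits.append((int(entry), _read_text(os.path.join(pid_dir, "comm")), exe_target))
    return sorted(hits)


if __name__ == "__main__":
    for pid, comm, exe in scan_memfd_processes():
        print(f"pid={pid} comm={comm} exe={exe}")
```

The exe-based check is the high-signal one: a process whose main image is a memfd is rare outside in-memory loaders. Merely holding an open memfd file descriptor is not suspicious on its own, since browsers, audio servers and other shared-memory users create memfds routinely, so do not alert on that alone. For coverage between scans, the same condition can be watched at exec time with an audit or eBPF hook on execve whose target path begins with "/memfd:".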
New Threat Campaigns
Inside Mispadu massive infection campaign in LATAM
Metabase Q Security Operation Center detected 20 different spam campaigns focused on credential stealing, specifically online banking, schools, government services, social media, gaming, ecommerce, public repositories, and Outlook email. The threat actors behind these campaigns used various tactics, such as creating fake web pages to lure victims and using HTML pages or password-protected PDF files to trick them into opening different types of fake bills. Furthermore, the malware used in this campaign is hidden inside a fake certificate, allowing it to bypass most endpoint protections.
Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts
ExaTrack discovered a new malware targeting Linux servers, named Mélofée and linked to the Winnti group, a Chinese state-sponsored group. This malware expands the toolset used by various China-linked nation-state sponsored groups to target Linux systems.
Bad magic: new APT found in the area of Russo-Ukrainian conflict
In October 2022, Kaspersky researchers identified an active campaign targeting administrative organizations in the Donetsk, Lugansk, and Crimea regions. The attack is part of a larger trend of cyber activities related to the Russo-Ukrainian conflict. The attackers use PowerMagic backdoor and CommonMagic framework via a malicious web server hosting a ZIP archive containing a decoy document and a malicious LNK file, likely using spear phishing or similar methods to initiate the attack.
APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations
Mandiant released a report about the activity of APT43 over a period of almost 2 years, detailing its shifts in targets, tactics and the overall goal of its campaigns. APT43 is a group believed to be linked with the North Korean regime, and it has been seen engaging in espionage as well as financially-motivated operations to fund its activities. APT43 relies on a large toolkit, including widely available tools but also non-public malware. This toolkit is continuously improved, with new features being added that enable multi-platform targeting.
Shining Light on Dark Power: Yet Another Ransomware Gang
Trellix identified a new opportunistic ransomware group named Dark Power, which uses the Nim programming language to develop its malware. The gang does not target specific regions or industries. The ransomware creates a random key for encryption, making it more difficult to decrypt and recover files. Furthermore, it stops processes responsible for backups and disables various other services (backup daemons, databases, mail clients) in order to encrypt the data they hold and to prevent recovery. It encrypts all files that are not critical to the Windows operating system. Finally, it clears event logs to make investigation by security specialists more difficult. The ransomware does not exfiltrate data, leading to the assumption that this step is done manually.
Microsoft OneNote File Being Leveraged by Phishing Campaigns to Spread Malware
Fortinet has identified phishing campaigns targeting Windows users and spreading AsyncRAT, with the malware being distributed through malicious OneNote files. This is an evolution from traditional phishing campaigns that use Word or Excel files to execute malicious macros. OneNote does not support macros, but it allows attachments to be inserted. In this campaign, BAT files were inserted in the notebook, and when the user double-clicks one of them, it gets executed. The techniques used by the malware include fileless storage of executables and process hollowing. The RAT has many features, allowing full control over the system.
Mantis: New Tooling Used in Attacks Against Palestinian Targets
Symantec discovered a new attack chain used by the Mantis cyber-espionage group to target entities by exfiltrating credentials and sensitive data. While the initial infection vector remains unknown, the subsequent steps, which include downloading malicious payloads, establishing connections with command-and-control servers and exfiltrating data, have been analyzed. The Mantis group has achieved remarkable results such as:
1. Compartmentalization of the attack (utilization of multiple toolsets in order to increase the success rate if one is detected)
2. Extensive malware rewriting
The toolsets used are built in various languages (the Micropsia backdoor written in Delphi, Arid Gopher built in Go, and a Python 3-based exfiltration tool). The Micropsia and Arid Gopher variants carry custom changes in order to achieve different behaviors from target to target. These backdoors are responsible for initiating connections with command-and-control servers and obtaining persistence. The final step is exfiltrating various files. If exfiltration is successful, the information is then deleted from the local environment.
Rorschach - A New Sophisticated and Fast Ransomware
Check Point Research identified a new malware strain called Rorschach, deployed using a component of the Palo Alto Cortex XDR tool and featuring a wide range of unique features. It was deployed using a signed component of a commercial product and it makes use of direct syscalls. It is able to spread itself when executed on a Domain Controller, and it clears event logs to go undetected. The encryption process is effective and fast. There is no indication of who the developers behind this ransomware are, but it appears to include some features from public malware.
Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities
Cisco Talos released a report on the Typhon infostealer and the enhancements made to its codebase, improving its evasion and anti-VM capabilities. Typhon was first observed in 2022 and has been continuously improved since then. Its latest version, Typhon Reborn V2, includes better anti-virtualization and anti-analysis capabilities and string obfuscation, the goal being the exfiltration of sensitive information through the Telegram API.
Qakbot Being Distributed in Korea Through Email Hijacking
AhnLab released a report covering the spread of Qakbot malware through email hijacking, where malicious PDFs are attached to existing email threads. The victims receive a reply or a forwarded email and are persuaded into opening the attachment, which carries the Microsoft Azure logo, and clicking on a link. They are then redirected to a malicious URL from which a password-protected archive is downloaded. This archive contains a WSF (Windows Script File) file. If executed, the Qakbot malware is installed.
Are Internet Macros Dead or Alive?
Fortinet released a report on how threat actors still take advantage of macro-based documents, even though Microsoft blocked Internet macros to increase the security of the product. Even though some threat actors changed their behavior to avoid the use of Office macros, some still rely on them to initiate attacks. In this report, Fortinet reviewed documents used by Emotet, Gozi ISFB, Donot, Confucius, SideCopy APT and other actors.
Ransomware Roundup – Kadavro Vector Ransomware
On 2023-04-14, Fortinet Threat Intelligence, FortiGuard, released a bi-weekly roundup of its ransomware dataset. This report covers variants of Kadavro ransomware.
ALPHV Ransomware Affiliate Targets Vulnerable Backup Installations to Gain Initial Access
Mandiant has discovered a campaign, tracked as UNC4466, which is associated with the ALPHV (also known as BlackCat) ransomware and targets publicly exposed Veritas Backup Exec installations to gain initial access to victim environments. A commercial Internet scanning service has identified over 8,500 exposed Veritas Backup Exec instances, some of which may still be unpatched and vulnerable. This is a shift for ALPHV, which previously relied on stolen credentials for access.
Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector
SentinelOne tracked activity by the APT36 threat actor deploying the Crimson Remote Access Tool (RAT) against India's education sector. APT36, also known as Transparent Tribe, spreads a set of malicious MS Office documents that deploy Crimson RAT, allowing persistent remote access into the compromised infrastructure.
MacStealer: New MacOS-based Stealer Malware Identified
Uptycs has discovered a new macOS stealer called MacStealer that uses Telegram for command-and-control operations. It was discovered during dark web hunting, and it can extract various sensitive information from a victim's system, including documents, browser cookies, and login credentials. The malware affects macOS versions Catalina and later and runs on Intel M1 and M2 CPUs.
Additional Activities of the Tick Group That Attacks with a Modified Q-Dir and Their Ties with Operation Triple Tiang
AhnLab observed additional activities from the Tick Group in Korea and suspects ties with Operation Triple Tiang. AhnLab identified modified Q-Dir and ShadowPY malware variants targeting government agencies, the military and various other industry sectors. Based on similarities in malware techniques and code, AhnLab believes the Tick Group is related to Operation Triple Tiang.
LockBit for Mac | How Real is the Risk of macOS Ransomware?
SentinelOne explores a LockBit ransomware sample uncovered targeting the macOS arm64 architecture. LockBit is a well-known adversary group and ransomware actively used in the wild. The ransomware threat for macOS has been a concern for a couple of months. However, in this particular case, no active LockBit activity has been reported or observed in the wild yet. It seems that this macOS version of the ransomware inherits from LockBit for Linux.
Cyber Espionage in India: Decoding APT-36's New Linux Malware Campaign
The Uptycs threat research team discovered a new Linux malware called Poseidon, deployed by the APT-36 (Transparent Tribe) group from Pakistan. They used a backdoored version of an Indian government-provided 2FA solution, Kavach, to target Linux users in Indian government agencies. Poseidon is a general-purpose backdoor that allows attackers to hijack infected systems. This attack could result in loss of sensitive information, compromised systems, and potential geopolitical repercussions.
Introducing DevOpt: A Multifunctional Backdoor Arsenal
Zscaler has identified a new backdoor called DevOpt which includes multiple functionalities such as a keylogger, stealer, grabber, clipper and persistence mechanisms. The malware was observed on a Russian website where victims are lured into completing a task (which involves downloading the backdoor) in exchange for financial rewards. This backdoor is written in Free Pascal and continuously receives improvements, making it better at evading detection.
BlackBit Ransomware Being Distributed in Korea
AhnLab Security Emergency Response Center (ASEC) has discovered the distribution of BlackBit ransomware disguised as svchost.exe, distributed since September 2022. The ransomware uses .NET Reactor for code obfuscation, likely in an attempt to deter analysis, and shows similarities to LokiLocker ransomware.
Attacks using FlowCloud originating from USB memory
NTT Security released a report regarding the FlowCloud malware used in attacks originating from USB memory devices. This malware is commonly associated with the TA410 group and consists of an executable stored on a USB device. Its execution resembles a legitimate installer, and the goal is to obtain remote access to the victim machine.
Play Ransomware Group Using New Custom Data-Gathering Tools
Symantec has released a report regarding the rise of 2 custom-developed tools used by the Play ransomware group. The first tool, called Grixba, is a .NET-written infostealer developed with the Costura framework. It is primarily used for reconnaissance, since it can enumerate all users and computers in a domain and find which security and backup solutions an infected machine has. The second tool, known as Play (or PlayCrypt), is a .NET ransomware developed using the Costura framework, responsible for exploiting vulnerabilities in Microsoft Exchange and able to encrypt files faster than its traditional counterparts.
SimpleHarm: Tracking MuddyWater's infrastructure
The state-sponsored hacker group MuddyWater, linked to Iran's Intelligence Ministry, has been active in cyber espionage against neighboring countries, using legitimate remote control tools. Some of the legitimate tools used are ScreenConnect, RemoteUtilities, and Syncro; by using these tools, it becomes more difficult to detect their activity with traditional security tools. In fall 2022, the threat actor was found to be using another similar tool, SimpleHelp, in order to maintain persistence on victim devices. In this report, Group-IB aims to convey information related to MuddyWater's infrastructure.
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible
Mandiant released a report about the 3CX supply-chain attack and the initial intrusion vector, which was malicious software downloaded from the Trading Technologies website. In this case, one software supply chain attack led to another software supply chain attack. The first began with a tampered installer for X_TRADER, software provided by Trading Technologies, and the second targeted 3CXDesktopApp, a legitimate softphone application. The threat actor behind this is believed to be UNC4736, which appears to be a North Korean operator.
EvilExtractor – All-in-One Stealer
Fortinet investigated the use of the EvilExtractor malware, which is capable of information stealing and deploying a ransomware named Kodex on Windows devices. This malware was created by a company named Kodex, which claims it is an educational tool. In March 2023, Fortinet observed a phishing campaign involving EvilExtractor in which Python or .NET exe files were attached to certain emails. The malware disguises itself as a legitimate file, but once loaded it starts malicious PowerShell activity. It contains multiple malicious modules, such as defense evasion, keylogging, data collection and the Kodex ransomware.
Daggerfly: APT Actor Targets Telecoms Company in Africa
The Daggerfly APT group, active since at least 2014, has recently targeted a telecommunications organization in Africa, using previously unseen plugins from the MgBot malware framework. The malicious activity was first detected in November 2022 and is believed to be ongoing. The threat actor has been seen using the MgBot modular malware framework and a PlugX loader, along with abusing the legitimate AnyDesk remote desktop software. MgBot and PlugX have been associated with China-linked APTs in the past.
8220 Gang Uses Log4Shell Vulnerability to Install CoinMiner
AhnLab released a report covering the activity of the 8220 Gang threat actor, which takes advantage of Log4Shell on unpatched systems to install CoinMiner. They have been seen exploiting CVE-2022-26134 (an Atlassian Confluence Server vulnerability) in order to mine Monero on vulnerable systems. Lately, they have exploited CVE-2021-44228 (the Log4Shell vulnerability) in VMware Horizon servers, with the same goal of installing the XMRig CoinMiner.
Qakbot Malware Continues to Morph
Cyble has released a report about the increase in the use of OneNote attachments to deliver Qakbot malware. The attack pattern starts with spam emails containing OneNote attachments. When opened, the attachment drops various files on the victim's computer that masquerade the attack (.iso, .chm or .html files). Once these files are opened as well, a PowerShell script is executed with the intent of downloading the Qakbot malware as a DLL. The malware has the capability to steal sensitive data such as login credentials or install other malicious tools.
X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe
Symantec discovered that the North Korean-linked X_Trader software supply chain attack affected not only 3CX but also other organizations. Among the affected targets are two critical infrastructure organizations operating in the energy sector (one in the US and the other in Europe) and two financial trading-related organizations.
ChatGPT-Themed Scam Attacks Are on the Rise
Unit 42 observed, between November 2022 and early April 2023, a 910% increase in monthly domain registrations, along with a staggering 17,818% growth in squatting domains and 118 daily detections of malicious URLs related to ChatGPT. Scammers are taking advantage of its popularity to trick users into downloading malware or sharing sensitive information. Unit 42 presents case studies to highlight various scamming methods, particularly since the release of OpenAI's official API for ChatGPT on March 1, 2023.
Dog Hunt: Finding Decoy Dog Toolkit via Anomalous DNS Traffic
Infoblox released a report regarding Decoy Dog, a toolkit designed to evade detection by using DNS as its C2 channel. Decoy Dog is used by threat actors who employ techniques such as strategic aging of domains, where they register a domain but do not use it immediately in order to avoid detection.
Tomiris called, they want their Turla malware back
SecureList released a report sharing new information about the Tomiris threat actor and its possible ties to Turla. According to the report, Tomiris concentrates on gathering intelligence across Central Asia, targeting CIS (Commonwealth of Independent States) government entities or their respective diplomatic entities in other countries. Their analysis concluded that Tomiris is an agile Russian-speaking threat actor that uses a wide range of malware implants developed in various programming languages. It also frequently experiments with different delivery methods or C2 channels. Despite malware similarities, SecureList believes that Tomiris and Turla are two separate threat actors that sometimes deliberately cooperate.
ViperSoftX Updates Encryption, Steals Data
Trend Micro has released a report regarding the ViperSoftX malware, an information stealer with sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking. The malware is sophisticated, using techniques like WMI Query Language (WQL), DLL sideloading/DLL load order hijacking, PowerShell reflective loading, browser hijacking, and C&C protection. The malware is packaged in software activators, patchers, or keygens, all of which are effective methods for delivering malware to consumers.
RokRAT Malware Distributed Through LNK Files (*.lnk): RedEyes (ScarCruft)
AhnLab released a report stating that the RedEyes threat group (also known as APT37, ScarCruft) recently distributed the RokRAT malware via LNK files. This malware is able to steal credentials and download other malicious software. Previously, it was distributed via HWP and Word files. The recently discovered LNK files contain PowerShell commands that create and execute a malicious script in the temp folder.
EDUCATED MANTICORE – IRAN ALIGNED THREAT ACTOR TARGETING ISRAEL VIA IMPROVED ARSENAL OF TOOLS
Check Point Research has uncovered new findings related to Educated Manticore, an activity cluster closely associated with Phosphorus, an Iran-affiliated threat group known for operating in the Middle East and North America. Educated Manticore has adopted recent trends by using ISO images and other archive files to initiate infection chains. The research reveals an improved infection chain that deploys a new version of the PowerLess implant. The new version of PowerLess shows significant improvements in loading mechanisms, utilizing rarely seen techniques like .NET binary files created in mixed mode with assembly code.
Print Management Software PaperCut Actively Exploited In The Wild
Cyble has released a report regarding CVE-2023-27350 and CVE-2023-27351, 2 vulnerabilities affecting PaperCut that are being exploited in the wild. The 2 vulnerabilities allow attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges. CISA added CVE-2023-27350 to its list of actively exploited vulnerabilities, and users are urged to update their systems. Attackers took advantage of these vulnerabilities to execute PowerShell commands that install the Atera and Syncro remote management software, and the activity has been linked to the Silence threat actor.
Tonto Team Using Anti-Malware Related Files for DLL Side-Loading
AhnLab has been tracking the Tonto Team, a threat group that distributes Bisonal malware and targets Asian countries, including Korean education, construction, diplomatic, and political institutions. They have been using a file related to anti-malware products to execute their malicious attacks and have been involved in the distribution of CHM malware in Korea since 2021, changing their methods to evade detection.
Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack
A WeLiveSecurity blog post showcased 2 campaigns (Operation DreamJob and the 3CX supply-chain attack) and established their link to the Lazarus threat actor by investigating their similarities. The first campaign, studied by several security companies, showed that a trojanized VoIP application developed by 3CX is used to deploy other malware (TAXHAUL, COLDCAT). The second campaign, called Operation DreamJob, uses social engineering to spread malware through LinkedIn job offers. Once a victim downloads an archive supposedly containing a job description, the system is infected with a Go-written loader and a C++ Linux backdoor called SimplexTea. These campaigns were linked to Lazarus because both use the same key for encryption and obfuscation, and the SimplexTea backdoor shares similarities with a Windows backdoor (BADCALL) known since 2017 to be made by Lazarus.
Threat Actor Selling New Atomic macOS (AMOS) Stealer on Telegram
Cyble released a report about a new information stealer malware named Atomic macOS Stealer (AMOS) that is being advertised via a Telegram channel. The threat actor behind this malware constantly makes it more effective by adding improvements and new features. AMOS is able to steal a wide range of sensitive data from the targeted machine including files, keychain passwords, system information or even the macOS password. It can also target various browsers stealing credit card information, passwords, auto-fill information, cookies and wallets.
Evasive Panda APT group delivers malware via updates for popular Chinese software
WeLiveSecurity released a report regarding a campaign in which MgBot was delivered by Evasive Panda against Chinese users. The malware was delivered through updates of legitimate applications. There are 2 compromise scenarios through which the malware could have been delivered, supply-chain compromise or adversary-in-the-middle, both leaving some questions unanswered. MgBot is the backdoor used by this threat actor, and it extends its functionality through plugin modules designed to steal information such as credentials, files and cookies, and to capture audio streams.
Chinese Alloy Taurus Updates PingPull Malware
Unit 42 released a report regarding a new variant of the PingPull malware targeting Linux systems, attributed to Alloy Taurus. During the analysis, the use of a backdoor tracked as Sword2033 was observed, owing to its communication with the same C2 server as PingPull. The C2 domains give the impression of a connection to the South African military, but there is no affiliation between the IPs and the South African government.
ASEC Weekly Malware Statistics (April 17th, 2023 – April 23rd, 2023)
AhnLab released a weekly malware statistics report for April 17th, 2023 – April 23rd, 2023. In the collected data, downloader was first with 61.2%, infostealer second with 30.8%, followed by backdoor with 7.1% and ransomware with 1.0%. The top 5 malware identified were: Amadey, AgentTesla, Formbook, Guloader and njRAT.
Deepwatch Observes Unauthenticated Remote Code Execution Vulnerability Exploitation in Avaya Aura Device Services
Deepwatch released a report regarding the exploitation of an unauthenticated remote code execution vulnerability in Avaya Aura Device Services. The vulnerable software acts as an administrator for endpoints. During an incident response, Deepwatch observed the exploitation of the RCE and the attempts to deliver XMRig cryptocurrency miner to the systems. The exploitation seems to be opportunistic and automated, probably through the Mirai botnet. Earlier this year, an XSS vulnerability was found in the product, but no CVE has been assigned.
Ex-Conti and FIN7 Actors Collaborate with New Backdoor
IBM Security X-Force showcased the collaboration of 2 threat-actor groups in creating a new malware called Minodo. Minodo backdoor campaigns have been observed using the Dave Loader, which researchers have linked to the Trickbot/Conti syndicate (ITG23) and its former members. A second group (labeled ITG14) was linked to this campaign because the backdoor shares similarities with another malware called Lizar. One of Minodo's final payloads is the Project Nemesis infostealer, a framework first advertised on the dark web in December 2021, though rarely used since then. The campaign is complex and utilizes components of different natures (Minodo written in Visual C++, Project Nemesis made in .NET).
Increased exploitation of PaperCut drawing blood around the Internet
Sophos X-Ops MDR and SophosLabs have been monitoring and researching the PaperCut vulnerability CVE-2023-27350, used to deliver Cobalt Strike and remote management software, since April 13, 2023. The vulnerability affects PaperCut MF and NG Application and Site Servers version 8.0 and above across all supported operating systems. A patch was made available on March 8 and Sophos recommends that users apply it as soon as possible on all vulnerable servers.
Threat Source newsletter (April 27, 2023) — New Cisco Secure offerings and extra security from Duo
Talos released its new weekly Threat Source Newsletter (April 27, 2023) including the most prevalent malware observed over the past week. The highlights of the week include the ongoing research of the 3CX supply chain attack, the PaperCut printer management software vulnerability, AI-generated spam and the disruption of dark web networks.
That’s all for April; look out for our May update, coming soon.
And remember you may not be as safe as you think you are. Start using Threat Simulator today so you can stay safe and respond quickly to the latest attacks.
For more information on how we can help you stay safe from the latest threats, check out our ebook https://www.keysight.com/zz/en/library/articles-and-casestudies/ebook/keysight-threat-simulator.html