
Anomali Cyber Watch: Brute Ratel C4 Framework Abused to Avoid Detection, OrBit Kernel Malware Patches Linux Loader, Hive Ransomware Gets Rewritten, and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, cyberespionage, India, malspam, ransomware, Russia, spearphishing, and vulnerabilities. The IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 – IOC Summary Chart. This chart summarizes the IOCs attached to this report and gives an overview of the threats discussed.

Trending Cyber News and Threat Intelligence

Targets of Interest | Russian Organizations Increasingly Under Attack by Chinese APTs

(published: July 7, 2022)

SentinelLabs researchers detected another China-backed threat group targeting Russia for cyberespionage. The attack begins with a spearphishing email carrying a malicious Microsoft Office document built with the Royal Road malicious document builder. These documents drop the Bisonal backdoor remote access trojan (RAT). Besides the targeted Russian organizations, the same attackers continue to target other countries, such as Pakistan. The activity is attributed with medium confidence to the China-sponsored Tonto Team (CactusPete, Earth Akhlut).
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to protect against Advanced Persistent Threats (APTs), including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Exploitation for Client Execution – T1203
Tags: China, Source Country:CN, Russia, Target Country:RU, Ukraine, Pakistan, Target Country:PK, Bisonal RAT, Tonto Team, APT, CactusPete, Earth Akhlut, Royal Road, 8.t builder, CVE-2018-0798

OrBit: New Undetected Linux Threat Uses a Unique Execution Flow Hijack

(published: July 6, 2022)

Intezer researchers describe a new Linux malware, OrBit, that was fully undetected at the time of discovery. The malware hooks functions and injects itself into all running processes, but unlike previously described Linux threats it does not rely on the LD_PRELOAD environment variable. Instead it achieves persistence by adding its own path to /etc/ld.so.preload and by patching the loader's own binary so that the malicious shared object is loaded. OrBit hooks SSH-related functions to steal credentials, which it stages and exfiltrates. It evades detection by hooking the functions that enumerate running processes and network connections and filtering their output.
Analyst Comment: Defenders are advised to use network telemetry to detect anomalous SSH traffic associated with OrBit's exfiltration attempts. Consider network segmentation, keeping sensitive data offline, and deploying security tooling as statically linked executables: preload-based hooking only affects dynamically linked programs, so a dynamically linked ps, ss or netstat on an infected host inherits the malware's filtered view.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow – T1574 | [MITRE ATT&CK] Hide Artifacts – T1564 | [MITRE ATT&CK] Data Staged – T1074
Tags: OrBit, Linux, Hooking, Detect:OrBit, Shared Objects, ld.so.preload
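A host check for the two persistence points described above, as an added example written for this page (it is not Intezer's or Anomali's tooling). It is meant to be built with CGO_ENABLED=0 so the resulting static binary does not load the hooked libc, which is the point of the static-linking recommendation. The loader path and the assumption that a stock glibc ld.so carries the NUL-delimited literal /etc/ld.so.preload are mine; the third check compares the kernel's /proc listing against what a dynamically linked ps reports, which is where a hooked readdir() shows up.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strconv"
	"strings"
)

// Assumed layout (not taken from the report): glibc's preload config and the
// x86-64 loader path; adjust for other architectures or libc builds.
const (
	preloadConf   = "/etc/ld.so.preload"
	defaultLoader = "/lib64/ld-linux-x86-64.so.2"
)

// ParsePreload returns the objects listed in ld.so.preload content; glibc
// splits entries on whitespace or ':' and ignores '#' comments. A clean host
// normally has no such file, so every entry deserves review.
func ParsePreload(content string) []string {
	var objs []string
	for _, line := range strings.Split(content, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		objs = append(objs, strings.FieldsFunc(line, func(r rune) bool {
			return r == ' ' || r == '\t' || r == '\r' || r == ':'
		})...)
	}
	return objs
}

// LoaderPatched reports whether the NUL-delimited literal "/etc/ld.so.preload"
// that a stock glibc ld.so carries is missing from the loader image. A loader
// patched to read its preload list elsewhere fails this even when the file is clean.
func LoaderPatched(loader []byte) bool {
	needle := []byte(preloadConf + "\x00")
	for off := 0; ; {
		i := bytes.Index(loader[off:], needle)
		if i < 0 {
			return true
		}
		if off+i == 0 || loader[off+i-1] == 0 {
			return false
		}
		off += i + 1
	}
}

// HiddenPIDs returns PIDs present in the kernel view (/proc listed by this
// static binary via the getdents syscall) but absent from the userland view
// (ps, whose readdir()/fopen() may be hooked). Processes that exit between the
// two snapshots give benign one-off hits, so re-run to confirm.
func HiddenPIDs(kernelView, userView []int) []int {
	seen := make(map[int]bool, len(userView))
	for _, p := range userView {
		seen[p] = true
	}
	var hidden []int
	for _, p := range kernelView {
		if !seen[p] {
			hidden = append(hidden, p)
		}
	}
	sort.Ints(hidden)
	return hidden
}

// toPIDs keeps only the numeric names (PID directories, ps output lines).
func toPIDs(names []string) []int {
	var pids []int
	for _, s := range names {
		if n, err := strconv.Atoi(s); err == nil {
			pids = append(pids, n)
		}
	}
	return pids
}

func main() {
	if data, err := os.ReadFile(preloadConf); err == nil {
		for _, o := range ParsePreload(string(data)) {
			fmt.Printf("SUSPECT preload entry: %s\n", o)
		}
	}
	if img, err := os.ReadFile(defaultLoader); err == nil && LoaderPatched(img) {
		fmt.Printf("SUSPECT loader %s: literal %q missing, likely patched\n", defaultLoader, preloadConf)
	}
	entries, _ := os.ReadDir("/proc")
	var names []string
	for _, e := range entries {
		names = append(names, e.Name())
	}
	out, _ := exec.Command("ps", "-e", "-o", "pid=").Output()
	for _, p := range HiddenPIDs(toPIDs(names), toPIDs(strings.Fields(string(out)))) {
		fmt.Printf("SUSPECT PID %d present in /proc but hidden from ps\n", p)
	}
}
```

Build with `CGO_ENABLED=0 go build` and run it as root on the suspect host. A hit on any of the three checks justifies pulling the listed object and the loader for analysis; comparing the loader's hash against the package manager's records (`dpkg -V` or `rpm -V`) is a cheap second opinion.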

Whatever floats the boat – Bitter APT continues to target Bangladesh.

(published: July 6, 2022)

Bitter (T-APT-17) is a group suspected of being sponsored by the Indian government. Bitter has targeted Bangladesh, China, Pakistan and Saudi Arabia since 2013. Secuinfra researchers describe a new Bitter campaign targeting Bangladeshi military organizations in or around May 2022. The observed infection chain includes malicious Excel files, the ZxxZ (MuuyDownloader) downloader already confirmed in use by the group in early 2022, and a new .NET-based remote access trojan (RAT) called Almond RAT.
Analyst Comment: All users should be informed of the threat of phishing and how to handle email safely. Email security controls should detect and block phishing attempts before users can fall victim to them.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Non-Standard Port – T1571 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Data Transfer Size Limits – T1030 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Data Destruction – T1485
Tags: Bitter, T-APT-17, Almond RAT, ZxxZ, MuuyDownloader, CVE-2018-0798, Government, Military, APT, Bangladesh, Target Country:BD, India, Source Country:IN, Cyberespionage, Equation Editor Exploit

Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector

(published: July 6, 2022; revised: July 7, 2022)

US agencies warn that North Korean state-sponsored actors have been using the Maui ransomware against organizations in the Healthcare and Public Health (HPH) sector since at least May 2021. Through an unidentified initial access vector, the attackers eventually encrypted servers responsible for healthcare services such as diagnostic services, electronic health record services, imaging services and intranet services. Maui ransomware is designed to be manually executed by a remote actor. It uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption.
Analyst Comment: Targeted HPH organizations should avoid paying the ransom; doing so does not guarantee data recovery and may carry sanctions risk. Use technologies such as Transport Layer Security (TLS) to protect personally identifiable information (PII) and protected health information (PHI) in transit, and encrypt data at rest. Only store PII and PHI on internal systems behind a firewall, and keep comprehensive backups available in case data is compromised.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059
Tags: Maui Ransomware, Healthcare, USA, Target Country:US, Ransomware, HPH, North Korea, Source Country:KP, Windows

When Pentest Tools Get Brutal: Red Team Tools Exploited by Malicious Actors

(published: July 5, 2022)

Unit 42 researchers discovered an advanced persistent threat (APT) campaign leveraging a relatively new and stealthy tool, the Brute Ratel C4 (BRc4) adversary-simulation framework. From February 2021 to May 2022 the campaign mainly targeted large virtual private server (VPS) hosting providers in various countries and regions. The BRc4 remote access payload was packaged in a self-contained ISO together with a Windows shortcut (LNK) file, a malicious payload DLL, and a legitimate Microsoft executable that the actors used for DLL search-order hijacking. This packaging is consistent with known Cozy Bear (APT29) tradecraft, but attribution remains unclear.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to protect against APTs, including a focus on both network- and host-based security. Anti-phishing training for staff should also be conducted.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow – T1574 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Obfuscated Files or Information – T1027
Tags: Brute Ratel C4, BRc4, APT29, Cozy Bear, Argentina, Mexico, Ukraine, target-region:North America, target-region:South America, DLL search order hijacking, ISO, LNK, Windows

Hive Ransomware Gets Upgrades in Rust

(published: July 5, 2022)

In February 2022, Korean researchers broke the existing Hive encryption scheme, which may have been the trigger for the rewrite. Five days after that publication, Microsoft observed a new Hive variant with a new, unique cryptographic scheme and other major upgrades. Hive ransomware was completely rewritten from Go to Rust, making reverse engineering harder and providing fast, secure encryption. The new variant stores its strings XOR-encrypted with constants in the .rdata section and decrypts them only at runtime. Hive introduced command-line parameters, including the username and password used to access the Hive ransomware payment website. File encryption uses Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with the ChaCha20 symmetric cipher).
Analyst Comment: Defenders should always consider enforcing MFA on all devices, everywhere. Implement credential hygiene, update automation, and cloud hardening recommendations.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Service Stop – T1489 | [MITRE ATT&CK] Inhibit System Recovery – T1490
Tags: Ransomware, Hive, Rust, Ransomware-as-a-Service, ChaCha20, ECDH, Curve25519, XChaCha20-Poly1305, String Encryption, XOR, Healthcare

IconBurst NPM Software Supply Chain Attack Grabs Data from Apps and Websites

(published: July 5, 2022; updated: July 6, 2022)

ReversingLabs researchers discovered a widespread supply chain attack campaign dubbed IconBurst, based on malicious NPM modules that harvest sensitive data from forms embedded in mobile applications and websites. IconBurst typosquats popular module names to hide malicious, obfuscated modules that use the jQuery ajax() function to exfiltrate serialized form data to attacker-controlled domains. Dating back to December 2021, IconBurst has affected thousands of downstream mobile and desktop applications and websites, exposing their users and visitors to data theft.
Analyst Comment: Developers should be aware of the risk of typosquatting and check for misspelled library names in their code. An organization's defensive posture should account for open source dependencies and the associated supply chain risks.
MITRE ATT&CK: [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Masquerading – T1036
Tags: IconBurst, npm, supply chain, malicious libraries, Typosquatting, jQuery, JavaScript, JavaScript obfuscator, ionic-io
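One concrete form of the dependency review recommended above, as an added example written for this page (not ReversingLabs' detection logic): a checker that parses a package.json and flags dependency names that sit within a couple of edits of a trusted package name without being that name. The trusted list and the sample manifest are constructed; the near-miss names imitate the kind of misspelling the campaign relied on rather than reproducing the actual IconBurst package names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed allowlist of names the project is expected to depend on; in
// practice derive it from lockfile history or an internal registry.
var trustedNames = []string{"ionic-io", "ionicons", "umbrellajs", "jquery", "lodash"}

// Suspect is a declared dependency whose name is close to a trusted name.
type Suspect struct {
	Name, LooksLike string
	Distance        int
}

func minInt(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// editDistance is the optimal-string-alignment distance: a transposition
// ("ioincons") costs one edit, like an insertion, deletion or substitution.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(d[i-1][j]+1, d[i][j-1]+1, d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] && d[i-2][j-2]+1 < d[i][j] {
				d[i][j] = d[i-2][j-2] + 1
			}
		}
	}
	return d[len(ra)][len(rb)]
}

// normalize folds case and strips the separators squatters add or drop
// ("ionic-io" vs "ionicio"), so that pair compares at distance 0.
func normalize(name string) string {
	return strings.NewReplacer("-", "", "_", "", ".", "").Replace(strings.ToLower(name))
}

// FindTyposquats parses package.json text and returns each dependency within
// maxDist edits of a trusted name that is not itself a trusted name. Treat the
// result as a triage list: legitimate look-alikes will appear as well.
func FindTyposquats(packageJSON string, trusted []string, maxDist int) ([]Suspect, error) {
	var pkg struct {
		Dependencies    map[string]string `json:"dependencies"`
		DevDependencies map[string]string `json:"devDependencies"`
	}
	if err := json.Unmarshal([]byte(packageJSON), &pkg); err != nil {
		return nil, err
	}
	var out []Suspect
	for _, deps := range []map[string]string{pkg.Dependencies, pkg.DevDependencies} {
		for name := range deps {
			best, exact := Suspect{Name: name, Distance: maxDist + 1}, false
			for _, t := range trusted {
				if name == t {
					exact = true
					break
				}
				if dist := editDistance(normalize(name), normalize(t)); dist < best.Distance {
					best.LooksLike, best.Distance = t, dist
				}
			}
			if !exact && best.Distance <= maxDist {
				out = append(out, best)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out, nil
}

func main() {
	// Constructed package.json; "ionicio" and "umbrelajs" imitate the kind
	// of misspelling the campaign relied on.
	sample := `{"dependencies": {"ionicio": "^1.0.0", "jquery": "3.6.0", "express": "4.18.1"},
	"devDependencies": {"umbrelajs": "1.0.0"}}`
	suspects, err := FindTyposquats(sample, trustedNames, 2)
	if err != nil {
		panic(err)
	}
	for _, s := range suspects {
		fmt.Printf("%s looks like %s (distance %d)\n", s.Name, s.LooksLike, s.Distance)
	}
}
```

Run it over package.json in CI; to cover transitive dependencies, feed the `packages` map from package-lock.json through the same comparison. Exact trusted names are never flagged, but forks and scoped variants with similar names will be, so the output is a review queue rather than a verdict.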

Observed Threats

Additional information on the threats discussed in this week's Anomali Cyber Watch can be found below.

CVE-2018-0798
Equation Editor in Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, and Microsoft Office 2016 allows a remote code execution vulnerability due to the way objects are handled in memory, also known as "Microsoft Office Memory Corruption Vulnerability".
