The threat intelligence stories in this edition of Anomali Cyber Watch cover the following topics: Clipboard Injector, Infostealer, Malvertising, Pay Per Install, Supply Chain, and Vulnerability. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this edition and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
Patch High Severity Vulnerability in WordPress Elementor Pro
(Post date: March 31, 2023)
Balada Injector campaigns have targeted vulnerable website plugins and themes since at least 2017. Their most recent target is WordPress sites running WooCommerce that are exposed through a broken access control vulnerability in Elementor Pro, a popular website builder plugin. The vulnerability is rated high severity (CVSS v3.1: 8.8) and was patched on March 22, 2023, so Balada Injector goes after sites that have not yet applied the update. The attacker creates a new administrator user and injects a script that sends visitors through multi-hop redirects to spam, scam pages, or adware installs.
Analyst Comments: Website administrators should update immediately if Elementor Pro version 3.11.6 or earlier is installed. Use server-side scans to detect unapproved or malicious content. All known indicators related to Balada Injector campaigns are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1587.004 – Develop Capabilities: Exploits | [MITRE ATT&CK] T1190 – Exploit Public-Facing Application
tag: Campaign:Balada Injector, Compromised Website, Redirect, Spam, Scam, Malware Type:Adware, Broken Access Control, Vulnerability, Elementor Pro, WordPress
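The two post-exploitation artifacts described above (a new administrator account and an injected redirect script) are what a server-side scan should look for. The following is an added example written for this page, not Sucuri's or Anomali's tooling; the sample page, the user records and the `.test` hostnames are constructed for the demo, and the patch date is used only as a "registered after this" threshold.

```python
"""Audit a WordPress site for the Balada Injector pattern: unexpected admin
accounts and injected redirect scripts. Added example; all data is constructed."""
from datetime import date
from html.parser import HTMLParser
import re
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


# Client-side redirect idioms typically used by injected scripts.
_REDIRECT_RE = re.compile(
    r"(window\.|document\.|top\.)?location(\.href)?\s*=|location\.replace\(|window\.open\(",
    re.IGNORECASE)


def find_injected_scripts(html, allowed_hosts):
    """Return findings: external scripts from hosts outside the allowlist and
    inline scripts that redirect the visitor. Relative/local scripts are skipped."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external_script", src))
    for body in p.inline:
        if _REDIRECT_RE.search(body):
            findings.append(("inline_redirect", body.strip()[:80]))
    return findings


def suspicious_admins(users, known_admins, patch_date=date(2023, 3, 22)):
    """Flag administrator accounts that are not on the known list or were
    registered on/after the patch date, when exploitation of unpatched sites began."""
    return [u["login"] for u in users
            if u["role"] == "administrator"
            and (u["login"] not in known_admins or u["registered"] >= patch_date)]


# Constructed sample data (invented hostnames use the reserved .test TLD).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/theme.js"></script>
<script src="//stat.tracker-invented.test/count.js"></script>
<script>if(document.referrer){window.location="https://lure-invented.test/go";}</script>
</head><body>hello</body></html>"""

SAMPLE_USERS = [
    {"login": "siteowner", "role": "administrator", "registered": date(2019, 5, 2)},
    {"login": "wp-admin-support", "role": "administrator", "registered": date(2023, 3, 30)},
    {"login": "editor1", "role": "editor", "registered": date(2021, 1, 9)},
]


def audit(html=SAMPLE_PAGE, users=SAMPLE_USERS):
    return {
        "scripts": find_injected_scripts(html, {"cdn.example.com"}),
        "admins": suspicious_admins(users, {"siteowner"}),
    }


if __name__ == "__main__":
    for kind, value in audit().items():
        print(kind, value)
```

In a real deployment the HTML would come from crawling the site's rendered pages (the injection usually lives in the database or theme files, so render rather than read the PHP) and the user list from `wp_users`/`wp_usermeta`; the allowlist should be the site's own CDN and known third-party hosts.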
3CX: A Supply Chain Attack Affecting Thousands of Users Worldwide
(Post date: March 30, 2023)
An unidentified threat group linked to North Korea has trojanized 3CX's DesktopApp, an audio and video calling desktop client with 12 million users in 190 countries. The compromised installers are the recent Windows builds 18.12.407 and 18.12.416 and the macOS builds 18.11.1213, 18.12.402, 18.12.407 and 18.12.416. The Windows installers bundle a clean copy of the application together with malicious DLLs that are loaded through DLL side-loading. The affected macOS versions are compromised in a similar way and contain a trojanized version of the dynamic library libffmpeg.dylib. The final observed payload was an information stealer, with the download chain relying on ICO files hosted in GitHub repositories.
Analyst Comments: Supply chain attacks, such as those leveraging SolarWinds and 3CX, are difficult to defend against. Now that the 3CX compromise has been disclosed, all affected versions should be uninstalled. Google and several security vendors have blocklisted the 3CX code-signing certificate used to sign the affected (and earlier) releases. We recommend that 3CX DesktopApp users run only version 18.12.422 or higher. All known indicators related to this 3CX supply chain attack are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information
signature: Icon_3cx_stealer. YARA by Symantec
tag: 3CX, 3CXDesktopApp, Malware:Icon 3cx Stealer, Malware Type:Infostealer, File Type:DLL, File Type:JSON, File Type:ICO, File Type:DYLIB, Source Country:North Korea, Source Country:KP, Supply Chain, GitHub, Windows, macOS
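Triaging an install base against the version list above has one trap worth showing: the trojanized set is per platform (18.11.1213 is a compromised macOS build but is not on the Windows list), and dotted versions must be compared numerically, not as strings. The script below is an added example, not 3CX's or Anomali's tooling; the host inventory is constructed.

```python
"""Triage 3CX DesktopApp installs: known trojanized build -> uninstall,
anything older than the fixed release -> update, otherwise ok.
Added example; the inventory is constructed."""

# Builds named in the advisory, keyed by platform.
TROJANIZED = {
    "windows": {"18.12.407", "18.12.416"},
    "macos": {"18.11.1213", "18.12.402", "18.12.407", "18.12.416"},
}
FIXED = "18.12.422"  # minimum version recommended after disclosure


def parse_version(v):
    """'18.12.416' -> (18, 12, 416). Tuples compare numerically; as strings
    '18.12.1213' would sort before '18.12.402'."""
    return tuple(int(part) for part in v.strip().split("."))


def triage(platform, version):
    """Classify one install. The trojanized check is platform-specific because
    the same version number can be clean on one platform and backdoored on another."""
    plat = platform.lower()
    if version in TROJANIZED.get(plat, set()):
        return "uninstall"
    if parse_version(version) < parse_version(FIXED):
        return "update"
    return "ok"


# Constructed inventory: (hostname, platform, 3CX DesktopApp version).
INVENTORY = [
    ("ws-01", "windows", "18.12.416"),
    ("ws-02", "windows", "18.12.422"),
    ("ws-03", "windows", "18.11.1213"),  # old Windows build: not trojanized, but outdated
    ("mac-01", "macos", "18.11.1213"),   # same number on macOS is a trojanized build
    ("mac-02", "macos", "18.12.422"),
]


def triage_inventory(inventory=INVENTORY):
    return {host: triage(plat, ver) for host, plat, ver in inventory}


if __name__ == "__main__":
    for host, verdict in triage_inventory().items():
        print(f"{host}: {verdict}")
```

Version numbers alone do not prove a binary is clean: the signing certificate was abused, so hosts that ran an affected build should also be checked against the attached IOCs rather than simply updated.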
Copy-Paste Heist or Clipboard Injector Attacks on Cryptocurrency Users
(Post date: March 28, 2023)
From August 2022 to February 2023, Kaspersky researchers detected a significant increase in clipboard injector campaigns targeting cryptocurrency users. The campaign uses a trojanized version of the Tor Browser. The most targeted country was Russia, where the Tor Project's official website is blocked, followed by Ukraine, the United States and Germany. The victim runs a self-extracting executable that contains a legitimate Tor installer, a command-line RAR extraction tool, and a password-protected RAR archive holding the clipboard injector malware. By infecting over 16,000 users and replacing cryptocurrency wallet addresses in the clipboard, the attackers obtained approximately $400,000 in traceable cryptocurrency and an unknown amount of Monero.
Analyst Comments: Users should only download software from reliable and trustworthy sources. If that is not an option, check downloads with an antivirus and a sandbox. Keep financial activity off devices on which questionable downloads have been run.
MITRE ATT&CK: [MITRE ATT&CK] T1547 – Boot or Logon Autostart Execution | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1565 – Data Manipulation | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information
tag: Malware Type:Clipboard Injector, Target Industry:Cryptocurrency, Enigma packer v4.0, Bitcoin, Litecoin, Dogecoin, ERC-20, Ethereum, Monero, File Type:EXE, File Type:RAR, Tor, Target Country:RU, Target Country:Russia, Target Country:UA, Target Country:Ukraine, Target Country:US, Target Country:USA, Target Country:Germany, Target Country:DE, Windows
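The swap is only dangerous because the replacement looks like a valid address of the same currency, so a guard can work the same way the malware does: recognise address formats and compare what was copied with what is about to be pasted. The block below is an added example, not Kaspersky's code. The clipboard is simulated with a plain variable so it runs offline, the address patterns are format checks only (no checksum validation), and the attacker wallets and the Ethereum address are invented; the Bitcoin address is the public genesis-block address.

```python
"""Detect a clipboard wallet-address swap. Added example; the clipboard is
simulated and the sample wallets (except the BTC genesis address) are invented."""
import re

# Format patterns for the currencies the campaign targeted. Format only, no checksums.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),  # also covers ERC-20 token transfers
    "LTC": re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})$"),
    "DOGE": re.compile(r"^D[5-9A-HJ-NP-U][a-km-zA-HJ-NP-Z1-9]{32}$"),
    "XMR": re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}


def address_type(text):
    """Return the currency whose address format `text` matches, or None."""
    text = text.strip()
    for coin, rx in ADDRESS_PATTERNS.items():
        if rx.match(text):
            return coin
    return None


class ClipboardGuard:
    """Remember what the user last copied and alert when the clipboard now holds
    a different address of the same currency, which is exactly the injector's swap."""
    def __init__(self):
        self.last_copied = None

    def on_copy(self, text):
        self.last_copied = text.strip()

    def check_paste(self, clipboard_now):
        now = clipboard_now.strip()
        before = self.last_copied
        if before is None or before == now:
            return None
        t_before, t_now = address_type(before), address_type(now)
        if t_before and t_now == t_before:
            return {"coin": t_now, "expected": before, "clipboard": now}
        return None


def simulate_injector(clipboard, attacker_wallets):
    """Stand-in for the malware, used only to drive the demo: if the clipboard
    holds an address, substitute the attacker's address of the same type."""
    coin = address_type(clipboard)
    return attacker_wallets.get(coin, clipboard) if coin else clipboard


USER_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # public genesis-block address
USER_ETH = "0x" + "ab" * 20                        # invented
ATTACKER = {"BTC": "bc1q" + "z" * 38, "ETH": "0x" + "ef" * 20}  # invented


def demo():
    """Copy -> (malware swaps) -> paste, for two addresses and one plain string."""
    guard = ClipboardGuard()
    results = []
    for text in (USER_BTC, USER_ETH, "just some text"):
        guard.on_copy(text)
        tampered = simulate_injector(text, ATTACKER)
        results.append(guard.check_paste(tampered))
    return results


if __name__ == "__main__":
    for r in demo():
        print("swap detected:" if r else "clean", r)
```

A guard like this cannot see what the user intended to copy unless it hooks the copy event itself; wiring `on_copy` to the OS clipboard-change notification and `check_paste` to the paste action is platform-specific and left out here.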
MaaS Update: New Threat Delivered via NullMixer
(Post date: March 27, 2023)
The NullMixer malware delivery campaign has been advertising fake software cracks since September 2022. Its newest wave, tracked as ATK-16, targets tech-savvy users and system administrators, luring them into installing backdoored cracked versions of PC maintenance software such as EaseUS Partition Master and Driver Easy Pro. ATK-16 surged in March 2023 and expanded beyond the previously targeted North America (Mexico and the United States) to Italy, Indonesia, France, and other countries. The attackers created YouTube videos that direct viewers to download the backdoored pirated software. The payload is hidden behind a Bitly URL shortener and a Blogspot page. The WinRAR self-extracting archive launches multiple binaries at once, delivered for various actors on a pay-per-install basis: loaders (CrashedTech, Koi, and PseudoManuscrypt), infostealers (Fabookie, RaccoonStealer, and RedLine), and the GCleaner spyware. PseudoManuscrypt has previously been associated with state-sponsored actors based in Asia. Koi loader-stealer (Sqlcmd Loader) is a new malware that likely originates from the Commonwealth of Independent States. Its more advanced features include sending selected memory streams directly to a remote server without writing them to disk before exfiltration, and compressing and then encrypting memory streams before they are sent.
Analyst Comments: As long as individuals continue to download cracked software, threat actors will continue to use it as a distribution method. Companies should restrict these downloads and instead use legitimately licensed software from vendors with dedicated development teams that continually improve it and release new patches. Employees should be well educated about the risks posed by these downloads. The indicators and YARA rules related to the ATK-16 NullMixer campaign are available on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1497.001 – Virtualization/Sandbox Evasion: System Checks | [MITRE ATT&CK] T1560 – Archive Collected Data | [MITRE ATT&CK] T1573 – Encrypted Channel | [MITRE ATT&CK] T1090.002 – Proxy: External Proxy
signature: CrashedTech Loader. YARA by Luca Mella | Sqlcmd Loader. YARA by Luca Mella | Koi Loader. YARA by Luca Mella | Fabookie Stealer. YARA by Luca Mella
tag: campaign:NullMixer, campaign-wave:ATK-16, malware:PseudoManuscrypt, malware:Koi, malware:CrashedTech, malware-type:Loader, malware:RaccoonStealer, malware:RedLine, malware:Fabookie, malware-type:Infostealer, malware:GCleaner, Malware Type:Spyware, Pay Per Install, Malware-as-a-Service, MaaS, Target Region:North America, Target Country:USA, Target Country:US, Target Country:Mexico, Target Country:MX, Target Region:Europe, Target Country:Italy, Target Country:IT, Target Country:France, Target Country:FR, Target Country:ID, Target Country:TR, Source Region:CIS, SEO Poisoning, Social Engineering, Malvertising, target-industry:IT, target-identity:System administrator, EaseUS Partition Master, Driver Easy Pro, YouTube, Bitly, BlogSpot, file type:EXE, PowerShell, ConfuserEx v1.0.0, Windows Embedded, Windows Server, Windows
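The delivery step itself, one self-extracting archive launching several distinct payloads almost simultaneously, is a behaviour a process-creation log can catch regardless of which family is dropped. The following detection logic is an added example written for this page, not from the NullMixer research or the Anomali platform. The events are constructed in a simplified Sysmon Event ID 1 shape, the image paths are invented, and the `%TEMP%\RarSFX<n>` folder is the location WinRAR self-extracting archives use for extraction.

```python
"""Flag a parent process that spawns several distinct executables within a
short window (the NullMixer SFX burst). Added example; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 fields, simplified).
EVENTS = [
    {"ts": "2023-03-20T10:00:00", "pid": 4000, "ppid": 1200, "image": r"C:\Users\u\Downloads\EaseUS_Crack_Setup.exe"},
    {"ts": "2023-03-20T10:00:02", "pid": 4101, "ppid": 4000, "image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\setup1.exe"},
    {"ts": "2023-03-20T10:00:02", "pid": 4102, "ppid": 4000, "image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\svc.exe"},
    {"ts": "2023-03-20T10:00:03", "pid": 4103, "ppid": 4000, "image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\upd.exe"},
    {"ts": "2023-03-20T10:00:04", "pid": 4104, "ppid": 4000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # A benign installer for contrast: one child at install time, another minutes later.
    {"ts": "2023-03-20T11:00:00", "pid": 5000, "ppid": 1200, "image": r"C:\Users\u\Downloads\VendorSetup.exe"},
    {"ts": "2023-03-20T11:00:01", "pid": 5001, "ppid": 5000, "image": r"C:\Program Files\Vendor\app.exe"},
    {"ts": "2023-03-20T11:05:00", "pid": 5002, "ppid": 5000, "image": r"C:\Program Files\Vendor\helper.exe"},
]


def find_spawn_bursts(events, window=timedelta(seconds=10), min_children=3):
    """Group child launches by parent PID and report parents that started at
    least `min_children` distinct images inside any `window`-long span."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append((datetime.fromisoformat(e["ts"]), e["image"]))
    hits = []
    for ppid, children in by_parent.items():
        children.sort()
        for i in range(len(children)):          # sliding window over launch times
            seen = {children[i][1]}
            j = i + 1
            while j < len(children) and children[j][0] - children[i][0] <= window:
                seen.add(children[j][1])
                j += 1
            if len(seen) >= min_children:
                hits.append({"ppid": ppid, "children": sorted(seen)})
                break
    return hits


def enrich(hit):
    """Add context that raises confidence: payloads extracted to a WinRAR SFX
    temp folder, and a PowerShell child (T1059.001 in the technique list above)."""
    imgs = hit["children"]
    hit["sfx_temp"] = any("\\RarSFX" in i for i in imgs)
    hit["powershell"] = any(i.lower().endswith("powershell.exe") for i in imgs)
    return hit


def detect(events=EVENTS):
    return [enrich(h) for h in find_spawn_bursts(events)]


if __name__ == "__main__":
    for hit in detect():
        print(hit)
```

Tune `window` and `min_children` against your own installer baseline; legitimate setup programs usually spawn one or two helpers, while a pay-per-install bundle starts every partner payload at once.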
MacStealer: New macOS-Based Stealer Malware Identified
(Post Date: March 24, 2023)
In March 2023, a new Python-based macOS stealer called MacStealer was advertised on dark web forums. Although still in beta and under active development, it can steal passwords, cookies and credit card data from the Brave, Firefox and Google Chrome browsers, and exfiltrate files and Keychain databases. On launch, MacStealer also attempts to obtain the user's system password by displaying a fake password prompt. Collected data is archived as a ZIP file and exfiltrated via Telegram.
Analyst Comments: MacStealer is a new threat targeting recent macOS versions and is expected to gain new features in the near future. macOS users are advised to install software only from the official App Store or from verified developers. All known indicators related to MacStealer are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1059.004 – Command and Scripting Interpreter: Unix Shell | [MITRE ATT&CK] T1555.001 – Credentials from Password Stores: Keychain | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | [MITRE ATT&CK] T1560 – Archive Collected Data | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols
tag: Malware:MacStealer, Malware-Type:Infostealer, File Type:Mach-O, File Type:DMG, File Type:ZIP, Fake Password Prompt, Python, Telegram, macOS
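Two of the behaviours above are observable on the endpoint independently of any file hash: the fake password prompt and the ZIP upload to Telegram. The checks below are an added example, not from the Uptycs research or Anomali. They assume the prompt is raised through `osascript` with AppleScript's `display dialog ... with hidden answer` (the standard way a script shows a password box on macOS; the page does not say how MacStealer draws its prompt) and that exfiltration goes through the Telegram Bot API (`api.telegram.org/bot<token>/sendDocument`). All log records, PIDs and the bot token are constructed.

```python
"""Detect a scripted fake password prompt and a Telegram Bot API file upload,
then tie them to the same process tree. Added example; all records are constructed."""
import re

# Constructed endpoint-security style records: process executions and outbound HTTP.
PROCESS_LOG = [
    {"pid": 811, "ppid": 790, "parent": "/usr/bin/python3",
     "cmd": 'osascript -e \'display dialog "macOS wants to make changes. Enter your password." default answer "" with hidden answer\''},
    {"pid": 910, "ppid": 1, "parent": "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow",
     "cmd": "osascript -e 'display notification \"Backup complete\"'"},
]
HTTP_LOG = [
    {"pid": 790, "method": "POST", "host": "api.telegram.org",
     "path": "/bot123456:ABCDEF_invented_token/sendDocument",
     "content_type": "multipart/form-data", "upload_name": "collected.zip"},
    {"pid": 455, "method": "GET", "host": "api.telegram.org",
     "path": "/bot987:another_invented_token/getUpdates", "content_type": "", "upload_name": ""},
]

HIDDEN_ANSWER = re.compile(r"display dialog\b.*\bwith hidden answer", re.IGNORECASE)
TELEGRAM_UPLOAD = re.compile(r"^/bot[0-9]+:[A-Za-z0-9_-]+/send(Document|Photo|Video)$")
# Interpreters a stealer script would run under; a signed app or loginwindow would not match.
SCRIPT_PARENTS = ("/usr/bin/python", "/usr/local/bin/python", "/bin/bash", "/bin/zsh", "/bin/sh")


def fake_password_prompts(process_log=PROCESS_LOG):
    """PIDs of osascript password dialogs spawned by a script interpreter."""
    return [p["pid"] for p in process_log
            if "osascript" in p["cmd"] and HIDDEN_ANSWER.search(p["cmd"])
            and p["parent"].startswith(SCRIPT_PARENTS)]


def telegram_exfil(http_log=HTTP_LOG):
    """File uploads to the Telegram Bot API, noting whether the file is an archive."""
    hits = []
    for r in http_log:
        if r["host"] == "api.telegram.org" and r["method"] == "POST" and TELEGRAM_UPLOAD.match(r["path"]):
            name = r["upload_name"]
            hits.append({"pid": r["pid"], "file": name,
                         "archive": name.lower().endswith((".zip", ".tar", ".gz"))})
    return hits


def correlate(process_log=PROCESS_LOG, http_log=HTTP_LOG):
    """Uploads whose sending process is the parent of a fake password prompt:
    the combination is far more specific than either signal alone."""
    prompt_pids = set(fake_password_prompts(process_log))
    prompt_parents = {p["ppid"] for p in process_log if p["pid"] in prompt_pids}
    return [u for u in telegram_exfil(http_log) if u["pid"] in prompt_parents]


if __name__ == "__main__":
    print("prompts:", fake_password_prompts())
    print("uploads:", telegram_exfil())
    print("correlated:", correlate())
```

On a real host the process records would come from Endpoint Security framework or `log stream` data and the HTTP records from a TLS-inspecting proxy or a DNS/flow log (in which case only the `api.telegram.org` destination, not the path, is visible, so the prompt signal carries more of the weight).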