The various threat intelligence stories in this iteration of Anomali Cyber Watch cover the following topics: APT, cryptocurrency, data exfiltration, malvertising, packers, Palestine, phishing, ransomware, and software supply chain. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this magazine and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
CryptoClippy speaks Portuguese
(Post Date: April 5, 2023)
Since at least early 2022, opportunistic cryptocurrency clipper campaigns have been targeting Portuguese-speaking users, driving downloads from actor-controlled websites promoted through SEO poisoning and malvertising that abuses Google Ads. The downloaded file impersonates WhatsApp Web and delivers malware called CryptoClippy, whose purpose is to replace cryptocurrency addresses in the victim's clipboard. The first two files in the infection chain are either EXE and BAT or ZIP and LNK. The actors use extensive obfuscation and encryption (RC4 and XOR), log and file sanitization, narrow targeting and thorough user profiling to evade defenses. Their use of the Invoke-Obfuscation obfuscation type could point to Brazil-based attackers.
Analyst Comments: Wallets controlled by the observed actors generated just over $1,000 in revenue, but complex, multi-stage malware could magnify the damage. Users are encouraged to verify recipient information before sending financial transactions. Indicators related to CryptoClippy are available on the Anomali platform. Organizations that publish applications for their customers are invited to use Anomali Premium Digital Risk Protection to uncover rogue and malicious apps that impersonate brands security teams do not normally search for or monitor.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1027 – Obfuscated Files and Information | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1620 – Reflective Code Loading | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1112 – Modify Registry | [MITRE ATT&CK] T1136.001 – Create Account: Local Account | [MITRE ATT&CK] T1070.001 – Indicator Removal: Clear Windows Event Logs | [MITRE ATT&CK] T1070.004 – Indicator Removal: File Deletion | [MITRE ATT&CK] T1055 – Process Injection | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task
tag: Malware:CryptoClippy, Malware Type:Clipper, Google Ads, Traffic Distribution System, SEO Poisoning, WhatsApp, File Type:ZIP, File Type:EXE, File Type:LNK, File Type:BAT, RDP, RC4, XOR, PowerShell, target-industry:Cryptocurrency, Ethereum, Bitcoin, Source Country:Brazil, Source Country:BR, Character Padding, Invoke-Obfuscation, Windows
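The CryptoClippy story above describes a clipper that swaps the cryptocurrency address in the clipboard between copy and paste, and the analyst comment asks users to verify recipient details. The following is an added illustration, not Anomali's code and not taken from the malware analysis: a small clipboard guard that remembers the last address the user copied, compares it with what is about to be pasted, and additionally verifies the Base58Check checksum of legacy Bitcoin addresses. The address regexes, the sample addresses and the wallet families covered (Bitcoin and Ethereum, as listed in the tags) are assumptions made for the example; hooking it into a real clipboard API is left to the reader.

```python
import hashlib
import re

# Base58 alphabet used by legacy Bitcoin addresses (no 0, O, I or l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed address-shape patterns for the coin families named in the story's tags.
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the address family a string looks like, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def base58check_valid(address: str) -> bool:
    """Verify the 4-byte double-SHA256 checksum of a legacy (Base58Check) Bitcoin address."""
    value = 0
    for ch in address:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return False
        value = value * 58 + idx
    # Every leading '1' encodes one leading zero byte of the 25-byte payload.
    leading_zeros = len(address) - len(address.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


class ClipboardGuard:
    """Remember the last address the user copied and flag a differing address at paste time,
    which is exactly the symptom a clipper such as CryptoClippy produces."""

    def __init__(self):
        self.expected = None

    def on_copy(self, text: str) -> None:
        # Only remember clipboard content that looks like a wallet address.
        self.expected = text.strip() if classify_address(text) else None

    def on_paste(self, text: str) -> dict:
        observed = text.strip()
        family = classify_address(observed)
        finding = {"observed": observed, "family": family, "swapped": False, "checksum_ok": None}
        if family == "bitcoin-legacy":
            finding["checksum_ok"] = base58check_valid(observed)
        if self.expected is not None and family is not None and observed != self.expected:
            finding["swapped"] = True
            finding["expected"] = self.expected
        return finding


# Constructed demonstration: the genesis-block address is copied, a different address appears on paste.
GENESIS_ADDRESS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER_LIKE_ADDRESS = "0x" + "ab" * 20  # constructed, not a real wallet


def demo() -> dict:
    guard = ClipboardGuard()
    guard.on_copy(GENESIS_ADDRESS)
    return guard.on_paste(ATTACKER_LIKE_ADDRESS)


if __name__ == "__main__":
    print(demo())
```

The checksum test catches addresses that were mangled or fabricated carelessly, while the copy/paste comparison catches the clipper's actual behaviour: a syntactically valid address that is simply not the one the user chose.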
Mantis: A new tool used in attacks on Palestinian targets
(Post Date: April 4, 2023)
Mantis (also tracked as Arid Viper, Desert Falcon and APT-C-23) is an advanced persistent threat group with Palestinian ties that has been observed since 2011. From September 2022 to February 2023, Mantis ran a new campaign targeting organizations within the Palestinian Territories. The campaign featured a variety of additional tools, including custom versions of the Micropsia and Arid Gopher backdoors, the PuTTY SSH client, and the SetRegRunKey.exe registry-modifying persistence tool. Mantis aggressively changed the logic between backdoor variants, at times swapping versions in the course of an ongoing intrusion.
Analyst Comments: Historically, many Mantis attacks began with spearphishing, so it is important to teach users basic online hygiene and phishing awareness. Watch for suspicious PowerShell executions, suspicious port connections (for example over port 4444) and signs of data exfiltration. All known Mantis indicators related to this campaign are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1560.001 – Archive Collected Data: Archive via Utility | [MITRE ATT&CK] T1027 – Obfuscated Files and Information | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
tag: Actor:Mantis, Malware:Micropsia, Malware Type:Backdoor, Malware:Arid Gopher, PowerShell, PyArmor, PuTTY, SetRegRunKey.exe, Actor:Arid Viper, Actor:Desert Falcon, Actor:APT-C-23, Target Region:Palestine, Source Region:Palestine, Cyberespionage, Data Loss, Delphi, Golang, File Type:EXE, Port:4444, Windows
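The Mantis analyst comment lists three things to watch for: suspicious PowerShell executions, connections over unusual ports such as 4444, and signs of data exfiltration. As an added example (not Anomali's detection content and not derived from the campaign's indicators), the script below runs those three checks over a handful of constructed, key=value style log lines, decoding PowerShell's -EncodedCommand argument so the analyst sees the actual command rather than base64. The log format, the 50 MiB exfiltration threshold and the sample hosts (documentation IP ranges) are all assumptions made for the example.

```python
import base64
import re
import shlex

# Ports the analyst comment singles out; 4444 is a common reverse-shell default.
SUSPICIOUS_PORTS = {4444}
# Outbound volume per flow above which a possible-exfiltration finding is raised (constructed threshold).
EXFIL_BYTES = 50 * 1024 * 1024
# PowerShell's -EncodedCommand switch and its accepted abbreviations, followed by base64 text.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value key="quoted value"' log line into a dict."""
    event = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def decode_powershell(cmd: str):
    """Return the decoded -EncodedCommand payload (base64 over UTF-16LE), or None if absent."""
    match = ENCODED_ARG.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze(lines) -> list:
    """Run the three checks over log lines and return findings in log order."""
    findings = []
    for number, line in enumerate(lines, 1):
        event = parse_event(line)
        if event.get("type") == "net":
            if int(event.get("dport", 0)) in SUSPICIOUS_PORTS:
                findings.append({"line": number, "rule": "suspicious-port",
                                 "detail": f"{event.get('dst')}:{event['dport']}"})
            if int(event.get("bytes_out", 0)) >= EXFIL_BYTES:
                findings.append({"line": number, "rule": "possible-exfil",
                                 "detail": f"{event.get('bytes_out')} bytes to {event.get('dst')}"})
        elif event.get("type") == "proc":
            if event.get("image", "").lower().endswith("powershell.exe"):
                decoded = decode_powershell(event.get("cmd", ""))
                if decoded is not None:
                    findings.append({"line": number, "rule": "encoded-powershell", "detail": decoded})
    return findings


# Constructed sample log; the encoded command is built here so the sample stays self-consistent.
ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "type=net src=10.0.0.15 dst=203.0.113.7 dport=443 bytes_out=1200",
    "type=net src=10.0.0.15 dst=203.0.113.7 dport=4444 bytes_out=900",
    f'type=proc image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    f'cmd="powershell.exe -nop -w hidden -enc {ENCODED}"',
    "type=net src=10.0.0.15 dst=198.51.100.9 dport=443 bytes_out=734003200",
    'type=proc image="C:\\Windows\\explorer.exe" cmd="explorer.exe"',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In production the same logic would sit on Sysmon network-connection and process-creation events rather than on this toy format; the point is that each of the three signals is cheap to check and that decoding the encoded command turns an opaque alert into something an analyst can triage.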
Who Broke NPM?: A Flood of Malicious Packages Leading to Denial of Service
(Post Date: April 4, 2023)
Multiple campaigns, possibly run by the same threat actor, have targeted the npm JavaScript software registry through automated user-account and package creation. In March 2023 the number of package versions published per month rose from 800,000 to over 1.4 million, at times causing denial of service on npm's websites. The threat actors created malicious websites and published attractive package descriptions advertising cracked software along with links to those websites. Users download and run bloated, zero-padded EXE files that start infection chains using DLL side-loading and virtualization/sandbox evasion to disable security tools and firewalls. The delivered payloads are commodity tools such as Glupteba, RedLine, Smoke Loader and xmrig, used to steal credentials and mine cryptocurrency. Additional fraudulent monetization comes from scams using AliExpress referrals and cryptocurrency schemes in Russian-speaking Telegram groups.
Analyst Comments: Open-source libraries and software supply chains are increasingly under attack. These campaigns abuse the reputation of the npm code-sharing ecosystem to promote malicious websites in search engines. As long as individuals continue to download cracked software, threat actors will continue to use it as a distribution method. Such downloads should be restricted by your company: supply legitimate software and educate your employees about these risks. Network indicators related to this latest npm targeting are available on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1027.001 – Obfuscated Files and Information: Binary Padding | [MITRE ATT&CK] T1629.003 – Impair Defenses: Disable or Modify Tools | [MITRE ATT&CK] T1633 – Virtualization/Sandbox Evasion | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1496 – Resource Hijacking | [MITRE ATT&CK] T1499 – Endpoint Denial of Service
tag: npm, Spam, Malware:Glupteba, Malware:RedLine, Malware Type:Infostealer, Malware:Smoke Loader, Detection:xmrig, Malware Type:Miner, Open Source Library, SEO, DoS, AliExpress, Referral Scam, Software Supply Chain, Warez, Cracked, Telegram, Target Country:Russia, Target Country:RU, Target Industry:Cryptocurrency, File Type:EXE, Windows
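The npm story notes that the droppers are "bloated, zero-padded EXE files" (T1027.001, Binary Padding), a trick used to push a sample past the size limits of scanners and sandboxes. As an added example (not Anomali's code and not based on any sample from the campaign), here is a triage check that measures how much of a file is a trailing run of zero bytes and flags it as bloated when the run is both large and a dominant share of the file. The two thresholds and the sample buffers are constructed for the example.

```python
def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the very end of data."""
    stripped = data.rstrip(b"\x00")
    return len(data) - len(stripped)


def padding_report(data: bytes, min_ratio: float = 0.5, min_bytes: int = 1 << 20) -> dict:
    """Summarise how much of a file is trailing zero padding and whether that is enough
    to call the file bloated. Both thresholds are constructed defaults: at least 1 MiB of
    padding that also makes up at least half of the file."""
    run = trailing_zero_run(data)
    ratio = run / len(data) if data else 0.0
    return {
        "size": len(data),
        "is_pe": data[:2] == b"MZ",
        "trailing_zero_bytes": run,
        "padding_ratio": round(ratio, 3),
        "bloated": run >= min_bytes and ratio >= min_ratio,
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for an on-disk file; the report is computed on its raw bytes."""
    with open(path, "rb") as fh:
        return padding_report(fh.read())


# Constructed samples: a small fake executable body, and the same body with 1 MiB of zeros appended.
NORMAL = b"MZ" + bytes(range(256)) * 16
BLOATED = NORMAL + b"\x00" * (1 << 20)

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("bloated", BLOATED)):
        print(label, padding_report(sample))
```

A high padding ratio is not proof of malice on its own (some installers embed large zeroed sections), so the report is meant to prioritise samples for a closer look rather than to block them outright.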
Rorschach – New sophisticated and fast ransomware
(Post Date: April 4, 2023)
In February and March 2023, a new ransomware family called Rorschach was discovered. Rorschach borrows from several advanced ransomware families while remaining unique overall. Its hybrid cryptography and some other routines are inspired by or copied from Babuk. Like LockBit 2.0, it can propagate from Windows domain controllers by automatically creating domain group policies. Finally, Rorschach ransom notes resembled DarkSide's format in some cases and Yanluowang's in others. Rorschach does not brand its ransom note, but the exemption it grants to the Commonwealth of Independent States (CIS) points to its origins. To avoid detection, Rorschach makes direct system calls, locating, storing and then using the relevant system call numbers for NT APIs. Rorschach achieves very fast encryption through an efficient encryption scheme, partial file encryption, effective thread scheduling with I/O completion ports, and compiler optimizations, with most of the code inlined.
Analyst Comments: Rorschach's abuse of the Palo Alto Networks Cortex XDR Dump Service Tool has been reported to the vendor. Network defenders may consider monitoring for new group policies, honeypot/canary files, new scheduled tasks and system setting changes to warn of rogue encryption processes. To limit the autonomy of ransomware, endpoint devices with administrative privileges must be appropriately locked down and the IT network micro-segmented where possible. Ransomware is a constantly evolving threat, and the most fundamental defense is a proper backup and restore process that recovers affected data without having to decrypt it.
MITRE ATT&CK: [MITRE ATT&CK] T1486 – Data Encrypted for Impact | [MITRE ATT&CK] T1490 – Inhibit System Recovery | [MITRE ATT&CK] T1489 – Service Stop | [MITRE ATT&CK] T1070.001 – Indicator Removal: Clear Windows Event Logs | [MITRE ATT&CK] T1070.004 – Indicator Removal: File Deletion | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1027.002 – Obfuscated Files and Information: Software Packing | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1484.001 – Domain Policy Modification: Group Policy Modification
tag: Malware:Rorschach, Malware Type:Ransomware, VMProtect, Source Region:CIS, curve25519, eSTREAM cipher HC-128, I/O Completion Port, Thread Scheduling, Domain Group Policy, Cortex XDR Dump Service Tool, Palo Alto Networks, Destination Country:USA, File Type:EXE, File Type:DLL, File Type:INI, Windows
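The Rorschach story stresses partial file encryption and the analyst comment suggests canary files as an early warning. Partial encryption means a canary can be hit without its whole body turning into ciphertext, so a useful check looks at sampled windows of the file rather than the file as a whole. As an added example (not Anomali's code and not tied to any Rorschach sample), the monitor below baselines each canary by hash and, on change, reports the highest Shannon entropy found in any sampled 4 KiB window. The window size, stride, 7.2 bits/byte alert threshold and the sample contents are constructed for the example; a deterministic SHA-256 stream stands in for real ciphertext so the demo runs offline.

```python
import hashlib
import math
from collections import Counter

WINDOW = 4096         # bytes per sampled window
STRIDE = 64 * 1024    # sample one window every 64 KiB so partial encryption is still seen
ENTROPY_ALERT = 7.2   # bits per byte; documents sit well below this, ciphertext close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def sample_windows(data: bytes):
    """Yield WINDOW-sized slices starting at offset 0 and every STRIDE bytes after that."""
    for offset in range(0, len(data), STRIDE):
        yield data[offset:offset + WINDOW]


class CanaryMonitor:
    """Track canary files by content hash and flag a rewrite whose sampled windows look encrypted."""

    def __init__(self):
        self.baseline = {}

    def register(self, name: str, content: bytes) -> None:
        self.baseline[name] = hashlib.sha256(content).hexdigest()

    def check(self, name: str, content: bytes) -> dict:
        digest = hashlib.sha256(content).hexdigest()
        changed = self.baseline.get(name) != digest
        max_entropy = max((shannon_entropy(w) for w in sample_windows(content)), default=0.0)
        return {
            "name": name,
            "changed": changed,
            "max_window_entropy": round(max_entropy, 3),
            "looks_encrypted": changed and max_entropy >= ENTROPY_ALERT,
        }


# Constructed sample content: a plaintext canary and a pseudo-random stand-in for ciphertext.
CANARY_TEXT = b"Quarterly budget summary - do not modify. " * 400
CIPHERTEXT_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(len(CANARY_TEXT) // 32 + 1)
)[:len(CANARY_TEXT)]


def demo():
    """Return the check results for an untouched canary and for one overwritten with ciphertext."""
    monitor = CanaryMonitor()
    monitor.register("finance/canary.txt", CANARY_TEXT)
    return (
        monitor.check("finance/canary.txt", CANARY_TEXT),
        monitor.check("finance/canary.txt", CIPHERTEXT_LIKE),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

An ordinary edit to the canary changes the hash but leaves the entropy low, so only the combination of "changed" and "high entropy in some window" raises the alarm; that keeps the check quiet when a backup job or an administrator legitimately touches the decoy.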
Rilide: A New Malicious Browser Extension That Steals Cryptocurrency
(Post Date: April 4, 2023)
A new malicious browser extension called Rilide targets cryptocurrency users on Chromium-based browsers. It has been observed delivered through two infection chains: one starting with a malicious macro in a Microsoft Publisher file that delivers the Ekipa RAT, the other through Google Ads pushing the Aurora Stealer payload. The Rilide malware masquerades as a Google Drive extension. It loads additional JavaScript that collects information and submits automatic fund-withdrawal requests in the background, presenting the user with a fake two-factor authentication dialog. This includes editing the withdrawal confirmation email on the fly so that it looks like a device authorization request. Trustwave researchers found that the attackers had been advertising malicious extensions with Rilide-like functionality since at least March 2022, with partial code leaks in February 2023.
Analyst Comments: Users are encouraged to keep an eye on browser extensions and ask questions about unauthorized additions. All known indicators related to Rilide are available on the Anomali platform and customers are encouraged to block these indicators in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1027.002 – Obfuscated Files and Information: Software Packing | [MITRE ATT&CK] T1565.003 – Data Manipulation: Runtime Data Manipulation
tag: Malware:Rilide, Malicious Browser Extensions, Target Industry:Cryptocurrency, Chromium-based browsers, Google Chrome, Microsoft Edge, Brave, Opera, Malware:Ekipa, Malware Type:RAT, Malware:Aurora, Malware Type:Infostealer, Themida, VMProtect, File Type:PUB, File Type:EXE, File Type:JS, File Type:JSON, Malware Type:Loader, PowerShell, Rust, Discord CDN, Malvertising, Google Ads, Actor:gulantin, Macro, Windows
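The Rilide story describes an extension that poses as Google Drive, injects JavaScript into pages and rewrites page and email content on the fly; the analyst comment asks users to keep an eye on their installed extensions. As an added example (not Anomali's code and not a Rilide signature), the audit below reads an extension manifest and reports the capabilities that make such behaviour possible: high-risk permissions, access to every site, content scripts injected everywhere, and a name that borrows a well-known brand. The permission list, brand list, scoring and the sample manifest are constructed for the example; installed_manifests uses the real Extensions/<id>/<version>/manifest.json layout of Chrome and Edge profile directories.

```python
import glob
import json
import os

# Permissions that let an extension read or rewrite everything the user does in the browser (constructed list).
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting", "cookies",
    "debugger", "nativeMessaging", "clipboardRead", "clipboardWrite", "proxy",
    "webNavigation", "tabs", "history",
}
# Match patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Brand names a lookalike extension might borrow; Google Drive is the one the story reports.
IMPERSONATED_BRANDS = ("google drive", "google docs", "metamask", "coinbase")


def audit_manifest(manifest: dict) -> list:
    """Return a list of human-readable findings for one extension manifest (empty if nothing stands out)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # Manifest V2 put host patterns in "permissions"; V3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("host access to all sites")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script injected on all sites (run_at=%s)" % script.get("run_at", "document_idle"))
    name = manifest.get("name", "").lower()
    for brand in IMPERSONATED_BRANDS:
        if brand in name:
            findings.append("name borrows the brand '%s'; verify the publisher out of band" % brand)
            break
    return findings


def risk_level(findings: list) -> str:
    """Coarse triage bucket: three or more findings is high, one or two medium, none low (constructed scale)."""
    if len(findings) >= 3:
        return "high"
    return "medium" if findings else "low"


def installed_manifests(profile_dir: str):
    """Yield (path, manifest) for every unpacked extension version under a Chrome or Edge profile
    directory, e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default on Windows."""
    pattern = os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8") as fh:
            yield path, json.load(fh)


# Constructed manifest modelled on the behaviour the story describes; not Rilide's actual manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Google Drive Helper",
    "version": "1.0.3",
    "permissions": ["scripting", "tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
}

if __name__ == "__main__":
    found = audit_manifest(SAMPLE_MANIFEST)
    print(risk_level(found))
    for line in found:
        print(" -", line)
```

Plenty of legitimate extensions (password managers, ad blockers) will score high here, so the output is a review list for the person or team managing browser policy, not an automatic verdict; pairing it with an allow-list enforced through the browser's enterprise extension policy is the practical mitigation.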