The threat intelligence stories in this issue of Anomali Cyber Watch cover the following topics: APT, Byte Remapping, Cloud C2, Infostealer, Iran, North Korea, RAT, and Vulnerability. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this issue and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
Chain Reaction: RokRAT’s Missing Link
(Post Date: May 1, 2023)
Starting in 2022, the North Korean-backed group APT37 (Group123, Ricochet Chollima) shifted its delivery method, primarily from malicious documents (maldocs) to payloads hidden inside large LNK files. Check Point researchers identified several infection chains used by the group from July 2022 to April 2023. These chains delivered either one of APT37’s custom tools (GOLDBACKDOOR or ROKRAT) or the commercial malware Amadey. All lures studied appear to be aimed at Korean speakers and carry Korea-related themes.
Analyst Comments: Switching to an LNK-based infection chain lets APT37 require less user interaction, as the chain is triggered by a simple double-click. The group continues to use the tried-and-true ROKRAT, which remains a stealthy tool with additional layers of encryption, cloud-based C2, and in-memory execution. Indicators related to this campaign are available on the Anomali platform and customers are encouraged to block them in their infrastructure.
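As an added illustration of the LNK-based chain described above (this is not Check Point's or Anomali's code), the following Python script walks the MS-SHLLINK structures of a Windows shortcut and reports any bytes appended after the ExtraData TerminalBlock, which is where a shortcut-based dropper carries its hidden payload; the shortcut it inspects is constructed inline, and the `Invoice.pdf` name and `/c echo demo` arguments are made-up sample values.

```python
"""Added example (not Check Point's or Anomali's code): report data appended past the
end of a Windows shortcut's MS-SHLLINK structures, where LNK-based droppers hide payloads."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80

def lnk_structure_end(data: bytes) -> int:
    """Offset just past the ExtraData TerminalBlock, i.e. where a well-formed LNK file ends."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a Shell Link (LNK) file")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (LNK) file")
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                      # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & IS_UNICODE else 1     # StringData fields, in the order the spec fixes
    for bit in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if flags & bit:                            # CountCharacters (2 bytes) + unterminated string
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_size
    while pos + 4 <= len(data):                    # ExtraData blocks; TerminalBlock has BlockSize < 4
        block_size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if block_size < 4:
            return pos
        pos += block_size - 4
    raise ValueError("truncated LNK: no TerminalBlock")

def appended_payload(data: bytes) -> bytes:
    """Bytes trailing the LNK structures. Benign shortcuts have none; a large remainder merits triage."""
    return data[lnk_structure_end(data):]

def build_sample_lnk(arguments: str, payload: bytes = b"") -> bytes:
    """Constructed sample (not a real-world file): a minimal Unicode LNK with NAME and ARGUMENTS strings."""
    flags = HAS_NAME | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(0x4C, b"\x00")
    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + string_data("Invoice.pdf") + string_data(arguments) + struct.pack("<I", 0) + payload

if __name__ == "__main__":
    clean = build_sample_lnk("/c echo demo")
    stuffed = build_sample_lnk("/c echo demo", b"CONSTRUCTED-DECOY" + b"\x00" * 2048)
    for name, blob in (("clean", clean), ("stuffed", stuffed)):
        print(f"{name}: {len(blob)} bytes total, {len(appended_payload(blob))} bytes appended")
```

Running `appended_payload` over the shortcuts in a mail attachment store or quarantine folder and alerting on any non-empty remainder gives a format-aware check that does not depend on a file-size threshold alone.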
MITRE ATT&CK: [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1055 – Process Injection | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1059.005 – Command and Scripting Interpreter: Visual Basic | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1218.011 – System Binary Proxy Execution: Rundll32
Tags: Malware:ROKRAT, mitre-software-id:S0240, Malware-Type:RAT, Actor:Group123, mitre-group:APT37, Actor:Ricochet Chollima, Source Country:North Korea, Source Country:KP, Target Country:South Korea, Target Country:KR, File Type:ZIP, File Type:DOC, File Type:ISO, File Type:LNK, File Type:BAT, File Type:EXE, File Type:VBS, Malware:Amadey, Malware:GOLDBACKDOOR, Malware-Type:Backdoor, Abuse:pCloud, Abuse:Yandex Cloud, Abuse:OneDrive, Abuse:Hangul Word Processor, Abuse:Themida, Target System:Windows
Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware
(Post Date: Apr 26, 2023)
Charming Kitten, an Iran-sponsored group, has been observed using a new dropper implant named BellaCiao. Victims were located in North America (United States), Europe (Austria and Italy), and the Middle East (Israel and Turkey). Initial access was likely gained by exploiting an unconfirmed vulnerability in Microsoft Exchange servers. Charming Kitten installs BellaCiao, sets up persistence for it, and attempts to download two Microsoft Internet Information Services (IIS) backdoors: a native IIS-Raid module for remote command execution and a .NET IIS module for credential theft. BellaCiao reaches the actor-controlled server through a DNS resolution request for a target-specific domain. The resolved IP address is in fact a code that indicates the follow-up action (delete itself, skip, or delete the additional component) and the file path to use. BellaCiao drops either a webshell downloader or the Plink tool, along with a PowerShell script that sets up a reverse proxy.
Analyst Comments: Organizations should keep publicly exposed critical systems, such as Microsoft Exchange servers, updated with the latest security patches. Network indicators related to this campaign are available on the Anomali platform and customers are encouraged to block them in their infrastructure. Anomali customers concerned about risks to their digital assets (including look-alike and typo-squatted domains) can try out Anomali’s premium digital risk protection service.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1071.004 – Application Layer Protocol: DNS | [MITRE ATT&CK] T1070 – Indicator Removal | [MITRE ATT&CK] T1070.004 – Indicator Removal: File Deletion | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1124 – System Time Discovery | [MITRE ATT&CK] T1005 – Data from Local System | [MITRE ATT&CK] T1489 – Service Stop
Tags: Malware:BellaCiao, Malware-Type:Implant, Malware-Type:Dropper, Actor:Charming Kitten, Abuse:IIS-Raid, Malware-Type:Backdoor, Malware-Type:Infostealer, Abuse:Plink, Target Country:IL, Target Country:Israel, Target Country:TR, Target Country:Turkey, Target Country:AT, Target Country:Austria, Target Country:IN, Target Country:India, Target Country:IT, Target Country:Italy, Target Region:Europe, Target Region:Middle East, Target Country:US, Target System:Windows
FIN7 Tradecraft Discovered in Attack on Veeam Backup Server
(Post Date: Apr 26, 2023)
Starting on March 28, 2023, a new wave of attacks targeted Veeam Backup servers exposed on TCP port 9401. The attacks exploit CVE-2023-27532, a high-severity vulnerability in Veeam Backup and Replication (VBR) software. An exploit became available on March 23, 2023, and approximately 7,500 internet-exposed VBR hosts were considered vulnerable. Some of the malware, commands, and overall tactics, techniques, and procedures observed in the attacks were similar to those previously attributed to FIN7. The infection chain comprised multiple stages of malware and scripts, including the DICELOADER backdoor, the DUBLOADER loader, the POWERHOLD persistence-setup script, and the POWERTRASH obfuscated loader.
Analyst Comments: Veeam/VBR users should update their servers with the latest security patches. Since FIN7 intrusions can lead to ransomware or data theft, we recommend blocking the relevant indicators available on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1055.001 – Process Injection: Dynamic-link Library Injection | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Tags: Target:Veeam, Actor:FIN7, Vulnerability:CVE-2023-27532, Tactics:Flanking, Abuse:PowerShell, Malware:POWERTRASH, Malware:POWERHOLD, Malware:DICELOADER, Malware:DUBLOADER, File Type:VBS, File Type:BAT, File Type:EXE, File Type:DLL, File Type:PS1, Open Port:9401, Target System:Windows
Threat actor selling new Atomic macOS (AMOS) stealer on Telegram
(Post Date: Apr 26, 2023)
Cyble researchers have discovered a new infostealer, Atomic macOS Stealer (AMOS), sold through a Telegram channel. This Golang-based malware is delivered as a DMG file that the victim must open. AMOS steals system information, files from the Desktop and Documents folders, keychain passwords, and the macOS password. The stealer targets multiple browsers (Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Vivaldi, and Yandex) and extracts autofill data, passwords, cookies, cryptocurrency wallets, and credit card information. AMOS can also target standalone crypto wallets such as Atomic, Binance, Coinomi, Electrum, and Exodus, as well as more than 50 crypto wallet browser extensions.
Analyst Comments: Users should only download and install software from the official Apple App Store. Be careful not to open unsolicited links. Keep your device, operating system and applications up to date. Indicators related to AMOS are available on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1555.001 – Credentials from Password Stores: Keychain | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | [MITRE ATT&CK] T1005 – Data from Local System | [MITRE ATT&CK] T1539 – Steal Web Session Cookie | [MITRE ATT&CK] T1560 – Archive Collected Data | [MITRE ATT&CK] T1083 – File and Directory Discovery | [MITRE ATT&CK] T1132.001 – Data Encoding: Standard Encoding | [MITRE ATT&CK] T1041 – Exfiltration Over C2 Channel
Tags: Malware:Atomic macOS Stealer, Malware:AMOS, Malware-Type:Infostealer, Abuse:Telegram, Abuse:Golang, File Type:DMG, Target Industry:Cryptocurrency, Target System:macOS
ViperSoftX Updates Encryption, Steals Data
(Post Date: Apr 24, 2023)
First documented in November 2022, the ViperSoftX infostealer received several major updates through April 2023. According to Trend Micro researchers, it has incorporated DLL sideloading into its infection chain and begun using a unique byte-remapping encryption. The actors behind ViperSoftX now replace their second-stage C2 servers monthly and protect their infrastructure with a Domain Generation Algorithm (DGA) and browser traffic blocking. ViperSoftX has focused on stealing cryptocurrencies and has added the KeePass 2 and 1Password password managers to its targets. ViperSoftX campaigns are global: consumer targeting had the greatest impact in Australia, Japan, and the United States, while the corporate sector accounted for over 40% of all victims, with India, Pakistan, and the Philippines the most targeted countries, in that order.
Analyst Comments: As long as individuals continue to download cracked software, threat actors will continue to use it as a distribution method. Organizations should restrict these types of downloads, supply legitimate software, and educate employees about the risks. Network indicators related to the updated ViperSoftX targeting are available on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1568.002 – Dynamic Resolution: Domain Generation Algorithms | [MITRE ATT&CK] T1555.005 – Credentials from Password Stores: Password Managers | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1497 – Virtualization/Sandbox Evasion
Tags: Malware:ViperSoftX, Malware-Type:Infostealer, Detection:TrojanSpy.PS1.VIPERSOFTX, Detection:Trojan.Win64.VIPERSOFTXA, Abuse:PowerShell, Technology:DGA, File Type:DLL, File Type:EXE, Technology:Byte Remapping, Target Country:Australia, Target Country:Japan, Target Country:USA, Target Country:India, Target Country:Pakistan, Target Country:Philippines, Target:KeePass 2, Target:1Password, Target System:Windows