The various threat intelligence stories in this iteration of Anomali Cyber Watch cover the following topics: APT, defense evasion, info-stealer, North Korea, spear phishing, and typosquatting. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this magazine and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
Deconstructing Amadey’s latest multi-stage attack and malware distribution
(Post Date: May 5, 2023)
McAfee researchers have detected a multi-stage attack that starts with the trojanized wextract.exe, a Windows executable used to extract files from cabinet (CAB) files. It has been used to deliver AgentTesla, Amadey botnet, LockBit ransomware, Redline Stealer, and other malicious binaries. To evade detection, attackers use obfuscation and disable Windows Defender via the registry, preventing users from turning Windows Defender back on via Defender settings.
Analyst Comments: Threat actors continually adapt to the security environment to remain effective. Behavior-based defenses and social engineering training can help detect new techniques. Users should report suspicious files with double extensions such as .EXE.MUI. Indicators related to this campaign are available on the Anomali platform, and users are encouraged to block these indicators in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1562.001 – Impair Defenses: Disable or Modify Tools | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1486 – Data Encrypted for Impact | [MITRE ATT&CK] T1027 – Obfuscated Files or Information
Tags: Malware:Amadey, Malware Type:Botnet, Malware:RedLine, Malware:AgentTesla, Malware Type:Infostealer, Malware:LockBit, Malware Type:Ransomware, Abuse:Wextract.exe, File Type:CAB, File Type:EXE, File Type:MUI, Target Program:Windows Defender, Target System:Windows
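The two behaviors worth hunting for in the Amadey write-up are the registry write that switches Windows Defender off and the double-extension filenames (.EXE.MUI) the analyst comment asks users to report. The script below is an added example, not code from the report or from McAfee: it runs two simple detection rules over constructed, Sysmon-style log lines. The Defender policy key and the "Disable*" value names are real Windows policy settings; the specific values the campaign writes are not stated on the page, so the sample event is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not from the McAfee report): Sysmon-style registry
# value-set (EventID=13) and process-creation (EventID=1) records, flattened to
# "Key=Value" pairs on one line each.
SAMPLE_EVENTS = [
    "EventID=13 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\wextract.exe "
    "TargetObject=HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware "
    "Details=DWORD (0x00000001)",
    "EventID=13 Image=C:\\Windows\\System32\\svchost.exe "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive "
    "Details=C:\\Users\\alice\\OneDrive.exe",
    "EventID=1 Image=C:\\Users\\alice\\Downloads\\invoice.EXE.MUI "
    "CommandLine=C:\\Users\\alice\\Downloads\\invoice.EXE.MUI",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

# Group Policy key whose "Disable*" DWORD values turn Defender components off
# and grey out the matching toggles in the Defender settings UI (assumption:
# this is the mechanism the campaign uses; the page only says "via the registry").
DEFENDER_POLICY_KEY = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"

# An executable extension hidden behind a final non-executable one, e.g. .EXE.MUI.
DOUBLE_EXT = re.compile(r"\.(exe|scr|com|dll|bat|cmd)\.[a-z0-9]{1,4}$", re.I)

# One "Key=Value" pair; the value runs until the next " Key=" or end of line.
PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split a flattened 'Key=Value Key=Value' record into a dict."""
    return {k: v for k, v in PAIR.findall(line)}


def defender_policy_tampered(ev):
    """Registry write setting a Disable* value under the Defender policy key to 1."""
    if ev.get("EventID") != "13":
        return False
    key, _, value_name = ev.get("TargetObject", "").rpartition("\\")
    if not key.lower().startswith(DEFENDER_POLICY_KEY.lower()):
        return False
    if not value_name.lower().startswith("disable"):
        return False
    m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
    return bool(m) and int(m.group(1), 16) == 1


def double_extension(ev):
    """Process started from a file whose real executable extension is masked."""
    if ev.get("EventID") != "1":
        return False
    return bool(DOUBLE_EXT.search(PureWindowsPath(ev.get("Image", "")).name))


RULES = {
    "defender_policy_disabled": defender_policy_tampered,
    "double_extension_executable": double_extension,
}


def triage(lines):
    """Return (rule_name, image) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Matching on the policy key prefix rather than one value name also catches writes to the Real-Time Protection subkey; on a real estate you would expect legitimate configuration management to set these values too, so the rule is a triage signal to be joined with the writing process, not a standalone alert.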
East Asian Android Attack – FluHorse
(Post Date: May 4, 2023)
Active since May 2022, a newly detected Android stealer named FluHorse imitates popular apps or circulates as a fake dating app. According to Check Point researchers, FluHorse targeted East Asia (Taiwan and Vietnam) and went undetected for several months. This stealth was achieved by keeping the malicious code to a bare minimum and relying on the custom virtual machine that ships with the Flutter user interface software development kit. FluHorse is distributed via emails that prompt recipients to install the app; once installed, it requests the user’s credit card or banking data. Where second-factor authentication is required to commit the bank fraud, FluHorse installs a listener on every incoming SMS message and instructs the user to wait 10-15 minutes while the code is intercepted.
Analyst Comments: FluHorse is a dangerous threat because of its ability to go undetected for months. Users should not install applications by following download links received via email or other messages; the official websites of the companies concerned (banks, toll operators) are the place to verify an app’s authenticity. Indicators related to FluHorse campaigns are available on the Anomali platform for ongoing infections and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1517 – Access Notifications | [MITRE ATT&CK] T1417.002 – Input Capture: GUI Input Capture | [MITRE ATT&CK] T1646 – Exfiltration Over C2 Channel
Tags: Malware:FluHorse, Detection:Stealer.Android.FluHorse.TC, Malware Type:Infostealer, Technology:Custom Virtual Environment, Target Language:Chinese, Target Country:Taiwan, Target Country:Vietnam, Target Region:East Asia, Target Industry:Banking, Abuse:Flutter, Abuse:Dart, Target System:Android
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
(Post Date: May 4, 2023)
The North Korean-backed group Kimsuky (Thallium, Velvet Chollima) has been involved in cyber espionage since at least 2012. SentinelOne researchers describe a new campaign targeting the analytics firm Korea Risk Group, likely part of a wider set of targets spanning Asia, Europe and the US, including government agencies, research universities and think tanks. The attack begins with a carefully crafted spear-phishing email containing a link to a password-protected malicious document with a Microsoft Office macro that runs when the document is closed. The group uses the ReconShark infostealer-downloader, a new variant of its custom BabyShark malware family.
Analyst Comments: Defense in depth is the best way to stay safe from advanced persistent threat (APT) groups. This can include network and endpoint security, social engineering training for employees (such as exercises that help them recognize phishing emails), and strong threat intelligence capabilities. All known indicators related to this Kimsuky campaign are available on the Anomali platform, and customers are encouraged to block these indicators in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1566.002 – Phishing: Spearphishing Link | [MITRE ATT&CK] T1204.001 – User Execution: Malicious Link | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1137.001 – Office Application Startup: Office Template Macros | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1518.001 – Software Discovery: Security Software Discovery | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1059.005 – Command and Scripting Interpreter: Visual Basic | [MITRE ATT&CK] T1059 – Command and Scripting Interpreter | [MITRE ATT&CK] T1105 – Ingress Tool Transfer
Tags: Actor:Kimsuky, Malware:ReconShark, Malware Type:Infostealer, Malware Type:Downloader, Technology:SpearPhishing, Source Country:North Korea, Target Country:South Korea, Abuse:OneDrive, Abuse:WMI, File Type:DOC, File Type:VBS, File Type:HTA, File Type:GIF, File Type:DLL, File Type:DOTM, Target System:Windows
Not an Easter Egg: Google Play’s New Trojan Subscriber Family
(Post Date: May 4, 2023)
A new subscription trojan called Fleckpe, active since 2022, spreads through Google Play via trojanized photo editors, smartphone wallpaper apps, and similar apps. According to Kaspersky researchers, 11 Fleckpe-infected apps from Google Play have been installed on more than 620,000 devices. The campaign focused on Thailand and additionally targeted Indonesia, Malaysia, Poland and Singapore. The infected apps load a heavily obfuscated native library containing a malicious dropper that decrypts and executes a payload stored in the app’s assets. The payload contacts the C2 with the infected device’s country and carrier, and the C2 server returns a paid subscription page that the malware opens in an invisible web browser. Fleckpe then extracts the verification code from the notification and attempts to complete the subscription on the victim’s behalf.
Analyst Comments: All 11 Fleckpe-infected apps have been removed from Google Play, but the actors may be publishing other apps. Indicators are available on the Anomali platform for ongoing infections and historical reference. Users should exercise caution when installing applications and granting additional permissions, and should monitor their statements regularly to identify fraudulent subscriptions.
MITRE ATT&CK: [MITRE ATT&CK] T1406 – Obfuscated Files or Information | [MITRE ATT&CK] T1646 – Exfiltration Over C2 Channel | [MITRE ATT&CK] T1437 – Application Layer Protocol | [MITRE ATT&CK] T1517 – Access Notifications | [MITRE ATT&CK] T1422 – System Network Configuration Discovery
Tags: Malware:Fleckpe, Malware Type:Subscription Trojan, Detection:Trojan.AndroidOS.Fleckpe, Technology:Native Library, Target Country:Thailand, Target Country:Indonesia, Target Country:Malaysia, Target Country:Poland, Target Country:Singapore, Abuse:Google Play, Target System:Android
New KEKW malware variant identified in PyPI package distribution
(Post Date: May 3, 2023)
Cyble researchers have detected a number of malicious packages distributing the KEKW infostealer-clipper through the Python Package Index (PyPI). The packages are shipped in the wheel binary distribution format (WHL file). When executed, the malware installs additional libraries, checks whether it is running in a virtual environment, terminates certain anti-malware and debugging processes, and achieves persistence through startup items. KEKW replaces cryptocurrency wallet addresses on the clipboard and steals cookies, credentials and other sensitive information from a variety of sources, including browsers, popular applications (email, gaming, retail, ridesharing, streaming) and text files.
Analyst Comments: Software developers should be aware of an ongoing index poisoning campaign that relies on typosquatting the names of popular libraries. Once a KEKW-compromised system has been cleaned, affected users are advised to immediately change their passwords, replace compromised bank cards, and take steps to protect their bank and cryptocurrency holdings. Indicators related to this campaign are available on the Anomali platform for ongoing infections and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1047 – Windows Management Instrumentation | [MITRE ATT&CK] T1547 – Boot or Logon Autostart Execution | [MITRE ATT&CK] T1497 – Virtualization/Sandbox Evasion | [MITRE ATT&CK] T1562 – Impair Defenses | [MITRE ATT&CK] T1056 – Input Capture | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1012 – Query Registry | [MITRE ATT&CK] T1082 – System Information Discovery | [MITRE ATT&CK] T1083 – File and Directory Discovery | [MITRE ATT&CK] T1005 – Data from Local System | [MITRE ATT&CK] T1071 – Application Layer Protocol
Tags: Malware:KEKW, Malware Type:Infostealer, Malware Type:Clipper, Abuse:PyPI, File Type:WHL, Target Industry:Cryptocurrency, Target Industry:Bitcoin, Actor:KEKW LTD, Target System:Windows
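The analyst comment on KEKW points at typosquatting of popular library names as the delivery vector. The script below is an added example, not code from Cyble or from the report: it checks a requirements.txt-style list against a list of frequently imitated package names and flags any name that is within a small edit distance of a popular one but is not an exact match. The popular-package list and the sample requirements are constructed for the example; in practice the list would be built from PyPI download statistics, and the distance threshold tuned to your own dependency set.

```python
import re

# Constructed list of frequently imitated package names (assumption: a real
# deployment would use the top-N names from PyPI download statistics).
POPULAR_PACKAGES = [
    "requests", "numpy", "pandas", "urllib3", "setuptools",
    "cryptography", "colorama", "pillow", "beautifulsoup4",
]


def normalize(name):
    """PEP 503 name normalisation: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance counting single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def suspicious(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Return (lookalike, distance) when `name` is a near miss of a popular
    package; None when it is an exact match or not close to any of them."""
    norm = normalize(name)
    candidates = [normalize(p) for p in popular]
    if norm in candidates:
        return None
    dist, lookalike = min(((levenshtein(norm, c), p) for c, p in zip(candidates, popular)),
                          key=lambda t: t[0])
    return (lookalike, dist) if dist <= max_distance else None


def check_requirements(text):
    """Scan requirements.txt-style text; map each suspect name to its lookalike."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment-only, or an option such as "-r other.txt"
        # Strip version specifiers, extras, direct references and markers.
        name = re.split(r"[<>=!~\[;@ ]", line, 1)[0].strip()
        hit = suspicious(name)
        if hit:
            findings[name] = hit
    return findings


# Constructed requirements file with two typosquat-style names mixed in.
SAMPLE_REQUIREMENTS = """\
numpy==1.24.0
reqeusts>=2.0      # transposed letters
colourama          # variant spelling of a real package name
pillow
beautifulsoup4
"""

if __name__ == "__main__":
    for name, (lookalike, dist) in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{name!r} is {dist} edit(s) from popular package {lookalike!r}")
```

A distance threshold of 2 is deliberately loose and will flag some legitimate packages with short names, so the output is a review list for a pre-install or CI gate rather than an automatic block; an allowlist of known-good names that happen to sit near a popular one keeps the noise down.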