The various threat intelligence stories in this iteration of Anomali Cyber Watch cover the following topics: China, DLL Side-Loading, Living off the Land, Operational Technology, Ransomware, and Russia. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this magazine and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
Viticdoor and CoinMiner by Shadow Force Group
(Post Date: May 27, 2023)
Shadow Force is a threat group that has been targeting South Korean organizations since 2013, primarily attacking Windows servers. Researchers at AhnLab (ASEC) analyzed the group’s activities from 2020 to 2022. Shadow Force activity is relatively easy to detect because the attackers tend to reuse the same filenames for their malware. At the same time, the group’s tooling evolved: after March, files often exceeded 10 MB due to binary packing, and the actors started introducing various cryptocurrency miners and a new backdoor called Viticdoor.
Analyst Comments: Organizations should keep their servers up to date and configured with security in mind. Abnormally high CPU usage and overheating can be signs of resource hijacking for cryptocurrency mining. Network- and host-based indicators related to Shadow Force are available on the Anomali platform, and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1588.003 – Obtain Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1569.002 – System Services: Service Execution | [MITRE ATT&CK] T1059.003 – Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1546.008 – Event Triggered Execution: Accessibility Features | [MITRE ATT&CK] T1543.003 – Create or Modify System Process: Windows Service | [MITRE ATT&CK] T1554 – Compromise Client Software Binary | [MITRE ATT&CK] T1078.001 – Valid Accounts: Default Accounts | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1036.001 – Masquerading: Invalid Code Signature | [MITRE ATT&CK] T1553.002 – Subvert Trust Controls: Code Signing | [MITRE ATT&CK] T1036.004 – Masquerading: Masquerade Task or Service | [MITRE ATT&CK] T1574 – Hijack Execution Flow | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: LSASS Memory | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1087.001 – Account Discovery: Local Account | [MITRE ATT&CK] T1082 – System Information Discovery | [MITRE ATT&CK] T1021.002 – Remote Services: SMB/Windows Admin Shares | [MITRE ATT&CK] T1115 – Clipboard Data | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1219 – Remote Access Software | [MITRE ATT&CK] T1571 – Non-Standard Port | [MITRE ATT&CK] T1565.001 – Data Manipulation: Stored Data Manipulation | [MITRE ATT&CK] T1496 – Resource Hijacking
Tags: Actor:Shadow Force, Malware:Viticdoor, Detection:Backdoor/Win.Viticdoor, Malware Type:Backdoor, Detection:CoinMiner/Win.ShadowForce, Malware Type:Miner, Target Country:South Korea, Target Industry:Government, Target Industry:Politics, Target Industry:IT, Target Industry:Food, Target Industry:Outsourcing, File Type:EXE, File Type:DLL, Target System:Windows Server, Target System:Windows
COSMICENERGY: New OT Malware Possibly Linked to Russian Emergency Response Exercises
(Post Date: May 25, 2023)
Mandiant researchers have discovered a new piece of malware called COSMICENERGY that is specifically designed to target Windows-based operational technology (OT) systems used for power distribution. Like the previously discovered OT malware INDUSTROYER and INDUSTROYER.V2, COSMICENERGY interacts with IEC 60870-5-104 (IEC-104) devices such as Remote Terminal Units (RTUs), which are common in Europe, the Middle East and Asia. COSMICENERGY consists of two disruption tools, PIEHOP and LIGHTWORK. PIEHOP is a Python-based tool that connects to a remote MSSQL server in order to issue commands to the RTU, and LIGHTWORK is a C++ tool that implements the IEC-104 protocol to modify the state of the RTU over TCP, crafting configurable IEC-104 ASDU messages that change the state of RTU information object addresses. Like the earlier OT malware IRONGATE, TRITON and INCONTROLLER, it relies on open-source libraries for its OT protocol implementation.
Analyst Comments: There are indications that COSMICENERGY is a Russian red-team tool still in development, but threat actors regularly adapt and use legitimate tools. Network defenders should monitor the logs of critical systems and look for the execution of packaged Python scripts and the creation of temporary “_MEIPASS” PyInstaller folders. Detect the enabling and use of SQL extended stored procedures for Windows shell command execution. Host-based indicators related to COSMICENERGY are available on the Anomali platform for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T0807 – Command-Line Interface | [MITRE ATT&CK] T0809 – Data Destruction | [MITRE ATT&CK] T0831 – Manipulation of Control | [MITRE ATT&CK] T0855 – Unauthorized Command Message | [MITRE ATT&CK] T1059 – Command and Scripting Interpreter | [MITRE ATT&CK] T1059.006 – Command and Scripting Interpreter: Python | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1070 – Indicator Removal | [MITRE ATT&CK] T1070.004 – Indicator Removal: File Deletion | [MITRE ATT&CK] T1083 – File and Directory Discovery
Signature: PIEHOP – YARA by Mandiant | LIGHTWORK – YARA by Mandiant.
Tags: Malware:COSMICENERGY, Malware:PIEHOP, Malware:LIGHTWORK, Malware Type:Disruption Tool, Abuse:PyInstaller, Abuse:Python, Abuse:C++, Abuse:IRONGATE, Abuse:TRITON, Abuse:INCONTROLLER, File Type:EXE, Abuse:IEC-104, Target System:OT, Target System:Windows
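To make the IEC-104 traffic described in this story concrete, here is an added example (not Mandiant's or Anomali's code) of a minimal IEC 60870-5-104 APDU parser, together with an allow-list check that raises an alert when a control-direction ASDU such as a single command (type ID 45) arrives from a host that is not a known master. That is the T0855 (Unauthorized Command Message) detection a passive network monitor on an RTU segment would perform. The frames, IP addresses and allow-list are constructed for the example, and the function and field names are this example's own.

```python
"""Minimal IEC 60870-5-104 APDU parser plus an allow-list check for control
commands. Added example; the sample frames below are constructed, not captured."""

# Type identifiers for process information in control direction (ASDUs that
# change RTU state). Names per IEC 60870-5-101/104.
CONTROL_TYPE_IDS = {
    45: "C_SC_NA_1 (single command)",
    46: "C_DC_NA_1 (double command)",
    47: "C_RC_NA_1 (regulating step command)",
    48: "C_SE_NA_1 (set-point, normalized)",
    49: "C_SE_NB_1 (set-point, scaled)",
    50: "C_SE_NC_1 (set-point, float)",
    51: "C_BO_NA_1 (bitstring of 32 bits)",
}
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation confirmation",
             10: "activation termination", 20: "interrogated by station"}


def parse_apdu(data: bytes) -> dict:
    """Decode one APDU (APCI header plus optional ASDU); raise ValueError if malformed."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("missing 0x68 start byte or frame too short")
    if data[1] + 2 != len(data):
        raise ValueError("APCI length field does not match frame size")
    c1, c2, c3, c4 = data[2:6]
    if c1 & 0x01 == 0:
        frame = "I"            # information transfer: carries an ASDU
    elif c1 & 0x03 == 0x01:
        frame = "S"            # supervisory: acknowledgement only
    else:
        frame = "U"            # unnumbered control: STARTDT / STOPDT / TESTFR
    apdu = {"frame": frame}
    if frame != "I":
        return apdu
    apdu["send_seq"] = (c1 >> 1) | (c2 << 7)
    apdu["recv_seq"] = (c3 >> 1) | (c4 << 7)
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot_byte, originator = asdu[0], asdu[1], asdu[2], asdu[3]
    apdu.update({
        "type_id": type_id,
        "sq": bool(vsq & 0x80),           # SQ=1: objects share one base IOA
        "num_objects": vsq & 0x7F,
        "cot": cot_byte & 0x3F,
        "cot_name": COT_NAMES.get(cot_byte & 0x3F, "other"),
        "negative": bool(cot_byte & 0x40),
        "test": bool(cot_byte & 0x80),
        "originator": originator,
        "common_addr": asdu[4] | (asdu[5] << 8),
        "is_control": type_id in CONTROL_TYPE_IDS,
        "objects": [],
    })
    # Only the single-byte element types are decoded here: 45 (SCO) and 1 (SIQ).
    body = asdu[6:]
    if type_id in (1, 45) and not apdu["sq"]:
        for i in range(apdu["num_objects"]):
            chunk = body[i * 4:(i + 1) * 4]
            if len(chunk) < 4:
                raise ValueError("information object truncated")
            ioa = chunk[0] | (chunk[1] << 8) | (chunk[2] << 16)   # 3-byte little-endian IOA
            elem = chunk[3]
            obj = {"ioa": ioa}
            if type_id == 45:
                obj["state"] = "ON" if elem & 0x01 else "OFF"     # SCS bit
                obj["select"] = bool(elem & 0x80)                 # S/E bit: 1=select, 0=execute
            else:
                obj["value"] = elem & 0x01                         # SPI bit
            apdu["objects"].append(obj)
    return apdu


def find_unauthorized_commands(observations, allowed_masters):
    """observations: iterable of (source_ip, apdu_bytes). Return one alert per
    control-direction ASDU sent by a host outside the allow-list, and one per
    frame that fails to parse."""
    alerts = []
    for src, raw in observations:
        try:
            apdu = parse_apdu(raw)
        except ValueError as exc:
            alerts.append({"src": src, "reason": f"malformed APDU: {exc}"})
            continue
        if apdu.get("is_control") and src not in allowed_masters:
            alerts.append({"src": src, "type_id": apdu["type_id"],
                           "name": CONTROL_TYPE_IDS[apdu["type_id"]],
                           "cot": apdu["cot_name"], "objects": apdu["objects"]})
    return alerts


# Constructed sample frames (not captured traffic).
SINGLE_COMMAND_ON = bytes.fromhex("680e00000000" "2d0106000100" "64000001")  # type 45, IOA 100, ON
SPONTANEOUS_POINT = bytes.fromhex("680e02000200" "010103000100" "c8000001")  # type 1, IOA 200
TESTFR_ACT = bytes.fromhex("680443000000")                                    # U-frame keepalive

SAMPLE = [("10.0.0.5", SPONTANEOUS_POINT),    # RTU reporting a point change
          ("10.0.0.10", SINGLE_COMMAND_ON),   # the known master issuing a command
          ("10.0.0.77", SINGLE_COMMAND_ON),   # an unexpected host issuing the same command
          ("10.0.0.77", TESTFR_ACT)]

if __name__ == "__main__":
    for alert in find_unauthorized_commands(SAMPLE, allowed_masters={"10.0.0.10"}):
        print(alert)
```

The parser deliberately treats a wrong APCI length or a truncated information object as an alert rather than skipping the frame, since a monitor that silently drops what it cannot decode is blind to exactly the traffic worth examining.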
Buhti: New ransomware operation relies on repurposed payload
(Post Date: May 25, 2023)
Buhti (Blacktail) is a relatively new ransomware operation that targets Windows and Linux systems and uses double extortion. The group has quickly taken advantage of new exploits for initial access and was seen exploiting vulnerabilities in PaperCut NG and MF (CVE-2023-27350) and IBM’s Aspera Faspex file exchange application (CVE-2022-47986). Buhti developed its own custom data exfiltration tool, but for its encryptors the group leverages leaked variants of the LockBit and Babuk ransomware families.
Analyst Comments: Keeping software up to date with the latest security patches is very important for both users and businesses. This includes the operating system and all installed applications. Make sure you have a security solution that can proactively provide comprehensive defense against attackers targeting new vulnerabilities. Host-based indicators related to Buhti campaigns are available on the Anomali platform for detecting persistent infections and for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1005 – Data from Local System | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1486 – Data Encrypted for Impact
Tags: Malware:Buhti, Malware:LockBit, Malware:Babuk, Malware Type:Ransomware, Actor:Blacktail, Actor:Buhti, Malware Type:Breach Tool, Malware:Cobalt Strike Beacon, Malware:Meterpreter, Malware:Cobalt Strike, Malware:Sliver, Abuse:AnyDesk, Abuse:ConnectWise, Target Software:PaperCut, Vulnerability:CVE-2023-27350, Target Software:Aspera Faspex, Vulnerability:CVE-2022-47986, Target System:Windows, Target System:Linux
People’s Republic of China state-sponsored cyber actors live off the land to avoid detection
(Post Date: May 24, 2023)
International cybersecurity authorities (Australia, Canada, New Zealand, the United Kingdom and the United States) recently issued a joint cybersecurity advisory regarding activity attributed to the China state-sponsored threat group Volt Typhoon. The group targeted Windows-based systems across critical infrastructure in the United States, hiding behind previously compromised small office/home office (SOHO) network devices in the target’s geographic area. The group relied primarily on living off the land, using built-in network management tools such as netsh, ntdsutil, PowerShell and the Windows Management Instrumentation Command-line (WMIC). This allows Volt Typhoon to blend its activity into normal system and network traffic while achieving goals such as gathering information about the local host’s storage devices and extracting password hashes from the underlying Active Directory database files. The attackers also used several hacking tools, such as the Earthworm tunneling tool, custom Fast Reverse Proxy (FRP) clients, Impacket, Mimikatz and various remote administration tools.
Analyst Comments: Network defenders must detect suspicious commands and distinguish them from legitimate system administration commands. Activities such as the use of port proxies are uncommon in legitimate system administration and should be used sparingly and only when needed. Detect and investigate potentially suspicious activity using the available indicators and detection signatures.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1047 – Windows Management Instrumentation | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1059.003 – Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1505.003 – Server Software Component: Web Shell | [MITRE ATT&CK] T1546 – Event Triggered Execution | [MITRE ATT&CK] T1070.001 – Indicator Removal: Clear Windows Event Logs | [MITRE ATT&CK] T1003.003 – OS Credential Dumping: NTDS | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1110.003 – Brute Force: Password Spraying | [MITRE ATT&CK] T1003 – OS Credential Dumping | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1082 – System Information Discovery | [MITRE ATT&CK] T1033 – System Owner/User Discovery | [MITRE ATT&CK] T1069.001 – Permission Groups Discovery: Local Groups | [MITRE ATT&CK] T1069.002 – Permission Groups Discovery: Domain Groups | [MITRE ATT&CK] T1016 – System Network Configuration Discovery | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1090.002 – Proxy: External Proxy
Signature: ShellJSP – YARA | EncryptJSP – YARA | Custom FRP Tools by Volt Typhoon – YARA | HACKTOOL_FRPClient – YARA.
Tags: Actor:Volt Typhoon, Target Country:USA, Target Sector:Critical Infrastructure, Source Country:China, Technique:Living off the Land, Malware:Earthworm, Malware:Fast Reverse Proxy, Malware:FRP, Malware Type:Tunneling, Malware:Mimikatz, Abuse:netsh, Abuse:ntdsutil, Abuse:PowerShell, Abuse:wmic, Abuse:Impacket, Open Port:8080, Open Port:8443, Open Port:8043, Open Port:8000, Open Port:10443, Target System:Windows
Lazarus group targeting Windows IIS web servers
(Post Date: May 23, 2023)
The North Korean state-sponsored Lazarus Group has been detected targeting Windows Internet Information Services (IIS) web servers. After gaining access to a misconfigured or vulnerable IIS server, the attacker deploys a DLL side-loading triad (DAT, DLL and EXE files) via the IIS worker process, w3wp.exe. The second stage abuses the open-source Color Picker plugin to side-load additional malware (diagn.dll) and decrypt an information stealer that dumps credentials from LSASS memory. After obtaining system credentials, the Lazarus Group performed internal reconnaissance before moving laterally into the internal network over Remote Desktop Protocol (port 3389).
Analyst Comments: Network defenders are advised to monitor for abnormal process execution relationships. Host-based indicators related to Lazarus Group IIS targeting are available on the Anomali platform for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1070.004 – Indicator Removal: File Deletion | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: LSASS Memory | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information
Tags: MITRE Group:Lazarus Group, Detection:Trojan/Win.LazarLoader, Target Software:IIS Web Server, Abuse:w3wp.exe, Abuse:Salsa20, Open Port:3389, File Type:DLL, File Type:EXE, File Type:DAT, Target System:Windows
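The detection advice in the COSMICENERGY, Volt Typhoon and Lazarus stories above all comes down to reviewing process-creation and file-creation telemetry for a handful of behaviours. The following added example (not Anomali's code or any vendor's rule set) expresses those behaviours as rules over Sysmon-style events: creation of PyInstaller's temporary extraction directory (on disk the folder is named `_MEI` followed by digits; `_MEIPASS` is the attribute PyInstaller sets to point at it), a shell spawned by the SQL Server process (what SQL extended stored procedure command execution looks like from the host), `netsh` port proxies and `ntdsutil` IFM exports of the Active Directory database, and a shell spawned by the IIS worker process w3wp.exe. All events are constructed samples; the rule names and the `Event` field names are this example's own.

```python
"""Rule-based review of Windows process-creation (Sysmon Event ID 1) and
file-creation (Sysmon Event ID 11) telemetry for the behaviours called out in
this digest. Added example with constructed events; not a vendor rule set."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str                  # "process" or "file"
    image: str = ""            # process started, or the process that created the file
    parent_image: str = ""     # parent of the started process ("process" events only)
    command_line: str = ""
    target: str = ""           # path created ("file" events only)


def _base(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Interpreters and LOLBins that an SQL Server or IIS worker process should not spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "mshta.exe", "certutil.exe"}

# (rule name, ATT&CK technique, predicate). Rule names are this example's own.
RULES = [
    ("pyinstaller_temp_extract", "T1027.002",
     lambda e: e.kind == "file"
     and re.search(r"\\_MEI\d+\\", e.target, re.IGNORECASE) is not None),
    ("mssql_spawns_shell", "T1059.003",
     lambda e: e.kind == "process"
     and _base(e.parent_image) == "sqlservr.exe" and _base(e.image) in SHELLS),
    ("netsh_portproxy", "T1090",
     lambda e: e.kind == "process" and _base(e.image) == "netsh.exe"
     and re.search(r"\bportproxy\b", e.command_line, re.IGNORECASE) is not None),
    ("ntdsutil_ifm_export", "T1003.003",
     lambda e: e.kind == "process" and _base(e.image) == "ntdsutil.exe"
     and re.search(r"\bifm\b", e.command_line, re.IGNORECASE) is not None),
    ("iis_worker_spawns_shell", "T1505.003",
     lambda e: e.kind == "process"
     and _base(e.parent_image) == "w3wp.exe" and _base(e.image) in SHELLS),
]


def evaluate(events):
    """Return (event index, rule name, technique) for every rule each event trips."""
    return [(i, name, technique)
            for i, ev in enumerate(events)
            for name, technique, pred in RULES if pred(ev)]


# Constructed sample telemetry (not real logs); indexes 0 and 6 are benign controls.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\svchost.exe",
          parent_image=r"C:\Windows\System32\services.exe",
          command_line="svchost.exe -k netsvcs"),
    Event("file", image=r"C:\ProgramData\update\monitor.exe",
          target=r"C:\Users\oper\AppData\Local\Temp\_MEI49162\python39.dll"),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
          command_line="cmd.exe /c whoami"),
    Event("process", image=r"C:\Windows\System32\netsh.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.0.8 connectport=443"),
    Event("process", image=r"C:\Windows\System32\ntdsutil.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line=r'ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\out" q q'),
    Event("process", image=r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Windows\System32\inetsrv\w3wp.exe",
          command_line="cmd.exe /c whoami"),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line="powershell.exe -NoProfile Get-Process"),
]

if __name__ == "__main__":
    for idx, rule, technique in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{technique}] {rule}: {ev.command_line or ev.target}")
```

Note that PowerShell on its own (event 6) trips nothing: the living-off-the-land point in the Volt Typhoon story is that the tools are legitimate, so the rules key on the parent-child relationship or on the specific sub-command (portproxy, ifm) rather than on the binary name alone.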