The various threat intelligence stories in this iteration of Anomali Cyber Watch cover the following topics: advance-fee fraud, cyberespionage, extortion, infostealers, SQL injection, traffic direction systems, and vulnerabilities. IOCs related to these stories are attached to the Anomali Cyber Watch and can be used to check logs for potentially malicious activity.
Figure 1 – IOC summary chart. This chart summarizes the IOCs attached to this magazine and provides a glimpse into the threats discussed.
The latest cyber news and threat intelligence
It’s time to patch your MOVEit Transfer solution again!
(Published: June 12, 2023)
On June 9, 2023, Progress Software discovered additional SQL injection vulnerabilities that could be used by an unauthenticated attacker to retrieve data from the MOVEit Transfer database. The company released a patch to address the new vulnerabilities and deployed it to all MOVEit Cloud clusters. The Cl0p cyber-extortion gang is actively exploiting another recently disclosed MOVEit Transfer vulnerability (CVE-2023-34362), targeting a wide variety of organizations, from small businesses to large corporations, in many sectors around the world. Aer Lingus, the BBC, Boots, British Airways, the Nova Scotia provincial government (Canada), and Zellis are among the victim organizations. Kroll researchers found evidence of similar activity in April 2022 and July 2021, which indicates that the attackers were testing access to organizations and pulling information from MOVEit Transfer servers to identify which organizations they had access to.
Analyst Comments: MOVEit Transfer 2020.0.x (12.0) or earlier versions must be upgraded to a supported version. For the latest versions, apply the security patch provided by Progress Software after June 10, 2023 (link). Organizations should ask their vendors, especially vendors that process data on their behalf, whether their services use MOVEit, check for compromise, and ensure they are up to date with the recommended mitigations and patches.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1560.001 – Archive Collected Data: Archive via Utility
Tags: Target Software:MOVEit Transfer, Vulnerability:CVE-2023-34362, Target Country:Canada, Target Country:USA, Actor:Cl0p, Technique:SQL Injection, Threat Type:Data Exfiltration, Threat Type:Extortion, Target Country:United Kingdom, Target System:Windows
Infected Minecraft mods lead to multi-stage, multi-platform infostealer malware
(Published: June 9, 2023)
A new four-stage infostealer called Fractureiser has been identified in several Minecraft mods and plugins hosted by the CurseForge and Bukkit modding communities. Starting in April 2023, the malware spread via malicious updates pushed from compromised accounts and has been downloaded millions of times. Fractureiser primarily targeted both Windows and Linux systems located in the United States. A final-stage attempt to escape the sandbox via persistent clipboard poisoning was observed on Windows Sandbox instances, which are often used for mod testing. Fractureiser steals cookies and login data from browsers, steals Minecraft and Discord authentication tokens, and swaps cryptocurrency wallet addresses.
Analyst Comments: Since malware can manipulate data and change payment details in the clipboard or in messages, it is important to double-check payment information (including through alternative channels such as a phone call) to detect and prevent possible losses. All known Fractureiser indicators are available on the Anomali platform and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1195 – Supply Chain Compromise | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] T1565 – Data Manipulation | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | [MITRE ATT&CK] T1539 – Steal Web Session Cookie | [MITRE ATT&CK] T1553.006 – Subvert Trust Controls: Code Signing Policy Modification
Tags: Malware:Fractureiser, Malware-Type:Infostealer, Detection:Trojan.Java.Fractureiser, Target-Identity:Minecraft Users, Technique:Supply Chain Compromise, Technique:Sandbox Escape, Target Country:USA, File Type:DLL, File Type:EXE, File Type:JAR, Target System:Linux, Target System:Windows
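As an added illustration of the clipboard-poisoning behaviour described in the Fractureiser story and of the double-checking the analyst comment recommends (example code written for this digest, not Anomali's or the researchers' own), the following Python compares successive clipboard reads and flags a wallet address that was replaced by a different address shortly after it was copied. The address regexes, the time window and the clipboard history are constructed assumptions; a live monitor would feed real clipboard reads into the same function.

```python
import re
from dataclasses import dataclass

# Wallet-address shapes used by this example (constructed, not exhaustive):
# Bitcoin base58 (legacy/P2SH), Bitcoin bech32, and Ethereum hex addresses.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return which wallet-address family a clipboard value resembles, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

@dataclass
class Snapshot:
    ts: float   # time the clipboard was read, in seconds
    text: str   # clipboard contents at that moment

def detect_clipboard_swaps(snapshots, window=5.0):
    """Flag transitions where one wallet address is replaced by a different
    address of the same family within `window` seconds of the original copy.
    A clipper rewrites the clipboard right after the user copies an address,
    so that is the signal; copying something unrelated resets the comparison."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        prev_kind, cur_kind = address_kind(prev.text), address_kind(cur.text)
        if prev_kind is None or cur_kind != prev_kind:
            continue
        if prev.text.strip() != cur.text.strip() and cur.ts - prev.ts <= window:
            alerts.append({"kind": cur_kind, "original": prev.text.strip(),
                           "replaced_with": cur.text.strip(),
                           "seconds": round(cur.ts - prev.ts, 2)})
    return alerts

# Constructed clipboard history (synthetic addresses, not real wallets): the user
# copies a BTC address and 0.3 s later the clipboard holds one they never copied.
SAMPLE_HISTORY = [
    Snapshot(100.0, "meeting notes"),
    Snapshot(101.0, "1VictimAddr" + "A" * 23),
    Snapshot(101.3, "1AttackerAddr" + "A" * 21),
    Snapshot(130.0, "0x" + "A" * 40),
]
```

Running `detect_clipboard_swaps(SAMPLE_HISTORY)` on the constructed history returns a single alert for the BTC address replaced 0.3 seconds after it was copied; the later ETH address is not flagged because nothing of the same family preceded it.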
Asylum Ambuscade: Crimeware or Cyberespionage?
(Published: June 8, 2023)
Asylum Ambuscade is a cybercriminal group that has been carrying out both cybercrime and cyberespionage operations since at least 2020, targeting all inhabited continents. The cybercrime activity usually begins with malicious redirects triggered by malicious Google Ads or by a specific traffic direction system called 404 TDS. The most targeted regions were North America (the US, followed by Canada) and Europe (especially Germany); victims included cryptocurrency traders, individuals and various small and medium-sized businesses. The Asylum Ambuscade cyberespionage operations targeted government entities in Europe and Central Asia with malicious spearphishing attachments. The subsequent infection stages are similar for both types of campaign: an MSI package installs a first-stage downloader (SunSeed), followed by a second-stage downloader (AHKBOT, NODEBOT) and various downloaded plugins for screenshots, password stealing and other activity. To evade detection, the group rewrites its plugins and downloaders in other languages such as AutoHotkey, JavaScript, Lua, Python, Tcl and VBS.
Analyst Comments: Many advanced attacks start with basic techniques such as unsolicited emails with malicious attachments that require the user to open them and enable macros. It’s important to teach users basic online hygiene and awareness of phishing attachments and malicious Google Ads. Indicators related to the recent (Q1 2022-2023) Asylum Ambuscade campaigns are available on the Anomali platform and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1583.003 – Acquire Infrastructure: Virtual Private Server | [MITRE ATT&CK] Resource Development – Develop Capabilities: Malware [T1587.001] | [MITRE ATT&CK] T1189 – Drive-by Compromise | [MITRE ATT&CK] T1566.001 – Phishing: Spearphishing Attachment | [MITRE ATT&CK] T1059.005 – Command and Scripting Interpreter: Visual Basic | [MITRE ATT&CK] T1059.006 – Command and Scripting Interpreter: Python | [MITRE ATT&CK] T1059.007 – Command and Scripting Interpreter: JavaScript | [MITRE ATT&CK] Picus Security: Most Used ATT&CK Technique – T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | [MITRE ATT&CK] T1087.002 – Account Discovery: Domain Account | [MITRE ATT&CK] T1010 – Application Window Discovery | [MITRE ATT&CK] T1482 – Domain Trust Discovery | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1518.001 – Software Discovery: Security Software Discovery | [MITRE ATT&CK] Picus: System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1016 – System Network Configuration Discovery | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1115 – Clipboard Data | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1041 – Exfiltration Over C2 Channel
Tags: Actor:Asylum Ambuscade, Malware:AHKBOT, Malware:NODEBOT, Malware-Type:Downloader, Malware-Type:Infostealer, Malware:SunSeed, Malware:Cobalt Strike, Malware-Type:RAT, Target Region:North America, Target Region:Europe, Target Region:Central Asia, Abused:Lua, Abused:Python, Abused:Tcl, Abused:VBS, Vulnerability:Follina, Vulnerability:CVE-2022-30190, File Type:AHK, File Type:DLL, File Type:DOC, File Type:EXE, File Type:Excel, File Type:MSI, File Type:JS, Target System:Windows
Stealth Soldier backdoor used in targeted espionage attacks in North Africa
(Published: June 8, 2023)
Check Point researchers have identified an ongoing espionage campaign against targets in North Africa involving a previously undisclosed modular backdoor called Stealth Soldier. The malware is most likely delivered via social engineering, and the infection chain includes six additional file downloads. Stealth Soldier regularly checks for updates and supports features such as keystroke logging, screenshot and microphone recording, and file exfiltration. The malware was observed targeting government entities in Libya from October 2020 to February 2023. Its hosting infrastructure and domain naming conventions overlap with the 2019 Eye on the Nile campaign against Egyptian civil society.
Analyst Comments: Stealth Soldier tends to reuse previously detected infrastructure and uses hard-coded XOR keys and specific HTTP POST headers. Network defenders should educate users to be aware of social engineering such as spearphishing. All known Stealth Soldier indicators are available on the Anomali platform and customers are encouraged to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Defense Evasion – Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] T1053.005 – Scheduled Task/Job: Scheduled Task | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] Discovery – File and Directory Discovery [T1083] | [MITRE ATT&CK] T1005 – Data from Local System | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials from Web Browsers | [MITRE ATT&CK] T1112 – Modify Registry
Tags: Malware:Stealth Soldier, Malware-Type:Backdoor, Detection:Trojan.Wins.StealthSoldier, Detection:Backdoor.WIN32.StealthSoldier, Malware-Type:Downloader, Malware-Type:Loader, Target Country:Libya, Target Region:North Africa, Abused:.NET, Abused:PowerShell, File Type:EXE, File Type:TXT, Target System:Windows
Impulse Team’s Massive Cryptocurrency Scam Went Almost Undetected for Years
(Published: June 6, 2023)
Russian-speaking threat actors calling themselves Impulse Team have been running large-scale affiliate cryptocurrency fraud campaigns since at least January 2021, and possibly as far back as 2016. Trend Micro researchers identified more than 1,000 websites operated by various affiliates, who receive a percentage of the proceeds through an affiliate program called the Impulse Project. The scam is an advance-fee scam that tricks victims into believing they have won a certain amount of cryptocurrency and must pay a smaller fee to open an account on the website. Different affiliates used different domain registration methods and different social engineering delivery methods, including Twitter and Mastodon private messages, TikTok videos and advertisements.
Analyst Comments: Users should be especially wary of clicking on questionable ads and links sent directly through private messages on social media. Research advertised companies and be skeptical of opportunities that seem too good to be true. All known domains associated with this campaign are available on the Anomali platform and customers are encouraged to block them in their infrastructure.
Tags: Actor:Impulse Team, Affiliate Program:Impulse Project, Target Industry:Cryptocurrency, Abused:Twitter, Abused:Mastodon, Abused:TikTok, Threat Type:Fraud, Technique:Advance Fee Scam