Cymulate’s April 2021 Cyberattacks Wrap-up
Threat actors stepped up their game during April 2021, with ransomware groups finding new ways to increase their profits by putting more pressure on corporate victims. For instance, the DarkSide ransomware group is openly approaching stock traders to offer them inside knowledge of its latest corporate victims, which would allow the traders to short the breached company’s stock before any data is leaked and the breach becomes public. The Babuk ransomware group also changed its business model, moving from ransomware-as-a-service (RaaS) to data theft extortion: the group will still demand a ransom for data stolen from compromised networks, without relying on encrypting the victim’s files.
State-sponsored threat actors were active again. In April, a new malware dubbed PortDoor was used to infiltrate the systems of the Rubin Central Design Bureau for Marine Engineering in Saint Petersburg, an engineering company that designs submarines for the Russian Navy. The threat actors, suspected of working for the Chinese government, used a spear-phishing campaign that followed a familiar pattern:
- The threat actors sent a crafted email to the CEO of the company.
- The email carried an RTF attachment presented as a general description of an autonomous underwater vehicle.
- The attached RTF file was built with RoyalRoad v7, a tool for creating malicious documents that exploit several vulnerabilities in Microsoft’s Equation Editor. RoyalRoad has been linked to Tick, Tonto Team, TA428, Goblin Panda, Rancor and Naikon, all threat actors associated with the Chinese government.
- Once the RTF document was opened, it dropped the PortDoor backdoor into the Microsoft Word startup folder, disguised as the add-in file “winlog.wll”, so that Word loads the backdoor every time it starts.
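The Word startup folder is a quiet persistence location, and the hunt for it is simple: anything Word auto-loads from a STARTUP folder deserves a look, and a `.wll` file is a renamed DLL by definition. The script below is an added example (not Cymulate’s tooling and not from the PortDoor report) that enumerates those folders, hashes each auto-loaded file and flags `.wll` files and anything that carries a PE header regardless of extension. The folder paths it tries are the usual Office defaults and are assumptions; the sample folder it builds when no real one exists is constructed, with a fake `winlog.wll` standing in for the PortDoor drop.

```python
"""Hunt for the Word add-in persistence PortDoor used: a DLL renamed to .wll
and dropped in a Word STARTUP folder. Added example, not the original report's
tooling. The folder locations in default_word_startup_dirs() are the usual
Office defaults and are assumptions; pass your own list if yours differ."""
import hashlib
import os
import tempfile
from pathlib import Path

# File types Word loads automatically from a STARTUP folder.
AUTOLOAD_EXTENSIONS = {".wll", ".dot", ".dotm", ".dotx"}

def default_word_startup_dirs():
    """Per-user and machine-wide Word STARTUP folders (assumed default paths)."""
    dirs = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    for env in ("ProgramFiles", "ProgramFiles(x86)"):
        root = os.environ.get(env)
        if root:
            dirs.extend(Path(root).glob("Microsoft Office/root/Office*/STARTUP"))
    return dirs

def is_pe(path):
    """True if the file starts with the MZ header of a Windows executable."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def scan_word_startup(dirs):
    """One finding per auto-loaded file. A .wll is a DLL that Word will load
    as an add-in, so every .wll is flagged, as is any file whose content is a
    PE image whatever its extension. Allowlist legitimate add-ins by sha256."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if not f.is_file() or f.suffix.lower() not in AUTOLOAD_EXTENSIONS:
                continue
            pe = is_pe(f)
            findings.append({
                "path": str(f),
                "sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
                "is_pe": pe,
                "suspicious": pe or f.suffix.lower() == ".wll",
            })
    return findings

def build_sample_startup_dir():
    """Constructed STARTUP folder for offline runs: a fake winlog.wll with an
    MZ header (stand-in for the PortDoor drop) beside a harmless template."""
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    (d / "winlog.wll").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (d / "Normal.dotm").write_bytes(b"PK\x03\x04" + b"\x00" * 16)
    (d / "readme.txt").write_bytes(b"not loaded by Word")
    return d

if __name__ == "__main__":
    targets = [d for d in default_word_startup_dirs() if d.is_dir()]
    if not targets:                      # not on Windows: use the constructed sample
        targets = [build_sample_startup_dir()]
    for hit in scan_word_startup(targets):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"{flag:10} {hit['sha256'][:16]}  {hit['path']}")
```

Run it on a fleet through your endpoint management tool and compare the hashes against a short allowlist of add-ins you actually deploy; a `.wll` you did not put there is worth pulling for analysis whatever its name.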
When we take a closer look at the malware that was used in cyberattacks during April, we see that it also included multi-purpose malware such as Phorpiex. As one of the oldest and most persistent threats, Phorpiex was also used for distributing other malware payloads such as GandCrab or Avaddon ransomware.
Sysrv-hello also made its presence felt in April. First discovered in December 2020, the malware originally shipped as a single binary that both mined and spread itself; it has since moved to a multi-component architecture with separate miner and worm modules, and it now builds Monero-mining botnets out of both Windows and Linux hosts.

In April, the botnet was actively scanning for vulnerable Windows and Linux enterprise servers to infect with a Monero (XMRig) miner and a self-spreading payload. The propagator component aggressively scanned the Internet for additional vulnerable systems, using exploits for vulnerabilities that allow remote execution of its code. Cloud workloads were targeted for initial access through remote code injection and remote code execution flaws in PHPUnit, Apache Solr, Confluence, Laravel, JBoss, Jira, Sonatype, Oracle WebLogic and Apache Struts. Once a server was compromised, any cryptocurrency miners already present were removed so that the host’s CPU time went to the botnet alone.

Sysrv-hello then moved laterally with brute-force SSH logins, using private keys collected from various locations on the infected server. Target hosts were identified from bash history files, SSH config files and known_hosts files, so every machine the compromised host had previously connected to became a candidate for the next hop.

The Sysrv-hello XMRig mining configuration file contained one of the Monero wallets the botnet uses to collect Monero mined on the F2Pool mining pool. The latest samples spotted in the wild have also added support for the Nanopool mining pool after removing support for MineXMR. In general, crypto mining botnets use more than one wallet linked to multiple mining pools to collect illegally mined cryptocurrency and increase their profits.
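To see how much of a pivot list an infected host hands over, it helps to parse the same three files the worm reads. The script below is an added example, not Sysrv-hello’s code: it extracts ssh/scp destinations from a shell history, `HostName`/`Port` pairs from `~/.ssh/config` and plaintext entries from `known_hosts`, merges them into the list of hosts an attacker would try the stolen keys against, and counts the `known_hosts` entries that `HashKnownHosts yes` kept out of reach. The three sample files are constructed; the function and variable names are the example’s own.

```python
"""Model of the SSH pivot list Sysrv-hello harvests from an infected host.
Added example, not the botnet's code. Sample inputs below are constructed."""
import re

SAMPLE_BASH_HISTORY = """\
ls -la
ssh admin@10.0.0.5
scp build.tar.gz deploy@build01.internal:/tmp/
ssh -i ~/.ssh/id_rsa root@192.168.1.20 -p 2222
"""
SAMPLE_SSH_CONFIG = """\
Host jump
    HostName bastion.example.internal
    User ops
    IdentityFile ~/.ssh/ops_key

Host db*
    HostName db1.example.internal
    Port 2222
"""
SAMPLE_KNOWN_HOSTS = """\
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGV4YW1wbGU=
[192.168.1.20]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB
build01.internal,10.0.0.9 ecdsa-sha2-nistp256 AAAAE2VjZHNh
"""

# ssh/scp flags that consume the next argument, so that argument is not a host.
_OPTS_WITH_ARG = set("bcDEeFIiJLlmOopPQRSWw")

def hosts_from_history(text):
    """ssh/scp destinations in a shell history -> {host: port}."""
    found = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("ssh", "scp"):
            continue
        port, positionals, i = 22, [], 1
        while i < len(tokens):
            tok = tokens[i]
            if tok.startswith("-") and len(tok) > 1:
                flag, inline = tok[1], tok[2:]
                if flag in _OPTS_WITH_ARG:
                    value = inline or (tokens[i + 1] if i + 1 < len(tokens) else "")
                    if flag in "pP" and value.isdigit():   # ssh -p / scp -P
                        port = int(value)
                    if not inline:
                        i += 1            # skip the flag's separate argument
            else:
                positionals.append(tok)
            i += 1
        if tokens[0] == "ssh":
            targets = positionals[:1]     # ssh [opts] [user@]host [cmd]
        else:
            targets = [p.split(":", 1)[0] for p in positionals if ":" in p]
        for t in targets:                 # strip user@ if present
            found[t.rsplit("@", 1)[-1]] = port
    return found

def hosts_from_ssh_config(text):
    """HostName/Port pairs from ~/.ssh/config -> {host: port}."""
    found, blocks = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append({})
        elif blocks and key == "hostname":
            blocks[-1]["hostname"] = value
        elif blocks and key == "port" and value.isdigit():
            blocks[-1]["port"] = int(value)
    for b in blocks:
        if "hostname" in b:
            found[b["hostname"]] = b.get("port", 22)
    return found

def hosts_from_known_hosts(text):
    """Plaintext hosts from known_hosts -> ({host: port}, hashed_entry_count)."""
    found, hashed = {}, 0
    for raw in text.splitlines():
        fields = raw.split()
        if fields and fields[0].startswith("@"):   # @cert-authority / @revoked
            fields = fields[1:]
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("|1|"):            # HashKnownHosts yes: unreadable
            hashed += 1
            continue
        for entry in fields[0].split(","):
            if entry.startswith("!") or any(c in entry for c in "*?"):
                continue                           # negations and patterns
            m = re.fullmatch(r"\[([^\]]+)\]:(\d+)", entry)
            found[m.group(1) if m else entry] = int(m.group(2)) if m else 22
    return found, hashed

def harvest(history, ssh_config, known_hosts):
    """Sorted (host, port) pivot list an attacker gets, plus hidden entry count."""
    merged = {}
    merged.update(hosts_from_history(history))
    merged.update(hosts_from_ssh_config(ssh_config))
    kh, hashed = hosts_from_known_hosts(known_hosts)
    merged.update(kh)
    return sorted(merged.items()), hashed

if __name__ == "__main__":
    targets, hidden = harvest(SAMPLE_BASH_HISTORY, SAMPLE_SSH_CONFIG, SAMPLE_KNOWN_HOSTS)
    for host, port in targets:
        print(f"{host}:{port}")
    print(f"{hidden} known_hosts entry hidden by HashKnownHosts")
```

The practical takeaways are the ones the parser makes visible: `HashKnownHosts yes` removes the easiest source, but `bash_history` and `ssh_config` still leak hostnames, and any unencrypted private key on the box turns that list into working logins. Passphrase-protected keys, an agent on a separate jump host and per-host `authorized_keys` restrictions each cut a link out of this chain.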
Another development we saw in April was SynAck ransomware leveraging Process Doppelgänging. Neither is new; both have been around since 2017. Process Doppelgänging is similar to process hollowing, in which a process is created for the sole purpose of running a malicious executable inside it, fooling the operating system and any deployed security software into classifying the process as legitimate and safe to run. Process Doppelgänging instead abuses Transactional NTFS (TxF): the malicious payload is written over a legitimate file inside an NTFS transaction, an image section is created from that transacted file, the transaction is rolled back so the file on disk returns to its original clean state, and a process is then created from the already-mapped section. The malicious code therefore runs under the name of a legitimate executable while the file on disk never contained it, leaving no trace of the payload on disk for file-based scanners and forensic tools to find. In April, SynAck was using Process Doppelgänging to evade detection and, combined with heavy binary obfuscation, to make analysis difficult. Notably, the Trojan executable was not wrapped in a packer; the obfuscation was built into the code itself.
To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions if it turns out that your organization is indeed vulnerable.
IOCs for these threats are also available in the Cymulate UI.