Here is the October 2023 breakdown of threats, with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.
Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.
Note: The period character ‘.’ in the hash names has been replaced with a ‘·’ out of an abundance of security caution.
Unit 42 researchers have identified an active campaign we are calling EleKtra-Leak which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories.
As a result, the threat actor behind the campaign was able to create multiple AWS Elastic Compute Cloud (EC2) instances, which they used for wide-ranging and long-lasting cryptojacking operations.
We believe these operations have been active for at least two years and are still active today.
Security researchers have discovered a new Linux malware called BiBi-Linux Wiper, a malicious x64 ELF executable lacking protection measures.
It can potentially destroy an entire operating system when executed with root permissions.
The malware allows attackers to specify target folders, uses the “nohup” command to mitigate its extensive output, and employs multiple threads and a queue to corrupt files concurrently, making it faster and more widespread.
BiBi-Linux Wiper overwrites and renames files with a random string containing “BiBi” and excludes certain file types from corruption.
Unlike other malware, it doesn't establish communication with remote servers or employ encryption for data theft.
Instead, it corrupts files by overwriting their contents with random data, rendering them unusable.
StripedFly is a sophisticated modular malware framework compatible with both Linux and Windows.
It utilizes a built-in TOR network tunnel for communication with command servers, updates via trusted platforms like GitLab, GitHub, and Bitbucket, and employs custom encrypted archives.
This malware has evaded detection for five years, infecting over a million Windows and Linux systems.
It injects shellcode into the WININIT.EXE process, has a lightweight TOR network client, disables SMBv1, spreads through SSH and EternalBlue, and uses a TOR-based command and control server.
For Windows persistence, it adapts its tactics based on privileges and PowerShell presence, creating hidden files or modifying system settings.
On Linux, it goes by the name sd-pam and achieves persistence through systemd services, .desktop files, or by modifying various profile and startup files.
The Mystic Stealer info stealer emerged in early 2023; it is known for targeting web browsers, cryptocurrency wallets, and Steam game credentials, among other files on an infected system.
The malware is constantly being developed to include improved obfuscation techniques and communication methods.
In a recent change, a shift from a custom binary TCP-based protocol to an HTTP-based one was seen, likely to bypass network restrictions in corporate environments.
Behavior and obfuscation methods were also changed: command and control (C2) communications are decrypted only after a specific date check, and a custom XTEA-based algorithm is then used to decode an embedded HTTP C2 list.
Once compromised, infected systems are registered with the C2 server, and targeted data is collected, including system information, browser data, browser extensions, and browser-based database files that are parsed via a downloaded sqlite3.dll.
Additionally, cookies, certificates, keys, and browsing history are collected from Firefox and Chromium-based browsers, along with screen captures and cryptocurrency wallets.
Data is then Base64 encoded, and an HTTP POST request is used for data exfiltration.
Loader functionality allows the malware to request second-stage executables, which are received Base64 encoded and executed on the infected system.
Security firm Kaspersky has identified the malware used in a series of attacks carried out by the group known as Lazarus, which has previously targeted high-profile companies and the cryptocurrency industry.
The Russian APT28 hacking group, also known as Strontium or Fancy Bear, has been actively targeting various entities in France since the second half of 2021.
APT28, associated with Russia's military intelligence service GRU, has been linked to exploiting security vulnerabilities including CVE-2023-38831 in WinRAR and CVE-2023-23397 in Microsoft Outlook.
Instead of traditional backdoors, these hackers have compromised peripheral devices on critical French organization networks to evade detection.
They employ techniques such as brute-forcing and using leaked credentials to breach accounts and Ubiquiti routers.
In a recent case from April 2023, APT28 utilized a phishing campaign to trick victims into running PowerShell scripts that revealed system configurations and running processes.
They've also exploited other vulnerabilities, including CVE-2022-30190, CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026.
Their initial attack tools include Mimikatz and the reGeorg traffic relaying tool, as well as the Mockbin and Mocky open-source services.
APT28 uses a variety of VPN clients, including SurfShark, ExpressVPN, ProtonVPN, and others.
Data access and exfiltration are central to APT28's goals: they retrieve authentication information, steal sensitive emails, and use CVE-2023-23397 to trigger an SMB connection for NetNTLMv2 authentication hash retrieval.
They operate command and control servers using legitimate cloud services like Microsoft OneDrive and Google Drive to avoid detection.
APT28 also employs the CredoMap implant to target information in victims' web browsers, such as authentication cookies, and uses Mockbin and the Pipedream service for data exfiltration.
Check Point Research (CPR) and the Check Point Incident Response Team (CPIRT) encountered a previously unnamed ransomware strain, dubbed Rorschach, deployed against a US-based company.
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain.
In addition, it does not bear any kind of branding, which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually performed manually during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO).
In the past, similar functionality was linked to LockBit 2.0.
The ransomware is highly customizable and contains technically unique features, such as the use of direct syscalls, rarely observed in ransomware.
Moreover, due to different implementation methods, Rorschach is one of the fastest ransomware strains observed in terms of encryption speed.
The ransomware was deployed using DLL side-loading of a Cortex XDR Dump Service Tool, a signed commercial security product, a loading method that is not commonly used to load ransomware.
The vulnerability was properly reported to Palo Alto Networks.
Given the prevalence of sideloading techniques in malware campaigns, it's vital to understand their mechanisms to defend against them effectively.
The case of QuasarRAT provides an insightful example.
ESET Research discovered campaigns by the Winter Vivern APT group that exploit a zero-day XSS vulnerability in the Roundcube Webmail server and target governmental entities and a think tank in Europe.
CVE-2023-38831 Exploited by Pro-Russia Hacking Groups in RU-UA Conflict Zone for Credential Harvesting Operations
Cluster25 observed and analyzed several phishing-based attacks linked to a Russia-nexus nation-state threat actor.
The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting WinRAR compression software versions prior to 6.23, tracked as CVE-2023-38831.
Recently, Antian CERT has captured a number of active WatchDog samples.
The organization mainly uses exposed Docker Engine API endpoints and Redis servers to launch attacks.
The WatchDog cryptojacking group was first discovered in January 2019 and is still active.
Internet-exposed, unpatched WS_FTP servers are being targeted in ransomware attacks due to a severe vulnerability (CVE-2023-40044) in the Ad Hoc Transfer Module, which allows remote execution of commands through unauthenticated HTTP requests.
The Reichsadler Cybercrime Group, in a recent incident, attempted to deploy ransomware using a stolen LockBit 3.0 builder, but their attempt was foiled.
They also tried privilege escalation with the GodPotato tool.
Progress Software released security updates on September 27 to address the critical WS_FTP Server vulnerability, advising administrators to update their vulnerable instances.
In early 2023, the Iranian Crambus espionage group, also known as OilRig, MuddyWater, and APT34, conducted an extensive eight-month-long cyber intrusion against a Middle Eastern government.
They stole files and passwords and, on one occasion, installed a PowerShell backdoor to monitor and control an Exchange Server's incoming emails, covertly forwarding the results to their own servers.
This malicious activity was detected on multiple computers, and there's evidence that the attackers deployed backdoors and keyloggers on numerous other systems.
In their efforts, the attackers utilized the publicly available network administration tool Plink to configure port-forwarding rules, enabling remote access through the Remote Desktop Protocol (RDP).
They also manipulated Windows firewall rules to facilitate remote access.
Their toolkit included various malware, such as the Tokel backdoor for executing PowerShell commands and downloading files, the Dirps trojan for file enumeration and executing PowerShell commands, and Clipog for stealing clipboard data, logging keystrokes, and monitoring keystroke entry processes.
Additionally, they employed the PowerExchange backdoor for accessing Exchange Servers with hardcoded credentials and monitoring emails, used Mimikatz to extract credentials, and utilized Plink to establish SSH tunnels to command-and-control servers.
Expanding its research scope, Kaspersky investigated and discovered additional new active actor campaigns with full infection chains, including an implant designed to work within air-gapped networks over USB sticks, as well as a Linux MATA backdoor.
A threat actor targeted Italian-speaking users using a Tor Browser phishing website.
They distributed an obfuscated .NET binary, protected with SmartAssembly, which acted as a dropper.
This dropper installed both a legitimate Tor installer and a malicious payload named “Pure Clipper.” The threat actor used “PureCrypter” as a loader and crypter for the Clipper payload, and it employed a fileless malware technique by storing its binary data in the Windows Registry, enhancing its stealth and persistence.
To ensure continuous operation in the background, the malware created a Task Scheduler entry running a Base64-encoded PowerShell script to retrieve and execute the binary data from the Registry.
The Clipper payload interacted with a command-and-control server when a user copied or pasted a cryptocurrency address.
It replaced the address with the attacker's address, captured a screenshot, and sent the stolen data to the threat actor's Discord webhook for exfiltration.
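As an added defender-side illustration (not code from the original post or from the Pure Clipper analysis), the following Python audits exported Scheduled Task XML for the persistence pattern described above: a PowerShell action whose Base64-encoded command reads a blob from the Registry, decodes it, and loads it in memory. The task XML, the registry path and the stager fragment are constructed samples.

```python
"""Audit exported Windows Scheduled Task XML for Base64-encoded PowerShell
actions that stage a payload out of the Registry. Detection logic only;
the task documents and scripts below are constructed samples."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by Task Scheduler XML exports (schtasks /query /xml, Export-ScheduledTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Common spellings of PowerShell's encoded-command switch (-e, -ec, -en, -enc,
# -encodedcommand) followed by the Base64 token.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]+)")

# Indicators that the decoded script pulls a blob from the Registry and runs it in memory.
INDICATORS = {
    "registry_read": re.compile(r"(?i)Get-ItemProperty(?:Value)?|HKCU:|HKLM:|Registry::"),
    "base64_decode": re.compile(r"(?i)\[Convert\]::FromBase64String"),
    "in_memory_load": re.compile(r"(?i)\[(?:System\.)?Reflection\.Assembly\]::Load|Invoke-Expression|\bIEX\b"),
}


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Return the decoded script if the argument string carries an encoded command, else None."""
    match = ENC_SWITCH.search(arguments)
    if not match:
        return None
    try:
        # PowerShell expects the encoded command as Base64 over UTF-16LE text.
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_task_xml(xml_text: str) -> list:
    """Return one finding per PowerShell Exec action whose decoded script matches indicators."""
    root = ET.fromstring(xml_text)
    findings = []
    for exec_node in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        if not any(name in command.lower() for name in ("powershell", "pwsh")):
            continue
        script = decode_encoded_command(arguments)
        if script is None:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
        if hits:
            findings.append({"command": command, "indicators": hits, "script": script})
    return findings


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_task_xml(command: str, arguments: str) -> str:
    """Build a minimal Task Scheduler XML document (constructed sample, not a real export)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed stager fragment: reads a Base64 blob from a hypothetical registry key and loads it.
STAGER_SCRIPT = (
    "$d=(Get-ItemProperty -Path HKCU:\\Software\\ExampleVendor).Blob;"
    "$b=[Convert]::FromBase64String($d);"
    "[Reflection.Assembly]::Load($b)"
)

SAMPLE_TASKS = {
    "suspicious": build_task_xml("powershell.exe", "-NoP -W Hidden -enc " + encode_command(STAGER_SCRIPT)),
    "benign": build_task_xml("powershell.exe", "-NoProfile -File C:\\Scripts\\backup.ps1"),
}


def audit_samples() -> dict:
    """Run the audit over the constructed samples, keyed by sample name."""
    return {name: audit_task_xml(xml) for name, xml in SAMPLE_TASKS.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        for f in findings:
            print(f"[{name}] {f['command']} -> {', '.join(f['indicators'])}\n    {f['script']}")
```

On a live host the same functions can be fed the output of `schtasks /query /xml` for each task; a task that decodes to all three indicators is worth an immediate look.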
Researchers observed multiple attempts by an unknown actor to exploit vulnerabilities in outdated, unsupported versions of Adobe's ColdFusion Server software.
The aim was to gain access to Windows servers running this software and then deploy ransomware.
Although these attacks were unsuccessful, they provided valuable telemetry, enabling researchers to attribute them to a single actor or group and retrieve the payload they were attempting to use.
The retrieved files revealed an attempt to deploy ransomware created using leaked source code from the LockBit 3.0 ransomware family.
This new ransomware variant is associated with a group or individual called “BlackDog 2023” and appears to be a distinct ransomware family with potential ties to the leaked LockBit 3.0 source code.
This connection is evident when examining properties of the static executable file and similarities in the unpacked code in memory, which triggers the same in-memory protection (Mem/Lockbit-B) as the source code.
A long-running Iranian espionage group staged an eight-month cyber attack against a government in the Middle East, according to a report from security firm Symantec, which assessed the extent of the attack.
The Kimsuky threat group employs a range of tactics to compromise and control infected systems.
They often use open-source malware like xRAT and their own custom malware, alongside legitimate tools, to establish backdoors and steal sensitive information.
Remote Desktop Protocol (RDP) is their preferred method of remote control, and if it is not available they use RDP Wrapper.
They've recently used spear phishing attacks to deploy BabyShark and various RDP-related malware.
Additionally, a new malware called “RevClient” has been discovered, which allows the threat actor to add user accounts and enable port forwarding based on commands received from the command-and-control server.
Cado Security Labs researchers have discovered a new cryptojacking campaign targeting exposed Jupyter Notebooks.
The malware includes relatively sophisticated command and control (C2) infrastructure, with the controller using Discord's bot functionality to issue commands on compromised nodes and monitor the progress of the campaign.
After successful compromise, Qubitstrike hunts for a number of hardcoded credential files for popular cloud services (including AWS and Google Cloud) and exfiltrates these via the Telegram Bot API.
Cado researchers were alerted to the use of one such credential file, demonstrating the attacker's intent to pivot to cloud resources after using Qubitstrike to retrieve the appropriate credentials.
The payloads for the Qubitstrike campaign are all hosted on codeberg[.]org, an alternative Git hosting platform providing much of the same functionality as GitHub.
This is the first time Cado researchers have encountered this platform in an active malware campaign.
Akira is a relatively new ransomware variant, with Windows and Linux versions, that came out in April 2023.
Like many attackers, the gang behind this variant only uses the ransomware to encrypt files after first breaking into a network and stealing data.
This group also employs a double extortion tactic, demanding a ransom from victims in exchange for file decryption and for not leaking stolen information to the public.
Threat Actor Leverages WinRAR Vulnerability To Deploy Mythic Athena Agent To Russian Semi-Conductor Suppliers
An unidentified threat actor exploited a WinRAR vulnerability (CVE-2023-38831) to target Russian semiconductor suppliers and dropped the Mythic C2 Framework Athena agent.
Access to the systems was gained through a spear-phishing attachment that contained a PDF file and CMD script file.
A malicious script was executed that included a Base64-encoded PowerShell script, which fetched the agent and saved it on the compromised system.
The malware subsequently gathered sensitive information by executing pre-defined commands and exfiltrated the data to adversarial command and control (C2) servers.
The cyber group known as Sticky Werewolf has been conducting a series of attacks on public organizations in Russia and Belarus since April 2023, using the NetWire RAT.
To enhance the effectiveness of their malware, they employ protectors like Themida, making analysis difficult.
They initially access target systems through phishing emails containing links to malicious downloads generated with the help of IP Logger.
This tool not only created the phishing links but also gathered information about victims, such as timestamp, IP address, location, browser, and operating system versions.
This data allowed the group to profile potentially compromised systems and select significant ones, avoiding sandboxes and unrelated countries.
Additionally, IP Logger enabled the use of their own domain names to make the phishing links appear more authentic.
These links led to malicious files disguised as Microsoft Word or PDF documents which, when opened, installed the NetWire RAT.
ANY.RUN analyzed the info stealer malware Snake Keylogger.
Written in the .NET programming language, it is a type of malicious software designed to covertly record a user's keystrokes on a compromised computer or device.
Snake Keylogger steals various information from the victim, such as saved credentials, clipboard data, keystrokes, and screenshots of the victim's screen.
Snake Keylogger is typically delivered through phishing emails, which are crafted to appear legitimate and often contain malicious attachments or links.
Once activated, the keylogger runs in the background, capturing all keystrokes made by the user, including login credentials, credit card information, and other sensitive data.
The malware also checks and collects system information, which includes the system's hostname, username, IP address, geolocation, date and time, and more.
It then exfiltrates the collected information through protocols such as FTP, SMTP, and Telegram.
The captured information is sent to a remote server controlled by the attacker, who can use it for various malicious purposes, such as identity theft or unauthorized access to accounts.
Snake Keylogger poses a significant threat to individuals and organizations, making it crucial to maintain strong cybersecurity practices to prevent infection and to promptly detect and remove such threats.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023.
AvosLocker operates under a ransomware-as-a-service (RaaS) model.
AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments.
AvosLocker affiliates compromise organizations' networks by using legitimate software and open-source remote system administration tools.
AvosLocker affiliates then use exfiltration-based data extortion tactics, with threats of leaking and/or publishing stolen data.
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits.
Thirteen payloads were included in this variant, targeting D-Link devices, Netis wireless routers, Sunhillo SureLine, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
In September 2023, X-Force uncovered a campaign in which attackers exploited the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways, inserting a malicious script into the HTML content of the authentication web page to capture user credentials.
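An added defender-side example (not code from X-Force's report): this Python inventories the <script> elements of a gateway login page and diffs them against a known-good baseline, which is how an unexpected script inserted into the authentication page's HTML would surface. The page fragments, the `/vpn/js/login.js` path and the `static.example.invalid` host are constructed samples; in practice the baseline comes from a known-clean build and the observed page from the live appliance.

```python
"""Login-page integrity check: inventory <script> elements on an HTML page and
compare them with a known-good baseline so an injected script stands out.
Added defensive example; the page fragments below are constructed samples."""
import hashlib
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collect external script URLs, inline-script digests and inline event handlers."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # sha256 of each inline <script> body
        self.handlers = []   # "tag@onattr" for inline event-handler attributes
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in attrs:
            if name.lower().startswith("on"):
                self.handlers.append(f"{tag}@{name.lower()}")
        if tag.lower() != "script":
            return
        if attrs.get("src"):
            self.external.append(attrs["src"])
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            self.inline.append(hashlib.sha256(body.encode("utf-8")).hexdigest())


def inventory(html: str) -> dict:
    """Return a sorted, de-duplicated inventory of script-bearing elements."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return {
        "external": sorted(set(parser.external)),
        "inline": sorted(set(parser.inline)),
        "handlers": sorted(set(parser.handlers)),
    }


def diff_against_baseline(baseline: dict, observed: dict) -> dict:
    """Return the script elements present in the observed page but absent from the baseline."""
    return {key: sorted(set(observed[key]) - set(baseline[key])) for key in baseline}


# Constructed known-good login page (stands in for a gateway's authentication page).
BASELINE_PAGE = """<html><head><title>Gateway Login</title>
<script src="/vpn/js/login.js"></script>
<script>document.getElementById('user').focus();</script>
</head><body><form id="login" method="post"><input id="user"><input id="pass" type="password"></form>
</body></html>"""

# Constructed injected elements: one inline script and one external script from an unexpected host.
INJECTED_INLINE = "window.__probe = 1; /* constructed placeholder for an injected script */"
INJECTED_EXTERNAL = "https://static.example.invalid/hook.js"
OBSERVED_PAGE = BASELINE_PAGE.replace(
    "</head>",
    f'<script>{INJECTED_INLINE}</script><script src="{INJECTED_EXTERNAL}"></script></head>',
)


def check_observed_page() -> dict:
    """Diff the constructed observed page against the constructed baseline."""
    return diff_against_baseline(inventory(BASELINE_PAGE), inventory(OBSERVED_PAGE))


if __name__ == "__main__":
    for key, added in check_observed_page().items():
        print(f"{key}: {added}")
```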
Since early 2023, a notable increase in email-based cybercrime activity suspected to originate from China has been observed.
This activity involves the distribution of malware including the Sainbox Remote Access Trojan (RAT), a variant of Gh0stRAT, and a newly discovered malware called ValleyRAT.
The term “Chinese-themed” is used to describe content related to this malicious activity, including lures, malware, targeting, and metadata that contains Chinese language elements.
These campaigns are relatively low-volume and typically target global organizations with operations in China.
The emails are written in Chinese and revolve around business-related themes such as invoices, payments, and new products.
Targeted individuals often have Chinese-language names or company email addresses related to China.
There was one instance of a campaign targeting Japanese organizations, indicating a potential expansion of activity.
These recent activity clusters use flexible delivery methods, employing both simple and moderately complex techniques.
Email messages often contain URLs linking to compressed executables responsible for installing the malware.
Researchers also observed instances where Sainbox RAT and ValleyRAT are delivered through Excel and PDF attachments containing URLs to compressed executables.
The emergence and resurgence of Chinese-themed malware in 2023 represent a new trend in the threat landscape.
This combination of historical malware like Sainbox and the newly uncovered ValleyRAT may challenge the dominance of the Russian-speaking cybercrime market.
However, at present, Chinese-themed malware primarily targets Chinese-speaking users, although there is ongoing monitoring for signs of expanded adoption in other languages.
NoEscape ransomware, which is believed to be a rebrand of Avaddon, is targeting enterprises in double-extortion attacks.
RedLine Stealer was first discovered in March 2020 and is one of the most popular stealer malware families.
It is designed to steal sensitive information from compromised systems.
It is sold by cybercriminals on underground forums as MaaS (malware-as-a-service).
Threat actors are leveraging RedLine Stealer due to its availability and flexibility.
This malware is capable of harvesting information from web browsers, such as saved credentials and payment card details.
It also searches the system for information including the username, hardware configuration, installed general and security software, installed VPN clients, network configurations, and cryptocurrency-related data, and sends the stolen information to the adversary.
Researchers have uncovered a cluster of malicious activity focused on companies in the energy sector.
This activity involved spear phishing emails and domain typosquatting, primarily targeting energy companies and their Liquefied Natural Gas (LNG) branches, along with generic domains related to the LNG industry.
The objective of these campaigns was to deploy GuLoader implants followed by Agent Tesla implants.
GuLoader is a loader used to avoid detection and analysis by employing various techniques, including checking the execution environment and encrypting the payload it injects into infected systems.
The actor using GuLoader must provide a URL for the software they want to protect and load onto the system; the payload must be encrypted and can be hosted on legitimate services like Google Drive or other domains.
GuLoader can be delivered in different file formats, such as VBS scripts or NSIS installers.
ReversingLabs researchers have identified a new malicious supply chain attack affecting the npm platform.
The typosquatting campaign first appeared in August and pushed a malicious package, node-hide-console-windows, which downloaded a Discord bot that facilitated the planting of the open source rootkit r77.
As long as cybercriminals want to make money, they'll keep making malware, and as long as they keep making malware, we'll keep analyzing it, publishing reports, and providing protection.
Last month we covered a wide range of cybercrime topics.
For example, we published a private report on a new malware found on underground forums that we call ASMCrypt (related to the DoubleFinger loader).
But there's more going on in the cybercrime landscape, so we also published reports on new versions of the Lumma stealer and Zanubis Android banking trojan.
This blog post contains excerpts from those reports.
Cyberespionage Events Targeting Southeast Asian Government Linked To Stately Taurus aka Mustang Panda
From mid-2021 to late 2023, the advanced persistent threat (APT) group Stately Taurus (aka Mustang Panda) targeted a Southeast Asian government, affecting multiple sectors from healthcare to financial administration.
This suspected Chinese-affiliated cyberespionage group executed intrusions, exfiltrating sensitive data and securing long-term persistent access using unique tools like ToneShell.
During their extensive intrusions, the group conducted detailed reconnaissance using tools like LadonGo and Impacket, and used commodity credential-stealing malware like Mimikatz.
Additionally, an undocumented variant of the ToneShell backdoor was identified, and techniques were used to evade detection by manipulating security software present in the environment.
BunnyLoader is a new MaaS threat, continuously evolving its tactics and adding new features to carry out successful campaigns against its targets.
BunnyLoader features rapid iterations, anti-sandbox tactics, second-stage payload execution, keylogging, stealing capabilities, and remote execution.
Proofpoint identified a new malware called ZenRAT being distributed via fake installation packages of the password manager Bitwarden.
The Budworm advanced persistent threat (APT) group, also known as LuckyMouse, Emissary Panda, and APT27, has recently been discovered using an updated version of its SysUpdate backdoor to target a Middle Eastern telecommunications organization and an Asian government in August 2023.
SysUpdate is a unique tool exclusively used by Budworm.
In these attacks, the group employed various living-off-the-land and publicly available tools, primarily focusing on credential harvesting, suggesting that the attacks might have been halted in their early stages.
Budworm's technique involves executing SysUpdate on victim networks by DLL sideloading through the legitimate INISafeWebSSO application.
This method has been used by the group since at least 2018 and can help them avoid detection by exploiting the DLL search order mechanism in Windows.
SysUpdate is a versatile backdoor with multiple functionalities, including managing services, taking screenshots, handling files, browsing directories, and executing commands.
Budworm has developed both Windows and Linux versions of SysUpdate to enhance its capabilities and evade detection.
In addition to SysUpdate, Budworm utilized various legitimate or publicly available tools like AdFind, Curl, SecretsDump, and PasswordDumper for network mapping and credential extraction in this campaign.
A warning has been issued regarding the proliferation of malicious plugins targeting the Openfire messaging server.
Over 3,000 servers globally running Openfire software have fallen victim to a vulnerability allowing hackers to compromise them, turning them into botnet nodes.
An investigation revealed that this was due to the CVE-2023-32315 vulnerability in Openfire software.
The exploit allowed unauthorized access to Openfire's administrative interface, where attackers created an admin account and then installed a malicious plugin which enabled the execution of arbitrary code, ultimately deploying the encryption trojan.
A trojan called Kinsing was used for crypto mining.
Another trojan, Tsunami, allowed unauthorized access with a randomly generated admin account.
Attackers also used a malicious Openfire plugin to gather information about the compromised server, including network connections, IP addresses, users, and the system's kernel version.
All these malicious plugins were JSP.BackDoor.8 backdoors written in Java, enabling various commands via GET and POST requests.
The Openfire vulnerability has been addressed in versions 4.6.8 and 4.7.5, and users are advised to update.
If updating is not possible, security measures like restricting network access, modifying Openfire settings, or using the AuthFilterSanitizer plugin are recommended.
New Ransomware attack on IFX Colombia
That is all for now!
Stay cyber safe and see you next month!