The cyber threat landscape in April 2022 was dominated by attacks from pro-Russian threat actors on strategic targets and from anti-Russian threat actors targeting Russian assets as part of hybrid war activities. We also saw threat actors stepping up their game in April 2022 by modifying their malware to avoid detection and maximize the impact.
Threat actors released a new version of SolarMarker (aka Jupyter or Polazert) that introduces new techniques for persisting on compromised systems. SolarMarker is a backdoor and information-stealing malware family known for using search engine optimization (SEO) manipulation to convince users to download malicious documents. Besides exfiltrating auto-fill data, saved passwords, and saved credit card information from victims' web browsers, SolarMarker also supports file transfer and execution of commands received from a C2 server.
- The infection starts with an EXE file, a .NET-compiled dropper larger than 250 MB, a size at which automated sandboxes and AV engines typically skip inspection.
- Once dropped, the file runs the installer of a legitimate program to avoid raising suspicion.
- The malware also runs a PowerShell loader in a new thread to load and execute the SolarMarker backdoor payload.
- After a reboot, the encrypted payload is loaded directly into the PowerShell process by a .lnk file placed in the Startup folder.
- The SolarMarker backdoor, a .NET C2 client, communicates with the C2 server over HTTP, with the traffic encrypted at the application layer.
- The data is protected with RSA combined with AES symmetric encryption.
- The client then performs internal reconnaissance and collects and exfiltrates basic information about the victim machine over the existing C2 channel.
- A PowerShell script runs, and files are transferred to the victim's machine.
- An encoded PowerShell script runs again to deploy the final SolarMarker payload (a .NET infostealer), which is loaded into memory.
- The infostealer module then harvests login data, cookies, and auto-fill web data from web browsers by reading the files specific to each target browser.
- SolarMarker uses the Windows DPAPI function CryptUnprotectData to decrypt the stored credentials.
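The three pieces of this chain that leave the clearest host footprint are the oversized dropper, the encoded PowerShell loader, and the .lnk in the Startup folder. The following Python is an added example written for this summary, not Cymulate's code or anything from the malware. It runs those three rules over a constructed list of Sysmon-style events; the event field names, the sample loader script, and the file names are assumptions made for the example.

```python
"""Hunt for the SolarMarker-style persistence chain summarized above.

Added example, not code from Cymulate or from the malware. It runs three
rules over a constructed list of Sysmon-like events: an oversized binary
executed from a user-writable path, a .lnk written to a Startup folder,
and a powershell.exe launch whose -EncodedCommand decodes to an in-memory
loader. The event field names and the sample loader script are assumptions.
"""
import base64
import binascii
import re

MB = 1024 * 1024
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\StartUp\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:Downloads|AppData)|Windows\\Temp)\\", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_CMD_RE = re.compile(
    r"(?<!\S)-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Strings that indicate the decoded script loads code into the PowerShell process
LOADER_MARKERS = ("reflection.assembly", "frombase64string", "invoke-expression", "iex ")


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_CMD_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hunt(events):
    """Apply the rules to Sysmon-like events; return (rule, detail) findings."""
    findings = []
    for ev in events:
        if ev["event"] == "ProcessCreate":
            image = ev["image"]
            # Rule 1: a dropper far beyond the size sandboxes/AV engines will scan
            if ev.get("image_size", 0) >= 200 * MB and USER_WRITABLE_RE.search(image):
                findings.append(("oversized_dropper", image))
            # Rule 2: encoded PowerShell that decodes to a reflective loader
            if image.lower().endswith("\\powershell.exe"):
                script = decode_encoded_command(ev["command_line"])
                if script and any(mk in script.lower() for mk in LOADER_MARKERS):
                    findings.append(("encoded_ps_loader", script))
        elif ev["event"] == "FileCreate":
            # Rule 3: shortcut dropped into a Startup folder (runs at next logon)
            target = ev["target"]
            if target.lower().endswith(".lnk") and STARTUP_DIR_RE.search(target):
                findings.append(("startup_lnk", target))
    return findings


# Constructed stand-in for a reflective loader; not the real SolarMarker script.
SAMPLE_LOADER = ('$b=[IO.File]::ReadAllBytes("$env:APPDATA\\svc.dat");'
                 '[Reflection.Assembly]::Load($b)')
SAMPLE_ENCODED = base64.b64encode(SAMPLE_LOADER.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events: three malicious, two benign (noise)
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\alice\Downloads\PdfPrinterSetup.exe",
     "command_line": "PdfPrinterSetup.exe", "image_size": 263 * MB},
    {"event": "ProcessCreate", "image": PS, "image_size": 450 * 1024,
     "command_line": f"powershell.exe -w hidden -ep bypass -enc {SAMPLE_ENCODED}"},
    {"event": "FileCreate", "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                                      r"\Start Menu\Programs\Startup\PdfPrinter.lnk"},
    {"event": "ProcessCreate", "image": r"C:\Users\alice\Downloads\Setup.exe",
     "command_line": "Setup.exe", "image_size": 12 * MB},
    {"event": "ProcessCreate", "image": PS, "image_size": 450 * 1024,
     "command_line": "powershell.exe -enc "
                     + base64.b64encode("Get-Date".encode("utf-16-le")).decode()},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:20} {detail[:80]}")
```

The size threshold and the loader markers are deliberately coarse: the point is that the encoded command is decoded before matching, so the usual trick of hiding `[Reflection.Assembly]::Load` behind base64 does not help the attacker, while a benign encoded `Get-Date` produces no finding.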
In short, this SolarMarker version strengthened its defense evasion capabilities to stay undetected.
Another malware family that made its presence felt was the information-stealing MetaStealer, which harvests login information, credit card details, and other sensitive data. Sold on the TwoEasy botnet marketplace, it has become a favorite among threat actors for stealing passwords saved in Firefox, Chrome, and Edge, as well as cryptocurrency wallets. To evade detection, the malware tampers with Windows Defender, using PowerShell to add an exclusion so that .exe files are no longer scanned.
The malware followed a familiar pattern:
- Malspam emails were sent to targeted victims.
- The malicious emails contained a macro-laced Excel spreadsheet as an attachment.
- The spreadsheet files used a DocuSign lure to dupe recipients into enabling content, which ran the malicious VBA macro in the background.
- The macro downloaded several payloads, including DLLs and executables, from multiple sites.
- Some of the downloaded files were base64-encoded to avoid detection.
- The final payload was deployed on the machine as qwveqwveqw[.]exe, a seemingly random file name.
- A registry key was added for persistence.
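Two of these steps are directly detectable from standard Windows logging: the Defender exclusion shows up in PowerShell script block logging (Event ID 4104), and the persistence entry shows up as a registry value write under a Run key. The following Python is an added example for this summary, not Cymulate's code or anything from MetaStealer. It parses script block text for Add-/Set-MpPreference calls that weaken Defender, pairs them with Run-key writes pointing at user-writable paths, and raises the severity when the persisted binary falls under an exclusion added on the same host. The event field names and the sample events are constructed; the qwveqwveqw file name is the one the page reports.

```python
"""Detect the MetaStealer-style Defender tampering and Run-key persistence
described above.

Added example, not Cymulate's or the malware's code. It parses PowerShell
script-block text (what Event ID 4104 records) for Add-/Set-MpPreference
calls that weaken Defender, pairs them with registry Run-key writes that
point at user-writable paths, and raises severity when the persisted
binary falls under an exclusion that was just added. Event field names and
the sample events are constructed for this example.
"""
import re

MP_CALL_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b(?P<args>[^\r\n;|]*)", re.IGNORECASE)
MP_PARAM_RE = re.compile(
    r"-(?P<param>Exclusion(?:Extension|Path|Process)|Disable\w+)\s+"
    r"(?P<arg>\"[^\"]*\"|'[^']*'|[^\s,;|]+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads)|Windows\\Temp)\\", re.IGNORECASE)


def parse_defender_tampering(script):
    """Return [(parameter, value)] for every Defender-weakening call in a script block."""
    hits = []
    for call in MP_CALL_RE.finditer(script):
        for p in MP_PARAM_RE.finditer(call.group("args")):
            hits.append((p.group("param"), p.group("arg").strip("\"'")))
    return hits


def run_value_binary(value):
    """The binary launched by a Run value: first token, quotes stripped."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split(" ", 1)[0]


def is_excluded_from_scanning(path, tampering):
    """True if an ExclusionExtension/ExclusionPath in `tampering` covers `path`."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    for param, value in tampering:
        param, value = param.lower(), value.lower()
        if param == "exclusionextension" and value.lstrip(".") == ext:
            return True
        if param == "exclusionpath" and path.lower().startswith(value.rstrip("\\") + "\\"):
            return True
    return False


def hunt(events):
    """Correlate per host; return (host, rule, detail) findings."""
    per_host = {}
    for ev in events:
        h = per_host.setdefault(ev["host"], {"tampering": [], "run_keys": []})
        if ev["event"] == "PowerShellScriptBlock":
            h["tampering"] += parse_defender_tampering(ev["script"])
        elif ev["event"] == "RegistryValueSet" and RUN_KEY_RE.search(ev["key"]):
            binary = run_value_binary(ev["value"])
            if USER_WRITABLE_RE.search(binary):
                h["run_keys"].append(binary)
    findings = []
    for host, h in per_host.items():
        for param, value in h["tampering"]:
            findings.append((host, "defender_tampering", f"{param}={value}"))
        for binary in h["run_keys"]:
            # Persistence alone is noisy (updaters live in AppData too); it becomes
            # high severity when the same host also excluded that binary from scanning.
            sev = "high" if is_excluded_from_scanning(binary, h["tampering"]) else "medium"
            findings.append((host, "run_key_persistence", f"{binary} ({sev})"))
    return findings


# Constructed events: WS-042 shows the MetaStealer pattern, WS-017 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS-042", "event": "PowerShellScriptBlock",
     "script": 'Add-MpPreference -ExclusionExtension ".exe"; '
               'Add-MpPreference -ExclusionPath "C:\\Users\\bob\\AppData\\Roaming"'},
    {"host": "WS-042", "event": "RegistryValueSet",
     "key": r"HKU\S-1-5-21-1004\Software\Microsoft\Windows\CurrentVersion\Run\qwveqwveqw",
     "value": r"C:\Users\bob\AppData\Roaming\qwveqwveqw.exe"},
    {"host": "WS-017", "event": "PowerShellScriptBlock",
     "script": "Get-MpPreference | Select-Object ExclusionExtension"},
    {"host": "WS-017", "event": "RegistryValueSet",
     "key": r"HKU\S-1-5-21-2001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:8} {rule:22} {detail}")
```

Note that `Get-MpPreference` on WS-017 is read-only and produces nothing, and the OneDrive Run entry is flagged only at medium severity. In production, a Run-key rule on its own needs an allowlist; the correlation with a fresh exclusion on the same host is what makes the MetaStealer case stand out.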
Malware is not only becoming more sophisticated; intrusions are also getting faster, as the Quantum ransomware case shows. The operators achieved domain-wide ransomware deployment within four hours of gaining initial access, which came via an IcedID payload delivered by email.
The threat actors gained access to the network when a user endpoint was compromised by an IcedID payload contained within an ISO image. Within two hours of the initial IcedID payload being executed, the threat actors were using Cobalt Strike and RDP to move across the network. They then used WMI and PsExec to deploy the Quantum ransomware, for a time-to-ransom (TTR) of under four hours.
Once the recipient opened the malicious email attachment, the IcedID payload executed, and the malware established persistence and began discovering information about the system with built-in Windows utilities. After deploying a Cobalt Strike beacon, the threat actors began to:
- Enumerate the victim's Active Directory structure with the AdFind enumeration tool
- Gather host and network information with nslookup
- Extract admin credentials from LSASS memory
- Utilize these credentials to RDP into a server
- Execute a PowerShell Cobalt Strike Beacon on that server and connect remotely to other servers in that environment
- Copy the ransomware binary to each host through the C$ administrative share
- Remotely execute the Quantum Locker ransomware binary via WMI or PsExec from the Domain Controller
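Every step in this chain leaves a distinct record in standard Windows and Sysmon telemetry, which means the TTR can be measured from logs rather than estimated after the fact. The following Python is an added example written for this summary, not Cymulate's code or tooling from the incident. It tags a constructed timeline of events with the stages listed above and computes the time from the initial-access event to the first remote execution of a binary that then appears on several hosts, so the ransomware does not have to be known by name. The event schema, the host names, and the file names are assumptions; in particular, the ISO delivery is modelled as rundll32 loading a DLL from a non-C: volume, which is an assumption about how a mounted ISO would appear in process telemetry.

```python
"""Reconstruct the Quantum-style intrusion chain above from host telemetry
and measure time-to-ransom (TTR).

Added example, not Cymulate's code or tooling from the incident. `actor`
is the parent process for process events and the source host for logon and
share-access events (an assumption about the event schema). The timeline
is constructed to follow the steps listed on the page.
"""
import re
from datetime import datetime

STAGE_RULES = [
    # DLL launched by explorer from a non-C: volume, i.e. a mounted ISO
    # (assumption about how the ISO delivery would appear in telemetry)
    ("initial_access", lambda e: e["event"] == "ProcessCreate"
        and e["actor"].lower() == "explorer.exe"
        and re.match(r"rundll32\.exe\s+(?!c:\\)[a-z]:\\", e["detail"], re.I)),
    ("discovery", lambda e: e["event"] == "ProcessCreate"
        and re.search(r"\b(?:adfind|nslookup)(?:\.exe)?\b", e["detail"], re.I)),
    # Sysmon Event 10 style: a process opening a handle to lsass.exe
    ("credential_access", lambda e: e["event"] == "ProcessAccess"
        and e["detail"].lower().endswith("\\lsass.exe")),
    # Security 4624 with LogonType 10 = RemoteInteractive (RDP)
    ("lateral_movement_rdp", lambda e: e["event"] == "Logon"
        and "logontype=10" in e["detail"].lower()),
    # Security 5145 style: a file written through the C$ admin share
    ("lateral_movement_admin_share", lambda e: e["event"] == "ShareAccess"
        and re.search(r"\\c\$", e["detail"], re.I)),
    # Child of the PsExec service or the WMI provider host = remote execution
    ("remote_exec", lambda e: e["event"] == "ProcessCreate"
        and e["actor"].lower() in ("psexesvc.exe", "wmiprvse.exe")),
]


def stage_of(event):
    for name, rule in STAGE_RULES:
        if rule(event):
            return name
    return None


def stages_seen(events):
    """Distinct stages in the order they first appear in the sorted timeline."""
    seen = []
    for e in sorted(events, key=lambda x: x["ts"]):
        st = stage_of(e)
        if st and st not in seen:
            seen.append(st)
    return seen


def time_to_ransom(events, min_hosts=2):
    """(binary, hours) from the initial-access event to the first remote execution
    of a binary that is then seen on >= min_hosts hosts, i.e. domain-wide
    deployment, without needing to know the ransomware's file name."""
    tagged = [(e, stage_of(e)) for e in sorted(events, key=lambda x: x["ts"])]
    start = next((e["ts"] for e, st in tagged if st == "initial_access"), None)
    if start is None:
        return None
    hosts, first_seen = {}, {}
    for e, st in tagged:
        if st != "remote_exec":
            continue
        binary = e["detail"].rsplit("\\", 1)[-1].lower()
        hosts.setdefault(binary, set()).add(e["host"])
        first_seen.setdefault(binary, e["ts"])
        if len(hosts[binary]) >= min_hosts:
            return binary, round((first_seen[binary] - start).total_seconds() / 3600, 2)
    return None


def ev(ts, host, event, actor, detail):
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "actor": actor, "detail": detail}


# Constructed timeline following the steps above; not the incident's telemetry.
SAMPLE_EVENTS = [
    ev("2022-04-11T09:02:00", "WS-07", "ProcessCreate", "explorer.exe",
       r"rundll32.exe E:\invoice.dll,DllRegisterServer"),
    ev("2022-04-11T09:05:00", "WS-07", "ProcessCreate", "rundll32.exe", "ipconfig /all"),
    ev("2022-04-11T10:45:00", "WS-07", "ProcessCreate", "cmd.exe",
       "AdFind.exe -f objectcategory=computer -csv"),
    ev("2022-04-11T10:47:00", "WS-07", "ProcessCreate", "cmd.exe", "nslookup DC01.corp.example"),
    ev("2022-04-11T10:58:00", "WS-07", "ProcessAccess", "powershell.exe",
       r"C:\Windows\System32\lsass.exe"),
    ev("2022-04-11T11:12:00", "DC01", "Logon", "WS-07", r"LogonType=10 User=CORP\svc_backup"),
    ev("2022-04-11T12:20:00", "FS01", "ShareAccess", "DC01", r"\\*\C$ RelativeTargetName=locker.exe"),
    ev("2022-04-11T12:21:00", "APP02", "ShareAccess", "DC01", r"\\*\C$ RelativeTargetName=locker.exe"),
    ev("2022-04-11T12:40:00", "FS01", "ProcessCreate", "PSEXESVC.exe", r"C:\locker.exe"),
    ev("2022-04-11T12:41:00", "APP02", "ProcessCreate", "WmiPrvSE.exe", r"C:\locker.exe"),
]

if __name__ == "__main__":
    print(" -> ".join(stages_seen(SAMPLE_EVENTS)))
    print("time to ransom:", time_to_ransom(SAMPLE_EVENTS))
```

Two design points worth noting. The "impact" stage is inferred from the same binary being launched by PSEXESVC or WmiPrvSE on multiple hosts, which is what domain-wide deployment looks like regardless of the ransomware family. And the clock starts at the initial-access event rather than at the first alert, which is the only way the measured TTR is comparable to the four-hour figure above.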
TA410 + FlowingFrog, LookingFrog, and JollyFrog
On a closing note, threat actors, not just their malware, are getting more sophisticated. Researchers found that the notorious threat group TA410, known for its sophisticated FlowCloud RAT and its cyberespionage attacks against U.S. utilities, actually consists of three subgroups operating globally, each with its own toolset and targets. TA410 is loosely linked to APT10, another notorious threat group tied to China's Ministry of State Security. The three subgroups are dubbed FlowingFrog, LookingFrog, and JollyFrog.
FlowingFrog uses the Tendyron downloader with FlowCloud as a second stage and targets specific organizations, such as universities, the foreign diplomatic mission of a South Asian country in China, and a mining company in India. LookingFrog uses the X4 and LookBack malware families and typically targets diplomatic missions, charity organizations, and entities in government and industrial manufacturing. JollyFrog uses generic, off-the-shelf malware from the known QuasarRAT and Korplug (aka PlugX) families and targets organizations in education, religion, the military, and diplomatic missions.
To find out whether your organization is protected against the latest malware attacks, run Cymulate's Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it suggests mitigations if it turns out that you are vulnerable. IOCs are also available in the Cymulate UI.