Cymulate’s Cyber Threat Breakdown December 2022

December has been a busy month for cyber attackers. Here is a navigable summary of their main activity.

Contents

The Newcomers

UNC4191

Ducklogs MAAS

New attack pathing targeting exposed remote desktop protocol to deploy ransomware

Black Magic

RISEPRO

The Comebacks

Cuba Ransomware.

Wannaren, aka life ransomware

Redigo backdoor malware

TRIGONA

APT37

Custom python backdoor for vmware esxi server

Polonium

AZOV Ransomware.

Raspberry Robin Malware.

The Oldies

Chaos rat added to Linux cryptocurrency mining attacks

DROKBK Malware

NITOL DDOS And Amadey

Royal Ransomware

Dark Tortilla

Doorme and Siestagraph Backdoors

FIN7

The Newcomers

UNC4191

China-linked UNC4191 cyberespionage group launched a campaign focusing on the Philippines that also affected Southeast Asia and overflowed into the US and Europe. The campaign instrumentalizes USB devices as both an initial infection vector and a propagation vector. It leverages legitimately signed binaries to side-load malware, including three new families:

• MISTCLOAK: a launcher disguising itself as a DLL
• DARKDEW: the payload that can be executed directly from a removable drive or by the hard drive
• BLUEHAZE the malware component that creates a registry key for persistence and a hard-coded C2 reverse shell that provides backdoor access to the threat actor.

The malware can auto-replicate into other systems by infecting removable drives plugged into an already compromised system, potentially leading to data collection from air-gapped systems.

Ducklogs MAAS

DuckLogs Malware-as-a-Service (MaaS) offered on cybercrime forums features a range of capabilities, including remotely accessing infected devices, capturing keystrokes, taking screenshots, and exfiltrating stolen data to command-and-control servers. In addition, the malware includes a web panel that allows attackers to build malicious binaries, monitor infected devices, and download stolen data.

To establish persistence, the malware copies itself into the Startup folder and bypasses User Access Control (UAC) to gain elevated privileges on the infected system.

New attack pathing targeting exposed remote desktop protocol to deploy ransomware

Unidentified threat actors use new variants from ransomware families, including Redeemer, NYX, Vohu, Amelia, BlackHunt, and MedusaLocker, to target open Remote Desktop Protocol (RDP) ports to deploy ransomware.

Black Magic

Self-named BlackMagic, this new ransomware group exfiltrates data before encrypting them. It appears to be of Iranian origin and targets Israel particularly. The absence of a ransom payment option indicates that Black Magic’s actions might be politically motivated.

BlackMagic ransomware utilizes a 64-bit dynamic link library (DLL) file that contains a single function responsible for executing all of the main functionality of the ransomware. Upon execution, the function employs the “sleep()” function multiple times to evade sandbox detection. It also utilizes the “taskill” command to terminate specific processes and adds a registry key to disable the task manager.

The function also retrieves the IP address of the victim machine using the “ipconfig” utility. Once the victim’s files are encrypted and the ransom note dropped, the function creates a batch file named “next.bat” and carries out various actions, including deleting traces, terminating certain processes, and restarting the system while also deleting itself.

RISEPRO

“RisePro” is a malicious software known as a “stealer,” that has been used to steal login credentials and other personal information. It was first offered for sale on the Russian Market, an illegal online marketplace, on December 13, 2022. Its presence in that market shows its increasing popularity among cybercriminals.

There is evidence that “RisePro” has been distributed by a pay-per-install service called “PrivateLoader.” Pay-per-install services distribute malware in exchange for payment. The fact that “RisePro” is offered through such a service indicates that the creators of the stealer believe it is effective at stealing information.

“RisePro” is written in the C++ programming language and appears to be based on another stealer called “Vidar.” It has similar capabilities to this malware, including stealing login credentials and other personal information.

Several sets of stolen login credentials have been advertised for sale on the Russian Market and are believed to have been taken by “RisePro.” It is not clear how many people have been affected by this stealer.

The Comebacks

Cuba Ransomware

Since December 2021 FBI flash alert, the Cuba ransomware has garnered more attention from CISA, with two advisory updates in August 2022 and another two this December with an updated list of IoCs.

Wannaren, aka life ransomware

Reemerged in 2022 as Life ransomware, Wannaren new variant switched from using a PowerShell downloader to using a batch file to download and execute WINWORD.exe and threatened to publish stolen data if no contact was made with the threat actor within a week.

Redigo backdoor malware

Initially uncovered last February, and written in Go, the Redigo backdoor now also targets Redis servers unpatched CVE-2022-0543 vulnerable to a Lua scripting engine defect.

Redigo allows the remote attacker to execute arbitrary commands, attempting to hide communication by sending data from the malware to command-and-control servers over Redis port 6379.

TRIGONA

Trigona is a ransomware that infects a computer and encrypts its files, adding the “.locked” extension to the filenames. For example, a file named “1.jpg” would be renamed to “1.jpg._locked” after being encrypted by Trigona. The ransomware also drops a ransom note on the infected computer, specifically  a file called “how_to_decrypt.hta” that contains instructions for paying the ransom to decrypt the encrypted files.

APT37

Active since 2012 at least, the North-Korean state-sponsored cyberespionage group APT37, AKA ScarCruft,  InkySquid, Reaper, and Ricochet Chollima, was spotted this December exploiting an Explorer Zero Day exploit, instrumentalizing the Seoul Halloween crowd crush catastrophe to trick users into downloading malware.

The initial infection vector consisted of malicious Microsoft Office documents and a rich text file (RTF) remote template. Successful exploitation requires the victim to disable the protected view before downloading the remote RTF template.

Custom python backdoor for vmware esxi server

Juniper Threat Labs has discovered a backdoor on a VMware ESXi virtualization server. The server was likely hacked through one of two vulnerabilities in the ESXi’s OpenSLP service that in-the-wild attacks have targeted since 2019: CVE-2019-5544 and CVE-2020-3992. Unfortunately, the analysts investigating the compromise could not determine which of these vulnerabilities was exploited due to limited log retention on the host. The implanted backdoor is notable for its simplicity, persistence, and capabilities, and had not been documented publicly until now.

The ESXi virtualization platform runs a lightweight UNIX-like host operating system and can run multiple virtual machines simultaneously. While the virtual disk images for these VMs are stored on the ESXi’s physical disks, the system files for the host OS are stored in RAM and discarded upon a reboot. Only a few specific system files are automatically backed up and restored upon a reboot.

Polonium

Polonium is a cyber threat group based in Lebanon that focuses on attacking Israeli companies. It was first identified in 2022 by analysts at Deep Instinct, who discovered that the group uses a multi-step attack process involving loaders and separating components to evade detection. Further analysis by Deep Instinct and ESET research revealed three additional samples believed to be loaders used to deploy the MegaCreep backdoor as well as other tools from Polonium’s arsenal. Polonium is known to reuse code and infrastructure from other APT groups, including APT-C-23 and Gaza Cybergang.

AZOV Ransomware

Azov is a type of ransomware that infects 64-bit executables, allowing it to spread quickly through a victim’s system. It uses the SmokeLoader botnet and trojanized programs to spread and is effective at speedily and irrecoverably wiping data.

It has a “logic bomb” that allows it to detonate at a specific time and uses anti-analysis and code obfuscation techniques to avoid detection. It also has a persistence mechanism that trojanizes system binaries and creates a registry entry to ensure it continues to run on the victim’s system.

Two versions of Azov have been identified, with only minor differences. It is manually crafted in assembly language and uses a seeded decryption algorithm to decrypt its shellcode.

The wiping routine overwrites blocks of data with random noise but leaves some intact and stops once it reaches a 4GB limit. It then adds the .azov file extension to the original filename.

Raspberry Robin Malware

The Raspberry Robin malware family has been targeting the telecommunications and government sectors in various countries. It is often delivered as a shortcut or LNK file on an infected USB device and is heavily obfuscated with more than ten layers to evade detection.

Additionally, Raspberry Robin can drop a fake payload when it detects sandboxing or security analytics tools. This makes it difficult to analyze and identify.

The Oldies

Chaos rat added to Linux cryptocurrency mining attacks

A cryptocurrency mining operation has been found to be using the Chaos Remote Administrative Tool as part of its operation.

This malicious software modifies the crontab file on infected devices to maintain persistence and installs an XMRig miner. In order to continue operating and infecting as many devices as possible, the main downloader script and additional payloads are hosted in different locations.

DROKBK Malware

The Cobalt Mirage threat group was responsible for an intrusion that utilized the Drokbk malware to maintain a presence on the infected system and execute further commands received from the command-and-control server.

The actor exploited two Log4j vulnerabilities in a VMware Horizon server to gain initial access. To locate its C2 server, the malware employed the dead drop resolver technique and accessed legitimate Internet services.

NITOL DDOS And Amadey

Some people looking for cheap or unauthorized software versions like Hangul or Microsoft Office have also accidentally downloaded Nitol malware. When the Nitol malware is installed, it establishes a connection with the attackers’ command and control server. It receives instructions to conduct distributed denial of service (DDoS) attacks, retrieve additional payloads, or destroy the master boot record (MBR) of the victim’s system.

If the MBR is destroyed, the system may display “Game Over” upon reboot and be unable to restart. In some cases, Nitol malware has been used to download and install Amadey Bot malware, which can disguise itself as legitimate utilities like AnyDesk, TeamViewer, Explorer.exe, and ServcieManager.exe.

Together, Nitol and Amadey Bot can be used for DDoS attacks, payload retrieval, and data theft.

Royal Ransomware

The Royal ransomware group was seen conducting attacks against organizations in multiple countries, with a high concentration of infections in the US, Brazil, and Mexico.

These attacks involved phishing emails and social engineering techniques to trick victims into installing remote access software, which gave the attackers control of the system. The group was observed using a variety of malware and open-source tools, including QakBot, Cobalt Strike, PCHunter, PowerTool, GMER, and Process Hacker.

Dark Tortilla

Threat actors have recently been using the DarkTortilla downloader to spread malware through phishing websites and emails that mimic popular vendors such as Cisco and Grammarly. When users click on the malicious Grammarly links, they are directed to fake websites and tricked into downloading malware disguised as legitimate software but containing an infected installer in an archive file. Upon execution, the installer drops a .Net file to retrieve an encrypted png file, which is then decrypted and loaded into memory to perform malicious tasks. Similarly, on the fake Cisco site, a malicious TeamViewer executable containing encrypted content is decrypted and executed via PowerShell commands assembled with MOV techniques.

Doorme and Siestagraph Backdoors

Unknown threat actors apparently targeted a foreign affairs office belonging to ASEAN member countries. The attackers likely exploited a vulnerability in an Internet-facing Microsoft Exchange server to gain initial access to the network. Once inside, they used the DoorMe and SiestaGraph backdoors, as well as a Cobalt Strike beacon and various Windows binaries, to move laterally, extract sensitive data, and conduct reconnaissance.

FIN7

The FIN7 hacking group, AKA Carbanak Group, has been active in recent years and has been known to deploy ransomware in its attacks. However, despite these shifts in tactics, the group’s techniques, procedures, and processes (TTPs) have remained consistent enough for analysts to confidently attribute these attacks to FIN7.

In addition, security researchers have managed to infiltrate FIN7 and gain access to their Jabber chat logs. These logs have provided valuable insights into the group’s inner workings, including its hierarchy, team structures, and conflicts within the organization. The researchers have also identified associates and connections with which FIN7 is actively involved. This information has helped to paint a clearer picture of the group and its operations.