Our monthly cyberthreat breakdown has a revamped format.
The Newcomers
This October saw the first appearance of some new threats as yet unattributed to known threat actors.
Maggie
Targeting Microsoft SQL Server, Maggie is a new malware that can brute-force administrator logins to other Microsoft SQL servers with its SqlScan and WinSockScan commands and adds a hardcoded backdoor user when successful.
Maggie is controlled through SQL queries and supports 51 commands, including running programs, executing processes, interacting with files, installing remote desktop services, and configuring port forwarding. It disguises itself as an Extended Stored Procedure DLL (sqlmaggieAntiVirus_64.dll). Such DLLs expose an API that lets remote users pass arguments in SQL queries.
The file is digitally signed by DEEPSoft Co. Ltd., a South Korean business.
By mid-October, this backdoor, built specifically to attack Microsoft SQL servers, had already spread to hundreds of computers.
Unattributed Phishing Kit Uncovered by Cymulate Research Team
The Cymulate Research team spotted an indicator belonging to a phishing kit used to conduct phishing attacks on organizations around the world with fake Microsoft login pages.
The initial infection file is a JavaScript file containing a malicious script that is encoded to evade detection.
This JavaScript loads another malicious JavaScript file hosted at an external URI.
The final JavaScript payload is a phishing page that mimics a Microsoft login page and attempts to steal the target's credentials.
Prestige Ransomware
New on the Russia-Ukraine cyber frontline, an unknown threat actor tracked under DEV-0960 targeted multiple sectors across Ukraine and Poland.
Microsoft Threat Intelligence Center (MSTIC) identified evidence of a novel ransomware campaign targeting organizations in the transportation and related logistics industries in Ukraine and Poland with a previously unidentified ransomware payload. This new ransomware, self-identified as “Prestige ransomware”, ran a series of attacks occurring within an hour of each other across all victims on October 11.
The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper).
MSTIC is tracking this activity as DEV-0960.
Exbite
The latest tool developed by BlackByte, Infostealer.Exbite, is designed to expedite the theft of data from the victim's network and upload it to an external server.
BlackByte is a ransomware-as-a-service operation that is run by the Hecamede cyber-crime group that sprang to public attention in February 2022 when the U.S. Federal Bureau of Investigation (FBI) issued an alert stating that BlackByte had been used to attack multiple entities in the U.S., including organizations in at least three critical infrastructure sectors.
In recent months, BlackByte has become one of the most frequently used payloads in ransomware attacks.
The Comebacks
Known threat actors have been busy creating new tools or improving on old ones.
Originlogger/Agent Tesla
Palo Alto Networks Unit 42 detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla.
According to Unit 42, what has been tagged as Agent Tesla version 3 is actually OriginLogger, which is said to have sprung up to fill the void left by the former after its operators shut it down following legal troubles.
The executable is a builder binary that allows a paying customer to specify the kinds of data to capture, including clipboard contents, screenshots, and the list of applications and services (e.g., browsers, email clients, etc.) from which to extract credentials.
User authentication is achieved by sending a request to an OriginLogger server, which resolves to the domain names 0xfd3[.]com and its newer counterpart originpro[.]me based on two builder artifacts.
OriginLogger, like Agent Tesla, is delivered via a decoy Microsoft Word document that, when opened, displays an image of a passport for a German citizen and a credit card, along with several Excel worksheets embedded in it.
The worksheets, in turn, contain a VBA macro that uses MSHTA to invoke an HTML page hosted on a remote server, which in turn contains obfuscated JavaScript code that fetches two encoded binaries hosted on Bitbucket.
The first of the two is a loader that uses process hollowing to inject the second executable, the OriginLogger payload, into aspnet_compiler.exe, a legitimate utility for precompiling ASP.NET applications.
Lazarus
Responsible for several high-profile incidents such as the Sony Pictures Entertainment hack, cyber-heists, WannaCry, and disruptive attacks against the South Korean public and critical infrastructure, Lazarus made a comeback this October with spearphishing emails containing malicious Amazon-themed documents.
Lazarus abused the CVE-2021-21551 vulnerability present in a user-mode module of the Dell DBUtil driver, which had been downloaded onto the victim's computer, and gained the ability to read and write kernel memory, which in turn allowed the attackers to disable several security mechanisms. It also downloaded droppers, loaders, an HTTP(S) backdoor, an HTTP(S) uploader, and an HTTP(S) downloader.
Bumblebee
Though a relatively recent threat, Bumblebee loader deserves a lot of attention due to its many links to several well-known malware families.
This October, it has been increasing its capacity and evolving its TTPs, and has been used in association with third-party tools and malware, including BumbleBee Loader, Meterpreter, Cobalt Strike, ProcDump, AnyDesk, AdFind, 7Zip, and Windows binaries, including nltest, net.exe, arp, nbtstat, the Windows Command Shell, RDP, ping, ipconfig, RunDll32, and tasklist.
Bumblebee is in constant evolution, which is best demonstrated by the fact that the loader system has undergone radical change this month – from the use of ISO format files to VHD format files containing a PowerShell script and back again.
Changes in the behavior of Bumblebee’s servers that occurred around June 2022 indicate that the attackers may have shifted their focus from extensive malware testing to reaching as many victims as possible.
Bumblebee payloads vary greatly based on their target type.
Infected standalone computers will likely be hit with banking trojans or infostealers, whereas organizational networks can expect to be hit with more advanced post-exploitation tools such as CobaltStrike.
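Because the Bumblebee loader has switched between ISO and VHD container files, filtering on the file extension alone misses a delivery vehicle every time the format changes. The following is an added example, not Cymulate's or any vendor's code, that recognizes both containers by their on-disk structure: the ISO 9660 primary volume descriptor at byte 0x8000 carries the identifier "CD001" at its second byte, and a VHD ends with a 512-byte footer that begins with the cookie "conectix" (dynamic VHDs also mirror that footer at offset 0). The sample images and the attachment names are constructed for the demonstration.

```python
"""Identify ISO 9660 and VHD containers by content rather than file name.
Added example; offsets follow the published ISO 9660 and VHD formats and
are not taken from any Bumblebee sample. Sample images are constructed."""
import os

ISO_PVD_OFFSET = 0x8000    # primary volume descriptor: sector 16 of 2048 bytes
ISO_SIGNATURE = b"CD001"   # standard identifier at byte 1 of that descriptor
VHD_COOKIE = b"conectix"   # first 8 bytes of the 512-byte VHD footer

# Extensions under which each container would normally arrive (assumed list).
EXPECTED_EXT = {"iso": {".iso", ".img"}, "vhd": {".vhd"}}


def container_type(data: bytes):
    """Return 'iso', 'vhd' or None, looking only at the bytes."""
    end = ISO_PVD_OFFSET + 1 + len(ISO_SIGNATURE)
    if len(data) >= end and data[ISO_PVD_OFFSET + 1:end] == ISO_SIGNATURE:
        return "iso"
    # Fixed VHDs keep only the trailing footer; dynamic ones also copy it to offset 0.
    if len(data) >= 512 and (data[-512:-504] == VHD_COOKIE or data[:8] == VHD_COOKIE):
        return "vhd"
    return None


def assess_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment and report when its name hides a container."""
    kind = container_type(data)
    ext = os.path.splitext(filename)[1].lower()
    mismatch = kind is not None and ext not in EXPECTED_EXT[kind]
    return {"file": filename, "container": kind, "mismatch": mismatch}


def triage(attachments) -> list:
    """Return the assessments of every attachment that is a disk-image container."""
    return [r for name, data in attachments
            if (r := assess_attachment(name, data))["container"] is not None]


# Constructed samples: minimal byte layouts that carry only the signatures.
def make_iso_sample() -> bytes:
    descriptor = b"\x01" + ISO_SIGNATURE + b"\x01" + b"\x00" * 2041  # one 2048-byte sector
    return b"\x00" * ISO_PVD_OFFSET + descriptor


def make_vhd_sample() -> bytes:
    footer = VHD_COOKIE + b"\x00" * 504  # 512-byte footer with only the cookie set
    return b"\x00" * 1024 + footer


if __name__ == "__main__":
    mailbox = [
        ("invoice.pdf", make_iso_sample()),          # container hiding behind a document name
        ("backup.vhd", make_vhd_sample()),            # honestly named container
        ("readme.txt", b"plain text, constructed"),   # not a container
    ]
    for finding in triage(mailbox):
        print(finding)
```

Anything `triage` returns deserves the same handling as an executable attachment regardless of its name, and an entry with `mismatch` set is the one to escalate: a disk image named as an invoice has no benign explanation.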
Spyder Loader Seen in Hong Kong
Identified by Symantec as an apparent continuation of Operation CuckooBees, this month's Spyder Loader campaign in Hong Kong uses a modified copy of sqlite3.dll compiled as a 64-bit PE DLL and containing a malicious export.
Symantec saw assorted other malware samples that carried out various other types of activity on victim networks, including a modified SQLite DLL with the malicious export sqlite3_extension_init, which creates and starts a service named GeneralManintenanceWork for a file named data.dat.
Symantec also saw Mimikatz being executed on victim networks, as well as a Trojanized ZLib DLL that had multiple malicious exports, one of which appeared to be waiting for communication from a command-and-control (C&C) server, while the other would load a payload from the provided file name in the command-line.
Ransom Cartel RaaS
The Ransom Cartel RaaS has been spotted using an apparently new tool called DonPAPI; it uses compromised credentials for initial access and encrypts files on both Windows and Linux VMware ESXi servers.
The Ransom Cartel ransomware-as-a-service (RaaS) has been active during 2022 and shows many similarities to the REvil ransomware family.
Ursnif
A new variant of the URSNIF malware marks a significant milestone for the tool.
Unlike previous iterations of URSNIF, this new variant, dubbed LDR4, is not a banker, but a generic backdoor (similar to the short-lived SAIGON variant), which may have been purposely built to enable operations like ransomware and data theft extortion.
The LDR4 variant appears as a DLL module on the infected computer, which is invoked via the DllRegisterServer function, but there are often other randomly named decoy functions exported to confuse sandboxes, and some of the binaries were using valid code-signing certificates.
URSNIF is the latest malware following the same path that EMOTET and TRICKBOT did before by focusing on a new strategy and leaving behind its banking fraud legacy.
LDR4 proves that statement by removing all its banking malware features and modules and focusing only on obtaining VNC and/or a remote shell on the compromised machine.
It is a common practice in offensive software operations to apply some obfuscation to the code itself or at least to API calls to thwart analysis efforts.
Qakbot
After a brief hiatus, QAKBOT’s malware distribution resumed with several distribution mechanisms.
Those included SmokeLoader (using the ‘snow0x’ distributor ID), Emotet (using the ‘azd’ distributor ID), and malicious spam that used the ‘BB’ and ‘Obama20x’ IDs.
A recent case involving the QAKBOT ‘BB’ distributor led to the deployment of Brute Ratel (detected by Trend Micro as Backdoor.Win64.BRUTEL) – a framework similar to Cobalt Strike – as a second-stage payload.
This is a noteworthy development because it is the first time analysts have observed Brute Ratel as a second-stage payload via a QAKBOT infection. The attack also involved the use of Cobalt Strike itself for lateral movement. Analysts attribute these activities to the threat actors behind the Black Basta ransomware.
Cranefly
Symantec discovered a previously undocumented dropper used to install a new backdoor and other tools using the novel technique of reading commands from seemingly innocuous Internet Information Services (IIS) logs.
The dropper (Trojan.Geppei) is being used by an actor Symantec calls Cranefly (aka UNC3524), to install another piece of hitherto undocumented malware (Trojan.Danfuan) and other tools.
The technique of reading commands from IIS logs is not something Symantec researchers have seen being used to date in real-world attacks.
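A log that is used as a command channel still has to be written by the web server first, so the requests that carry the commands are visible in the log itself. The following is an added example, not Symantec's or Cymulate's code, of a first-pass review of an IIS W3C log: it parses the `#Fields:` directive, then flags entries whose URI, query string or User-Agent contain characters that do not normally occur in a URL, whose query string is oversized, or that send a query string to a resource the server reports as non-existent (status 404). The character set, the length threshold and the sample log lines are assumptions constructed for the demonstration; none of them are indicators from the Cranefly report.

```python
"""Heuristic review of IIS W3C logs for request fields that look like data
carriers rather than ordinary web traffic. Added example; thresholds and the
character class are assumptions, not indicators from any published report."""
import re

# Characters normally present in a logged URI stem, query or User-Agent
# (IIS writes spaces as '+'); anything outside this set is worth a look.
URL_SAFE = re.compile(r"^[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]*$")
MAX_QUERY_LEN = 256  # assumed threshold; tune to the site's real traffic


def parse_w3c(lines):
    """Yield (line_no, {field: value}) using the most recent #Fields directive."""
    fields = None
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # data before any #Fields line cannot be interpreted
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed entry; a production tool would report it
        yield line_no, dict(zip(fields, values))


def reasons_for(entry):
    """Return the heuristic reasons (possibly none) an entry looks suspicious."""
    reasons = []
    for field in ("cs-uri-stem", "cs-uri-query", "cs(User-Agent)"):
        if not URL_SAFE.match(entry.get(field, "-")):
            reasons.append(f"{field} contains characters unusual for a URL")
    query = entry.get("cs-uri-query", "-")
    if len(query) > MAX_QUERY_LEN:
        reasons.append("oversized query string")
    # Data sent to a resource that does not exist has no legitimate consumer
    # on the server; the only thing that records it is the log.
    if entry.get("sc-status") == "404" and query != "-":
        reasons.append("query string sent to a non-existent resource")
    return reasons


def scan_iis_log(lines):
    """Return [(line_no, client_ip, [reasons])] for every flagged entry."""
    findings = []
    for line_no, entry in parse_w3c(lines):
        reasons = reasons_for(entry)
        if reasons:
            findings.append((line_no, entry.get("c-ip", "?"), reasons))
    return findings


# Constructed sample log (not real traffic). Lines 5, 6 and 7 should be flagged.
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus "
          "sc-win32-status time-taken")
UA = "Mozilla/5.0+(Windows+NT+10.0)"
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 10.0",
    "#Version: 1.0",
    FIELDS,
    f"2022-10-01 00:00:01 10.0.0.5 GET /index.html - 80 - 192.0.2.10 {UA} - 200 0 0 12",
    "2022-10-01 00:00:02 10.0.0.5 GET /no-such-page.aspx id=Zm9vYmFy 80 - 198.51.100.7 curl/7.79.1 - 404 0 2 5",
    f"2022-10-01 00:00:03 10.0.0.5 GET /index.html a={'A' * 300} 80 - 198.51.100.7 {UA} - 200 0 0 4",
    f"2022-10-01 00:00:04 10.0.0.5 GET /index.html x={{bad}} 80 - 198.51.100.7 {UA} - 200 0 0 4",
]

if __name__ == "__main__":
    for line_no, ip, reasons in scan_iis_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {'; '.join(reasons)}")
```

These heuristics produce candidates, not verdicts: a site with legitimately long query strings will need `MAX_QUERY_LEN` raised, and the real value of the 404-with-query rule is that it points at requests nothing on the server should have wanted. Pair the review with process monitoring for anything other than the IIS worker reading the log directory.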
The Oldies
Known actors, even if they are not creating new offensive tools, can increase their activities enough to raise alarm.
Daixin Team
Towards the end of October, a resurgence of Daixin Team, a ransomware and data extortion group that has predominantly targeted the Healthcare and Public Health (HPH) sector since at least June 2022, led the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) to release the joint alert AA22-294A requesting information about “Daixin Team”.
And that concludes this month’s cyberthreat breakdown.
Stay Cyber Safe with Cymulate
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify for yourself whether your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI!