Cymulate’s December 2021 Cyberattacks Wrap-up

‘Tis the season for cyberattacks with Black Friday, New Year, and Christmas themes. Read ahead to see who was taking advantage of holiday busyness to wreak havoc this month.

Log4j Logs On

The news that sent the most shockwaves was the critical Apache Log4j vulnerability being exploited in the wild.

 Often used in popular Java projects, it’s a logging library designed to replace the built-in log4j package. Threat actors exploited the Log4Shell vulnerability to infect vulnerable devices with the notorious Dridex banking Trojan. This Trojan is used as a loader for downloading various modules that can be used to perform different malicious behaviors, such as installing additional payloads, spreading to other devices, taking screenshots, etc.

 Threat actors used the Log4j RMI (Remote Method Invocation) exploit variant to force vulnerable devices to load and execute a Java class from an attacker-controlled remote server. Once executed, the Java class first attempts to download and launch an HTA file from various URLs to install the Dridex Trojan. On Windows, the Java class downloads and opens an HTA file, which creates a VBS file in the C:ProgramData folder. This file acts as the main downloader for Dridex. If the user was part of a domain, the VBS file downloaded and executed the Dridex DLL using Rundll32.exe. On a Unix/Linux device, it downloaded an ‘m.py’ python script to install and execute Meterpreter, a pen-testing tool that provides a reverse shell back to the threat actors. It enabled them to connect to the compromised Linux server and remotely execute commands to spread further on the network, steal data, or deploy ransomware.

Cymulate added several Log4j variants to be tested using the platform. Not a customer yet, you can test log4j by going here.

Belgium Ministry of Defense Gets Attacked

Researchers also observed the deployment of another ransomware family, TellYouThePass. This ransomware was used to attack cloud services hosted in Amazon and Google in the U.S. and several sites in Europe. One of the victims was the Belgium Ministry of Defense, which admitted that threat actors accessed its computer network by exploiting the Log4j vulnerability. Belgium’s Centre for Cyber Security, a government organization, quickly released a press release. They stated that those companies using Apache Log4j software, who have not yet taken action, could expect major problems in the coming days and weeks.

Alibaba Cloud’s Silver Lining

Interestingly, despite the Apache Software Foundation crediting Alibaba Cloud for identifying and reporting the Log4j flaw, China’s Ministry of Industry and Information Technology (MIIT) suspended Alibaba Cloud’s membership of an influential security board for six months. This is in protest of Alibaba’s handling of the Log4j flaw. The Ministry blamed Alibaba Cloud for not reporting the security vulnerabilities to MIIT in a timely manner and not effectively supporting the Ministry’s network security threat and vulnerability management efforts.

More about this vulnerability can be read on our blog from December 13^th.

DarkHotel Opens Again

Also during December, the South Korea-based DarkHotel APT group made its presence felt again.

The group has been active since at least 2007. They’re known to target senior business executives by uploading malicious code to their computers through infiltrated hotel WiFi networks, and by using spear-phishing and P2P attacks.

How did the December attack start?

1. With a multi-layered malicious document that defined an AltChunk element for loading an embedded DOCX file.
2. The embedded DOCX file defined another AltChunk element for loading an embedded malicious RTF file that contained three OLE objects.
3. Once the RTF file was loaded, the three OLE objects were dropped in the %temp% directory with the names “p”, “b”, and “googleofficechk.sct”.
4. Out of these three dropped files, the scriptlet file (googleofficechk.sct) was executed.
5. The scriptlet file sent a Base64 encoded list of running processes to the configured C2 server. A POST request was sent to the URL “http://signing-config[.]com/cta/key.php” with DATA “L=G641giQQOWUiXE&q={Base64 encoded list of running processes}”.
6. The scriptlet file then performed subsequent operations, such as detecting if the machine was already infected.
7. The binary qq3104.exe got executed as part of the operations performed by the scriptlet file. This binary mainly performs three operations:

1) Spoof the process-related information in the PEB structure to pretend as explorer.exe

2) Perform UAC bypass using elevation moniker against the vulnerable COM interfaces  {3E5FC7F9-9A51-4367-9063-A120244FBEC7} and {D2E7041B-2927-42fb-8E9F-7CE93B6DC937}

3)  Execute the binary qq2688.exe

8. The executed PowerShell command read, decoded and executed the data stored under registry value “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetservicesXs”.
9. The decoded data, an obfuscated PowerShell script that executed another PowerShell command, loaded and executed an encoded .NET dll in-memory.
10. The passive DNS data showed that the threat actors created a lot of domains to spoof the names of organizations in China related to the government, education, and political think tanks and to spoof cryptocurrency projects popularly used in China, such as the Deeper network.

—

To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threat Assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI!

Stay cyber-safe!