Cymulate’s February 2022 Cyberattacks Wrap-up
In February, several large enterprises were hit by cyberattacks, including the US chipmaker Nvidia Corp. The network intrusion took down Nvidia’s email systems and developer tools for two days.
The threat actor behind the attack was Lapsus$, a South American data-extortion group, which also stole one terabyte of data from the compromised network, including source code and information related to Nvidia RTX GPUs. Lapsus$ is often labelled a ransomware gang, although its leverage is stolen data rather than encryption; it had recently been linked to an attack on Portugal’s largest TV channel.
State of Cybersecurity
February was also the month of state-sponsored cyberattacks.
China-linked threat actors targeted government computers at several foreign agencies with a stealthy backdoor designed to keep a foothold on sensitive networks and exfiltrate data without being detected. The Russia-sponsored Shuckworm group (aka Gamaredon and Armageddon) ran cyber-espionage campaigns against Ukrainian targets ahead of the invasion; entities in Ukraine have long been its main focus. Shuckworm is known to use phishing emails to deliver Remote Manipulator System (RMS), UltraVNC, and its custom Pterodo/Pteranodon malware, which it uses to steal credentials and move laterally inside compromised networks.
Iran-sponsored APT35 (aka Phosphorus and Charming Kitten) was also active in February. APT35 had previously attacked medical research organizations in the US and Israel in late 2020 and academic researchers from the US, France, and the Middle East in 2019. The group has now added a new PowerShell backdoor to its toolset in order to stay undetected. Dubbed PowerLess Backdoor, it executes its PowerShell code inside a .NET context rather than spawning the powershell.exe process, so defenses that watch for PowerShell process creation see nothing. The new toolset includes modular and multi-staged malware in addition to a range of open-source tools, including cryptography libraries. One of the IP addresses the group used for C2 had also served as C2 for the Memento ransomware.
Another Iran-sponsored APT group, MuddyWater (aka Mercury and Static Kitten), frequently runs campaigns against high-value targets in the US, EU, and Asia. In February, MuddyWater targeted Turkish government entities, including the Scientific & Technological Research Council of Turkey (TÜBİTAK), with a spear-phishing campaign.
The motives behind such attacks are usually one of three: espionage, IP theft, or disruption of operations.
The attack followed a familiar pattern:
- The users received spoofed emails carrying malicious PDFs and Microsoft Office documents (maldocs).
- These PDF files showed an error message asking to click on the embedded link to get
- Once the victims clicked the embedded links, a decoy document was displayed while malicious Excel documents (XLS maldocs) and executables were fetched and executed from a remote location.
- A directory was created in the user’s home folder to store the PowerShell and Visual Basic scripts.
- The malware then ran a series of PowerShell and Visual Basic scripts combined with living-off-the-land binaries (LoLBins).
- Initial contact with the hosting servers was made over HTTP.
- After the initial infection, the scripts downloaded additional payloads.
- A registry key was added for persistence.
- DNS was used to contact the command and control (C2).
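The chain above lends itself to a correlation rule rather than a single indicator: an Office application spawning a script host, a script written under the user profile, a Run key pointing at it, and DNS traffic from that script host. The Python script below is an added example, not Cymulate’s or Cisco Talos’ tooling. It runs over constructed Sysmon-style JSON events (process creation, file creation, registry value set and DNS query; the hostnames, user names, paths and domains are invented), maps each event to a stage of the chain, and reports only hosts on which several stages line up. The entropy and length thresholds for the DNS check are heuristics chosen for the example, not indicators from the campaign.

```python
"""Correlate the MuddyWater-style maldoc chain in Sysmon-style telemetry.

Added example for this wrap-up, not Cymulate's or Cisco Talos' tooling. The
events below are constructed: field names follow Sysmon's JSON schema
(EventID 1 process create, 11 file create, 13 registry value set, 22 DNS
query) while hosts, users, paths and domains are invented. Thresholds are
heuristics, not signatures from the campaign.
"""
import json
import math
import re
from collections import Counter, defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# Living-off-the-land binaries the chain leans on to fetch or launch stages.
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
SCRIPT_EXT = (".ps1", ".vbs", ".vbe", ".js", ".hta")
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_DIR_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_suspicious_dns(query: str, max_sub_len: int = 40, min_entropy: float = 3.5) -> bool:
    """Flag the long or high-entropy subdomains that carrying data over DNS
    produces. Everything left of the registrable domain (approximated as the
    last two labels) is scored, so a lookup of www.example.com has nothing to score."""
    labels = query.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return False
    sub = ".".join(labels[:-2])
    return len(sub) > max_sub_len or (len(sub) >= 20 and shannon_entropy(sub) >= min_entropy)


def classify(ev: dict):
    """Return the chain stage one event evidences, or None."""
    eid, image = ev["EventID"], basename(ev.get("Image", ""))
    if eid == 1 and basename(ev.get("ParentImage", "")) in OFFICE_APPS and image in SCRIPT_HOSTS | LOLBINS:
        return "maldoc_spawns_script_host"
    if eid == 11:
        target = ev.get("TargetFilename", "")
        if target.lower().endswith(SCRIPT_EXT) and USER_DIR_RE.match(target) and image in SCRIPT_HOSTS | LOLBINS | OFFICE_APPS:
            return "script_dropped_in_user_profile"
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        details = ev.get("Details", "").lower()
        if any(h in details for h in SCRIPT_HOSTS) or details.rstrip('"').endswith(SCRIPT_EXT):
            return "run_key_persistence"
    if eid == 22 and image in SCRIPT_HOSTS and is_suspicious_dns(ev.get("QueryName", "")):
        return "dns_c2_beacon"
    return None


def triage(lines, min_stages: int = 3) -> dict:
    """Bucket stage evidence per host and report hosts with at least min_stages
    distinct stages: one Office-spawned PowerShell is noise, the chain is not.
    Returns {host: {stage: [image, ...]}}."""
    by_host = defaultdict(dict)
    for line in lines:
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            by_host[ev["Computer"]].setdefault(stage, []).append(ev.get("Image", ""))
    return {host: stages for host, stages in by_host.items() if len(stages) >= min_stages}


# Constructed Sysmon-style events: one host shows the whole chain, the other shows
# look-alike but benign activity (admin PowerShell, ordinary DNS, a normal registry write).
SAMPLE_LOG = r'''
{"EventID": 1, "Computer": "WS-TR-017", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe //B C:\\Users\\jdoe\\WinUpd\\stage1.vbs"}
{"EventID": 11, "Computer": "WS-TR-017", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\jdoe\\WinUpd\\stage2.ps1"}
{"EventID": 13, "Computer": "WS-TR-017", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdCheck", "Details": "wscript.exe //B C:\\Users\\jdoe\\WinUpd\\stage1.vbs"}
{"EventID": 22, "Computer": "WS-TR-017", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "7a3f9c1e5b2d8f4a6c0e1b3d5f7a9c2e4b6d8f0a1c3e5b7d.status-check.example.net"}
{"EventID": 1, "Computer": "WS-FIN-042", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"EventID": 22, "Computer": "WS-FIN-042", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "www.example.com"}
{"EventID": 13, "Computer": "WS-FIN-042", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
'''

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_LOG.strip().splitlines()).items():
        print(host)
        for stage, images in stages.items():
            print(f"  {stage}: {', '.join(sorted(set(images)))}")
```

Requiring three of the four stages on the same host is what keeps the rule quiet on the second host, where an administrator opened PowerShell from Explorer and resolved an ordinary name; on real telemetry the same grouping would also be bounded by a time window, which the example leaves out.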
The North Korean Lazarus Group has also started using LoLBins in its campaigns. In February, it launched a spear-phishing campaign targeting the defense sector: posing as the Lockheed Martin Corporation, the emails lured recipients with job openings.
- The emails carried two phishing documents (Lockheed_Martin_JobOpportunities.docx and Salary_Lockheed_Martin_job_opportunities_confidential.doc).
- Once the document was opened and macros enabled, the macro loaded WMVCORE.DLL, a legitimate Windows DLL for Windows Media.
- The macro checked for a document variable before entering its main functionality block, so that the payload would not be executed again on subsequent openings.
- Next, the shellcode, embedded in the macro as an array of encoded strings, was decoded with CryptStringToBinaryW (base64) or UuidFromStringA (UUID-formatted strings).
- These calls decoded the embedded payload and wrote it to an executable heap.
- The decoded shellcode then retrieved the address and memory permissions of the WMIsAvailableOffline function in WMVCORE.DLL so that the function’s code could be overwritten with the shellcode.
- The KernelCallbackTable pointer was retrieved from the PEB of the current process via NtQueryInformationProcess. This table holds the user32 callbacks that the kernel invokes in the process, so patching an entry yields a callback into attacker-controlled code.
- The _fnDWORD entry in that table was patched to point to WMIsAvailableOffline, which now contained the shellcode.
- The shellcode ran the next time WINWORD.EXE made a graphical call that dispatched through the patched callback.
- The macro then set the document variable so that the shellcode would not run again on subsequent openings.
- The macro also retrieved and displayed a decoy document.
- The shellcode created a new staging folder, C:\WMAuthorization, wrote a VBS file (WMVxEncd.vbs) to it, and created a corresponding scheduled task to run the script every 20 minutes.
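The way the macro stores its payload, as an array of short strings that CryptStringToBinaryW or UuidFromStringA turns back into bytes, is something an analyst can reverse statically without opening the document in Word. The Python below is an added example, not Malwarebytes’ or Cymulate’s code: it lists the Win32 APIs a macro declares, flags the ones that played a role in the chain above, and rebuilds the payload from either encoding. The macro text it analyses is constructed by the script itself (build_sample_macro), with a harmless marker string in place of shellcode; the table of flagged APIs and the function names flag_apis, decode_chunks and analyze are the example’s own.

```python
"""Static triage of a Word macro that stores its payload as a string array.

Added example for this wrap-up, not Malwarebytes' or Cymulate's code. The
macro text is constructed by build_sample_macro(): the Declare lines name the
APIs from the chain above, but the "shellcode" is a harmless marker string.
"""
import base64
import re
import uuid

# Win32 imports a job-offer document has no business declaring, with the role
# each played in the chain described above.
SUSPICIOUS_APIS = {
    "CryptStringToBinaryW": "base64-decodes the payload in-process",
    "UuidFromStringA": "decodes UUID-formatted payload chunks",
    "HeapCreate": "executable heap for the decoded shellcode",
    "RtlMoveMemory": "copies decoded bytes into memory",
    "NtQueryInformationProcess": "locates the PEB and its KernelCallbackTable",
    "VirtualProtect": "changes page permissions before overwriting code",
}

DECLARE_RE = re.compile(
    r'^\s*(?:Private\s+|Public\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"(\w+)")?',
    re.I | re.M,
)
ARRAY_RE = re.compile(r"Array\s*\((.*?)\)", re.S)
STR_RE = re.compile(r'"([^"]*)"')
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def declared_apis(vba: str) -> dict:
    """Map every Declare'd API (its Alias when one is given) to the DLL it comes from."""
    return {alias or name: dll.lower() for name, dll, alias in DECLARE_RE.findall(vba)}


def flag_apis(vba: str) -> dict:
    """The declared APIs that appear in SUSPICIOUS_APIS, with the reason each matters."""
    return {api: SUSPICIOUS_APIS[api] for api in declared_apis(vba) if api in SUSPICIOUS_APIS}


def decode_chunks(items: list) -> tuple:
    """Rebuild the bytes the macro would obtain from one string array.

    UUID chunks are laid out as UuidFromStringA writes them into a GUID: the
    first three fields little-endian, the last two as written, which is
    uuid.UUID(...).bytes_le rather than .bytes. Base64 chunks are concatenated
    and decoded as CryptStringToBinaryW would. Returns (payload, encoding) or
    (None, None) when the array is neither.
    """
    if items and all(UUID_RE.fullmatch(i) for i in items):
        return b"".join(uuid.UUID(i).bytes_le for i in items), "uuid"
    try:
        return base64.b64decode("".join(items), validate=True), "base64"
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, None


def analyze(vba: str, min_payload: int = 16) -> dict:
    """Flag suspicious imports and recover every decodable array payload."""
    payloads = []
    for m in ARRAY_RE.finditer(vba):
        data, enc = decode_chunks(STR_RE.findall(m.group(1)))
        if data and len(data) >= min_payload:
            payloads.append((enc, data))
    return {"apis": flag_apis(vba), "payloads": payloads}


def build_sample_macro(payload: bytes) -> str:
    """Constructed stand-in for the lure's macro (not the real document's code):
    the same storage trick in both encodings and the same document-variable guard."""
    b64 = base64.b64encode(payload).decode()
    b64_items = ", ".join(f'"{b64[i:i + 32]}"' for i in range(0, len(b64), 32))
    padded = payload + b"\x90" * (-len(payload) % 16)  # whole 16-byte UUIDs
    uuid_items = ", ".join(
        f'"{uuid.UUID(bytes_le=padded[i:i + 16])}"' for i in range(0, len(padded), 16)
    )
    return f'''
Private Declare PtrSafe Function CryptStringToBinaryW Lib "crypt32.dll" (ByVal pszString As LongPtr, ByVal cchString As Long, ByVal dwFlags As Long, ByVal pbBinary As LongPtr, ByRef pcbBinary As Long, ByVal pdwSkip As LongPtr, ByVal pdwFlags As LongPtr) As Long
Private Declare PtrSafe Function UuidFromStringA Lib "rpcrt4.dll" (ByVal StringUuid As String, ByVal Uuid As LongPtr) As Long
Private Declare PtrSafe Function HeapCreate Lib "kernel32.dll" (ByVal flOptions As Long, ByVal dwInitialSize As LongPtr, ByVal dwMaximumSize As LongPtr) As LongPtr
Private Declare PtrSafe Function NtQueryInformationProcess Lib "ntdll.dll" (ByVal hProcess As LongPtr, ByVal InfoClass As Long, ByVal Info As LongPtr, ByVal Length As Long, ByRef ReturnLength As Long) As Long
Private Declare PtrSafe Function MessageBoxW Lib "user32.dll" (ByVal hWnd As LongPtr, ByVal lpText As LongPtr, ByVal lpCaption As LongPtr, ByVal uType As Long) As Long

Sub AutoOpen()
    If ActiveDocument.Variables.Count > 0 Then Exit Sub   ' run-once guard
    Dim b64 As Variant, uu As Variant
    b64 = Array({b64_items})
    uu = Array({uuid_items})
    ActiveDocument.Variables.Add "done", 1
End Sub
'''


PAYLOAD = b"EXAMPLE PAYLOAD MARKER: constructed, not shellcode"
SAMPLE_MACRO = build_sample_macro(PAYLOAD)

if __name__ == "__main__":
    report = analyze(SAMPLE_MACRO)
    for api, why in report["apis"].items():
        print(f"{api:26s} {why}")
    for enc, data in report["payloads"]:
        print(f"{enc}: {len(data)} bytes -> {data[:32]!r}")
```

The UUID branch uses bytes_le deliberately: UuidFromStringA writes the first three fields of the GUID little-endian, so decoding the strings with .bytes instead would scramble the first eight bytes of every 16-byte chunk and the reconstructed shellcode would not match what actually ran in the executable heap.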
In addition to the cyberattacks on the websites of Ukraine’s defense ministry and army and on the online interfaces of the country’s two largest banks, threat actors also hit Polish targets. The website of the Polish national clearing system and servers dedicated to the government email network were attacked, as were the IT networks of Poland’s main power utility, PGE SA. The Polish power utility was not the only piece of critical infrastructure to suffer a ransomware attack in February.
The German petrol distributor Oiltanking was also the victim of a ransomware attack conducted by a new ransomware group dubbed ALPHV/BlackCat. Major oil terminals in Antwerp and Rotterdam, two of Western Europe’s biggest ports, were also attacked.
To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions if it turns out that you are. IOCs are also available in the Cymulate UI.