Cymulate’s January 2022 Cyberattacks Wrap-up
As 2022 opened, threat actors kept refining their malware and attack strategies to maximize profits.
Email clients were again on the receiving end of malware, this time a backdoor dubbed ComLook because of its similarity to ComRAT, the malware used by the Russian state-sponsored advanced persistent threat (APT) actor Turla.
ComLook offers the same functionality as ComRAT. The sample contained three hard-coded mailbox credentials, with a separate folder per mailbox for new commands and for uploaded results. Commands were encrypted and let the operator run cmd.exe commands, upload and download files, and update the malware’s configuration. Turla ran its own mail server instances on three compromised mail servers, and all communication was encrypted over IMAPS.
To register itself in the mail client, ComLook uses the “The Bat!” plugin mechanism, much as Turla’s earlier Outlook backdoor registered itself in Microsoft Outlook. The sample detected in January 2022 appears to have been aimed at a target in Azerbaijan.
Another piece of malware seen in the wild was a simple batch file (.bat) with a very low VirusTotal score (1/53). Only one antivirus engine flagged it, and only because of what appears at the end of the script. The file invoked the Win32 BlockInput API through a PowerShell one-liner. Microsoft provides this API so that an application can stop the user from interacting with the machine while it performs a sensitive operation.
The function takes one parameter, TRUE or FALSE. With TRUE, keyboard and mouse input events are blocked from reaching applications, and no user interaction is possible until the same thread calls the API again with FALSE (pressing Ctrl+Alt+Del also unblocks input, which is the only manual escape hatch). Calling BlockInput from a batch file is an effective way for malware to hinder analysis: while input is blocked, the analyst cannot interact with the debugger.
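The following PowerShell is an added example, not code from the original post or from the analyzed batch file. It wraps user32!BlockInput through P/Invoke in the same way an Add-Type one-liner would, and adds the two checks a practitioner wants: the return value is verified (BlockInput returns FALSE on failure, for instance when the caller has lower integrity than the foreground process), and the release call is placed in a finally block so input is restored on every exit path. The namespace and function names are arbitrary; run it only in a lab VM.

```powershell
# Added example (not from the original post): a guarded P/Invoke wrapper for user32!BlockInput.
# Test in a lab VM only. While input is blocked, Ctrl+Alt+Del is the manual escape hatch.
$sig = @'
[DllImport("user32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool BlockInput(bool fBlockIt);
'@
# Namespace/type names are arbitrary choices for this example.
$User32 = Add-Type -Namespace 'Lab' -Name 'User32Input' -MemberDefinition $sig -PassThru

function Invoke-WithBlockedInput {
    param([Parameter(Mandatory)][scriptblock]$Action)

    # BlockInput(TRUE) returns FALSE on failure (e.g. ERROR_ACCESS_DENIED under UIPI when the
    # caller runs at a lower integrity level than the process that owns the foreground window).
    # Never assume the call succeeded.
    if (-not $User32::BlockInput($true)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "BlockInput(TRUE) failed, Win32 error $err"
    }
    try {
        & $Action
    }
    finally {
        # Only the thread that blocked input can unblock it, so the release must run here,
        # on this thread, on every exit path, including an exception thrown inside $Action.
        [void]$User32::BlockInput($false)
    }
}

# Demonstration: input is blocked for about two seconds, then released.
Invoke-WithBlockedInput -Action { Start-Sleep -Seconds 2; 'input released' }
```

From the defender’s side, the observable is exactly this pattern: a batch file spawning powershell.exe whose command line or script block contains an Add-Type/DllImport definition referencing BlockInput. With PowerShell script block logging enabled, the member definition text lands in event ID 4104 and is also visible to AMSI, so a hunt for "BlockInput" in 4104 events or in powershell.exe command lines catches the one-liner regardless of how the surrounding batch file is obfuscated.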
Crazy like a Fox
As we have seen many times before, threat actors often use legitimate software to drop malicious files and stay undetected by AV solutions. This time, a threat actor took it a step further and split the attack into several small files, each with a very low detection rate across AV engines, to deploy the Purple Fox rootkit. The attackers used a malicious Telegram installer: a compiled AutoIt script named “Telegram Desktop.exe”. AutoIt is a freeware scripting language for Microsoft Windows, and compiled AutoIt scripts ship as stand-alone executables.
The Lazarus Group, one of the most sophisticated North Korean APTs, also made itself felt in January, launching spear-phishing attacks weaponized with malicious documents. The emails posed as job opportunities from Lockheed Martin.
The attack consisted of the following stages:
- The emails carried two macro-embedded documents.
- Once the malicious macro executed, the malware performed a series of injections.
- The malicious code used an unusual, little-known technique to hijack control flow and execute its code.
- It then changed the memory protection of the existing “WMIsAvailableOffline” function and overwrote that code in memory with the base64-decoded shellcode.
- The shellcode loaded by the macro carried an encrypted DLL that resolved the APIs it needed with a custom hashing routine instead of importing them by name.
- The threat actors used the Windows Update client as a living-off-the-land binary to execute the malicious payload.
- They used GitHub (account “DanielManwarningRep”) as the command-and-control channel, so that C2 traffic blends in with legitimate connections and is harder for security products to distinguish.
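The API-hashing step in the chain above is the one an analyst has to undo before the rest of the DLL makes sense: the shellcode carries 32-bit hashes instead of import names, and the analyst resolves them by hashing every export of the DLLs the loader walks and matching. The PowerShell below is an added example, not code from the original post or from the Lazarus sample. It uses a generic ROR13-and-add hash as a stand-in for the sample’s undisclosed custom algorithm, and the export name list is constructed inline; in a real triage you would replace Get-Ror13Hash with the routine recovered by reversing and feed the full export tables of the relevant DLLs (for example from dumpbin /exports).

```powershell
# Added example, not from the original post or the Lazarus sample. The hash below is a generic
# ROR13-and-add (the Metasploit-style variant), used only as a stand-in for the sample's
# custom algorithm; swap in the routine recovered by reversing the shellcode.
$Mask32 = [long][uint32]::MaxValue   # keep arithmetic in 32 bits without signed-int surprises

function Get-Ror13Hash {
    param([Parameter(Mandatory)][string]$Name)
    [long]$h = 0
    foreach ($b in [System.Text.Encoding]::ASCII.GetBytes($Name)) {
        # rotate right by 13 within 32 bits, then add the next byte of the export name
        $h = (($h -shr 13) -bor (($h -shl 19) -band $Mask32)) -band $Mask32
        $h = ($h + $b) -band $Mask32
    }
    return [uint32]$h
}

function New-ApiHashTable {
    # Build a hash -> "dll!Export" lookup. Collisions are kept as a list, never silently dropped,
    # because a weak custom hash can map two exports to the same value.
    param([Parameter(Mandatory)][hashtable]$ExportsByDll)
    $table = @{}
    foreach ($dll in $ExportsByDll.Keys) {
        foreach ($name in $ExportsByDll[$dll]) {
            $key = Get-Ror13Hash -Name $name
            if (-not $table.ContainsKey($key)) { $table[$key] = @() }
            $table[$key] += "$dll!$name"
        }
    }
    return $table
}

function Resolve-ApiHash {
    # Map hashes pulled from the shellcode back to export names; unresolved values usually mean
    # a DLL is missing from the list or the hash routine was recovered incorrectly.
    param([Parameter(Mandatory)][hashtable]$Table, [Parameter(Mandatory)][uint32[]]$Hashes)
    foreach ($hv in $Hashes) {
        $hit = if ($Table.ContainsKey($hv)) { $Table[$hv] -join ' | ' } else { '<unresolved>' }
        [pscustomobject]@{ Hash = ('0x{0:X8}' -f $hv); Resolves = $hit }
    }
}

# Constructed export list for the demo (a real run uses the full export tables of the DLLs
# the shellcode walks via the PEB loader list).
$exports = @{
    'kernel32.dll' = 'LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'VirtualProtect', 'CreateThread', 'WriteProcessMemory'
    'ntdll.dll'    = 'NtAllocateVirtualMemory', 'NtProtectVirtualMemory', 'RtlDecompressBuffer'
    'wininet.dll'  = 'InternetOpenA', 'InternetConnectA', 'HttpOpenRequestA'
}
$table = New-ApiHashTable -ExportsByDll $exports

# Hashes "pulled from the sample": computed from names here so the demo is self-contained,
# plus one value no listed export produces, to exercise the unresolved path.
$sampleHashes = [uint32[]]@(
    (Get-Ror13Hash 'VirtualProtect'),
    (Get-Ror13Hash 'GetProcAddress'),
    (Get-Ror13Hash 'HttpOpenRequestA'),
    [uint32]3735928559
)
Resolve-ApiHash -Table $table -Hashes $sampleHashes | Format-Table -AutoSize
```

Two design points carry over to real samples. First, the table maps to "dll!name", because the same hash routine is often applied to exports of several DLLs and the resolution is only meaningful together with the module. Second, unresolved hashes are reported rather than skipped; a block of them is the usual sign that the recovered hash routine is subtly wrong (a different rotate count, case-folding, or the DLL name folded into the hash), which is exactly the kind of detail a "custom" hashing method changes.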
On a lighter note, the Russian Federal Security Service (FSB) arrested 14 members of the REvil ransomware group in January, raiding more than two dozen addresses in Moscow, St. Petersburg, Leningrad Oblast, and Lipetsk. The FSB seized more than USD 600,000, 426 million rubles (about USD 5.5 million), 500,000 euros, and 20 luxury cars purchased with the proceeds of cybercrime.
To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and offers mitigation suggestions if it turns out that you are vulnerable. IOCs are also available in the Cymulate UI.