In March 2022, threat actors took advantage of the conflict in Ukraine to push their agenda.
Bear With Us
A group called Ember Bear was behind the new malware dubbed WhisperGate, which targeted Ukrainian government agencies. HermeticWiper is another wiper that threat actors used in Ukraine; this data-wiping malware impacted hundreds of computers on networks across Ukraine. We also saw a new variant of LokiLocker, a ransomware-as-a-service (RaaS) family with possible origins in Iran. That malware was updated with a built-in wiper that erases all non-system files from infected Windows PCs.
Also in March, TA416, a threat actor linked to the Chinese government, increased its campaigns against European governments. TA416 updated the payload of its PlugX malware with the PotPlayerDB.dat variant, which used an updated encoding method and featured additional payload configuration capabilities. The campaign's emails used web bugs (tracking pixels) to profile targets: a hyperlinked, non-visible object embedded in the email body.
Once enabled, the object retrieved a benign image file from the actor-controlled server, confirming to the actor that the targeted account was valid. The malware leveraged a vulnerability in potplayermini.exe to load PotPlayer.dll, which contained an obfuscated launcher that, in turn, executed PotPlayerDB.dat. DocConvDll.dll served as a loader for the PlugX DAT configuration files, similar to the Trident Loader method that TA416 used in previous campaigns to install PlugX.
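The web bug described above works only if the mail client fetches a remote, invisible image. The following is an added detection example, not code from the original post or from Cymulate: it scans an HTML email body for remote images that are 1x1 or hidden via inline CSS and reports the host they would beacon to. The sample body and the hostnames in it are constructed for the example.

```python
"""Flag likely web bugs (tracking pixels) in an HTML email body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, including self-closing ones."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def find_tracking_pixels(html):
    """Return one finding per remote image that is tiny or hidden.

    A beacon must reach an external server, so only http(s) sources count;
    inline (cid:/data:) images cannot report back. Visible remote images are
    ignored here: they may track too, but tiny or hidden ones are the clear case.
    """
    collector = _ImgCollector()
    collector.feed(html)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        width, height = _pixels(img.get("width")), _pixels(img.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("1x1 or smaller dimensions")
        # Normalise the inline style so "display: none" and "display:none" compare equal.
        style = img.get("style", "").lower().replace(" ", "")
        if ("display:none" in style or "visibility:hidden" in style
                or re.search(r"(?:width|height):0(?:px)?(?:;|$)", style)):
            reasons.append("hidden via inline CSS")
        if reasons:
            findings.append({"host": url.hostname, "src": src, "reasons": reasons})
    return findings


# Constructed sample body for this example: one legitimate logo, one beacon,
# and one inline (cid:) image that cannot phone home.
SAMPLE_EMAIL = """
<html><body>
<p>Quarterly report attached.</p>
<img src="https://mail.example.org/logo.png" width="200" height="60" alt="logo">
<a href="https://tracker.example/r?id=a1b2"><img src="https://tracker.example/p.gif?id=a1b2"
     width="1" height="1" style="display: none"></a>
<img src="cid:signature@local" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_tracking_pixels(SAMPLE_EMAIL):
        print(finding["host"], finding["reasons"])
```

Run against the sample, only the tracker.example image is reported, with both reasons; the cid: image is skipped because it never leaves the mail client. In a mail gateway the useful output is the host list, which can be matched against known tracking and actor infrastructure.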
Furthermore, this version also contained obfuscation to avoid detection, resolving API functions at runtime. Most functions containing the malware's "business logic" were obfuscated with a state machine: each function maintains a state variable and branches on it through many comparisons. This makes analysis difficult because the state values are not hardcoded but computed as the result of a function.
APT41 Attacks NA
Another notorious state-sponsored Chinese threat group, APT41, was targeting North American state governments. The threat actors are known to use malicious ViewStates to trigger code execution against targeted web applications. In the ASP.NET framework, ViewState is a mechanism for persisting a page's and its controls' values across HTTP requests to and from the server. It is sent to the server with each HTTP request as a Base64-encoded string in a hidden form field. The web server decodes the string and applies additional transformations to unpack it into data structures for the server to use. To prevent manipulation, the ViewState is protected by a Message Authentication Code (MAC) computed with the application's machineKey, which must therefore be kept confidential.
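The MAC relationship in the paragraph above, as an added example that is not part of the original post or of ASP.NET itself: a simplified model in which the hidden field is Base64(payload || HMAC-SHA256(machineKey, payload)). The real ASP.NET wire format differs; the point shown is the order of operations (verify the MAC, then deserialize) and the fact that the protection is exactly as strong as the key's secrecy, which is why rotating machineKey after a suspected compromise invalidates every previously issued field. Key values and the state bytes are constructed for the example.

```python
"""Simplified model of MAC-protected ViewState: verify before deserializing.

Added example; this is not ASP.NET's real wire format, only the trust
relationship: the MAC is only as secret as the key that computes it.
"""
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect_viewstate(payload: bytes, machine_key: bytes) -> str:
    """Append HMAC-SHA256(machine_key, payload) and Base64-encode, like the hidden form field."""
    mac = hmac.new(machine_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def unprotect_viewstate(field: str, machine_key: bytes):
    """Return the payload only if its MAC verifies; None otherwise.

    The check happens before any deserialization: a field that fails here
    must never reach the deserializer, which is the step that executes code.
    """
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(machine_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    return payload


def tamper(field: str) -> str:
    """Flip one bit of the encoded payload without touching the MAC (constructed test input)."""
    raw = bytearray(base64.b64decode(field))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def demo() -> dict:
    """Walk through the cases the text describes; True means the 'server' accepted the field."""
    old_key = b"\x11" * 32  # constructed keys; a real machineKey is random and longer
    new_key = b"\x22" * 32
    state = b"page-and-control-values"
    genuine = protect_viewstate(state, old_key)
    # Anyone holding the key produces a field the server accepts: key secrecy IS the control.
    minted_with_key = protect_viewstate(b"different-state", old_key)
    return {
        "genuine": unprotect_viewstate(genuine, old_key) == state,
        "tampered_without_key": unprotect_viewstate(tamper(genuine), old_key) is not None,
        "minted_with_key": unprotect_viewstate(minted_with_key, old_key) is not None,
        # Rotating machineKey invalidates every field signed under the old key.
        "genuine_after_rotation": unprotect_viewstate(genuine, new_key) is not None,
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The tampered field is rejected and the one minted with the key is accepted, which is the whole story of the bullet points that follow: once the key is known, the MAC no longer distinguishes the application's own ViewState from anyone else's. Defensively, that makes machineKey a secret to protect and rotate like a credential, and makes a burst of MAC validation failures in application logs worth alerting on.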
- A threat actor with knowledge of the machineKey can construct a malicious ViewState (using, e.g., YSoSerial.NET) and generate a new, valid MAC that the server accepts.
- With a valid MAC, the server deserializes the malicious ViewState, resulting in code execution on the server.
- After gaining initial access to an internet-facing server, APT41 performed extensive reconnaissance and credential harvesting.
- The threat actors deployed a ConfuserEx-obfuscated BADPOTATO binary for local privilege escalation to NT AUTHORITY\SYSTEM.
- Once APT41 had escalated to NT AUTHORITY\SYSTEM privileges, the local SAM and SYSTEM registry hives were copied to a staging directory for credential harvesting and exfiltration.
- APT41 also used Mimikatz to execute the lsadump::sam command on the dumped registry hives to obtain locally stored credentials and NTLM hashes.
- The threat actors also conducted Active Directory reconnaissance by uploading the Windows command-line tool dsquery.exe.
- Advanced malware was used to avoid detection, including the DEADEYE launcher, the LOWKEY backdoor, and the DEADEYE.APPEND variant.
- APT41 also incorporated another anti-analysis technique: chunking a VMProtect-packaged DEADEYE binary into multiple sections on disk to thwart forensic investigations.
- The threat actors continued to update technology community forum posts frequently with new dead drop resolvers to keep their C2 infrastructure hidden, and substantially increased their use of Cloudflare services for C2 communications and data exfiltration.
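Several of the post-exploitation steps above leave a recognisable process command line behind. The following is an added detection example, not code from the original post or from Cymulate: three rules run over constructed process-creation events for the hive copies, the Mimikatz lsadump::sam command, and an uploaded dsquery.exe executing from a temporary path. The event format (key=value fields separated by |), host and user names are assumed for the example, and reg.exe is assumed as one common way the SAM and SYSTEM hives end up copied to disk.

```python
"""Detection rules for the post-exploitation steps listed above, run over
constructed process-creation events (added example; field names are assumed)."""
import re

# (rule name, pattern over the process command line). Patterns are constructed
# for this example and must be tuned to local telemetry.
DETECTION_RULES = [
    ("registry_hive_dump", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system)\b", re.I)),
    ("mimikatz_lsadump_sam", re.compile(r"lsadump::sam", re.I)),
    ("ad_recon_dsquery", re.compile(r"\bdsquery(?:\.exe)?\b", re.I)),
]


def parse_event(line: str) -> dict:
    """Parse 'key=value|key=value' lines (constructed format for this example)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def scan_process_events(lines):
    """Return one hit per (event, rule) match, preserving event order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        cmdline = event.get("commandline", "")
        for name, pattern in DETECTION_RULES:
            if pattern.search(cmdline):
                hits.append({"rule": name, "host": event.get("host"),
                             "user": event.get("user"), "commandline": cmdline})
    return hits


# Constructed events: two hive saves, a Mimikatz run, an uploaded dsquery.exe
# executed from a temp path, and two benign commands that must not alert.
SAMPLE_EVENTS = [
    r"ts=2022-03-01T10:02:11Z|host=WEB01|user=NT AUTHORITY\SYSTEM|commandline=reg save HKLM\SAM C:\Windows\Temp\s.hiv",
    r"ts=2022-03-01T10:02:13Z|host=WEB01|user=NT AUTHORITY\SYSTEM|commandline=reg save HKLM\SYSTEM C:\Windows\Temp\sy.hiv",
    r'ts=2022-03-01T10:05:40Z|host=WEB01|user=NT AUTHORITY\SYSTEM|commandline=m.exe "lsadump::sam" exit',
    r"ts=2022-03-01T10:09:02Z|host=WEB01|user=NT AUTHORITY\SYSTEM|commandline=C:\Windows\Temp\dsquery.exe user -limit 0",
    r"ts=2022-03-01T10:12:55Z|host=WEB01|user=CORP\alice|commandline=reg query HKCU\Software\Microsoft",
    r"ts=2022-03-01T10:13:10Z|host=WEB01|user=CORP\alice|commandline=notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(f"{hit['host']} {hit['user']}: {hit['rule']} <- {hit['commandline']}")
```

The benign reg query and notepad events produce no hits; the four actor events each match exactly one rule. Because all four fire on the same host, under NT AUTHORITY\SYSTEM, within minutes, a correlation on (host, user, time window) raises the confidence well above what any single rule gives.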
The Chips Are Down
In our previous monthly wrap-up, we covered the cyberattack that hit US chipmaker Nvidia Corp. In March, Lapsus$, the threat actors behind the attack, leaked an Nvidia code-signing certificate that had expired in 2014; code signed with this certificate could still be accepted by Windows. The threat actors appear to be blackmailing Nvidia into removing Lite Hash Rate (LHR), which cripples cryptocurrency mining, from its GPU firmware. Lapsus$ announced on its Telegram page that it will leak more internal materials and details of chip blueprints unless LHR is removed and Nvidia open-sources its drivers for Macs, Linux, and Windows PCs.
To find out if your organization is protected against the latest malware attacks, run Cymulate's Immediate Threats assessment. This lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions if it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI!
Stay cyber safe!