Cymulate’s May 2022 Cyberattacks Wrap-up

Cyberattacks never take a day off, as May 2022 has shown us once again. As we mentioned before, cybercrime gangs keep stepping up their game. For instance, Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk, and Trickbot, has grown into a multimillion-dollar organization operating similar to a regular corporation.  

This Panda’s Not Cute

Another well-known threat group made a comeback: Lotus Panda, the Chinese APT. This time, it launched spear-phishing attacks using malware Viper and ARL (Asset Reconnaissance Lighthouse). Viper, which integrates numerous attack modules, is a penetration tool for tactics and technologies commonly used as part of the attackers’ processes. The ARL tool assists security teams or penetration testers to perform reconnaissance and retrieval of assets and discover existing weak points and attack surfaces. 

1. The attack started with a spear-phishing email containing a malicious Word document titled “Tender Documents for Centralized Procurement of Web Application Firewall (WAF) Equipment of China Mobile from 2022 to 2024”. 
2. Once opened, the Macro code extracted the embedded data from Comments and Subject properties, writing it in the file system. 
3. The small HexINI executable acted as a loader for a shellcode for opening and reading functions. It then converted the hexadecimal string to a byte array, which, in turn, loaded an array into process memory space using VirtualAlloc and memcpy. 
4. The code was executed on a new thread through the CreateThread function. 
5. Once the shellcode was executed, a suspended process of svchost.exe was created for infecting the final beacon. 
6. In this case, the injection mechanism used the classic flow of VirtualAllocEx, WriteProcessMemory, and CreateRemoteThreadEx WinApi functions. 
7. The HTTP beacon embedded the user-agent and got new commands for execution. 
8. The C2 server contained a Viper framework and ARL dashboards. 

 

Check Your Windows

Chinese-linked threat actors also actively exploited the Microsoft Office zero-day vulnerability Follina for executing malicious code remotely on Windows systems. This remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) impacted all Windows client and server platforms still receiving security updates (Windows 7 or later and Windows Server 2008 or later). 

No Rest for the Wicked

The Magecart hackers attacked Germany-based mattress giant Emma – The Sleep Company. Magecart used online skimming techniques to steal data from customers entering credit or debit card information on e-commerce websites. JavaScript skimmers were injected on checkout pages to steal the data, regardless of whether the customer completed the online transaction or not. Magecart also breached other sites by infiltrating site vendors and e-commerce sites that use those vendors. This allowed Magecart to infiltrate thousands of sites with a single vendor infiltration. 

 Mail-ware

Malware keeps on being updated for maximum impact. In May 2022, we saw that its range of vulnerabilities to exploit keeps expanding. For instance, the new variant Sysrv-K deployed a Monero cryptocurrency miner on infected machines to abuse computer resources so as to generate digicash. Sysry-K was also observed to search through WordPress files on compromised machines to take control of web server software using a Telegram bot. as a communications channel. Using the Go programming language, Sysrv is basically a worm and a cryptocurrency miner that initiates port scans against random IPs to find vulnerable Tomcat, WebLogic, and MySQL services to infiltrate the servers with hard-coded password dictionary attacks. 

A RAT in the Org

Another type of malware rearing its ugly head in May 2022 is the Remote Access Trojan Nerbian RAT, which targeted organizations in Italy, Spain, and the United Kingdom. The malware was distributed via COVID-19-themed phishing emails claiming to be sent by the World Health Organization. 

1. Once the victims opened the email, they were duped into accessing the malicious Word document titled the “latest health advice.” 
2. The micros displayed COVID-19 guidance, including steps for self-isolation, at first glance. 
3. The micros also triggered an infection chain in the background. 
4. The “UpdateUAV.exe” payload was delivered for dropping the Nerbian RAT from a remote server. 
5. The dropper also used the open-source Chacal “anti-VM framework” to make reverse engineering difficult by carrying out anti-reversing checks. 
6. Once it encountered a debugger or memory analysis program, it terminated itself. 
7. The RAT logged keystrokes, capturing screenshots, and execute arbitrary commands before exfiltrating the results back to the server. 

 

Skip this ZIP

Threat actors are always finding ways to stay obfuscated. One way of doing so is the so-called “ZIP bomb” tactic by delivering a malicious archive (ZIP folder) to a victim’s mailbox. Once the very small malicious archive was decompressed, it consumed a lot of resources to unzip. This tactic is a highly efficient way to bypass security controls. 

IoT Tales

In May 2022, the Mirai botnet operators incorporated new vulnerabilities and different hardware architectures to target IoT devices, x86 (32 and 64 bit), ARM, MIPS, Motorola 68K, Sparc, and PowerPC architectures. We saw that, although the ARM CPU architecture – used in most mobile and IoT devices – remained the favorite, 32-bit x86 Mirai variants used on Linux servers and networking equipment are becoming more popular.  

To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI! 

Stay cyber safe!