Threat actors kept stepping up their game in November. To illustrate, consider the elusive new ransomware run by the threat group UNC2190. Dubbed Sabbath, it launched last September and managed to fly under the radar until the end of November. Sabbath appears to operate as ransomware-as-a-service: the operators recruit individual "affiliate" hackers to break into networks and deploy the ransomware. The operation has its roots in the earlier Arcane and Eruption ransomware, which have also been traced to UNC2190. November also saw the Emotet malware make a comeback, with malicious email campaigns landing in the inboxes of organizations in Japan and infecting the computers of some recipients via those messages.
Squid Game Gets Phishy
UNC2190 was not the only threat actor group active; TA575 also made its presence felt by leveraging the popular Netflix show "Squid Game" to distribute Dridex malware. TA575 is a prolific, financially motivated criminal group that specializes in Dridex and operates swaths of Cobalt Strike servers. In November, the group impersonated entities associated with Squid Game, sending emails that promised early access to a new season of the show and a chance to become part of the cast.
The emails enticed recipients either to fill out an attached document to get early access to the new season, or to fill out a talent form to join the background cast. The attachments were Excel documents carrying macros that, once enabled, downloaded the Dridex banking Trojan. TA575's lures typically revolve around invoices and payment requests, with occasional use of popular news, events, and cultural references. TA575 also frequently uses the Discord content delivery network (CDN) to host and distribute Dridex; Discord has become increasingly popular among cybercriminals as a malware-hosting service.
New Threat: Tortilla Group
A new threat actor, the Tortilla group, entered the scene by exploiting the ProxyShell flaws in Microsoft Exchange servers to deploy Babuk ransomware in corporate networks. The attack chain was as follows:
- The attacker installed a downloader module on the victim's Exchange server, both as a standalone executable and as a DLL. The DLL variant was run by the Exchange IIS worker process, w3wp.exe.
- The initial downloader was a modified EfsPotato exploit that targeted the ProxyShell and PetitPotam flaws.
- The downloader ran an embedded, obfuscated PowerShell command to fetch a packed downloader module from the threat actor's infrastructure.
- The same PowerShell command executed an AMSI bypass to evade endpoint protection.
- The loader then connected to pastebin.pl to fetch an intermediate unpacker module, which decrypted the embedded Babuk payload in memory and injected it into a newly created .NET Framework process (AddInProcess32).
- Running inside AddInProcess32, the Babuk module enumerated the processes on the victim's server and attempted to terminate a number of them related to backup products.
- The ransomware also deleted Volume Shadow Copy Service (VSS) snapshots with the vssadmin utility so that the encrypted files could not be restored from shadow copies.
- The ransomware then encrypted the files on the victim's server, appending the .babyk extension to each encrypted file.
- The ransom note demanded $10,000 in Monero for recovery of the encrypted documents.
Victims were mainly located in the US, but also in the UK, Germany, Ukraine, Finland, Brazil, Honduras, and Thailand.
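The chain above lends itself to a process-lineage hunt. The following is an added example, not code from the original post or from Cisco Talos: a small Python detector run over constructed Sysmon-style process-creation events. It flags w3wp.exe spawning a shell, AMSI-patching strings in a PowerShell command line, AddInProcess32.exe started by a binary outside the Windows and Program Files trees (a heuristic assumption), and vssadmin deleting shadow copies, and adds a .babyk extension check. The event layout, rule names, trusted directories and all sample events are assumptions made for this demo.

```python
"""Hunt for the Tortilla/Babuk process chain in process-creation telemetry.

Added example for this post, not code from Cymulate or from the Talos report.
Event fields and rule thresholds are assumptions; all sample events are
constructed. Input is the kind of data Sysmon event ID 1 or an EDR provides.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    cmdline: str


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def webshell_child(e: ProcEvent) -> bool:
    """Exchange IIS worker spawning a shell: the post-ProxyShell web shell pattern."""
    return _base(e.parent_image) == "w3wp.exe" and _base(e.image) in {
        "cmd.exe", "powershell.exe", "pwsh.exe"}


# Strings that appear in the common in-memory AMSI patches used from PowerShell.
AMSI_PATTERNS = re.compile(r"amsiInitFailed|AmsiUtils|AmsiScanBuffer|amsi\.dll", re.I)


def amsi_bypass(e: ProcEvent) -> bool:
    """PowerShell command line carrying one of the AMSI patch strings."""
    return _base(e.image) in {"powershell.exe", "pwsh.exe"} and bool(
        AMSI_PATTERNS.search(e.cmdline))


# Assumption: legitimate hosts of .NET add-ins live under these trees.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def addinprocess_hollowing(e: ProcEvent) -> bool:
    """AddInProcess32.exe started by a binary outside the OS/program directories."""
    parent = e.parent_image.lower()
    return _base(e.image) == "addinprocess32.exe" and not parent.startswith(TRUSTED_PARENT_DIRS)


def shadow_copy_deletion(e: ProcEvent) -> bool:
    """vssadmin wiping restore points, as Babuk does before encrypting."""
    return _base(e.image) == "vssadmin.exe" and re.search(
        r"delete\s+shadows", e.cmdline, re.I) is not None


RULES = {
    "webshell_child": webshell_child,
    "amsi_bypass": amsi_bypass,
    "addinprocess_hollowing": addinprocess_hollowing,
    "shadow_copy_deletion": shadow_copy_deletion,
}


def hunt(events):
    """Map each host to the sorted list of rule names its events triggered."""
    hits = {}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(e.host, set()).add(name)
    return {h: sorted(r) for h, r in hits.items()}


def has_babuk_extension(path: str) -> bool:
    """Babuk appends .babyk after the original extension of each encrypted file."""
    return path.lower().endswith(".babyk")


# Constructed sample telemetry modelled on the chain described above (not real data).
SAMPLE_EVENTS = [
    ProcEvent("EXCH01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4A"),
    ProcEvent("EXCH01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -c \"[Ref].Assembly.GetType("
              "'System.Management.Automation.AmsiUtils').GetField('amsiInitFailed',"
              "'NonPublic,Static').SetValue($null,$true)\""),
    ProcEvent("EXCH01", r"C:\Users\Public\svchost.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              "AddInProcess32.exe /guid:32a91b0f-30cd-4c75-be79-ccbd6345de99 /pid:4120"),
    ProcEvent("EXCH01", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    # Benign control: a developer tool in Program Files hosting a .NET add-in.
    ProcEvent("DEV07", r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              "AddInProcess32.exe /guid:32a91b0f-30cd-4c75-be79-ccbd6345de99 /pid:1"),
]

if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(rules))
```

Any single rule fires on benign activity now and then (developers host add-ins in AddInProcess32, and administrators do run vssadmin); the signal is the co-occurrence of several of them on one host within a short window, which is why hunt() groups matches per host rather than emitting one alert per event.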
Iranian APT Actors
State-sponsored threat actors were also active during November, most notably APT actors sponsored by Iran. These actors targeted a broad range of victims across multiple critical infrastructure sectors in the US, including the transportation sector and the healthcare and public health sector, as well as Australian organizations. They exploited known Microsoft Exchange and Fortinet vulnerabilities to gain access to networks and then conducted follow-on operations such as data exfiltration or encryption, ransomware, and extortion.
- The APT actors first scanned devices on ports 4443, 8443, and 10443 for the Fortinet FortiOS vulnerability CVE-2018-13379, and enumerated devices for the FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591.
- They then exploited a FortiGate appliance to access a web server hosting a victim's domain, and created an account for further malicious activity.
- In a separate intrusion, they exploited a FortiGate appliance to gain access to environmental control networks.
- They operated from a server assigned the IP addresses 91.214.124[.]143 and 162.55.137[.]20 (associated with Iran), and accessed known user accounts from the IP address 154.16.192[.]70 (also associated with Iran).
- The threat actors also leveraged the Microsoft Exchange ProxyShell vulnerability CVE-2021-34473 to gain initial access to systems.
- They may have modified the Task Scheduler [T1053.005]; such modifications can show up as unrecognized scheduled tasks, specifically tasks named SynchronizeTimeZone, GoogleChangeManagement, MicrosoftOutLookUpdater, and OutLookUpdateSchedule.
- They forced BitLocker activation on hosts within victim networks to encrypt data [T1486]. The corresponding ransom notes were either sent to the victim or left on the victim network as a .txt file; they included the ransom demand and contact information.
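For the Fortinet and Task Scheduler tradecraft above, the quickest first pass is an IOC sweep. The following is an added example, not Cymulate's or CISA's code: Python that matches the listed IP addresses in FortiGate-style key=value logs, flags any source that probes two or more of the three ports named above, and checks a `schtasks /query /fo CSV /v` export for the four task names. The log format, the trimmed CSV columns and every sample line are constructed assumptions for this demo; the IP addresses and task names are the ones quoted in the text.

```python
"""IOC sweep for the Iranian APT activity above: the published IP addresses in
FortiGate/VPN logs, probing of the FortiOS ports, and the named scheduled
tasks in a schtasks export.

Added example for this post, not code from Cymulate or CISA. Log formats are
simplified assumptions and every sample line is constructed.
"""
import csv
import io
import re

# Indicators quoted in the text above, with the defanging brackets removed.
IOC_IPS = {"91.214.124.143", "162.55.137.20", "154.16.192.70"}
IOC_TASKS = {"SynchronizeTimeZone", "GoogleChangeManagement",
             "MicrosoftOutLookUpdater", "OutLookUpdateSchedule"}
FORTIOS_PORTS = {4443, 8443, 10443}  # ports the actors scanned for CVE-2018-13379

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse a FortiGate-style key=value syslog line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sweep_log(lines):
    """Return lines touching an IOC IP, and sources that probed 2+ FortiOS ports."""
    ioc_lines, ports_by_src = [], {}
    for line in lines:
        # Refang first so a defanged line in a ticket or report still matches.
        if set(IP_RE.findall(line.replace("[.]", "."))) & IOC_IPS:
            ioc_lines.append(line)
        kv = parse_kv(line)
        src, dport = kv.get("srcip"), kv.get("dstport", "")
        if src and dport.isdigit() and int(dport) in FORTIOS_PORTS:
            ports_by_src.setdefault(src, set()).add(int(dport))
    sweeps = sorted(s for s, p in ports_by_src.items() if len(p) >= 2)
    return {"ioc_ip": ioc_lines, "fortios_port_sweep": sweeps}


def sweep_tasks(csv_text: str):
    """Flag scheduled tasks whose leaf name is on the published list.

    SynchronizeTimeZone is also a stock Windows task under
    \\Microsoft\\Windows\\Time Zone, so each hit carries its full path, its
    action and a flag for the built-in tree; review those before acting.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        full = row["TaskName"]
        leaf = full.rsplit("\\", 1)[-1]
        if leaf in IOC_TASKS:
            hits.append({
                "host": row["HostName"], "task": full, "leaf": leaf,
                "action": row.get("Task To Run", ""),
                "builtin_tree": full.lower().startswith("\\microsoft\\windows\\"),
            })
    return hits


# Constructed FortiGate traffic/event lines (documentation IP ranges plus the IOCs).
SAMPLE_LOG = [
    'date=2021-11-03 time=02:11:09 devname=FG-EDGE type=traffic srcip=154.16.192.70 '
    'srcport=51122 dstip=203.0.113.10 dstport=4443 action=deny',
    'date=2021-11-03 time=02:11:10 devname=FG-EDGE type=traffic srcip=154.16.192.70 '
    'srcport=51123 dstip=203.0.113.10 dstport=8443 action=deny',
    'date=2021-11-03 time=02:11:11 devname=FG-EDGE type=traffic srcip=198.51.100.7 '
    'srcport=40001 dstip=203.0.113.10 dstport=443 action=accept',
    'date=2021-11-03 time=02:11:12 devname=FG-EDGE type=traffic srcip=198.51.100.7 '
    'srcport=40002 dstip=203.0.113.10 dstport=10443 action=deny',
    'date=2021-11-03 time=02:11:13 devname=FG-EDGE type=traffic srcip=198.51.100.7 '
    'srcport=40003 dstip=203.0.113.10 dstport=4443 action=deny',
    'date=2021-11-04 time=09:30:02 devname=FG-EDGE type=event subtype=vpn '
    'action=ssl-login-success user="jdoe" remip=91.214.124.143',
]

# Constructed excerpt in the shape of `schtasks /query /fo CSV /v` (columns trimmed).
SAMPLE_SCHTASKS = r'''"HostName","TaskName","Task To Run","Run As User"
"WEB01","\Microsoft\Windows\Time Zone\SynchronizeTimeZone","%windir%\system32\tzsync.exe","SYSTEM"
"WEB01","\GoogleChangeManagement","C:\Users\Public\gcm.exe","SYSTEM"
"WEB01","\MicrosoftOutLookUpdater","powershell.exe -File C:\Windows\Temp\update.ps1","SYSTEM"
"WEB01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\defrag\defrag.exe","SYSTEM"
'''

if __name__ == "__main__":
    print(sweep_log(SAMPLE_LOG))
    for hit in sweep_tasks(SAMPLE_SCHTASKS):
        print(hit)
```

One caveat the check encodes: SynchronizeTimeZone is also the name of a stock Windows task, so a name match alone is not evidence. The hit carries the full task path and the action so an analyst can tell the built-in task under \Microsoft\Windows\Time Zone from a look-alike at the root of the task library whose action points at a user-writable path.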
To find out whether your organization is protected against the latest malware attacks, run Cymulate's Immediate Threat Assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and offers mitigation suggestions if it turns out that you are vulnerable. IOCs are also available in the Cymulate UI.