eSentire Conti Leaks Analysis

April 05, 2022

Industry: N/A | Level: Tactical | Source: eSentire

eSentire’s Threat Response Unit (TRU) dove into Conti intrusion procedures, sharing detection tactics derived from the group’s 2021 and 2022 data leaks, which contain operation manuals and chat logs. The ransomware group’s chat logs, from the recent February 2022 data leak, often reference the usage of manuals that assist Conti operators in carrying out their operations. The ransomware gang operates with a clear structure, involving a management chain, organized personnel with roles and responsibilities, and training programs. The reference materials help ensure Conti operators initiate their threat activity with consistency and efficiency. Analysis of the tooling identified reliance on many well-known tools and techniques, including AdFind, Cobalt Strike, Mimikatz, PowerView, 7zip, AnyDesk, Rubeus, Rclone and native living-off-the-land binaries (LOLBins).

  • Anvilogic Scenario: ZeroLogon Compromise
  • Anvilogic Use Cases:
    • Adfind Commands
    • Adfind Execution
    • Common Reconnaissance Commands
    • Cobalt Strike Beacon
    • Cobalt Strike style Shell invocation
    • Create/Add Local/Domain User
    • Locate Credentials
    • Mimikatz
    • Modify Group Policy
    • Native Archive Commands
    • Potential Web Shell
    • Registry key added with reg.exe
    • Rclone Execution

Wizard Spider’s Naver Phishing Campaign

March 22, 2022

Industry: N/A | Level: Tactical | Source: Prevailion

Prevailion’s Adversarial Counterintelligence Team (PACT) analyzed a large-scale phishing campaign that took place in late January 2022 with the goal of collecting Naver credentials. Naver, operated in South Korea, provides a variety of services for search, email, news, etc., and is comparable to Google and Yahoo. From investigating the threat campaign’s infrastructure, an overlap was identified with threat group “WIZARD SPIDER [a.k.a. TrickBot] infrastructure.” The infrastructure used is very large; per PACT’s review, “542 unique domains had been identified as part of this malicious cluster of web infrastructure, 532 of which were assessed with high confidence to be part of the ongoing phishing campaign targeting Naver logins; the oldest domain identified by PACT was registered in August of 2021, other registrations are as recent as February of 2022.” A particular phishing domain has a strong association with TrickBot, as the IP used for the Naver phishing campaign was also tied to a Cobalt Strike beacon sample that had been analyzed on VirusTotal. The Cobalt Strike sample was used in a threat campaign that abused CVE-2021-40444 to ultimately deploy Conti ransomware.

  • Anvilogic Use Case: Malicious Document Execution

Threat Group Delivers Cobalt Strike Through AV Updates

March 18, 2022

March 14th, 2022: Threat Group Delivers Cobalt Strike Through AV Updates

Industry: Critical Infrastructure | Level: Strategic | Source: BleepingComputer

The Ukrainian Computer Emergency Response Team alerted users to a phishing campaign impersonating the Ukrainian government. The campaign prompts potential victims to download fraudulent “critical security updates” that ultimately deliver a Cobalt Strike beacon. The alerted activity has been observed by MalwareHunterTeam and is reported by BleepingComputer. The phishing email contains a malicious link that downloads an executable masquerading as “itdefenderWindowsUpdatePackage.exe”; when executed, it displays a prompt about “installing the Windows update package”, but if installed it actually downloads a Cobalt Strike beacon from Discord. Additional backdoors are dropped on the victim host, establishing persistence and conducting reconnaissance and command execution to achieve the threat actor’s objective. The Ukrainian Computer Emergency Response Team attributed this threat activity with medium confidence to the Russian threat group UAC-0056/Lorec53.

CISA Update on Conti Ransomware

March 15, 2022

Industry: N/A | Level: Tactical | Source: CISA

The Cybersecurity & Infrastructure Security Agency (CISA) updated alert AA21-265A, which tracks Conti ransomware, with new indicators of compromise (IOCs) associated with the group. The most prevalent attack vectors the agency warns of for Conti include the use of TrickBot and Cobalt Strike. The Conti group has impacted over 1,000 organizations in the U.S. and internationally. A variety of techniques have been observed from the ransomware group, with initial access typically obtained through phishing emails or stolen accounts. CISA also lists a variety of post-compromise techniques, including RDP brute-force attacks, Kerberos attacks, running discovery commands to enumerate the network, spreading via SMB, stopping services, and deleting shadow copies.

  • Anvilogic Use Cases:
    • RDP Brute-force Detection
    • Kerberos RC4 Encrypted Tickets
    • Common Reconnaissance Commands
    • Windows Share Multiple File Access
    • Service Stop Commands
    • Inhibit System Recovery Commands

BazarLoader Malware Leverages Contact Forms

March 15, 2022

Industry: N/A | Level: Tactical | Source: AbnormalSecurity

Abnormal Security has observed BazarLoader incorporating online contact forms into its communication and distribution tactics. This recent campaign occurred between December 2021 and January 2022, in which threat actors would pose as a prospective customer looking to obtain a product supply quote. As the communication would appear genuine, the targeted company would typically follow up on the inquiry by initiating an email, to which the attacker would respond with a link to download a malicious file via file-sharing services such as TransferNow and WeTransfer. If downloaded, a .iso and a .log file would be dropped on the victim’s workstation. The ISO file is actually a .lnk shortcut file, and the .log file is the malicious BazarLoader DLL. If executed, the shortcut file calls regsvr32.exe to run the disguised DLL, which then performs process injection into svchost.exe. Further analysis of the campaign could not be completed as the command and control (C2) infrastructure was down. The threat actor’s objective is likely to use BazarLoader to deploy Conti ransomware or Cobalt Strike.

  • Anvilogic Use Cases:
    • Symbolic OR Hard File Link Created
    • regsvr32 Execution

APT29/Nobelium Targets Embassies

March 01, 2022

Industry: Government | Level: Tactical | Source: Fortinet

Research from FortiGuard has identified the threat actor group APT29/Nobelium/Cozy Bear targeting embassies, as seen in an observed email impersonating the “Embassy of the Republic of Turkey.” Analysis of the email’s malicious HTML attachment uncovered malicious JavaScript that creates an ISO file, which the user is required to execute. A shortcut pointing to a malicious DLL file is then executed to launch Cobalt Strike. This tactic is likely conducted to monitor activity in embassies in support of Russian operations.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Rundll32 Command Line
    • Suspicious File written to Disk

Cybereason Threat Analysis Report

February 15, 2022

Cybereason’s Global Security Operations Center Team (GSOC) provides a threat analysis report detailing comprehensive attack scenarios from malware loaders IcedID, QBot, and Emotet that lead to compromises with Cobalt Strike.

FIN8 Connection to White Rabbit Ransomware

January 25, 2022

Industry: N/A | Level: Tactical | Source: TrendMicro

The new ransomware White Rabbit has been identified from an attack against a US bank in December 2021. Given its infrastructure and tool usage, it is potentially associated with the FIN8 threat group. There are currently limited details on the attack chain, with only the identification of a PowerShell download through Cobalt Strike shared from TrendMicro’s observed telemetry. A notable trait of White Rabbit’s payload was also found to have similarities with Egregor ransomware, as described by TrendMicro: “One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis.” Current observations find White Rabbit’s targets to be few, and the malware is likely still being tested by threat actors.

  • Anvilogic Use Cases:
    • Invoke-Expression Command
    • Invoke-WebRequest Command
    • Cobalt Strike Beacon

Signed DLL Campaigns / Polyglot

January 18, 2022

Industry: N/A | Level: Operational | Source: Medium

Security researchers Jason Reaves and Joshua Platt shared campaign details associated with ‘polyglotting’ tactics used to help bypass security checks. As found by the researchers, “Recently an actor has begun using a technique of embedding VBScript data at the end of Microsoft signed DLLs in order to GPG decrypt and then detonate payloads.” Recent campaigns have distributed malicious files through illegitimate software installers; the malware distributed includes AterAgent RAT, Zloader, Gozi, and Cobalt Strike. Activity varies, with most samples involving the VBScript altering Windows Defender, invoking a PowerShell download, and modifying the registry, and some issuing shutdown commands.

  • Anvilogic Scenario: Polyglot – Signed DLLs
  • Anvilogic Use Cases:
    • Cscript or Wscript execution
    • Invoke-WebRequest Command
    • Modify Windows Defender