Mandiant Tracks APT29 Phishing Campaigns

May 10, 2022

Industry: Diplomatic, Government | Level: Tactical | Source: Mandiant

Mandiant has identified the Russian state-sponsored threat group APT29 as having launched phishing campaigns against government and diplomatic targets since January 17th, 2022. Geographically, the targets are located in Europe, the Americas, and Asia. The phishing emails were themed as administrative notices and sent through compromised email accounts. The malicious emails contained an HTML dropper that writes either an IMG or an ISO file to disk. When mounted, the image presents an LNK and a DLL file to the victim, and executing the LNK file triggers the infection. Custom malware such as ROOTSAW, BOOMMIC, and BEATDROP was used by the group during initial access and post-compromise to establish a foothold in the environment. Techniques observed within the environment include abusing certificates, modifying registry run keys, creating or modifying scheduled tasks, conducting discovery with native commands, and Kerberoasting. APT29 has demonstrated the ability to move quickly within the environment, typically reaching Domain Admin privileges within 12 hours.

  • Anvilogic Use Cases:
    • Symbolic OR Hard File Link Created
    • Suspicious Certificate Modification
    • Create/Modify Schtasks
    • New AutoRun Registry Key
    • Registry key added with reg.exe
    • WinRM Tools
    • Common Reconnaissance Commands
    • Locate Credentials

Mandiant’s Research of FIN7

April 12, 2022

Industry: Financial Services, Food, Medical, Technology, Transportation, Utilities | Level: Tactical | Source: Mandiant

Mandiant provided updated research tracking the evolution of FIN7 threat activity between late 2021 and early 2022. The threat group has many associations with and overlaps in ransomware operations, including Maze, Darkside, Blackmatter and ALPHV/Blackcat. Mandiant notes that the link between FIN7 and ransomware is identified through “Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time.” A variety of industries are targeted by FIN7, including financial services, food, medical, technology, transportation, and utilities. Activity associated with FIN7 is abundant, and Mandiant has been tracking multiple UNCs (uncategorized threat groups) that appear to be affiliated with FIN7. The threat group has continuously refined its arsenal; for example, its PowerShell backdoor PowerPlant has gone through multiple iterations since 2022 and has been observed more frequently in newer intrusions, in place of older malware such as LOADOUT and/or GRIFFON.

  • Anvilogic Use Cases:
    • Suspicious Executable by CMD.exe
    • Windows Admin$ Share Access
    • Windows Service Created
    • Executable Process from Suspicious Folder
    • Common Reconnaissance Commands
    • RDP Connection
    • RDP Logon/Logoff Event
    • Rundll32 Command Line
    • Create/Add Local/Domain User
    • Query Registry

Mandiant Insight on Russia & Ukraine

March 08, 2022

Mandiant’s review of the conflict between Russia and Ukraine warns of retaliation by Russia against organizations that condemn Russia and/or support Ukraine.

UNC2596 & Cuba Ransomware

March 01, 2022

Industry: Construction Engineering, Education, Energy, Financial, Government, Healthcare, Legal, Manufacturing, Media, Oil, Technology and Transportation | Level: Tactical | Source: Mandiant

Mandiant reports activity from the threat group UNC2596 deploying Cuba/COLDDRAW ransomware by exploiting the Exchange vulnerabilities ProxyShell and ProxyLogon. The threat group has targeted over 10 countries, with 80% of the victim organizations based in North America. Industry targets span many verticals, including construction engineering, education, energy, financial, government, health care, legal, manufacturing, media, oil, technology and transportation. The threat group’s extortion model incorporates a shaming website that has been used against victims since 2021. UNC2596 tactics have included Mimikatz and user account creation for privilege escalation. Reconnaissance has involved a ping sweeping tool and a PowerShell script that uses “Get-ADComputer”. Lateral movement is facilitated with RDP, SMB, and PsExec. UNC2596 completes its operation by collecting, encrypting and exfiltrating data using batch scripts.

  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Potential PHP Webshell
    • Mimikatz
    • Create/Add Local/Domain User
    • Potential Ping Sweep
    • Common Active Directory Commands
    • Remote Admin Tools
    • RDP Hijacking

SEO Poisoning dropping malware

February 08, 2022

Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant Managed Defense has identified a threat campaign distributing BATLOADER malware and malicious installations of the remote management software ATERA by crafting websites themed around freeware and using search engine optimization poisoning to lure victims. The malicious webpages incorporate a Traffic Direction System (TDS) that verifies user attributes to determine whether the visitor should be directed to a malicious or a legitimate page, in order to avoid detection by security researchers. Two different infection chains are utilized. In the BATLOADER chain, users attempting to download the purported software receive an installer that runs native tools such as PowerShell, Msiexec.exe, and Mshta.exe in order to evade detection; a notable DLL file, “AppResolver.dll”, contains a malicious VBScript that is executed with Mshta.exe. In the ATERA chain, an MSI file is dropped to install the ATERA agent. To maintain persistence, the network discovery component of ATERA, Splashtop, is also installed, and scripts are pushed from the agent to tamper with the host by modifying Windows Defender file exclusions and downloading additional payloads. Currently, the activity has not been attributed to a threat actor group; however, there is some overlap in techniques with the Conti playbooks leaked in August 2021.

  • Anvilogic Scenario: Malicious Software Download via MSI
  • Anvilogic Use Cases:
    • MSHTA.exe execution
    • MSIExec Install MSI File
    • Modify Windows Defender

Mandiant – AVADDON Ransomware

January 25, 2022

Industry: N/A | Level: Operational | Source: Mandiant

Mandiant has provided research on AVADDON ransomware, which operated between June 2020 and June 2021, when the group shut down and its private encryption keys were released. The ransomware was advertised initially on Russian-speaking forums and targeted a variety of industry verticals. Nearly all sectors were impacted; however, the highest victim counts were in education, finance, government, healthcare, and technology. Based on the RaaS TTPs, Mandiant has speculated a potential link between AVADDON, BLACKMATTER and SABBATH. Observed TTPs included using initial access brokers for compromised credentials, BLACKCROW and DARKRAVEN as custom web shells, RDP for lateral movement, EMPIRE and POWERSPLOIT for post-exploitation, scheduled tasks for persistence, 7zip for data archival, and MEGAsync for data staging and exfiltration.

  • Anvilogic Scenario: Avaddon Ransomware – Behaviors
  • Anvilogic Use Cases:
    • Potential Web Shell
    • Mimikatz
    • RDP Hijacking
    • Create/Modify Schtasks
    • PowerSploit Get-system.ps1

Nobelium Groups UNC3004 and UNC2652 from Mandiant

December 01, 2021

Industry: Government & Technology | Level: Tactical | Source: Mandiant

Mandiant continues to track activity from Nobelium, specifically the cluster groups UNC3004 and UNC2652. Activities conducted by the groups have involved stealing data relevant to Russian interests. Targets observed by Mandiant included technology solution companies, service providers and resellers. The groups use credentials likely obtained from info-stealer malware or compromised entities, along with a new downloader dubbed “CEELOADER.” Tactics Nobelium has been utilizing include abusing Azure permissions and commands, harvesting mail data from user accounts with application impersonation privileges, abusing MFA push notifications, using many native Windows services for lateral movement, discovery and credential access, collecting data into RAR/7zip archives, and exfiltrating it to Mega cloud storage.

  • Anvilogic Scenario: APT29/Nobelium Behaviors
  • Anvilogic Use Cases:
    • Azure Command Execution on Virtual Machine
    • Task Manager lsass Dump
    • NTDSUtil.exe execution

UNC2190 – Arcane and Sabbath

November 24, 2021

Industry: Critical Infrastructure, Education, Health & Natural Resources | Level: Strategic | Source: Mandiant

Mandiant’s latest research on ransomware affiliates focuses on UNC2190, operating as Arcane and Sabbath (potentially a rebranding to Sabbath). The threat group has been identified targeting critical infrastructure in the United States and Canada, as well as the education, health, and natural resources sectors. The malware of interest, ROLLCOAST/Eruption, was observed to have compromised companies and users. However, since it was first identified, no copy of the code has surfaced; VirusTotal is a source where samples are consistently uploaded, so the absence of any submitted copy of the ransomware for roughly 2 years is relevant. The group uses a multifaceted extortion model, stealing data in bulk and actively destroying backups; victims are then threatened with data leaks unless ransom demands are met. Mandiant has observed six victims being publicly extorted over the span of two days in mid-November. On the tactical side, UNC2190 is known to use Cobalt Strike with a malleable profile; some of its elements include GET requests ending with “kitten.gif” and the use of a TLS certificate signed as “Microsoft IT TLS CA 5.” Known characteristics of the ROLLCOAST ransomware are that it is a DLL file, only detected in memory, and that it conducts a language check, terminating if the system language matches one of 43 different languages.
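As an added defensive example (not part of the Mandiant or Anvilogic material above), the following Python scans constructed proxy and TLS-inspection events for the two UNC2190 Cobalt Strike profile indicators named in this entry; the JSON-lines field names (type, method, url, issuer, subject) are assumptions.

```python
import json
from urllib.parse import urlparse

# Indicators taken from the UNC2190 entry above.
BEACON_URI_SUFFIX = "kitten.gif"
SUSPECT_CERT_NAME = "Microsoft IT TLS CA 5"


def is_beacon_request(event: dict) -> bool:
    """True when an HTTP event is a GET whose URL path ends with kitten.gif."""
    if event.get("method", "").upper() != "GET":
        return False
    path = urlparse(event.get("url", "")).path  # ignore query string
    return path.lower().endswith(BEACON_URI_SUFFIX)


def is_suspect_certificate(event: dict) -> bool:
    """True when a TLS event's issuer or subject carries the suspect CA name.

    The real Microsoft IT TLS CA 5 is a legitimate issuer, so a name match is a
    lead to validate against the chain, not proof of a Beacon certificate.
    """
    names = (event.get("issuer", ""), event.get("subject", ""))
    return any(SUSPECT_CERT_NAME.lower() in n.lower() for n in names)


def scan(log_lines):
    """Return (event, reason) tuples for JSON-lines events matching an indicator."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("type") == "http" and is_beacon_request(ev):
            hits.append((ev, "GET to kitten.gif (malleable C2 profile element)"))
        elif ev.get("type") == "tls" and is_suspect_certificate(ev):
            hits.append((ev, "TLS certificate naming 'Microsoft IT TLS CA 5'"))
    return hits


# Constructed sample events (assumed proxy/TLS-inspection format; not real data).
SAMPLE_LOG = """
{"type":"http","src":"10.0.0.5","method":"GET","url":"https://cdn-example.test/static/kitten.gif"}
{"type":"http","src":"10.0.0.5","method":"GET","url":"https://cdn-example.test/images/logo.png"}
{"type":"http","src":"10.0.0.7","method":"POST","url":"https://cdn-example.test/kitten.gif"}
{"type":"tls","src":"10.0.0.5","dst":"198.51.100.10","issuer":"CN=Microsoft IT TLS CA 5, O=Microsoft Corporation","subject":"CN=cdn-example.test"}
{"type":"tls","src":"10.0.0.9","dst":"198.51.100.20","issuer":"CN=Example Root CA","subject":"CN=mail.example.test"}
"""

if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ev['src']}: {reason}")
```

Correlating both hits on the same source host (10.0.0.5 in the sample) is what raises the finding from a single weak indicator to a credible Beacon lead.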