AvosLocker Infection with Abused Driver

May 10, 2022

Trend Micro observed an AvosLocker infection chain deployed within the US that abused a legitimate Windows driver for defense evasion and to disable security defenses.

RURansom Wiper

March 18, 2022

March 9th, 2022: RURansom Wiper

Industry: N/A | Level: Strategic | Source: TrendMicro

A new wiper associated with the Russia-Ukraine conflict has been discovered. The wiper targets Russia and is named RURansom Wiper. As reported by TrendMicro, the malware was detected between February 26 and March 2, 2022, and is likely still in development, since several different variants have been observed. The "ransom note" embedded in the malware contained the following translated message: "On February 24, President Vladimir Putin declared war on Ukraine…. To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. There is no way to decrypt your files. No payment, only damage. And yes, this is 'peacekeeping' like Vladi Papa does, killing innocent civilians." The malware appears to target only Russian assets: the versions analyzed execute only if the host's software is Russian or its IP address is in Russia. Additionally, the developer of the malware also appears to be developing another malware, dnWipe, which encodes specific files (file extensions: .doc, .docx, .png, .gif, .jpeg, .jpg, .mp4, .txt, .flv, .mp3, .ppt, .pptx, .xls, and .xlsx) in base64.

APT36’s Malware Arsenal

February 01, 2022

APT36’s Malware Arsenal

Industry: N/A | Level: Tactical | Source: TrendMicro

TrendMicro's tracking of APT36/Earth Karkaddan shared research covering January 2020 to September 2021, detailing the threat group's recent campaigns. Crimson RAT (Windows), ObliqueRAT (Windows) and CapraRAT (Android) were the three malware families observed from the group. The threat group uses spear-phishing emails or a USB device for initial access. The phishing emails lure victims with themes involving the government, coronavirus and other topics. Following the execution of a malicious link, file, or document, the RAT is dropped and executed on the system. Follow-on activity varies, as the RATs have numerous capabilities for system reconnaissance, data collection and exfiltration.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • New AutoRun Registry Key

FIN8 Connection to White Rabbit Ransomware

January 25, 2022

FIN8 Connection to White Rabbit Ransomware

Industry: N/A | Level: Tactical | Source: TrendMicro

A new ransomware, White Rabbit, has been identified from an attack against a US bank in December 2021. Given the infrastructure and tool usage, it is potentially associated with the FIN8 threat group. Details of the attack chain are currently limited, with only a PowerShell download through Cobalt Strike identified from TrendMicro's observed telemetry. White Rabbit's payload was also found to share a notable trait with Egregor ransomware, described by TrendMicro: "One of the most notable aspects of White Rabbit's attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis." Current observations find White Rabbit's targets to be few, and the malware is likely still being tested by threat actors.

  • Anvilogic Use Cases:
    • Invoke-Expression Command
    • Invoke-WebRequest Command
    • Cobalt Strike Beacon

Chinese Cyber-Espionage Group Earth Lusca

January 25, 2022

Chinese Cyber-Espionage Group Earth Lusca

Industry: Education, Finance, Gambling, Government, News, Telecommunications and Religion | Level: Operational | Source: TrendMicro

Earth Lusca, an identified Chinese cyber-espionage group, has been conducting covert operations against multiple institutions in a variety of locations of interest to the Chinese government, while also being financially motivated. Its geographic spread is wide, and the following industries have been targeted: education, finance (cryptocurrency), gambling, government, news, telecommunications and religion. According to TrendMicro's research, the group's operations began in mid-2021, targeting service companies with watering hole attacks. Initial access could also be obtained through spear-phishing campaigns or by exploiting public-facing vulnerabilities such as ProxyShell or Oracle vulnerabilities.

  • Anvilogic Scenarios:
    • Earth Lusca – InitialAccess – Behaviors
    • Earth Lusca – PostExploit – Behaviors
  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • MSHTA.exe execution
    • Certutil De-Obfuscate/Decode Files
    • Potential ProxyShell

Squirrelwaffle + ProxyShell and ProxyLogon

November 23, 2021

Squirrelwaffle + ProxyShell & ProxyLogon

Industry: N/A | Level: Tactical | Source: TrendMicro

Trend Micro research shows that the Squirrelwaffle loader, which emerged in September 2021, has likely been using ProxyLogon and ProxyShell exploits to send malicious emails from pre-existing email chains. Threat actors using this email thread hijacking technique were not observed dropping or using tools for lateral movement after gaining access to vulnerable Exchange servers, nor was any malware installed before the malicious email spread across the targeted network. When the victim executes the attached macro-enabled Excel file, a malicious Qbot DLL is downloaded from hardcoded URLs and executed with regsvr32.

  • Anvilogic Scenario: SquirrelWaffle – Behaviors