Tricks from SocGholish and Zloader

May 03, 2022

Cybereason's latest report, which tracks malware activity from SocGholish and Zloader, details the malware's capabilities and infection tactics. SocGholish is named (partially) for its social-engineering tactics: it lures victims into drive-by downloads, often themed as critical browser updates.

MetaStealer Malware

April 19, 2022

A new information-stealing malware, META, has been gaining popularity among cybercriminals. Research from SANS and BleepingComputer reports that the malware is being distributed through malspam campaigns.

Conti Source Code Leak

March 22, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

Conti leaks continue from a Ukrainian security researcher using the Twitter handle @ContiLeaks. The latest leak, provided on VirusTotal on March 20th, 2022, contains the source for "conti v3." BleepingComputer reviewed the uploaded files and identified the code as dated January 25th, 2021, newer than previously leaked code. The code is authentic, as BleepingComputer was able to successfully compile it without issue.

Wizard Spider’s Naver Phishing Campaign

March 22, 2022

Industry: N/A | Level: Tactical | Source: Prevailion

Prevailion's Adversarial Counterintelligence Team (PACT) analyzed a large-scale phishing campaign that took place in late January 2022 with the goal of collecting Naver credentials. Naver, operated in South Korea, provides a variety of services (search, email, news, etc.) and is comparable to Google and Yahoo. Investigation of the campaign's infrastructure identified an overlap with threat group "WIZARD SPIDER [a.k.a. TrickBot] infrastructure." The infrastructure is very large; per PACT's review, "542 unique domains had been identified as part of this malicious cluster of web infrastructure, 532 of which were assessed with high confidence to be part of the ongoing phishing campaign targeting Naver logins; the oldest domain identified by PACT was registered in August of 2021, other registrations are as recent as February of 2022." One phishing domain has a strong association with TrickBot, as the IP used for the Naver phishing campaign was also tied to a Cobalt Strike beacon sample that had been analyzed on VirusTotal. That Cobalt Strike sample was used in a threat campaign that abused CVE-2021-40444 to ultimately deploy Conti ransomware.

  • Anvilogic Use Case: Malicious Document Execution

Malicious Microsoft Exchange IIS Module Owowa

December 21, 2021

Industry: Government & Transportation | Level: Tactical | Source: SecureList

Kaspersky shared intelligence on a malicious implant, dubbed "Owowa," that targets the Outlook Web Access (OWA) application of Exchange servers. The implant enables remote command execution and captures the credentials of users who successfully authenticate through OWA. Owowa was discovered in late 2020 through sample submissions to VirusTotal and through tracking in Kaspersky's telemetry data. Since April 2021 the malware appears to have circulated in parts of Europe, Malaysia, Mongolia, Indonesia, and the Philippines. The malicious add-in module uses the name "ExtenderControlDesigner" and is loaded through a PowerShell script.

  • Anvilogic Use Case: IIS Worker (W3WP) Spawn Command Line
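The use case above rests on process lineage: an implant loaded into the OWA application pool runs its commands as children of the IIS worker, w3wp.exe. The following is an added detection sketch (not Anvilogic's or Kaspersky's code) that classifies constructed, Sysmon-style process-creation events; the child-process lists are assumptions to tune per environment.

```python
"""Detection sketch: IIS worker (w3wp.exe) spawning a command interpreter.

Constructed sample events follow a simplified Sysmon Event ID 1 layout.
"""
from pathlib import PureWindowsPath

# Children that indicate a shell or script host under the IIS worker (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                       "wscript.exe", "cscript.exe", "mshta.exe"}
# ASP.NET compiles pages via csc.exe/vbc.exe and conhost accompanies console
# children, so these are assumed benign; tune per environment.
EXPECTED_CHILDREN = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()


def classify(event: dict) -> str:
    """Return 'alert', 'expected', 'review' or 'ignore' for one process-creation event."""
    if _basename(event.get("ParentImage", "")) != "w3wp.exe":
        return "ignore"
    child = _basename(event.get("Image", ""))
    if child in SUSPICIOUS_CHILDREN:
        return "alert"
    if child in EXPECTED_CHILDREN:
        return "expected"
    return "review"  # unknown child of w3wp.exe: lower priority, still worth a look


def find_alerts(events):
    """Return (pid, child name, command line) for every event classified 'alert'."""
    return [(e["ProcessId"], _basename(e["Image"]), e.get("CommandLine", ""))
            for e in events if classify(e) == "alert"]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths"},
    {"ProcessId": 5200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT: w3wp.exe spawned", *hit)
```

Grandchild chains (w3wp.exe to cmd.exe to powershell.exe) surface here through the first hop, since cmd.exe itself is flagged.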

UNC2190 – Arcane and Sabbath

November 24, 2021

Industry: Critical Infrastructure, Education, Health & Natural Res. | Level: Strategic | Source: Mandiant

Mandiant's latest research on ransomware affiliates focuses on UNC2190, which operates as Arcane and Sabbath (potentially a rebranding to Sabbath). The threat group targets critical infrastructure organizations in the United States and Canada, as well as the education, health, and natural resources sectors. The malware of interest, ROLLCOAST/Eruption, was observed to have compromised companies and users; however, since it was identified no evidence of the code has been found. VirusTotal is a source to which people consistently upload samples, so not being able to obtain a copy of the ransomware for review for roughly two years now is notable. The group uses a multifaceted extortion model, stealing data in bulk and actively destroying backups; victims are then threatened with data leaks unless ransom demands are met. Mandiant observed six victims being publicly extorted over the span of two days in mid-November. On the tactical side, UNC2190 is known to use Cobalt Strike with a malleable profile; elements include GET requests ending with "kitten.gif" and the use of a signed TLS certificate "Microsoft IT TLS CA 5." Known elements of the ROLLCOAST ransomware are that it is a DLL file, detected only in memory, and that it performs a language check, terminating if the system language matches one of 43 languages.
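The two malleable-profile traits reported above (a GET URI ending in "kitten.gif" and a certificate naming "Microsoft IT TLS CA 5") can be scored together per destination host. This is an added example, not Mandiant's code; it assumes a tab-separated proxy record layout and assumes that legitimate use of that issuer name is confined to Microsoft-owned hosts, an allowlist to tune.

```python
"""Detection sketch: UNC2190 Cobalt Strike malleable-profile traits in proxy logs.

Assumed record layout (tab-separated): ts, src_ip, dst_host, method, uri, cert_issuer.
"""
from collections import defaultdict
from urllib.parse import urlsplit

FIELDS = ("ts", "src_ip", "dst_host", "method", "uri", "cert_issuer")
# Hosts where the issuer name is expected (assumed allowlist; tune per environment).
MS_HOST_SUFFIXES = (".microsoft.com", ".windows.com", ".microsoftonline.com")


def parse(line: str) -> dict:
    """Split one record into a field dict."""
    return dict(zip(FIELDS, line.rstrip("\n").split("\t")))


def indicators(rec: dict) -> set:
    """Return the set of profile traits one record exhibits."""
    hits = set()
    if rec["method"] == "GET" and urlsplit(rec["uri"]).path.endswith("kitten.gif"):
        hits.add("uri_kitten_gif")
    issuer = rec["cert_issuer"].removeprefix("CN=").strip().lower()
    if issuer == "microsoft it tls ca 5" and not rec["dst_host"].endswith(MS_HOST_SUFFIXES):
        hits.add("ms_issuer_on_non_ms_host")
    return hits


def score_hosts(lines) -> dict:
    """Aggregate traits per destination; both traits on one host => 'high'."""
    traits = defaultdict(set)
    for line in lines:
        rec = parse(line)
        traits[rec["dst_host"]] |= indicators(rec)
    return {h: ("high" if len(t) >= 2 else "low") for h, t in traits.items() if t}


# Constructed sample records (not real traffic; hosts use the reserved .invalid TLD).
SAMPLE_LOG = [
    "2021-11-15T10:00:01Z\t10.0.0.5\tcdn-assets.example.invalid\tGET\t/img/kitten.gif\tCN=Microsoft IT TLS CA 5",
    "2021-11-15T10:00:07Z\t10.0.0.5\tcdn-assets.example.invalid\tPOST\t/submit.php\tCN=Microsoft IT TLS CA 5",
    "2021-11-15T10:01:00Z\t10.0.0.9\twww.microsoft.com\tGET\t/favicon.ico\tCN=Microsoft IT TLS CA 5",
    "2021-11-15T10:02:00Z\t10.0.0.7\tblog.example.invalid\tGET\t/cats/kitten.gif\tCN=Let's Encrypt R3",
]

if __name__ == "__main__":
    for host, level in score_hosts(SAMPLE_LOG).items():
        print(f"{level:5} {host}")
```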