Conti Shuts Down
AdvIntel intelligence well-known for tracking Conti activity has discovered the shutdown of Conti ransom operations, as critical ransom features were identified to have been removed from the infamous Conti News blog.
Red Canary has published details of the Gootloader malware, which it tracks separately from the Gootkit malware. Red Canary lays out the infection chain; the malware appears regularly in the firm’s monthly intelligence insights and its 2021 Threat Detection Report, indicating its popularity among cybercriminals.
Cybereason has been analyzing Quantum ransomware, a rebrand of a lineage of ransomware that began with Mount Locker (September 2020) and continued as Astro Locker (March 2021) and Xing Locker (May 2021).
As reported by The Record, a series of ransomware attacks has targeted oil and chemical suppliers in Belgium, the Netherlands and Germany. While the attacks have not been confirmed as linked, European officials investigating the matter have associated them with the BlackCat and Conti ransomware groups.
Koxic Ransomware
Industry: N/A | Level: Tactical | Source: Cyble
Cyble Research Labs provides a deep-dive analysis of Koxic ransomware. During execution, the sample collects system information and modifies registry keys to assist with lateral movement and to tamper with system defenses such as Windows Defender and anti-virus. Any running security applications are terminated and shadow copies are deleted. Prior to encryption, sensitive information is collected and written to a file in TEMP. Once the desired data is collected, it is exfiltrated to the attacker, and the ransom note is distributed to victim hosts in the environment. Encrypted files are given the extension “KOXIC_KLIBD.”
SEO Poisoning dropping malware
Mandiant Managed Defense has identified a threat campaign that distributes BATLOADER malware and malicious installations of the ATERA remote management software by building websites themed around freeware and using search engine optimization poisoning to lure victims. The malicious webpages incorporate a Traffic Direction System (TDS) that checks visitor attributes to decide whether to send the visitor to a malicious or a legitimate page, in order to avoid detection by security researchers. Two different infection chains are used. In the BATLOADER chain, users attempting to download the advertised software receive an installer that runs native tools such as PowerShell, Msiexec.exe and Mshta.exe in order to evade detection; a notable DLL file, “AppResolver.dll”, contains a malicious VBScript that is executed with Mshta.exe. In the ATERA chain, an MSI file is dropped to install the ATERA agent. To maintain persistence, ATERA’s network discovery component, Splashtop, is also installed, and scripts are pushed from the agent to tamper with the host by modifying Windows Defender file exclusions and downloading additional payloads. The activity has not been attributed to a known threat actor group, although there is some overlap in techniques with the Conti playbooks leaked in August 2021.
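As an added illustration (not part of this digest or of the Cyble or Mandiant reports), the following Python sketch flags three behaviours named in the Koxic and BATLOADER entries above, shadow copy deletion, Windows Defender exclusion changes and Mshta.exe executing non-HTA content, over constructed process-creation records; the record format, rule names and sample command lines are this example’s own assumptions.

```python
import re
from typing import Dict, List

# Each rule is (technique label, process image basename, regex over the command line).
# Rules assume Sysmon/4688-style process-creation records; the labels are this example's own.
RULES = [
    ("shadow_copy_deletion", "vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", "wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I)),
    ("defender_exclusion", "powershell.exe", re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion", re.I)),
    # mshta.exe launched with an argument that is not a .hta file (e.g. a DLL carrying VBScript).
    ("mshta_non_hta_payload", "mshta.exe", re.compile(r"^\s*\S*mshta\.exe\s+(?!.*\.hta\b)\S", re.I)),
]

# Constructed sample events (not from any real incident): "parent|image|command_line".
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\Public\AppResolver.dll",
    r"cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"cmd.exe|C:\Windows\System32\powershell.exe|powershell.exe -Command Add-MpPreference -ExclusionPath C:\ProgramData",
    r"svchost.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
    r"explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\Tools\installer.hta",
    r"explorer.exe|C:\Windows\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'parent|image|command_line' record into normalised fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.strip(), "image": image.strip().lower(), "cmdline": cmdline.strip()}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the technique labels whose rule matches this event, without duplicates."""
    basename = event["image"].rsplit("\\", 1)[-1]
    hits: List[str] = []
    for label, image, pattern in RULES:
        if basename == image and pattern.search(event["cmdline"]) and label not in hits:
            hits.append(label)
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each technique label to the command lines that triggered it."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        for label in classify(event):
            findings.setdefault(label, []).append(event["cmdline"])
    return findings


if __name__ == "__main__":
    for label, cmdlines in scan(SAMPLE_EVENTS).items():
        print(label, "->", cmdlines)
```

Benign lookalikes (listing shadow copies, running a genuine .hta) are left unflagged so the rules can be tuned against normal administrative activity.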
MuddyWater APT Group
Industry: N/A | Level: Tactical | Source: Cisco Talos
Cisco Talos has published research on the latest activity of the Iranian APT group MuddyWater, which has been attributed to Iran’s Ministry of Intelligence and Security (MOIS). The group has been targeting users in Turkey with malicious PDFs, Office documents and Windows executables to establish initial access. As with many threat actors, living-off-the-land binaries (LoLBins) are leveraged to evade detection, with prominent use of VBS scripts and DLLs. Upon execution of the malicious document, persistence is established through registry key modifications, and the group has incorporated canarytokens into its attack scheme. In the VBA code, HTTP requests are made to canarytokens[.]com, which notifies the token’s owner when an “object was opened.” The tokens can serve several purposes in the attack, such as tracking code execution, acting as an anti-analysis “timing check,” and gating delivery: “the server that hosts the final payload may only deliver if it first receives two almost simultaneous requests to the token.”
Phosphorus/APT32 New PowerLess Trojan
Iranian group, Phosphorus/APT35/
Antlion APT Group
Industry: Financial & Manufacturing | Level: Tactical | Source: Symantec
Symantec reports on threat activity from Antlion, a Chinese state-backed APT group. For the past 18 months, the group has been actively targeting Taiwanese financial institutions. Its operations involve long dwell times: in a recent attack on a financial organization the group spent approximately 250 days on the network, and in another attack on a manufacturing organization it was observed for 175 days. The group leverages a custom backdoor, xPack. In a case study, the group was observed running various commands (for example via WMI), exploiting EternalBlue, gathering credentials from the registry, running PsExec and archiving collected data. There are unexplained gaps in the activity, further emphasizing the group’s slow, methodical pace.
In-depth research by Palo Alto Networks Unit 42 and the Microsoft Threat Intelligence Center (MSTIC) found that the threat group Gamaredon/ACTINIUM has been actively targeting organizations in Ukraine.
Global Affairs Canada Cyberattack
Industry: Government | Level: Strategic | Source: BleepingComputer
Global Affairs Canada (GAC) detected a cyberattack on January 19th, 2022, resulting in network disruptions. The attack was successfully mitigated and critical services remain available; however, some online services are not, as recovery efforts are still in progress. GAC manages foreign and consular relations for the Canadian government, and the current review of the incident has not identified any impact on other government departments.
US Bans “China Unicom Americas”
On January 27th, 2002, the United States Federal Communications Commission (FCC) issued an order for China Unicom Americas to cease its services in the US within 60 days. The decision to revoke the China Unicom subsidiary’s license was attributed to security concerns. In the FCC’s statement, “The Order finds that China Unicom Americas’ ownership and control by the Chinese government raise significant national security and law enforcement risks by providing opportunities for China Unicom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.”
In an effort to improve the defense of US critical infrastructure, the US government and the Environmental Protection Agency (EPA) are initiating a new “action plan” focused on securing the water sector.