AdvIntel, well known for tracking Conti activity, has observed the shutdown of Conti's ransom operations: critical ransom features were found to have been removed from the infamous Conti News blog.
The Anvilogic Threat Reports
Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings, as well as run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise using a given vulnerability.
- Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
- Strategic: General information security news, for awareness
About the Team
The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.
Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.
We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:
- Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
- Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
- Reports hot off the forge:
- Threat News Reports
- Trending Threat Reports
- Research Articles
Red Canary has provided details of the Gootloader malware, which it tracks separately from the Gootkit malware. Red Canary lays out the infection chain, noting that the malware appears regularly in the firm's monthly intelligence insights and its 2021 Threat Detection Report, which indicates its popularity amongst cybercriminals.
Cybereason has been analyzing Quantum ransomware, a rebrand of various ransomware starting with Mount Locker (September 2020) to Astro Locker (March 2021) and Xing Locker (May 2021).
As reported by The Record, a series of ransomware attacks has been targeting oil and chemical suppliers in Belgium, the Netherlands and Germany. While the attacks have not been identified as linked, European officials investigating the matter have associated them with the BlackCat and Conti ransomware groups.
Koxic Ransomware
Industry: N/A | Level: Tactical | Source: Cyble
Research from Cyble Research Labs provides a deep-dive analysis of Koxic ransomware. During execution, the sample collects system information and modifies registry keys to assist with lateral movement and to tamper with system defenses such as Windows Defender and anti-virus. Any running security applications are terminated and shadow copies are deleted. Prior to encryption, sensitive information is collected and written to a file in the TEMP directory. Once the desired data is collected, it is exfiltrated to the attacker and the ransom note is distributed to victim hosts in the environment. Encrypted files are appended with the extension “KOXIC_KLIBD.”
SEO Poisoning dropping malware
Industry: N/A | Level: Tactical | Source: Mandiant
Mandiant Managed Defense has identified a threat campaign distributing BATLOADER malware and malicious installations of the ATERA remote management software. The operators build websites themed around free software and use search engine optimization poisoning to lure victims. The malicious webpages incorporate a Traffic Direction System (TDS) that checks visitor attributes to decide whether to direct the visitor to a malicious or a legitimate page, in order to avoid detection by security researchers. Two different infection chains are used. In the BATLOADER chain, users attempting to download the advertised software receive an installer that runs native tools such as PowerShell, Msiexec.exe and Mshta.exe in order to evade detection; a notable DLL file, “AppResolver.dll”, contains a malicious VBScript that is executed with Mshta.exe. In the ATERA chain, an MSI file is dropped to install the ATERA agent. To maintain persistence, ATERA’s network discovery component, Splashtop, is also installed, and scripts are pushed from the agent to tamper with the host by modifying Windows Defender file exclusions and downloading additional payloads. Currently the activity has not been attributed to a threat actor group; however, there is some overlap in techniques with the Conti playbooks leaked in August 2021.
- Anvilogic Scenario: Malicious Software Download via MSI
- Anvilogic Use Cases:
- MSHTA.exe execution
- MSIExec Install MSI File
- Modify Windows Defender
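Detection logic for the behaviours described in the Koxic and BATLOADER write-ups above, as an added example and not Anvilogic's own use-case logic (whose exact rules are not on this page); the process-creation events, the parent process names and the user-writable-path heuristic are constructed assumptions for illustration:

```python
import re

# Constructed sample process-creation events (hypothetical; not from the reports above).
# Fields mirror what an EDR/Sysmon event would carry: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\AppData\Local\Temp\free_tool_setup.msi /qn"},
    {"parent": "msiexec.exe", "image": "mshta.exe",
     "cmdline": r"mshta.exe C:\Users\bob\AppData\Local\Temp\AppResolver.dll"},
    {"parent": "AteraAgent.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -nop -c "Add-MpPreference -ExclusionPath C:\\ProgramData"'},
    {"parent": "koxic_sample.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Program Files\Vendor\update.msi" /qn'},
]

# Paths a standard user can write to; MSI/HTA content launched from here is the
# SEO-poisoning pattern, while a vendor install from Program Files is left alone.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\", re.I)
DEFENDER_TAMPER = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)


def classify(event):
    """Return the names of the behaviours an event matches (empty list if none)."""
    image = event["image"].lower()
    cmd = event["cmdline"]
    hits = []
    # mshta.exe normally runs .hta files; a .dll (as with AppResolver.dll) or any
    # script launched from a user-writable folder is the BATLOADER pattern.
    if image == "mshta.exe" and (USER_WRITABLE.search(cmd) or not cmd.lower().endswith(".hta")):
        hits.append("MSHTA.exe execution")
    # Silent MSI install (/i) from a user-writable folder.
    if image == "msiexec.exe" and re.search(r"\s/i\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("MSIExec Install MSI File")
    # Scripts pushed through the RMM agent that add Defender exclusions.
    if image in ("powershell.exe", "pwsh.exe") and DEFENDER_TAMPER.search(cmd):
        hits.append("Modify Windows Defender")
    # Shadow-copy deletion, seen before Koxic encrypts.
    if image == "vssadmin.exe" and re.search(r"delete\s+shadows", cmd, re.I):
        hits.append("Shadow copy deletion")
    return hits


def triage(events):
    """Keep only matching events, with the parent image for context (an RMM parent is notable)."""
    return [(e["parent"], e["image"], classify(e)) for e in events if classify(e)]
```

The parent image is carried through because a Defender exclusion added by a process spawned from the RMM agent is the specific chain the Mandiant write-up describes.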
MuddyWater APT Group
Industry: N/A | Level: Tactical | Source: CiscoTalos
Cisco Talos has published research on the latest activity of the Iranian APT group MuddyWater, which has been attributed to Iran’s Ministry of Intelligence and Security (MOIS). The group has been targeting users in Turkey with malicious PDFs, Office documents and Windows executables to establish initial access. As with most threat actors, living-off-the-land binaries (LoLBins) are leveraged to evade detection, with prominent use of VBS scripts and DLLs. Upon execution of the malicious document, persistence is established through registry key modifications, and the group has incorporated canarytokens into its attack scheme. In the VBA code, HTTP requests are made to canarytokens[.]com, which notifies the token’s owner when an “object was opened.” The tokens can serve several purposes in the attack, such as tracking code execution, acting as an anti-analysis “timing check,” and gating payload delivery: “the server that hosts the final payload may only deliver if it first receives two almost simultaneous requests to the token.”
Phosphorus/APT35 New PowerLess Trojan
Industry: N/A | Level: Tactical | Source: Cybereason
Iranian group, Phosphorus/APT35/
- Anvilogic Use Cases:
- Executable Process from Suspicious Folder
- Suspicious Powershell
- Potential CVE-2021-44228 – Log4Shell
Antlion APT Group
Industry: Financial & Manufacturing | Level: Tactical | Source: Symantec
Symantec reports threat activity from Antlion, a Chinese state-backed APT group. For the past 18 months the group has been actively targeting Taiwanese financial institutions, and its operations involve long dwell times: in recent cases the group spent approximately 250 days in a financial organization’s network and 175 days in a manufacturing organization’s. The group leverages a custom backdoor, xPack. In a case study, the group was observed running various commands (for example via WMI), exploiting EternalBlue, gathering credentials from the registry, running PsExec and archiving collected data. There are unexplained gaps in the activity, which further emphasizes the group’s slow, methodical pace.
In-depth research by Palo Alto Networks Unit 42 and the Microsoft Threat Intelligence Center (MSTIC) found that the threat group Gamaredon/ACTINIUM has been actively targeting organizations in Ukraine.
Global Affairs Canada Cyberattack
Industry: Government | Level: Strategic | Source: BleepingComputer
Global Affairs Canada (GAC) detected a cyberattack on January 19th, 2022, resulting in network disruptions. The attack was successfully mitigated and critical services remain available; however, some online services are still down as recovery efforts continue. GAC manages foreign and consular relations for the Canadian government, and the current review of the incident has not identified any impact on other government departments.
US Bans “China Unicom Americas”
Industry: Telecommunications | Level: Strategic | Source: BleepingComputer
On January 27th, 2022, the United States Federal Communications Commission (FCC) issued an order for China Unicom Americas to cease its services in the US within 60 days. The decision to revoke the China Unicom subsidiary’s license was attributed to security concerns. In the FCC’s statement: “The Order finds that China Unicom Americas’ ownership and control by the Chinese government raise significant national security and law enforcement risks by providing opportunities for China Unicom Americas, its parent entities, and the Chinese government to access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States.”
In an effort to improve the defense of US critical infrastructure, the US government and the Environmental Protection Agency (EPA) are initiating a new “action plan” focused on securing the water sector.