Conti Shuts Down
AdvIntel intelligence well-known for tracking Conti activity has discovered the shutdown of Conti ransom operations, as critical ransom features were identified to have been removed from the infamous Conti News blog.
Red Canary has provided details of the Gootloader malware, which it tracks separately from the Gootkit malware. Red Canary offers an infection chain because the malware is frequently reported in the security firm’s monthly intelligence insights and its 2021 Threat Detection Report, indicating the malware’s popularity among cybercriminals.
Cybereason has been analyzing Quantum ransomware, a rebrand of a ransomware lineage that began with Mount Locker (September 2020) and continued as Astro Locker (March 2021) and Xing Locker (May 2021).
RATDispenser a JavaScript Based Loader
HP Threat Research shared findings on an evasive JavaScript loader designated “RATDispenser.” Its goal is to establish initial access and distribute additional malware. Several malware families have been observed being distributed by it: RemcosRAT, STRRAT, GuLoader, Ratty, AdWind, Panda Stealer, Formbook, and WSHRAT, with STRRAT and WSHRAT accounting for the majority at 81% of the samples analyzed. Given the variety of malware delivered, it is suggested the dispenser is operated under a malware-as-a-service model. The infection chain is summarized as a malicious email containing a .js file; its execution triggers wscript and cmd to set up a VBScript, which downloads the malware payload and executes it.
PowerShortShell
Research from SafeBreach Labs investigated activity from an Iranian threat actor utilizing the MSHTML vulnerability CVE-2021-40444, along with a PowerShell information stealer script designated “PowerShortShell.” The PowerShell script is named for its short 153 lines of code, which collect and provide crucial information about the victim’s environment to the adversary. The collected information includes screen captures, Telegram files, and documents. The described attack chain involves a malicious email and Word document, and a DLL dropped to the %temp% directory that downloads and executes PowerShortShell.
WIRTE Group
The WIRTE group has been conducting campaigns utilizing malicious Excel 4.0 macros targeting high-profile public and private entities, Kaspersky research recently shared. While the attacks focus on entities in the Middle East, researchers are reporting impacts in other regions as well. The WIRTE group utilizes living-off-the-land (LotL) techniques to evade detection, and Kaspersky attributes the WIRTE group with low confidence to the Gaza Cybergang threat actor. An observed attack chain involves a phishing campaign to distribute the malicious document. Once run, a VBS script writes an embedded PowerShell command and creates persistence in the registry. LitePower, a PowerShell implant, acts as the downloader and second stage, communicating with the C2 to download or deploy additional malware.
APT37 and APT37 Malware
The North Korean nation-state sponsored group APT37/ScarCruft/Temp.Reaper has been identified by Kaspersky as targeting South Korean journalists, defectors, and human rights activists. The group utilized the Chinotto malware, distributed through watering holes, spear-phishing emails, and smishing attacks. A news organization had data stolen, and evidence showed the attackers had access to its environment for several months. Versions of the malware were observed for PowerShell, Windows, and Android, with similar HTTP-based command and control schemes. Additional observed malware capabilities include modifying registry keys (specifically enabling trust access for VBA), registering a PowerShell command in the Run registry key for persistence that executes an HTA file with mshta, and collecting files staged in a bat folder.
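A defender’s view of the behaviours described in the RATDispenser and APT37 items above, as an added example that is not from the original report or from the researchers’ tooling: a small Python detection pass over constructed Sysmon-style events, flagging a script host spawning a shell, the VBA trust-access registry change, and a Run-key entry invoking powershell/mshta. The registry paths, file names and event layout in the sample data are constructed for illustration.

```python
import re

# Constructed Sysmon-style events (sample data, not taken from the report).
SAMPLE_EVENTS = [
    {"type": "process", "parent": "wscript.exe", "image": "cmd.exe",
     "cmdline": r"cmd.exe /c cscript //nologo C:\Users\Public\stage.vbs"},
    {"type": "registry", "data": "1",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\AccessVBOM"},
    {"type": "registry", "data": r'powershell -w hidden -c "mshta C:\Users\Public\a.hta"',
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "parent": "explorer.exe", "image": "winword.exe",
     "cmdline": "winword.exe report.docx"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
LOLBIN = re.compile(r"\b(mshta|powershell)\b", re.IGNORECASE)


def classify(event):
    """Return the rule names one event triggers (empty list if nothing matches)."""
    hits = []
    if event["type"] == "process":
        # RATDispenser chain: .js run by wscript, which then launches cmd.
        if event["parent"].lower() in SCRIPT_HOSTS and event["image"].lower() in SHELLS:
            hits.append("script_host_spawns_shell")
    elif event["type"] == "registry":
        key = event["key"]
        # APT37: AccessVBOM=1 grants macros programmatic access to the VBA project.
        if key.lower().endswith("\\accessvbom") and event["data"] == "1":
            hits.append("vba_trust_access_enabled")
        # APT37: Run key value that launches powershell/mshta for persistence.
        if RUN_KEY.search(key) and LOLBIN.search(event["data"]):
            hits.append("run_key_lolbin_persistence")
    return hits


def detect(events):
    """Run every event through classify() and return (index, rule) pairs."""
    return [(i, rule) for i, e in enumerate(events) for rule in classify(e)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```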
Prodaft Researchers Identify a Conti Server
Industry: N/A | Level: Strategic | Source: TheRecord
Researchers at Prodaft were able to identify an exposed server associated with the Conti ransomware gang. The server hosts the payment and recovery site that victims visit to negotiate ransom payments. Researchers were able to maintain access to the server for several weeks, observing network traffic connecting to it. The traffic was largely victim IP addresses, but SSH traffic that was observed likely came from the ransomware operators. Unfortunately, the SSH IP addresses were associated with Tor exit nodes. When Prodaft published its report on this activity, the ransomware gang was immediately aware and took the server offline.
Vestas Wind Systems Impacted by Cyberattack
Vestas Wind Systems, a wind turbine manufacturer, suffered a cyberattack on Friday, November 19th, 2021. The latest company update, as of November 22nd, indicated they were still working to bring systems back online with investigations still ongoing. Preliminary findings reported by the company identified impacts to Vestas’ internal IT infrastructure and, at this stage, no indication that the incident impacted third-party, customer, or supply chain operations.
GoDaddy Data Breach
Hackers gained access to GoDaddy’s WordPress hosting environment in a data breach affecting up to 1.2 million customers. While GoDaddy identified the unauthorized activity on Wednesday, November 17th, its review found the hackers had been in the systems since at least September 6th, 2021. A compromised password was used by the hackers. Impacted data included customer numbers and email addresses, WordPress admin passwords, sFTP and database usernames and passwords (for active customers), and, for several customers, their SSL private key.
CVE-2021-41379 Patch Bypass = InstallerFileTakeOver
Security researcher Abdelhamid Naceri was able to bypass the fix Microsoft intended to patch the vulnerability tracked as CVE-2021-41379 as part of the November 2021 patch cycle. The exploit is tracked under the name InstallerFileTakeOver. It affects all supported versions of Windows, including Windows 10, 11 and Windows Server 2022, enabling a user to obtain admin-level privileges. BleepingComputer validated the ease of use of the exploit: “tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.”
Memento Team, Ransomware Gang
The ransomware gang Memento Team was observed by Sophos to have switched to password-protected WinRAR archives in place of encryption after the group’s initial Python 3.9 encryptor script was stopped by endpoint protection. The group was active in the victim’s network for a long time, with a six-month dwell time from initial access in April 2021, which was gained by exploiting CVE-2021-21972, a vCenter vulnerability. During the threat actor’s time on the compromised network, they also deployed two coin-miners, XMR on May 18th and XMRig on September 8th, before the victim’s files were locked in password-protected archives in October.
Red Canary Intelligence Insights from October 2021
Industry: N/A | Level: Tactical | Source: RedCanary
Intelligence insights from October 2021, provided by Red Canary, show Mimikatz, the Yellow Cockatoo/Jupyter infostealer, and TA551 as the top three of the five threats tracked since August. Notable rises into the top ten threats are Qbot and WannaCry.