The Anvilogic Threat Reports

Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks: each report helps your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can identify a successful payload delivery and compromise via the reported vulnerability.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness
About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles
Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform

RATDispenser a JavaScript Based Loader

November 24, 2021

Industry: N/A | Level: Tactical | Source: HP – ThreatResearch

HP Threat Research shared findings on an evasive JavaScript loader designated “RATDispenser.” Its goal is to establish initial access and distribute additional malware. Several malware families have been observed being distributed by it: RemcosRAT, STRRAT, GuLoader, Ratty, AdWind, Panda Stealer, Formbook, and WSHRAT, with STRRAT and WSHRAT accounting for the majority (81%) of the samples analyzed. Given the variety of malware delivered, the dispenser is likely operated under a malware-as-a-service model. The infection chain begins with a malicious email carrying a .js file; executing it launches wscript and cmd to write a VBScript, which downloads the malware payload and executes it.

  • Anvilogic Scenario: RATDispenser – JavaScript Loader Behaviors

PowerShortShell

November 24, 2021

Industry: N/A | Level: Tactical | Source: SafeBreach

Research from SafeBreach Labs investigated activity from an Iranian threat actor utilizing the MSHTML vulnerability CVE-2021-40444, along with a PowerShell information stealer script designated “PowerShortShell.” The script is named for its short length of 153 lines of code, which collect and send crucial information about the victim’s environment to the adversary. The collected information includes screen captures, Telegram files, and documents. The described attack chain involves a malicious email with a Word document and a DLL dropped to the %temp% directory that downloads and executes PowerShortShell.

WIRTE Group

November 24, 2021

Industry: Financial, Government, Law, Military and Technology | Level: Operational | Source: SecureList

The WIRTE group has been conducting campaigns utilizing malicious Excel 4.0 macros, targeting high-profile public and private entities, Kaspersky research recently shared. While the attacks concentrate on entities in the Middle East, researchers are reporting impacts in other regions as well. The WIRTE group utilizes living-off-the-land (LotL) techniques to evade detection, and Kaspersky attributes the group, with low confidence, to the Gaza Cybergang threat actor. An observed attack chain starts with a phishing campaign that distributes the malicious document. Once run, a VBS script writes an embedded PowerShell command and creates persistence in the registry. LitePower, a PowerShell implant, acts as the downloader and second stage, communicating with the C2 to download or deploy additional malware.

  • Anvilogic Scenario: WIRTE’s LotL campaign
  • Anvilogic Use Cases:
    • Wscript/Cscript Execution
    • Add DLL/EXE Registry Value
    • Registry key added with reg.exe
    • Create/Modify Schtasks

APT37 and Chinotto Malware

November 24, 2021

Industry: Media & Nonprofit | Level: Tactical | Source: SecureList

North Korean nation-state sponsored group APT37/ScarCruft/Temp.Reaper has been identified by Kaspersky targeting South Korean journalists, defectors, and human rights activists. The group used the Chinotto malware, distributed through watering holes, spear-phishing emails, and smishing attacks. A news organization had data stolen, and evidence showed the attackers had access to its environment for several months. Malware versions were observed for PowerShell, Windows, and Android, with similar HTTP-based command and control schemes. Additional observed capabilities include modifying registry keys (specifically enabling trust access for VBA), registering a PowerShell command in the Run registry key for persistence that executes an HTA file with mshta, and collecting files staged in a bat folder.

  • Anvilogic Scenario: APT37 & “Chinotto” Malware
  • Anvilogic Use Cases:
    • Query Registry
    • New AutoRun Registry Key
    • MSHTA.exe execution
    • Data Staged to File
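The RATDispenser, WIRTE and APT37 entries above all describe the same kind of living-off-the-land chain: a script host spawning a shell, a Run key written with reg.exe, a scheduled task, and mshta execution. The following Python is an added example (not Anvilogic’s detection content and not from any of the cited reports) of how such atomic threat identifiers can be run over process-creation telemetry and then correlated per host into a sequence-based scenario, mirroring the identifier/scenario split described under "Our Craft". The event shape, hostnames, users, paths and timestamps are constructed for the example.

```python
"""Toy detection pipeline: atomic 'threat identifiers' over process-creation
events, plus a 'threat scenario' that correlates them per host.

Constructed example; the event fields imitate a Sysmon Event ID 1 / EDR
process-creation record (an assumed shape, not a specific product's schema)."""
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry as JSON lines. Hosts, users, paths and times are
# made up; the command lines only illustrate the behaviours described in the
# RATDispenser, WIRTE and APT37 reports. WS02/WS03 are benign control events.
SAMPLE_EVENTS = r"""
{"ts": "2021-11-22T09:01:00Z", "host": "WS01", "user": "alice", "parent": "C:\\Windows\\System32\\wscript.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c cscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\stage.vbs"}
{"ts": "2021-11-22T09:01:05Z", "host": "WS01", "user": "alice", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d \"mshta.exe C:\\Users\\alice\\AppData\\Roaming\\u.hta\" /f"}
{"ts": "2021-11-22T09:02:30Z", "host": "WS01", "user": "alice", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks.exe /create /sc minute /mo 30 /tn Updater /tr \"powershell.exe -w hidden -enc AAAA\""}
{"ts": "2021-11-22T09:03:00Z", "host": "WS01", "user": "alice", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\mshta.exe", "cmdline": "mshta.exe C:\\Users\\alice\\AppData\\Roaming\\u.hta"}
{"ts": "2021-11-22T10:15:00Z", "host": "WS02", "user": "bob", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"}
{"ts": "2021-11-22T11:40:00Z", "host": "WS03", "user": "svc_deploy", "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg.exe add HKLM\\SOFTWARE\\Corp\\Agent /v Version /t REG_SZ /d 1.2.3 /f"}
"""

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SPAWNED_SHELLS = ("cmd.exe", "powershell.exe")
# Matches ...\CurrentVersion\Run or \RunOnce in a reg.exe command line.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\reg.exe' -> 'reg.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


# --- Threat identifiers: each is an atomic predicate over one event --------
def ti_script_host_spawns_shell(ev):
    # RATDispenser: wscript launching cmd; WIRTE 'Wscript/Cscript Execution'.
    return basename(ev["parent"]) in SCRIPT_HOSTS and basename(ev["image"]) in SPAWNED_SHELLS


def ti_autorun_registry_key(ev):
    # APT37 'New AutoRun Registry Key' / WIRTE 'Registry key added with reg.exe'.
    # Any reg.exe add to a Run/RunOnce key is flagged; tune with allow-lists
    # for known installers in a real environment.
    cmd = ev["cmdline"]
    return basename(ev["image"]) == "reg.exe" and " add " in cmd.lower() and bool(RUN_KEY_RE.search(cmd))


def ti_scheduled_task_created(ev):
    # WIRTE 'Create/Modify Schtasks'.
    return basename(ev["image"]) == "schtasks.exe" and "/create" in ev["cmdline"].lower()


def ti_mshta_execution(ev):
    # APT37 'MSHTA.exe execution'; keyed on the image so the reg.exe event
    # that merely mentions mshta in its data does not double-fire.
    return basename(ev["image"]) == "mshta.exe"


IDENTIFIERS = {
    "Wscript/Cscript spawns shell": ti_script_host_spawns_shell,
    "New AutoRun registry key via reg.exe": ti_autorun_registry_key,
    "Scheduled task created": ti_scheduled_task_created,
    "MSHTA execution": ti_mshta_execution,
}


def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts', sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def run_identifiers(events):
    """Return a list of (ts, host, identifier_name) hits."""
    return [(ev["ts"], ev["host"], name)
            for ev in events
            for name, rule in IDENTIFIERS.items() if rule(ev)]


def run_scenario(hits, window=timedelta(minutes=10), min_distinct=2):
    """Threat scenario: fire once per host when at least `min_distinct`
    different identifiers land on that host inside a sliding time window."""
    by_host = {}
    for ts, host, name in hits:
        by_host.setdefault(host, []).append((ts, name))
    alerts = []
    for host, items in by_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            names = {n for t, n in items[i:] if t - start <= window}
            if len(names) >= min_distinct:
                alerts.append({"host": host, "first_seen": start, "identifiers": sorted(names)})
                break  # one scenario alert per host is enough
    return alerts


def detect(text=SAMPLE_EVENTS):
    """Run identifiers then the scenario; returns (hits, scenario_alerts)."""
    hits = run_identifiers(parse_events(text))
    return hits, run_scenario(hits)


if __name__ == "__main__":
    hits, alerts = detect()
    for ts, host, name in hits:
        print(f"{ts:%H:%M:%S} {host} TI: {name}")
    for a in alerts:
        print("SCENARIO", a["host"], a["first_seen"], a["identifiers"])
```

On the constructed sample, all four identifiers fire on WS01 within three minutes and the scenario raises a single alert for that host, while the benign cmd.exe on WS02 and the non-Run registry write on WS03 produce nothing. The split matters operationally: identifiers are cheap and noisy on their own (reg.exe touching Run keys is common for installers), so the scenario's requirement for several distinct behaviours on one host in a short window is what turns them into an actionable signal.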

Prodaft Researchers Identify a Conti Server

November 23, 2021

Industry: N/A | Level: Strategic | Source: TheRecord

Researchers at Prodaft were able to identify an exposed server associated with the Conti ransomware gang. The server hosts the payment and recovery site that victims visit to negotiate ransom payments. Researchers maintained access to the server for several weeks, observing network traffic connecting to it. The traffic was largely victim IP addresses, but the observed SSH traffic was likely from the ransomware operators. Unfortunately, the SSH IP addresses were associated with Tor exit nodes. When Prodaft published their report of this activity, the ransomware gang was immediately aware and took the server offline.

Vestas Wind Systems Impacted by Cyberattack

November 23, 2021

Industry: Manufacturing | Level: Strategic | Source: Vestas

Vestas Wind Systems, a wind turbine manufacturer, suffered a cyberattack on Friday, November 19th, 2021. The latest company update, as of November 22nd, indicated they were still working to bring systems online, with investigations ongoing. Preliminary findings reported by the company identified impacts to Vestas’ internal IT infrastructure and, at this stage, no indication that the incident affected third-party operations involving customers and the supply chain.

GoDaddy Data Breach

November 23, 2021

Industry: Technology | Level: Strategic | Source: BleepingComputer

Hackers gained access to GoDaddy’s WordPress hosting environment in a data breach affecting up to 1.2 million customers. While GoDaddy identified the unauthorized activity on Wednesday, November 17th, its review found the hackers had been in the systems since at least September 6th, 2021. The hackers used a compromised password. Impacted data included customer numbers and email addresses, the original WordPress admin password, sFTP and database usernames and passwords (for active customers), and, for several customers, the SSL private key.

CVE-2021-41379 Patch Bypass = InstallerFileTakeOver

November 23, 2021

Industry: N/A | Level: Tactical | Source: BleepingComputer

Security researcher Abdelhamid Naceri bypassed the fix Microsoft shipped in the November 2021 patch cycle for the vulnerability tracked as CVE-2021-41379. The exploit is tracked under the name InstallerFileTakeOver. It affects all supported versions of Windows, including Windows 10, 11 and Windows Server 2022, and enables a user to obtain admin-level privileges. BleepingComputer validated how easy the exploit is to use: it “tested the exploit and used it to open a command prompt with SYSTEM privileges from an account with only low-level ‘Standard’ privileges. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.”

  • Anvilogic Use Case: Potential InstallerFileTakeOver CVE-2021-41379

Memento Team, Ransomware Gang

November 23, 2021

Industry: N/A | Level: Operational | Source: Sophos

Ransomware gang Memento Team was observed by Sophos bypassing encryption protection: when the group’s initial Python 3.9 encryption script was stopped by endpoint protection, it instead locked files inside password-protected WinRAR archives. The group was active in the victim’s network for a long time, with a six-month dwell time from initial access in April 2021, gained by exploiting CVE-2021-21972, a vCenter vulnerability. During their time on the compromised network, the threat actors also deployed two coin-miners, XMR on May 18th and XMRig on September 8th, before the victim’s network was encrypted with password-protected archives in October.

  • Anvilogic Scenario: Memento Team – Behavior

Red Canary Intelligence Insights from October 2021

November 23, 2021

Industry: N/A | Level: Tactical | Source: RedCanary

Intelligence insights from October 2021, provided by Red Canary, show Mimikatz, the Yellow Cockatoo/Jupyter infostealer, and TA551 as the top three threats out of five since August. Notable risers into the top ten threats are Qbot and WannaCry.

  • Anvilogic Use Cases:
    • Mimikatz
    • Certutil File Download
    • Windows Copy Files
    • Inhibit System Recovery Commands
    • Clear Windows Event Logs
    • Windows Firewall Disabled