Conti Shuts Down
AdvIntel intelligence well-known for tracking Conti activity has discovered the shutdown of Conti ransom operations, as critical ransom features were identified to have been removed from the infamous Conti News blog.
Red Canary has provided details of the malware Gootloader, which it tracks separately from the Gootkit malware. Red Canary offers an infection chain because the malware is often reported in the security firm’s monthly intelligence insights and its 2021 Threat Detection Report, indicating the malware’s popularity amongst cybercriminals.
Cybereason has been analyzing Quantum ransomware, a rebrand of a ransomware lineage that started with Mount Locker (September 2020) and continued as Astro Locker (March 2021) and Xing Locker (May 2021).
Cloudflare identified a distributed denial-of-service attack of 15.3 million requests targeting a cryptocurrency platform.
Windows Event Logs Abused for Malware
In February 2022, Kaspersky observed a new stealthy attack technique, used by an unattributed threat actor, that plants malware in Windows event logs. The threat actor carried out a sophisticated and targeted attack, employing many custom and commercially available tools. The initial infection appears to have begun in September 2021, with the target lured into downloading a compressed archive file housing offensive tools including Cobalt Strike and Silent Break. The actor injected code into various programs, “Windows system processes or trusted applications.” Following injection, the OS error-reporting program WerFault.exe is dropped to the directory C:\Windows\Tasks along with an encrypted DLL dropper, ‘wer.dll’, for search-order hijacking, and persistence is established through an autorun registry key entry. The DLL dropper then searches the Windows event logs for shellcode: “The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter). Created event IDs are automatically incremented, starting from 1423.” The campaign has not been correlated with any other threat actor and, as attribution remains undetermined, the activity is tracked as SilentBreak.
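The markers Kaspersky describes (source “Key Management Service”, category 0x4142, event IDs from 1423, 8KB raw-data chunks) can be hunted for directly in the Application log. The following PowerShell script is an added example written for this digest, not code from Kaspersky’s report; it assumes the records live in the Application log and that the lpRawData payload surfaces as the event’s Binary element.

```powershell
# Added hunting script (not from Kaspersky's report): list Application-log
# records carrying the SilentBreak markers described above and report how
# much raw data they embed. Run from an elevated PowerShell session.

$Category   = 0x4142   # "AB" in ASCII: the category the dropper searches for
$FirstId    = 1423     # event IDs are auto-incremented starting here
$ChunkBytes = 8KB      # shellcode is written in 8 KB chunks

# Assumption: the records are in the Application log under this source name.
$records = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Key Management Service'
} -ErrorAction SilentlyContinue

$hits = foreach ($rec in $records) {
    if ($rec.Task -ne $Category -or $rec.Id -lt $FirstId) { continue }

    # lpRawData passed to ReportEvent() is rendered as the <Binary> element
    # of the event XML, as a hex string (two characters per byte).
    $xml    = [xml]$rec.ToXml()
    $binary = $xml.Event.EventData.Binary
    if (-not $binary) { continue }
    $size = $binary.Length / 2

    [pscustomobject]@{
        TimeCreated = $rec.TimeCreated
        RecordId    = $rec.RecordId
        EventId     = $rec.Id
        RawBytes    = $size
        FullChunk   = ($size -eq $ChunkBytes)   # complete 8 KB shellcode chunk?
    }
}

if ($hits) {
    $hits | Sort-Object EventId | Format-Table -AutoSize
    $total = ($hits | Measure-Object -Property RawBytes -Sum).Sum
    $msg = "{0} matching record(s) embedding {1} bytes of raw data; review C:\Windows\Tasks for wer.dll and WerFault.exe and check autorun registry keys." -f @($hits).Count, $total
    Write-Warning $msg
} else {
    Write-Host 'No records matching the SilentBreak event-log markers.'
}
```

A match is only an indicator: confirm by inspecting the flagged records’ binary data and the dropped files before treating the host as compromised.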
NAIKON Threat Group Resurfaces
Industry: Foreign Affairs, Government, Military, Science, Technology | Level: Tactical | Source: Cluster25
Cluster25 has recently identified the advanced persistent threat (APT) group NAIKON (aka Override Panda) as resurfacing. The threat group’s activity has been targeting countries in the Association of Southeast Asian Nations (ASEAN). An observed attack from the threat group begins with a phishing email containing a document with malicious VBA code that writes executables to the temp folder. Finally, a beacon using Viper, an offensive security framework, is injected into svchost.exe. Based on the group’s past activity, their targets appear to be foreign affairs, government, military, science, and technology organizations aligned with Chinese interests. Their campaigns focus on intelligence collection and espionage.
Mandiant Tracks APT29 Phishing Campaigns
Mandiant has identified the Russian state-sponsored threat group APT29 as having launched phishing campaigns against government and diplomatic verticals since January 17th, 2022. Geographically, the targets are located in Europe, the Americas, and Asia. The phishing emails were themed as administrative notices and sent through compromised email accounts. The malicious emails contain an HTML dropper that writes either an IMG or an ISO file to disk. When mounted, a LNK file and a DLL file are presented to the victim, and the infection is triggered when the LNK file is executed. The group used various custom malware during initial access and post-compromise to establish a foothold in the environment, such as ROOTSAW, BOOMMIC, and BEATDROP. Techniques observed within the environment include abusing certificates, modifying registry run keys, creating or modifying scheduled tasks, conducting discovery with native commands, and kerberoasting. APT29 has demonstrated the ability to move quickly within the environment, typically reaching Domain Admin privileges within 12 hours.
Mustang Panda Targets Europe
Cisco Talos has tracked activity from the Chinese threat actor Mustang Panda, with the group targeting U.S., Asian, and European entities in addition to Russian organizations. The phishing campaign employed by Mustang Panda has used themes around COVID-19, political matters, and current events. Activity from this campaign was observed in February 2022, coinciding with the start of the Russia and Ukraine conflict. Some phishing themes have reported on the border situations in Ukraine and Belarus. The malware deployed in the campaign is PlugX, a remote access trojan. The threat activity involves the use of multiple shells and beacons, with the group’s goal in these campaigns being espionage. The group’s tactics, techniques, and procedures include a benign executable that initiates DLL sideloading, a malicious DLL loader, the PlugX implant, and the use of various stagers and reverse shells.
Trend Micro observed an AvosLocker infection chain deployed within the US that abuses a legitimate Windows driver for defense evasion and to disable security defenses.
Conti Ransomware Hits Costa Rica Electricity
Industry: Energy | Level: Strategic | Source: TheRecord
Junta Administrativa del Servicio Eléctrico de Cartago (JASEC), a government agency controlling electricity in Cartago, Costa Rica, was hit by Conti ransomware this past weekend, with its administrative systems impacted. The attack occurred on Saturday, encrypting the systems managing the company’s emails, website, and administrative collection systems. The electric operator’s general manager, Luis Solano, has assured customers that “electricity and internet services operate normally”; however, the incident has prevented customers from paying electric or internet bills. Until the incident is resolved, the company has suspended bill payments.
New Black Basta, Ransomware Gang
Bursting into the cyber threat landscape in April 2022, the newly identified Black Basta ransomware group has compromised at least twelve organizations. As reported by BleepingComputer, the group employs a double extortion tactic, exfiltrating data prior to launching the ransomware. The Black Basta leak site lists ten victim organizations, and it is likely that several impacted organizations that paid or negotiated with the threat actors had their listings removed. Research from MalwareHunterTeam suggests the Black Basta gang is a potential rebrand of Conti, given Conti’s need to dodge law enforcement and recover from damaging leaks. Similarities identified include the leak and payment sites as well as the mannerisms of support personnel. The group does not appear to be currently recruiting or marketing its operations.
Stormous Ransomware Breaches Coca-Cola
Beverage corporation Coca-Cola is investigating a claim made by the threat group Stormous of a breach of the company’s network that exfiltrated 161GB of data. As reported by BleepingComputer, the threat group claims to have stolen “compressed documents, text files with admin, emails, and passwords, account and payment ZIP archives, and other type of sensitive information.” A Telegram post made by Stormous announced the group is selling the compromised data for 1.65 Bitcoin, approximately $64,000. Similar to Lapsus$, the Stormous group created a poll the week prior listing targets to breach, with coca-cola.com receiving the most votes at 74%. Other listed targets included Mattel, Danaher, Blackboard, and GE Aviation.
Hive0117 Phishing Campaigns
IBM Security X-Force has shared research from tracking the latest phishing campaigns of the financially motivated threat group Hive0117. Identified in February 2022, the campaign targets the electronics, industrial, and telecommunications sectors to deploy DarkWatchman, a remote access trojan (RAT). The email campaigns masquerade as communication from the Russian Government’s Federal Bailiffs Service, targeting company leaders in Lithuania, Estonia, and Russia. Activity from this campaign does not appear to be related to the Russia and Ukraine conflict. The motive is suspected to be to “enable illegal access to numerous distributed clients and end-users” by compromising telecommunication providers and their respective suppliers.