The Anvilogic Threat Reports


Here you can find an accumulation of trending threats published weekly by our Anvilogic team, The Anvilogic Forge. We are committed to helping the community detect attacks by helping your team look for malicious exploit strings and run exposure checks on your endpoint devices and servers, which can help identify a successful payload delivery and compromise using a given vulnerability.

Intelligence Levels
  • Tactical: Detectable threat behaviors for response with threat scenarios or threat identifiers
  • Strategic: General information security news, for awareness

About the Team

The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry.

Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections in order to defend themselves in an ever-changing threat landscape.

Our Craft

Curate threat intelligence to provide situational awareness and actionable intelligence to our clients. The results of our craft are:

  • Detections
    • Threat Identifiers: atomic detections that serve as the foundation of our detection framework.
    • Threat Scenarios: risk, pattern, and sequence-based detections utilizing the outputs of Threat Identifiers as a means of identifying actual threats.
  • Reports hot off the forge:
    • Threat News Reports
    • Trending Threat Reports
    • Research Articles

Want more?

If this information is useful, please feel free to get in touch with us to see how Anvilogic can help you grow your security operations at yo@anvilogic.com.

Sign-up for Anvilogic’s weekly threat reports and receive a threat round-up, active notifications of relevant threats to harden your security posture, and ready-to-deploy threat detection logic & content associated with applicable trending threats.

If you are not a customer but would like to get the detection code for a specific vulnerability or exploit, reach out to us; we’re happy to help: detection.support@anvilogic.com

Learn More about The Anvilogic Threat Detection and Incident Response (TDIR) Platform


Windows Event Logs Abused for Malware

May 10, 2022


Industry: N/A | Level: Tactical | Source: Kaspersky

In February 2022, Kaspersky observed a new stealthy attack technique, used by an unattributed threat actor, that plants malware in Windows event logs. The threat actor initiated a sophisticated and targeted attack, employing many custom and commercially available tools. The initial infection appeared to have begun in September 2021, with the target lured into downloading a compressed archive file housing offensive tools including Cobalt Strike and Silent Break. The actor injected into various programs, “Windows system processes or trusted applications.” Following injection, a copy of the OS error-reporting program WerFault.exe is dropped into the directory C:\Windows\Tasks along with an encrypted DLL dropper, ‘wer.dll’, for search order hijacking, and persistence is established through an autorun registry key entry. The DLL dropper then searches the Windows event logs for the shellcode: “The dropped wer.dll is a loader and wouldn’t do any harm without the shellcode hidden in Windows event logs. The dropper searches the event logs for records with category 0x4142 (“AB” in ASCII) and having the Key Management Service as a source. If none is found, the 8KB chunks of shellcode are written into the information logging messages via the ReportEvent() Windows API function (lpRawData parameter). Created event IDs are automatically incremented, starting from 1423.” The campaign has not been correlated with any other threat actor, and as attribution remains undetermined, the activity is tracked as SilentBreak.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • New AutoRun Registry Key
    • Rare Remote Thread
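The indicators Kaspersky describes (source “Key Management Service”, category 0x4142, event IDs counting up from 1423, 8KB raw-data chunks) can be hunted for in exported event records. The following is an added example written for this page, not Anvilogic or Kaspersky code; it assumes records exported as EVTX XML (the `wevtutil qe ... /f:xml` format), in which ReportEvent()’s category appears as `<Task>` and lpRawData as a hex string in `<Binary>`, and it runs over a constructed sample export.

```python
"""Hunt EVTX XML exports for the SilentBreak-style event-log shellcode stash."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SUSPECT_SOURCE = "Key Management Service"   # source named in the report
SUSPECT_CATEGORY = 0x4142                   # "AB" in ASCII, per the report
FIRST_EVENT_ID = 1423                       # IDs auto-increment from here
CHUNK_BYTES = 8 * 1024                      # 8KB shellcode chunks


def parse_records(xml_text):
    """Yield one dict per <Event>: provider, event ID, task (category), raw size."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        sysnode = ev.find("e:System", NS)
        raw_hex = ev.findtext("e:EventData/e:Binary", "", NS)
        yield {
            "provider": sysnode.find("e:Provider", NS).get("Name", ""),
            "event_id": int(sysnode.findtext("e:EventID", "0", NS)),
            "task": int(sysnode.findtext("e:Task", "0", NS)),
            "raw_bytes": len(raw_hex) // 2,   # hex string -> byte count
        }


def find_shellcode_records(xml_text):
    """Return (hits, sequential): KMS records with category 0x4142, and whether
    their event IDs form an unbroken run starting at 1423 as the report describes."""
    hits = [r for r in parse_records(xml_text)
            if r["provider"] == SUSPECT_SOURCE and r["task"] == SUSPECT_CATEGORY]
    hits.sort(key=lambda r: r["event_id"])
    ids = [r["event_id"] for r in hits]
    expected = list(range(FIRST_EVENT_ID, FIRST_EVENT_ID + len(ids)))
    return hits, bool(ids) and ids == expected


def _record(eid, task, binary_hex):
    # Constructed EVTX-style record; attribute names follow the real schema.
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{SUSPECT_SOURCE}"/>'
            f'<EventID>{eid}</EventID><Task>{task}</Task></System>'
            f'<EventData><Binary>{binary_hex}</Binary></EventData></Event>')


# Constructed sample export: one benign KMS event plus two 8KB stash records.
CONSTRUCTED_EXPORT = ("<Events>" + _record(12288, 0, "00")
                      + _record(1423, SUSPECT_CATEGORY, "00" * CHUNK_BYTES)
                      + _record(1424, SUSPECT_CATEGORY, "00" * CHUNK_BYTES)
                      + "</Events>")

if __name__ == "__main__":
    found, in_sequence = find_shellcode_records(CONSTRUCTED_EXPORT)
    for r in found:
        print(f"event {r['event_id']}: {r['raw_bytes']} bytes of raw data")
    print("sequential from 1423:", in_sequence)
```

On a live host the same check runs against `wevtutil qe Application /f:xml` output wrapped in a single root element; a hit with 8KB raw-data records is worth pulling the binary for analysis.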

NAIKON Threat Group Resurfaces

May 10, 2022


Industry: Foreign Affairs, Government, Military, Science, Technology | Level: Tactical | Source: Cluster25

Cluster25 has recently identified the advanced persistent threat (APT) group NAIKON (aka Override Panda) as resurfacing. The threat group’s activity has been targeting countries in the Association of Southeast Asian Nations (ASEAN). An observed attack from the threat group begins with a phishing email containing a document with malicious VBA code that writes executables to the temp folder. Finally, a beacon using Viper, an offensive security framework, is injected into svchost.exe. Based on the group’s past activity, their targets appear to be foreign affairs, government, military, science, and technology organizations aligned with Chinese interests. Their campaigns focus on intelligence collection and espionage.

  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Executable Process from Suspicious Folder
    • Rare Remote Thread

Mandiant Tracks APT29 Phishing Campaigns

May 10, 2022


Industry: Diplomatic, Government | Level: Tactical | Source: Mandiant

Mandiant has identified the Russian state-sponsored threat group APT29 as having launched phishing campaigns against verticals in government and diplomacy since January 17th, 2022. Geographically, the targets are located in Europe, the Americas, and Asia. The phishing emails were themed as administrative notices and sent through compromised email accounts. The malicious emails contain an HTML dropper that writes a file to disk, either an IMG or an ISO. When mounted, an LNK file and a DLL are presented to the victim, triggering the infection when the LNK file is executed. Various custom malware was utilized by the group during initial access and post-compromise to establish a foothold in the environment, such as ROOTSAW, BOOMMIC, and BEATDROP. Techniques observed within the environment include abusing certificates, modifying registry run keys, creating/modifying scheduled tasks, conducting discovery with native commands, and kerberoasting. APT29 has demonstrated the ability to move quickly within the environment, typically reaching Domain Admin privileges within 12 hours.

  • Anvilogic Use Cases:
    • Symbolic OR Hard File Link Created
    • Suspicious Certificate Modification
    • Create/Modify Schtasks
    • New AutoRun Registry Key
    • Registry key added with reg.exe
    • WinRM Tools
    • Common Reconnaissance Commands
    • Locate Credentials

Mustang Panda Targets Europe

May 10, 2022


Industry: Government, Non-Governmental Organization, Think Tanks | Level: Tactical | Source: Cisco Talos

Activity from the Chinese threat actor Mustang Panda has been tracked by Cisco Talos, with the group targeting U.S., Asian, and European entities, in addition to Russian organizations. The phishing campaign employed by Mustang Panda has utilized themes for COVID-19, political matters, and current events. Activity from this campaign was observed in February 2022, coinciding with the start of the Russia-Ukraine conflict. Some phishing themes have reported on the border situations in Ukraine and Belarus. The malware deployed in the campaign is PlugX, a remote access trojan. Threat activities involve the use of multiple shells and beacons, with the group’s goal in these campaigns being espionage. The tactics, techniques, and procedures observed from the group include a benign executable used to initiate DLL sideloading, a malicious DLL loader, the PlugX implant, and the use of various stagers and reverse shells.

  • Anvilogic Scenario: Mustang Panda – LNK-based Infection Chain
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Executable Process from Suspicious Folder
    • Windows Copy Files
    • Executable Create Script Process
    • Compressed File Execution
    • Suspicious File written to Disk
    • New AutoRun Registry Key
    • Rundll32 Command Line
    • Create/Modify Schtasks
    • Meterpreter Reverse Shell
    • Symbolic OR Hard File Link Created
    • Wscript/Cscript Execution
    • Registry key added with reg.exe
    • Executable File Written to Disk

AvosLocker Infection with Abused Driver

May 10, 2022

Trend Micro observed an AvosLocker infection chain deployed within the US that abuses a legitimate Windows driver for defense evasion and to disable security defenses.

Conti Ransomware Hits Costa Rica Electricity

May 03, 2022


Industry: Energy | Level: Strategic | Source: TheRecord

Junta Administrativa del Servicio Eléctrico de Cartago (JASEC), a government agency controlling electricity in Cartago, Costa Rica, has been hit by Conti ransomware, with administrative systems impacted this past weekend. The attack occurred on Saturday, encrypting the systems that manage the company’s emails, website, and administrative collection systems. The electric operator’s general manager Luis Solano has assured customers “electricity and internet services operate normally”; however, the incident has prevented customers from paying electric or internet bills. Until the incident is resolved, the company has suspended bill payments.

New Black Basta, Ransomware Gang

May 03, 2022


Industry: N/A | Level: Strategic | Source: BleepingComputer

Bursting into the cyber threat landscape in April 2022, the newly identified Black Basta ransomware group has compromised at least twelve organizations. As reported by BleepingComputer, the group employs a double extortion tactic, exfiltrating data prior to launching the ransomware. The Black Basta leak site lists ten victim organizations, and it is likely that several impacted organizations paid or negotiated with the threat actors and had their listing removed. Research from MalwareHunterTeam predicts the Black Basta gang is a potential rebrand of Conti, given the need to dodge law enforcement and refresh after damaging leaks. Similarities identified include the leak and payment site as well as mannerisms from support personnel. The group doesn’t appear to be currently recruiting or marketing its operations.

Stormous Ransomware Breaches Coca-Cola

May 03, 2022


Industry: Food & Beverage | Level: Strategic | Source: BleepingComputer

Beverage corporation Coca-Cola is investigating a claim made by the threat group Stormous of a breach of the company’s network, exfiltrating 161GB of data. As reported by BleepingComputer, the threat group claims to have stolen “compressed documents, text files with admin, emails, and passwords, account and payment ZIP archives, and other type of sensitive information.” A Telegram post made by Stormous announced the group is selling the compromised data for 1.65 Bitcoin, approximately $64,000. Similar to Lapsus$, the Stormous group created a poll the week prior listing targets to breach, with coca-cola.com receiving the most votes at 74%. Other noted targets included Mattel, Danaher, Blackboard, and GE Aviation.

Hive0117 Phishing Campaigns

May 03, 2022


Industry: Electronic, Industrial, Telecommunication | Level: Strategic | Source: SecurityIntelligence

IBM Security X-Force shared research from tracking the financially motivated threat group Hive0117’s latest phishing campaigns. Identified in February 2022, the campaign targets the electronic, industrial, and telecommunications sectors to deploy DarkWatchman, a remote access trojan (RAT). The email campaigns masquerade as communication from the Russian Government’s Federal Bailiffs Service, targeting company leaders in Lithuania, Estonia, and Russia. Activity from this campaign doesn’t appear to be related to the Russia-Ukraine conflict. The motive is suspected to be to “enable illegal access to numerous distributed clients and end-users” by compromising telecommunication providers and their respective suppliers.