Since the last quarter of 2020 MuddyWater has maintained a “long-term” infection campaign targeting Middle East countries. We have gathered samples from November 2020 to January 2022, and due to the recent samples found, it seems that this campaign might still be currently active. The latest campaigns of the Muddy Water threat group, allegedly sponsored by the Iranian government and linked to the Iranian revolutionary guard (the main armed forces of the Iranian government), could be framed within the dynamics of maintaining Iran’s regional sovereignty.…
Cyble Research Labs has constantly been tracking emerging threats and their delivery mechanisms. We have observed a surge in the use of .lnk files by various malware families. Some of the prevalent malware families using .lnk files for their payload delivery of late are:
Additionally, we have seen many APT instances where the Threat Actors (TAs) leverage .lnk…
ToddyCat is a relatively new APT actor that we have not been able to relate to other known actors, responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. We still have little information about this actor, but we know that its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.…
Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The resources identified in one of the malicious campaigns impersonate various services and appear to be legitimately created on the “azurefd.net” domain; this allows the bad actors to trick users and spread phishing content to intercept credentials for business applications and e-mail accounts.…
The ASEC analysis team has discovered the active distribution of APT files that are exploiting a feature of HWP files (OLE object insertion) recently. After the case introduced in the post “Malicious HWP File Disguised as Press Release of 20th Presidential Election Early Voting for Sailors Being Distributed” on March 8th, the attacker is continuously distributing malicious HWP files targeting people in the field of national defense, North Korea-related materials, and broadcasting.…
June 15, 2022
by Steven Adair, Thomas Lancaster, Volexity Threat Research
Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week.…
Check Point Research uncovers a recent Iranian-based spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens. The attacks use a custom phishing infrastructure, as well as a wide array of fake email accounts to impersonate trusted parties.…
Executive Summary
Unit 42 recently identified a new, difficult-to-detect remote access trojan named PingPull being used by GALLIUM, an advanced persistent threat (APT) group.
Unit 42 actively monitors infrastructure associated with several APT groups. One group in particular, GALLIUM (also known as Softcell), established its reputation by targeting telecommunications companies operating in Southeast Asia, Europe and Africa.…
Active since 2017, the Lyceum group is a state-sponsored Iranian APT group known for targeting Middle Eastern organizations in the energy and telecommunication sectors and relying mostly on .NET-based malware.
Zscaler ThreatLabz recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET…
Overview
In 2021 the Qi'anxin Threat Intelligence Center published "Operation Magichm: A Brief Look at the Bitter Group's CHM File Delivery and Follow-up Operations". A year later, we found that the Bitter group (蔓灵花, APT-Q-37) used new attack techniques and samples in its latest attack activity in April. In addition, at the end of this article we share the recent phishing activity of 摩耶象 (APT-Q-41) and the infrastructure used by SideWinder (响尾蛇, APT-Q-39) so far this year.
Judging from attack activity out of South Asia over the past two years, the various groups are still "living off old capital" with no tendency to innovate: there is a path dependence on antique vulnerabilities such as 11882 and 8570, and their Trojan AV-evasion work is also very poor, often still not evading detection after being caught and removed by Tianqing four or five times. This disappoints us. We speculate that the cause of this phenomenon may be related to the security environment in the South Asia region.
As in previous articles, this article only shares the attack techniques seen over the past period. At the end of the article we share the related groups' historical or not-yet-activated infrastructure.
APT-Q-37 (Bitter, 蔓灵花)
Email analysis
The Bitter group impersonated a military-trade customer (the Bangladesh Navy) and sent phishing emails with CHM attachments, themed on repairing hull sonar, to defense-industry companies.
Besides CHM, Bitter also delivered documents containing DDE AUTO as attachments, impersonating a defense-industry company and sending phishing emails themed on marketing an anti-drone system to a military-trade customer (the Bangladesh Air Force).
After obtaining access to the military-trade customer's mailbox, the attacker adds a malicious DDE attachment to a legitimate ongoing email exchange in order to raise the phishing success rate.
The legitimate PDF is as follows:
Using a trusted mailbox, an SFX sample carrying New Year greetings was sent to everyone on the mailing list.
Delivering phishing emails with macro documents
Lure analysis
DDE AUTO
Since CHM lures are too common, they are not analyzed here; the DDE documents are as follows:
File name | MD5 | Type
Technical Proposal of Portable Anti-Drone System.docx | 54ea5083ad67b15a249e07bb1a4fb3e0 | DDE AUTO
China Great Wall Industry Corp (CGWIC) Profile and POC.docx | 54ea5083ad67b15a249e07bb1a4fb3e0 | DDE AUTO
Payment Detail.docx | 54ea5083ad67b15a249e07bb1a4fb3e0 | DDE AUTO
Invitation to Visit Bangladesh(Officials of Chinaship).docx…
In this multi-day intrusion, we observed a threat actor gain initial access to an organization by exploiting a vulnerability in ManageEngine SupportCenter Plus. The threat actor discovered files on the server and dumped credentials using a web shell, moved laterally to key servers using Plink and RDP, and exfiltrated sensitive information using the web shell and RDP.…
LuoYu is a lesser-known threat actor that has been active since 2008. It primarily goes after targets located in China, such as foreign diplomatic organizations established in the country, members of the academic community, or companies from the defense, logistics and telecommunications sectors. In their initial disclosures on this threat actor, TeamT5 identified three malware families: SpyDealer, Demsty and WinDealer.…
During 2019-2021 I was focused on analyzing campaigns orchestrated by the APT-C-36 group and RATs used by this same group and other cybercriminal groups such as RemcosRAT, AsyncRAT, Imminent Monitor RAT, etc. In the last few months I have seen some modifications of TTPs in many of these families that have caught my attention and I wanted to analyze them to see what is new.…
This blog post on TURLA was originally published as a FLINT report (SEKOIA.IO Flash Intelligence) sent to our clients on May 11, 2022.
Executive Summary
The SEKOIA.IO Threat & Detection Research (TDR) Team has expanded the search for Russia-linked TURLA infrastructure starting from a Google TAG blog post.…
An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.
The campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely.…
Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Ukraine conflict. Source: Security Affairs.
It’s not often that we get to observe the behind-the-scenes drama that can accompany the creation of new malware, but when we do, it gives us a fascinating glimpse into how threat actors operate.…
In the past two months, we observed multiple APT groups attempting to leverage the Russia and Ukraine war as a lure for espionage operations. It comes as no surprise that Russian entities themselves became an attractive target for spear-phishing campaigns that are exploiting the sanctions imposed on Russia by western countries.…
Recently we captured a somewhat unusual attack. It was launched by the APT-C-24 (SideWinder) group, which departed from its usual attack framework and used an entirely new attack method and flow. Interestingly, because of a software version difference, the attack could not complete under the code's normal execution logic; it seems our old friend SideWinder did not fully synchronize its code test environment with the Chinese-language environment.
In this attack, SideWinder built the early execution flow around FileSyncShell.dll: a malicious program replaces FileSyncShell.dll, and FileSyncShell.dll is then started by explorer.exe via DLL side-loading to carry out the attack flow. The attack flow we captured is as follows:
Attack flow overview
In the attack flow, SideWinder splits the macro-code documents into two stages: the first-stage lure document is delivered, and it drops and executes the second-stage document.
1. Lure document
In the document we captured, the group uses macro code to carry out the subsequent code execution. The Document_Open function is as follows:
Using the SaveAs function, the document is saved in HTML mode to the path “%Temp%\Loading..htm”; at the same time the images, macro code and other content in the document are saved into a “.files” folder, which contains the following:
An interesting point here is that SideWinder's code uses “_files” (corresponding to the path “%Temp%\Loading._files”). But because Microsoft's behavior when saving a document as a web page (.htm, .html) differs across versions, SideWinder's code does not actually run correctly on the Chinese-language version.
The “_files” support folder stores files such as bullets, backgrounds and images. SideWinder reads the server configuration from image003.png in that folder. The file data is divided into three parts: the first 120 bytes are the PNG file header, and the remainder is split into data blocks of 255 bytes each.
image003.png
As can be seen above, the data blocks form two segments: the URL in the first segment is used to upload an error log when code execution fails, and the second segment is the download address of the next file, which is downloaded locally via the “Shapes.AddPicture” function and then saved as a Web file, “%Temp%\Loading…htm”.
Code snippet 1
Code snippet 2
Code snippet 3
The data structure of “image001.png” is as follows; it carries a doc file together with the path to save it to. The macro code saves the document file to that path (%userprofile%\AppData\Roaming\Microsoft\Templates\rec2.doc) and opens it to execute the macro code carried in the document.
image001.png
2. rec2.doc
Similar to the lure document's execution flow, “rec2.doc” also saves itself as an “.htm” file to obtain the image files it contains, but with one small difference: it wipes the data of the “editdata.mso” file in the support folder, which holds the document's macro and OLE object data.
The server configuration is obtained from “image003.png”, with the same structure as above:
The URL in the first data block is used to send an error log to the server when code execution raises an exception.
The URLs in the second through fourth data blocks are used to download files locally via the “Shapes.AddPicture” function; the data in each file is then parsed and the files are dropped to the specified paths. The file names and their corresponding paths are as follows:
File name | Path
image001.png | %UserProFile%\AppData\Local\Microsoft\OneDrive\*\amd64\filesyncshell64.dll
image001.png | %UserProFile%\AppData\Local\Microsoft\OneDrive\*\filesyncshell64.dll
image002.png | %UserProFile%\AppData\Roaming\Microsoft\Templates\Introduction to Canton Fair Global Cooperative Partnership Program.doc…