Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the conflict in Ukraine. Source: Security Affairs.
OverviewBlackBerry Threat Intelligence has identified a new Ransomware-as-a-Service (Raas) family, and tracked its lineage to its probable beta stage release.…
UNC1151是疑似具有东欧国家背景的APT团伙,该APT组织与“Ghostwriter”攻击活动相关。2020年,国外安全厂商Mandiant(前身为FireEye)披露“Ghostwriter”攻击活动[1]。该活动至少自 2017 年 3 月开始,行动主要针对立陶宛、拉脱维亚和波兰等国,攻击者在这些国家散播具有反北约组织(NATO)立场观点的内容,攻击者通常借助网站入侵和伪造电子邮件账号传播虚假内容,伪造的内容还包括来自军方官员的虚假信件。此后,Mandiant观察到UNC1151组织发起与“Ghostwriter”相似的攻击活动,攻击活动涉及波兰官员和德国政客,Mandiant认为UNC1151组织为一个新的APT组织[2]。2021年11月,Mandiant发布报告将该组织归属于东欧某国政府[3]。
2022年2月,俄乌冲突爆发后,乌克兰计算机应急响应小组(CERT-UA)和乌克兰国家特殊通讯和信息保护局(SSSCIP Ukraine)发布钓鱼邮件警报,警报涉及 UNC1151针对乌克兰武装部队成员的私人电子邮件账户的广泛网络钓鱼活动。3月1日,Proofpoint披露攻击者利用疑似被窃取的乌克兰军队人员邮箱,向参与管理逃离乌克兰的难民后勤工作的欧洲政府人员发起钓鱼攻击[4],攻击手法与UNC1151此前攻击活动相似。
概述近日,奇安信威胁情报中心红雨滴团队在社交平台上发现有安全研究员发布一个针对乌克兰的攻击样本。
乌克兰CERT也于3月7日发布通告,将该攻击样本归属为UNC1151[5]。该样本使用的攻击手法与UNC1151之前被披露的攻击手法有些不同。经过深入挖掘,我们发现此类攻击样本至少从2021年9月开始出现,攻击目标涉及乌克兰、立陶宛等国,同时在早期样本中发现了与UNC1151历史攻击活动的相似之处。
样本信息本次获取的初始样本为довідка.zip,“довідка”是乌克兰语“证书”的意思,压缩包内部为dovidka.chm,chm全称Compiled Help Manual,是微软新一代的帮助文件格式,利用HTML作源文,把帮助内容以类似数据库的形式编译储存,也就是被编译并保存在一个压缩的HTML格式。当我们双击文件时,微软默认使用HTML帮助执行程序打开并显示相关内容。
诱饵内容为一张图片,图片顶部为乌克兰总统办公室,乌克兰内阁以及乌克兰安全的标志,标题翻译为中文为“我该怎么办?。图片中的具体内容为“有关战争的一些安全建议”。当我们打开此文件时会执行HTML代码,解压缩dovidka.chm得到内嵌的html代码。
样本分析 HTMLHTML中包含两段代码,一段为js代码,用于显示诱饵内容,另一段为vbs代码。vbs代码经过混淆,执行的功能主要为释放ignit.vbs并调用WScript.exe执行。
VBS释放的ignit.vbs也经过混淆,主要执行三个函数,分别释放core.dll, desktop.ini, Windows Prefetch.lnk。
desktop.ini调用“C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe”加载core.dll
Windows Prefetch.lnk 用于持久化。
core.dllcore.dll为ConfuserEx加壳的C#程序,脱掉壳之后进行反编译得到代码,RegisterClass与UnRegisterClass 功能相同,实现数据的内存加载。
两个数组存储需要内存加载的数据。
将数组中的数据解压并写入分配的可执行内存中。
然后创建线程执行。
内存加载的代码主要分为两个部分,第一部分为dll loader,用于加载第二部分的dll,dll为开源的后门程序MicroBackdoor[6]。后门首先从conf段中获取到C2地址xbeta.online和端口(8443)并建立连接。
成功与服务器连接后获取服务器下发的指令并执行,指令包含获取本机信息,执行程序,反弹shell,上传下载文件等常规远控功能,值得一提的是与原版程序的指令相比,此样本添加了截屏的功能。
关联分析经过深入挖掘,我们发现其他三个同源样本,均为chm文件,样本信息如下:
– – – – MD5 样本名称 针对国家 VT初次上传时间 62b8db1d541775fba717fc76b2e89353 cert.chm…By Edmund Brumaghin, with contributions from Jonathan Byrne, Perceo Lemos and Vasileios Koutsoumpogeras.
This post is also available in:日本語 (Japanese)
Українська (Ukrainian)
Executive Summary Since the beginning of the war in Ukraine, we have observed threat actors using email lures with themes related to the conflict, including humanitarian assistance and various types of fundraising.…Since its reemergence on Nov. 14, 2021, Black Lotus Labs has once again been tracking Emotet, one of the world’s most prolific malware distribution families which previously infected more than 1.6M devices and caused hundreds of millions of dollars in damage across critical infrastructure, healthcare, government organizations and enterprises around the world.…
For additional information regarding deserialization exploits and our new hunting rule generation tool ‘HeySerial’, read our blog post, Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits.
USAHerds (CVE-2021-44207) Zero-DayIn three investigations from 2021, APT41 exploited a zero-day vulnerability in the USAHerds web application.…
In the past few months, a new wave of cyberattacks has been flooding Iran. These attacks are far from minor website defacements – the recent wave is hitting national infrastructure and causing major disruptions to public services.
This article provides an in-depth technical analysis of one of the attacks against the Iranian national media corporation, Islamic Republic of Iran Broadcasting (IRIB) which occurred in late January 2022.…
Over the past year, FortiEDR has prevented multiple attacks that attempted to exploit various Microsoft Exchange server vulnerabilities, some of which we have previously covered.
Among these attacks, we identified a campaign operated by Moses Staff, a geo-political motivated threat group believed to be sponsored by the Iranian government.…
In recent months, there has been continuous media coverage of the geopolitical tensions in Eastern Europe around the threats of a Russian invasion of Ukraine. As one may expect, there has been an observable uptick in cyberattacks on related government networks and personnel. One notable case is the so-called “#WhisperGate” malware which is destructive to the systems which it infects.…
The ShadowPad advanced modular remote access trojan (RAT) has been deployed by the Chinese government-sponsored BRONZE ATLAS threat group since at least 2017. A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals.…
Recently, we’ve been researching several threat actors operating in South Asia: Transparent Tribe, SideCopy, etc., that deploy a range of remote access trojans (RATs). After a hunting session in our malware sample repositories and VirusTotal while looking into these actors, we gathered a small collection of VBA code samples that eventually allowed us to connect certain IOCs to individual threat actors based on the final payload, victimology and submission locations.…
February 3, 2022
[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. This vulnerability was later assigned CVE-2022-24682 and was fixed in version 8.8.15P30 Update 2 of Zimbra Collaboration Suite.…
A new phishing campaign is using specially crafted CSV text files to infect users’ devices with the BazarBackdoor malware.
A comma-separated values (CSV) file is a text file containing lines of text with columns of data separated by commas. In many cases, the first line of text is the header, or description, for each column.…
Cisco Talos has observed a new campaign targeting Turkish private organizations alongside governmental institutions.
Talos attributes this campaign with high confidence to MuddyWater — an APT group recently attributed to Iran’s Ministry of Intelligence and Security (MOIS) by the U.S. Cyber Command. This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target’s enterprise.…Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country.
Active since at least 2013, Shuckworm specializes in cyber-espionage campaigns mainly against entities in Ukraine. The group is known to use phishing emails to distribute either freely available remote access tools, including Remote Manipulator System (RMS) and UltraVNC, or customized malware called Pterodo/Pteranodon to targets.…
Over the past months, the Cybereason Nocturnus Team has been tracking the Iranian hacker group known as Moses Staff. The group was first spotted in October 2021 and claims their motivation is to harm Israeli companies by leaking sensitive, stolen data. …