The threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DLL side-loading, living off the land, operational technology, ransomware, and Russia. The IOCs associated with these stories are attached to the Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC summary charts. These charts summarize the IOCs attached to this digest and give a glimpse of the threats discussed.
Trending cyber news and threat intelligence
Shadow Force Group’s Viticdoor and CoinMiner
(Published: May 27, 2023)
Shadow Force is a threat group that has been targeting South Korean organizations since 2013, mainly Windows servers. AhnLab researchers analyzed the group’s activities in 2020-2022. Shadow Force activity is relatively easy to spot because the actors tend to reuse the same filenames for their malware. At the same time, the group has evolved: after March its files often exceed 10 MB because the binaries are packed. The actors also started deploying various cryptocurrency miners and a new backdoor called Viticdoor.
Analyst Note: Organizations need to keep their servers updated and configured with security in mind. Extremely high CPU usage and overheating can be a sign of malicious cryptocurrency mining (resource hijacking). Network- and host-based indicators associated with Shadow Force are available on the Anomali platform, and customers are advised to block them in their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1588.003 – Obtain Capabilities: Code Signing Certificates | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1569.002 – System Services: Service Execution | [MITRE ATT&CK] T1059.003 – Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1546.008 – Event Triggered Execution: Accessibility Features | [MITRE ATT&CK] T1543.003 – Create or Modify System Process: Windows Service | [MITRE ATT&CK] T1554 – Compromise Client Software Binary | [MITRE ATT&CK] T1078.001 – Valid Accounts: Default Accounts | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T1036.001 – Masquerading: Invalid Code Signature | [MITRE ATT&CK] T1553.002 – Subvert Trust Controls: Code Signing | [MITRE ATT&CK] T1036.004 – Masquerading: Masquerade Task or Service | [MITRE ATT&CK] T1574 – Hijack Execution Flow | [MITRE ATT&CK] T1056.001 – Input Capture: Keylogging | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: LSASS Memory | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1087.001 – Account Discovery: Local Account | [MITRE ATT&CK] T1082 – System Information Discovery | [MITRE ATT&CK] T1021.002 – Remote Services: SMB/Windows Admin Shares | [MITRE ATT&CK] T1115 – Clipboard Data | [MITRE ATT&CK] T1113 – Screen Capture | [MITRE ATT&CK] T1219 – Remote Access Software | [MITRE ATT&CK] T1571 – Non-Standard Port | [MITRE ATT&CK] T1565.001 – Data Manipulation: Stored Data Manipulation | [MITRE ATT&CK] T1496 – Resource Hijacking
tags: actor:Shadow Force, malware:Viticdoor, detection:Backdoor/Win.Viticdoor, malware-type:Backdoor, detection:CoinMiner/Win.ShadowForce, malware-type:Miner, target-country:South Korea, target-industry:Government, target-industry:Politics, target-industry:IT, target-industry:Food, target-industry:Outsourcing, file-type:EXE, file-type:DLL, target-system:Windows Server, target-system:Windows
COSMICENERGY: New malware may be linked to Russian emergency response exercises
(Published: May 25, 2023)
Mandiant researchers discovered a new malware family called COSMICENERGY, specifically designed to target Windows-based Operational Technology (OT) systems used in electricity distribution. Like the previously discovered OT malware INDUSTROYER and INDUSTROYER.V2, COSMICENERGY interacts with IEC 60870-5-104 (IEC-104) devices such as Remote Terminal Units (RTUs), which are common in Europe, the Middle East, and Asia. COSMICENERGY has two derivative components, PIEHOP and LIGHTWORK. PIEHOP is a Python-based disruption tool that connects to a remote MSSQL server in order to issue commands to the RTU, while LIGHTWORK is a C++ tool that implements the IEC-104 protocol to change the state of RTUs over TCP, generating configurable IEC-104 ASDU messages that set the state of RTU information object addresses. Like the earlier OT malware families IRONGATE, TRITON and INCONTROLLER, it relies on open-source libraries for its OT protocol implementation.
Analyst Note: Although COSMICENERGY shows some signs of being a red team tool still in development, threat actors regularly adapt and make use of legitimate tools. Network defenders should monitor logs on critical systems, look for the execution of packaged Python scripts and the creation of a temporary PyInstaller folder (“_MEIPASS”), and identify sessions that use SQL extended stored procedures to execute Windows shell commands. Host-based indicators related to COSMICENERGY are available on the Anomali platform for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information | [MITRE ATT&CK] T0807 – Command-Line Interface | [MITRE ATT&CK] T0809 – Data Destruction | [MITRE ATT&CK] T0831 – Manipulation of Control | [MITRE ATT&CK] T0855 – Unauthorized Command Message | [MITRE ATT&CK] T1059 – Command and Scripting Interpreter | [MITRE ATT&CK] T1059.006 – Command and Scripting Interpreter: Python | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1070 – Indicator Removal | [MITRE ATT&CK] T1070.004 – Indicator Removal: File Deletion | [MITRE ATT&CK] T1083 – File and Directory Discovery
Signatures: PIEHOP – YARA by Mandiant | LIGHTWORK – YARA by Mandiant.
tags: malware:COSMICENERGY, malware:PIEHOP, malware:LIGHTWORK, malware-type:Disruption tool, abused:PyInstaller, abused:Python, abused:C++, malware:IRONGATE, malware:TRITON, malware:INCONTROLLER, file-type:EXE, abused:IEC-104, target-system:OT, target-system:Windows
Buhti: New ransomware operation relies on repurposed payloads
(Published: May 25, 2023)
Buhti (Blacktail) is a relatively new ransomware operation that targets Windows and Linux systems with double-extortion attacks. The group is quick to take advantage of new exploits for initial access: it was seen exploiting vulnerabilities in PaperCut NG and MF (CVE-2023-27350) and in IBM’s Aspera Faspex file exchange application (CVE-2022-47986). Buhti has developed its own custom exfiltration tool, but for encryption the group uses variants of the leaked LockBit and Babuk ransomware families.
Analyst Note: Keeping software updated with the latest security patches is critical for users and organizations. This includes both the operating system and any applications in use. Ensure a security system is in place that can proactively provide comprehensive protection against attackers targeting new vulnerabilities. Host-based indicators related to Buhti campaigns are available on the Anomali platform for ongoing infections and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1005 – Data from Local System | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1486 – Data Encrypted for Impact
tags: malware:Buhti, malware:LockBit, malware:Babuk, malware-type:Ransomware, actor:Blacktail, actor:Buhti, malware-type:Exfiltration Tool, malware:Cobalt Strike Beacon, malware:Meterpreter, malware:Cobalt Strike, malware:shard, abused:AnyDesk, abused:ConnectWise, target-software:PaperCut, vulnerability:CVE-2023-27350, target-software:Aspera Faspex, vulnerability:CVE-2022-47986, target-system:Windows, target-system:Linux
People’s Republic of China state-sponsored cyber actor living off the land to evade detection
(Published: May 24, 2023)
International cyber security authorities (Australia, Canada, New Zealand, the UK and the US) have issued a joint cyber security advisory on recently discovered activity attributed to the China-sponsored Volt Typhoon threat group. The group has targeted Windows-based systems across US critical infrastructure while hiding behind previously compromised small office/home office (SOHO) network devices in the target’s geographic area. The group relies mainly on living off the land: using built-in network administration tools such as netsh, ntdsutil, PowerShell and the Windows Management Instrumentation Command-line (WMIC). This lets Volt Typhoon blend its operations in with normal administrative activity while achieving goals such as gathering information about the storage devices on the local host and extracting password hashes from the main Active Directory database file. The actor also used several hacking tools: the Earthworm tunneling tool, custom Fast Reverse Proxy (FRP) clients, Impacket, Mimikatz, and various remote management tools.
Analyst Note: Network defenders need to detect suspicious commands and distinguish them from legitimate system administration commands. Activities such as setting up a proxy are uncommon in legitimate system administration and should be limited to an as-needed basis. Use the available indicators and signatures to identify and investigate potentially suspicious activity.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1047 – Windows Management Instrumentation | [MITRE ATT&CK] T1059.001 – Command and Scripting Interpreter: PowerShell | [MITRE ATT&CK] T1059.003 – Command and Scripting Interpreter: Windows Command Shell | [MITRE ATT&CK] T1505.003 – Server Software Component: Web Shell | [MITRE ATT&CK] T1546 – Event Triggered Execution | [MITRE ATT&CK] T1070.001 – Indicator Removal: Clear Windows Event Logs | [MITRE ATT&CK] T1003.003 – OS Credential Dumping: NTDS | [MITRE ATT&CK] T1110 – Brute Force | [MITRE ATT&CK] T1110.003 – Brute Force: Password Spraying | [MITRE ATT&CK] T1003 – OS Credential Dumping | [MITRE ATT&CK] T1555 – Credentials from Password Stores | [MITRE ATT&CK] T1082 – System Information Discovery | [MITRE ATT&CK] T1033 – System Owner/User Discovery | [MITRE ATT&CK] T1069.001 – Permission Groups Discovery: Local Groups | [MITRE ATT&CK] T1069.002 – Permission Groups Discovery: Domain Groups | [MITRE ATT&CK] T1016 – System Network Configuration Discovery | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1090.002 – Proxy: External Proxy
Signatures: ShellJSP – YARA | EncryptJSP – YARA | Volt Typhoon custom FRP tool – YARA | HACKTOOL_FRPClient – YARA.
tags: actor:Volt Typhoon, target-country:USA, target-sector:Critical Infrastructure, origin-country:China, technique:Living off the Land, malware:Earthworm, malware:Fast Reverse Proxy, malware:FRP, malware-type:Tunnel, malware:Mimikatz, abused:netsh, abused:ntdsutil, abused:PowerShell, abused:wmic, abused:Impacket, open-port:8080, open-port:8443, open-port:8043, open-port:8000, open-port:10443, target-system:Windows
The Lazarus group targets Windows IIS web servers
(Published: May 23, 2023)
Lazarus Group, a North Korea-sponsored threat actor, has been detected targeting Windows Internet Information Services (IIS) web servers. After gaining access to a misconfigured or vulnerable IIS server, the actor deploys a DLL side-loading trio (DAT, DLL, and EXE files) via the IIS worker process, w3wp.exe. In a second stage it loads additional malware (diagn.dll) by abusing the open-source Color Picker plugin, and decrypts an information stealer that dumps credentials from LSASS memory. After acquiring system credentials, Lazarus Group performed internal reconnaissance before using Remote Desktop Protocol (port 3389) for lateral movement into the internal network.
Analyst Note: Network defenders are advised to monitor for abnormal process execution relationships. Host-based indicators associated with Lazarus Group’s IIS targeting are available on the Anomali platform for historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1190 – Exploit Public-Facing Application | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: DLL Side-Loading | [MITRE ATT&CK] T1070.004 – Indicator Removal: File Deletion | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: LSASS Memory | [MITRE ATT&CK] T1027 – Obfuscated Files or Information | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files or Information
tags: mitre-group:Lazarus Group, detection:Trojan/Win.LazarLoader, target-software:IIS Web Server, abused:w3wp.exe, abused:Salsa20, open-port:3389, file-type:DLL, file-type:EXE, file-type:DAT, target-system:Windows
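The analyst notes for COSMICENERGY, Volt Typhoon and Lazarus Group above all come down to spotting a small set of process-creation and file-creation patterns: a database or web server worker spawning a shell, PyInstaller unpacking into a temp folder, and built-in tools such as ntdsutil and netsh used for credential access or proxying. The detection logic below is an added example written for this digest, not an Anomali or vendor detection; the telemetry is constructed, and the command-line tokens it matches on are this example’s own assumptions about how those tools look when misused.

```python
import json
import re

# Rules over Windows process- and file-creation telemetry, following the analyst notes.
# The command-line tokens (ntdsutil "ifm"/"ntds", netsh "portproxy", wmic "process call
# create") and the parent/child pairs are this example's assumptions, not page content.
SHELLS = {"cmd.exe", "powershell.exe"}
RULES = [
    ("LOTL: ntdsutil exporting the Active Directory database (NTDS)",
     lambda e: e["image"] == "ntdsutil.exe" and re.search(r"\b(ifm|ntds)\b", e["cmd"], re.I)),
    ("LOTL: netsh configuring a port proxy",
     lambda e: e["image"] == "netsh.exe" and "portproxy" in e["cmd"].lower()),
    ("LOTL: wmic spawning a process",
     lambda e: e["image"] == "wmic.exe" and "process call create" in e["cmd"].lower()),
    ("SQL Server spawning a shell (extended stored procedure such as xp_cmdshell)",
     lambda e: e["parent"] == "sqlservr.exe" and e["image"] in SHELLS),
    ("IIS worker process w3wp.exe spawning a shell",
     lambda e: e["parent"] == "w3wp.exe" and e["image"] in SHELLS),
]
# PyInstaller one-file binaries unpack their bundled files into %TEMP%\_MEI<digits>\ at run time.
PYINSTALLER_TMP = re.compile(r"\\Temp\\_MEI\d+\\", re.I)

def detect(lines):
    """Return (rule name, event) for every JSON telemetry line that matches a rule.
    Process events carry parent/image/cmd; file events carry path."""
    hits = []
    for line in lines:
        e = json.loads(line)
        if e["type"] == "file":
            if PYINSTALLER_TMP.search(e["path"]):
                hits.append(("packaged Python: PyInstaller _MEI temp folder created", e))
            continue
        hits.extend((name, e) for name, rule in RULES if rule(e))
    return hits

# Constructed sample telemetry (not real logs); hosts, paths and commands are made up.
SAMPLE_EVENTS = [
    {"type": "process", "host": "dc01", "parent": "cmd.exe", "image": "ntdsutil.exe",
     "cmd": r'ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\x" q q'},
    {"type": "process", "host": "dc01", "parent": "cmd.exe", "image": "netsh.exe",
     "cmd": "netsh interface portproxy add v4tov4 listenport=8443 connectaddress=10.0.0.5"},
    {"type": "process", "host": "web01", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c whoami"},
    {"type": "process", "host": "db01", "parent": "sqlservr.exe", "image": "cmd.exe",
     "cmd": "cmd.exe /c dir C:\\"},
    {"type": "process", "host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Get-Service"},                    # routine admin use: no hit
    {"type": "file", "host": "ws02", "path": r"C:\Users\op\AppData\Local\Temp\_MEI48162\python39.dll"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]
```

`detect(SAMPLE_LINES)` returns five hits, one per malicious sample, and nothing for the ordinary PowerShell session; in production the same rules would run over Sysmon or Security event log exports rather than this constructed list.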