
Anomali Cyber Watch: FIN8 Exploits Citrix NetScaler, CollectionRAT Added to Lazarus Toolset, Whiffy Recon Reports Windows Device Location, and More

Anomali Threat Research
August 29, 2023
<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, China, North Korea, Package-name typosquatting, Polyglot files, Ransomware,</b> and<b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img alt="Image" src="https://cdn.filestackcontent.com/5tCown8ISEOxVeTnMMJQ"/> <br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/attacks-on-citrix-netscaler-systems-linked-to-ransomware-actor/" target="_blank">Attacks on Citrix NetScaler Systems Linked to Ransomware Actor</a></h3> <p>(published: August 28, 2023)</p> <p> A threat actor, assessed with moderate confidence to be linked to the FIN8 group and the BlackCat/ALPHV ransomware, has been exploiting the CVE-2023-3519 remote code execution vulnerability to compromise unpatched Citrix NetScaler systems. The campaign, which has been monitored by Sophos since mid-August 2023, involves payload injections, the use of BlueVPS for malware staging, deployment of obfuscated PowerShell scripts, and dropping of PHP webshells on victim machines. These recent attacks are believed to be part of the same ransomware campaign reported by Fox-IT earlier in August 2023.<br/> <b>Analyst Comment:</b> Fox-IT estimated that over 31,000 Citrix NetScaler instances remained vulnerable to CVE-2023-3519, more than a month after the security update was made available. Therefore, organizations with Citrix NetScaler infrastructure should immediately check it for signs of compromise and patch the vulnerability. 
Network defenders are advised to examine their data from before mid-July 2023 against newly-released indicators available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&amp;CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9869" target="_blank">[MITRE ATT&amp;CK] T1505.003 - Server Software Component: Web Shell</a><br/> <b>Tags:</b> vulnerability:CVE-2023-3519, target-software:Citrix NetScaler, abused:BlueVPS, abused:PowerShell, threat-type:Ransomware, actor:FIN8, malware:BlackCat, malware:ALPHV, malware-type:Webshell, file-type:DLL, file-type:EXE, file-type:PHP, file-type:PS1, target-system:Windows </p> <h3 id="article-1"><a href="https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html" target="_blank">Maldoc in PDF - Detection Bypass by Embedding a Malicious Word File into a PDF File</a></h3> <p>(published: August 28, 2023)</p> <p> A new technique dubbed “MalDoc in PDF” has been detected in the wild. In July 2023, the Japan Computer Emergency Response Team (JPCERT) detected a polyglot PDF/MHT file. It had the magic numbers and file structure of a PDF, but carried a .DOC extension and allowed users to enable malicious macros when opened in Microsoft Word. 
This technique aims to evade detection by PDF analysis tools, antivirus products, and sandbox software. MalDoc in PDF can use DOC, MHT, and XLS files, but in the XLS case the user is shown an additional warning from Excel that the file extension does not match.<br/> <b>Analyst Comment:</b> Security settings that disable auto-execution of macros in Microsoft Office can provide protection against this threat. Traditional PDF analysis tools may not detect the malicious content, but other analysis tools like OLEVBA can. All known indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure. In addition, JPCERT, along with other Advisory, News and Blog sources, is available as an RSS feed, and for AutoLens+ subscribers these are also <a href="https://ui.threatstream.com/tip/9382751" target="_blank">tagged and summarized</a>.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/23223" target="_blank">[MITRE ATT&amp;CK] Resource Development - Develop Capabilities: Malware [T1587.001]</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&amp;CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a><br/> <b>Tags:</b> technique:Maldoc in PDF, technique:Polyglot file, target-software:Microsoft Word, file-type:DOC, file-type:MHT, file-type:PDF, file-type:VBS, file-type:MSI, target-system:Windows </p> <h3 id="article-1"><a href="https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/" target="_blank">Flax Typhoon Using Legitimate Software to Quietly Access Taiwanese 
Organizations</a></h3> <p>(published: August 24, 2023)</p> <p> Since mid-2021, the China-sponsored cyberespionage group Flax Typhoon (Ethereal Panda) has targeted critical manufacturing, education, government agencies, and information technology organizations in Taiwan and other regions. Microsoft researchers have detected a new campaign targeting multiple organizations in Taiwan. Observed from November 2022 to August 2023, this activity stops at gaining and maintaining long-term access; no follow-up data exfiltration had been detected at the time of publication. Initial access was achieved by exploiting known vulnerabilities in Java, SQL, VPN, and web applications. The attackers deployed web shells such as China Chopper and, where needed, open-source privilege-escalation tools such as BadPotato and Juicy Potato. Flax Typhoon has frequently used Mimikatz to dump credentials. Beyond these malware families, Flax Typhoon relies on living-off-the-land binaries (LOLBins), disables network-level authentication (NLA) for RDP, abuses the Sticky Keys accessibility feature, and establishes VPN-over-HTTPS tunnels by installing a legitimate SoftEther VPN bridge. <br/> <b>Analyst Comment:</b> Organizations should adhere to vulnerability and patch management, particularly on systems and services exposed to the Internet. Consider system hardening and network segmentation, monitor for registry changes and unauthorized RDP traffic, and enforce strong multifactor authentication (MFA) policies or passwordless sign-in methods. Compromised systems must be isolated and investigated, potentially compromised passwords changed, and account activity reviewed. 
All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9869" target="_blank">[MITRE ATT&amp;CK] T1505.003 - Server Software Component: Web Shell</a> | <a href="https://ui.threatstream.com/attackpattern/14432" target="_blank">[MITRE ATT&amp;CK] picus-security: The Most Used ATT&amp;CK Technique — T1059 Command and Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9799" target="_blank">[MITRE ATT&amp;CK] T1546.008 - Event Triggered Execution: Accessibility Features</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9860" target="_blank">[MITRE ATT&amp;CK] T1543.003 - Create or Modify System Process: Windows Service</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9733" target="_blank">[MITRE ATT&amp;CK] T1572 - Protocol Tunneling</a> | <a href="https://ui.threatstream.com/attackpattern/9808" target="_blank">[MITRE ATT&amp;CK] T1003.001 - OS Credential Dumping: Lsass Memory</a> | <a href="https://ui.threatstream.com/attackpattern/9684" target="_blank">[MITRE ATT&amp;CK] T1003.002 - OS Credential Dumping: Security Account Manager</a> | <a href="https://ui.threatstream.com/attackpattern/9973" target="_blank">[MITRE ATT&amp;CK] T1550.002 - Use Alternate Authentication Material: Pass The Hash</a><br/> <b>Tags:</b> actor:Flax Typhoon, actor:ETHEREAL PANDA, source-country:CN, malware:Mimikatz, 
malware-type:Credential stealer, malware-type:Web shell, malware:China Chopper, malware:Juicy Potato, malware:BadPotato, malware-type:Privilege escalation tool, detection:HackTool:Win32/Mimikatz, detection:Trojan:Win32/Swrort, detection:HackTool:Win32/Badcastle, detection:Behavior:Win32/CobaltStrike, detection:Backdoor:ASP/Chopper, target-country:TW, Cyberespionage, threat-type:LOLBin, abused:PowerShell, abused:Invoke-WebRequest, abused:certutil, abused:bitsadmin, abused:WinRM, abused:WMIC, abused:SoftEther VPN, technique:VPN-over-HTTPS, abused:Sticky Keys, open-port:443, target-system:Windows </p> <h3 id="article-1"><a href="https://blog.talosintelligence.com/lazarus-collectionrat/" target="_blank">Lazarus Group's Infrastructure Reuse Leads to Discovery of New Malware</a></h3> <p>(published: August 24, 2023)</p> <p> The North Korea-sponsored Lazarus Group (APT38) has launched a new campaign exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966). Cisco Talos researchers detected targeting of internet backbone infrastructure and healthcare entities in Europe and the United States. The group is deploying a new malware called CollectionRAT in addition to its QuiteRAT malware, first discovered in February 2023. CollectionRAT is delivered as a packed Microsoft Foundation Class library-based Windows binary that decrypts and executes the actual malware code on the fly. It can also open a reverse shell, allowing the operators to run arbitrary commands on the system. The associated staging infrastructure hosted additional open-source tools (PuTTY’s Plink) and C2 frameworks (an ELF binary for the DeimosC2 agent).<br/> <b>Analyst Comment:</b> Lazarus Group keeps introducing new private and public tools, but it continues to reuse the infrastructure and code-signing certificates seen in its previous campaigns, which gives security researchers additional detection opportunities. 
All known network indicators associated with CollectionRAT and QuiteRAT are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9733" target="_blank">[MITRE ATT&amp;CK] T1572 - Protocol Tunneling</a> | <a href="https://ui.threatstream.com/attackpattern/10061" target="_blank">[MITRE ATT&amp;CK] T1588.003 - Obtain Capabilities: Code Signing Certificates</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/9633" target="_blank">[MITRE ATT&amp;CK] T1003 - OS Credential Dumping</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a><br/> <b>Tags:</b> actor:Lazarus Group, actor:Andariel, malware:CollectionRAT, malware:QuiteRAT, malware-type:RAT, vulnerability:CVE-2022-47966, 
target-software:ManageEngine ServiceDesk, malware:PuTTY, malware-type:Reverse-tunneling tool, malware:DeimosC2, malware-type:C2 framework, target-region:Europe, target-country:US, target-industry:IT, target-industry:Healthcare, abused:Microsoft Foundation Class, target-system:Linux, target-system:Windows </p> <h3 id="article-1"><a href="https://www.secureworks.com/blog/smoke-loader-drops-whiffy-recon-wi-fi-scanning-and-geolocation-malware" target="_blank">Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware</a></h3> <p>(published: August 23, 2023)</p> <p> On August 8, 2023, Secureworks researchers discovered a new malware dubbed Whiffy Recon, which was being dropped by the Smoke Loader botnet. The malware persists on the system by creating a shortcut in the user's Startup folder. The malware checks for the presence of the WLANSVC service before proceeding to run two main loops, one for registering the bot with the C2 server and the other for performing Wi-Fi scanning via the Windows WLAN API. It triangulates the infected systems' positions using nearby Wi-Fi access points as data points for Google's geolocation API.<br/> <b>Analyst Comment:</b> The location data could potentially be leveraged for reconnaissance, surveillance, victim extortion, and physical targeting. 
All known Whiffy Recon indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/23232" target="_blank">[MITRE ATT&amp;CK] Discovery - Network Service Discovery [T1046]</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/10082" target="_blank">[MITRE ATT&amp;CK] T1614 - System Location Discovery</a><br/> <b>Tags:</b> malware:Whiffy Recon, malware-type:Tracking, malware:Smoke Loader, malware-type:Botnet, abused:Google geolocation API, abused:Windows WLAN API, target-system:Windows </p> <h3 id="article-1"><a href="https://www.reversinglabs.com/blog/fake-roblox-api-packages-luna-grabber-npm" target="_blank">Fake Roblox Packages Target npm with Luna Grabber Information-Stealing Malware</a></h3> <p>(published: August 22, 2023)</p> <p> Since August 1, 2023, a new malicious campaign spreading via the npm public repository has been targeting developers of the Roblox gaming platform. The actor used malicious packages imitating the legitimate package noblox.js, a Node.js Roblox API wrapper. The code from the legitimate noblox.js package was reproduced, but the postinstall.js script was edited. The first uploaded version of the typosquatted package had an empty postinstall.js; the second exfiltrated the system name if installed on Windows. Subsequent versions additionally contacted the Discord CDN to download and run a PyInstaller-compiled executable. 
This executable delivers the open-source Luna Grabber infostealer.<br/> <b>Analyst Comment:</b> This noblox.js impersonation campaign went to great lengths to create believable profiles for the packages and to obfuscate the real purpose of the malicious scripts. Software developers should verify dependency names carefully before installing them. Static code analysis can flag potentially malicious packages by looking for signs such as embedded URLs pointing to Discord, links to a frequently-abused file format, enumeration of user and file information from the local host, and functions registered to listen for a specific event. Host-based indicators associated with this campaign are available in the Anomali platform for ongoing infections and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a><br/> <b>Tags:</b> malware:Luna Grabber, malware-type:Infostealer, abused:Discord CDN, abused:npm, technique:Typosquatting, threat-type:Malicious package, file-type:BAT, target-system:Windows </p> </div> </p></div>
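The MalDoc in PDF item above turns on a structural mismatch: PDF magic bytes and layout, an MHT body that Word will parse, a macro container inside that body, and an Office extension so that Word rather than a PDF reader opens the file. The Python triage script below is an added example (not JPCERT's or Anomali's tooling) that checks for exactly that mismatch as a cheap pre-filter before handing a sample to OLEVBA; the file names, marker lists and sample bytes are constructed for illustration.

```python
"""Triage check for "MalDoc in PDF" polyglots (added example, not JPCERT's tool).

Flags files that start with the PDF magic number but also carry an MHT (Word
web-archive) body with an embedded macro container, especially when they arrive
under an Office extension. This is a pre-filter; confirm macros with OLEVBA.
"""
import os
from typing import Dict, List

PDF_MAGIC = b"%PDF-"
# MHT / MIME web-archive headers that Word honours even when wrapped in a PDF.
MHT_MARKERS = (b"MIME-Version:", b"Content-Type: multipart/related", b"Content-Location:")
# Signs of an OLE/VBA container inside the MHT body (where the macro lives).
MACRO_MARKERS = (b"editdata.mso", b"application/x-mso", b"vbaProject")
# Extensions the item names as usable for this trick (DOC was seen in the wild).
OFFICE_EXTENSIONS = {".doc", ".xls", ".mht"}


def analyse_bytes(data: bytes, filename: str) -> Dict[str, object]:
    """Return structural findings and a verdict for one file's content and name."""
    ext = os.path.splitext(filename)[1].lower()
    # PDF readers tolerate leading junk before %PDF-, so search the first 1 KiB.
    pdf_offset = data.find(PDF_MAGIC, 0, 1024)
    mht_hits: List[str] = [m.decode() for m in MHT_MARKERS if m in data]
    macro_hits: List[str] = [m.decode() for m in MACRO_MARKERS if m in data]
    has_pdf = pdf_offset >= 0
    polyglot = has_pdf and len(mht_hits) >= 2       # PDF shell plus a MIME body
    mismatch = has_pdf and ext in OFFICE_EXTENSIONS  # PDF bytes under an Office name
    if polyglot and (mismatch or macro_hits):
        verdict = "maldoc-in-pdf"
    elif polyglot or mismatch:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "file": filename,
        "pdf_offset": pdf_offset,
        "extension": ext,
        "mht_markers": mht_hits,
        "macro_markers": macro_hits,
        "extension_mismatch": mismatch,
        "verdict": verdict,
    }


def analyse_file(path: str) -> Dict[str, object]:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return analyse_bytes(fh.read(), os.path.basename(path))


# Constructed samples (not real malware): a plain PDF and a PDF/MHT polyglot skeleton
# whose MHT part references the editdata.mso OLE container a macro document carries.
BENIGN_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
POLYGLOT_DOC = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart_000\"\n\n"
    b"------=_NextPart_000\n"
    b"Content-Location: file:///C:/doc_files/editdata.mso\n"
    b"Content-Type: application/x-mso\n"
    b"Content-Transfer-Encoding: base64\n\n(base64 OLE blob would follow)\n"
)


def scan_samples() -> Dict[str, str]:
    """Run both constructed samples and return {filename: verdict}."""
    results = {}
    for name, blob in (("report.pdf", BENIGN_PDF), ("invoice.doc", POLYGLOT_DOC)):
        results[name] = analyse_bytes(blob, name)["verdict"]
    return results


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```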
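The analyst comment on the Luna Grabber item lists the static signs that give away a package like the fake noblox.js: an install-time script, embedded Discord URLs, a frequently-abused file type being fetched, host enumeration, and an event listener. The Python triage script below is an added example (not ReversingLabs' or npm's tooling) that encodes those checks plus a name-similarity test against the impersonated package; the package name noblox.js-example, the package.json and the inert postinstall.js are constructed stand-ins, not the campaign's files.

```python
"""Static triage of a downloaded npm package (added example, not ReversingLabs' tool).

Scores a package on: lifecycle (install-time) scripts, embedded Discord URLs,
download of an abused file type, host/user enumeration, a Windows-only gate,
an event-listener hook, and a name that imitates the legitimate noblox.js.
"""
import difflib
import json
import re
from typing import Dict, Optional

KNOWN_GOOD = {"noblox.js"}                       # impersonated package named in the item
LIFECYCLE = ("preinstall", "install", "postinstall")

RULES = {
    "discord_url": re.compile(r"https?://(?:cdn\.)?discord(?:app)?\.com/\S+", re.I),
    "abused_file": re.compile(r"\.(?:exe|bat|scr|ps1|msi)\b", re.I),
    "host_enum":   re.compile(r"\bos\.(?:hostname|userInfo|homedir|networkInterfaces)\s*\("),
    "exec_call":   re.compile(r"child_process|\bexecSync\s*\(|\bspawn\s*\("),
    "win_gate":    re.compile(r"process\.platform\s*===?\s*['\"]win32['\"]"),
    "event_hook":  re.compile(r"\.on\(\s*['\"][\w-]+['\"]"),
}


def typosquat_of(name: str) -> Optional[str]:
    """Return the legitimate name this package name imitates, or None."""
    if name in KNOWN_GOOD:
        return None
    for good in KNOWN_GOOD:
        # Either the real name is embedded (noblox.js-foo) or it is one edit away.
        if good in name or difflib.SequenceMatcher(None, name, good).ratio() >= 0.8:
            return good
    return None


def triage_package(package_json: str, files: Dict[str, str]) -> Dict[str, object]:
    """package_json: raw package.json text; files: {relative path: JS source}."""
    meta = json.loads(package_json)
    name = meta.get("name", "")
    scripts = meta.get("scripts", {})
    hooks = {h: scripts[h] for h in LIFECYCLE if h in scripts}
    hits: Dict[str, list] = {}
    for path, src in files.items():
        matched = [rule for rule, rx in RULES.items() if rx.search(src)]
        if matched:
            hits[path] = matched
    impersonates = typosquat_of(name)
    # Weighting is a judgement call: a lifecycle hook alone is common and scores low.
    score = len(hooks) + (3 if impersonates else 0) + sum(len(v) for v in hits.values())
    return {
        "name": name,
        "impersonates": impersonates,
        "lifecycle_hooks": hooks,
        "hits": hits,
        "score": score,
        "verdict": "review" if score >= 4 else "ok",
    }


# Constructed package.json files and an inert postinstall.js; not the campaign's files.
CLEAN_PKG = json.dumps({"name": "noblox.js", "version": "4.0.0", "scripts": {"test": "mocha"}})
CLEAN_FILES = {"lib/index.js": "module.exports = { getUser() { return null; } };\n"}

SQUAT_PKG = json.dumps({"name": "noblox.js-example", "version": "4.0.1",
                        "scripts": {"postinstall": "node postinstall.js"}})
SQUAT_FILES = {
    "lib/index.js": CLEAN_FILES["lib/index.js"],
    "postinstall.js": (
        "const os = require('os');\n"
        "const cp = require('child_process');\n"
        "if (process.platform === 'win32') {\n"
        "  const host = os.hostname();\n"
        "  const staged = 'https://cdn.discordapp.com/attachments/PLACEHOLDER/update.exe';\n"
        "  process.on('exit', () => {});\n"
        "}\n"
    ),
}


def triage_samples() -> Dict[str, str]:
    """Triage both constructed packages and return {package name: verdict}."""
    return {
        "noblox.js": triage_package(CLEAN_PKG, CLEAN_FILES)["verdict"],
        "noblox.js-example": triage_package(SQUAT_PKG, SQUAT_FILES)["verdict"],
    }


if __name__ == "__main__":
    print(json.dumps(triage_package(SQUAT_PKG, SQUAT_FILES), indent=2))
```

Run it against an unpacked tarball by reading package.json and each .js file into the `files` mapping; `npm pack` gives you the tarball without running any lifecycle script.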
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.


This executable delivers the open-source Luna Grabber infostealer.<br/> <b>Analyst Comment:</b> This noblox.js impersonation campaign went to great lengths to create believable profiles for the packages and to obfuscate the real purpose of the malicious scripts. Software developers should verify the exact names of dependencies before installing them. Static code analysis can uncover potentially malicious packages by looking for signs such as embedded URLs pointing to Discord, linking to a frequently-abused file format, enumerating user and file information from the local host, and adding a function to listen for a specific event. Host-based indicators associated with this campaign are available in the Anomali platform for ongoing infections and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a><br/> <b>Tags:</b> malware:Luna Grabber, malware-type:Infostealer, abused:Discord CDN, abused:npm, technique:Typosquatting, threat-type:Malicious package, file-type:BAT, target-system:Windows </p> </div> </p></div>
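As an added example (not code from this page or from ReversingLabs), a small Python triage script that applies the static-analysis signs listed in the analyst comment above to an unpacked npm package: a look-alike name close to a known package, an install-time lifecycle hook, and scripts containing Discord URLs, abused file extensions, host enumeration calls or event listeners. The regexes, the allowlist and the sample package contents are this example's own assumptions, constructed to mirror the shape of the campaign.

```python
import json
import re

KNOWN_PACKAGES = ["noblox.js"]  # hypothetical allowlist of names a typosquat would imitate

# One regex per sign from the analyst comment; the exact patterns are assumptions of this example.
SIGNS = {
    "discord_url": re.compile(r"https?://(?:cdn\.)?discord(?:app)?\.com/\S+", re.I),
    "abused_file_type": re.compile(r"\.(?:exe|bat|scr)\b", re.I),
    "host_enumeration": re.compile(r"os\.(?:userInfo|hostname|platform)\(\)|process\.platform"),
    "event_listener": re.compile(r"\.(?:on|addListener)\(\s*['\"][a-z]+['\"]"),
}

def edit_distance(a, b):
    """Levenshtein distance: flags names one or two typos away from a known package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan_package(files):
    """files maps path -> text of an unpacked package; returns a list of human-readable findings."""
    meta = json.loads(files["package.json"])
    findings = []
    name = meta.get("name", "")
    for known in KNOWN_PACKAGES:
        d = edit_distance(name, known)
        if 0 < d <= 2:
            findings.append(f"name '{name}' is {d} edit(s) from '{known}'")
    for hook in ("preinstall", "install", "postinstall"):  # lifecycle scripts run on npm install
        if hook in meta.get("scripts", {}):
            findings.append(f"{hook} hook: {meta['scripts'][hook]}")
    for path, text in files.items():
        if path.endswith(".js"):
            findings.extend(f"{label} in {path}" for label, rx in SIGNS.items() if rx.search(text))
    return findings

# Constructed sample mimicking the campaign's shape: a look-alike name, a postinstall hook, and an
# inert script that only checks for Windows, reads the username and embeds a placeholder Discord URL.
SAMPLE_PACKAGE = {
    "package.json": json.dumps({"name": "nob1ox.js", "version": "1.0.0",
                                "scripts": {"postinstall": "node postinstall.js"}}),
    "postinstall.js": "const os = require('os');\nif (os.platform() === 'win32') {\n"
                      "  const user = os.userInfo().username;\n"
                      "  const url = 'https://cdn.discordapp.com/attachments/EXAMPLE/payload.exe';\n"
                      "  process.on('exit', () => {});\n}\n",
}
```

Running `scan_package(SAMPLE_PACKAGE)` yields six findings (the name distance, the postinstall hook and all four script signs); a package whose name is far from the allowlist and has no hooks or flagged scripts yields none.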
