Blog

Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More

Anomali Threat Research
April 27, 2021
Table of contents
<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Android Malware, RATs, Phishing, QLocker Ransomware</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/TLtbQcmmR7yXJgayH7z0"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/zero-day-vulnerabilities-in-sonicwall-email-security-are-being-exploited-in-the-wild/#ftag=RSSbaffb68" target="_blank">Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited </a></h3> <p>(published: April 21, 2021)</p> <p>US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.<br/> <b>Analyst Comment:</b> The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a><br/> <b>Tags:</b> CVE-2021-20021, CVE-2021-20023, CVE-2021-20022</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/" target="_blank">Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices </a></h3> <p>(published: April 21, 2021)</p> <p>The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable.<br/> <b>Analyst Comment:</b> Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947241" target="_blank">[MITRE ATT&amp;CK] Credentials in Files - T1081</a><br/> <b>Tags:</b> Tor, Qlocker, CVE-2020-2509, CVE-2020-36195</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://threatpost.com/email-campaign-targets-bloomberg-clients/165514/" target="_blank">Novel Email-Based Campaign Targets Bloomberg Clients with RATs</a></h3> <p>(published: April 21, 2021)</p> <p>A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to clients of Bloomberg BNA, which has since been rebranded Bloomberg Industry Group. The emails claim to contain an invoice for clients but instead include an attached Excel spreadsheet that contains macro code to either download the next infection stage or drop and run the final payload, which is always a Javascript- or VB-based RAT.<br/> <b>Analyst Comment:</b> All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service. In lieu of that, antivirus should be configured to automatically scan downloaded attachments.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947256" target="_blank">[MITRE ATT&amp;CK] Uncommonly Used Port - T1065</a><br/> <b>Tags:</b> NanoCore RAT, Government, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.infosecurity-magazine.com:443/news/multiple-apt-groups-exploit-pulse/" target="_blank">Multiple APT Groups Exploit Critical Pulse Secure Zero-Day</a></h3> <p>(published: April 21, 2021)</p> <p>A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets,The vulnerability (CVE-2021-22893) has a CVSS score of 10.0 and is listed as a critical authentication bypass vulnerability in Pulse Connect Secure. It's being used in combination with multiple legacy CVEs (CVE-2019-11510, CVE-2020-8243, CVE-2020-8260) in the product from 2019 and 2020. The UK's NCSC and US CISA have released emergency guidance on this breaking threat.<br/> <b>Analyst Comment:</b> Pulse Secure has released a tool for their customers in response to the vulnerability that can be found here: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755. All companies that use Pulse Connect Secure should review the mitigation documents and run the tool to check the integrity of Pulse Connect Secure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2336969" target="_blank">[MITRE ATT&amp;CK] Registry Run Keys / Startup Folder - T1060</a><br/> <b>Tags:</b> UNC2630, APT5, CVE-2019-11510, CVE-2020-8243, CVE-2021-22893, CVE-2020-8260, Banking And Finance, GovernmentEU &amp; UK, China</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/" target="_blank">HabitsRAT Used to Target Linux and Windows Servers</a></h3> <p>(published: April 20, 2021)</p> <p>Researchers have discovered a new malware written in Go, which is being called HabitsRAT. The Windows version of the malware was first reported on by Brian Krebs and The Shadowserver Foundation in attacks against Microsoft Exchange servers. In addition to this version,a newer Windows variant and a variant targeting Linux environments have been identified. The malware allows the attacker to control the compromised machine remotely.<br/> <b>Analyst Comment:</b> Always keep servers patched and up to date to prevent possible attacks. New malware is constantly being developed and it’s important that security measures are in place. Customers should also use backup solutions in the event of extensive malware persistence.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947210" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947101" target="_blank">[MITRE ATT&amp;CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947139" target="_blank">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a><br/> <b>Tags:</b> sCHtAsks.exe, systemd, HabitsRAT, Intezer</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.zdnet.com/article/lazarus-state-hacking-group-now-hides-payloads-in-bmp-image-files/#ftag=RSSbaffb68" target="_blank">Lazarus Group Hides Payloads in BMP Image Files </a></h3> <p>(published: April 20, 2021)</p> <p>The Lazarus Group, reportedly a North Korean state-sponsored advanced persistent threat (APT) group, is using a malicious phishing document to infect South Korean organizations. In this campaign,the Word document requires the user to enable macros and launches an HTA executable from within the BMP file, which is the RAT payload. A C2 connection is then made and control is established. Known as one of the most prolific and sophisticated APTs out there, Lazarus has been in operation for over a decade and is considered responsible for worldwide attacks that include the WannaCry ransomware outbreak, bank thefts and assaults against cryptocurrency exchanges.<br/> <b>Analyst Comment:</b> Avoid documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> Lazarus group, Lazarus, WannaCry, North Korea</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clever-billing-fraud-applications-on-google-play-etinu/" target="_blank">Clever Billing Fraud Applications on Google Play: Etinu</a></h3> <p>(published: April 19, 2021)</p> <p>A new wave of fraudulent apps has made its way to the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula. The malware embedded in these fraudulent apps hijacks SMS message notifications and then makes unauthorized purchases. While apps go through a review process to ensure they are legitimate, these apps made their way into the store by submitting a clean version of the app for review and then introducing the malicious code via updates later.<br/> <b>Analyst Comment:</b> It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources that are more likely to allow malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947268" target="_blank">[MITRE ATT&amp;CK] Hidden Files and Directories - T1158</a><br/> <b>Tags:</b> Joker, Android, Mobile Malware</p> </div>
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

April 27, 2021
-
Anomali Threat Research
,

Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Android Malware, RATs, Phishing, QLocker Ransomware</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/TLtbQcmmR7yXJgayH7z0"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/zero-day-vulnerabilities-in-sonicwall-email-security-are-being-exploited-in-the-wild/#ftag=RSSbaffb68" target="_blank">Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited </a></h3> <p>(published: April 21, 2021)</p> <p>US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.<br/> <b>Analyst Comment:</b> The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947278" target="_blank">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a><br/> <b>Tags:</b> CVE-2021-20021, CVE-2021-20023, CVE-2021-20022</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.bleepingcomputer.com/news/security/massive-qlocker-ransomware-attack-uses-7zip-to-encrypt-qnap-devices/" target="_blank">Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices </a></h3> <p>(published: April 21, 2021)</p> <p>The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable.<br/> <b>Analyst Comment:</b> Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947241" target="_blank">[MITRE ATT&amp;CK] Credentials in Files - T1081</a><br/> <b>Tags:</b> Tor, Qlocker, CVE-2020-2509, CVE-2020-36195</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://threatpost.com/email-campaign-targets-bloomberg-clients/165514/" target="_blank">Novel Email-Based Campaign Targets Bloomberg Clients with RATs</a></h3> <p>(published: April 21, 2021)</p> <p>A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to clients of Bloomberg BNA, which has since been rebranded Bloomberg Industry Group. The emails claim to contain an invoice for clients but instead include an attached Excel spreadsheet that contains macro code to either download the next infection stage or drop and run the final payload, which is always a Javascript- or VB-based RAT.<br/> <b>Analyst Comment:</b> All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service. In lieu of that, antivirus should be configured to automatically scan downloaded attachments.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947256" target="_blank">[MITRE ATT&amp;CK] Uncommonly Used Port - T1065</a><br/> <b>Tags:</b> NanoCore RAT, Government, Middle East</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://www.infosecurity-magazine.com:443/news/multiple-apt-groups-exploit-pulse/" target="_blank">Multiple APT Groups Exploit Critical Pulse Secure Zero-Day</a></h3> <p>(published: April 21, 2021)</p> <p>A critical zero-day security vulnerability in Pulse Secure VPN devices has been exploited by nation-state actors to launch cyberattacks against U.S. defense, finance and government targets,The vulnerability (CVE-2021-22893) has a CVSS score of 10.0 and is listed as a critical authentication bypass vulnerability in Pulse Connect Secure. It's being used in combination with multiple legacy CVEs (CVE-2019-11510, CVE-2020-8243, CVE-2020-8260) in the product from 2019 and 2020. The UK's NCSC and US CISA have released emergency guidance on this breaking threat.<br/> <b>Analyst Comment:</b> Pulse Secure has released a tool for their customers in response to the vulnerability that can be found here: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755. All companies that use Pulse Connect Secure should review the mitigation documents and run the tool to check the integrity of Pulse Connect Secure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2336969" target="_blank">[MITRE ATT&amp;CK] Registry Run Keys / Startup Folder - T1060</a><br/> <b>Tags:</b> UNC2630, APT5, CVE-2019-11510, CVE-2020-8243, CVE-2021-22893, CVE-2020-8260, Banking And Finance, GovernmentEU &amp; UK, China</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/" target="_blank">HabitsRAT Used to Target Linux and Windows Servers</a></h3> <p>(published: April 20, 2021)</p> <p>Researchers have discovered a new malware written in Go, which is being called HabitsRAT. The Windows version of the malware was first reported on by Brian Krebs and The Shadowserver Foundation in attacks against Microsoft Exchange servers. In addition to this version,a newer Windows variant and a variant targeting Linux environments have been identified. The malware allows the attacker to control the compromised machine remotely.<br/> <b>Analyst Comment:</b> Always keep servers patched and up to date to prevent possible attacks. New malware is constantly being developed and it’s important that security measures are in place. Customers should also use backup solutions in the event of extensive malware persistence.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947210" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947101" target="_blank">[MITRE ATT&amp;CK] Code Signing - T1116</a> | <a href="https://ui.threatstream.com/ttp/947139" target="_blank">[MITRE ATT&amp;CK] Remote Access Tools - T1219</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a><br/> <b>Tags:</b> sCHtAsks.exe, systemd, HabitsRAT, Intezer</p> </div> <div class="trending-threat-article"> <h3 id="article-6"><a href="https://www.zdnet.com/article/lazarus-state-hacking-group-now-hides-payloads-in-bmp-image-files/#ftag=RSSbaffb68" target="_blank">Lazarus Group Hides Payloads in BMP Image Files </a></h3> <p>(published: April 20, 2021)</p> <p>The Lazarus Group, reportedly a North Korean state-sponsored advanced persistent threat (APT) group, is using a malicious phishing document to infect South Korean organizations. In this campaign,the Word document requires the user to enable macros and launches an HTA executable from within the BMP file, which is the RAT payload. A C2 connection is then made and control is established. Known as one of the most prolific and sophisticated APTs out there, Lazarus has been in operation for over a decade and is considered responsible for worldwide attacks that include the WannaCry ransomware outbreak, bank thefts and assaults against cryptocurrency exchanges.<br/> <b>Analyst Comment:</b> Avoid documents that request Macros to be enabled. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a><br/> <b>Tags:</b> Lazarus group, Lazarus, WannaCry, North Korea</p> </div> <div class="trending-threat-article"> <h3 id="article-7"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clever-billing-fraud-applications-on-google-play-etinu/" target="_blank">Clever Billing Fraud Applications on Google Play: Etinu</a></h3> <p>(published: April 19, 2021)</p> <p>A new wave of fraudulent apps has made its way to the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula. The malware embedded in these fraudulent apps hijacks SMS message notifications and then makes unauthorized purchases. While apps go through a review process to ensure they are legitimate, these apps made their way into the store by submitting a clean version of the app for review and then introducing the malicious code via updates later.<br/> <b>Analyst Comment:</b> It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources that are more likely to allow malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947268" target="_blank">[MITRE ATT&amp;CK] Hidden Files and Directories - T1158</a><br/> <b>Tags:</b> Joker, Android, Mobile Malware</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.