Anomali Cyber Watch: Charming Kitten Updated Its Arsenal, BlackByte Ransomware Devastates a Company in Less Than Five Days, PlugX Sent to European Diplomats, and More

Anomali Threat Research
July 11, 2023
<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, China, HTML smuggling, Iran, Ransomware, Spearphishing, </b>and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/SaQ7qxZKQBOSlBQrn6fa"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html" target="_blank">Tailing Big Head Ransomware’s Variants, Tactics, and Impact</a></h3> <p>(published: July 7, 2023)</p> <p> The Big Head ransomware was first discovered in May 2023 and still appears to be under development. Trend Micro researchers have uncovered a significant number of versions of this malware, all likely connected to the same malware developer. Big Head attacks start with malvertising featuring fake Windows updates and Microsoft Word installers. The Big Head ransomware exhibits unique behaviors, such as distracting the user with a fake Windows update screen, renaming the encrypted files using Base64 encoding, and disabling the Task Manager to prevent users from terminating or investigating the ransomware process. Different Big Head variants were accompanied by different types of additional malware, such as a backdoor, the WorldWind infostealer, or the Neshta file infector. <br/> <b>Analyst Comment:</b> Users should be cautious when clicking on advertisements because, as this story shows, malicious advertisements can appear on legitimate websites. 
If the advertised product is appealing, it is safer to search for the product on the authentic website of the company that sells it, or on other trusted online shopping sites. Host-based indicators associated with the Big Head ransomware variants are available in the Anomali platform for ongoing infections and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/3709" target="_blank">[MITRE ATT&amp;CK] T1562: Impair Defenses</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&amp;CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/10089" target="_blank">[MITRE ATT&amp;CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a><br/> <b>Tags:</b> 
malware:Big Head, malware-type:Ransomware, detection:Ransom.MSIL.EGOGEN, malware:WorldWind, malware-type:Infostealer, malware:Neshta, malware-type:Virus, malware-type:File infector, actor:poop69news, actor:Big Head, technique:Malvertising, abused:AES, abused:Telegram, abused:YouTube, file-type:BAT, file-type:EXE, file-type:POOP, file-type:PS1, target-system:Windows </p> <h3 id="article-2"><a href="https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware" target="_blank">Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware</a></h3> <p>(published: July 6, 2023)</p> <p> In May 2023, the Iran-sponsored group Charming Kitten (TA453) started targeting foreign affairs experts in the Middle East and nuclear security experts in the US and possibly other countries. Similar to prior Charming Kitten campaigns, the group utilized spearphishing but switched to LNK infection chains instead of Microsoft Word documents with macros. Charming Kitten continued to abuse multiple cloud services for resiliency, this time relying on CleverApps, Dropbox, and Google Scripts. Proofpoint researchers have identified a new custom PowerShell backdoor, GorjolEcho, targeting Windows systems. When it failed to execute on a target’s Mac, the attackers followed up with a new modular macOS malware dubbed NokNok. Both new malware families reuse source code from older Charming Kitten tools.<br/> <b>Analyst Comment:</b> Organizations are advised to monitor for impersonation of their branding and for typosquatting attacks (add Anomali’s <a href="https://www.anomali.com/resources/data-sheets/anomali-premium-digital-risk-protection" target="_blank">Premium Digital Risk Protection</a> service to your arsenal). 
All known indicators associated with GorjolEcho and NokNok are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9717" target="_blank">[MITRE ATT&amp;CK] T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9985" target="_blank">[MITRE ATT&amp;CK] T1518 - Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9622" target="_blank">[MITRE ATT&amp;CK] T1132.001 - Data Encoding: Standard Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/9804" target="_blank">[MITRE ATT&amp;CK] T1074.001 - Data Staged: Local Data Staging</a><br/> <b>Tags:</b> actor:TA453, actor:Charming Kitten, mitre-group:Magic Hound, malware:NokNok, abused:PowerShell, malware:GorjolEcho, malware-type:Backdoor, source-country:Iran, actor-identity:IRGC, target-country:USA, 
target-industry:Think tank, target-industry:Foreign affairs, impersonated:Royal United Services Institute, abused:Google Script, abused:CleverApps, abused:Dropbox, file-type:LNK, file-type:Mach-O, file-type:PDF.LNK, file-type:RAR, target-system:Windows, target-system:macOS </p> <h3 id="article-3"><a href="https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/" target="_blank">The Five-Day Job: A BlackByte Ransomware Intrusion Case Study</a></h3> <p>(published: July 6, 2023)</p> <p> Microsoft researchers have analyzed a full attack chain for an intrusion that in less than five days resulted in the deployment of BlackByte 2.0 ransomware. The target organization was breached through unpatched Microsoft Exchange Servers exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). The threat actor employed a range of tools and techniques, including web shell deployment, use of living-off-the-land tools, deployment of Cobalt Strike beacons, process hollowing, and the ExByte custom-developed data collection and exfiltration tool. On one server, an ExByte executable was detected (Trojan:Win64/WinGoObfusc.LK!MT) and quarantined by Microsoft Defender Antivirus. Unfortunately, tamper protection was not enabled, so the threat actor was able to disable the antivirus service and run the file.<br/> <b>Analyst Comment:</b> Network defenders should ensure that patch management for internet-exposed devices is up to date. Enable tamper protection and restrict unauthorized system changes. Block inbound traffic from Tor exit nodes and inbound access from unauthorized public VPN services. 
All known indicators associated with this BlackByte 2.0 ransomware incident are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9701" target="_blank">[MITRE ATT&amp;CK] T1087.002 - Account Discovery: Domain Account</a> | <a href="https://ui.threatstream.com/attackpattern/9873" target="_blank">[MITRE ATT&amp;CK] T1482 - Domain Trust Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9619" target="_blank">[MITRE ATT&amp;CK] T1069.002 - Permission Groups Discovery: Domain Groups</a> | <a href="https://ui.threatstream.com/attackpattern/10019" target="_blank">[MITRE ATT&amp;CK] T1018 - Remote System Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9633" target="_blank">[MITRE ATT&amp;CK] T1003 - Os Credential Dumping</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9733" target="_blank">[MITRE ATT&amp;CK] T1572 - Protocol Tunneling</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a 
href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&amp;CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9775" target="_blank">[MITRE ATT&amp;CK] T1562.004 - Impair Defenses: Disable Or Modify System Firewall</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9920" target="_blank">[MITRE ATT&amp;CK] T1055.012 - Process Injection: Process Hollowing</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&amp;CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/9772" target="_blank">[MITRE ATT&amp;CK] T1070.006 - Indicator Removal on Host: Timestomp</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&amp;CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&amp;CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a><br/> <b>Tags:</b> malware:BlackByte 2.0, malware-type:Ransomware, detection:Trojan:Win32/Kovter, detection:Trojan:Win64/WinGoObfusc, detection:Trojan:Win64/BlackByte, mitre-software:AdFind, detection:HackTool:Win32/AdFind, detection:Trojan:Win64/CobaltStrike, malware:Cobalt Strike, malware:ExByte, malware-type:Exfiltration tool, malware:Mimikatz, vulnerability:CVE-2021-34473, vulnerability:CVE-2021-34523, 
vulnerability:CVE-2021-31207, vulnerability:CVE-2019-16098, vulnerability:ProxyShell, abused:AnyDesk, abused:GoLang, abused:PowerShell, abused:RDP, file-type:EXE, file-type:LOG, file-type:TXT, target-system:Microsoft Exchange Server, target-system:Windows </p> <h3 id="article-4"><a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/07/malicious-ad-for-usps-phishes-for-jpmorgan-chase-credentials" target="_blank">Malicious Ad for USPS Phishes for Banking Credentials</a></h3> <p>(published: July 5, 2023)</p> <p> A new malvertising campaign was uncovered on July 3, 2023. It has been targeting both mobile and desktop users looking to track packages, using malicious ads that carry the official logo and website of the United States Postal Service. After being redirected to a phishing page, targets are tricked into providing their credit card information and banking login credentials. <br/> <b>Analyst Comment:</b> After the original phishing domain was blocked by the GoDaddy registrar, the actor moved the campaign to additional Cloudflare infrastructure before being blocked again. Users are advised to regularly check their banking statements. Consider not using promoted content until search engines apply stricter controls. 
Domains associated with this malvertising campaign are available in the Anomali platform for historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10058" target="_blank">[MITRE ATT&amp;CK] T1585 - Establish Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10106" target="_blank">[MITRE ATT&amp;CK] T1608 - Stage Capabilities</a><br/> <b>Tags:</b> technique:Malvertising, technique:Redirecting, abused:Google Ads, impersonated:USPS, industry:Banking And Finance, target-industry:Postal Service, target-region:North America, target-country:USA </p> <h3 id="article-5"><a href="https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/" target="_blank">Chinese Threat Actors Targeting Europe in SmugX Campaign</a></h3> <p>(published: July 3, 2023)</p> <p> Since at least December 2022, a new China-sponsored cyberespionage campaign dubbed SmugX has been targeting foreign affairs ministries and embassies in several European countries (including Czechia, Hungary, Slovakia, UK, and Ukraine). The campaign starts with a phishing attachment, leverages HTML Smuggling to hide malicious payloads inside HTML documents, and deploys a new variant of the PlugX remote access trojan. Check Point researchers identified two variants of the infection chain: one relies on ZIP and LNK files, and another uses JS and MSI files. In both cases, a DLL side-loading triad is delivered and executed to load an encrypted PlugX payload. The exact attribution is not conclusive, but the techniques and infrastructure used in SmugX have some overlap with the previously described Mustang Panda (RedDelta) and with activity tracked as Camaro Dragon.<br/> <b>Analyst Comment:</b> Network defenders should harden their approach towards HTML attachments. 
All known indicators associated with the SmugX campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10176" target="_blank">[MITRE ATT&amp;CK] T1590.005 - Gather Victim Network Information: Ip Addresses</a> | <a href="https://ui.threatstream.com/attackpattern/12882" target="_blank">[MITRE ATT&amp;CK] T1027.006 - Obfuscated Files or Information: Html Smuggling</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a 
href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9767" target="_blank">[MITRE ATT&amp;CK] T1070 - Indicator Removal On Host</a><br/> <b>Tags:</b> malware:PlugX, detection:Win.PlugX, malware-type:RAT, campaign:SmugX, source-country:China, actor:RedDelta, actor:Mustang Panda, actor:Camaro Dragon, target-region:Eastern Europe, target-region:Europe, target-country:Czechia, target-country:Hungary, target-country:Slovakia, target-country:UK, target-country:Ukraine, targeted-industry:Government, target-identity:Foreign Affairs ministry, technique:HTML smuggling, technique:Pixel tracking, abused:PowerShell, file-type:DAT, file-type:DLL, file-type:HTML, file-type:JS, file-type:LNK, file-type:MSI, file-type:ZIP, target-system:Windows </p> </div> </p></div>
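The SmugX write-up above notes that the campaign hides its payload inside HTML attachments (HTML smuggling, ATT&amp;CK T1027.006) and that defenders should harden their handling of such attachments. The following is an added example, not code from Anomali, Check Point, or the original post, showing one way a mail-gateway or sandbox hook could triage an HTML attachment offline: it pulls the inline scripts out of the document, counts the client-side file-reconstruction APIs that smuggling relies on (base64 decoding, in-memory Blob construction, object URLs, scripted downloads), measures the largest embedded base64 literal, and turns that into a score. The two sample documents, the threshold, and the weights are constructed for illustration; the "payload" in the suspicious sample is base64 of plain text, so the fixture is inert.

```python
import base64
import re
from html.parser import HTMLParser

# JavaScript calls that HTML smuggling chains together to rebuild a file in the
# browser. Any one of them is normal on the web; several in one inline script of
# an e-mail attachment, next to a large base64 literal, is the signal.
SUSPICIOUS_CALLS = {
    "atob(": "base64 decode",
    "new Blob(": "in-memory file construction",
    "createObjectURL(": "blob URL creation",
    "msSaveOrOpenBlob(": "legacy IE/Edge download",
    ".download": "forced download attribute",
    ".click()": "scripted click",
}
# A quoted run of 64+ base64 characters; the threshold is an assumption.
BASE64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{64,}={0,2})['\"]")
LARGE_LITERAL = 256      # assumed: literals this long rarely appear in benign mail
SUSPICIOUS_SCORE = 4     # assumed verdict threshold


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and counts <a download> anchors."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.download_anchors = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
        elif tag == "a" and any(name == "download" for name, _ in attrs):
            self.download_anchors += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def analyze_html(document: str) -> dict:
    """Score an HTML attachment for HTML-smuggling indicators."""
    collector = _ScriptCollector()
    collector.feed(document)
    js = "\n".join(collector.scripts)
    hits = [label for needle, label in SUSPICIOUS_CALLS.items() if needle in js]
    if collector.download_anchors:
        hits.append("download attribute on anchor")
    largest = max((len(b) for b in BASE64_LITERAL.findall(js)), default=0)
    score = len(hits) + (2 if largest >= LARGE_LITERAL else 0)
    return {
        "hits": hits,
        "largest_base64_literal": largest,
        "score": score,
        "verdict": "suspicious" if score >= SUSPICIOUS_SCORE else "benign",
    }


# Constructed fixtures (not real samples). The second one carries the typical
# reconstruction chain, but its base64 literal decodes to plain text.
BENIGN_SAMPLE = (
    '<html><body><h1>Quarterly report</h1>'
    '<script>document.title = "Report"; console.log("loaded");</script>'
    '</body></html>'
)
_INERT_B64 = base64.b64encode(b"constructed inert test content " * 10).decode()
SMUGGLING_SAMPLE = (
    '<html><body><p>Your document is loading...</p><script>\n'
    'var data = "__B64__";\n'
    'var raw = atob(data);\n'
    'var blob = new Blob([raw]);\n'
    'var link = document.createElement("a");\n'
    'link.href = URL.createObjectURL(blob);\n'
    'link.download = "document.zip";\n'
    'link.click();\n'
    '</script></body></html>'
).replace("__B64__", _INERT_B64)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_SAMPLE), ("smuggling", SMUGGLING_SAMPLE)):
        print(name, analyze_html(doc))
```

Because the detector only inspects inline script text, it is cheap enough to run on every HTML attachment at the gateway; documents that score as suspicious can be detonated or quarantined rather than delivered. Real campaigns obfuscate the literal and the API names, so treat this as one signal to combine with sandboxing and attachment-type policy, not as a complete control.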
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

July 11, 2023
-
Anomali Threat Research
,

Anomali Cyber Watch: Charming Kitten Updated Its Arsenal, BlackByte Ransomware Devastates a Company in Less Than Five Days, PlugX Sent to European Diplomats, and More

<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, China, HTML smuggling, Iran, Ransomware, Spearphishing, </b>and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/SaQ7qxZKQBOSlBQrn6fa"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://www.trendmicro.com/en_us/research/23/g/tailing-big-head-ransomware-variants-tactics-and-impact.html" target="_blank">Tailing Big Head Ransomware’s Variants, Tactics, and Impact</a></h3> <p>(published: July 7, 2023)</p> <p> The Big Head ransomware was first discovered in May 2023 and it still appears to be in the development stage. Trend Micro researchers have uncovered a significant number of versions of this malware, all likely connected to the same malware developer. Big Head attacks start with malvertising featuring fake Windows updates and Microsoft Word installers. The Big Head ransomware exhibits unique behaviors, such as distracting with the Windows update screen, renaming the encrypted files using Base64 encoding, and disabling the Task Manager to prevent users from terminating or investigating the ransomware process. Different Big Head variants were accompanied by different types of additional malware such as: a backdoor, the WorldWind infostealer, or the Neshta file infector. <br/> <b>Analyst Comment:</b> Users should be cautious when clicking on advertisements because as this story portrays, malicious advertisements can sometimes appear on legitimate online locations. 
If the advertised product is appealing, it would be safer to search for the product on the authentic website of the company who is selling the product, or other trusted online shopping locations. Host-based indicators associated with the Big Head ransomware variants are available in the Anomali platform for ongoing infections and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/3709" target="_blank">[MITRE ATT&amp;CK] T1562: Impair Defenses</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&amp;CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/10089" target="_blank">[MITRE ATT&amp;CK] T1497.001 - Virtualization/Sandbox Evasion: System Checks</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a><br/> <b>Tags:</b> 
malware:Big Head, malware-type:Ransomware, detection:Ransom.MSIL.EGOGEN, malware:WorldWind, malware-type:Infostealer, malware:Neshta, malware-type:Virus, malware-type:File infector, actor:poop69news, actor:Big Head, technique:Malvertising, abused:AES, abused:Telegram, abused:YouTube, file-type:BAT, file-type:EXE, file-type:POOP, file-type:PS1, target-system:Windows </p> <h3 id="article-2"><a href="https://www.proofpoint.com/us/blog/threat-insight/welcome-new-york-exploring-ta453s-foray-lnks-and-mac-malware" target="_blank">Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware</a></h3> <p>(published: July 6, 2023)</p> <p> In May 2023, the Iran-sponsored group Charming Kitten (TA453) started targeting foreign affairs experts in the Middle East and nuclear security experts in the US and possibly other countries. Similar to prior Charming Kitten campaigns, the group utilized spearphishing but switched to LNK infection chains instead of Microsoft Word documents with macros. Charming Kitten continued to abuse multiple cloud services for resiliency, this time relying on CleverApps, Dropbox, and Google Scripts. Proofpoint researchers have identified a new, custom PowerShell backdoor GorjolEcho targeting Windows systems. When it failed to execute on a target’s Mac, the attackers followed up with a new modular macOS malware dubbed NokNok. These new malwares were reusing source code pieces from older Charming Kitten tools.<br/> <b>Analyst Comment:</b> Organizations are advised to monitor for their branding impersonation and for typosquatting attacks (add Anomali’s <a href="https://www.anomali.com/resources/data-sheets/anomali-premium-digital-risk-protection" target="_blank">Premium Digital Risk Protection</a> service to your arsenal). 
All known indicators associated with GorjolEcho and NokNok are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9717" target="_blank">[MITRE ATT&amp;CK] T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9985" target="_blank">[MITRE ATT&amp;CK] T1518 - Software Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9622" target="_blank">[MITRE ATT&amp;CK] T1132.001 - Data Encoding: Standard Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/9804" target="_blank">[MITRE ATT&amp;CK] T1074.001 - Data Staged: Local Data Staging</a><br/> <b>Tags:</b> actor:TA453, actor:Charming Kitten, mitre-group:Magic Hound, malware:NokNok, abused:PowerShell, malware:GorjolEcho, malware-type:Backdoor, source-country:Iran, actor-identity:IRGC, target-country:USA, 
target-industry:Think tank, target-industry:Foreign affairs, impersonated:Royal United Services Institute, abused:Google Script, abused:CleverApps, abused:Dropbox, file-type:LNK, file-type:Mach-O, file-type:PDF.LNK, file-type:RAR, target-system:Windows, target-system:macOS </p> <h3 id="article-3"><a href="https://www.microsoft.com/en-us/security/blog/2023/07/06/the-five-day-job-a-blackbyte-ransomware-intrusion-case-study/" target="_blank">The Five-Day Job: A BlackByte Ransomware Intrusion Case Study</a></h3> <p>(published: July 6, 2023)</p> <p> Microsoft researchers have analyzed a full attack chain for an intrusion that in less than five days resulted in the deployment of BlackByte 2.0 ransomware. The target organization was breached through unpatched Microsoft Exchange Servers exploiting the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). The threat actor employed a range of tools and techniques, including web shell deployment, use of living-off-the-land tools, deployment of Cobalt Strike beacons, process hollowing, and the ExByte custom-developed data collection and exfiltration tool. On one server, an ExByte executable has been detected (Trojan:Win64/WinGoObfusc.LK!MT) and quarantined by Microsoft Defender Antivirus. Unfortunately, the tamper protection wasn’t enabled, and the threat actor was able to disable the antivirus service, and run the file.<br/> <b>Analyst Comment:</b> Network defenders should ensure that patch management for internet-exposed devices is up to date. Enable tamper protection and restrict unauthorized system changes. Block inbound traffic from TOR exit nodes and inbound access from unauthorized public VPN services. 
All known indicators associated with this BlackByte 2.0 ransomware incident are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&amp;CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9714" target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9701" target="_blank">[MITRE ATT&amp;CK] T1087.002 - Account Discovery: Domain Account</a> | <a href="https://ui.threatstream.com/attackpattern/9873" target="_blank">[MITRE ATT&amp;CK] T1482 - Domain Trust Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9619" target="_blank">[MITRE ATT&amp;CK] T1069.002 - Permission Groups Discovery: Domain Groups</a> | <a href="https://ui.threatstream.com/attackpattern/10019" target="_blank">[MITRE ATT&amp;CK] T1018 - Remote System Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9633" target="_blank">[MITRE ATT&amp;CK] T1003 - Os Credential Dumping</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9733" target="_blank">[MITRE ATT&amp;CK] T1572 - Protocol Tunneling</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a 
href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&amp;CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9775" target="_blank">[MITRE ATT&amp;CK] T1562.004 - Impair Defenses: Disable Or Modify System Firewall</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/9920" target="_blank">[MITRE ATT&amp;CK] T1055.012 - Process Injection: Process Hollowing</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&amp;CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/9772" target="_blank">[MITRE ATT&amp;CK] T1070.006 - Indicator Removal on Host: Timestomp</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&amp;CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&amp;CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a><br/> <b>Tags:</b> malware:BlackByte 2.0, malware-type:Ransomware, detection:Trojan:Win32/Kovter, detection:Trojan:Win64/WinGoObfusc, detection:Trojan:Win64/BlackByte, mitre-software:AdFind, detection:HackTool:Win32/AdFind, detection:Trojan:Win64/CobaltStrike, malware:Cobalt Strike, malware:ExByte, malware-type:Exfiltration tool, malware:Mimikatz, vulnerability:CVE-2021-34473, vulnerability:CVE-2021-34523, 
vulnerability:CVE-2021-31207, vulnerability:CVE-2019-16098, vulnerability:ProxyShell, abused:AnyDesk, abused:GoLang, abused:PowerShell, abused:RDP, file-type:EXE, file-type:LOG, file-type:TXT, target-system:Microsoft Exchange Server, target-system:Windows </p> <h3 id="article-4"><a href="https://www.malwarebytes.com/blog/threat-intelligence/2023/07/malicious-ad-for-usps-phishes-for-jpmorgan-chase-credentials" target="_blank">Malicious Ad for USPS Fishes for Banking Credentials</a></h3> <p>(published: July 5, 2023)</p> <p> A new malvertising campaign was uncovered on July 3, 2023. It has been targeting both mobile and desktop users who are looking to track packages, using malicious ads that carry the official logo and website of the United States Postal Service. After being redirected to a phishing page, the targets are tricked into providing their credit card information and banking login credentials. <br/> <b>Analyst Comment:</b> After the original phishing domain was blocked by the GoDaddy registrar, the actor moved the campaign to additional Cloudflare infrastructure, which was subsequently blocked as well. Users are advised to regularly check their banking statements. Consider not using promoted content until search engines apply stricter controls. 
Domains associated with this malvertising campaign are available in the Anomali platform for historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10058" target="_blank">[MITRE ATT&amp;CK] T1585 - Establish Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10106" target="_blank">[MITRE ATT&amp;CK] T1608 - Stage Capabilities</a><br/> <b>Tags:</b> technique:Malvertising, technique:Redirecting, abused:Google Ads, impersonated:USPS, industry:Banking And Finance, target-industry:Postal Service, target-region:North America, target-country:USA </p> <h3 id="article-5"><a href="https://research.checkpoint.com/2023/chinese-threat-actors-targeting-europe-in-smugx-campaign/" target="_blank">Chinese Threat Actors Targeting Europe in SmugX Campaign</a></h3> <p>(published: July 3, 2023)</p> <p> Since at least December 2022, a new China-sponsored cyberespionage campaign dubbed SmugX has been targeting foreign affairs ministries and embassies in several European countries (including Czechia, Hungary, Slovakia, UK, and Ukraine). The campaign starts with a phishing attachment, leverages HTML Smuggling to hide malicious payloads inside HTML documents, and deploys a new variant of the PlugX remote access trojan. Check Point researchers identified two variants of the infection chain: one relies on ZIP and LNK files, and the other uses JS and MSI files. In both cases, a DLL side-loading triad is delivered and executed to load an encrypted PlugX payload. The exact attribution is not conclusive, but the techniques and infrastructure used in SmugX have some overlap with the previously described Mustang Panda (RedDelta) and with overlapping activity tracked as Camaro Dragon.<br/> <b>Analyst Comment:</b> Network defenders should harden their approach towards HTML attachments. 
All known indicators associated with the SmugX campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10176" target="_blank">[MITRE ATT&amp;CK] T1590.005 - Gather Victim Network Information: Ip Addresses</a> | <a href="https://ui.threatstream.com/attackpattern/12882" target="_blank">[MITRE ATT&amp;CK] T1027.006 - Obfuscated Files or Information: Html Smuggling</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a 
href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9767" target="_blank">[MITRE ATT&amp;CK] T1070 - Indicator Removal On Host</a><br/> <b>Tags:</b> malware:PlugX, detection:Win.PlugX, malware-type:RAT, campaign:SmugX, source-country:China, actor:RedDelta, actor:Mustang Panda, actor:Camaro Dragon, target-region:Eastern Europe, target-region:Europe, target-country:Czechia, target-country:Hungary, target-country:Slovakia, target-country:UK, target-country:Ukraine, targeted-industry:Government, target-identity:Foreign Affairs ministry, technique:HTML smuggling, technique:Pixel tracking, abused:PowerShell, file-type:DAT, file-type:DLL, file-type:HTML, file-type:JS, file-type:LNK, file-type:MSI, file-type:ZIP, target-system:Windows </p> </div> </p></div>
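The SmugX entry above describes HTML Smuggling: the archive or installer is carried inside the HTML attachment as a Base64 blob and reassembled by browser-side script. The following scanner is an added example for the "harden your approach towards HTML attachments" comment, not code from Anomali or Check Point; the API list, blob-length threshold and both HTML samples are constructed assumptions, and the magic bytes cover the ZIP, LNK and MSI (OLE) containers named in the two infection chains.

```python
import base64
import re
from dataclasses import dataclass, field

# Browser APIs a smuggling page typically uses to rebuild the payload client-side
# and hand it to the user as a download (heuristic list, assumed here, not from the report).
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(", ".download")
# A Base64 run this long is more likely an embedded archive or installer than an inline icon.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{2048,}={0,2}")
# Magic bytes for the container types named in the two SmugX chains (ZIP/LNK and JS/MSI).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/msi",
}

@dataclass
class Verdict:
    apis: list = field(default_factory=list)      # smuggling APIs found in the HTML
    payloads: list = field(default_factory=list)  # (blob length, detected type or "unknown")

    @property
    def suspicious(self) -> bool:
        # Both signals together: a large embedded blob AND the code to materialise it.
        return bool(self.apis) and bool(self.payloads)

def scan_html(html: str) -> Verdict:
    """Flag an HTML attachment that embeds a large Base64 blob plus the JS to drop it."""
    verdict = Verdict(apis=[api for api in SMUGGLING_APIS if api in html])
    for match in B64_BLOB.finditer(html):
        blob = match.group(0)
        head = base64.b64decode(blob[:16])  # 16 chars -> first 12 bytes, enough for the magic
        kind = next((name for magic, name in MAGIC.items() if head.startswith(magic)), "unknown")
        verdict.payloads.append((len(blob), kind))
    return verdict

# Constructed sample: a ZIP header padded with zeros, wrapped in a typical smuggling stub.
_FAKE_ZIP = base64.b64encode(b"PK\x03\x04" + b"\x00" * 2000).decode()
SMUGGLED = f"""<html><body><script>
var b = atob("{_FAKE_ZIP}");
var a = document.createElement("a");
a.href = URL.createObjectURL(new Blob([b]));
a.download = "document.zip"; a.click();
</script></body></html>"""
# Constructed benign sample: a large inline image, no download logic.
BENIGN = '<img src="data:image/png;base64,' + base64.b64encode(b"\x89PNG" + b"\x01" * 2000).decode() + '">'

if __name__ == "__main__":
    for name, doc in (("smuggled", SMUGGLED), ("benign", BENIGN)):
        v = scan_html(doc)
        print(name, "suspicious" if v.suspicious else "clean", v.apis, v.payloads)
```

Run it on the body of quarantined HTML attachments; a hit is a triage signal, not proof, since legitimate pages also ship large inline blobs.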
