February 22, 2023
-
Anomali Threat Research
,

Anomali Cyber Watch: Earth Kitsune Uses Chrome Native Messaging for Persistence, WIP26 Targets Middle East Telco from Abused Clouds, Azerbaijan-Sponsored Group Geofenced Its Payloads to Armenian IPs

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Abused cloud instances, APT, Armenia, Azerbaijan, Cyberespionage, Phishing, Social engineering,</b> and <b>Watering hole attacks</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/HkSA2QN3RW6LaaU4sy0Z"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/coinbase-cyberattack-targeted-employees-with-fake-sms-alert/" target="_blank">Coinbase Cyberattack Targeted Employees with Fake SMS Alert</a></h3> <p>(published: February 20, 2023)</p> <p>On February 5th, 2023, several employees at the Coinbase cryptocurrency exchange platform received a fake SMS alert on their mobile phones. The message indicated that they need to urgently log in via the link provided to receive an important message. One employee got phished by the attackers, but they failed to login due to the MFA restrictions. The attackers, likely associated with the previously-documented 0ktapus phishing campaign, proceeded to call the employee and phish him for more information by pretending to be from the corporate IT. Coinbase was able to detect the unusual activity and stop the breach, although the attackers have obtained some contact information belonging to multiple Coinbase employees in addition to the login credentials of the phished user.<br/> <b>Analyst Comment:</b> Network defenders are advised to monitor for access attempts from a third-party VPN provider, such as Mullvad VPN. Monitor for download of remote desktop viewers such as AnyDesk or ISL Online. Set up monitoring for Incoming phone calls / text messages from Bandwidth dot com, Google Voice, Skype, and Vonage/Nexmo. Anomali Premium Domain Monitoring service notifies customers regarding registration of potential phishing domains. And as always with these types of social engineering attacks employee awareness is key - not just of the threat but how to independently verify the legitimacy of any contact and what to do with anything suspicious.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9812" target="_blank">[MITRE ATT&amp;CK] T1219 - Remote Access Software</a><br/> <b>Tags:</b> campaign:0ktapus, Coinbase, Social engineering, SMS, Typosquatting, AnyDesk, ISL Online, Mullvad VPN, Google Voice, Skype, Vonage/Nexmo, Bandwidth, Browser extension, EditThisCookie</p> </div> <div class="trending-threat-article"> <h3 id="article-2"><a href="https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html" target="_blank">Earth Kitsune Delivers New WhiskerSpy Backdoor via Watering Hole Attack</a></h3> <p>(published: February 17, 2023)</p> <p>Since the end of 2022, a new campaign by the state-sponsored Earth Kitsune group targets visitors of pro-North Korea websites. A malicious JavaScript embedded into their video pages prompts a viewer to download a codec installer. Only visitors from particular subnets located in Nagoya, Japan and Shenyang, China, and users of a VPN provider in Brazil are receiving the malicious payload. The legitimate codec installer was patched to increase the PE image size and add an additional section. The attackers employ elliptic cryptography to protect encryption keys and use rare hashing algorithms: 32-bit Fowler-Noll-Vo hash (FNV-1) to compute machine IDs and a 32-bit Murmur3 hash of the 16-byte AES key to compute the session ID. Finally the group added an unique persistent method based on the abuse of the NativeApp.exe, a native messaging host that communicates with Chrome extensions.<br/> <b>Analyst Comment:</b> When a website prompts to download or upgrade a software, it is prudent to close the website, check if the software is needed and missing, and proceed to download it from the official distributor website.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/3716" target="_blank">[MITRE ATT&amp;CK] T1189: Drive-by Compromise</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&amp;CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9717" target="_blank">[MITRE ATT&amp;CK] T1573.001 - Encrypted Channel: Symmetric Cryptography</a><br/> <b>Tags:</b> actor:Earth Kitsune, malware:WhiskerSpy, malware-type:Backdoor, detection:Backdoor.Win64.WHISPERSPY, malware:SLUB, detection:Trojan.JS.SLUB, detection:Trojan.Win32.SLUB, malware-type:Dropper, malware-type:Loader, Watering hole, APT, North Korea, PowerShell, target-country:China, target-country:CN, target-country:Japan, target-country:JP, Fowler-Noll-Vo, Murmur3, ECC, AES, Windows</p> </div> <div class="trending-threat-article"> <h3 id="article-3"><a href="https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/" target="_blank">WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks</a></h3> <p>(published: February 16, 2023)</p> <p>A new cyberespionage campaign dubbed WIP26 targets employees of telecommunication providers in the Middle East. The infection chain starts with a WhatsApp message containing a malicious Dropbox link. The link leads to an archive containing the malicious PDFelement.exe loader. Two custom backdoors, CMD365 and CMDEmber have a C2 server hosted on a Microsoft 365 Mail or a Google Firebase Realtime Database instance, respectively. Data exfiltration and additional malware hosting is utilized via Microsoft Azure instances. The only direct access connection not abusing a public cloud infrastructure was observed from the use of the Chisel tunneling tool. Additional defense avoidance is achieved via extensive use of masquerading including the use of application icons, filenames, and invalid digital signatures that indicate existing software vendors.<br/> <b>Analyst Comment:</b> Network defenders are advised to monitor for binaries with expired certificates, and suspected traffic associated with tunneling and Cobalt Strike. Users should be trained to raise suspicion of trojans sent via social networks and messengers. For sensitive workstations, consider limiting certain public clouds on a need-to-access basis. All known network indicators associated with this WIP26 campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9597" target="_blank">[MITRE ATT&amp;CK] T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/9598" target="_blank">[MITRE ATT&amp;CK] T1036.001 - Masquerading: Invalid Code Signature</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&amp;CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9631" target="_blank">[MITRE ATT&amp;CK] T1033 - System Owner/User Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9717" target="_blank">[MITRE ATT&amp;CK] T1573.001 - Encrypted Channel: Symmetric Cryptography</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a><br/> <b>Tags:</b> campaign:WIP26, Cyberespionage, target-industry:Telecom, APT, Cloud, target-region:Middle East, malware:CMD365, malware:CMDEmber, malware-type:Backdoor, Microsoft 365 Mail, Google Firebase, malware:PDFelement.exe, malware-type:Loader, malware:Chisel, malware-type:Tunneling tool, Microsoft Azure, Dropbox, WhatsApp, .NET, PowerShell, Microsoft Graph API, Base64, AES, Triple DES, file-type:EXE, Windows</p> </div> <div class="trending-threat-article"> <h3 id="article-4"><a href="https://research.checkpoint.com/2023/operation-silent-watch-desktop-surveillance-in-azerbaijan-and-armenia/" target="_blank">Operation Silent Watch: Desktop Surveillance in Azerbaijan and Armenia</a></h3> <p>(published: February 16, 2023)</p> <p>An Azerbaijan-sponsored threat actor has been using AutoIt-based malware for its cyberespionage campaigns since at least 2015. Their new campaign features a SCR self-extracting archive that masquerades as a PDF file and delivers an updated version of the OxtaRAT spyware when opened by the user. OxtaRAT comes as a polyglot file, which combines compiled AutoIT script and a PNG/JPG image. It is capable of performing port scanning, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC or PHP web shell, and searching for and exfiltrating files from the infected machine using the PHP FileManager. With this campaign the attackers targeted Armenian individuals and corporate environments, while previously the group was focused on dissidents inside Azerbaijan.<br/> <b>Analyst Comment:</b> Security researchers should be aware of sandboxing limitations as the attackers use IP-based geofencing to deliver their malware only to a certain country (in this case, Armenia). It is important for anti-phishing training to include the ability to recognize executable files masquerading as documents.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9842" target="_blank">[MITRE ATT&amp;CK] T1125 - Video Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9646" target="_blank">[MITRE ATT&amp;CK] T1021.005 - Remote Services: Vnc</a> | <a href="https://ui.threatstream.com/attackpattern/9869" target="_blank">[MITRE ATT&amp;CK] T1505.003 - Server Software Component: Web Shell</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/10007" target="_blank">[MITRE ATT&amp;CK] T1046 - Network Service Scanning</a> | <a href="https://ui.threatstream.com/attackpattern/3717" target="_blank">[MITRE ATT&amp;CK] T1564.001: Hidden Files and Directories</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&amp;CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a><br/> <b>Tags:</b> malware:OxtaRAT, malware-type:RAT, malware-type:Backdoor, Cyberespionage, target-country:Armenia, target-country:AM, target-country:Azerbaijan, target-country:AZ, source-country:Azerbaijan, source-country:AZ, Azeri Ministry of Internal Affairs, Polyglot, AutoIT, PHP web shell, PHP FileManager, Putty plink, file-type:SCR, file-type:EXE, file-type:BAT, file-type:PDF, file-type:PNG, Geofencing, Windows</p> </div> <div class="trending-threat-article"> <h3 id="article-5"><a href="https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america" target="_blank">Uncle Sow: Dark Caracal in Latin America</a></h3> <p>(published: February 10, 2023)</p> <p>Electronic Frontier Foundation researchers successfully registered the secondary C2 domain for a new version of the Bandook malware. It allowed them to monitor an ongoing campaign that began in March 2022 and targeted predominantly computers located in The Dominican Republic (75%) and Venezuela (20%). Judging by victim IP addresses, up to 700 victims were infected by the Bandook Windows spyware attributed to the cyber mercenary group Dark Caracal. The new Bandook version expanded the list of possible commands to 148 including: adding or removing files from the computer, downloading other libraries for additional functionality, recording the screen, starting a remote desktop session, taking control of the mouse, and turning on the webcam.<br/> <b>Analyst Comment:</b> All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9638" target="_blank">[MITRE ATT&amp;CK] T1105 - Ingress Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9842" target="_blank">[MITRE ATT&amp;CK] T1125 - Video Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a><br/> <b>Tags:</b> actor:Dark Caracal, target-region:Latin America, target-country:Dominican Republic, target-country:DO, target-country:Venezuela, target-country:VE, APT, Cyber mercenary, malware:Bandook, malware-type:Spyware, malware-type:RAT, file-type:DLL, Sinkholing, DES, RIPEMD-128, port:2222, SSH, Windows</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.
__wf_reserved_heredar