September 13, 2022
-
Anomali Threat Research
,

Anomali Cyber Watch: Iran-Albanian Cyber Conflict, Ransomware Adopts Intermittent Encryption, DLL Side-Loading Provides Variety to PlugX Infections, and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>China, Cyberespionage, Defense evasion, DDoS, Iran, Ransomware, PlugX,</b> and <b>Spearphishing</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/90DBsiW5R8agmJj1bFsQ"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank">Microsoft Investigates Iranian Attacks Against the Albanian Government</a></h3> <p>(published: September 8, 2022)</p> <p>Microsoft researchers discovered that groups working under Iran’s Ministry of Intelligence and Security (MOIS, tracked as OilRig) attacked the government of Albania. The attackers started with initial intrusion in May 2021, proceeded with mailbox exfiltrations between October 2021 and January 2022, organized controlled leaks, and culminated on July 15, 2022, with disruptive ransomware and wiper attacks. This attack is probably a response to the June 2021 Predatory Sparrow’s anti-Iranian cyber operations promoting the Mujahedin-e Khalq (MEK), an Iranian dissident group largely based in Albania.<br/> <b>Analyst Comment:</b> MOIS attack on Albania uses messaging and targeting similar to the previous MEK-associated attack on Iran. It tells us that Iran has chosen to engage in a form of direct and proportional retaliation as it sees it. Still, the attack and its attribution caused Albania to cut diplomatic ties with Iran and expel the country's embassy staff. Organizations should implement multifactor authentication (MFA) for mailbox access and remote connectivity. Anomali platform users advised to block known OilRig network indicators.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/3905778" target="_blank">[MITRE ATT&amp;CK] Impair Defenses - T1562</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a><br/> <b>Tags:</b> OilRig, Helix Kitten, APT34, MOIS, Ministry of Intelligence and Security, Predatory Sparrow, Wiper, CVE-2021-26855, CVE-2019-0604, CVE-2022-28799, Government, Albania, target-country:AL, Iran, source-country:IR, DEV-0842, DEV-0861, DEV-0166, DEV-0133, Europium, APT, detection:Jason, detection:Mellona</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.secureworks.com/blog/bronze-president-targets-government-officials" target="_blank">BRONZE PRESIDENT Targets Government Officials</a></h3> <p>(published: September 8, 2022)</p> <p>Secureworks researchers detected a new campaign by China-sponsored group Mustang Panda (Bronze President). In June and July 2022, the group used spearphishing to deliver the PlugX malware to government officials in Europe, the Middle East, and South America. To bypass mail-scanning antiviruses, the archived email attachment had malware embedded eight levels deep in a sequence of hidden folders named with special characters.<br/> <b>Analyst Comment:</b> Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a><br/> <b>Tags:</b> mitre-group:Mustang Panda, actor:Bronze President, mitre-software:PlugX, China, source-country:CN, target-industry:Government (NAICS 92), APT, Windows, target-region:Europe, target-region:Middle East, target-region:South Africa</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/" target="_blank">Ransomware Developers Turn to Intermittent Encryption to Evade Detection</a></h3> <p>(published: September 8, 2022)</p> <p>SentinelOne researchers describe a new technique used by multiple ransomware operators: intermittent encryption. Starting from a certain file size, their ransomware does a partial encryption: it encrypts the start of the file and then alternates between skipping a portion of the file and encrypting a portion. Intermittent encryption allows for faster disk encryption and helps evade detection based on detecting high intensity of file I/O operations. Several ransomware groups use it including Agenda, Black Basta, BlackCat, PLAY, and Qyick ransomware.<br/> <b>Analyst Comment:</b> Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Ransomware, Intermittent encryption, Defense evasion, Intensity of file I/O operations, detection:Qyick, detection:Agenda, detection:BlackCat, detection:BlackBasta, detection:PLAY</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.cybereason.com/blog/threat-analysis-report-plugx-rat-loader-evolution" target="_blank">PlugX RAT Loader Evolution</a></h3> <p>(published: September 8, 2022)</p> <p>Cybereason researchers analyzed the evolution of the PlugX malware family, a modular Remote Access Trojan (RAT) with backdoor, exfiltration, and keystroke grabbing functionality. Since 2008, PlugX has been used for high-profile targeting by several China-sponsored groups such as Emissary Panda (APT27). One typical PlugX infection chain includes an archived spearphishing attachment containing two malicious files and one legitimate executable used for DLL side-loading. From 2012 through 2022, PlugX was updated regularly, as its new versions were varying in defense evasion and obfuscation implementations.<br/> <b>Analyst Comment:</b> The DLL side-loading technique provides the malware developer with various combinations, allowing the PlugX developers to avoid major changes in the malware and its deployment methods. PlugX remains a well-maintained malware project for China-sponsored APTs. Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open and execute it. It is important to teach your users basic online hygiene and phishing awareness. Organizations should implement defense-in-depth and patch management approaches.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947243" target="_blank">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3905769" target="_blank">[MITRE ATT&amp;CK] Native API - T1106</a> | <a href="https://ui.threatstream.com/ttp/3905768" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/3905040" target="_blank">[MITRE ATT&amp;CK] Create or Modify System Process - T1543</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&amp;CK] Hide Artifacts - T1564</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947293" target="_blank">[MITRE ATT&amp;CK] Trusted Developer Utilities - T1127</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947200" target="_blank">[MITRE ATT&amp;CK] System Network Connections Discovery - T1049</a> | <a href="https://ui.threatstream.com/ttp/947252" target="_blank">[MITRE ATT&amp;CK] Query Registry - T1012</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947123" target="_blank">[MITRE ATT&amp;CK] Network Share Discovery - T1135</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a> | <a href="https://ui.threatstream.com/ttp/947079" target="_blank">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/3904531" target="_blank">[MITRE ATT&amp;CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/947250" target="_blank">[MITRE ATT&amp;CK] Standard Non-Application Layer Protocol - T1095</a> | <a href="https://ui.threatstream.com/ttp/947203" target="_blank">[MITRE ATT&amp;CK] Web Service - T1102</a><br/> <b>Tags:</b> PlugX, APT27, Emissary Panda, Government, Military, Tourism, Geopolitics, Cyberespionage, APT, China, source-country:CN, RAT, Backdoor, Keylogger, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-249a" target="_blank">Alert (AA22-249A) #StopRansomware: Vice Society</a></h3> <p>(published: September 6, 2022)</p> <p>Following a number of ransomware attacks on US colleges and especially K-12 institutions, the Cybersecurity and Infrastructure Security Agency issued a warning regarding the Vice Society ransomware group. This double-extortion ransomware group has been active since May 2021. It relied on ransomware-as-a-service offerings: in 2021, HelloKitty ransomware for Linux, and in 2022, Zeppelin ransomware for Windows. Once inside, the group was using tools including Cobalt Strike, PowerShell Empire, and SystemBC to move laterally, and it was observed exploiting the PrintNightmare vulnerability to escalate privileges, specifically, two of the three PrintNightmare variants were abused: CVE-2021-1675 and CVE-2021-34527.<br/> <b>Analyst Comment:</b> Threat actors will often attempt to exploit old vulnerabilities that already have patches because there is a lot of open source information on said vulnerabilities. This makes it easier to use an exploit for the vulnerability because proof-of-concept code is likely available and ready to be weaponized. Therefore, having patch policies and business continuity plans in place are crucial in maintaining a good security posture. Additionally, organizations should schedule vulnerability scanning and pentesting services and close unused remote capabilities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/3905040" target="_blank">[MITRE ATT&amp;CK] Create or Modify System Process - T1543</a> | <a href="https://ui.threatstream.com/ttp/3905768" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947110" target="_blank">[MITRE ATT&amp;CK] Taint Shared Content - T1080</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/3297598" target="_blank">[MITRE ATT&amp;CK] Account Access Removal - T1531</a><br/> <b>Tags:</b> Vice Society, Ransomware, Double extortion, HelloKitty, Linux, Zeppelin, Ransomware-as-a-Service, Windows, WMI, SystemBC, PowerShell Empire, Cobalt Strike, PrintNightmare, CVE-2021-1675, CVE-2021-34527</p> </div> <div class="trending-threat-article"> <h3><a href="https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/" target="_blank">DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa</a></h3> <p>(published: September 6, 2022)</p> <p>Check Point researchers described DangerousSavanna, a spearphishing campaign targeting financial institutions in Cameroon, Ivory Coast, Morocco, Senegal, and Togo. Since the end of 2020, DangerousSavanna has been employing various tools and methods, trying different file types and infection chains. Most recently, DangerousSavanna spearphishing lures written in French had ZIP or ISO attachments containing maldocs. User execution leads to PowerShell script downloading and executing beacons and payloads belonging to the PoshC2 post-exploitation C2 framework. DangerousSavanna employs various evasion techniques including waiting for a mouse click and employing AMSI bypass measures.<br/> <b>Analyst Comment:</b> Despite heavy reliance on open-source tools and penetration testing software, the DangerousSavanna’s persistent attempts at infiltration allowed them to breach some of the targets. It is important to keep in mind that even a single employee who can be confused by social engineering puts the whole organization at risk.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905339" target="_blank">[MITRE ATT&amp;CK] Event Triggered Execution - T1546</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a><br/> <b>Tags:</b> DangerousSavanna, Metasploit, DWservice, AsyncRAT, PoshC2, Meterpreter, PowerShell, AMSI bypass, Banking, Finance, Ivory Coast, target-country:CI, Morocco, target-country:MA, Cameroon, target-country:CM, Senegal, target-country:SN, Togo, target-country:TG, French-speaking, Africa</p> </div> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/moobot-d-link-devices/" target="_blank">Mirai Variant MooBot Targeting D-Link Devices</a></h3> <p>(published: September 6, 2022)</p> <p>Palo Alto Networks researchers analyzed a new Mirai botnet variant dubbed MooBot. It spreads by exploiting four known vulnerabilities in D-Link network and connectivity devices (CVE-2015-2051, CVE-2018-6530, CVE-2022-28958, and CVE-2022-26258). The main objective for the botnet handlers is the ability to launch distributed denial-of-service (DDoS) attacks.<br/> <b>Analyst Comment:</b> D-Link users should apply security upgrades and patches where possible. Otherwise, your organization should have specific DDoS protection tools deployed across its internet-facing assets and a solid business resilience and DDoS recovery plan.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a><br/> <b>Tags:</b> MooBot, D-Link, Mirai, Botnet, CVE-2018-6530, CVE-2015-2051, CVE-2022-28958, CVE-2022-26258, Linux, DDoS</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Anomali Cyber Watch can be found below:</p> <p><a href="https://ui.threatstream.com/actor/244182" target="_blank">Vice Society</a><br/> Vice Society is a double-extortion ransomware group active since May 2021. It relies on commodity crypters (ransomware). In 2021, Vice Society was using HelloKitty ransomware for Linux, and in 2022, switched to the Zeppelin Ransomware-as-a-Service targeting Windows. Vice Society has been starting its intrusions with exploiting internet-facing applications. Once inside, the group was using tools including SystemBC, PowerShell Empire, and Cobalt Strike to move laterally, and it was observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges. "Vice Society" is a self-identification name, the group also has a preferred extension “.v-society.” for the encrypted files.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.
__wf_reserved_heredar