January 25, 2022
-
Anomali Threat Research
,

Anomali Cyber Watch: MoonBounce, AccessPress, QR Code Scams and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, Linux Malware, Supply-Chain Attacks, Malspam, Phishing,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/Vf3Pw5pyTYuwPJutETfK"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-malicious-qr-codes-used-to-steal-your-money/" target="_blank">FBI Warns Of Malicious QR Codes Used To Steal Your Money</a></h3> <p>(published: January 23, 2022)</p> <p>The Federal Bureau of Investigation (FBI) recently released a notice that malicious QR codes have been found in the wild. These codes, when scanned, will redirect the victim to a site where they are prompted to enter personal and payment details. The site will then harvest these credentials for cybercriminals to commit fraud and empty bank accounts. This threat vector has been seen in Germany as of December 2021.<br/> <b>Analyst Comment:</b> Always be sure to check that emails have been sent from a legitimate source, and that any financial details or method of payment is done through the website. While QR codes are useful and being used by businesses more often, it is easy for cybercriminals to perform this kind of scam. If scanning a physical QR code, ensure the code has not been replaced with a sticker placed on top of the original code. Check the final URL to make sure it is the intended site and looks authentic.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> EU &amp; UK, Banking and Finance</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/" target="_blank">MoonBounce: The Dark Side Of UEFI Firmware</a></h3> <p>(published: January 20, 2022)</p> <p>Kaspersky has reported that in September 2021, a bootloader malware infection had been discovered that embeds itself into UEFI firmware. The malware patches existing UEFI drivers and resides in the SPI flash memory located on the motherboard. This means that it will persist even if the hard drive is replaced. Code snippets and IP addresses link the activity to APT41, a group that is operated by a group of Chinese-speaking individuals. MoonBounce is highly sophisticated and very difficult to detect.<br/> <b>Analyst Comment:</b> Systems should be configured to take advantage of Trusted Platform Module (TPM) hardware security chips to secure their systems' boot image and firmware, where available. Secure boot is also a viable option to mitigate against attacks that would patch, reconfigure, or flash existing UEFI firmware to implant malicious code.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905341" target="_blank">[MITRE ATT&amp;CK] Pre-OS Boot - T1542</a> | <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/947217" target="_blank">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3905084" target="_blank">[MITRE ATT&amp;CK] Shared Modules - T1129</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a><br/> <b>Tags:</b> MoonBounce, APT41, UEFI, ScrambleCross, SideWalk, StealthVector, StealthMutant, Microcin, Mimikat_ssp, Go, xTalker, China, Russia, Transportation</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply-chain-attack.html" target="_blank">AccessPress Themes Hit With Targeted Supply Chain Attack</a></h3> <p>(published: January 20, 2022)</p> <p>A supply chain attack has been disclosed that occurred in September 2021 against the site AccessPress. Once the infected plugins are installed, the attacker gains complete access to the victim’s website by way of a downloaded webshell. Once the webshell is active, the dropper component is scrubbed from the affected PHP files. Any user who has directly downloaded any of their provided themes or plugins in the last five months is advised to immediately update.<br/> <b>Analyst Comment:</b> It is advised to update all affected WordPress themes and plugins to a clean, updated version; these are all listed in the blog article. It is also advised to use the provided YARA signature to detect if the dropper or webshell has infected your WordPress site.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947137" target="_blank">[MITRE ATT&amp;CK] Supply Chain Compromise - T1195</a> | <a href="https://ui.threatstream.com/ttp/947220" target="_blank">[MITRE ATT&amp;CK] Trusted Relationship - T1199</a> | <a href="https://ui.threatstream.com/ttp/3905776" target="_blank">[MITRE ATT&amp;CK] Hide Artifacts - T1564</a><br/> <b>Tags:</b> AccessPress, WordPress, Webshell</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.inky.com/blog/fresh-phish-phishers-lure-victims-with-fake-invites-to-bid-on-nonexistent-federal-projects" target="_blank">Office 365 Phishing Attack Impersonates The US Department of Labor</a></h3> <p>(published: January 19, 2022)</p> <p>A new phishing campaign impersonating the United States Department of Labor asks recipients to submit bids, in order to steal Office 365 credentials. The phishing campaign has been ongoing for several months and utilizes over ten different phishing sites impersonating the government agency. The emails are sent by servers controlled by a non-profit organization to create legitimacy with the headers and bypass filters. If there are multiple attempts to enter fake credentials, the malicious site will redirect to the legitimate Department of Labor site.<br/> <b>Analyst Comment:</b> Threat actors deliver malware in numerous ways and will consistently update their TTPs to make analysis and discovery more difficult. Educate your employees on the methods actors use to distribute malware: compromised websites, malicious files, phishing, spearphishing, and vulnerability exploitation, among others.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> Phishing, Microsoft 365, Google Workplace</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/donot-team-apt-will-strike-govt-targets-for-years-until-they-succeed/#ftag=RSSbaffb68" target="_blank">Donot Team APT Will Strike Gov't, Military Targets For Years - Until They Succeed</a></h3> <p>(published: January 19, 2022)</p> <p>Starting in 2016, the APT group Donot Team (also known as APT-C-35 and SectorE02) have operated out of India targeting Government and Military operations. Donot has been sending phishing emails to the same targets roughly every two months for several years. The main method of attack is phishing with maldocs that have embedded shellcode used to exploit CVE‑2017‑11882 in Microsoft Office. The malicious code will then download malware such as DarkMusical and Gedit, enabling C2 communications for data exfiltration and file/folder creation.<br/> <b>Analyst Comment:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/3297612" target="_blank">[MITRE ATT&amp;CK] Internal Spearphishing - T1534</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947100" target="_blank">[MITRE ATT&amp;CK] Data from Removable Media - T1025</a> | <a href="https://ui.threatstream.com/ttp/947079" target="_blank">[MITRE ATT&amp;CK] Screen Capture - T1113</a><br/> <b>Tags:</b> DarkMusical, Gedit, yty malware framework, CVE‑2017‑11882, APT-C-35, Donot Team, SectorE02, EU &amp; UK, China, Pakistan, Middle East, Government, Military, Transportation</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/" target="_blank">Active Exploitation of VMware Horizon Servers</a></h3> <p>(published: January 18, 2022)</p> <p>Attackers are actively targeting VMware Horizon servers vulnerable to Apache Log4j CVE-2021-44228 (Log4Shell) and related vulnerabilities that were patched in December 2021. Attackers have been using PowerShell and System.Net.WebClient to download CryptoMiners, as well as Cobalt Strike backdoor, during post-exploitation activities. Ngrok, a legitimate tool used to tunnel traffic through a NAT or firewall, has also been observed. A third attack uses Node to run a small Javascript code snippet to create a reverse shell.<br/> <b>Analyst Comment:</b> It is advised to patch all systems against CVE-2021-44228 and CVE-2021-45046 to prevent Log4Shell attacks. This is a high-priority vulnderability and presents a significant risk to all systems that use Java Log4j versions 2.x. Users and IT departments are advised to update to version 2.16.0 for Java 8, and 2.12.2 or later for Java 7.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947231" target="_blank">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/3904549" target="_blank">[MITRE ATT&amp;CK] Remote Service Session Hijacking - T1563</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a><br/> <b>Tags:</b> VMWare Horizon, CVE-2021-44228, Log4j, Log4Shell</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.trendmicro.com/en_us/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html" target="_blank">New White Rabbit Ransomware Linked To FIN8 Hacking Group</a></h3> <p>(published: January 18, 2022)</p> <p>A new ransomware family called 'White Rabbit' appeared in the wild in December 2021 and could be a side-operation of the FIN8 hacking group. FIN8 is a financially motivated actor who has been spotted targeting financial organizations for several years, primarily by deploying POS malware that steals credit card details. The file is roughly 100kb in size and is run via command line. On runtime, the payload requires a password; giving an incorrect password will cause it to fail. White Rabbit also uses a new backdoor dubbed ‘Badhatch’ in conjunction with F5.<br/> <b>Analyst Comment:</b> Do not open any files from sources that have not been verified to be legitimate, or from legitimate sources without verifying that files are being sent to a specific email account. Caution should also be taken when files have passwords that do not follow a practical naming scheme.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947207" target="_blank">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/947097" target="_blank">[MITRE ATT&amp;CK] Permission Groups Discovery - T1069</a> | <a href="https://ui.threatstream.com/ttp/947082" target="_blank">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947200" target="_blank">[MITRE ATT&amp;CK] System Network Connections Discovery - T1049</a> | <a href="https://ui.threatstream.com/ttp/3905348" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947142" target="_blank">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/2402537" target="_blank">[MITRE ATT&amp;CK] Domain Trust Discovery - T1482</a> | <a href="https://ui.threatstream.com/ttp/947077" target="_blank">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a><br/> <b>Tags:</b> White Rabbit, Badhatch, Ransomware, FIN8</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.bleepingcomputer.com/news/security/cyber-espionage-campaign-targets-renewable-energy-companies/" target="_blank">Cyber Espionage Campaign Targets Renewable Energy Companies</a></h3> <p>(published: January 17, 2022)</p> <p>A large-scale espionage campaign targeting renewable energy and industrial technology organizations has been discovered to be active since at least 2019, targeting over fifteen entities worldwide. The attackers, which are purported to be APT28 (known as FancyBear) and Konni, use a ‘Mail Box’ toolkit that directs victims to domains ending in ‘eu3[.]biz’ and ‘eu3[.]org’. The emails inform potential victims that their mailbox storage is full and to follow a link for clean up and archiving. The goal of the campaign is to harvest access credentials.<br/> <b>Analyst Comment:</b> This APT is using legitimate methods to access networks and steal information. Campaigns like this are difficult to detect because they may not be using any malware to achieve their hands-on-objectives. Behavioural monitoring capabilities include detecting when files and data are accessed that are outside the normal working hours or job specification of the account holder. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a><br/> <b>Tags:</b> Phishing, Zetta, APT28, FancyBear, Konni, Europe</p> </div> <div class="trending-threat-article"> <h3 id="article-1"><a href="https://www.zdnet.com/article/linux-malware-is-on-the-rise-here-are-three-top-threats-right-now/#ftag=RSSbaffb68" target="_blank">Linux Malware Is On The Rise. Here Are Three Top Threats Right Now.</a></h3> <p>(published: January 17, 2022)</p> <p>Linux-based systems are the backbone of the internet infrastructure, but it's low-powered Internet of Things (IoT) devices that have become the main target for Linux malware. Three malware families are currently the most active and dangerous to Linux systems. First is XorDDos, which uses XOR encryption for C2 communications and abuses open Docker instances. Next, Mozi is a peer-to-peer (P2P) botnet infector that uses distributed hash table systems, hiding malicious traffic in DHT traffic. Lastly, the Mirai botnet trojan has multiple variants in the wild and uses ssh brute-forcing to attack weak password-protected services such as telnet.<br/> <b>Analyst Comment:</b> It is important that your company has patch-maintenance policies in place, particularly if there are numerous internet-facing services your company uses or provides. Once a vulnerability has been reported on in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. Passwords should also be changed regularly and meet minimum complexity requirements.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3904531" target="_blank">[MITRE ATT&amp;CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/947217" target="_blank">[MITRE ATT&amp;CK] Exploitation of Remote Services - T1210</a> | <a href="https://ui.threatstream.com/ttp/3905768" target="_blank">[MITRE ATT&amp;CK] Boot or Logon Autostart Execution - T1547</a> | <a href="https://ui.threatstream.com/ttp/947227" target="_blank">[MITRE ATT&amp;CK] Brute Force - T1110</a> | <a href="https://ui.threatstream.com/ttp/947224" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a><br/> <b>Tags:</b> XorDDoS, Mozi, Mirai, Linux</p> </div> <h2>Observed Threats</h2> <p>Additional information regarding the threats discussed in this week's Weekly Threat Briefing can be found below:</p> <p><a href="https://ui.threatstream.com/actor/28033" target="_blank">APT41</a><br/> APT41 is a Chinese-based group that have carried out financially-motivated attacks from as early as 2012 but have become more known for their state-sponsored campaigns with activity as early as 2013. The groups earliest activity focused on financial gain and would target organizations in the video game industry by gaining access to game development environments. The groups’ financially-motivated activities focused on stealing source code and digital certificates, virtual currency gold mining, and attempting to deploy ransomware within these game environments. The Tools, Techniques and Procedures (TTPs) used and campaigns carried out by APT41 for financial motivations would later be leveraged for state-sponsored attacks for China. From 2013 onwards, APT41’s focus would concurrently carry out espionage operations against high value industry sectors with their previous financially-motivated attacks towards the games industry.</p> <p><a href="https://ui.threatstream.com/actor/4494" target="_blank">APT28</a><br/> The Advanced Persistent Threat (APT) group “APT28” is believed to be a Russian-sponsored group that has been active since at least 2007. The group displays high levels of sophistication in the multiple campaigns that they have been attributed to, and various malware and tools used to conduct the operations align with the strategic interests of the Russian government. The group is believed to operate under the Main Intelligence Directorate (GRU), the foreign intelligence agency of the Russian armed forces.</p> <p><a href="https://ui.threatstream.com/actor/14714" target="_blank">FIN8</a><br/> FIN8 is a financially-motivated Advanced Persistent Threat (APT) group that has been active since at least 2016. The FIN8 group primarily targets the retail and hospitality industry among others and deploys Point-of-Sale (POS) malware to exfiltrate credit card details. The group primarily relies on spear-phishing emails to deliver weaponized macro-enabled documents to gain an initial foothold on their targets. In the past, FIN8 has leveraged a zero-day vulnerability in its campaigns and also utilized innovative obfuscation techniques to effectively stay under the radar.</p> <p><a href="https://ui.threatstream.com/tip/3271732" target="_blank">Apache Log4j 2 Vulnerability Affects Numerous Companies, Millions of Users</a><br/> A critical vulnerability, registered as CVE-2021-44228 (Log4Shell), has been identified in Apache Log4j 2, which is an open source Java package used to enable logging in. The vulnerability was discovered by Chen Zhaojun of Alibaba in late November 2021, reported to Apache, and subsequently released to the public on December 9, 2021.</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.
__wf_reserved_heredar