May 23, 2023 - Anomali Threat Research

Anomali Cyber Watch: CloudWizard Targets Both Sides in Ukraine, Camaro Dragon Trojanized TP-Link Firmware, RA Group Ransomware Copied Babuk

<div id="weekly"> <p id="intro">The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, China, Data leak, Infostealers, Package-name typosquatting, Phishing, </b> and <b> Ukraine</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/tPC6e2CmTpKK3eNbk5x7"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://securelist.com/cloudwizard-apt/109722/" target="_blank">CloudWizard APT: the Bad Magic Story Goes on</a></h3> <p>(published: May 19, 2023)</p> <p>A newly-discovered modular malware framework dubbed CloudWizard has been active since 2016. Kaspersky researchers were able to connect it to previously-recorded advanced persistent threat activities: Operation Groundbait and the Prikormka malware (2008-2016), Operation BugDrop (2017), PowerMagic (2020-2022) and CommonMagic (2022). Similar to these previous campaigns, CloudWizard targets individuals, diplomatic organizations, and research organizations in the Donetsk, Lugansk, Crimea, Central and Western Ukraine regions. CloudWizard’s two main modules perform encryption and decryption of all communications and relay the encrypted data to the cloud or web-based C2. Additional modules enable taking screenshots, microphone recording, keylogging and more.<br/> <b>Analyst Comment:</b> Earlier, ESET researchers concluded that the actors behind Operation Groundbait most likely operate from within Ukraine, but Kaspersky researchers did not share if they agree with this attribution. Wars and military conflicts attract additional cyber activity. 
All known CloudWizard indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9838" target="_blank">[MITRE ATT&amp;CK] T1140 - Deobfuscate/Decode Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9716" target="_blank">[MITRE ATT&amp;CK] T1573 - Encrypted Channel</a><br/> <b>Tags:</b> actor:CloudWizard, APT, target-country:Ukraine, target-region:Donetsk, target-region:Lugansk, target-region:Crimea, target-region:central Ukraine, target-region:western Ukraine, campaign:Operation BugDrop, campaign:Operation Groundbait, malware:Prikormka, malware:CloudWizard, malware:PowerMagic, malware:CommonMagic, target-industry:Diplomatic, target-industry:Research, abused:OneDrive, file-type:DLL, file-type:VFS, file-type:LRC, target-system:Windows</p> <h3 id="article-2"><a href="https://blog.cyble.com/2023/05/19/capcut-users-under-fire/" target="_blank">CapCut Users Under Fire</a></h3> <p>(published: May 19, 2023)</p> <p>Several campaigns are targeting users of the CapCut video editing software with typosquatted websites. Users in jurisdictions where this popular product of ByteDance is banned (Taiwan, India, and several other countries) are especially vulnerable. One campaign profiled by Cyble researchers delivers the Offx stealer. Another campaign delivers BatLoader eventually leading to RedLine Stealer and an Antimalware Scan Interface (AMSI) bypass tool. 
It had not been detected by any antivirus engine at the time of discovery.<br/> <b>Analyst Comment:</b> Users should download software only from the vendor's official website or app store. Where a product is unavailable or banned in a region, lookalike domains and unofficial mirrors become a reliable infection vector, so an availability restriction is a reason for more caution, not less. All known indicators associated with this CapCut-impersonating campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9883" target="_blank">[MITRE ATT&amp;CK] T1566 - Phishing</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&amp;CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9591" target="_blank">[MITRE ATT&amp;CK] T1027 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&amp;CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9593" target="_blank">[MITRE ATT&amp;CK] T1552 - Unsecured Credentials</a> | <a href="https://ui.threatstream.com/attackpattern/10030" target="_blank">[MITRE ATT&amp;CK] T1528 - Steal Application Access Token</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&amp;CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/9895" target="_blank">[MITRE ATT&amp;CK] T1095 - Non-Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9714" 
target="_blank">[MITRE ATT&amp;CK] T1071 - Application Layer Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9746" target="_blank">[MITRE ATT&amp;CK] T1567 - Exfiltration Over Web Service</a> | <a href="https://ui.threatstream.com/attackpattern/9617" target="_blank">[MITRE ATT&amp;CK] T1041 - Exfiltration Over C2 Channel</a> | <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&amp;CK] T1562.001: Disable or Modify Tools</a><br/> <b>Tags:</b> malware:Offx, malware-type:Infostealer, malware:BatLoader, malware-type:Loader, malware:RedLine, impersonated:CapCut, targeted:CapCut Users, technique:Phishing, target-country:Taiwan, target-country:India, malware-type:Infostealer, file-type:EXE, file-type:BAT, abused:PowerShell, target-system:Windows</p> <h3 id="article-3"><a href="https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic" target="_blank">RATs Found Hiding in the npm Attic</a></h3> <p>(published: May 18, 2023)</p> <p>Malicious packages at the npm public repository were staying undetected for up to two months. The attackers used name typosquatting and impersonation of popular, legitimate packages, used their code, and included links to the legitimate GitHub repositories. ReversingLabs researchers determined that this campaign was aiming at delivering a modified version of the open-source TurkoRat infostealer. It was used to steal user information and crypto wallets.<br/> <b>Analyst Comment:</b> Development organizations should take steps to avoid typing mistakes for dependencies, scrutinize the features and behaviors of the code they are relying on. Organizations should pay attention to suspicious combinations of code behavior such as discrepancies in naming, executing commands, hard-coded IP addresses, smaller than expected downloads, suspicious versioning, and writing data to files. 
Indicators associated with this TurkoRat campaign are available in the Anomali platform for ongoing infections and historical reference.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9611" target="_blank">[MITRE ATT&amp;CK] T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9597" target="_blank">[MITRE ATT&amp;CK] T1036 - Masquerading</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a><br/> <b>Tags:</b> malware:TurkoRat, malware-type:Infostealer, malware-type:Clipper, abused:npm, technique:Supply chain, technique:Package name typosquatting, actor:AliTefeli02, file-type:JS, file-type:EXE, target-industry:Software Publishers, target-industry:Cryptocurrency, target-system:Windows</p> <h3 id="article-4"><a href="https://www.trellix.com/en-us/about/newsroom/stories/research/china-taiwan-tensions-spark-surge-in-cyberattacks-on-taiwan.html" target="_blank">China-Taiwan Tensions Spark Surge in Cyberattacks on Taiwan</a></h3> <p>(published: May 17, 2023)</p> <p>In April 2023, rising geopolitical tensions between China and Taiwan coincided with an increase in cyberattacks against Taiwan in the form of malicious emails and phishing URLs. Trellix researchers identified detections of PlugX and other malware. The malicious emails targeted various industries, with networking/IT, manufacturing, and logistics the most affected. The phishing URLs led to generic login pages, company-specific lookalike pages, and multi-brand login pages, all built to harvest credentials. 
Three days after the phishing email volume peaked, PlugX RAT detections spiked, alongside sightings of other malware families such as Formbook, Kryptik, and Zmutzy.<br/> <b>Analyst Comment:</b> All employees should be trained to recognize phishing attempts and should know whom to report them to. Unsolicited emails that ask the recipient to follow a link and enter credentials are a typical sign of phishing; pages that mimic a company's own login portal are harder to spot, so phishing-resistant multi-factor authentication limits the damage when a password is captured. Host-based indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&amp;CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a><br/> <b>Tags:</b> malware:PlugX, detection:BackDoor-PlugX, detection:Trojan:Win32/Korplug, malware:Kryptik, malware:Zmutzy, detection:Trojan-AutoIt, malware:Formbook, target-industry:Networking, target-industry:Manufacturing, target-country:Taiwan, target-industry:Logistics, file-type:ISO, file-type:DLL, target-system:Windows</p> <h3 id="article-5"><a href="https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/" target="_blank">The Dragon Who Sold His Camaro: Analyzing Custom Router Implant</a></h3> <p>(published: May 16, 2023)</p> <p>Check Point researchers have recently discovered a malicious firmware 
implant tailored for TP-Link routers. The implant is associated with a China-sponsored group tracked as Camaro Dragon, and its activity overlaps with previously-reported operations of the Mustang Panda group. The actors trojanized TP-Link firmware images by modifying two files and adding four files to the altered router firmware. The implant contains several malicious components, including a custom backdoor, dubbed Horse Shell, that provides a remote shell, file transfer, and network tunneling, letting the operators anonymize their traffic by relaying it through a chain of infected routers.<br/> <b>Analyst Comment:</b> The initial access vector is not known, so the practical defenses are generic: keep network devices on the latest vendor firmware, replace default credentials, and do not expose management interfaces to the internet. Since the implant lives in a modified firmware image, comparing a device's installed firmware against the vendor's published image hash is the most direct way to confirm a suspected compromise. Indicators associated with this campaign and the Horse Shell YARA rule provided by Check Point are available in the Anomali platform.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&amp;CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] T1082 - System Information Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9716" target="_blank">[MITRE ATT&amp;CK] T1573 - Encrypted Channel</a><br/> <b>Signatures:</b> <a href="https://ui.threatstream.com/signature/108024" target="_blank">CamaroDragon's HorseShell implant - YARA by Check Point </a><br/> <b>Tags:</b> actor:Camaro Dragon, malware:Horse Shell, detection:HorseShell, malware-type:Backdoor, malware-type:Implant, actor:Mustang Panda, source-country:China, target-region:Europe, file-type:ELF, 
file-type:LOG, file-type:DAT, target-device:TP-Link router, target-system:Linux</p> <h3 id="article-6"><a href="https://blog.talosintelligence.com/ra-group-ransomware/" target="_blank">Newly Identified RA Group Compromises Companies in U.S. and South Korea with Leaked Babuk Source Code</a></h3> <p>(published: May 15, 2023)</p> <p>RA Group is a new ransomware group that has been actively exposing target data since April 2023. The group uses double-extortion tactics. Talos researchers established that RA Group’s ransomware is based on the leaked Babuk ransomware source code. The ransomware is written in C++, appears to be built per victim with the target’s name embedded, and, like Babuk, uses Curve25519 for key exchange and the eSTREAM HC-128 stream cipher for file encryption. The group’s first exposed targets were organizations in the US and South Korea.<br/> <b>Analyst Comment:</b> Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allow recovery without any need to decrypt the affected data. Because the group also leaks stolen data, backups do not address the extortion side: data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&amp;CK] T1490: Inhibit System Recovery</a><br/> <b>Tags:</b> actor:RA Group, target-country:US, target-country:South Korea, malware:Babuk, detection:Win.Ransomware.Babuk, malware-type:Ransomware, malware:RA, detection:Ransomware/Win.RA, abused:qTox, abused:TOR, Data leak site, target-industry:Manufacturing, target-industry:Wealth management, target-industry:Insurance, target-industry:Pharmaceuticals, file-type:EXE, file-type:GAGUP, target-system:Windows</p> </div> </div>
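The npm analyst comment above lists the warning signs to look for in a dependency: a name close to a trusted package, a repository link that points somewhere else, odd versioning, hard-coded IP addresses, command execution and file writes. The script below is an added example written for this page, not ReversingLabs' tooling or the Anomali platform; it runs those checks over two constructed package records. The trusted-name list `KNOWN_POPULAR`, the `Package` fields, the sample sources and the `203.0.113.7` address (a documentation range) are all assumptions built for the demonstration. The same edit-distance check works unchanged on domain names, which is the CapCut lookalike-site problem from the earlier story.

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical allow-list of package names the team already trusts (an assumption
# of this example; in practice it would come from the project's reviewed lockfile).
KNOWN_POPULAR = {"lodash", "express", "chalk", "axios", "agent-base"}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXEC_PATTERNS = ("child_process", "execSync(", "spawn(", "exec(")
WRITE_PATTERNS = ("writeFileSync(", "writeFile(", "appendFileSync(")
NET_PATTERNS = ("http.request", "https.request", "fetch(", "net.connect", "axios.")


@dataclass
class Package:
    """Fields a reviewer would pull from the registry tarball of one dependency."""
    name: str
    version: str
    repository: str          # package.json "repository" URL as published
    published_versions: int  # how many versions the registry lists for this name
    source: str              # contents of the package entry point


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to find near-miss spellings of trusted package names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, known=KNOWN_POPULAR, max_dist: int = 2) -> List[str]:
    """Trusted names within max_dist edits of `name` (but not `name` itself)."""
    return sorted(k for k in known if k != name and levenshtein(name, k) <= max_dist)


def repo_slug(url: str) -> str:
    """Last path component of a repository URL, e.g. .../lodash/lodash.git -> lodash."""
    slug = url.rstrip("/").rsplit("/", 1)[-1].lower()
    return slug[:-4] if slug.endswith(".git") else slug


def audit(pkg: Package) -> List[str]:
    """Return the warning signs found for one package; an empty list means clean."""
    findings: List[str] = []
    squats = typosquat_candidates(pkg.name)
    if squats:
        findings.append(f"name resembles trusted package(s): {', '.join(squats)}")
    if pkg.repository and repo_slug(pkg.repository) != pkg.name.lower():
        findings.append(f"repository link points at a different project: {pkg.repository}")
    if pkg.published_versions == 1 and pkg.version.split(".")[0] not in ("0", "1"):
        findings.append(f"single published release with mature-looking version {pkg.version}")
    ips = sorted(set(IPV4.findall(pkg.source)))
    if ips:
        findings.append(f"hard-coded IP address(es): {', '.join(ips)}")
    execs = any(p in pkg.source for p in EXEC_PATTERNS)
    writes = any(p in pkg.source for p in WRITE_PATTERNS)
    nets = any(p in pkg.source for p in NET_PATTERNS)
    if execs:
        findings.append("executes OS commands")
    if writes:
        findings.append("writes data to files")
    if nets and (execs or writes):
        findings.append("network access combined with command execution or file writes")
    return findings


# Constructed sample inputs for the demonstration (not real registry data).
BENIGN = Package(
    name="lodash", version="4.17.21",
    repository="https://github.com/lodash/lodash.git", published_versions=114,
    source="module.exports = { chunk: (arr, n) => arr.slice(0, n) };\n",
)
SUSPECT = Package(
    name="lodahs", version="4.17.21",
    repository="https://github.com/lodash/lodash.git", published_versions=1,
    source=(
        "const { execSync } = require('child_process');\n"
        "const fs = require('fs');\n"
        "const https = require('https');\n"
        "fs.writeFileSync('/tmp/.cache', execSync('whoami'));\n"
        "https.request({ host: '203.0.113.7', path: '/c' }).end();\n"  # TEST-NET-3 address
        "module.exports = require('./lodash.js');\n"
    ),
)

if __name__ == "__main__":
    for pkg in (BENIGN, SUSPECT):
        report = audit(pkg)
        print(f"{pkg.name}@{pkg.version}: {'clean' if not report else ''}")
        for line in report:
            print("  -", line)
```

Each finding on its own is weak evidence (plenty of legitimate build tooling spawns processes and writes files); the point of the combined scan is that a near-miss name plus a borrowed repository link plus network-and-exec in the entry point is the pattern the story describes, and that combination should block the dependency until someone has read the code.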

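The Camaro Dragon story describes a firmware image altered by modifying two vendor files and adding four. The most direct way to surface that kind of tampering is to hash every file in the unpacked root filesystem and diff the result against a manifest taken from the vendor's own image. The script below is an added example for this page and is not Check Point's tooling; it builds a constructed vendor tree and a trojanized copy in a temporary directory so it runs offline. The file names and contents are placeholders chosen to mirror the "two modified, four added" shape of the story, not the real implant's paths, and unpacking the image itself (for example with a firmware extraction tool such as binwalk) is assumed to have happened already.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    out: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks are compared by target, not content; out of scope here
        h = hashlib.sha256()
        with p.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)  # chunked so large binaries do not need to fit in memory
        out[p.relative_to(root).as_posix()] = h.hexdigest()
    return out


def diff_manifests(baseline: Dict[str, str], candidate: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths as added, removed or modified relative to the baseline manifest."""
    base, cand = set(baseline), set(candidate)
    return {
        "added": sorted(cand - base),
        "removed": sorted(base - cand),
        "modified": sorted(p for p in base & cand if baseline[p] != candidate[p]),
    }


def write_tree(root: Path, files: Dict[str, bytes]) -> None:
    """Materialize a {relative path: bytes} mapping on disk."""
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo() -> Dict[str, List[str]]:
    """Constructed stand-ins for an unpacked vendor rootfs and a trojanized copy of it."""
    vendor = {
        "etc/init.d/rcS": b"#!/bin/sh\n/usr/bin/httpd &\n",
        "bin/busybox": b"\x7fELF placeholder busybox",
        "usr/bin/httpd": b"\x7fELF placeholder httpd",
        "www/upgrade.htm": b"<form action='/upgrade'></form>",
        "etc/passwd": b"root::0:0:root:/root:/bin/sh\n",
    }
    suspect = dict(vendor)
    # Two vendor files edited: boot script gains a launcher line, upgrade page is neutered.
    suspect["etc/init.d/rcS"] = vendor["etc/init.d/rcS"] + b"/usr/bin/tund &\n"
    suspect["www/upgrade.htm"] = b"<!-- upgrade form removed -->"
    # Four files that do not exist in the vendor image (placeholder names, constructed).
    for rel in ("usr/bin/tund", "usr/bin/netd", "usr/bin/timerd", "usr/bin/updd"):
        suspect[rel] = b"\x7fELF placeholder " + rel.encode()
    with tempfile.TemporaryDirectory() as tmp:
        vendor_root, suspect_root = Path(tmp, "vendor"), Path(tmp, "suspect")
        write_tree(vendor_root, vendor)
        write_tree(suspect_root, suspect)
        return diff_manifests(manifest(vendor_root), manifest(suspect_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline manifest is only as trustworthy as the image it was taken from, so generate it from a vendor download whose published hash or signature you have verified, never from a device already in the field. The diff also says nothing about a file that is unchanged but was malicious in the baseline, and it will not see a modified bootloader or a second partition that was not unpacked; it answers one narrow question, whether the filesystem still matches what the vendor shipped, which is exactly the question this story raises.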