<div id="weekly">
<p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, China, Cryptomining, Cyberespionage, Decompressor evasion, Phishing, Proxyjacking, Ransomware, </b>and<b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
<img src="https://cdn.filestackcontent.com/moZXME5Rgiz0sf9dIA8m"/><br/>
<b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b>
</p>
<div class="trending-threats-article" id="trending-threats">
<h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2>
<h3 id="article-1"><a href="https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/" target="_blank">Chinese Entanglement | DLL Hijacking in the Asian Gambling Sector</a></h3>
<p>(published: August 17, 2023)</p>
<p>
SentinelLabs researchers have identified China-based operations directed at the gambling sector in the Philippines and other Southeast Asian countries. The activity likely includes the previously described Operation ChattyGoblin and is attributed with medium confidence to BRONZE STARLIGHT, a group active since 2021 that deploys a variety of ransomware families while masking its underlying cyberespionage activity. The attack chain starts with trojanized executables, in at least some cases delivered through the supply-chain compromise of the Comm100 Live Chat application. The newer variant is signed with a likely stolen code signing certificate issued to PMG PTE LTD, a Singapore-based vendor of Ivacy VPN services. A .NET downloader variant based on SharpUnhooker retrieves ZIP archives from an Alibaba Cloud storage bucket. These contain legitimate Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables that are vulnerable to DLL hijacking and are used to sideload HUI Loader, which in turn deploys Cobalt Strike beacons.<br/>
<b>Analyst Comment:</b> Because of the interconnected relationships among Chinese APT groups, this activity also shares similarities with the related China-based groups APT10 and TA410. An earlier summary of this activity was <a href="https://ui.threatstream.com/tip/8826099" target="_blank">available</a> to ThreatStream users via the <a href="https://ui.threatstream.com/threatmodels?feed_id=7552,7553,7554,7884" target="_blank">AutoLens+ service</a>. All known network indicators associated with this gambling-sector targeting are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10061" target="_blank">[MITRE ATT&CK] T1588.003 - Obtain Capabilities: Code Signing Certificates</a> | <a href="https://ui.threatstream.com/attackpattern/10107" target="_blank">[MITRE ATT&CK] T1608.001 - Stage Capabilities: Upload Malware</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a><br/>
<b>Tags:</b> malware:HUI Loader, malware:Cobalt Strike, malware:SharpUnhooker, actor:BRONZE STARLIGHT, operation:ChattyGoblin, source-country:CN, technique:DLL Hijacking, target-region:Asia, target-country:PH, target-industry:Gambling, target-software:Adobe Creative Cloud, target-software:Microsoft Edge, target-software:McAfee VirusScan, impersonated:Ivacy VPN, lang:.NET, open-port:8443, file-type:DLL, file-type:EXE, file-type:ZIP, target-system:Windows
</p>
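<p>A defender-side check for the side-loading step described above, added here as an example and not code from SentinelLabs or from the Anomali platform. It runs over constructed Sysmon Event ID 7 (image load) records and flags an unsigned, or invalidly signed, DLL loaded from the same directory as its host executable when that directory lies outside the usual trusted roots. The executable names in KNOWN_ABUSED_HOSTS and every path in the sample records are assumptions made for illustration.</p>

```python
import ntpath

# Directories where a vendor-signed EXE normally lives. A side-loading chain
# copies the EXE somewhere user-writable instead, so loads from these roots
# are left out of scope here.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Binaries of the products the report names as side-loading hosts. The exact
# file names are an assumption for this example; fill this from the report.
KNOWN_ABUSED_HOSTS = {"creative cloud.exe", "msedge.exe"}

# Constructed Sysmon Event ID 7 (ImageLoaded) records, reduced to the fields
# the check uses. They are illustrative, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # benign: vendor EXE in Program Files loads a validly signed DLL
        "Image": r"C:\Program Files\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe",
        "ImageLoaded": r"C:\Program Files\Adobe\Adobe Creative Cloud\ACC\CRClient.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # suspicious: same EXE copied to a temp folder loads an unsigned DLL beside it
        "Image": r"C:\Users\victim\AppData\Local\Temp\acc\Creative Cloud.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\acc\CRClient.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # suspicious: Edge launched from Downloads loads an unsigned VERSION.dll next to it
        "Image": r"C:\Users\victim\Downloads\edge\msedge.exe",
        "ImageLoaded": r"C:\Users\victim\Downloads\edge\VERSION.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # benign: the same EXE loads a signed system DLL from System32
        "Image": r"C:\Users\victim\Downloads\edge\msedge.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # medium: unknown tool in a temp folder loads an unsigned DLL beside it
        "Image": r"C:\Users\victim\AppData\Local\Temp\tool\updater.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\tool\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]


def side_load_findings(events):
    """Return (severity, exe_name, dll_name, directory) for each image load that
    looks like DLL side-loading: a DLL without a valid signature loaded from
    the same directory as its host EXE, with that directory outside the
    trusted roots."""
    findings = []
    for ev in events:
        exe_dir, exe_name = ntpath.split(ev["Image"])
        dll_dir, dll_name = ntpath.split(ev["ImageLoaded"])
        if not dll_name.lower().endswith(".dll"):
            continue
        if ntpath.normcase(exe_dir) != ntpath.normcase(dll_dir):
            continue                       # not co-located: not side-loading
        signed_ok = (ev.get("Signed", "false").lower() == "true"
                     and ev.get("SignatureStatus") == "Valid")
        if signed_ok:
            continue                       # a validly signed DLL next to its EXE is normal
        if ntpath.normcase(exe_dir + "\\").startswith(TRUSTED_ROOTS):
            continue                       # EXE still in its install location
        severity = "high" if exe_name.lower() in KNOWN_ABUSED_HOSTS else "medium"
        findings.append((severity, exe_name, dll_name, exe_dir))
    return findings


if __name__ == "__main__":
    for hit in side_load_findings(SAMPLE_EVENTS):
        print(hit)
```

On real telemetry the "medium" tier is noisy for installers that unpack into temp folders, so it is better used to enrich the process tree than to alert on its own; the "high" tier, a known vendor binary running from a user-writable path with an unsigned DLL beside it, is the shape this campaign produces.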
<h3 id="article-1"><a href="https://blogs.blackberry.com/en/2023/08/cuba-ransomware-deploys-new-tools-targets-critical-infrastructure-sector-in-the-usa-and-it-integrator-in-latin-america" target="_blank">Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America</a></h3>
<p>(published: August 17, 2023)</p>
<p>
In June 2023, the Russia-based Cuba ransomware group targeted a critical infrastructure company in the US and a systems integrator in Latin America. Cuba uses a broad spectrum of tools: exploits, living-off-the-land binaries, red-team and commodity tools, and custom malware. This campaign began with a valid administrator-level login over Remote Desktop Protocol. The attackers then downloaded additional tools, probed the environment, moved laterally, and established command-and-control and exfiltration channels. For the first time in a Cuba campaign, the group obtained credentials using an exploit for the Veeam Backup &amp; Replication vulnerability CVE-2023-27532. The group’s BURNTCIGAR process killer now hides the list of antivirus and other processes it intends to terminate by storing CRC-64/ECMA-182 hashes of their names instead of the plaintext strings. <br/>
<b>Analyst Comment:</b> Network defenders should keep systems updated and set up dedicated administrator accounts (separate from users’ everyday accounts and used only for administrative activity), protected by multi-factor authentication and by segmented, least-privilege, monitored access. Some organizations may also wish to restrict these accounts to specific, separate endpoints as an added precaution. A defense-in-depth approach is needed to stop sophisticated threats that evolve and use a variety of defense evasion techniques. Proper segmentation and robust backups lower the possible impact of a ransomware attack. Host-based indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10098" target="_blank">[MITRE ATT&CK] T1133 - External Remote Services</a> | <a href="https://ui.threatstream.com/attackpattern/10003" target="_blank">[MITRE ATT&CK] T1078.003 - Valid Accounts: Local Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/3707" target="_blank">[MITRE ATT&CK] T1106: Native API</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10029" target="_blank">[MITRE ATT&CK] T1059.003 - Command and Scripting Interpreter: Windows Command Shell</a> | <a href="https://ui.threatstream.com/attackpattern/3718" target="_blank">[MITRE ATT&CK] T1569.002: Service Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9939" target="_blank">[MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32</a> | <a href="https://ui.threatstream.com/attackpattern/9762" target="_blank">[MITRE ATT&CK] T1211 - Exploitation For Defense Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/3706" target="_blank">[MITRE ATT&CK] T1548.002: Bypass User Access Control</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9860" target="_blank">[MITRE ATT&CK] T1543.003 - Create or Modify System Process: Windows Service</a> | <a 
href="https://ui.threatstream.com/attackpattern/10093" target="_blank">[MITRE ATT&CK] T1068 - Exploitation For Privilege Escalation</a> | <a href="https://ui.threatstream.com/attackpattern/10100" target="_blank">[MITRE ATT&CK] T1124 - System Time Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9930" target="_blank">[MITRE ATT&CK] T1135 - Network Share Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/10019" target="_blank">[MITRE ATT&CK] T1018 - Remote System Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/23209" target="_blank">[MITRE ATT&CK] Discovery - File and Directory Discovery [T1083]</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9984" target="_blank">[MITRE ATT&CK] T1016.001 - System Network Configuration Discovery: Internet Connection Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9648" target="_blank">[MITRE ATT&CK] T1570 - Lateral Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9688" target="_blank">[MITRE ATT&CK] T1212 - Exploitation For Credential Access</a> | <a href="https://ui.threatstream.com/attackpattern/9812" target="_blank">[MITRE ATT&CK] T1219 - Remote Access Software</a> | <a href="https://ui.threatstream.com/attackpattern/9893" target="_blank">[MITRE ATT&CK] T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9891" target="_blank">[MITRE ATT&CK] T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a><br/>
<b>Tags:</b> actor:Cuba Ransomware, malware:BUGHATCH, malware-type:Downloader, malware:Metasploit, malware:Cobalt Strike, malware:Wedgecut, malware-type:Reconnaissance, malware:BURNTCIGAR, malware-type:Process killer, source-country:RU, target-country:US, target-region:Latin America, target-industry:IT integration, target-sector:Critical infrastructure, vulnerability:CVE-2023-27532, target-software:Veeam, vulnerability:CVE-2020-1472, target-software:NetLogon, vulnerability:ZeroLogon, open-port:5050, open-port:443, technique:PowerShell, technique:LOLBins, technique:BYOVD, abused:TOR, file-type:EXE, file-type:DLL, target-system:Windows
</p>
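<p>The CRC-64/ECMA-182 hashing that BURNTCIGAR now applies to its process kill list can be turned back on itself: hash a wordlist of security-product process names and look up the hashes carved from a sample. The Python below is an added example, not code from BlackBerry or from the malware. The candidate process names, the lower-case normalization, and the sample hashed list are all assumptions made for illustration, since the page does not give the real list or state how names are normalized before hashing.</p>

```python
# CRC-64/ECMA-182: polynomial 0x42F0E1EBA9EA3693, zero init, no input or
# output reflection, no final XOR. Check value for b"123456789" is
# 0x6C40DF5F0B497347, which the test below uses to confirm the parameters.
POLY = 0x42F0E1EBA9EA3693
MASK = (1 << 64) - 1


def crc64_ecma182(data: bytes) -> int:
    """Bitwise, MSB-first CRC-64/ECMA-182 over the given bytes."""
    crc = 0
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            if crc & (1 << 63):
                crc = ((crc << 1) ^ POLY) & MASK
            else:
                crc = (crc << 1) & MASK
    return crc


# Constructed candidate list of security-product process names. The real
# BURNTCIGAR target list is not on the page; these are generic examples.
CANDIDATE_PROCESSES = [
    "MsMpEng.exe", "MsSense.exe", "SentinelAgent.exe", "CSFalconService.exe",
    "cb.exe", "bdagent.exe", "ekrn.exe", "avp.exe", "mcshield.exe", "WRSA.exe",
]


def normalize(name: str) -> str:
    # Assumption for this example: names are hashed in lower case. The page
    # does not state BURNTCIGAR's normalization, so an analyst would try
    # variants (original case, upper case, without the extension).
    return name.lower()


def resolve_hashed_list(hashes, candidates):
    """Map each 64-bit hash back to a candidate name, or None if unresolved."""
    table = {crc64_ecma182(normalize(n).encode()): n for n in candidates}
    return {h: table.get(h) for h in hashes}


# Constructed stand-in for a hashed kill list as it would be carved from a
# sample: generated here from three known names plus one unknown value.
SAMPLE_KILL_LIST = [
    crc64_ecma182(b"msmpeng.exe"),
    crc64_ecma182(b"sentinelagent.exe"),
    crc64_ecma182(b"csfalconservice.exe"),
    0x1234567890ABCDEF,   # not in the candidate list: stays unresolved
]

if __name__ == "__main__":
    for h, name in resolve_hashed_list(SAMPLE_KILL_LIST, CANDIDATE_PROCESSES).items():
        print(f"{h:016x}  {name or '<unresolved>'}")
```

Confirming the check value first matters: CRC-64 has several common parameter sets (ECMA-182, XZ, ISO), and a table built with the wrong one resolves nothing. If a list still resolves poorly, vary the normalization rather than the algorithm; the unresolved hashes that remain are candidates for processes the analyst's wordlist does not yet know.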
<h3 id="article-1"><a href="https://sysdig.com/blog/labrat-cryptojacking-proxyjacking-campaign/" target="_blank">LABRAT: Stealthy Cryptojacking and Proxyjacking Campaign Targeting GitLab </a></h3>
<p>(published: August 17, 2023)</p>
<p>
Active since at least September 2022, the financially motivated operation dubbed LABRAT generates income through cryptomining and Russian-affiliated proxyjacking scripts. Sysdig researchers showed that LABRAT differs from other resource hijacking attacks in its emphasis on multi-layered stealth and defense evasion. Initial access came from exploiting the GitLab vulnerability CVE-2021-22205. The attackers abused TryCloudflare and Apache Solr to obfuscate their C2 network. They installed the Global Socket (GSocket) tool and hid its process; GSocket conceals the traffic because it provides encrypted communication, can route over TOR, and bypasses IP-layer firewall restrictions with its own relay layer. The proxyjacking DLL was obfuscated with control flow flattening (replacing the original conditional blocks with a single flat dispatcher) and used anti-debugging and dynamic string resolution. Finally, the LABRAT actors used a kernel-based rootkit to hide the XMRig mining process. At least one of the proxyjacking DLLs is built on .NET Core libraries and can run on Linux, Windows, and macOS.<br/>
<b>Analyst Comment:</b> Cryptomining and proxyjacking should not be overlooked: they can cause significant financial damage, consume bandwidth, and damage reputation if the compromised system is used for illicit activity. Indicators associated with the LABRAT campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10012" target="_blank">[MITRE ATT&CK] T1190 - Exploit Public-Facing Application</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/10023" target="_blank">[MITRE ATT&CK] T1496 - Resource Hijacking</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/3709" target="_blank">[MITRE ATT&CK] T1562: Impair Defenses</a> | <a href="https://ui.threatstream.com/attackpattern/9655" target="_blank">[MITRE ATT&CK] T1053.003 - Scheduled Task/Job: Cron</a> | <a href="https://ui.threatstream.com/attackpattern/9656" target="_blank">[MITRE ATT&CK] T1021.004 - Remote Services: Ssh</a> | <a href="https://ui.threatstream.com/attackpattern/9893" target="_blank">[MITRE ATT&CK] T1090.003 - Proxy: Multi-Hop Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9716" target="_blank">[MITRE ATT&CK] T1573 - Encrypted Channel</a> | <a href="https://ui.threatstream.com/attackpattern/9970" target="_blank">[MITRE ATT&CK] T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/12893" target="_blank">[MITRE ATT&CK] T1622 - Debugger Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/10101" target="_blank">[MITRE 
ATT&CK] T1036.004 - Masquerading: Masquerade Task Or Service</a><br/>
<b>Tags:</b> campaign:LABRAT, malware-type:Dropper, malware:GSocket, malware-type:Backdoor, technique:Cryptojacking, malware-type:Cryptomining, malware:xmrig, technique:Proxyjacking, technique:Control Flow Flattening, abused:GitLab, lang:Go, lang:.NET, lang:GoLang, vulnerability:CVE-2021-22205, target-software:GitLab, vulnerability:CVE-2021-4034, vulnerability:pwnkit, exploit-type:Local privilege escalation, abused:TryCloudFlare, file-type:DLL, file-type:JSON, file-type:ZIP, file-type:TAR.GZ, actor:IPRoyal, actor:ProxyLite-ru, target-system:Linux, target-system:macOS, target-system:Windows
</p>
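<p>To show what the control flow flattening mentioned above does to a function, here is an added example in Python; it is not code from the LABRAT binaries or from Sysdig. The same port classification is written plainly and then flattened into a single dispatcher loop with opaque numeric state labels, which is the shape a decompiler presents to an analyst: one loop and a switch, with the original decision tree recoverable only by tracing how each block rewrites the state variable.</p>

```python
def classify_port_plain(port: int) -> str:
    """Straight-line version with an ordinary decision tree."""
    if port < 0 or port > 65535:
        return "invalid"
    if port < 1024:
        return "well-known"
    if port < 49152:
        return "registered"
    return "dynamic"


# Opaque block labels; a real obfuscator picks random constants and often
# derives the next label arithmetically rather than assigning it directly.
_ENTRY, _CHECK_LOW, _CHECK_REG = 0x3F1A, 0x07C2, 0x5E9D
_RET_INVALID, _RET_WELL, _RET_REG, _RET_DYN, _EXIT = 0x2B40, 0x6D11, 0x19F7, 0x4C58, 0x0000


def classify_port_flattened(port: int) -> str:
    """Same function after control flow flattening: every basic block is one
    case of a dispatcher loop, its successor is chosen by writing `state`, and
    the cases are deliberately out of order, so the static CFG is a single loop
    instead of the nested branches above."""
    state = _ENTRY
    result = None
    while state != _EXIT:
        if state == _RET_REG:
            result, state = "registered", _EXIT
        elif state == _ENTRY:
            state = _RET_INVALID if (port < 0 or port > 65535) else _CHECK_LOW
        elif state == _RET_DYN:
            result, state = "dynamic", _EXIT
        elif state == _CHECK_LOW:
            state = _RET_WELL if port < 1024 else _CHECK_REG
        elif state == _RET_INVALID:
            result, state = "invalid", _EXIT
        elif state == _CHECK_REG:
            state = _RET_REG if port < 49152 else _RET_DYN
        elif state == _RET_WELL:
            result, state = "well-known", _EXIT
    return result


if __name__ == "__main__":
    for p in (-1, 22, 8080, 50000, 70000):
        print(p, classify_port_plain(p), classify_port_flattened(p))
```

Flattening preserves behaviour exactly, which is why dynamic analysis (running the code and logging state transitions) recovers the original structure far faster than static reading; the anti-debugging the report mentions exists precisely to make that dynamic route harder.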
<h3 id="article-1"><a href="https://www.welivesecurity.com/en/eset-research/mass-spreading-campaign-targeting-zimbra-users/" target="_blank">Mass-Spreading Campaign Targeting Zimbra Users</a></h3>
<p>(published: August 17, 2023)</p>
<p>
ESET researchers have discovered a phishing campaign targeting users of the Zimbra Collaboration email server. The campaign, active since at least April 2023, aims to collect the credentials of Zimbra account users. The targets are primarily small and medium businesses and governmental entities. Phishing emails targeting at least a dozen countries are drafted in the respective languages, with the highest number of targets located in Poland, followed by Ecuador and Italy. The attackers send a phishing email with an attached HTML file that opens locally as a fake Zimbra login page, prefilled with the user’s login name and carrying the organization’s branding. The submitted credentials are collected and sent to a server controlled by the adversary. <br/>
<b>Analyst Comment:</b> The campaign relies on social engineering, user interaction, and challenges in detecting phishing HTML files. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10046" target="_blank">[MITRE ATT&CK] T1586.002 - Compromise Accounts: Email Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10059" target="_blank">[MITRE ATT&CK] T1585.002 - Establish Accounts: Email Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/9642" target="_blank">[MITRE ATT&CK] T1136 - Create Account</a> | <a href="https://ui.threatstream.com/attackpattern/9675" target="_blank">[MITRE ATT&CK] T1056.003 - Input Capture: Web Portal Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9744" target="_blank">[MITRE ATT&CK] T1048.002 - Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol</a><br/>
<b>Tags:</b> impersonated:Zimbra, target-identity:Zimbra user, target-country:PL, target-country:EC, target-country:IT, file-type:HTML, technique:Credential phishing
</p>
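<p>One way to triage an HTML attachment of the kind described, added here as an example rather than code from ESET: parse every form in the file, and flag a password form whose action posts outside the recipient's own domain, noting a prefilled address as the lure's personalization. The sample attachment, the recipient domain example.org, and the collector host are constructed placeholders, not indicators from the campaign.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML attachment shaped like the one described: branded login
# form, username prefilled, posting to a host the attacker controls. Domains
# are placeholders (example.org is the recipient's; collector.invalid cannot resolve).
SAMPLE_ATTACHMENT = """
<html><body>
<img src="https://mail.example.org/logo.png" alt="Example Org Webmail">
<form method="post" action="https://collector.invalid/zimbra/login.php">
  <input type="text" name="username" value="jane.doe@example.org">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
</body></html>
"""

# Constructed benign counterpart: the form posts back to the organization's server.
BENIGN_ATTACHMENT = """
<form method="post" action="https://mail.example.org/zimbra/">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""


class _FormScanner(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}     # value-less attributes arrive as None
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "method": a.get("method", "get").lower(), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append({"type": a.get("type", "text").lower(),
                                            "name": a.get("name", ""),
                                            "value": a.get("value", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_html_attachment(html_text: str, recipient_domain: str):
    """Flag password forms whose credentials would leave the recipient's domain,
    and note a prefilled address, which is how the lure is personalized."""
    scanner = _FormScanner()
    scanner.feed(html_text)
    findings = []
    for form in scanner.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        host = (urlsplit(form["action"]).hostname or "").lower()
        reasons = []
        if not host:
            reasons.append("password form with no absolute action in a standalone file")
        elif host != recipient_domain and not host.endswith("." + recipient_domain):
            reasons.append(f"credentials submitted to third-party host {host}")
        prefilled = [i["value"] for i in form["inputs"]
                     if i["type"] in ("text", "email") and "@" in i["value"]]
        if prefilled:
            reasons.append(f"username prefilled with {prefilled[0]}")
        if reasons:
            findings.append({"action": form["action"], "method": form["method"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_ATTACHMENT, "example.org"))
    print(triage_html_attachment(BENIGN_ATTACHMENT, "example.org"))
```

Real lures often build the form or its action with JavaScript rather than static HTML, so a static parse like this is a first pass; attachments that contain a password field but no parseable form action deserve a look in a sandboxed browser rather than a clean verdict.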
<h3 id="article-1"><a href="https://www.zimperium.com/blog/over-3000-android-malware-samples-using-multiple-techniques-to-bypass-detection/" target="_blank">Over 3,000 Android Malware Samples Using Multiple Techniques to Bypass Detection</a></h3>
<p>(published: August 16, 2023)</p>
<p>
Zimperium researchers have analyzed four techniques that hinder decompiling or unpacking an Android application package (APK). The first declares an unsupported compression method in the ZIP headers, which stops most decompression and decompilation tools from parsing the APK even though Android versions above 9 (Pie) still install it. The others are filenames longer than 256 bytes, a malformed AndroidManifest.xml file, and a malformed string pool. Searching public application repositories for the unsupported compression method returned 3,300 samples, 71 of which were malicious and still loaded correctly on Android. These applications are not available on Google Play and are likely distributed through third-party stores and social engineering.<br/>
<b>Analyst Comment:</b> Researchers should be aware that some decompressors are affected by these evasion methods, either failing to unzip the APK or silently skipping files needed for analysis such as AndroidManifest.xml. Host-based indicators associated with malicious Android applications that use an unsupported compression method are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>Tags:</b> technique:Debugger evasion, technique:Unsupported compression method, technique:Long filename, technique:Malformed AndroidManifest, technique:Malformed string pool, file-type:APK, target-system:Android
</p>
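<p>An added example of a triage script that survives the APK tricks above, not code from Zimperium: it reads only the ZIP central directory and the manifest header, reporting compression methods Android does not support (anything but STORED and DEFLATE), filenames over 256 bytes, and an AndroidManifest.xml that is missing, unreadable, or does not begin with a well-formed binary XML chunk header. The sample archives are constructed in the script itself; the 0x0011 method value and the header-patching helper are assumptions used only to build them, and the string pool check from the post is not implemented here.</p>

```python
import io
import struct
import zipfile

# Android's installer understands only STORED (0) and DEFLATE (8).
ANDROID_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
MAX_NAME_BYTES = 256          # the threshold the post uses for overlong names
AXML_HEADER = (0x0003, 8)     # binary XML: chunk type RES_XML_TYPE, header size 8


def triage_apk(apk_bytes: bytes) -> dict:
    """Report the evasion tricks named in the post without extracting the
    whole archive, so an unsupported method in one entry cannot abort the
    analysis the way it does for tools that unzip everything first."""
    findings = {}
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        return {"unreadable_archive": str(exc)}
    with zf:
        entries = zf.infolist()
        odd_methods = sorted({e.compress_type for e in entries
                              if e.compress_type not in ANDROID_METHODS})
        if odd_methods:
            findings["unsupported_compression"] = odd_methods
        overlong = [e.filename for e in entries
                    if len(e.filename.encode("utf-8")) > MAX_NAME_BYTES]
        if overlong:
            findings["overlong_filenames"] = len(overlong)
        if "AndroidManifest.xml" not in zf.namelist():
            findings["manifest"] = "missing"
        else:
            try:
                raw = zf.read("AndroidManifest.xml")
            except (NotImplementedError, zipfile.BadZipFile, RuntimeError) as exc:
                findings["manifest"] = f"not extractable ({exc})"
            else:
                if len(raw) < 8 or struct.unpack_from("<HH", raw) != AXML_HEADER:
                    findings["manifest"] = "not Android binary XML"
                elif struct.unpack_from("<I", raw, 4)[0] != len(raw):
                    findings["manifest"] = "declared chunk size does not match file size"
    return findings


def _patch_method(zip_bytes: bytes, method: int) -> bytes:
    """Overwrite the compression-method field in every local file header
    (offset 8) and central directory entry (offset 10). Used only to build
    the sample below; not a claim about how the samples in the wild were made."""
    buf = bytearray(zip_bytes)
    for signature, offset in ((b"PK\x03\x04", 8), (b"PK\x01\x02", 10)):
        pos = buf.find(signature)
        while pos != -1:
            struct.pack_into("<H", buf, pos + offset, method)
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def build_sample_apk(unsupported_method=False, long_name=False, bad_manifest=False) -> bytes:
    """Constructed APK-shaped ZIP (not a real app, not a sample from the post)
    with the requested evasion tricks switched on."""
    declared = 0xFFFFFFFF if bad_manifest else 36
    manifest = struct.pack("<HHI", *AXML_HEADER, declared) + b"\x00" * 28   # 36 bytes
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        if long_name:
            zf.writestr("res/raw/" + "a" * 300 + ".bin", b"\x00")
    data = out.getvalue()
    return _patch_method(data, 0x0011) if unsupported_method else data


if __name__ == "__main__":
    print("clean:  ", triage_apk(build_sample_apk()))
    print("evasive:", triage_apk(build_sample_apk(True, True, True)))
```

Python's zipfile lists entries with any method value and only fails on extraction, which is exactly the property the triage relies on; a tool that refuses the archive outright at open time, or that silently drops the manifest, is the failure mode the Analyst Comment warns about. Entries stored with an unsupported method can still be carved by hand, since Android treats the data as uncompressed for the samples that install.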
</div>
</p></div>