<div id="weekly">
<p id="intro">
<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> Account takeover, APT, Infostealers, Phishing, Russia, Spyware, </b>and<b> Vietnam</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
<img src="https://cdn.filestackcontent.com/IqCrJwSITwmzrQ9utQwl"/><br/>
<b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b>
</p>
<div class="trending-threats-article" id="trending-threats">
<h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2>
<h3 id="article-1"><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/" target="_blank">New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3</a></h3>
<p>(published: August 3, 2023)</p>
<p>
Rilide Stealer is an infostealer that operates as a browser extension for Chromium-based browsers (Brave, Google Chrome, Microsoft Edge, and Opera). Trustwave researchers found Rilide versions for sale from at least January 2023, followed by major source code leaks and the development of new versions. Google's Chrome Extension Manifest V3 was introduced to limit an extension's ability to load remote JavaScript code and execute arbitrary strings, but the newest Rilide version works around it by combining a few publicly disclosed techniques to inject a remotely hosted script. The malware was also upgraded with a more sophisticated modular design, code obfuscation, exfiltration of stolen data via the Telegram messenger, and interval-based screenshots. Rilide has been observed in use by different actors in various campaigns, including ones targeting corporate users, users of play-to-earn games on Twitter, and the banking data of users in Australia and the UK. Depending on the campaign, the infection chains involved PowerPoint phishing lures and a fake Palo Alto GlobalProtect plugin, a PowerShell loader, and a Rilide loader distributed via Twitter or malvertising.<br/>
<b>Analyst Comment:</b> For security researchers, Rilide permhash values (a hash computed over the permissions an extension declares in its manifest) are a useful tool to identify additional samples from the same Rilide campaign or version, since the permission set tends to survive re-obfuscation of the JavaScript. Users should install only the extensions they actually need, use the official store, and check the extension description and reviews. Be especially careful when prompted to install something via private messaging or social media. Indicators associated with the latest Rilide version are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9612" target="_blank">[MITRE ATT&CK] T1204 - User Execution</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/10114" target="_blank">[MITRE ATT&CK] T1176 - Browser Extensions</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/10031" target="_blank">[MITRE ATT&CK] T1539 - Steal Web Session Cookie</a> | <a href="https://ui.threatstream.com/attackpattern/9703" target="_blank">[MITRE ATT&CK] T1217 - Browser Bookmark Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9628" target="_blank">[MITRE ATT&CK] T1090 - Proxy</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&CK] T1489 - Service Stop</a><br/>
<b>Tags:</b> malware:Rilide Stealer, malware-type:Infostealer, malware:Rilide Loader, malware-type:Loader, malware:AngelDrainer, target-country:Australia, target-country:UK, file-type:APK, file-type:EXE, file-type:BIN, file-type:LNK, file-type:PS1, file-type:ZIP, impersonated:GlobalProtect, target-system:Windows, target-software:Microsoft Edge, target-software:Brave, target-software:Opera, target-software:Google Chrome
</p>
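<p>As an added example (not Trustwave's, Anomali's, or the permhash project's own code), the following Python script computes a permission hash over Chromium extension manifests and clusters samples by it, the kind of pivot the permhash comment above refers to. The canonicalization used here (the <code>permissions</code> and <code>host_permissions</code> arrays concatenated in manifest order before SHA-256) and the three sample manifests are assumptions constructed for this example; values produced by the reference permhash tool may differ, so do not compare the two.</p>

```python
"""Permission-hash clustering for Chromium extension manifests.

Added example, not Trustwave's or Anomali's code. It implements the general
permhash idea (a SHA-256 over the permissions an extension declares) so that
builds of the same stealer family that share a permission set hash the same
even when their JavaScript is renamed or re-obfuscated. The canonicalisation
(permissions + host_permissions, in manifest order) is an assumption; the
reference permhash tool may differ in detail.
"""
import hashlib
import json
from collections import defaultdict


def extract_permissions(manifest: dict) -> list[str]:
    """Collect declared permissions from a parsed manifest.json.

    Manifest V3 moved host patterns into 'host_permissions'; Manifest V2
    keeps them inside 'permissions'. Both keys are read so V2 and V3
    builds of one family can be compared.
    """
    perms = []
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            # Entries are normally strings; tolerate dict entries by
            # serialising them deterministically.
            perms.append(entry if isinstance(entry, str)
                         else json.dumps(entry, sort_keys=True))
    return perms


def permhash(manifest_json: str) -> str:
    """Return the SHA-256 hex digest of the concatenated declared permissions."""
    manifest = json.loads(manifest_json)
    return hashlib.sha256("".join(extract_permissions(manifest)).encode()).hexdigest()


def cluster_by_permhash(samples: dict[str, str]) -> dict[str, list[str]]:
    """Group sample names by permhash so related builds surface together."""
    clusters = defaultdict(list)
    for name, manifest_json in samples.items():
        clusters[permhash(manifest_json)].append(name)
    return dict(clusters)


# Constructed sample manifests (not real Rilide artefacts). Samples A and B
# share a permission set but differ in name, version and script names;
# sample C adds the 'cookies' permission, which changes the hash.
SAMPLE_MANIFESTS = {
    "sample_a": json.dumps({
        "manifest_version": 3, "name": "GlobalProtect Helper", "version": "1.0",
        "permissions": ["tabs", "scripting", "storage", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    }),
    "sample_b": json.dumps({
        "manifest_version": 3, "name": "Secure Browser Helper", "version": "2.3",
        "permissions": ["tabs", "scripting", "storage", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "worker.js"},
    }),
    "sample_c": json.dumps({
        "manifest_version": 3, "name": "Secure Browser Helper", "version": "2.4",
        "permissions": ["tabs", "scripting", "storage", "webRequest", "cookies"],
        "host_permissions": ["<all_urls>"],
    }),
}

if __name__ == "__main__":
    for digest, names in cluster_by_permhash(SAMPLE_MANIFESTS).items():
        print(digest, names)
```

<p>Because the hash covers only declared permissions, it is a clustering aid rather than a family signature: two unrelated extensions with an identical permission list collide, and an attacker can shift the hash by adding one harmless permission. Treat a permhash match as a reason to look closer, not as attribution.</p>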
<h3 id="article-2"><a href="https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/" target="_blank">Midnight Blizzard Conducts Targeted Social Engineering over Microsoft Teams</a></h3>
<p>(published: August 2, 2023)</p>
<p>
Since at least late May 2023, the Russia-sponsored group Cozy Bear (APT29, Midnight Blizzard) has been conducting a new type of highly targeted credential attack that uses credential theft phishing lures sent via Microsoft Teams chats. The threat actor uses compromised Microsoft 365 tenants owned by small businesses to create new domains that appear to be technical support entities. These domains are then used to send lures that attempt to hijack access by prompting the targets to enter a code into the Microsoft Authenticator app on their mobile device. If the target complies, the actor gains access to the user's Microsoft 365 account, steals information from the compromised Microsoft 365 tenant, and in some cases attempts to expand access to resources by adding a device to the organization as a managed device via Microsoft Entra ID. Microsoft researchers have identified fewer than 40 targeted organizations, primarily in the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors. <br/>
<b>Analyst Comment:</b> Any authentication request not initiated by the user should be treated as malicious: an Authenticator code or approval prompt that the user did not trigger by signing in themselves must not be entered or approved, whoever asks for it over chat. Do not trust cloud links and subdomains if they could have been created or modified by threat actors. Defenders should review Teams external access settings and audit new device registrations in Microsoft Entra ID, since a device added shortly after an unexpected MFA prompt is a strong sign that the account has already been taken over.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/18599" target="_blank">[MITRE ATT&CK] T1585.003 - Establish Accounts: Cloud Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/10064" target="_blank">[MITRE ATT&CK] T1598.001 - Phishing for Information: Spearphishing Service</a> | <a href="https://ui.threatstream.com/attackpattern/9959" target="_blank">[MITRE ATT&CK] T1530 - Data From Cloud Storage Object</a><br/>
<b>Tags:</b> actor:Cozy Bear, mitre-group:APT29, actor:Midnight Blizzard, source-country:Russia, source-identity:SVR, threat-type:Credential theft phishing, abused:Microsoft Teams, abused:Microsoft Entra ID, target-industry:Government, target-industry:Non-government organizations, target-industry:IT services, target-industry:Technology, target-industry:Manufacturing, target-industry:Media, target-software:Microsoft 365
</p>
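<p>The chain described above (a Teams lure from a support-themed tenant, an MFA-satisfied sign-in, then a device registration) is something a SOC can correlate. The following Python script is an added example, not Microsoft's or Anomali's detection content: it joins three constructed event streams per user and raises one alert when all three steps line up within a two-hour window. The event schema, the field names, the support-themed keyword list and the sample records are assumptions made for this example and are not the real Microsoft 365 audit log format.</p>

```python
"""Correlate Teams social-engineering lures with Entra ID account abuse.

Added example, not Microsoft's or Anomali's detection content. It joins three
constructed event streams around a single user: an external Teams chat
request from a support-themed tenant, a subsequent MFA-satisfied sign-in, and
a device registration in Entra ID. The event schema and field names are
assumptions for the example, not the real Microsoft 365 audit log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed keyword list: attacker-created tenants pose as technical support.
SUPPORT_THEMED = ("support", "helpdesk", "identity", "microsoft", "security")
WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str     # "teams_external_chat" | "sign_in" | "device_registered"
    user: str
    detail: str   # sender tenant domain, authentication detail, or device id


def looks_like_support_tenant(domain: str) -> bool:
    """Heuristic: does the sender's tenant label pose as an IT/support entity?"""
    label = domain.lower().split(".")[0]
    return any(word in label for word in SUPPORT_THEMED)


def correlate(events: list[Event]) -> list[dict]:
    """Return one alert per user where lure -> MFA sign-in -> device add line up.

    Each step must follow the previous one within WINDOW. A lure alone is
    noise, and a device registration alone is routine; the ordered triple is
    what distinguishes a successful Teams-driven takeover.
    """
    alerts = []
    by_user: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        lures = [e for e in evs if e.kind == "teams_external_chat"
                 and looks_like_support_tenant(e.detail)]
        for lure in lures:
            signins = [e for e in evs if e.kind == "sign_in"
                       and "mfa_satisfied" in e.detail
                       and lure.ts <= e.ts <= lure.ts + WINDOW]
            for si in signins:
                devices = [e for e in evs if e.kind == "device_registered"
                           and si.ts <= e.ts <= si.ts + WINDOW]
                if devices:
                    alerts.append({"user": user, "lure_tenant": lure.detail,
                                   "sign_in": si.ts.isoformat(),
                                   "device": devices[0].detail})
                    break
    return alerts


# Constructed sample events. alice: full chain (alert). bob: external chat
# from a non-support tenant, then legitimate device enrolment (no alert).
# carol: lure and MFA sign-in but no device registration (no alert).
T0 = datetime(2023, 6, 12, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "teams_external_chat", "alice@contoso.example", "helpdesk-identity.example"),
    Event(T0 + timedelta(minutes=7), "sign_in", "alice@contoso.example", "mfa_satisfied:authenticator_code"),
    Event(T0 + timedelta(minutes=25), "device_registered", "alice@contoso.example", "device-9f3c"),
    Event(T0 + timedelta(minutes=3), "teams_external_chat", "bob@contoso.example", "fabrikam-sales.example"),
    Event(T0 + timedelta(minutes=10), "sign_in", "bob@contoso.example", "mfa_satisfied:push"),
    Event(T0 + timedelta(minutes=40), "device_registered", "bob@contoso.example", "device-1a2b"),
    Event(T0 + timedelta(hours=1), "teams_external_chat", "carol@contoso.example", "it-support-desk.example"),
    Event(T0 + timedelta(hours=1, minutes=5), "sign_in", "carol@contoso.example", "mfa_satisfied:push"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

<p>In a real tenant the three inputs come from different sources (Teams activity in the unified audit log, Entra ID sign-in logs, and the Entra ID audit log for device registration), and timestamps and user principal names need normalizing before the join. The keyword heuristic will miss a tenant named after something other than support; the device-registration step is the higher-confidence signal and is worth alerting on by itself for sensitive accounts.</p>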
<h3 id="article-3"><a href="https://go.recordedfuture.com/hubfs/reports/cta-2023-0802.pdf" target="_blank">BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023</a></h3>
<p>(published: August 2, 2023)</p>
<p>
The Russia-sponsored group ColdRiver (Star Blizzard, BlueCharlie) has been active since 2017. Its targets are diverse, ranging from the government and defense sectors to NGOs, journalists, and think tanks. Recorded Future researchers have discovered a new cluster of phishing infrastructure (94 new domains) created since mid-December 2022. The largest shift in tactics is a move from the group's earlier trailing URL structures to a new hyphenated, random-word domain naming convention. The new naming themes, centered on information technology and cryptocurrency, do not help in identifying the victims. The exact targeting and attack details for this newly discovered infrastructure are unknown.<br/>
<b>Analyst Comment:</b> Network defenders should enhance phishing defenses, implement multi-factor authentication, use threat intelligence, and educate third-party vendors. Consider disabling all macros, particularly macros that load by default. All known network indicators associated with this ColdRiver campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/10062" target="_blank">[MITRE ATT&CK] T1598 - Phishing For Information</a> | <a href="https://ui.threatstream.com/attackpattern/10106" target="_blank">[MITRE ATT&CK] T1608 - Stage Capabilities</a> | <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&CK] T1583.001 - Acquire Infrastructure: Domains</a><br/>
<b>Tags:</b> actor:ColdRiver, actor:Star Blizzard, actor:BlueCharlie, source-country:Russia, abused:NameCheap, abused:Regway, abused:Porkbun, abused:ColoCrossing, abused:BlueVPS OU, abused:Hostwinds LLC, abused:Clouvider, abused:MIRhosting, technique:Phishing
</p>
<h3 id="article-4"><a href="https://unit42.paloaltonetworks.com/nodestealer-2-targets-facebook-business/" target="_blank">NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts</a></h3>
<p>(published: August 1, 2023)</p>
<p>
NodeStealer was first documented by Meta as a JavaScript-based infostealer that specifically targets Facebook business accounts. Palo Alto Networks Unit 42 researchers have discovered two new NodeStealer variants written in Python that additionally target the MetaMask cryptocurrency wallet and exfiltrate data over Telegram. These variants were likely distributed by a Vietnam-based actor starting around December 2022. Phishing posts on Facebook prompted users to follow a link to download, extract, and execute the NodeStealer payload. One variant had additional functionality to disable Microsoft Defender and download additional malware (BitRAT, hVNC RAT, ToggleDefender, and XWorm). The second variant gained additional anti-analysis functions, the ability to read emails, and the ability to take over the personal Facebook accounts connected to the business account.<br/>
<b>Analyst Comment:</b> Facebook business account owners should refrain from installing new software based on unsolicited social media posts and messages. Indicators associated with the NodeStealer campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/9614" target="_blank">[MITRE ATT&CK] T1204.001 - User Execution: Malicious Link</a> | <a href="https://ui.threatstream.com/attackpattern/9615" target="_blank">[MITRE ATT&CK] T1204.002 - User Execution: Malicious File</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/3713" target="_blank">[MITRE ATT&CK] T1562.001: Disable or Modify Tools</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/3706" target="_blank">[MITRE ATT&CK] T1548.002: Bypass User Access Control</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9668" target="_blank">[MITRE ATT&CK] T1114 - Email Collection</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&CK] T1497 - Virtualization/Sandbox Evasion</a><br/>
<b>Tags:</b> malware:NodeStealer 2.0, malware-type:Infostealer, source-country:Vietnam, malware:ToggleDefender, malware:BitRAT, malware:hVNC RAT, malware:XWorm, lang:Python, target-identity:Facebook Business Account, threat-type:Advertising fraud, abused:Facebook’s Graph API, abused:Nuitka, file-type:EXE, file-type:ZIP, target-software:Google Chrome, target-software:Microsoft Edge, target-software:Cốc Cốc, target-software:Brave, target-software:Firefox, abused:Telegram, technique:FodHelper UAC bypass, target-system:Windows
</p>
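<p>The FodHelper UAC bypass tagged above (T1548.002) depends on a registry key that detection engineering can watch directly: fodhelper.exe is an auto-elevating Windows binary that resolves the ms-settings protocol handler from <code>HKCU\Software\Classes\ms-settings\shell\open\command</code>, so a process that writes a <code>DelegateExecute</code> value and its own command there, then launches fodhelper.exe, gets that command run at high integrity. The following Python script is an added example, not Unit 42's or Anomali's detection content. It scans constructed Sysmon-style registry (Event ID 13) and process creation (Event ID 1) records for that pattern; the field names loosely follow Sysmon but are assumptions for this example, and the records are constructed.</p>

```python
"""Detect the fodhelper.exe ms-settings UAC bypass from registry telemetry.

Added example, not Unit 42's or Anomali's detection content. fodhelper.exe
(and computerdefaults.exe) read the ms-settings protocol handler from
HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command. A process that
creates the DelegateExecute value and sets the (Default) command under that
key, then starts one of those auto-elevating hosts, has its command run at
high integrity without a UAC prompt. The event records are constructed and
loosely modelled on Sysmon Event ID 13 / Event ID 1 fields (assumed schema).
"""
import re

MS_SETTINGS_KEY = re.compile(
    r"\\software\\classes\\ms-settings\\shell\\open\\command$", re.IGNORECASE)
AUTO_ELEVATE_HOSTS = ("fodhelper.exe", "computerdefaults.exe")


def registry_key_tampered(event: dict) -> bool:
    """True when a value is set under the per-user ms-settings command key.

    Sysmon records the value name as the last path element (for example
    '...\\command\\DelegateExecute' or '...\\command\\(Default)'), so it is
    stripped before matching the key. Only HKCU/HKU hives matter: the bypass
    works precisely because the user can write there without elevation.
    """
    target = event.get("TargetObject", "")
    if not (target.upper().startswith("HKU\\") or target.upper().startswith("HKCU\\")):
        return False
    key = target.rsplit("\\", 1)[0]
    return bool(MS_SETTINGS_KEY.search(key))


def detect_fodhelper_bypass(events: list[dict]) -> list[dict]:
    """Pair ms-settings key writes with a later auto-elevating host launch.

    A write alone is already suspicious (almost nothing legitimate creates
    this key under HKCU); a write followed by fodhelper.exe or
    computerdefaults.exe is the complete bypass chain. UtcTime values are
    fixed-width 'YYYY-MM-DD HH:MM:SS' strings, so string comparison orders them.
    """
    findings = []
    writes = [e for e in events if e["EventID"] == 13 and registry_key_tampered(e)]
    for write in writes:
        launches = [e for e in events if e["EventID"] == 1
                    and e["Image"].lower().endswith(AUTO_ELEVATE_HOSTS)
                    and e["UtcTime"] >= write["UtcTime"]]
        findings.append({
            "process": write["Image"],
            "value": write["TargetObject"].rsplit("\\", 1)[1],
            "payload": write.get("Details", ""),
            "elevated_host_launched": bool(launches),
        })
    return findings


# Constructed sample telemetry (not real NodeStealer artefacts): a loader in
# %TEMP% stages the key, then spawns fodhelper.exe; an unrelated explorer.exe
# registry write is included to show it is ignored.
STAGER = "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"
HIVE = "HKU\\S-1-5-21-1-2-3-1001\\Software\\Classes"
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2023-07-20 10:14:02", "Image": STAGER,
     "TargetObject": HIVE + "\\ms-settings\\shell\\open\\command\\DelegateExecute",
     "Details": ""},
    {"EventID": 13, "UtcTime": "2023-07-20 10:14:02", "Image": STAGER,
     "TargetObject": HIVE + "\\ms-settings\\shell\\open\\command\\(Default)",
     "Details": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"},
    {"EventID": 1, "UtcTime": "2023-07-20 10:14:03",
     "Image": "C:\\Windows\\System32\\fodhelper.exe", "ParentImage": STAGER},
    {"EventID": 13, "UtcTime": "2023-07-20 10:20:00", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": HIVE + "\\Local Settings\\MuiCache\\foo", "Details": "bar"},
]

if __name__ == "__main__":
    for finding in detect_fodhelper_bypass(SAMPLE_EVENTS):
        print(finding)
```

<p>The same key is read by computerdefaults.exe, which is why both hosts are listed; a loader may also delete the key right after use, so the registry write, not the key's later presence, is the durable signal. Pair this with an alert on any non-Windows parent spawning an auto-elevating binary.</p>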
<h3 id="article-5"><a href="https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions" target="_blank">SpyNote Continues to Attack Financial Institutions</a></h3>
<p>(published: July 31, 2023)</p>
<p>
SpyNote is a rare case of spyware being used to perform bank fraud. Cleafy researchers have been detecting these Android spyware infections since September 2022 and saw an increasing number of cases in May-July 2023. The latest activity targeted European customers of various banks with smishing and, in some cases, email phishing lures. The spyware abuses Android permissions and Accessibility services to collect user data, record audio and the screen, log keystrokes, bypass two-factor authentication, and track GPS location. These remote access trojan capabilities, combined with additional social engineering (vishing), are aimed at account takeover (ATO) attacks and on-device fraud.<br/>
<b>Analyst Comment:</b> Smartphone users should be extremely cautious when prompted to install additional applications and grant them extra permissions, especially Accessibility service access, which a banking app never needs and which is what lets the spyware read the screen and act on the user's behalf. Indicators associated with this SpyNote campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/>
<b>MITRE ATT&CK: </b> <a href="https://ui.threatstream.com/attackpattern/17807" target="_blank">[MITRE ATT&CK] T1406 - Obfuscated Files Or Information</a> | <a href="https://ui.threatstream.com/attackpattern/18653" target="_blank">[MITRE ATT&CK] T1417.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/17816" target="_blank">[MITRE ATT&CK] T1532 - Data Encrypted</a> | <a href="https://ui.threatstream.com/attackpattern/17836" target="_blank">[MITRE ATT&CK] T1513 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/17801" target="_blank">[MITRE ATT&CK] T1509 - Uncommonly Used Port</a><br/>
<b>Tags:</b> malware:SpyNote, malware-type:Spyware, threat-type:Bank fraud, threat-type:Account Takeover, threat-type:On-device fraud, target-industry:Financial, technique:Accessibility services, technique:Phishing, technique:Smishing, technique:Vishing, target-identity:Bank customer, target-region:Europe, target-system:Android
</p>
</div>
</p></div>