April 12, 2022
-
Anomali Threat Research
,

Anomali Cyber Watch: Zyxel Patches Critical Firewall Bypass Vulnerability, Spring4Shell (CVE-2022-22965), The Caddywiper Malware Attacking Ukraine and More

<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>Caddywiper, Colibri Loader, Gamaredon, SaintBear, SolarMaker</b> and <b>Spring4Shell</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/h7V8mxWvSteRnzwAU2Uy"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://unit42.paloaltonetworks.com/solarmarker-malware/" target="_blank">New SolarMaker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns</a></h3> <p>(published: April 8, 2022)</p> <p>Palo Alto Researchers have released their technical analysis of a new version of SolarMaker malware. Prevalent since September 2020, SolarMaker’s initial infection vector is SEO poisoning; creating malicious websites with popular keywords to increase their ranking in search engines. Once clicked on, an encrypted Powershell script is automatically downloaded. When executed, the malware is installed. SolarMaker’s main functionality is the theft of web browser information such as stored passwords, auto-fill data, and saved credit card information. All the data is sent back to an encoded C2 server encrypted with AES. New features discovered by this technical analysis include increased dropper file size, droppers are always signed with legitimate certificates, a switch back to executables instead of MSI files. Furthermore, the backdoor is now loaded into the dropper process instead of the Powershell process upon first time execution.<br/> <b>Analyst Comment:</b> Never click on suspicious links, always inspect the url for any anomalies. Untrusted executables should never be executed, nor privileges assigned to them. Monitor network traffic to assist in the discovery of non standard outbound connections which may indicate c2 activity.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947229" target="_blank">[MITRE ATT&amp;CK] Data Obfuscation - T1001</a> | <a href="https://ui.threatstream.com/ttp/3904531" target="_blank">[MITRE ATT&amp;CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> SolarMaker, Jupyter, Powershell, AES, C2, SEO poisoning</p> </div> <div class="trending-threat-article"> <h3><a href="https://research.checkpoint.com/2022/google-is-on-guard-sharks-shall-not-pass/" target="_blank">Google is on Guard: Sharks shall not Pass!</a></h3> <p>(published: April 7, 2022)</p> <p>Check Point researchers have discovered a series of malicious apps on the Google Play store that infect users with the info stealer Sharkbot whilst masquerading as AV products. The primary functionality of Sharkbot is to steal user credentials and banking details which the user is asked to provide upon launching the app. Furthermore, Sharkbot asks the user to permit it a wide array of permissions that grant the malware a variety of functions such as reading and sending SMS messages and uninstalling other applications. Additionally, the malware is able to evade detection through various techniques. Sharkbot is geofenced, therefore it will stop functioning if it detects the user is from Belarus, China, India, Romania, Russia or Ukraine. Interestingly for Android malware, Sharkbot also utilizes domain generation algorithm (DGA). This allows the malware to dynamically generate C2 domains to help the malware function after a period of time even if known C2 domains are blacklisted or taken down. As of publication, all known Sharkbot malicious apps have been removed from the Google Play store.<br/> <b>Analyst Comment:</b> Only install apps from trusted stores and still research an app before installing it. Use known safe apps rather than smaller, more obscure alternatives. Never grant an app more permissions than it needs to function. An app that tries to acquire permissions outside its scope of function is an indicator that the app is malicious. Never input your personal information, especially banking information to unknown and untrusted apps, particularly if they are not your bank’s official banking app.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905073" target="_blank">[MITRE ATT&amp;CK] Dynamic Resolution - T1568</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947141" target="_blank">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a><br/> <b>Tags:</b> Sharkbot, DGA, Google Play, Android, Belarus, China, India, Romania, Russia, Ukraine</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.cybereason.com/blog/operation-bearded-barbie-apt-c-23-campaign-targeting-israeli-officials" target="_blank">Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials</a></h3> <p>(published: April 6, 2022)</p> <p>Cybereason Nocturnus Team has revealed details about a campaign targeting Israeli officials that utilizes social engineering as the initial infection technique. APT-C-23, a threat group primarily active in the Middle East, particularly Palestinian territories, maintain very active social media profiles that catfish as young women in an attempt to befriend Israeli officials. Once befriended/connected, they move the conversations off of social media to WhatsApp. Once there, the APT group suggests moving to a different chat app and providing a link to a .rar file supposedly containing sexually explicit video content of the catfished profile. The chat app they suggest is in fact VolitileVenom malware and the .rar file contains a payload that downloads Barbie downloader which, in turn, drops the BarbWire backdoor.<br/> <b>Analyst Comment:</b> Be suspicious of individuals that attempt to move conversations off of safe social media to less secure or even untrustworthy chat apps. Never click on links that are provided over the internet by individuals that act in a suspicious manner. Skepticism of individuals over the internet is prudent, especially if you occupy a position that has access to valuable or sensitive information.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a><br/> <b>Tags:</b> APT-C-23, Israel, Palestine, Barbie, VolatileVenom, BarbWire, social engineering, catfish</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine" target="_blank">New Analysis: The Caddywiper Malware Attacking Ukraine</a></h3> <p>(published: April 5, 2022)</p> <p>Researchers at Morphisec have released a technical analysis of Caddywiper, a wiper malware that has been seen attacking Ukrainian targets since 14th March 2022. The malware checks to determine if the machine it is operated on is a domain controller, if not, no action is taken and the malware stops its execution. If the machine is a domain controller, Caddywiper deletes as many files as it can from C://Users before deleting files from all lettered drives from D - Z. In addition, the wiper becomes more destructive if it is executed with administrator privileges by gaining the ability to delete physical drive partitions, which can effectively make the file system useless. Furthermore, Caddywiper is a polymorphic malware, which makes detection attempts based upon signatures less reliable.<br/> <b>Analyst Comment:</b> Never run untrusted programs on your computer, with or without administrator privileges. With evasive malware such as Caddywiper, a defense in depth approach to security will assist in damage mitigation and stop the spreading of malware to all assets within the network.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/2402541" target="_blank">[MITRE ATT&amp;CK] Data Destruction - T1485</a><br/> <b>Tags:</b> Caddywiper, Ukraine, polymorphic, wiper</p> </div> <div class="trending-threat-article"> <h3><a href="https://awakesecurity.com/blog/everythingislife-a-masquerading-cryptocurrency-mining-campaign/" target="_blank">EverythingIsLife: A Masquerading Cryptocurrency Mining Campaign</a></h3> <p>(published: April 5, 2022)</p> <p>Awake Labs has documented an extensive cryptocurrency mining campaign named EverythingIsLife. The first activity associated with the campaign was documented on the 1st September 2021 and the last on the 21st of March 2022. Whilst the initial infection vector is unknown, the crypto mining malware is downloaded through a Visual Basic script named Windows Update Service with one of two extensions: .vbs or .vbe. Both communicate with the domain windows-display-service[.]com, which acts as an initial C2 domain. The script makes headless Chrome connections to other domains associated with crypto mining before opening port 4444, which is associated with crypto mining and Metasploit.<br/> <b>Analyst Comment:</b> Treat all untrusted programs with skepticism and only download files from trusted sources. Be wary of file attachments within emails as phishing is a common infection vector for crypto mining malware. Only download updates from the vendors official websites, do not run untrusted software that is named in the style of an official product.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/2402525" target="_blank">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a><br/> <b>Tags:</b> EverythingIsLife, Cryptocurrency, Cryptomining, VB, Metasploit</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/" target="_blank">Colibri Loader combines Task Scheduler and Powershell in clever Persistence Technique</a></h3> <p>(published: April 5, 2022)</p> <p>A report released by Malwarebytes details the persistence technique utilized by Colibri Loader. The loader, which has been observed in the wild since August 2021, drops Vidar Stealer as a final payload but archives persistence via Powershell. On both Windows 7 and 10, the loader inserts itself into /WindowsApps and then uses a scheduled task to run Powershell for persistence. However, for Windows 10, the Powershell command comes with an additional parameter, “windowstyle hidden”. This appears to be the first of this technique to achieve persistence.<br/> <b>Analyst Comment:</b> All assets and logs should be inserted into your SIEM to detect and track anomalous activity within your network and machines which could indicate malicious activity. Monitor network traffic to detect any C2 communications that compromised machines may attempt.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a> | <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a><br/> <b>Tags:</b> Colibri Loader, Powershell, Scheduled Task, Vidar Stealer, Windows</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/ukraine-spots-russian-linked-armageddon-phishing-attacks/" target="_blank">Ukraine spots Russian-Linked ‘Armageddon’ Phishing Attacks</a></h3> <p>(published: April 5, 2022)</p> <p>A phishing campaign launched by Russia-sponsored threat actor Armageddon (Gamaredon, Primitive Bear) was detected by the Computer Emergency Response Team of Ukraine (CERT-UA). The campaign targets both the Ukrainian goverment and government agencies in the EU. Whilst the phishing lure themes differ between targets, with Ukrainian lures masquerading as war criminal files with a HTML attachment that will drop a .rar file, and EU lures as military assistance files with a .rar file attachment, the infection chain is the same. A phishing email is sent out containing the appropriate phishing attachment that results in the dropping of a .rar file. The .rar file contains shortcut files that when executed will fetch a VB script that executes Powershell to retrieve a payload.<br/> <b>Analyst Comment:</b> Never click on email attachments from untrusted sources, or execute unknown files. Report any suspicious emails to the appropriate authority within your organization. Phishing education training is the best defense against phishing attacks.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a><br/> <b>Tags:</b> Armageddon, Gamaredon, Phishing, CERT-UA, Powershell, HTML</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/update-now-zyxel-patches-critical-firewall-bypass-vulnerability/" target="_blank">Update Now! Zyxel Patches Critical Firewall Bypass Vulnerability</a></h3> <p>(published: April 4, 2022)</p> <p>Zyxel, a Taiwanese producer of telecommunication and routing equipment, released a security advisory as of 4th of April 2022 that informed their customers of a new, critical vulnerability affecting some of their products. The vulnerability, recorded as CVE-2022-0342, is a result of a misconfigured access control mechanism within the CGI of the vulnerable devices. This can allow unauthenticated users administrative access, effectively bypassing authentication and escalating privileges. A patch has been made available upon request from Zyxel’s support team and all vulnerable devices will receive the full patch in an upcoming May release.<br/> <b>Analyst Comment:</b> Critical vulnerabilities should be patched as soon as patches are released. A strong patch management policy will help organize your system patches and reduce downtime needed to patch them. For firewalls, it is recommended to limit access to the administrative interface to only trusted and authorized users.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947233" target="_blank">[MITRE ATT&amp;CK] Exploitation for Privilege Escalation - T1068</a> | <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> Zyxel, CVE-2022-0342, Taiwan, CGI</p> </div> <div class="trending-threat-article"> <h3><a href="https://securelist.com/spring4shell-cve-2022-22965/106239/" target="_blank">Spring4Shell (CVE-2022-22965): Details and Mitigations</a></h3> <p>(published: April 4, 2022)</p> <p>A critical vulnerability registered as CVE-2022-22965 has been discovered within the Spring Framework, an open source Java framework. The vulnerability exists within the getCachedIntrospectionResults method, granting unauthorized access to objects used by the application. This is achieved by passing their class names as parameters in the HTTP request that creates the possibility of remote code execution. Additionally, there is another vulnerability for the spring framework registered as CVE-2022-22963. This vulnerability exploits the Spring Expression Language (SpEL) to allow code injection through adding a spring.cloud.function.routing-expression header to an HTTP request. Patched versions of the Spring Framework are now available to address both vulnerabilities.<br/> <b>Analyst Comment:</b> A strong patch management policy should be implemented to assist in the patching of critical vulnerabilities. Frameworks that become vulnerable to exploitation render many applications and products that are built using the framework vulnerable, so the patching of such critical vulnerabilities must be made a priority.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a> | <a href="https://ui.threatstream.com/ttp/947244" target="_blank">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a><br/> <b>Tags:</b> Spring4Shell, Spring, Java, CVE-2022-22963, CVE-2022-22965, HTTP, SpEL</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/" target="_blank">Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations</a></h3> <p>(published: April 4, 2022)</p> <p>Intezer researchers discovered that GraphSteel and GrimPlant backdoors discovered in Ukraine in March 2022 are part of a new Go-based malware framework. This framework is apparently called Elephant by its creators and has four malware components used for stealing credentials, documents, and to provide remote access to the infected machine. Elephant uses multiple protocols for C2 communication, Google Remote Procedure Call (gRPC) and GraphQL over websockets. Intezer found an earlier Elephant phishing email from February 2022, and discovered that the oldest service certificate found through the Elephant’s embedded CA certificate shows that the malware was possibly used since December 2021.<br/> <b>Analyst Comment:</b> Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user to open it and enable macroses. It is important to teach your users basic online hygiene and phishing awareness.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a> | <a href="https://ui.threatstream.com/ttp/2402543" target="_blank">[MITRE ATT&amp;CK] Virtualization/Sandbox Evasion - T1497</a> | <a href="https://ui.threatstream.com/ttp/947166" target="_blank">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/3904531" target="_blank">[MITRE ATT&amp;CK] Encrypted Channel - T1573</a> | <a href="https://ui.threatstream.com/ttp/947125" target="_blank">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947082" target="_blank">[MITRE ATT&amp;CK] System Owner/User Discovery - T1033</a> | <a href="https://ui.threatstream.com/ttp/947187" target="_blank">[MITRE ATT&amp;CK] System Network Configuration Discovery - T1016</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/3905036" target="_blank">[MITRE ATT&amp;CK] Credentials from Password Stores - T1555</a> | <a href="https://ui.threatstream.com/ttp/947135" target="_blank">[MITRE ATT&amp;CK] Data from Local System - T1005</a> | <a href="https://ui.threatstream.com/ttp/947195" target="_blank">[MITRE ATT&amp;CK] File and Directory Discovery - T1083</a><br/> <b>Tags:</b> Elephant, SaintBear, UAC-0056, UNC2589, TA471, GraphSteel, GrimPlant, gRPC, GraphQL, Go, AES, Cipher-Block Chaining, RSA implementation, Russia, source-country:RU, Ukraine, target-country:UA, Ukraine-Russia Conflict 2022, Operation Bleeding Bear, Romania, target-country:RO</p> </div>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.