December 24, 2019 - Anomali Threat Research

Weekly Threat Briefing: Emotet Gang Changes Tactics Ahead of the Winter Holidays

<p>The section below contains summaries of threat intelligence stories from the past week. The intelligence in this week's iteration discusses the following threats: <b>APT20, Dudell, Malspam, Phishing, Poison Frog, Rancor, Strontium, Targeted attacks, Tokyo Olympics 2020,</b> and <b>Zero-day</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.</p>
<p><img alt="" src="https://cdn.filestackcontent.com/ofW2PVQRX2amdTBSva31"/></p>
<h2>Trending Threats</h2>
<p><a href="https://nsarchive.gwu.edu/news/cyber-vault/2019-12-16/military-concerns-over-chinese-dji-drones" target="_blank"><b>US Navy Memo Raised Cybersecurity Concerns About DJI Drones</b></a> (<i>December 16, 2019</i>)<br/> A classified memo has been released by the U.S. Army supporting a decision made in 2017 to discontinue the use of drones made by the Chinese manufacturer DJI. The earlier U.S. Navy memo was released in 2017 and cited a number of risks associated with DJI products. It drew attention to open-source reports highlighting that a data link from the ground station was vulnerable, meaning malicious actors could discreetly upload images, videos and telemetry to servers, and it noted uncertainty over how electromagnetic interference could result in loss of control. DJI is one of the world's largest manufacturers of drones. In May 2019, the U.S. Department of Homeland Security (DHS) further warned that sensitive data could be sent back to manufacturers in China, where it can in turn be accessed by the government.<br/> <a href="https://forum.anomali.com/t/us-navy-memo-raised-cybersecurity-concerns-about-dji-drones/4460" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/tokyo-2020-staff-warns-of-phishing-disguised-as-official-emails/" target="_blank"><b>Tokyo 2020 Staff Warns of Phishing Disguised As Official Emails</b></a> (<i>December 20, 2019</i>)<br/> A warning has been published detailing an ongoing phishing campaign spoofing the Tokyo Organizing Committee of the Olympic and Paralympic Games (Tokyo 2020). The warning emphasises that the emails may look official and legitimate, but that recipients are likely to be redirected to malicious sites or infected with malware. Tokyo 2020 ticket sales have not yet begun, in an effort to reduce fraudulent activity. Microsoft has already linked previous malicious activity targeting Tokyo 2020 to the STRONTIUM Advanced Persistent Threat (APT) group.<br/> <a href="https://forum.anomali.com/t/tokyo-2020-staff-warns-of-phishing-disguised-as-official-emails/4461" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947141">[MITRE ATT&amp;CK] Masquerading - T1036</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a> | <a href="https://ui.threatstream.com/ttp/1259923">[MITRE PRE-ATT&amp;CK] Conduct social engineering (PRE-T1056)</a></p>
<p><a href="https://labs.bitdefender.com/2019/12/rdp-abuse-and-swiss-army-knife-tool-used-to-pillage-encrypt-and-manipulate-data/" target="_blank"><b>RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data</b></a> (<i>December 18, 2019</i>)<br/> Bitdefender has reported on a recently discovered technique being leveraged by attackers, who are abusing a legitimate feature of the Remote Desktop Protocol (RDP). An RDP client can share a drive letter from its own machine, which then appears as a resource on the local virtual network. This shared directory was used as a data exfiltration mechanism over RDP. An off-the-shelf component placed on the 'tsclient1' network location could be executed using cmd.exe or explorer.exe. Ransomware appears to be used as a payload. At the time of writing, the actors had obtained at least $150,000 in cryptocurrency.<br/> <a href="https://forum.anomali.com/t/rdp-abuse-and-swiss-army-knife-tool-used-to-pillage-encrypt-and-manipulate-data/4462" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/emotet-gang-changes-tactics-ahead-of-the-winter-holidays/" target="_blank"><b>Emotet Gang Changes Tactics Ahead of the Winter Holidays</b></a> (<i>December 19, 2019</i>)<br/> Cofense Labs researchers have noted a change in Emotet tactics in the run-up to Christmas. The Emotet Command and Control (C2) communication from the client no longer uses random URI paths drawn from a word list; it now uses a string of at least four characters that appears random but is in fact the key of the key/value pair in the posted form data. The researchers think this change is 'more on the cosmetic side' because it does not affect the check-in data. Since September, the Emotet gang has also been delivering emails with malicious attachments rather than emails with malicious links.<br/> <a href="https://forum.anomali.com/t/emotet-gang-changes-tactics-ahead-of-the-winter-holidays/4463" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947210">[MITRE ATT&amp;CK] Exfiltration Over Command and Control Channel - T1041</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/honda-exposes-26-000-records-of-north-american-customers/" target="_blank"><b>Honda Exposes 26,000 Records of North American Customers</b></a> (<i>December 18, 2019</i>)<br/> Security Discovery researcher Bob Diachenko discovered a misconfigured Elasticsearch cluster in early December. The database was found on December 11th after it was indexed by the BinaryEdge Internet-connected device search engine. Honda's security team in Japan has since secured the publicly accessible server, but over 26,000 North American vehicle owner records containing Personally Identifiable Information (PII) were exposed. The accessible information included names, email addresses, mailing addresses, phone numbers and vehicle-related data such as service information. No financial information, such as credit card data, was exposed.<br/> <a href="https://forum.anomali.com/t/honda-exposes-26-000-records-of-north-american-customers/4464" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/industrial-cyber-espionage-campaign-targets-hundreds-of-companies/" target="_blank"><b>Industrial Cyber-Espionage Campaign Targets Hundreds of Companies</b></a> (<i>December 17, 2019</i>)<br/> Researchers from CyberX's threat intelligence team, 'Section 52', have recently investigated an Advanced Persistent Threat (APT) cyber-espionage campaign targeting industrial control and critical infrastructure organisations in South Korea, Thailand, China, Japan, Indonesia, Turkey, Ecuador, Germany and the United Kingdom. 57.4% of the targets were in South Korea, where victims included suppliers of equipment to chemical plants and power transmission and distribution facilities, as well as firms in the renewable energy sector. The attack began with spear-phishing emails, one sample purporting to be a request for quote (RFQ) for the design of a power plant in the Czech Republic. CyberX researchers found that malware used in the campaign included the Separ info-stealer, which was first reported on in 2013.<br/> <a href="https://forum.anomali.com/t/industrial-cyber-espionage-campaign-targets-hundreds-of-companies/4465" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947209">[MITRE ATT&amp;CK] Third-party Software - T1072</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/chinese-rancor-apt-refreshes-malware-kit-for-espionage-attacks/" target="_blank"><b>Chinese Rancor APT Refreshes Malware Kit for Espionage Attacks</b></a> (<i>December 17, 2019</i>)<br/> Palo Alto Networks Unit 42 researchers have observed the Advanced Persistent Threat (APT) group 'Rancor' deploying a new malware strain dubbed 'Dudell' in attacks targeting the Cambodian government. Rancor has previously been reported using custom-built malware, namely DDKONG and PLAINTEE, in 2017 and 2018. The report details the use of a malicious Excel document containing a custom obfuscated VBScript named 'Chrome.vbs'. The downloader pulls down a DDKONG payload, which exfiltrates XOR-encoded victim information. Other malware, such as DUDELL and KHRAT, was also observed.<br/> <a href="https://forum.anomali.com/t/chinese-rancor-apt-refreshes-malware-kit-for-espionage-attacks/4466" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
<p><a href="https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/" target="_blank"><b>Operation Wocao: Shining a Light on One of China's Hidden Hacking Groups</b></a> (<i>December 19, 2019</i>)<br/> Fox-IT has released a report detailing the activities of the publicly reported Advanced Persistent Threat (APT) group 'APT20'. Fox-IT has high confidence that the actor is a Chinese group working on behalf of the Chinese government for espionage purposes. Victims were found in over 10 countries and included governments, managed service providers (MSPs), and organisations in the energy, healthcare and high-tech sectors. The activity shows that the actors operated mostly through legitimate channels such as VPN access, and singled out the workstations of employees with privileged access. They stole password vaults and sometimes maintained several access methods as backups. APT20 uses simple but efficient and effective methods.<br/> <a href="https://forum.anomali.com/t/operation-wocao-shining-a-light-on-one-of-china-s-hidden-hacking-groups/4467" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
<p><a href="https://securelist.com/oilrigs-poison-frog/95490/" target="_blank"><b>OilRig's Poison Frog - Old Samples, Same Trick</b></a> (<i>December 17, 2019</i>)<br/> Securelist has released a retrospective analysis of activity conducted by OilRig. The researchers discovered new samples and also found some of the first Poison Frog backdoor samples. One of the earliest Poison Frog samples uses poison-frog[.]club as its Command and Control (C2) domain. OilRig's developers disguised the malware as the legitimate Cisco AnyConnect application. The researchers describe OilRig as sloppy: in one sample, a typo in the PowerShell executable name, 'poweeershell.exe', prevented the sample from executing properly, and many samples still had the Program Database (PDB) path inside the binary.<br/> <a href="https://forum.anomali.com/t/oilrig-s-poison-frog-old-samples-same-trick/4468" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
<p><a href="https://securityaffairs.co/wordpress/95245/hacking/tp-link-archer-routers-flaws.html" target="_blank"><b>TP-Link Archer Routers Allow Remote Takeover Without Passwords</b></a> (<i>December 17, 2019</i>)<br/> A critical zero-day vulnerability in TP-Link Archer routers has been addressed by TP-Link. The vulnerability (CVE-2017-7405) could allow attackers to gain remote access to and control over the LAN through a Telnet connection without authentication. IBM X-Force researchers note that the flaw can affect both home and business environments. The router's Common Gateway Interface (CGI) validation is based on the HTTP Referer header. Because TP-Link Archer routers run the default administrative user with root privileges, an attacker who spoofs the HTTP header data can take control.<br/> <a href="https://forum.anomali.com/t/tp-link-archer-routers-allow-remote-takeover-without-passwords/4469" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947121">[MITRE ATT&amp;CK] Network Sniffing - T1040</a></p>
<h2>Observed Threats</h2>
<p>This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. <a href="https://www.anomali.com/products">Click here to request a trial</a>.</p>
<p><strong><a href="https://ui.threatstream.com/actor/4411" target="_blank">OilRig</a></strong><br/> The Advanced Persistent Threat (APT) group “OilRig” is believed to be an Iran-based group that has been active since at least 2014. OilRig conducts cyber espionage operations focused on reconnaissance that benefits Iranian nation-state interests. OilRig uses a mix of public and custom tools to primarily target entities located in the Middle East.</p>
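The RDP drive-redirection abuse in the Bitdefender story above (a component staged on the redirected 'tsclient' share and run through cmd.exe or explorer.exe) lends itself to a simple process-creation detection. The following Python script is an added example, not part of the briefing and not Bitdefender's code. It assumes a constructed 'timestamp|Key=Value|...' record format with Image, CommandLine and User fields; the only real-world detail it relies on is that RDP drive redirection exposes the client's drives under the \\tsclient\ UNC prefix (the pattern also accepts a suffix, so the 'tsclient1' spelling in the briefing is matched too). All sample records are made up.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# UNC prefix that RDP drive redirection exposes to the remote session:
# \\tsclient\<drive letter>\... . A suffix after "tsclient" is accepted so the
# 'tsclient1' spelling used in the briefing is matched as well.
TSCLIENT_RE = re.compile(r"\\\\tsclient[^\\]*\\", re.IGNORECASE)

# Launchers named in the Bitdefender story for running the staged component.
LAUNCHERS = {"cmd.exe", "explorer.exe"}


@dataclass
class Finding:
    timestamp: str
    user: str
    image: str
    command_line: str
    reason: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'timestamp|Key=Value|Key=Value' process-creation record."""
    fields = line.rstrip("\n").split("|")
    event = {"Timestamp": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_tsclient_path(text: str) -> bool:
    """True when the text references a redirected RDP drive (tsclient UNC prefix)."""
    return TSCLIENT_RE.search(text) is not None


def find_tsclient_executions(lines: Iterable[str]) -> List[Finding]:
    """Flag processes started from, or launched against, a redirected RDP drive."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        basename = image.rsplit("\\", 1)[-1].lower()
        if is_tsclient_path(image):
            reason = "process image executed directly from a redirected RDP drive"
        elif basename in LAUNCHERS and is_tsclient_path(cmd):
            reason = f"{basename} invoked a path on a redirected RDP drive"
        else:
            continue
        findings.append(Finding(ev["Timestamp"], ev.get("User", ""), image, cmd, reason))
    return findings


# Constructed sample records (not real telemetry): the first and last lines are
# benign, the middle three show the pattern the story describes.
SAMPLE_LOG = """\
2019-12-18T09:58:02Z|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir C:\\Users|User=CORP\\jsmith
2019-12-18T10:02:11Z|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c \\\\tsclient\\C\\tools\\run.bat|User=CORP\\jsmith
2019-12-18T10:03:40Z|Image=\\\\tsclient\\C\\tools\\agent.exe|CommandLine="\\\\tsclient\\C\\tools\\agent.exe" -q|User=CORP\\jsmith
2019-12-18T10:05:15Z|Image=C:\\Windows\\explorer.exe|CommandLine=explorer.exe \\\\TSCLIENT1\\D\\share|User=CORP\\jsmith
2019-12-18T10:07:00Z|Image=C:\\Program Files\\App\\app.exe|CommandLine=app.exe --sync \\\\fileserver\\public|User=CORP\\jsmith
"""

if __name__ == "__main__":
    for f in find_tsclient_executions(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.user}: {f.reason}\n    {f.command_line}")
```

The rule is deliberately narrow: any process whose image lives on a redirected drive is flagged, but command-line references to the share only count when the launcher is one of the two named in the story, because ordinary users copy files to and from \\tsclient\ shares all day. Widening LAUNCHERS, or disabling drive redirection on hosts that do not need it, are the obvious tuning and hardening knobs.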
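The Emotet change summarised above (the C2 URI path is no longer a word-list string but the same string that serves as the key in the POSTed form data) can be turned into a request-level check. The Python below is an added example, written here rather than taken from the briefing or from Cofense. It parses a raw HTTP/1.x request and reports when a path segment of at least four characters is identical to a form field name; the host, paths and form values in the three sample requests are constructed, and the check generalises to any path segment rather than assuming a single-segment path.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

MIN_SEGMENT_LEN = 4  # the story reports a path string of at least four characters


def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x request into method, request-target, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def form_keys(headers: Dict[str, str], body: bytes) -> List[str]:
    """Return the field names of a URL-encoded form body (empty for other content types)."""
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    return list(parse_qs(body.decode("latin-1"), keep_blank_values=True))


def path_form_key_match(raw: bytes) -> Optional[str]:
    """Return the matching string when a URI path segment of at least
    MIN_SEGMENT_LEN characters equals a key in the POSTed form data, else None."""
    method, target, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    keys = set(form_keys(headers, body))
    for segment in urlsplit(target).path.split("/"):
        if len(segment) >= MIN_SEGMENT_LEN and segment in keys:
            return segment
    return None


def scan(samples: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Run the check over a batch of labelled requests."""
    return {label: path_form_key_match(raw) for label, raw in samples.items()}


# Constructed samples (host, paths and values are made up, not real C2 traffic).
# New style described in the story: the path string reappears as the form key.
SAMPLE_NEW = (
    b"POST /kQzXbT/ HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 15\r\n"
    b"\r\n"
    b"kQzXbT=Zm9vYmFy"
)
# Old style: word-list path, unrelated form key.
SAMPLE_OLD = (
    b"POST /teapot/chunk/ HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"Ab4=Zm9vYmFy"
)
# Ordinary application traffic: path and field names differ.
SAMPLE_BENIGN = (
    b"POST /api/session HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b"user=alice&token=Zm9vYmFy"
)

if __name__ == "__main__":
    batch = {"new": SAMPLE_NEW, "old": SAMPLE_OLD, "benign": SAMPLE_BENIGN}
    for label, hit in scan(batch).items():
        print(f"{label}: {'path segment equals form key ' + hit if hit else 'no match'}")
```

This is an enrichment signal rather than a standalone alert: a legitimate /login endpoint that posts a login= field would trip it just as well, so it belongs alongside the destination IOCs attached to the briefing and the check-in cadence, not on its own.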
