September 9, 2020
-
Anomali Threat Research
,

Weekly Threat Briefing: Skimmer, Ransomware, APT Group, and More

<p>The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: <b>APT, Baka, DDoS, Netwalker, PyVil, Windows Defender, TA413,</b> and <b>Vulnerabilities</b>. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/h8Rv1uvSGKb7vkCSQ0GZ"/><br/> <em>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</em></p> <h2>Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1" style="margin-bottom:0;"><a href="https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf" target="_blank">‘Baka’ Javascript Skimmer Identified</a></h3> <p>(published: September 6, 2020)</p> <p>Visa have issued a security alert based on identification of a new skimmer, named “Baka”. Based on analysis by Visa Payment Fraud Disruption, the skimmer appears to be more advanced, loading dynamically and using an XOR cipher for obfuscation. The attacks behind Baka are injecting it into checkout pages using a script tag, with the skimming code downloading from the Command and Control (C2) server and executing in memory to steal customer data.<br/> <b>Recommendation:</b> eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. Visa has also released best practices in the security advisory.<br/> <b>Tags:</b> Baka, Javascript, Skimmer</p> <h3 id="article-2" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-argentinian-government-demands-4-million/" target="_blank">Netwalker Ransomware Hits Argentinian Government, Demands $4 Million</a></h3> <p>(published: September 6, 2020)</p> <p>The Argentinian immigration agency, Dirección Nacional de Migaciones suffered a ransomware attack that shut down border crossings. After receiving many tech support calls, the computer networks were shut down to prevent further spread of the ransomware, which led to a cecission in border crossings until systems were up again. The ransomware used in this attack is Netwalker ransomware, that left a ransom note demanding initalling $2 million, however when this wasn’t paid in the first week, the ransom increased to $4 million.<br/> <b>Recommendation:</b> Ransomware can potentially be blocked by using endpoint protection solutions (HIDS). Always keep your important files backed up following the 3-2-1 rule: have at least 3 different copies, on 2 different mediums, with 1 off-site. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402531">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> Argentina, Government, Netwalker, Ransomware</p> <h3 id="article-3" style="margin-bottom:0;"><a href="https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat" target="_blank">No Rest for the Wicked: Evilnum Unleashes PyVil RAT</a></h3> <p>(published: September 3, 2020)</p> <p>Researchers on the Cybereason Nocturnus team have published their research tracking the threat actor group known as Evilnum, and an ongoing change in their tooling and attack procedures. This includes a new Remote Access Trojan (RAT), written in python that they have begun to use. The actor group attacks targets in the financial services sector using highly targeted spearphishing. The phishing lures leverage "Know Your Customer" (KYC) methods to increase perceived legitimacy and trick the targets to click on a malicious LNK file that uses a small javascript dropper to achieve initial infection. The dropper subsequently downloads a secondary payload responsible for retrieving and installing the final PyVil RAT executable. The PyVil malware has multiple modules/functionality that can be used to perform a number of actions, including credential harvesting, data exfiltration, screenshots, etc.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts. This is especially vital within the finance sector due to the type and value of data, not to mention actual money, remains a prime target of actors of all sophistication levels.<br/> <b>Tags:</b> PyVil RAT, Evilnum</p> <h3 id="article-4" style="margin-bottom:0;"><a href="https://mediaserver.responsesource.com/mediabank/18328/AlertRDDoSandISPDDoSAttacksaugust2020.pdf" target="_blank">New Global DDoS Extortion Campaign</a></h3> <p>(published: September 3, 2020)</p> <p>Researchers from Radware have warned of a new ransom DDoS campaign targeting organizations in e-commerce, finance, and travel globally. First observed in the middle of August, Radware have identified several extortion requests from threat actors posing as well-known Advanced Persistent Threat (APT) groups including Fancy Bear, Lazarus Group and Armada Collective. Victims are initially contacted with an email including target specific IP addresses and Autonomous System Numbers (ASNs) of servers or services that will be targeted unless the victim pays a ransom. The ransom fee is generally set around 10 BTC (approximately $113,000), however, ransoms of up to 20 BTC have been reported.<br/> <b>Recommendation:</b> Denial-of-service attacks can potentially cost your company loss in revenue because severe attacks can shut down online services for extended periods of time. With the leak of the Mirai botnet source code in October, the availability for threat actors to compromise vulnerable devices, and purchase DDoS for hire is a continually evolving threat. Mitigation techniques can vary depending on the specifics of the attack.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a> | <a href="https://ui.threatstream.com/ttp/2402776" target="_blank">[MITRE PRE-ATT&amp;CK] Spearphishing for Information - T1397</a><br/> <b>Tags:</b> DDOS, ransom, APT</p> <h3 id="article-5" style="margin-bottom:0;"><a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/" target="_blank">Windows Defender Now Able to Download Malware</a></h3> <p>(published: September 3, 2020)</p> <p>A recent update to the antivirus solution Windows Defender has given the software the ability to download malware and other files on to Windows computers. The command line tool “MpCmdRun.exe” has been augmented with a ‘-DownloadFile’ command line flag, this in turn allows the Microsoft Antimalware Service Command Line Utility to download files from remote locations using the specific command line flag. Microsoft Defender will still detect malicious files downloaded with MpCmdRun.exe but it is currently unclear if other AV software will allow this program to bypass their detections.<br/> <b>Recommendation:</b> Your company should have patch-maintenance policies in place to expect Microsoft’s Patch Tuesday every month. Continuing usage of vulnerability application will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947205" target="_blank">[MITRE ATT&amp;CK] User Execution - T1204</a><br/> <b>Tags:</b> Windows Defender, remote execution, antivirus</p> <h3 id="article-6" style="margin-bottom:0;"><a href="https://blog.malwarebytes.com/web-threats/2020/09/web-skimmer-steals-credit-card-data-via-telegram/" target="_blank">New Web Skimmer Steals Credit Card Data, Sends to Crooks via Telegram</a></h3> <p>(published: September 1, 2020)</p> <p>Threat actors that are using web skimmers have started to exfiltrate stolen credit card data via Telegram, according to researchers at Malwarebytes. The use of Telegram allows the skimmers, which are designed to be executed on checkout pages on web stores, to blend the exfiltration traffic in what appears to be legitimate traffic. Also the use of a legitimate service, makes the exfiltration harder to block, to take down, and not requiring the threat actor to run their infrastructure.<br/> <b>Recommendation:</b> Protecting against credit card skimmers on the client side is a hard task. A TLS interceptor can be used to block traffic to Telegram’s bot API (https://api.telegram.org/bot*). eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. A bad experience at a retailer site may mean the loss of revenue as impacted users take their money elsewhere. Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. Therefore, it will be easier to spot unusual traffic and connections to and from your network to potentially identify malicious activity. Furthermore, ensure that your employees are educated about the risks of opening attachments, particularly from unknown senders and any attachment that requests macros be enabled.Websites, much like personal workstations, require constant maintenance and upkeep to adapt to the latest threats. Understanding what TTPs threat actors use to target certain types of websites or companies can assist in creating a more proactive approach before something malicious takes place.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> Magecart, Credit card, Skimmer, Telegram</p> <h3 id="article-7" style="margin-bottom:0;"><a href="https://unit42.paloaltonetworks.com/cybersquatting/" target="_blank">Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers</a></h3> <p>(published: September 1, 2020)</p> <p>Palo Alto Networks Unit 42 researchers have investigated threat actors' use of cybersquatting. During a month the researchers discovered almost 14 thousands, an average of 450 per day, suspicious domains registered. Of the suspicious domains, almost 19% were classified as malicious and almost 37% were classified as high risk. The brand with the highest rate of malicious domains was Paypal followed by Apple, Royal Bank, NetFlix, LinkedIn, and Amazon. The domains were found to be used in phishing campaigns, for malware distribution, malware command and control (C2), re-bill scams, delivery of potentially unwanted programs (PUP), technical support scams, reward scams, and add revenue via domain parking pages.<br/> <b>Recommendation:</b> Educate your employees on the potential risk that typosquatting represents because oftentimes the domains have malicious code that attempt to exploit web browser vulnerabilities. Bookmarking frequently used domains or searching for the domain in a search engine instead of typing the domain out is a good mitigation step against typosquatting.<br/> <b>Tags:</b> Apple, Cybersquatting, Facebook, Netflix, Scam</p> <h3 id="article-8" style="margin-bottom:0;"><a href="https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic" target="_blank">Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe</a></h3> <p>(published: September 1, 2020)</p> <p>Researchers from Proofpoint discovered a new campaign from China-based Advanced Persistent Threat (APT) group TA413 that targets Tibet using COVID-19 lures. In March 2020, researchers observed a phishing campaign impersonating the World Health Organization’s (WHO) that delivered a new malware family named “Sepulcher” against European diplomatic bodies. Subsequently, in July 2020 a new phishing campaign that targeted Tibetan dissidents was identified delivering the same strain of Sepulcher malware. Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, Proofpoint researchers have attributed both campaigns to the APT actor TA413.<br/> <b>Recommendation:</b> Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947127" target="_blank">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947191" target="_blank">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947162" target="_blank">[MITRE ATT&amp;CK] Remote Services - T1021</a> | <a href="https://ui.threatstream.com/ttp/947194" target="_blank">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947259" target="_blank">[MITRE ATT&amp;CK] Data Encoding - T1132</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a><br/> <b>Tags:</b> COVID-19, China, TA413, Tibet</p> <h3 id="article-9" style="margin-bottom:0;"><a href="https://www.scmagazine.com/web-services-security-e-commerce-security/attackers-could-exploit-flaws-in-magmi-magento-plugin-to-hijack-admin-sessions/" target="_blank">Attackers Could Exploit Flaws In Magmi Magento Plugin To Hijack Admin Sessions </a></h3> <p>(published: September 1, 2020)</p> <p>Enguerran Gillier from Tenable discovered two vulnerabilities in the MAGMI Magento plugin that could result in remote code execution (RCE) on vulnerable sites using Magento. The vulnerability CVE-2020-5776 is a cross-site request forgery (CSRF) vulnerability in MAGMI for Magento and by exploiting the vulnerability attackers could hijack administrator sessions and execute arbitrary code. The other vulnerability, CVE-2020-5777, is an authentication bypass vulnerability in MAGMI for Magento version 0.7.23 and below.<br/> <b>Recommendation:</b> The fix for CVE-2020-5777 is in MAGMI version 0.7.24 and it is recommended to update to that version, however, there is no known solution for CVE-2020-5776 at this time.<br/> <b>Tags:</b> CVE-2020-5776, CVE-2020-5777, magento, vulnerability</p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.