July 10, 2018 - Anomali Threat Research

Weekly Threat Briefing: APT Attack In the Middle East: The Big Bang

<div id="weekly"><p id="intro">The intelligence in this week’s iteration discuss the following threats: <strong>Big Bang, Cryptojacking, Hide and Seek Botnet, </strong><strong>Hussarini</strong><strong>,</strong> and<strong> Smoke Loader</strong>. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.</p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html" target="_blank"><b>Hussarini – Targeted Cyber Attack In The Philippines</b></a> (<i>July 8, 2018</i>)<br/> FortiGuard Labs uncovered an Advanced Persistent Threat (APT)-linked malicious Microsoft Word document with a politically-themed name "Draft PH-US Dialogue on Cyber Security.doc" targeting the Philippines. The document, if opened, uses the vulnerability CVE-2017-11882 to deploy Hussarini malware on a user's machine. This malware is a Dynamic Link Library (DLL) backdoor that exports functions containing malicious code. This specific malware has more export functions than a normal backdoor DLL usually does. It saves a "ServerID" in the machine's registry before connecting to the Command and Control (C2) server with a random value to identify itself to a botnet. Once doing this and receiving a response from the C2 server, the malware will send sensitive information from the infected machine such as username, OS, and CPU information. This Hussarini malware can log keystrokes, take screenshots, while also having the capability to upload and download files, in addition to executing commands. This APT was first seen in 2014 targeting the Philippines and Thailand, but has been revived to target the Philippines once again, though the intended goal of the APT is unknown. 
The Philippines is continually a target for cyber espionage from other nation-states.<br/> <a href="https://forum.anomali.com/t/hussarini-targeted-cyber-attack-in-the-philippines/2658" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://research.checkpoint.com/apt-attack-middle-east-big-bang/" target="_blank"><b>APT Attack In the Middle East: The Big Bang</b></a> (<i>July 8, 2018</i>)<br/> Researchers from Check Point have observed the return of an Advanced Persistent Threat (APT) surveillance attack targeting institutions in the Middle East. The surveillance campaign, dubbed "Big Bang," primarily targets the Palestinian Authority. The group leverages self-extracting RAR archives that contain two files: a decoy Microsoft Word document and a malicious executable. The decoy document pretends to be from the "Palestinian Political and National Guidance Commission." The malware contains a number of modules that perform functions such as taking screenshots, obtaining a list of files, retrieving system information, restarting the system, and self-deletion. The malware fetches additional modules from the Command and Control server if it finds something of interest. It is not exactly clear what the attackers are searching for.<br/> <a href="https://forum.anomali.com/t/apt-attack-in-the-middle-east-the-big-bang/2659" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.timehop.com/security" target="_blank"><b>Timehop Security Incident, July 4th, 2018</b></a> (<i>July 8, 2018</i>)<br/> The social media company "Timehop" suffered a data breach on July 4. Timehop states that it discovered the breach while it was in progress and was able to stop it, but the data of 21 million users was nonetheless stolen. The stolen data included names, email addresses, and phone numbers. 
Timehop states that none of the stored social media posts and photos were accessed, but that the "API keys" used to view the posts were compromised. The keys have been deactivated.<br/> <a href="https://forum.anomali.com/t/timehop-security-incident-july-4th-2018/2660" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.netlab.360.com/hns-botnet-recent-activities-en/" target="_blank"><b>HNS Botnet Recent Activities</b></a> (<i>July 6, 2018</i>)<br/> Netlab researchers have detailed recent updates to the "Hide and Seek" (HNS) botnet. The botnet has added new exploits that target five platforms: AVTECH webcams, Cisco Linksys routers, the JAWS web server, Apache CouchDB, and OrientDB. HNS finds victims by network scanning. It attempts to install a cryptominer on the compromised device, but the miner does not appear to function fully.<br/> <a href="https://forum.anomali.com/t/hns-botnet-recent-activities/2661" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/fake-adult-sites-pushing-unwanted-extensions-miners-and-adware/" target="_blank"><b>Fake Adult Sites Pushing Unwanted Extensions, Miners, and Adware</b></a> (<i>July 5, 2018</i>)<br/> Fake adult websites are pushing adware, Potentially Unwanted Programs (PUPs), and unwanted browser extensions on users who visit them. When a video is played, a fake video player pop-up states that the user needs to download and install an updated version of the media player. If the user clicks on the message, adware installers are downloaded to the machine, or the user is redirected to a site that pushes Chrome extensions, such as one containing a script that performs in-browser mining. 
The adware installers bundle legitimate free programs with the installer to increase the likelihood that the user proceeds with the download.<br/> <a href="https://forum.anomali.com/t/fake-adult-sites-pushing-unwanted-extensions-miners-and-adware/2662" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.gdatasoftware.com/blog/07/30876-analysis-downloader-with-a-twist" target="_blank"><b>Analysis: Downloader with a twist</b></a> (<i>July 5, 2018</i>)<br/> GData researchers have published an analysis of a recently discovered downloader that uses a fileless User Account Control (UAC) bypass technique. The malicious file is an obfuscated JavaScript file. After deobfuscation, the script checks the current Windows version by querying Windows Management Instrumentation (WMI). If Windows 7 is detected, the downloader bypasses UAC by modifying a registry key so that its value executes the script with parameters. It then launches "eventvwr.exe", which consults that registry key to start the Microsoft Management Console ("mmc.exe"); because the downloader changed the value, the script is executed via "wscript.exe" with elevated privileges, bypassing UAC, before "mmc.exe" is started. On Windows 10 the technique is similar, except that an additional registry key is deleted and "fodhelper.exe" is used instead of "eventvwr.exe". An observed final payload was the GandCrab ransomware.<br/> <a href="https://forum.anomali.com/t/analysis-downloader-with-a-twist/2663" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://nakedsecurity.sophos.com/2018/07/04/samsung-phones-sending-photos-to-contacts-without-permission/" target="_blank"><b>Samsung Phones Sending Photos To Contacts Without Permission</b></a> (<i>July 4, 2018</i>)<br/> Samsung smartphones, mainly the Samsung S9 and S9+, have reportedly been sending photos to users' contacts spontaneously, without being prompted to. 
Multiple photos have been sent to contacts without user interaction and without any trace in the Samsung Messages app afterwards. It is uncertain what has caused this to occur.<br/> <a href="https://forum.anomali.com/t/samsung-phones-sending-photos-to-contacts-without-permission/2664" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773" target="_blank"><b>Hamas Cyber Ops Spied On Hundreds Of Israeli Soldiers Using Fake World Cup, Dating Apps</b></a> (<i>July 3, 2018</i>)<br/> Hamas cyber operators compromised the phones of numerous Israel Defense Forces (IDF) soldiers by distributing World Cup-themed and dating applications that install malware. Hamas used malicious Android applications hosted in the Google Play Store to gain access to IDF soldiers' email addresses, phone numbers, and pictures. The malicious applications enabled Hamas to control the camera and microphone of the compromised phones. Hamas used a dating application with corresponding fake Facebook profiles and an application called "Golden Cup", which provided real-time updates on the World Cup, to spy on IDF soldiers. Hamas also used fitness applications to identify IDF soldiers who were jogging near the Gaza border. Hamas has been using these applications since 2017 to compromise soldiers' phones. 
The IDF information security team has been aware since January 2018 of suspicious people trying to get soldiers to download applications.<br/> <a href="https://forum.anomali.com/t/hamas-cyber-ops-spied-on-hundreds-of-israeli-soldiers-using-fake-world-cup-dating-apps/2665" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html" target="_blank"><b>Smoking Guns - Smoke Loader Learned New Tricks</b></a> (<i>July 3, 2018</i>)<br/> Cisco Talos researchers have been observing developments in the malware known as "Smoke Loader", including the adoption of the recently discovered "PROPagate" injection technique. Smoke Loader is delivered via emails with attached Microsoft Word documents that contain malicious macros. Smoke Loader injects plugins into the "explorer.exe" process. The plugins are designed to steal sensitive information: they exfiltrate files, steal passwords, and intercept traffic sent over HTTP/HTTPS.<br/> <a href="https://forum.anomali.com/t/smoking-guns-smoke-loader-learned-new-tricks/2666" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.malwarebytes.com/threat-analysis/2018/07/obfuscated-coinhive-shortlink-reveals-larger-mining-operation/" target="_blank"><b>Crooks utilizing Coinhive JavaScript Miner for Monero on hundreds of compromised websites.</b></a> (<i>July 3, 2018</i>)<br/> Demand from ambitious investors drove the value of cryptocurrencies to all-time highs in the last few months of 2017. This in turn encouraged threat actors to examine various ways of seizing upon this new source of potential wealth. Malware that steals cryptocurrency wallets (e.g., CryptoShuffler, njRAT, Evrial) is frequently observed, but perhaps the most profitable approach to capitalizing on the cryptocurrency craze is the crypto mining or "cryptojacking" attack. 
Deploying a crypto miner initially involves exploiting unpatched vulnerabilities, such as Remote Code Execution (RCE) and Cross-site Scripting (XSS) bugs. Increasingly, actors are using a legitimate JavaScript miner for the Monero cryptocurrency called "Coinhive". Several hundred compromised websites that are part of a large mining network were recently found pushing this script to visitors. The "Coinhive" API offers a feature to monetize hyperlinks called "shortlinks". The concept is that visitors who click on a hyperlink use their own computer to solve a specific number of hashes before being redirected to the destination site. Clicking on a shortlink activates a progress bar that, with the default parameters, normally disappears within a few seconds. However, actors are abusing this feature by loading shortlinks in hidden iframes with an unreasonably high hash count. Visitors to a compromised site unknowingly mine Monero for as long as they remain on the page.<br/> <a href="https://forum.anomali.com/t/crooks-utilizing-coinhive-javascript-miner-for-monero-on-hundreds-of-compromised-websites/2667" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bleepingcomputer.com/news/security/nozelesn-ransomware-reportedly-using-spam-to-target-poland/" target="_blank"><b>Nozelesn Ransomware Reportedly Using Spam to Target Poland</b></a> (<i>July 2, 2018</i>)<br/> A new campaign has been observed distributing the "Nozelesn" ransomware to targets located in Poland. According to a researcher at CERT Polska, the ransomware is being distributed through a spam campaign using a fake invoice from the courier company DHL. As of July 2018, the campaign appears to have subsided. However, themed phishing emails are relatively common, and staying aware of trends can help in identifying potential phishing attempts. 
When a victim's computer is infected, Nozelesn encrypts files, appending the ".nozelesn" extension, and demands a ransom of 0.1 bitcoins (approximately $660 USD).<br/> <a href="https://forum.anomali.com/t/nozelesn-ransomware-reportedly-using-spam-to-target-poland/2668" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://www.bbc.co.uk/news/technology-44682369" target="_blank"><b>NHS data breach affects 150,000 patients in England</b></a> (<i>July 2, 2018</i>)<br/> A coding error has resulted in a data breach affecting 150,000 patients in England, according to the National Health Service (NHS). The error was present in the "SystmOne" application developed by Horsforth-based TPP (The Phoenix Partnership). SystmOne is used by general practitioners to access patient health records held by the NHS. Data from patients who had requested that their information be used only for their care had mistakenly also been used for research and auditing purposes. The software developer TPP has apologised for the fault, and NHS Digital has started a process to write to all affected patients.<br/> <a href="https://forum.anomali.com/t/nhs-data-breach-affects-150-000-patients-in-england/2669" target="_blank">Click here for Anomali recommendation</a></p><p><a href="https://blog.malwarebytes.com/threat-analysis/2018/07/new-macro-less-technique-used-distribute-malware/" target="_blank"><b>New Macro-less Technique To Distribute Malware</b></a> (<i>July 2, 2018</i>)<br/> A new macro-less initial infection vector has been discovered by the security researcher Matt Nelson. The attack, specific to Windows 10, leverages a "Setting Content" file embedded in a Microsoft Office file. 
Setting Content files are XML-based files used to create shortcuts to the Control Panel. One of their elements, "DeepLink", allows any binary to be executed with parameters, which lets an attacker run shell commands through powershell.exe or cmd.exe.<br/> <a href="https://forum.anomali.com/t/new-macro-less-technique-to-distribute-malware/2670" target="_blank">Click here for Anomali recommendation</a></p></div></div>
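The "Downloader with a twist" item above describes a UAC bypass that works by planting a command in a per-user registry key that eventvwr.exe (Windows 7) or fodhelper.exe (Windows 10) reads before launching an elevated program. A defender can hunt for that artifact in a .reg export taken from a suspect host. The script below is an added example written for this briefing, not code from Anomali or G DATA; the two key paths it watches are taken from public research on these bypasses (the briefing itself does not name them), and the .reg text it scans is constructed for the demo.

```python
"""Hunt a .reg export for the per-user registry values abused by the
eventvwr.exe and fodhelper.exe UAC bypasses.

Added example; not code from the Anomali briefing or the G DATA analysis.
The two watched key paths are assumed from public research on these
bypasses; the sample export below is constructed for this demo.
"""
import re

# Neither key normally exists under HKCU\Software\Classes on a clean host,
# so presence alone is worth a look; a script host in the default value is worse.
WATCHED_KEYS = {
    r"hkey_current_user\software\classes\mscfile\shell\open\command":
        "eventvwr.exe bypass (Windows 7)",
    r"hkey_current_user\software\classes\ms-settings\shell\open\command":
        "fodhelper.exe bypass (Windows 10)",
}
SCRIPT_HOSTS = re.compile(r"(wscript|cscript|powershell|cmd|mshta|rundll32)(\.exe)?", re.I)


def parse_reg(text):
    """Parse a 'Windows Registry Editor' export into {key: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            # .reg files double backslashes and escape quotes inside strings.
            data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        keys[current][name] = data
    return keys


def find_uac_bypass(text):
    """Return (key, reason, command) for every watched key present in the export."""
    findings = []
    for key, values in parse_reg(text).items():
        reason = WATCHED_KEYS.get(key.lower())
        if reason is None:
            continue
        cmd = values.get("(Default)", "")
        detail = reason
        if SCRIPT_HOSTS.search(cmd):
            detail += "; default value launches a script host"
        if "DelegateExecute" in values:
            detail += "; DelegateExecute present"
        findings.append((key, detail, cmd))
    return findings


# Constructed sample export: one harmless key and both bypass keys populated.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.txt]
@="txtfile"

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="wscript.exe C:\\Users\\demo\\AppData\\Local\\Temp\\update.js"

[HKEY_CURRENT_USER\Software\Classes\ms-settings\shell\open\command]
@="cmd.exe /c C:\\Users\\demo\\AppData\\Local\\Temp\\update.js"
"DelegateExecute"=""
"""

if __name__ == "__main__":
    for key, detail, cmd in find_uac_bypass(SAMPLE_REG):
        print(f"{key}\n  {detail}\n  command: {cmd}")
```

Feed it the output of `reg export HKCU\Software\Classes` from the host under investigation; an empty result list means neither key is present. The parser deliberately ignores `[-HKEY...]` deletion entries, since a live export never contains them.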
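The Coinhive item above explains that the abuse is not the shortlink itself, which is a legitimate (if visible) feature, but a shortlink loaded in a hidden iframe so the visitor never sees the progress bar. A page scanner can flag exactly that combination. The following is an added example written for this briefing, not code from Anomali or Malwarebytes; the shortlink host `cnhv.co` is taken from public reporting on Coinhive and is an assumption here, and the sample HTML is constructed for the demo.

```python
"""Flag hidden iframes that load a Coinhive-style mining shortlink.

Added example, not code from the Anomali briefing or the Malwarebytes
report. MINING_HOSTS is an assumed starter list (cnhv.co is the shortlink
host named in public Coinhive reporting); the HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

MINING_HOSTS = {"cnhv.co", "coinhive.com"}   # assumed; extend from your own intel
HIDING_STYLES = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """True if the iframe's attributes make it effectively invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(h in style for h in HIDING_STYLES):
        return True
    if "hidden" in attrs:            # HTML5 boolean attribute
        return True

    def tiny(value):
        try:
            return float(str(value).rstrip("px%")) <= 1
        except ValueError:
            return False

    return tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_hidden_miners(html):
    """Return the src of each hidden iframe whose host is a known mining host.

    A visible iframe to the same host is left alone: that is the shortlink
    feature used as designed, and the visitor can see the progress bar.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host in MINING_HOSTS and _is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed page: a normal embed, a hidden shortlink, and a visible shortlink.
SAMPLE_PAGE = """<html><body>
<h1>Recipes</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="https://cnhv.co/1a2b3c" width="1" height="1" style="display: none"></iframe>
<iframe src="https://cnhv.co/4d5e6f" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_hidden_miners(SAMPLE_PAGE))
```

Run it over crawled or proxied page bodies; the host list is the part you would keep current from threat intelligence, while the hiding heuristics (zero-size frames, `display:none`, the `hidden` attribute) apply to any in-browser miner delivered the same way.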
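For the "New Macro-less Technique" item, the tell is a Setting Content file whose DeepLink points at a shell or script host rather than at a Control Panel target. The scanner below is an added example written for this briefing, not code from Anomali or from the Malwarebytes write-up; the element layout it expects (PCSettings, SearchableContent, ApplicationInformation, DeepLink) and the namespace URI are assumed from public descriptions of the file type, and both sample documents are constructed.

```python
"""Classify Windows Setting Content (.SettingContent-ms) XML by its DeepLink.

Added example, not code from the Anomali briefing or Malwarebytes. The
element layout and namespace are assumed from public descriptions of the
format; the sample documents are constructed for this demo.
"""
import re
import xml.etree.ElementTree as ET

# A Control Panel shortcut has no business launching any of these.
SUSPICIOUS_BINARIES = re.compile(
    r"\b(powershell(?:\.exe)?|pwsh|cmd(?:\.exe)?|mshta|wscript|cscript|rundll32|regsvr32)\b",
    re.IGNORECASE,
)


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def deeplinks(xml_text):
    """Return every DeepLink value in a Setting Content document."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter() if _local(el.tag) == "DeepLink"]


def assess(xml_text):
    """Return (verdict, deeplink).

    'benign'     - DeepLink is an ordinary Control Panel target
    'suspicious' - DeepLink launches a shell or script host
    'malformed'  - not parseable XML, or no DeepLink element at all
    """
    try:
        links = deeplinks(xml_text)
    except ET.ParseError:
        return ("malformed", None)
    if not links:
        return ("malformed", None)
    for link in links:
        if SUSPICIOUS_BINARIES.search(link):
            return ("suspicious", link)
    return ("benign", links[0])


# Constructed samples: a normal shortcut, and the same file with a shell in DeepLink.
BENIGN = """<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>
      <HostID>{00000000-0000-0000-0000-000000000000}</HostID>
    </SettingIdentity>
    <SettingInformation>
      <Description>@shell32.dll,-4161</Description>
      <Keywords>@shell32.dll,-4161</Keywords>
    </SettingInformation>
  </SearchableContent>
</PCSettings>"""

SUSPICIOUS = BENIGN.replace(
    "<DeepLink>%windir%\\system32\\control.exe</DeepLink>",
    "<DeepLink>C:\\Windows\\System32\\cmd.exe /c calc.exe</DeepLink>",
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, "->", assess(doc))
```

Because the file is plain XML, the same check can run on a mail gateway over any attachment (or Office-embedded object) that carries the .SettingContent-ms extension, before the user ever double-clicks it.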
