
Anomali Cyber Watch: Amadey Bot Started Delivering LockBit 3.0 Ransomware, StrelaStealer Delivered by a HTML/DLL Polyglot, Spymax RAT Variant Targeted Indian Defense, and More

Anomali Threat Research
November 15, 2022
<p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: <b>APT, DDoS, Infostealers, Maldocs, Phishing, Ransomware,</b> and <b>Wipers</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.</p> <p><img src="https://cdn.filestackcontent.com/qvfTskcPQA6TUm9UpnnA"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p> <h2>Trending Cyber News and Threat Intelligence</h2> <div class="trending-threat-article"> <h3><a href="https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-malware" target="_blank">KmsdBot: The Attack and Mine Malware</a></h3> <p>(published: November 10, 2022)</p> <p>KmsdBot is a cryptominer written in Go with distributed denial-of-service (DDoS) functionality. This malware was performing DDoS attacks via either Layer 4 TCP/UDP packets or Layer 7 HTTP GET and POST requests. KmsdBot was seen performing targeted DDoS attacks against the gaming industry, luxury car manufacturers, and the technology industry. The malware spreads by scanning for open SSH ports and trying a list of weak username and password combinations.<br/> <b>Analyst Comment:</b> Network administrators should not use weak or default credentials for servers or deployed applications. 
Keep your systems up-to-date and use public key authentication for your SSH connections.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/2402530" target="_blank">[MITRE ATT&amp;CK] Network Denial of Service - T1498</a> | <a href="https://ui.threatstream.com/ttp/2402525" target="_blank">[MITRE ATT&amp;CK] Resource Hijacking - T1496</a><br/> <b>Tags:</b> detection:KmsdBot, SSH, Winx86, Arm64, mips64, x86_64, malware-type:DDoS, malware-type:Cryptominer, xmrig, Monero, Golang, target-industry:Gaming, target-industry:Car manufacturing, target-industry:Technology, Layer 4, Layer 7</p> </div> <div class="trending-threat-article"> <h3><a href="https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-campaign.html" target="_blank">Massive ois[.]is Black Hat Redirect Malware Campaign</a></h3> <p>(published: November 9, 2022)</p> <p>Since September 2022, a new WordPress malware has been redirecting website visitors via ois[.]is. To conceal itself from administrators, the redirect will not occur if the wordpress_logged_in cookie is present, or if the current page is wp-login.php. The malware infects .php files it finds – on average over 100 files infected per website. A .png image file initiates the redirect, using window.location.href to send visitors to a Google search result URL for a spam domain of the actors’ choice. Sucuri researchers estimate 15,000 affected websites that were redirecting visitors to fake Q&amp;A sites.<br/> <b>Analyst Comment:</b> WordPress site administrators should keep their systems updated and secure the wp-admin administrator panel with 2FA or other access restrictions. 
If your site was infected, perform a core file integrity check, query for any files containing the same injection, and check any recently modified or added files.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/947138" target="_blank">[MITRE ATT&amp;CK] Exploit Public-Facing Application - T1190</a><br/> <b>Tags:</b> file-type:PHP, SEO poisoning, WordPress, Google Search, Google Ads</p> </div> <div class="trending-threat-article"> <h3><a href="https://asec.ahnlab.com/en/41450/" target="_blank">LockBit 3.0 Being Distributed via Amadey Bot</a></h3> <p>(published: November 8, 2022)</p> <p>Discovered in 2018, Amadey Bot is a commodity malware that functions as an infostealer and loader. AhnLab researchers detected a new campaign where it is used to deliver the LockBit 3.0 ransomware. It is likely a part of a larger 2022 campaign delivering LockBit to South Korean users. The actors used phishing attachments with two variants of Amadey Bot delivery. For one delivery option, they used a Word document to retrieve a remote template with a malicious VBA macro. If enabled by the user, it drops a malicious LNK file that runs a PowerShell command to download and run Amadey Bot. For the second delivery option, Amadey was delivered by an attached executable masquerading as a Word file.<br/> <b>Analyst Comment:</b> The best defense against these Amadey Bot attacks is anti-phishing training. Never click on attachments from spam emails or untrusted senders. 
Macros are a common method for executing malicious code; therefore, never enable macros on suspicious documents.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a> | <a href="https://ui.threatstream.com/ttp/2402531" target="_blank">[MITRE ATT&amp;CK] Data Encrypted for Impact - T1486</a> | <a href="https://ui.threatstream.com/ttp/947235" target="_blank">[MITRE ATT&amp;CK] Obfuscated Files or Information - T1027</a> | <a href="https://ui.threatstream.com/ttp/947136" target="_blank">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a><br/> <b>Tags:</b> detection:LockBit 3.0, malware-type:Ransomware, detection:Amadey Bot, malware-type:Loader, malware-type:Infostealer, VBA macro, file-type:DOCX, file-type:LNK, PowerShell, file-type:EXE, file-type:PS1, Windows, South Korea, target-country:KR</p> </div> <div class="trending-threat-article"> <h3><a href="https://medium.com/@DCSO_CyTec/shortandmalicious-strelastealer-aims-for-mail-credentials-a4c3e78c8abc" target="_blank">#ShortAndMalicious: StrelaStealer Aims for Mail Credentials</a></h3> <p>(published: November 8, 2022)</p> <p>In November 2022, DCSO CyTec researchers detected a new malware dubbed StrelaStealer that steals email credentials from Thunderbird and Outlook. StrelaStealer infections start with an ISO file. One infection variant included a polyglot HTML file that was executed twice by the LNK file, once as a DLL and a second time as a benign HTML file. StrelaStealer’s current command-and-control (C2) IP address is hosted by the known Russian bulletproof hosting provider “Kanzas LLC.”<br/> <b>Analyst Comment:</b> Users should be cautious when opening attachments, especially with non-standard extensions such as .ISO files. 
Analysts should be on the lookout for polyglot files that can avoid detection during basic sandbox execution.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/3905348" target="_blank">[MITRE ATT&amp;CK] OS Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/3904494" target="_blank">[MITRE ATT&amp;CK] Exfiltration Over C2 Channel - T1041</a> | <a href="https://ui.threatstream.com/ttp/3906161" target="_blank">[MITRE ATT&amp;CK] Command and Scripting Interpreter - T1059</a> | <a href="https://ui.threatstream.com/ttp/3905071" target="_blank">[MITRE ATT&amp;CK] Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/3905074" target="_blank">[MITRE ATT&amp;CK] Phishing - T1566</a> | <a href="https://ui.threatstream.com/ttp/3905764" target="_blank">[MITRE ATT&amp;CK] Hijack Execution Flow - T1574</a><br/> <b>Tags:</b> detection:StrelaStealer, malware-type:Infostealer, Kansas LLC, Russia, Polyglot file, file-type:HTML, file-type:DLL, file-type:ISO, Windows, Thunderbird, Outlook</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.bleepingcomputer.com/news/security/azov-ransomware-is-a-wiper-destroying-data-666-bytes-at-a-time/" target="_blank">Azov Ransomware Is a Wiper, Destroying Data 666 Bytes at a Time</a></h3> <p>(published: November 7, 2022)</p> <p>Azov data wiper (self-named Azov Ransomware) was first detected in October 2022. It can be programmed to sit dormant on the infected machine until a certain date, after which it locks the computer and displays a ransom note directing victims to contact aliases that actually belong to security researchers and journalists. In reality, Azov does not encrypt but destroys data by overwriting files with garbage data in alternating 666-byte chunks. The wiper achieves persistence by backdooring some executable files with shellcode encoded in a polymorphic way. 
Azov is distributed through the Smokeloader botnet, often found in fake pirated software and crack sites.<br/> <b>Analyst Comment:</b> Smokeloader infection often delivers credential-stealing malware, which would be an additional concern for those with the Azov wiper infection. As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. These types of downloads should be restricted by your company, often by supplying legitimate software with dedicated development teams who continue improving and implementing new patches. Your employees should be well educated about the risks these downloads pose.<br/> <b>MITRE ATT&amp;CK:</b> <a href="https://ui.threatstream.com/ttp/2402541" target="_blank">[MITRE ATT&amp;CK] Data Destruction - T1485</a> | <a href="https://ui.threatstream.com/ttp/3904527" target="_blank">[MITRE ATT&amp;CK] Ingress Tool Transfer - T1105</a><br/> <b>Tags:</b> detection:Azov, malware-type:Wiper, Ukraine, Pirated software, detection:Smokeloader, malware-type:Loader</p> </div> <div class="trending-threat-article"> <h3><a href="https://www.cyfirma.com/outofband/unknown-nation-based-threat-actor-using-android-rat-to-target-indian-defence-personnel-2/" target="_blank">Unknown Nation-Based Threat Actor Using Android RAT to Target Indian Defence Personnel</a></h3> <p>(published: November 7, 2022)</p> <p>Cyfirma researchers detected a state-sponsored campaign targeting Indian defense personnel. Since July 2021, the group has been using social engineering in WhatsApp messenger conversations to deliver malicious APKs such as a variant of the Spymax remote access trojan. This Spymax variant masquerades as a PDF application and has highly obfuscated source code, including obfuscated class names. 
It obtains permissions to access the camera, audio, internet, Wi-Fi, and storage, and can determine the user's location.<br/> <b>Analyst Comment:</b> Targeted industries such as defense should train their personnel to recognize targeted attacks via social media. Attackers abuse trust and curiosity to overcome the hesitancy to open a file sent by a stranger.<br/> <b>Tags:</b> detection:Spymax, file-type:APK, Android, India, target-country:IN, target-industry:Defense</p> </div>
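<p>The StrelaStealer item above asks analysts to watch for polyglot files. The following triage check is an added example, not code from Anomali or DCSO CyTec: it flags a file that parses as a PE image with the DLL flag set while also carrying HTML markup or a web extension. The function names and the sample bytes are constructed for illustration.</p>

```python
import re
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics bit: image is a DLL
WEB_EXTENSIONS = {"html", "htm"}
HTML_MARKUP = re.compile(rb"<\s*(?:!doctype\s+html|html|body|script)\b", re.I)


def parse_pe(data: bytes):
    """Return COFF facts if data begins with a well-formed PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, sections, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)                   # 20-byte COFF header
    return {"machine": machine, "sections": sections,
            "is_dll": bool(characteristics & IMAGE_FILE_DLL)}


def classify(name: str, data: bytes) -> str:
    """Label a file by what its bytes are, not by what its name claims."""
    pe = parse_pe(data)
    has_html = HTML_MARKUP.search(data) is not None
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if pe and has_html:
        # HTML strings also occur in resources of legitimate binaries, so
        # treat this as a lead; a web extension on top raises confidence.
        return "polyglot:%s+HTML" % ("DLL" if pe["is_dll"] else "EXE")
    if pe and ext in WEB_EXTENSIONS:
        return "mismatch:PE-with-web-extension"
    if pe:
        return "pe"
    return "html" if has_html else "other"


def build_constructed_samples() -> dict:
    """Constructed, inert inputs: header bytes only, no loadable code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)
    header = bytes(dos) + b"PE\0\0" + coff
    page = b"<html><body>constructed decoy page</body></html>"
    return {"header": header, "polyglot": header + b"\0" * 64 + page,
            "page": b"<!DOCTYPE html>" + page}


if __name__ == "__main__":
    s = build_constructed_samples()
    for name, key in [("sample.html", "polyglot"), ("page.html", "page"),
                      ("lib.dll", "header"), ("renamed.html", "header")]:
        print(name, "->", classify(name, s[key]))
```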
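<p>The three clean-up steps in the ois[.]is item above (core file integrity check, search for the same injection, review of recently modified or added files) can be run in one pass. This is an added example, not code from Anomali or Sucuri; it assumes you hold a manifest of known-good SHA-256 hashes for the installed release and a byte string taken from the injection found on your own site. The marker and the demo site below are constructed.</p>

```python
import hashlib
import os
import tempfile
import time


def triage(root, baseline, signature, since_days, now=None):
    """Walk a site tree and report the three checks from the analyst comment.

    baseline  : {relative path: sha256 hex} of known-good core files (assumed input)
    signature : bytes copied from the injection found on this site (assumed input)
    """
    now = time.time() if now is None else now
    cutoff = now - since_days * 86400
    report = {"changed": [], "unexpected": [], "signature_hits": [], "recent": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if rel in baseline:
                # 1. integrity: a core file whose hash drifted from the manifest
                if hashlib.sha256(data).hexdigest() != baseline[rel]:
                    report["changed"].append(rel)
            elif rel.endswith(".php"):
                # PHP that the manifest does not know about (added file)
                report["unexpected"].append(rel)
            # 2. same injection anywhere, whatever the file type
            if signature in data:
                report["signature_hits"].append(rel)
            # 3. recently modified or added
            if os.path.getmtime(path) >= cutoff:
                report["recent"].append(rel)
    return {key: sorted(value) for key, value in report.items()}


def demo():
    """Build a constructed three-file site in a temp dir and triage it."""
    marker = b"/* CONSTRUCTED-INJECTION-MARKER */"
    clean = {"index.php": b"<?php // front controller\n",
             "wp-load.php": b"<?php // loader\n"}
    baseline = {rel: hashlib.sha256(body).hexdigest() for rel, body in clean.items()}
    site = {"index.php": clean["index.php"],                    # untouched
            "wp-load.php": marker + clean["wp-load.php"],        # tampered core file
            "wp-content/uploads/cache.php": b"<?php " + marker}  # added file
    with tempfile.TemporaryDirectory() as root:
        now = time.time()
        for rel, body in site.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        old = now - 90 * 86400                                   # 90 days ago
        os.utime(os.path.join(root, "index.php"), (old, old))
        return triage(root, baseline, marker, since_days=7, now=now)


if __name__ == "__main__":
    for check, paths in demo().items():
        print(check, paths)
```

<p>Run it against a copy of the web root taken offline, since modification times can be changed by whoever controls the files; the hash comparison is the check to trust.</p>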
