
Anomali Cyber Watch: Colonial-Like Attack on Critical Infrastructure, New Rhysida Ransomware Resembles Vice Society, and More

Anomali Threat Research
August 15, 2023
<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> Adware, APT, Data breach, Ransomware, Spearphishing, </b>and<b> Vulnerabilities</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img src="https://cdn.filestackcontent.com/51aTZnLQDShYS8IL8vfD"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://securelist.com/focus-on-droxidat-systembc/110302/" target="_blank">Unknown Actor Targets Power Generator with DroxiDat and Cobalt Strike</a></h3> <p>(published: August 10, 2023)</p> <p> An unknown actor has targeted an electric utility in southern Africa with Cobalt Strike beacons and a new variant of the SystemBC payload known as DroxiDat. This incident occurred as part of a series of attacks involving DroxiDat and Cobalt Strike beacons worldwide. DroxiDat, a compact variant of SystemBC, was used as a system profiler and simple SOCKS5-capable bot in the attack. The attackers employed an energy-related domain "powersupportplan[.]com" for their C2 infrastructure. While this incident exhibits similarities with the Darkside Colonial Pipeline attack (a SystemBC variant being deployed to a critical infrastructure target), no definitive attribution has been established, and ransomware was not delivered in this case.<br/> <b>Analyst Comment:</b> The use of DroxiDat and Cobalt Strike beacons in targeting critical infrastructure underscores the evolving threat landscape. 
Organizations in the energy sector should enhance their security measures, conduct regular threat assessments, and consider defense-in-depth strategies. The increasing targeting of utilities highlights the potential for widespread consequences in case of network outages. Indicators related to the Cobalt Strike malware are available on the Anomali platform. <br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9808" target="_blank">[MITRE ATT&amp;CK] T1003.001 - OS Credential Dumping: Lsass Memory</a> | <a href="https://ui.threatstream.com/attackpattern/9684" target="_blank">[MITRE ATT&amp;CK] T1003.002 - OS Credential Dumping: Security Account Manager</a> | <a href="https://ui.threatstream.com/attackpattern/9765" target="_blank">[MITRE ATT&amp;CK] T1027.004 - Obfuscated Files or Information: Compile After Delivery</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/10116" target="_blank">[MITRE ATT&amp;CK] T1574.004 - Hijack Execution Flow: Dylib Hijacking</a><br/> <b>Tags:</b> malware:DroxiDat, malware:SystemBC, malware:Cobalt Strike, technique:Ransomware, target-industry:Energy, target-system:Critical Infrastructure, mitre-technique:T1003.001, mitre-technique:T1003.002, mitre-technique:T1027.004, mitre-technique:T1036.005, mitre-technique:T1059.001, mitre-technique:T1105.002, mitre-technique:T1574.004 </p> <h3 id="article-2"><a href="https://www.proofpoint.com/uk/blog/email-and-cloud-threats/cloud-account-takeover-campaign-leveraging-evilproxy-targets-top-level" target="_blank">Rising Threat of Cloud Account 
Takeover Incidents</a></h3> <p>(published: August 9, 2023)</p> <p> Over the last six months, Proofpoint researchers have noted a significant surge of more than 100% in successful cloud account takeover incidents affecting high-level executives at prominent companies. This threat has impacted over 100 organizations worldwide, comprising a total of 1.5 million employees. The attackers employed EvilProxy, a phishing tool based on reverse proxy architecture, to bypass multifactor authentication (MFA) and steal credentials and session cookies. This emerging threat combines Adversary-in-the-Middle (AitM) phishing with advanced account takeover methods, aimed at countering the increased adoption of MFA by organizations. Surprisingly, account takeovers have increased even among entities using MFA, with at least 35% of compromised users over the past year having MFA enabled.<br/> <b>Analyst Comment:</b> The evolving landscape of cybersecurity presents new challenges. Despite the growth of MFA adoption, threats persist. The case of EvilProxy sheds light on the dangers of underestimating evolving attack methods. Implementing auto-remediation further reduces the window of opportunity for attackers, while web security measures, such as isolating dubious sessions originating from email links, add another layer of protection. Moreover, educating Microsoft 365 users on potential risks reinforces the human firewall. 
As a supplementary measure, adopting FIDO-based physical security keys can further fortify security.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a> | <a href="https://ui.threatstream.com/attackpattern/9981" target="_blank">[MITRE ATT&amp;CK] T1114.002 - Email Collection: Remote Email Collection</a> | <a href="https://ui.threatstream.com/attackpattern/10050" target="_blank">[MITRE ATT&amp;CK] T1584.002 - Compromise Infrastructure: Dns Server</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9913" target="_blank">[MITRE ATT&amp;CK] T1568.002 - Dynamic Resolution: Domain Generation Algorithms</a> | <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&amp;CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9929" target="_blank">[MITRE ATT&amp;CK] T1003.003 - OS Credential Dumping: Ntds</a> | <a href="https://ui.threatstream.com/attackpattern/9976" target="_blank">[MITRE ATT&amp;CK] T1136.003 - Create Account: Cloud Account</a><br/> <b>Tags:</b> malware:EvilProxy, technique:Phishing, technique:MFA Bypass, tool:Phishing Kits, technique:Geofencing, target-profile:VIP Targets, technique:Account Takeover, mitre-technique:T1566.001, mitre-technique:T1566.002, mitre-technique:T1114.002, mitre-technique:T1584.002, mitre-technique:T1027, mitre-technique:T1071.001, mitre-technique:T1568.002, mitre-technique:T1015, mitre-technique:T1078, 
mitre-technique:T1003.003, mitre-technique:T1136.003 </p> <h3 id="article-3"><a href="https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/" target="_blank">The Rhysida Ransomware: Activity, Analysis and Ties to Vice Society</a></h3> <p>(published: August 8, 2023)</p> <p> Check Point Research (CPR) have released their analysis of the tactics, techniques and procedures (TTPs) of the Rhysida ransomware group. Within their analysis, they describe many similarities to another ransomware group, Vice Society, indicating a possible connection. The rise in Rhysida activity (May 2023) coincides with a decline in Vice Society activity; the latter have not posted to their leak site since July 2023. Rhysida’s two main identifiable target industries are the Education sector (32%) and Healthcare (12%). Vice Society is also notorious for targeting the Education sector (36%), notably with their attack on the Los Angeles Unified School District in September 2022. Whilst CPR cover the TTPs of Rhysida extensively, a few are shared with Vice Society: the same names for the local firewall rules they create, the same path used for NTDS.dit backup creation, a domain-wide password change before the ransomware payload is deployed, and shared use of the commodity tool PortStarter, which is attributed to Vice Society.<br/> <b>Analyst Comment:</b> Security teams should monitor for indications of TTPs of known threats to ensure early detection of malicious behavior. 
Additionally, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9605" target="_blank">[MITRE ATT&amp;CK] T1021.001 - Remote Services: Remote Desktop Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9682" target="_blank">[MITRE ATT&amp;CK] T1021.006 - Remote Services: Windows Remote Management</a> | <a href="https://ui.threatstream.com/attackpattern/9648" target="_blank">[MITRE ATT&amp;CK] T1570 - Lateral Tool Transfer</a> | <a href="https://ui.threatstream.com/attackpattern/9929" target="_blank">[MITRE ATT&amp;CK] T1003.003 - OS Credential Dumping: Ntds</a> | <a href="https://ui.threatstream.com/attackpattern/9812" target="_blank">[MITRE ATT&amp;CK] T1219 - Remote Access Software</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/3710" target="_blank">[MITRE ATT&amp;CK] T1112: Modify Registry</a> | <a href="https://ui.threatstream.com/attackpattern/9882" target="_blank">[MITRE ATT&amp;CK] T1070.003 - Indicator Removal on Host: Clear Command History</a> | <a href="https://ui.threatstream.com/attackpattern/9839" target="_blank">[MITRE ATT&amp;CK] T1531 - Account Access Removal</a> | <a href="https://ui.threatstream.com/attackpattern/3720" target="_blank">[MITRE ATT&amp;CK] T1490: Inhibit System Recovery</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a><br/> <b>Tags:</b> mitre-technique:T1021.001, mitre-technique:T1021.006, mitre-technique:T1570, mitre-technique:T1003.003, mitre-technique:T1219, mitre-technique:T1070.004, mitre-technique:T1112, mitre-technique:T1070.003, mitre-technique:T1531, mitre-technique:T1490, 
mitre-technique:T1486, actor:Vice Society, malware:Rhysida, malware-type:Ransomware </p> <h3 id="article-4"><a href="https://www.electoralcommission.org.uk/privacy-policy/public-notification-cyber-attack-electoral-commission-systems" target="_blank">Public Notification of Cyber-Attack on Electoral Commission Systems</a></h3> <p>(published: August 8, 2023)</p> <p> A breach of UK civilian voter data was revealed by the UK Electoral Commission on the 8th of August 2023. Whilst details of the attack are currently unknown, the Commission states that it became aware of an incident in October 2022; the subsequent investigation revealed that a threat actor had first accessed its systems in August 2021. The threat actors accessed reference copies of the voting register and the Commission’s email system, containing names, addresses, email addresses, phone numbers, dates of registration and any pictures sent to the Commission. This includes overseas voters but not anonymous voters.<br/> <b>Analyst Comment:</b> Users should take care what information they make publicly available online. Whilst most of the breached data was already within the public domain, threat actors can combine it with data from social media to build profiles and craft spearphishing lures. More significant in this incident is the timeline, which suggests: (1) a sustained period of persistence and access that evaded detection; and (2) a prolonged period after detection to identify the extent of the compromise and eject the actor from the systems and infrastructure involved. 
Defending teams should consider segmenting their attack surface so that an intrusion is contained, and cycling access credentials and sessions to disrupt persistence, reassessing all granted access after each cycle.<br/> <b>Tags:</b> target-country:UK, target-region:Europe, theme:data_breach, target-industry:Government </p> <h3 id="article-5"><a href="https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat" target="_blank">Statc Stealer: A New Menace to Windows Users</a></h3> <p>(published: August 8, 2023)</p> <p> Researchers at Zscaler have identified a new, sophisticated malware named Statc Stealer targeting Windows devices. Disguised as an authentic Google advertisement, this malware tricks users into executing its malicious code. Once active, it steals a wide range of sensitive data, from web browser credentials and cookies to cryptocurrency wallet details. Written in C++, Statc Stealer uses advanced evasion techniques, such as evading sandbox detection, to inhibit reverse engineering. It initiates its attack through an initial dropper that releases a decoy PDF and a binary downloader, which then uses a PowerShell script to download the main payload. The stolen data is encrypted and discreetly sent to a C2 server over HTTPS. This malware poses significant risks to individuals, exposing them to identity theft and other cybercrimes, while businesses face potential financial and reputational damage.<br/> <b>Analyst Comment:</b> In light of the emerging threat from Statc Stealer, it is paramount for both individuals and businesses to adopt a proactive stance to safeguard their digital assets. Firstly, exercise utmost caution with online advertisements; even if they appear legitimate, refrain from clicking without verifying the source. Regularly update and patch your operating system and software to fix vulnerabilities that malware often exploits. 
Implement multi-factor authentication (MFA) wherever possible, especially for critical accounts, as this provides an additional layer of security. Organizations should review their corporate, BYOD and third-party endpoint security policies given the ongoing rise of info-stealers. Information and threat reports about the Statc Stealer malware are available on the Anomali Platform. <br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9588" target="_blank">[MITRE ATT&amp;CK] T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9703" target="_blank">[MITRE ATT&amp;CK] T1217 - Browser Bookmark Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/14432" target="_blank">[MITRE ATT&amp;CK] picus-security: The Most Used ATT&amp;CK Technique — T1059 Command and Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9621" target="_blank">[MITRE ATT&amp;CK] T1132 - Data Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9624" target="_blank">[MITRE ATT&amp;CK] T1001 - Data Obfuscation</a> | <a href="https://ui.threatstream.com/attackpattern/3716" target="_blank">[MITRE ATT&amp;CK] T1189: Drive-by Compromise</a><br/> <b>Tags:</b> malware:Statc Stealer, malware-type:Information Stealer, abused:PowerShell, abused:HTTPS, file-type:PDF, file-type:Binary, target-system:Windows, technique:Decoy Document, technique:Evasion, technique:Data Encryption, technique:Command-and-Control, mitre-technique:T1547, mitre-technique:T1217, mitre-technique:T1059, mitre-technique:T1555, mitre-technique:T1132, mitre-technique:T1005, mitre-technique:T1001, mitre-technique:T1189 </p> <h3 
id="article-6"><a href="https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html" target="_blank">Latest Batloader Campaigns Use Pyarmor Pro for Evasion</a></h3> <p>(published: August 7, 2023)</p> <p> Trend Micro researchers have documented a new evasion technique for the Batloader malware. Since June 2023, Batloader has employed the Pyarmor Pro command-line tool to obfuscate its Python code and thereby hinder analysis of its execution. This is an upgrade: since December 2022, Batloader had been using the free version of Pyarmor. Batloader typically arrives as an MSI file that, when executed, starts the infection chain. Privileges are escalated before arp.exe is used to map the network, and C2 communication is then established. The second-stage malware, commonly Redline Stealer, Ursnif or Vidar Ransomware, is downloaded from the C2 server.<br/> <b>Analyst Comment:</b> Only run executables that are trustworthy. Network defenders should monitor for scanning/mapping activity and other signs of early compromise. 
Additionally, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9725" target="_blank">[MITRE ATT&amp;CK] T1548 - Abuse Elevation Control Mechanism</a> | <a href="https://ui.threatstream.com/attackpattern/10178" target="_blank">[MITRE ATT&amp;CK] T1590.004 - Gather Victim Network Information: Network Topology</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a><br/> <b>Tags:</b> malware:Batloader, malware:Redline Stealer, malware:Ursnif, malware:Vidar, malware-type:Ransomware, mitre-technique:T1105, mitre-technique:T1497, mitre-technique:T1027, mitre-technique:T1548, mitre-technique:T1590.004, mitre-technique:T1486 </p> <h3 id="article-7"><a href="https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/" target="_blank">Emerging Yashma Ransomware Variant: A Blend of WannaCry Imitation and Stealthy Execution Tactics</a></h3> <p>(published: August 7, 2023)</p> <p> Cisco Talos recently unearthed a ransomware campaign led by an unidentified threat actor, likely of Vietnamese origin. This campaign employs a Yashma ransomware variant, distinctively tailored to resemble the well-known WannaCry ransomware. 
Initiated around June 4, 2023, the attacks primarily target countries including Bulgaria, China and Vietnam, as well as various English-speaking regions, as evidenced by ransom notes available in multiple languages and hosted in the actor's GitHub repository "nguyenvietphat." Unlike typical ransomware, this variant does not embed its ransom notes within the binary; they are downloaded via a unique embedded batch file, which evades conventional detection techniques. While retaining most of Yashma’s original features, including its potent anti-recovery capability, the variant introduces a novel mechanism to deliver the ransom note and exhibits enhanced persistence tactics on infected machines.<br/> <b>Analyst Comment:</b> To counteract the Yashma ransomware threat, it is imperative to adopt a multifaceted approach. Begin by ensuring regular backups of critical data in a secure, offline environment. Leverage robust endpoint security solutions. Regularly update all systems and software to patch any vulnerabilities, and prioritize educating staff about the risks of unfamiliar links and attachments.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9776" target="_blank">[MITRE ATT&amp;CK] T1564 - Hide Artifacts</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&amp;CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9982" target="_blank">[MITRE ATT&amp;CK] T1485 - Data Destruction</a><br/> <b>Tags:</b> malware:Yashma, malware-type:Ransomware, 
abused:Batch File, file-type:Binary, file-type:.Net Executable, target-system:Windows, technique:Evasion, technique:Endpoint Detection Bypass, technique:Anti-Recovery, technique:Command-and-Control, mitre-technique:T1486, mitre-technique:T1564, mitre-technique:T1193, mitre-technique:T1105, mitre-technique:T1055, mitre-technique:T1060, mitre-technique:T1027, mitre-technique:T1485 </p> <h3 id="article-8"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/invisible-adware-unveiling-ad-fraud-targeting-android-users/" target="_blank">Invisible Adware: Unveiling Ad Fraud Targeting Android Users</a></h3> <p>(published: August 4, 2023)</p> <p> McAfee researchers have discovered numerous instances of ad fraud involving mobile applications that hide the ads they run from the user (invisible adware). The apps were available on the Google Play store but have since been either removed or updated by their developers. To avoid detection by users, the ads only run after the screen is turned off, hence the term invisible. Additional evasion comes from a latency period: ads are not shown until a set time after installation, which can be up to a few weeks, making analysis of the adware more difficult. Invisible adware apps require the user to grant the “power saving” and “draw over other apps” permissions in order to function.<br/> <b>Analyst Comment:</b> In addition to being illegal, invisible adware drains battery life, consumes mobile data and can potentially leak data and interfere with user profiling. Only install apps from trusted marketplaces, and look at user comments and reviews before installation. Always grant the minimum permissions necessary for an app to function. 
Unprompted requests for permissions, or applications requesting permissions they do not need, should be treated with distrust.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10000" target="_blank">[MITRE ATT&amp;CK] T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a><br/> <b>Tags:</b> malware-type:Adware, abused:Google Play, Mobile, Invisible Adware, mitre-technique:T1497.003 </p> </div> </p></div>
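The introduction notes that the IOCs attached to this report can be checked against your logs, and the DroxiDat story gives its C2 domain in defanged form. The following is an added example, not code from the Anomali post or from the Kaspersky report it summarizes: it refangs indicators written the way threat reports write them and matches them against DNS and proxy log lines, catching subdomains of a listed domain while not firing on look-alike names such as notpowersupportplan.com. The only indicator taken from the page is powersupportplan[.]com; the other two indicators and all of the log lines are constructed.

```python
"""Match defanged network IOCs against DNS/proxy log lines.

Added example (not part of the Anomali post). Indicators are taken in the
defanged form used in threat reports, refanged, and compared with every
host name or IPv4 address found in each log line.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators. The domain comes from the DroxiDat story; the URL
# and the IP address are constructed placeholders for demonstration only.
DEFANGED_IOCS = [
    "powersupportplan[.]com",
    "hxxp://c2-placeholder[.]example/beacon",
    "203[.]0[.]113[.]7",
]

def refang(ioc: str) -> str:
    """Undo common defanging: [.] or (.) -> . and hxxp(s) -> http(s)."""
    ioc = ioc.strip().lower()
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    ioc = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), ioc)
    return ioc

def extract_host(ioc: str) -> str:
    """Reduce a URL, host or IP indicator to the host part used for matching."""
    if "://" in ioc:
        return urlsplit(ioc).hostname or ""
    return ioc.split("/")[0]

def host_matches(host: str, ioc_host: str) -> bool:
    """True when host equals the IOC host or is a subdomain of it.
    The leading dot prevents 'notpowersupportplan.com' from matching."""
    host = host.lower().rstrip(".")
    return host == ioc_host or host.endswith("." + ioc_host)

# Candidate host names (dotted labels ending in a TLD) or dotted-quad IPs.
HOST_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})\b", re.I)

def scan_logs(lines, defanged_iocs=DEFANGED_IOCS):
    """Return (line_number, matched_host, ioc_host) for every hit."""
    ioc_hosts = [extract_host(refang(i)) for i in defanged_iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        for candidate in HOST_RE.findall(line):
            for ioc in ioc_hosts:
                if host_matches(candidate, ioc):
                    hits.append((n, candidate.lower(), ioc))
    return hits

# Constructed sample log lines (DNS and proxy style), not real telemetry.
SAMPLE_LOGS = [
    "2023-08-10T09:12:01Z dns client=10.0.5.21 query=update.powersupportplan.com A",
    "2023-08-10T09:12:02Z proxy src=10.0.5.21 dst=203.0.113.7:443 GET /beacon",
    "2023-08-10T09:13:15Z dns client=10.0.5.22 query=www.example.org A",
    "2023-08-10T09:14:40Z dns client=10.0.5.23 query=notpowersupportplan.com A",
]

if __name__ == "__main__":
    for n, host, ioc in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {host} matches IOC {ioc}")
```

Run against real logs, feed `scan_logs` the lines of your DNS or proxy export and the IOC list exported from the platform; the subdomain rule is what turns a single listed apex domain into coverage for whatever hostnames the operator actually used under it.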
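Added example for the EvilProxy story above; it is not code from Proofpoint or Anomali. It shows, from the relying party's side, why the analyst comment recommends FIDO-based keys against reverse-proxy (AitM) phishing: a WebAuthn assertion signs clientDataJSON, which the browser stamps with the origin of the page that invoked the API, so an assertion collected on a lookalike proxy origin fails the relying party's origin check even though the challenge was relayed intact, while a relayed one-time code carries no such binding. The origins are constructed placeholders, and the authenticator's signature is simulated with HMAC over a shared secret in place of a credential key pair; the verification order is the one the WebAuthn specification prescribes.

```python
"""Why a reverse-proxy (AitM) phishing page cannot replay a WebAuthn login.

Added example, not from the Proofpoint report or the Anomali post. Models the
relying party (RP) checks on a WebAuthn assertion: type, challenge, origin,
signature. Signatures are simulated with HMAC; origins are constructed.
"""
import base64
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example.com"               # genuine site (constructed)
PROXY_ORIGIN = "https://login.example.com.evil.test"  # AitM lookalike (constructed)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def new_challenge() -> str:
    """The RP issues a fresh random challenge for every login attempt."""
    return b64url(os.urandom(32))

def browser_assert(page_origin: str, challenge: str, key: bytes):
    """Simulate navigator.credentials.get(): the browser, not the page, fills
    in the origin of the document that invoked the API. Returns
    (clientDataJSON bytes, signature)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": challenge,
        "origin": page_origin,
    }, separators=(",", ":")).encode()
    # The authenticator signs sha256(clientDataJSON); HMAC stands in for the key pair.
    sig = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig

def rp_verify(client_data: bytes, sig: bytes, expected_challenge: str, key: bytes):
    """RP-side verification. Returns (accepted, reason)."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replayed or stale)"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')}"
    expected = hmac.new(key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

def login_attempt(page_origin: str, key: bytes):
    """One full exchange. With a proxy in the middle the challenge is relayed
    untouched, but the origin the browser records is the proxy's own."""
    challenge = new_challenge()
    client_data, sig = browser_assert(page_origin, challenge, key)
    return rp_verify(client_data, sig, challenge, key)

def otp_login_attempt(page_origin: str, otp_code: str, expected_code: str) -> bool:
    """Contrast: a one-time code carries no origin, so a code typed into the
    proxy's page verifies just as well once the proxy relays it to the RP."""
    del page_origin  # nothing in the code is bound to where it was typed
    return hmac.compare_digest(otp_code, expected_code)

def demo():
    key = os.urandom(32)  # stands in for the credential's key pair
    return {
        "webauthn_direct": login_attempt(RP_ORIGIN, key),
        "webauthn_via_proxy": login_attempt(PROXY_ORIGIN, key),
        "otp_via_proxy": (otp_login_attempt(PROXY_ORIGIN, "123456", "123456"), "relayed"),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} accepted={ok} ({why})")
```

The check that does the work is the origin comparison; it is why the analyst comment can recommend FIDO keys as a mitigation for a kit whose whole purpose is to sit between the user and the genuine login page.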
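Added example for the Rhysida/Vice Society and Batloader stories above; it is not code from Check Point, Trend Micro or Anomali. It runs a few behavioural detections of the kind the analyst comments ask for over constructed Windows Security event records: an NTDS.dit backup via ntdsutil, creation of a local firewall rule, arp.exe network mapping, and a burst of password resets by one account (the domain-wide password change that precedes payload deployment). Event IDs 4688 (process creation) and 4724 (password reset attempt) are real Windows Security log IDs and the ATT&CK IDs are real; the JSON field layout, the thresholds and every record are assumptions to be tuned per environment.

```python
"""Behavioural detections for TTPs in the Rhysida/Vice Society and Batloader
stories, run over constructed Windows Security event records.

Added example; not code from Check Point, Trend Micro or Anomali. The event
IDs are real; the JSON export format, thresholds and records are assumed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Process-creation rules: (name, image suffix, substrings that must all
# appear in the command line, ATT&CK technique).
PROCESS_RULES = [
    ("ntds_dit_backup", "ntdsutil.exe", ["ntds", "ifm"], "T1003.003"),
    ("firewall_rule_added", "netsh.exe", ["advfirewall", "add rule"], "T1562.004"),
    ("arp_network_mapping", "arp.exe", ["-a"], "T1016"),
]
RESET_THRESHOLD = 5                   # distinct accounts reset by one subject ...
RESET_WINDOW = timedelta(minutes=10)  # ... within this window (assumed values)

def parse(lines):
    """Parse JSON-lines events and attach a timezone-aware datetime."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def detect_process_rules(events):
    """Match 4688 process-creation events against PROCESS_RULES."""
    alerts = []
    for ev in events:
        if ev.get("event_id") != 4688:
            continue
        image = ev.get("image", "").lower()
        cmd = ev.get("command_line", "").lower()
        for name, suffix, needles, technique in PROCESS_RULES:
            if image.endswith(suffix) and all(n in cmd for n in needles):
                alerts.append((name, technique, ev["host"], ev["time"]))
    return alerts

def detect_password_reset_burst(events):
    """Flag a subject that resets RESET_THRESHOLD or more distinct accounts
    within RESET_WINDOW (mass password change ahead of ransomware deployment)."""
    resets = defaultdict(list)  # subject -> [(ts, target account)]
    for ev in events:
        if ev.get("event_id") == 4724:
            resets[ev["subject"]].append((ev["ts"], ev["target"]))
    alerts = []
    for subject, items in resets.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            targets = {t for ts, t in items[i:] if ts - start <= RESET_WINDOW}
            if len(targets) >= RESET_THRESHOLD:
                alerts.append(("password_reset_burst", "T1531", subject, len(targets)))
                break
    return alerts

def run(lines):
    events = parse(lines)
    return detect_process_rules(events) + detect_password_reset_burst(events)

# Constructed sample records (simplified JSON export of Security events).
SAMPLE_EVENTS = [
    {"time": "2023-08-08T01:00:00Z", "event_id": 4688, "host": "DC01",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": r'ntdsutil "activate instance ntds" ifm "create full C:\Windows\Temp\dump" quit quit'},
    {"time": "2023-08-08T01:02:00Z", "event_id": 4688, "host": "WS07",
     "image": r"C:\Windows\System32\netsh.exe",
     "command_line": "netsh advfirewall firewall add rule name=placeholder dir=in action=allow"},
    {"time": "2023-08-08T01:03:00Z", "event_id": 4688, "host": "WS07",
     "image": r"C:\Windows\System32\arp.exe", "command_line": "arp -a"},
    {"time": "2023-08-08T01:04:00Z", "event_id": 4688, "host": "WS07",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]
# Six resets of distinct accounts by one subject within six minutes ...
SAMPLE_EVENTS += [
    {"time": f"2023-08-08T01:1{i}:00Z", "event_id": 4724, "host": "DC01",
     "subject": "CORP\\svc_backup", "target": f"CORP\\user{i}"} for i in range(6)
]
# ... and one isolated helpdesk reset that must not alert.
SAMPLE_EVENTS.append({"time": "2023-08-08T03:00:00Z", "event_id": 4724, "host": "DC01",
                      "subject": "CORP\\helpdesk1", "target": "CORP\\user42"})
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert)
```

The process rules are deliberately narrow string matches so they stay readable; in production they belong in your SIEM's rule language, and the reset-burst threshold should be set above whatever your helpdesk legitimately does in ten minutes.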
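Added example for the invisible adware story above; not code from McAfee or Anomali. It parses a constructed AndroidManifest.xml and flags apps that request both permissions the story names: SYSTEM_ALERT_WINDOW ("draw over other apps") and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (the "power saving" exemption). The permission identifiers are real Android ones; the package names and manifests are constructed, and the result is a triage signal rather than a verdict, since a legitimate app can need both.

```python
"""Triage check for the permission pair the invisible adware story describes.

Added example, not from McAfee or Anomali. Parses an AndroidManifest.xml and
reports apps that request both permissions. Manifests here are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SUSPECT_PAIR = {
    "android.permission.SYSTEM_ALERT_WINDOW",                 # draw over other apps
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",  # "power saving" exemption
}

def requested_permissions(manifest_xml: str):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr, "") for el in root.iter("uses-permission")}

def triage(manifest_xml: str) -> dict:
    """Flag a manifest only when the full suspect pair is requested."""
    root = ET.fromstring(manifest_xml)
    found = SUSPECT_PAIR & requested_permissions(manifest_xml)
    return {
        "package": root.get("package", ""),
        "suspect_permissions": sorted(found),
        "flag": found == SUSPECT_PAIR,
    }

# Constructed manifests: an adware-like flashlight app and a benign notes app.
ADWARE_LIKE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Flashlight"/>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (ADWARE_LIKE, BENIGN):
        print(triage(m))
```

The same check can be run across an MDM export of installed packages to find which BYOD devices carry apps that asked for both permissions; the analyst comment's advice to grant the minimum permissions is what makes the pair stand out when an app's stated purpose does not need either.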
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.

mitre-technique:T1486, actor:Vice Society, malware:Rhysida, malware-type:Ransomware </p> <h3 id="article-4"><a href="https://www.electoralcommission.org.uk/privacy-policy/public-notification-cyber-attack-electoral-commission-systems" target="_blank">Public Notification of Cyber-Attack on Electoral Commission Systems</a></h3> <p>(published: August 8, 2023)</p> <p> A breach of UK civilian voter data was revealed by the UK Electoral Commission on the 8th of August 2023. Whilst details of the attack are currently unknown, the Commission states that it became aware of an incident during October 2022, and that the investigation revealed a threat actor had first accessed its systems during August 2021. The threat actors accessed reference copies of the voting register and the Commission’s email system, containing names, addresses, email addresses, phone numbers, dates of registration and any pictures sent to the Commission. This includes overseas voters but not anonymous voters.<br/> <b>Analyst Comment:</b> Users should take care what information they make publicly available online. Whilst most of the breached data was already in the public domain, threat actors can combine it with data from social media to build profiles and create spearphishing lures. More significant in this incident is the timeline, which suggests: (1) a sustained period of persistence and access that evaded detection; and (2) a prolonged period after detection was needed to identify the extent of the compromise and eject the actor from the systems and infrastructure involved. 
Defending teams should consider tactics and strategies that segment their attack surface to contain an intrusion, and that cycle access/sessions to disrupt persistence, reassessing all granted access after each cycle.<br/> <b>Tags:</b> target-country:UK, target-region:Europe, theme:data_breach, target-industry:Government </p> <h3 id="article-5"><a href="https://www.zscaler.com/blogs/security-research/statc-stealer-decoding-elusive-malware-threat" target="_blank">Statc Stealer: A New Menace to Windows Users</a></h3> <p>(published: August 8, 2023)</p> <p> Researchers at Zscaler have identified a new, sophisticated malware named Statc Stealer targeting Windows devices. Disguised as an authentic Google advertisement, this malware tricks users into executing its malicious code. Once active, it steals a wide range of sensitive data, from web browser credentials and cookies to cryptocurrency wallet details. Crafted in C++, Statc Stealer uses advanced evasion techniques, such as detecting sandboxes, to inhibit reverse engineering. It initiates its attack through an initial dropper that releases a decoy PDF and a binary downloader, subsequently employing a PowerShell script to download the main payload. The stolen data is encrypted and discreetly sent to a C2 server over HTTPS. This malware poses significant risks to individuals, exposing them to identity theft and other cybercrimes, while businesses face potential financial and reputational damage.<br/> <b>Analyst Comment:</b> In light of the emerging threat from Statc Stealer, it is paramount for both individuals and businesses to adopt a proactive stance to safeguard their digital assets. Firstly, exercise utmost caution with online advertisements; even if they appear to be legitimate, refrain from clicking without verifying the source. Regularly update and patch your operating system and software to fix vulnerabilities that malware often exploits. 
Implement multi-factor authentication (MFA) wherever possible, especially for critical accounts, as this provides an additional layer of security. Organizations should review their corporate, BYOD and third-party endpoint security policies in light of the ongoing rise of info-stealers. Information and threat reports about the Statc Stealer malware are available on the Anomali Platform. <br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9588" target="_blank">[MITRE ATT&amp;CK] T1547 - Boot Or Logon Autostart Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9703" target="_blank">[MITRE ATT&amp;CK] T1217 - Browser Bookmark Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/14432" target="_blank">[MITRE ATT&amp;CK] picus-security: The Most Used ATT&amp;CK Technique — T1059 Command and Scripting Interpreter</a> | <a href="https://ui.threatstream.com/attackpattern/9599" target="_blank">[MITRE ATT&amp;CK] T1555 - Credentials From Password Stores</a> | <a href="https://ui.threatstream.com/attackpattern/9621" target="_blank">[MITRE ATT&amp;CK] T1132 - Data Encoding</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9624" target="_blank">[MITRE ATT&amp;CK] T1001 - Data Obfuscation</a> | <a href="https://ui.threatstream.com/attackpattern/3716" target="_blank">[MITRE ATT&amp;CK] T1189: Drive-by Compromise</a><br/> <b>Tags:</b> malware:Statc Stealer, malware-type:Information Stealer, abused:PowerShell, abused:HTTPS, file-type:PDF, file-type:Binary, target-system:Windows, technique:Decoy Document, technique:Evasion, technique:Data Encryption, technique:Command-and-Control, mitre-technique:T1547, mitre-technique:T1217, mitre-technique:T1059, mitre-technique:T1555, mitre-technique:T1132, mitre-technique:T1005, mitre-technique:T1001, mitre-technique:T1189, target-system:Windows </p>
<h3 id="article-6"><a href="https://www.trendmicro.com/en_us/research/23/h/batloader-campaigns-use-pyarmor-pro-for-evasion.html" target="_blank">Latest Batloader Campaigns Use Pyarmor Pro for Evasion</a></h3> <p>(published: August 7, 2023)</p> <p> Trend Micro researchers have documented a new evasion technique for the Batloader malware. Since June 2023, Batloader has used the Pyarmor Pro command-line tool to obfuscate its Python executable code and so hinder analysis of its execution. This is an upgrade to Batloader’s execution; since December 2022 it had been using the free version of Pyarmor. Batloader typically starts as an MSI file that, when executed, begins the infection chain. Privileges are escalated before arp.exe is used to map the network, and C2 communication is then established. The second-stage malware is downloaded from the C2 server, commonly Redline Stealer, Ursnif or Vidar Ransomware.<br/> <b>Analyst Comment:</b> Only run executables that are trustworthy. Network defenders should monitor for scanning/mapping activity and other signs of early compromise. 
Additionally, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of Ransomware infection.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9835" target="_blank">[MITRE ATT&amp;CK] T1497 - Virtualization/Sandbox Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9725" target="_blank">[MITRE ATT&amp;CK] T1548 - Abuse Elevation Control Mechanism</a> | <a href="https://ui.threatstream.com/attackpattern/10178" target="_blank">[MITRE ATT&amp;CK] T1590.004 - Gather Victim Network Information: Network Topology</a> | <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a><br/> <b>Tags:</b> malware:Batloader, malware:Redline Stealer, malware:Ursnif, malware:Vidar, malware-type:Ransomware, mitre-technique:T1105, mitre-technique:T1497, mitre-technique:T1027, mitre-technique:T1548, mitre-technique:T1590.004, mitre-technique:T1486 </p> <h3 id="article-7"><a href="https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/" target="_blank">Emerging Yashma Ransomware Variant: A Blend of WannaCry Imitation and Stealthy Execution Tactics</a></h3> <p>(published: August 7, 2023)</p> <p> Cisco Talos recently unearthed a ransomware campaign led by an unidentified threat actor, likely of Vietnamese origin. This campaign employs a Yashma ransomware variant, distinctively tailored to resemble the well-known WannaCry ransomware. 
Initiated around June 4, 2023, the attacks primarily target nations like Bulgaria, China, Vietnam, and various English-speaking regions, as evidenced by ransom notes available in multiple languages, hosted in the actor's GitHub repository "nguyenvietphat." Unlike typical ransomware attacks, the ransom notes are not embedded within the binary but are downloaded via a unique embedded batch file, which evades conventional detection techniques. This ransomware variant, while retaining most of Yashma’s original features, including its potent anti-recovery capability, has introduced a novel mechanism to deliver the ransom note and exhibits enhanced persistence tactics on infected machines.<br/> <b>Analyst Comment:</b> To counteract the Yashma ransomware threat, it is imperative to adopt a multifaceted approach. Begin by ensuring regular backups of critical data in a secure, offline environment. Leverage robust endpoint security solutions. Regularly update all systems and software to patch any vulnerabilities, and prioritize educating staff about the risks of unfamiliar links and attachments.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/3714" target="_blank">[MITRE ATT&amp;CK] T1486: Data Encrypted for Impact</a> | <a href="https://ui.threatstream.com/attackpattern/9776" target="_blank">[MITRE ATT&amp;CK] T1564 - Hide Artifacts</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9814" target="_blank">[MITRE ATT&amp;CK] T1055 - Process Injection</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/9982" target="_blank">[MITRE ATT&amp;CK] T1485 - Data Destruction</a><br/> <b>Tags:</b> malware:Yashma, malware-type:Ransomware, 
abused:Batch File, file-type:Binary, file-type:.Net Executable, target-system:Windows, technique:Evasion, technique:Endpoint Detection Bypass, technique:Anti-Recovery, technique:Command-and-Control, mitre-technique:T1486, mitre-technique:T1564, mitre-technique:T1193, mitre-technique:T1105, mitre-technique:T1055, mitre-technique:T1060, mitre-technique:T1027, mitre-technique:T1485 </p> <h3 id="article-8"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/invisible-adware-unveiling-ad-fraud-targeting-android-users/" target="_blank">Invisible Adware: Unveiling Ad Fraud Targeting Android Users</a></h3> <p>(published: August 4, 2023)</p> <p> McAfee researchers have discovered many instances of ad fraud involving mobile applications that hide the ads they run from the user (invisible adware). The apps were available on the Google Play store but have since been either removed or updated by the developers. To avoid detection by users, the ads only run after the user’s screen is turned off, hence the term invisible. Additional obfuscation takes the form of a latency period: ads are not executed until a set time after app installation, which can be up to a few weeks, making analysis of the adware more difficult. Invisible adware apps require the user to grant the “power saving” and “draw over other apps” permissions in order to function.<br/> <b>Analyst Comment:</b> In addition to being illegal, invisible adware drains battery life, consumes mobile data and can potentially leak data and interfere with user profiling. Only install apps from trusted marketplaces, and look at user comments and reviews before installation. Always grant the minimum permissions necessary for an app to function. 
Unprompted requests for permissions or applications requesting permissions they do not need should be treated with distrust.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10000" target="_blank">[MITRE ATT&amp;CK] T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a><br/> <b>Tags:</b> malware-type:Adware, abused:Google Play, Mobile, Invisible Adware, mitre-technique:T1497.003 </p> </div> </p></div>
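The Rhysida article above (article 3) lists three pre-deployment TTPs shared with Vice Society: creation of a named local firewall rule, a backup of NTDS.dit, and a domain-wide password change before the ransomware payload runs. The following Python sketch, added here as an example and not taken from the digest or from Check Point's research, correlates those three signals over constructed log records; the record layout, host and account names, thresholds and the Windows event-ID matching are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records for this example: (timestamp, host, source, message).
# Windows Security event IDs 4946 (firewall rule added) and 4724 (password reset
# attempted) are real; the message text, hosts and account names are made up.
SAMPLE_LOGS = [
    ("2023-07-01 01:10:00", "WS-14", "Sysmon",
     "ProcessCreate: netsh advfirewall firewall add rule name=<redacted> dir=in"),
    ("2023-07-01 01:12:30", "DC-01", "Sysmon",
     "ProcessCreate: ntdsutil.exe ifm create full <path redacted>"),
    ("2023-07-01 01:30:00", "WS-02", "Sysmon", "ProcessCreate: notepad.exe"),
] + [
    ("2023-07-01 02:%02d:00" % m, "DC-01", "Security", "EventID 4724 target=user%d" % m)
    for m in range(0, 12, 2)  # six resets in twelve minutes: a domain-wide change
]

@dataclass
class Event:
    ts: datetime
    host: str
    ttp: str     # firewall_rule | ntds_backup | password_reset
    target: str  # account name for password resets, otherwise ""

def classify(ts, host, source, message):
    """Map one raw record onto one of the three shared TTPs, or None if benign."""
    m = message.lower()
    if "advfirewall firewall add rule" in m or "eventid 4946" in m:
        return Event(ts, host, "firewall_rule", "")
    if "ntds.dit" in m or ("ntdsutil" in m and "ifm" in m):
        return Event(ts, host, "ntds_backup", "")
    if "eventid 4724" in m:
        return Event(ts, host, "password_reset", m.split("target=")[1].split()[0])
    return None

def parse(rows):
    events = [classify(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), h, s, msg)
              for ts, h, s, msg in rows]
    return sorted((e for e in events if e), key=lambda e: e.ts)

def correlate(events, reset_window=timedelta(hours=1), min_accounts=5,
              lookback=timedelta(hours=24)):
    """Alert when >= min_accounts distinct accounts are reset inside reset_window
    and BOTH precursor TTPs occurred within lookback before the first reset."""
    resets = [e for e in events if e.ttp == "password_reset"]
    for r in resets:
        burst = [x for x in resets if r.ts <= x.ts <= r.ts + reset_window]
        accounts = {x.target for x in burst}
        if len(accounts) < min_accounts:
            continue  # isolated resets are normal helpdesk noise
        prior = [e for e in events if r.ts - lookback <= e.ts < r.ts]
        if {"firewall_rule", "ntds_backup"} <= {e.ttp for e in prior}:
            hosts = sorted({e.host for e in prior if e.ttp != "password_reset"})
            return [{"first_reset": r.ts, "accounts": len(accounts),
                     "precursor_hosts": hosts}]
    return []
```

A mass reset without the two precursors, or the precursors without a mass reset, produces no alert, which keeps the rule from firing on routine password rotations.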
