Cyber Intel Brief: Dec 29, 2022 – Jan 4, 2023

Malware

New Tool Targets WordPress Sites to Inject LoveCats Malware

Impacted Industries: All

What You Need To Know:

Cybercriminals are likely using malware discovered by Dr. Web, which the Adversary Tactics and Intelligence team has dubbed LoveCats, to redirect website visitors to malicious advertising or phishing websites that steal user credentials or trick users into downloading additional malware. The malware is injected into targeted websites by a tool that runs on 32-bit and 64-bit versions of Linux and exploits almost 30 known vulnerabilities in WordPress plugins and themes. Users who click on an infected page are redirected to a malicious website. The tool also collects statistics on its activity and has the potential to brute-force administrator accounts using available logins and passwords.


Malware

Stolen Bank Data Used as Lures in BitRAT Campaign

Impacted Industries: All

What You Need To Know:

Qualys discovered that a cybercriminal compromised a Colombian cooperative bank, dumping a total of 4,18,777 rows of customer information. We assume Qualys meant 418,777 rows of information, as over 4 million rows seems unreasonable for even a large financial institution in Colombia. Cybercriminals then used the stolen data in Excel sheets as lures to infect targets with BitRAT. BitRAT, a well-known remote access trojan, has been available on underground cybercriminal markets since February 2021. It has a range of functions, including data exfiltration, execution of payloads with bypasses, DDoS, keylogging, webcam and microphone recording, and credential theft. The cybercriminals could target other financial institutions and organizations to steal sensitive data for use as lures in future campaigns. The stolen data included Colombian national ID numbers (similar to a social security number), email addresses, phone numbers, customer names, payment records, salaries, and addresses. As of the report’s publication, Qualys had yet to find this information shared on the dark web and clearnet websites it monitors. However, cybercriminals could be selling the stolen data through different channels or on cybercriminal marketplaces not observed by Qualys.


Malware

Raspberry Robin Updated Again, Observed Targeting Financial Sector in Europe

Impacted Industries: Financial; Known to target all industries

What You Need To Know:

The cybercriminals behind Raspberry Robin, discovered in early 2022 and known for spreading via USB drives, download an MSI installer file that deploys the primary payload responsible for facilitating post-exploitation. Because Security Joes has reported observing Raspberry Robin targeting the financial sector in Europe, focusing on Spanish- and Portuguese-speaking organizations, while still using the same C2 server IP address seen in previous reporting, the operators may now change that IP address. According to Security Joes, Raspberry Robin’s developers recently updated the attack framework with new anti-analysis capabilities, and the attackers have started collecting more victim machine data. The cybercriminals now encrypt the victim data with RC4 rather than sending it in plain text. In this campaign, the malware was delivered via a zip file downloaded through the victim’s browser. We expect the developers to continue adding anti-analysis techniques and to focus on sectors that better align with the needs of Raspberry Robin’s users.


Malware

New Linux Malware Discovered Installing XMRig Coinminer

Impacted Industries: All

What You Need To Know:

AhnLab discovered a Linux downloader that installs the XMRig coinminer on improperly configured and managed Linux SSH servers. However, the cybercriminal behind this campaign could be distributing other malware besides the XMRig coinminer, and AhnLab may not have visibility into any other malware dropped by the loader. XMRig is an open-source application used by cybercriminals to mine cryptocurrencies like Monero and Bitcoin. AhnLab also found a similar form of the shc downloader malware on VirusTotal, which they assess was likely targeting systems in Korea because Korean-based VirusTotal user(s) uploaded the files. However, this campaign could target other regions besides Korea, and targeted organizations elsewhere may simply not have uploaded their samples to VirusTotal.


New Techniques

Windows Error Reporting, WerFault.exe, used to Execute PupyRAT

Impacted Industries: All

What You Need To Know:

K7 Security observed cybercriminals using the legitimate Windows program WerFault.exe to execute a Remote Administration Tool (RAT) called PupyRAT on victim machines. The cybercriminals created an ISO image containing a malicious DLL file and a shortcut file; when the shortcut is opened, it uses WerFault.exe to load the DLL and execute PupyRAT. Because the initial stage was an ISO file, the cybercriminals likely delivered it as an email attachment. Considering that cybercriminals can deploy PupyRAT in memory from a single command line using Python or PowerShell one-liners, open non-interactive and interactive shells, and generate payloads in various formats, the risk posed by the RAT is exceptionally high. Cybercriminals may assume this technique is not well known and begin using WerFault.exe to execute malware in future campaigns.
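One way to hunt for the WerFault.exe abuse described above is to flag WerFault.exe loading a DLL from outside the Windows directory, which is where a DLL sitting on a mounted ISO would come from. The following is an added example written for this brief, not code from Deepwatch or K7 Security; it runs over constructed Sysmon Event ID 7 (ImageLoad) style records, and it assumes the default Windows directory `C:\Windows` and that any legitimate non-system loads by WerFault.exe are handled by local allowlist tuning.

```python
"""Added detection example: WerFault.exe loading a DLL from outside the
Windows directory. Records are constructed samples in a Sysmon Event ID 7
(ImageLoad) style; paths and PIDs are invented for illustration."""
import ntpath
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: WerFault handling a real crash, loading a system DLL.
    {"EventId": "7", "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\wer.dll", "ProcessId": "4120"},
    # Suspicious: WerFault loading a DLL from a mounted ISO (drive D:).
    {"EventId": "7", "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"D:\invoice\malicious.dll", "ProcessId": "5032"},
    # Unrelated process loading a user-directory DLL: out of scope here.
    {"EventId": "7", "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\helper.dll",
     "ProcessId": "6001"},
    # Suspicious: SysWOW64 WerFault loading from a user directory.
    {"EventId": "7", "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\stage.dll", "ProcessId": "7310"},
]


def is_werfault(image: str) -> bool:
    """True if the loading process image is WerFault.exe (any location)."""
    return ntpath.basename(image).lower() == "werfault.exe"


def is_under_system_root(path: str, system_root: str = r"C:\Windows") -> bool:
    """True if path lies beneath the Windows directory (case-insensitive)."""
    norm = ntpath.normpath(path).lower()
    root = ntpath.normpath(system_root).lower()
    return norm.startswith(root + "\\")


def find_werfault_sideloads(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return ImageLoad events where WerFault.exe loaded a non-system DLL."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev.get("EventId") != "7" or not is_werfault(ev.get("Image", "")):
            continue
        dll = ev.get("ImageLoaded", "")
        if not is_under_system_root(dll):
            hits.append({"ProcessId": ev.get("ProcessId", ""), "ImageLoaded": dll})
    return hits


if __name__ == "__main__":
    for hit in find_werfault_sideloads(SAMPLE_EVENTS):
        print(f"ALERT WerFault.exe pid={hit['ProcessId']} loaded {hit['ImageLoaded']}")
```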


Threat Actors

Latest Additions to Ransomware and Data Extortion Leak Sites

Impacted Industries: All

What You Need To Know:

The Adversary Tactics and Intelligence Team builds a weekly picture of ransomware activity by monitoring the information published on the cybercriminals’ dark web leak sites. Victims added this week include two organizations in the educational services sector and organizations from transportation and warehousing, information, healthcare and social assistance, construction, and public administration. This information represents victims whom the cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds CVE-2018-5430 & CVE-2018-18809 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added CVE-2018-5430 & CVE-2018-18809 to its Known Exploited Vulnerabilities Catalog. These vulnerabilities affect JasperReports Library and Server and could allow a cybercriminal read-only access to the contents of the web application, including key configuration files (CVE-2018-5430), or allow web server users to access the contents of the host system (CVE-2018-18809).


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Subscribe to the Deepwatch Insights Blog