Cyber Intel Brief: Jan 25 – Feb 01, 2023


Malware

New Infostealer Titan Stealer, C2 Discovered

Impacted Industries: All

What You Need To Know:

Cyble discovered multiple command and control (C2) servers associated with the new information stealer Titan Stealer. During their analysis, Cyble found that the C2 panel displays statistics about the victims and the stolen data; as of 24 January, the identified panel held 94 logs. The Adversary Tactics and Intelligence team located Titan Stealer's Telegram news channel, which has over 100 subscribers. In early January the developer released version 1.3, which replaced the panel with a new client panel and added a built-in loader feature. Comparing screenshots of the new client panel shared in Titan Stealer's Telegram channel with screenshots of the panel Cyble located, the panel Cyble found is the new client panel, and its 94 logs belong to that single customer rather than representing the total of all logs stolen with Titan Stealer. With the loader feature, cybercriminals can deploy legitimate tools for remote access and data exfiltration, or additional malware such as Cobalt Strike or ransomware variants.


Malware

Check Point Claims TrickGate Packer Operates as a Packer-as-a-Service

Impacted Industries: All

What You Need To Know:

Check Point analyzed its data on malware packed with TrickGate and its many variations and determined with high confidence that TrickGate is a single operation that appears to be offered as a service. Check Point has observed TrickGate continuously and found that cybercriminals have used it to spread all types of malware, including ransomware, RATs, info-stealers, bankers, and miners. One key factor behind Check Point's conclusion that a single cybercriminal or group controls TrickGate is that, while tracking a unique injection technique, they observed occasional breaks in operations; they judged it highly improbable that several different groups employing the same technique would pause at the same time. The cybercriminals behind TrickGate will likely ensure that future updates to the packer avoid unique, identifying features, which would prevent attribution of packed samples to TrickGate and could prevent security solutions from blocking the packer.


Techniques

CISA Warns Orgs of RMM Software Deployed in Phishing Campaign

Impacted Industries: Public Administration; Potential to affect all industries

What You Need To Know:

CISA, NSA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) warning organizations about malicious use of legitimate remote monitoring and management (RMM) software. CISA identified a widespread campaign in which cybercriminals sent phishing emails that led recipients to download the legitimate RMM tools ScreenConnect and AnyDesk. The tools were delivered as self-contained, portable executables configured to connect to the actor's RMM server. Portable executables do not require administrator privileges, so they run even where a risk management control blocks installation of unapproved software. We assess that cybercriminals will likely continue to deploy RMM software as self-contained, portable executables.
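The advisory's point for defenders is that an installed, sanctioned RMM agent and a portable copy dropped by a phishing victim look the same by process name; what differs is where the binary runs from and which relay it talks to. The following detection logic is an added example written for this brief, not code from the CISA/NSA/MS-ISAC advisory. It assumes Sysmon process-creation (EventID 1) and network-connection (EventID 3) events normalized to JSON with the field names shown, and a hypothetical allowlist of the organization's own RMM relay hosts; the sample records are constructed.

```python
"""
Flag AnyDesk and ScreenConnect when they run as portable executables from
user-writable locations or connect to relay hosts that are not the
organization's own.

Added example; not code from the CISA/NSA/MS-ISAC advisory or this brief.
Assumptions: Sysmon EventID 1 (process create) and EventID 3 (network
connect) records normalized to JSON with the field names used below, and
ALLOWED_RELAYS listing your sanctioned RMM servers (hypothetical names).
SAMPLE_EVENTS are constructed for this example.
"""
import json
from pathlib import PureWindowsPath

# Executable names used by the two tools named in the advisory
# (ScreenConnect has separate installer and running-client binaries).
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientsetup.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}

# Where a sanctioned, installed agent lives; anything else is "portable".
INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Hypothetical allowlist of relay hosts your own RMM deployment may reach.
ALLOWED_RELAYS = {"rmm.corp.example", "relay.corp.example"}

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
    {"EventID": 3, "Image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "DestinationHostname": "relay.attacker.example", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "User": "CORP\\jdoe"},
    {"EventID": 3, "Image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "DestinationHostname": "rmm.corp.example", "DestinationPort": 443},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]


def rmm_tool(image):
    """Return the tool name if the image is a known RMM executable, else None."""
    return RMM_IMAGES.get(PureWindowsPath(image).name.lower())


def from_install_path(image):
    """True when the binary sits under a normal installation root."""
    return image.lower().startswith(INSTALL_ROOTS)


def evaluate(event):
    """Return findings for one event; an empty list means nothing to report."""
    findings = []
    image = event.get("Image", "")
    tool = rmm_tool(image)
    if tool is None:
        return findings
    # A portable copy runs from wherever the phishing victim saved it.
    if not from_install_path(image):
        findings.append(f"{tool} running as portable executable from {image}")
    # Even an installed copy is suspicious if it reaches a relay we do not own.
    if event.get("EventID") == 3:
        dest = event.get("DestinationHostname", "").lower()
        if dest not in ALLOWED_RELAYS:
            findings.append(f"{tool} connected to unapproved relay "
                            f"{dest}:{event.get('DestinationPort')}")
    return findings


def scan(lines):
    """Run evaluate() over JSON log lines; returns (line number, finding) pairs."""
    results = []
    for n, line in enumerate(lines, 1):
        for finding in evaluate(json.loads(line)):
            results.append((n, finding))
    return results


if __name__ == "__main__":
    for n, finding in scan(SAMPLE_LINES):
        print(f"line {n}: {finding}")
```

On the constructed sample the scan reports the AnyDesk copy in Downloads (path only) and the ScreenConnect installer in Temp (path and relay), while the installed ScreenConnect client and the installed AnyDesk talking to the corporate relay pass. The path check alone already covers the advisory's scenario, because a portable executable run without administrator rights cannot write under Program Files; the relay allowlist catches the case where an actor abuses an agent that was installed legitimately.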


Techniques

Gootloader Employs New Techniques and Updates Their Loader

Impacted Industries: All

What You Need To Know:

At the end of 2022, Mandiant observed the cybercriminals operating Gootloader using multiple variations of the Fonelaunch launcher, new post-access payloads, modifications to the Gootloader downloader, and a new variation that uses PowerShell commands. According to Mandiant, in post-exploitation activity TAC-011 dropped two payloads: Fonelaunch, an in-memory dropper, and, most often, a Cobalt Strike Beacon. Post-exploitation activity can lead to follow-on activity, including data exfiltration and encryption for extortion and theft of proprietary and intellectual property. With Mandiant reporting Gootloader's TTPs and publishing automated deobfuscation scripts, the cybercriminals are highly likely to read the report and the scripts and adjust their infection chain and obfuscation techniques to avoid detection and analysis.


Techniques

Google’s Favicon Service Abused in Phishing

Impacted Industries: All

What You Need To Know:

ASEC detected multiple phishing emails linking to a phishing page whose favicon is generated dynamically to reflect the domain of the targeted recipient's email address. The cybercriminal hosted the phishing page on the InterPlanetary File System (IPFS) network. The domain name of the command and control server used in this campaign matches the domain name of a phishing web server ASEC discovered recently, so ASEC assesses that the cybercriminal behind that web server conducted this campaign. At the time of our analysis, the IPFS content identifier (CID) no longer returned the requested content, so we assess that the cybercriminal moved the content, which would give it a new CID. The cybercriminal is likely selling the harvested credentials on dark web marketplaces, which can lead to further post-exploitation activity, including data exfiltration and encryption for extortion and theft of proprietary and intellectual property.
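For a page to show a favicon matching the recipient's domain, the phishing link itself has to carry the recipient's address, which gives an analyst two things to pull out of every such URL: the IPFS CID (the thing that changes when the content is moved) and the embedded email. The analyzer below is an added example written for this brief, not ASEC's code. It assumes the email is carried in the URL fragment, query string, or path (a common phishing-kit convention that the source does not state), the gateway path form /ipfs/<CID>, and the public favicon endpoint https://www.google.com/s2/favicons?domain=<domain>; the sample URLs and CID are constructed.

```python
"""
Pull the IPFS CID and the embedded recipient address out of a phishing link,
and derive what the page will request to brand itself.

Added example, not code from ASEC or this brief. Assumptions: the recipient's
email rides in the URL fragment, a query value, or the path; the content
lives at a gateway path of the form /ipfs/<CID>; and the page fetches its
icon from https://www.google.com/s2/favicons?domain=<domain>. The URLs and
the CID below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# CIDv0 is 46 base58 characters; CIDv1 (base32) is longer, so match 46 or more.
CID_RE = re.compile(r"/ipfs/([A-Za-z0-9]{46,})")

CONSTRUCTED_CID = "QmConstructedExampleCidNotFromTheCampaign12345"  # 46 chars
SAMPLE_URLS = [  # constructed, not campaign indicators
    f"https://ipfs.io/ipfs/{CONSTRUCTED_CID}#jane.doe@victim-corp.example",
    f"https://ipfs.io/ipfs/{CONSTRUCTED_CID}?user=jane.doe%40victim-corp.example",
    f"https://ipfs.io/ipfs/{CONSTRUCTED_CID}",
    "https://docs.example/page#section-2",
]


def extract_email(url):
    """Return the first email address carried anywhere in the URL, else None."""
    parts = urlsplit(url)
    # Fragment first: it never reaches the server, so it is invisible in
    # gateway and proxy logs and must be taken from the mail body's link.
    candidates = [unquote(parts.fragment)]
    candidates += [v for values in parse_qs(parts.query).values() for v in values]
    candidates.append(unquote(parts.path))
    for text in candidates:
        m = EMAIL_RE.search(text)
        if m:
            return m.group(0)
    return None


def ipfs_cid(url):
    """Return the CID from an /ipfs/<CID> gateway path, else None."""
    m = CID_RE.search(urlsplit(url).path)
    return m.group(1) if m else None


def favicon_url(domain):
    """The icon request the landing page makes to look like the victim's org."""
    return f"https://www.google.com/s2/favicons?domain={domain}"


def analyze(url):
    """Summarize one link: hosting CID, embedded recipient, derived branding."""
    email = extract_email(url)
    domain = email.split("@", 1)[1].lower() if email else None
    cid = ipfs_cid(url)
    return {
        "cid": cid,
        "email": email,
        "domain": domain,
        "favicon_url": favicon_url(domain) if domain else None,
        # IPFS-hosted content personalized to a recipient is the pattern
        # described in the brief; either signal alone is weaker.
        "suspicious": bool(cid and email),
    }


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, "->", analyze(u))
```

Two practical consequences follow from the code. Because the fragment is stripped by the browser before the request is sent, egress logs will show only the gateway and CID; the recipient-specific link has to be recovered from the message itself. And since the CID is a content hash, a moved page gets a new identifier, as the brief observed, so block the gateway path pattern plus the sender and C2 domain rather than a single CID.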


Exploited Vulnerabilities

CISA Adds CVE-2017-11357 to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added CVE-2017-11357 to its Known Exploited Vulnerabilities Catalog. The vulnerability affects Telerik UI for ASP.NET AJAX, which contains an insecure direct object reference vulnerability in RadAsyncUpload. Multiple sources routinely report exploitation of public-facing applications as one of the top initial access vectors. The vulnerability added this week could allow a cybercriminal to upload files to a limited location and/or achieve remote code execution. Cybercriminals will likely ramp up exploitation of the newly listed vulnerability within the next two weeks. However, we cannot rule out the possibility that cybercriminals could switch to other tactics and techniques to gain initial access.
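Because the weakness sits in the RadAsyncUpload handler, exploitation has to go through that handler, which is visible in the web server's request logs. The parser below is an added example written for this brief, not code from CISA or Telerik. It assumes the handler is reached at Telerik.Web.UI.WebResource.axd with the query string type=rau (the path cited in public detection guidance for RadAsyncUpload), and the log lines are constructed in IIS W3C format.

```python
"""
Surface requests to the Telerik UI for ASP.NET AJAX RadAsyncUpload handler in
IIS W3C logs so that attempts against CVE-2017-11357 can be reviewed.

Added example; not code from CISA, Telerik, or this brief. Assumptions: the
handler is reached at Telerik.Web.UI.WebResource.axd with query type=rau
(the path cited in public detection guidance), and SAMPLE_LOG is a
constructed IIS W3C log with a #Fields header naming the columns.
"""
from collections import Counter

HANDLER = "/telerik.web.ui.webresource.axd"

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-01-30 10:02:11 10.0.0.5 GET /default.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2023-01-30 10:02:15 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd _TSM_HiddenField_=ctl00_RadScriptManager1 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 200
2023-01-30 10:02:19 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 200
2023-01-30 10:02:20 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.23 python-requests/2.28.1 200
2023-01-30 10:03:02 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) 200
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # columns can change between log files
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        yield dict(zip(fields, line.split()))


def is_rau_request(rec):
    """True when the request targets the RadAsyncUpload handler.

    The same .axd also serves script resources (see the _TSM_HiddenField_
    line above), so the stem alone is not enough; the type=rau query is what
    selects the upload handler."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    return stem.endswith(HANDLER) and "type=rau" in query


def upload_requests(lines):
    """Return (client ip, method, status, user agent) for every handler hit."""
    return [(r["c-ip"], r["cs-method"], r["sc-status"], r["cs(User-Agent)"])
            for r in parse_w3c(lines) if is_rau_request(r)]


def posts_per_client(lines):
    """POSTs to the handler per source IP. Uploads arrive as POSTs, so
    repeated POSTs from one unfamiliar source are the first thing to review."""
    return Counter(ip for ip, method, _, _ in upload_requests(lines)
                   if method == "POST")


if __name__ == "__main__":
    for hit in upload_requests(SAMPLE_LOG):
        print(hit)
    print(posts_per_client(SAMPLE_LOG))
```

On the constructed log the two scripted POSTs from 198.51.100.23 stand out; the GET from 192.0.2.44 is a handler hit too but carries no upload. Legitimate pages that use RadAsyncUpload produce the same type=rau requests, so baseline against the application's known upload pages and treat POST bursts from new sources with non-browser user agents as the review queue. A 200 status does not confirm success, and the durable fix remains the vendor patch.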


Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: All

What You Need To Know:

In the past week, monitored threat groups added 33 victims to their leak sites. Nine of those listed are US-based, the UK had three victims listed, and Canada, Australia, and Italy had two victims each. The most affected industries were professional, scientific, and technical services, with seven victims; education, with five victims; and manufacturing, with four victims. This information represents victims whom the cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals' claims.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team's estimates of the likelihood of developments or events, because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can't dismiss,” “we can't rule out,” and “we can't discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
