Cyber Intel Brief: Mar 16 – 22, 2023


New TeamTNT Script Discovered

Impacted Industries: All

What You Need To Know:

Cado Security analyzed a TeamTNT script based on an “intelligence lead” from a recent Sysdig Security report detailing an AWS cloud attack involving a complex attack chain resulting in cryptomining and the loss of proprietary data. Cado Security discovered an XMRig configuration file uploaded to VirusTotal three days before the publication of Sysdig’s report. The configuration file pointed to a miner script that was also uploaded to VirusTotal around the same time. The miner script bears similarities to prior TeamTNT payloads, including a wallet ID that Tencent has attributed to the group, and includes log statements written in German, consistent with previous campaigns Trend Micro has attributed to the group. While the domain in the miner script has not been attributed to any campaigns, the Whois record shows that the domain was last updated in May 2021, suggesting the miner script has never been reported. The analyst’s opinion is that the files analyzed by Cado are older TeamTNT samples that have never been reported on before, and the configuration file’s name and upload date are coincidences.


Emotet Deploying Payloads Through OneNote Attachments

Impacted Industries: All

What You Need To Know:

Cyble has reported that cybercriminals are using OneNote attachments to distribute Emotet malware through spam emails, replacing the previous method of using malicious ZIP files. The banking malware targets confidential data such as bank details and passwords. When a user opens the OneNote attachment, a covert action triggers a Windows Script File that drops and executes the Emotet payload. The malware operators use a verification step to ensure the payload is retrieved even if one of the URLs is unavailable. The analyst believes this new campaign will only last for one to two months before reverting to traditional delivery techniques, as Emotet spam campaigns historically operate for a short time. Preventing users from launching embedded files in Microsoft OneNote may reduce this risk.


QakBot Alters Embedded File Types Used in OneNote Documents

Impacted Industries: All

What You Need To Know:

Crowdstrike has observed QakBot malware distributed in OneNote documents with embedded files. QakBot operators have used HTML Application (.HTA), Windows Command (.CMD), and .JSE binaries as embedded files. The user accesses the document and executes the embedded file, which then downloads a second-stage payload from the cybercriminal’s infrastructure. The second-stage payload is saved on disk and executed by rundll32.exe, typically disguised as a .PNG file. Recent variants of this attack have dropped QakBot, which is commonly used to install additional payloads such as Cobalt Strike and is frequently linked to ransomware attacks. ATI assesses that cybercriminals will likely employ OneNote files and attachments in their campaigns until Microsoft implements changes that make malware distribution via OneNote less effective, as they did with macros and ISO files. Preventing users from launching embedded files in Microsoft OneNote may reduce this risk.


Uncovering the TTPs of LockBit Ransomware Affiliates

Impacted Industries: All

What You Need To Know:

The FBI, CISA, and Multi-State Information Sharing & Analysis Center (MS-ISAC) have jointly published a Cybersecurity Advisory (CSA) based on FBI investigations, sharing reported indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) of LockBit ransomware affiliates. LockBit 3.0, also known as LockBit Black, is a new variant that shares similarities with Blackmatter and Blackcat ransomware. LockBit ransomware only infects systems without specific language settings and can modify its behavior using various arguments, making detection and analysis difficult. Affiliates gain initial access through exploiting RDP access, phishing, abusing valid accounts, and exploiting public-facing applications. ATI assesses that affiliates using LockBit Green, a new variant, will use the same techniques and tools as LockBit 3.0.

Exploited Vulnerabilities

ATI Updates Recent Customer Advisory

Impacted Industries: Public Administration, Transportation

What You Need To Know:

ATI has updated their most recent Customer Advisory after completing testing of one of the publicly available PoC exploit codes in a lab environment. We have updated the Exploitation Details, Be On the Lookout (BOLO), Analyst Comment, and MITRE ATT&CK table sections with additional details, our findings, and one potential attack chain that may be observed. The updated blog post also walks through the attack chain of the publicly available PoC exploit code, showing how it looks from both the victim’s and the attacker’s perspective.

According to Microsoft, Russian-based threat actors are actively exploiting an elevation of privilege vulnerability in Microsoft Outlook for Windows, tracked as CVE-2023-23397, which allows New Technology LAN Manager (NTLM) credential hash theft. According to Deep Instinct’s analysis of .msg files uploaded to VirusTotal that exploit the vulnerability, the earliest known attack occurred in April 2022 against the Foreign Ministry of Romania. A threat actor can exploit the vulnerability by sending a specially crafted email using one of three message types (note, appointment, or task) that contains an extended Messaging Application Programming Interface (MAPI) property pointing to a Universal Naming Convention (UNC) path. The Adversary Tactics and Intelligence team has observed threat actors posting proof-of-concept (PoC) exploit code on cybercriminal forums like XSS. Exploit codes shared publicly and on cybercriminal forums use the item type “appointment.” However, Outlook messages uploaded to VirusTotal in December 2022 and January 2023 use the item types “task” and “note.” Deepwatch recommends organizations update vulnerable software as soon as possible.
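A triage check for the mechanism described above, added here as an example and not code from Deepwatch, Microsoft or Deep Instinct: it scans raw .msg bytes for UNC paths (in the UTF-16LE form MAPI Unicode strings are stored in, and in 8-bit form) and flags those whose host falls outside the organisation’s address ranges and domain suffixes, which are assumptions in the code. It does not parse the MSG container or the specific reminder property, so hits are leads for analyst review, not verdicts.

```python
import ipaddress
import re

# Assumed internal address ranges and DNS suffixes; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = ("corp.example",)

# Constructed sample (not a real file): fragments resembling how UTF-16LE string
# properties sit inside an exported .msg, with one external and one internal UNC path.
SAMPLE_MSG = (
    b"\x00" * 16
    + "\\\\203.0.113.10\\share\\reminder.wav".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02"
    + "\\\\fileserver.corp.example\\sounds\\chime.wav".encode("utf-16-le") + b"\x00\x00"
)

# \\host\path: host label characters, a backslash, then path bytes up to a NUL/newline.
_UNC_ASCII = re.compile(rb"\\\\([A-Za-z0-9._-]+)\\([^\x00\r\n]+)")
# Same shape with every character followed by a NUL byte (UTF-16LE); the string ends at 0x0000.
_UNC_UTF16 = re.compile(rb"(?:\\\x00){2}((?:[A-Za-z0-9._-]\x00)+)\\\x00((?:[^\x00]\x00)+)")


def _host_is_internal(host: str) -> bool:
    """True when the UNC host is an IP inside INTERNAL_NETS or a name under INTERNAL_SUFFIXES."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        h = host.lower().rstrip(".")
        return any(h == s or h.endswith("." + s) for s in INTERNAL_SUFFIXES)


def scan_for_unc(blob: bytes) -> list:
    """Return every UNC path found in the blob, in file order, each with a verdict."""
    found = []
    for m in _UNC_ASCII.finditer(blob):
        found.append((m.start(), m.group(1).decode("ascii"), m.group(0).decode("latin-1"), "ascii"))
    for m in _UNC_UTF16.finditer(blob):
        found.append((m.start(), m.group(1).decode("utf-16-le"), m.group(0).decode("utf-16-le"), "utf-16"))
    found.sort()
    return [
        {"offset": off, "host": host, "path": path, "encoding": enc,
         "verdict": "internal" if _host_is_internal(host) else "external"}
        for off, host, path, enc in found
    ]


def external_unc_paths(blob: bytes) -> list:
    """Paths that would make Outlook authenticate to a host outside the organisation."""
    return [f["path"] for f in scan_for_unc(blob) if f["verdict"] == "external"]
```

Run it over exported .msg files from mail-store searches; an external hit in a task, appointment or note item is what the advisory above describes.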

Threat Actors

Latest Additions to Data Leak Sites

Impacted Industries: Manufacturing, Construction, Professional Services, Transportation and Warehousing, and Administrative & Support Services

What You Need To Know:

In the past week, monitored ransomware threat groups added 38 victims to their leak sites. Nineteen of those listed are US-based. This was followed by four in Germany, and two each in Malaysia, Italy, and Canada. The most popular industry listed was manufacturing, with nine victims. They were followed by seven in construction, six in professional services, five in transportation & warehousing, and three in administrative & support services. This information represents victims whom cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.

What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

