Cyber Intel Brief: May 26 – June 1, 2022

Malware

Rapidly Evolving IoT Malware EnemyBot Now Targeting Content Management System Servers and Android Devices

Key Points:

  • Alien Labs has discovered that EnemyBot has been updated and is capable of exploiting recently identified vulnerabilities, and now targets web servers, Android devices, and content management system (CMS) servers in addition to IoT devices.
  • Observation of this activity may be possible by monitoring for web traffic involving URLs matching “uclibc[.]org/downloads/binaries*” or “pkg.musl[.]cc.

Deepwatch Assessment:

Mitigation recommendations include regularly scanning Linux servers, CMS, and IoT devices for vulnerabilities and patching systems as soon as possible, prioritizing those internet-exposed systems focusing on known exploited vulnerabilities like those featured in CISA’s Known Exploited Vulnerabilities Catalog, segmenting externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure, using least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system, employing an anti-virus or EDR solution that can automatically quarantine suspicious files, and finally, where possible, only permitting the execution of signed scripts.


Malware

ChromeLoader Targets Chrome Browser Users with Malicious ISO Files

Key Points:

  • Malwarebytes has observed ISO archive files spreading ChromeLoader, malware that alters the browser settings of its victims and redirects traffic to advertising websites. The ISO files masquerade as legitimate software and games promoting them through social media posts and websites.
  • Observation of this activity may be possible by monitoring for file activity involving .iso extensions.

Deepwatch Assessment:

Mitigation recommendations include instructing employees to only install software approved and provided to them, employing an anti-virus or EDR solution that can automatically quarantine suspicious files, where possible, only permit the execution of signed scripts, when PowerShell is necessary, restrict PowerShell execution policy to administrators, implementing a browser management policy to prevent unwanted extensions from being installed, and finally, script blocking extensions can help prevent the execution of scripts and ISO files that are used during the exploitation process.


Phishing

Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I & II

Key Points:

  • Fortinet recently analyzed a phishing campaign masquerading as a payment report from a trusted source with an attached Excel file containing a malicious macro that ultimately drops AveMariaRAT, BitRAT, and PandoraHVNC fileless malware on targeted systems. 
  • Observation of this activity may be possible by monitoring for processes “aspnet_compiler.exe” or “RegAsm.exe.”

Deepwatch Assessment:

Mitigation recommendations include incorporating the TTPs outlined in the report in your phishing awareness training and simulation exercise program, employing an anti-virus or EDR solution that can automatically quarantine suspicious files, using an anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM), where possible, only permitting the execution of signed scripts, and finally, when PowerShell is necessary, restricting PowerShell execution policy to administrators only.


Ransomware

New Black Basta Ransomware Group

Key Points:

  • Cyberint recently published a brief overview of a new ransomware group dubbed Black Basta. The brief details Black Basta’s infection chain and if they have any ties to the Conti ransomware group.
  • Observation of this activity may be possible by monitoring for the registry key ‘Computer\HKEY_CLASSES_ROOT\.basta\DefaultIcon.’

Deepwatch Assessment:

Mitigation recommendations include incorporating the TTPs outlined in the report in your phishing awareness training and simulation exercise program, and employing an anti-virus or EDR solution that can automatically quarantine suspicious files. Determine if certain websites or attachment types (ex: .iso, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk, and finally, using anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM).


Threat Actors

CISA Alert AA22-152A: Karakurt Data Extortion Group

Key Points:

  • CISA in coordination with the FBI, Treasury Department, and the Financial Crimes Enforcement Network released a joint Cybersecurity Advisory that provides information on the Karakurt data extortion group, to include, initial infection vectors observed, how Karakurt conducts network reconnaissance, enumeration, persistence, and exfiltration of victim data;  finally, the advisory details Karakurt’s extortion tactics.
  • Observation of this activity may be possible by monitoring for Mimikatz, AnyDesk, or Rclone usage.

Deepwatch Assessment:

Mitigation recommendations include implementing a phishing awareness training and simulation exercise program, determining if certain websites or attachment types (ex: .iso, .exe, .pif, .cpl, etc.) are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk, implementing network segmentation and maintain offline backups of data, regularly backing up data and password protect backup copies offline, ensuring copies of critical data are not accessible for modification or deletion from the system where the data resides, configuring user accounts with administrative privileges with least privilege in mind, disabling unused ports, enforcing multi-factor authentication, and finally, ensuring organizational password policy adheres to the  National Institute for Standards and Technology’s “Digital Identity Guidelines” standards.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms unlikely and remote imply that an event has a lower than even chance of occurring; they do not imply that it will not. Terms like might and might reflect situations where we are unable to assess the likelihood, usually due to a lack of relevant information, which is sketchy or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.

Share

LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog