Cyber Intel Brief: Nov 10 – 16, 2022

Malware

Contact Form Used to Drop BumbleBee, Meterpreter, and Cobalt Strike

Impacted Industries: All

What You Need To Know:

The DFIR Report published details of an intrusion against their honeypots that occurred in May 2022. According to their report, the threat actors used the “Contact Us” form on a website, claiming a violation of copyright with a link to download a file showing the purported offense. Once the threat actors gained initial access, they performed reconnaissance, dropped additional malware, used two UAC bypass techniques, dumped credentials, exploited ZeroLogon to elevate privileges, and moved laterally through the environment.

Analyst Note: Threat actors may have chosen the “Contact Us” form because recipients may perceive the message as legitimate, and the threat of legal action lends an air of urgency, improving the chances that the user clicks the link. Several open-source reports have linked BumbleBee infections to data exfiltration, extortion, and encryption. The threat actors will likely continue using “Contact Us” forms in future campaigns to initiate communications and gain initial access.


Malware

Is BatLoader an Extension Beyond ZLoader?

Impacted Industries: Professional, Scientific, and Technical Services, Finance and Insurance, Manufacturing

What You Need To Know:

VMware has observed the initial access malware BatLoader become increasingly prevalent over the last couple of months. The threat actors use SEO poisoning, with lures for free productivity apps or software development tools, to entice users into downloading malware from compromised websites. VMware discovered several attributes within the attack chain similar to previous activity linked to Conti. VMware’s findings align with Walmart’s assessment that BatLoader is indeed an extension beyond ZLoader.

Analyst Note: According to VMware and Mandiant, BatLoader operators employ techniques similar to Gootloader’s: they identify and compromise vulnerable websites and create a page that entices users to download the application. If a visitor passes the page’s verification checks, they are directed to a fake forum page with a link that, if clicked, downloads a malicious .msi file. BatLoader operators will likely continue compromising vulnerable websites to host SEO-poisoned pages that lure victims into downloading BatLoader.


Malware

New Cryptomining and DDoS Malware Discovered

Impacted Industries: All

What You Need To Know:

Akamai has observed a new malware, dubbed KmsdBot, that infected their honeypot. The botnet spreads by scanning for exposed SSH services and brute-forcing credentials to log in. The malware can mine cryptocurrencies or perform DDoS attacks, and it does not persist on the infected system, which helps it evade detection.

Analyst Note: Akamai states that the new honeypot was left more open and accessible. Threat actors often attack an organization’s internet-facing systems multiple times daily, and any such system exposing SSH with weak credentials could be susceptible to this SSH brute-force attack, used to install cryptomining or botnet malware, and then used to attack other systems.
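The brute-force-then-login pattern the brief describes leaves a recognizable trail in sshd logs. The following detector is an added example written for this brief, not Akamai's code or tooling: it parses OpenSSH "Failed/Accepted ... from <ip>" lines, counts failures per source address inside a sliding window, and records whether a successful login followed a burst of failures. The log lines, hostnames, addresses, threshold and window size are constructed for the example; the syslog year is assumed to be 2022 because the log format omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines for this example; not from the brief or from Akamai's report.
# 203.0.113.7 fails five times in six seconds and then logs in; 198.51.100.4 is an ordinary user.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 honeypot sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Nov 12 03:14:02 honeypot sshd[2101]: Failed password for root from 203.0.113.7 port 40124 ssh2
Nov 12 03:14:04 honeypot sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Nov 12 03:14:05 honeypot sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40131 ssh2
Nov 12 03:14:07 honeypot sshd[2105]: Failed password for root from 203.0.113.7 port 40140 ssh2
Nov 12 03:14:09 honeypot sshd[2105]: Accepted password for root from 203.0.113.7 port 40142 ssh2
Nov 12 03:20:11 honeypot sshd[2150]: Failed password for alice from 198.51.100.4 port 51000 ssh2
Nov 12 03:20:40 honeypot sshd[2152]: Accepted publickey for alice from 198.51.100.4 port 51002 ssh2
"""

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n> ssh2" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def analyze_ssh_log(text, threshold=5, window_seconds=60, year=2022):
    """Return one finding per source IP that reaches `threshold` failed logins inside a sliding window.

    Each finding also records whether an Accepted login followed such a burst, which is the
    behaviour the brief describes: brute-force the credentials, then log in with them.
    """
    events = defaultdict(list)  # ip -> [(timestamp, result, user)]
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication line we understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # assumed year
        events[m["ip"]].append((ts, m["result"], m["user"]))

    findings = []
    for ip, evs in events.items():
        evs.sort()
        recent_failures = deque()  # timestamps of failures inside the current window
        peak, users, success_after_burst = 0, set(), False
        for ts, result, user in evs:
            # Slide the window forward: forget failures older than window_seconds.
            while recent_failures and (ts - recent_failures[0]).total_seconds() > window_seconds:
                recent_failures.popleft()
            if result == "Failed":
                recent_failures.append(ts)
                users.add(user)
                peak = max(peak, len(recent_failures))
            elif len(recent_failures) >= threshold:
                success_after_burst = True  # login succeeded right after a burst of failures
        if peak >= threshold:
            findings.append({
                "ip": ip,
                "peak_failures_in_window": peak,
                "usernames_tried": sorted(users),
                "success_after_burst": success_after_burst,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_ssh_log(SAMPLE_AUTH_LOG):
        print(finding)
```

The `success_after_burst` flag is the one worth paging on: a burst of failures alone is background noise on any internet-facing host, but a success that follows it means the credentials were guessed and the host should be treated as compromised.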


Malware

An Inside Look at Lazarus Group Backdoor DTrack

Impacted Industries: All; Public Administration; Educational Services; Professional, Scientific, and Technical Services; Information; and Utilities

What You Need To Know:

A Kaspersky report details recent activity by the DTrack backdoor, which is linked to Lazarus Group, a North Korean state-sponsored threat actor. The backdoor allows threat actors to upload, download, start, or delete files on the victim host, and it includes a keylogger, a screenshot module, and a module for gathering victim system information. According to Kaspersky telemetry, the backdoor has been detected targeting multiple sectors worldwide.

Analyst Note: The threat actors conduct cryptocurrency theft, data exfiltration, encryption, and extortion. OFAC sanctioned the group on 14 April 2022. A month later, federal agencies released an advisory linking North Korean state-sponsored threat actors to Maui ransomware. The threat actors will likely use the backdoor in future campaigns to target organizations of interest for financial and intellectual property gain and to conduct espionage-related activities.


Malware

SocGholish Discovered Using New Technique to Inject Code

Impacted Industries: All

What You Need To Know:

Sucuri recently uncovered a new SocGholish infection campaign that uses an unconventional way of injecting malicious JavaScript into a target’s website: a line of code appended to the bottom of the website theme’s functions.php file. Sucuri found that this code loads a malicious template file, which in turn injects the SocGholish JavaScript.

Analyst Note: Security software often parses files, monitors their integrity, and checks for known IoCs, but it less frequently monitors the database’s content directly. This campaign targets Windows users, as the code checks for the word “Windows” in the User-Agent header. However, SocGholish operators may check for Linux and Mac in the User-Agent header in future campaigns, if they are not already doing so.
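Both gaps the note points at, an appended line in a theme file and content stored in the database, can be covered by one integrity check that diffs a theme file against its known-good copy and runs the same heuristics over changed lines and over database values. The code below is an added example written for this brief, not Sucuri's scanner or any SocGholish signature. It assumes a WordPress site (theme functions.php, a wp_options table); the baseline file, the tampered copy, the placeholder template name and the option rows are all constructed fixtures that only imitate the shape described above (load a template file, gate on a Windows User-Agent).

```python
import difflib
import hashlib
import re

# Generic heuristics chosen for this example (not Sucuri's signatures): constructs that deserve a
# second look when they appear in newly added theme code or in values stored in the database.
SUSPICIOUS_PATTERNS = [
    ("eval_or_assert", re.compile(r"\b(eval|assert)\s*\(")),
    ("encoded_payload", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("dynamic_include", re.compile(r"\b(include|require)(_once)?\b[^;\n]*\$")),  # include path built from a variable
    ("os_check_in_user_agent", re.compile(r"HTTP_USER_AGENT.{0,80}Windows", re.I)),  # the Windows-only gate the note mentions
    ("inline_script_tag", re.compile(r"<script\b[^>]*>", re.I)),
]

# Constructed known-good functions.php (a minimal theme bootstrap), not taken from any real theme.
BASELINE_FUNCTIONS_PHP = """<?php
function demo_theme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'demo_theme_setup');
"""

# Constructed tampered copy: the same file with two lines appended at the bottom. The template
# name is a placeholder and these lines are a detection fixture, not SocGholish code.
TAMPERED_FUNCTIONS_PHP = BASELINE_FUNCTIONS_PHP + """$tmpl = get_template_directory() . '/placeholder-template.php';
if (stripos($_SERVER['HTTP_USER_AGENT'], 'Windows') !== false) { @include($tmpl); }
"""

# Constructed rows as "SELECT option_name, option_value FROM wp_options" might return them.
SAMPLE_OPTION_ROWS = [
    ("blogname", "Demo Site"),
    ("widget_text", "<script src=\"https://static.example.invalid/loader.js\"></script>"),
]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def added_lines(baseline, current):
    """Lines present in `current` but not in `baseline`, whether appended at the bottom or inserted mid-file."""
    diff = difflib.ndiff(baseline.splitlines(), current.splitlines())
    return [line[2:] for line in diff if line.startswith("+ ")]


def scan_text(text):
    """Names of the SUSPICIOUS_PATTERNS that match, sorted for stable output."""
    return sorted(name for name, pattern in SUSPICIOUS_PATTERNS if pattern.search(text))


def check_theme_file(path, baseline, current):
    """Compare a theme file with its known-good copy and scan only the lines that changed."""
    if sha256_hex(baseline) == sha256_hex(current):
        return {"path": path, "modified": False, "added_lines": [], "flags": []}
    new = added_lines(baseline, current)
    return {"path": path, "modified": True, "added_lines": new, "flags": scan_text("\n".join(new))}


def scan_option_rows(rows):
    """Apply the same heuristics to (option_name, option_value) pairs read from the options table."""
    results = []
    for name, value in rows:
        flags = scan_text(value)
        if flags:
            results.append({"option": name, "flags": flags})
    return results


if __name__ == "__main__":
    print(check_theme_file("wp-content/themes/demo/functions.php",
                           BASELINE_FUNCTIONS_PHP, TAMPERED_FUNCTIONS_PHP))
    print(scan_option_rows(SAMPLE_OPTION_ROWS))
```

In practice the baseline comes from a clean copy of the theme (the vendor package or a pre-incident backup) and the option rows from a read-only query against the site's database; scanning only the diff keeps the noisy heuristics from firing on the theme's legitimate code.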


Exploited Vulnerabilities

CISA Adds 1 CVE to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added CVE-2022-41049 to its Known Exploited Vulnerabilities Catalog. This vulnerability could allow a threat actor to craft a malicious file that evades Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features.

Analyst Note: According to Microsoft, in a web-based attack scenario a threat actor can exploit this vulnerability by designing and hosting a malicious website; in a phishing scenario, the threat actor could send the targeted user a specially crafted .url file. Compromised websites, or websites that accept or host user-provided content, could also contain specially crafted content to exploit the security feature bypass.
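A .url attachment is a small INI-style text file, so mail-gateway or triage tooling can read where it actually points before a user double-clicks it. The parser and triage below are an added example for this brief, not Microsoft's or CISA's guidance: it extracts the URL= target under [InternetShortcut] and surfaces anything that is not a plain http(s) link. What makes a .url file "specially crafted" for this CVE is not described on the page, so the triage is deliberately generic. The sample shortcut files, the address in them and the reason strings are constructed.

```python
from urllib.parse import urlsplit

# Constructed samples; neither is a real attachment.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n"
REMOTE_FILE_URL_FILE = "[InternetShortcut]\r\nURL=file://203.0.113.9/public/report.exe\r\n"


def parse_internet_shortcut(text):
    """Parse the INI-style .url format: [Section] headers followed by key=value lines.

    Section and key names are lower-cased because Windows treats them case-insensitively.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def triage_internet_shortcut(text):
    """Report where a .url file points; anything other than a plain http(s) target is
    surfaced for an analyst instead of being treated as a harmless bookmark."""
    sections = parse_internet_shortcut(text)
    target = sections.get("internetshortcut", {}).get("url", "")
    scheme = urlsplit(target).scheme.lower()
    reasons = []
    if not target:
        reasons.append("no URL= entry under [InternetShortcut]")
    elif scheme not in ("http", "https"):
        reasons.append(f"target scheme is {scheme or 'missing'}, not http(s)")
    if scheme == "file" or target.startswith("\\\\"):
        reasons.append("target is a local file or UNC share path")
    return {"target": target, "scheme": scheme, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for sample in (BENIGN_URL_FILE, REMOTE_FILE_URL_FILE):
        print(triage_internet_shortcut(sample))
```

This check is format-only and runs anywhere; on the Windows endpoint itself the complementary question is whether the downloaded file still carries its Zone.Identifier alternate data stream, which is where the Mark of the Web lives.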


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
