Mar 19 2024

APT28 Hacker targeting in widespread Phishing Scheme

Category: APT,Phishingdisc7 @ 7:20 am

APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.

“The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production,” IBM X-Force said in a report published last week.

The tech company is tracking the activity under the moniker ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

The disclosure comes more than three months after the adversary was spotted using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor dubbed HeadLace.

APT28 has since also targeted Ukrainian government entities and Polish organizations with phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.

Other campaigns have entailed the exploitation of security flaws in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to plunder NT LAN Manager (NTLM) v2 hashes, raising the possibility that the threat actor may leverage other weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks.

Widespread Phishing Scheme

The latest campaigns observed by IBM X-Force between late November 2023 and February 2024 take advantage of the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.

There is evidence to suggest that both the WebDAV servers, as well as the MASEPIE C2 servers, may be hosted on compromised Ubiquiti routers, a botnet comprising which was taken down by the U.S. government last month.

The phishing attacks impersonate entities from several countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., putting to use a mix of authentic publicly available government and non-government lure documents to activate the infection chains.

“In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations,” security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr said.

The climax of APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. OCEANMAP has been characterized as a more capable version of CredoMap, another backdoor previously identified as used by the group.

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: APT28


Nov 20 2023

RUSSIA-LINKED APT29 GROUP EXPLOITED WINRAR 0DAY IN ATTACKS AGAINST EMBASSIES

Category: APTdisc7 @ 8:54 am

Russia-linked cyberespionage group APT29 has been observed leveraging the CVE-2023-38831 vulnerability in WinRAR in recent attacks.

The Ukrainian National Security and Defense Council (NDSC) reported that APT29 (aka SVR groupCozy BearNobeliumMidnight Blizzard, and The Dukes) has been exploiting the CVE-2023-38831 vulnerability in WinRAR in recent attacks.

APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The Russia-linked APT group was observed using a specially crafted ZIP archive that runs a script in the background to show a PDF lure while downloading PowerShell code to fetch and execute a payload.

The APT group targeted multiple European nations, including Azerbaijan, Greece, Romania, and Italy, with the primary goal of infiltrating embassy entities.

The threat actors used a lure document (“DIPLOMATIC-CAR-FOR-SALE-BMW.pdf”) containing images of a BMW car available for sale to diplomatic entities. The weaponized documents embedded malicious content that exploited the WinRAR vulnerability.

APT29 WinRAR

“In the context of this particular attack, a script is executed, generating a PDF file featuring the lure theme of a BMW car for sale. Simultaneously, in the background, a PowerShell script is downloaded and executed from the next-stage payload server.” reads the report published by NDSC. “Notably, the attackers introduced a novel technique for communicating with the malicious server, employing a Ngrok free static domain to access their server hosted on their Ngrok instance.”

In this attack scheme, Ngrok has been used to host their next-stage PowerShell payloads and establish covert communication channels.

Threat actors use the tool to obfuscate their communications with compromised systems and evade detection.

“What makes this campaign particularly noteworthy is the synthesis of old and new techniques. APT29 continues to employ the BMW car for sale lure theme, a tactic that’s been seen in the past. However, the deployment of the CVE-2023-38831 WinRAR vulnerability, a novel approach, reveals their adaptability to the evolving threat landscape. Additionally, their use of Ngrok services to establish covert communications emphasizes their determination to remain concealed.” concludes the NDSC that also published indicators of compromise (IoCs) for these attacks.

In April, Google observed Russia-linked FROZENBARENTS APT (aka SANDWORM) impersonates Ukrainian drone training school to deliver the Rhadamanthys infostealer.

The threat actors used a lure themed as an invitation to join the school, the email included a link to an anonymous file-sharing service, fex[.]net. The file-sharing service was used to deliver a benign decoy PDF document with a drone operator training curriculum and specially crafted ZIP archive (“Навчальна-програма-Оператори.zip” (Training program operators)) that exploits the flaw CVE-2023-38831.

In September, CERT-UA observed the FROZENLAKE group exploitingthe WinRAR flaw to deploy malware in attacks aimed at energy infrastructure.

Google TAG experts also observed the Russia-linked ATP28 group exploiting the flaw in attacks against Ukraine users. The state-sponsored hackers employed a malicious PowerShell script (IRONJAW) to steal browser login data and local state directories.

The China-linked APT40 group was observed exploiting the CVE-2023-38831 vulnerability in attacks against targets in Papua New Guinea.

Last week, researchers at cybersecurity firm NSFOCUS analyzed DarkCasino attack pattern exploiting the WinRAR zero-day vulnerability tracked as CVE-2023-38831. The economically motivated APT group used specially crafted archives in phishing attacks against forum users through online trading forum posts.

In the Lair of the Cozy Bear: Cyberwarfare with APT 29 Up Close and Personal

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: APT29


Oct 27 2023

HOW APT28 INFILTRATES NETWORKS IN FRENCH UNIVERSITIES & NUCLEAR PLANTS WITHOUT DETECTION

Category: APT,Information Securitydisc7 @ 1:19 pm

According to a recent study published by the leading cybersecurity agency in France, a hacking organisation affiliated with Russia’s military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions. The research was published by the agency.

Since the second half of 2021, the group of hackers known as Fancy Bear or APT28 has been operating covertly into French computer networks in an effort to acquire a variety of sensitive sorts of data. According to the findings of the investigation conducted by the National Cybersecurity Agency of France, also known as ANSSI, the perpetrators of the attacks hacked systems that were not being actively watched, such as routers, and abstained from employing backdoors in order to avoid being discovered. These cyber attackers infiltrate peripheral devices on crucially important French organisational networks, according to a recent study published by France’s National Agency for the Security of Information Systems (ANSSI), and they do so without making use of backdoors in order to avoid detection. After conducting an analysis of the group’s Techniques, Tactics, and Procedures (TTPs), ANSSI came to the conclusion that APT28 infiltrates target networks via brute force and credential leaks in order to get access to accounts and Ubiquiti routers. In April of 2023, a phishing expedition was begun with the purpose of obtaining system settings, insights into operational operations, and other relevant data. Using the flaw identified as CVE-2023-23397, APT28 sent emails to Outlook users during the months of March 2022 and June 2023. In order to carry out reconnaissance and data collecting, the attackers made use of other vulnerabilities, such as CVE-2022-30190 (Follina) in Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail. Both of these vulnerabilities were exploited by the attackers.

In order to carry out their intrusions, the gang made use of applications such as the password harvester Mimikatz and the traffic relay tool reGeorg. Additionally, they made use of open-source services such as Mockbin and Mocky. It is important to understand that APT28 use a wide variety of different VPN clients.

As a cyber-espionage group, APT28’s primary mission is to gain unauthorised access and steal information from its targets. The hackers stole sensitive information from email accounts and stole authentication details by using common tools. The hackers also stole emails that were full of personal information. The Command and Control (C2) architecture is rooted on cloud services such as Google Drive and Microsoft OneDrive, which makes it more difficult to identify them.

ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.

In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.

APT28 is responsible for sending emails to Outlook users that attacked a zero-day vulnerability that is now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than what was previously revealed.

The ANSSI emphasises taking a comprehensive approach to security, which includes conducting risk assessments. In light of the dangers posed by APT28, there should be a special focus on ensuring the safety of email communications. The following is a list of the most important suggestions that the organisation has about the safety of email:

Protecting the privacy of email communications and preventing their disclosure via 
adopting secure exchange systems as a means of preventing the diversion or acquisition of email traffic. Reducing the potential points of attack on email online interfaces and managing the dangers posed by servers such as Microsoft Exchange and putting in place mechanisms that can identify malicious emails.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory


Oct 09 2023

Lazarus APT Laundered Over $900 Million Worth of Cryptocurrency

Category: APT,Cryptodisc7 @ 7:24 am

Threat actors have been laundering currencies with multiple methods. One of the most predominant ways they have been using lately was the Cross-chain crime. In a cross-chain crime, threat actors swap their Cryptocurrency between different blockchains and tokens that help maintain their anonymity.

Moreover, this cross-chain crime is carried out using decentralized exchanges (DEXs) and cross-chain bridges. As with the increase in cybercriminal activities such as ransomware attacks, scams, or crypto thefts, this has become an increasingly preferred money laundering method for cybercriminals.

In addition to this, reports also suggest that more than $4.1 billion of illegal funds have been laundered through decentralized exchanges (DEXs), cross-chain bridges, and coin swap services. 

This is estimated to rise to $6.5 billion by the end of 2023 and $10.5 billion by 2025. Another report indicates that $2.7 billion was laundered through cross-chain crime over just a 12-month period between July 2022 and July 2023.

Reason for High Adoption Rate

Threat actors and scammers generate revenue through illegal methods using this cross-chain crime for several reasons, which include the popularity of crypto assets excluding bitcoins among criminals, the anonymity it offers, and stable value assets as some of them are government-backed currencies (Tether (USDT) or DAI).

Another major reason for the adoption is that many cross-asset and cross-chain services other than centralized exchanges do not have ID verification. In addition to this, this method offers protection against tracing by using techniques like prolific asset- or chain-hopping.

Annual figures of cumulative illegal funds laundered
Annual figures of cumulative illegal funds laundered (Source: Elliptic)

Furthermore, it has been discovered that the Lazarus group, responsible for several high-profile cyberattacks, had laundered over $900 million using this method. 

Decentralized services (DEXs), cross-chain bridges, and coin swap services have been found to have laundered over $7 billion of illegal funds as of July 2023. Elliptic researchers have published a complete report about this method and other information.

Tor and the Deep Web: Bitcoin, DarkNet & Cryptocurrency

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Lazarus


Aug 16 2023

APTs use of lesser-known TTPs are no less of a headache

Category: APT,Attack Matrixdisc7 @ 9:48 am

Initially perceived as primarily targeting large corporations, advanced persistent threat (APT) attacks, often backed by state actors, have witnessed a notable surge in incidents against small and medium-sized enterprises. This expanding scope signifies that no entity is exempt, as the dynamic evolution of attack methods demands a proactive stance and ongoing fortification of security measures. This endeavor places a persistent burden on resources, especially when factoring in the diverse array of tactics, techniques, and procedures (TTPs) employed within these attacks.

Uncommon TTPs

With time, money and other resources on their side, APTs such as Cozy Bear (aka APT29), OceanLotus (aka APT32), and Grim Spider (aka APT-C-37) conduct technically intricate, cutting-edge attacks that potentially threaten any organization. One victim can also be collateral damage for an attack on a larger target.

While some of their TTPs – such as spear phishing, credential theft, living off the land (LOL), and data exfiltration – are well-known and widely documented, less common TTPs that APTs may use can wreak just as much havoc. These include:

Watering hole attacks: These attacks involve compromising websites that the target organization’s employees or individuals frequently visit. The attackers inject malicious code into these legitimate websites, causing visitors to download malware unknowingly. It’s a tactic that allows APTs to gain access to the target organization through the users’ systems without directly attacking them. One well-known attack involved the website of the US Department of Labor in 2013, where malicious code was injected to infect visitors’ systems and target government employees and contractors.

Island hopping: In these attacks, APTs target not only the primary victim organization but also other organizations within their supply chain, partners, or affiliates. By compromising less secure third-party companies first, they can use them as stepping stones to reach the ultimate target and avoid direct detection. Cozy Bear targeted the Democratic National Committee in 2016 and later used island hopping techniques to breach other US government agencies.

Fileless malware: Fileless malware resides in the system’s memory, leaving little to no trace on the hard drive. It leverages legitimate processes and tools to carry out malicious activities, making it challenging for traditional security solutions to detect. Fileless malware can be delivered through malicious scripts (such as macros and PowerShell commands), malicious registry entries, LOLBins, LOLScripts, WMI/WSH, and reflective DDL-injection (to highlight the most common ones). APT32 (OceanLotus) used fileless malware to compromise multiple organizations in Southeast Asia, including government agencies and private companies while evading detection and attribution.

Hardware-based attacks: APTs may use hardware-based attacks, such as compromising firmware, hardware implants, or manipulating peripheral devices, to gain persistence and evade traditional security measures. These attacks can be difficult to detect and remove without specialized tools and expertise. A notable example is the Equation Group‘s malware for reprogramming hard drives’ firmware.

Zero-day exploits: APTs may deploy zero-day exploits to target previously unknown vulnerabilities in software or hardware. These attacks can be highly effective as no patches or defenses against them are available. Who could forget the Stuxnet attack? Stuxnet was a sophisticated and targeted worm that exploited multiple zero-day vulnerabilities in industrial control systems, making it highly effective and challenging to detect.

Memory-based attacks: Memory-based attacks exploit vulnerabilities in software to gain access to sensitive data stored in the computer’s RAM. These attacks can bypass traditional security measures that focus on file-based threats. APT32, believed to be based in Vietnam, is known for using fileless malware and “living off the land” techniques to operate stealthily in the computer’s memory and evade traditional security measures.

DNS tunneling: APTs may use DNS tunneling to exfiltrate data from the victim’s network. This technique involves encoding data in DNS requests or responses, allowing the attackers to bypass perimeter security measures that may not inspect DNS traffic thoroughly. Cozy Bear used DNS tunneling to communicate with their command-and-control servers and steal sensitive information from targeted organizations in a stealthy manner.

Advanced anti-forensic techniques: APTs invest significant efforts in covering their tracks and erasing evidence of their presence. They may employ advanced anti-forensic techniques to delete logs, manipulate timestamps, or encrypt data to hinder investigation and response efforts. One well-known advanced anti-forensic techniques attack by the Equation Group involved using a rootkit called “DoubleFantasy” to hide and persistently maintain their presence on infected systems, making it extremely challenging for analysts to detect and analyze their activities.

Multi-platform or custom malware: APTs employ malware capable of targeting both Windows and macOS systems to maximize its reach. They can also deploy tailored malware, such as the Scanbox reconnaissance framework to gather intelligence. An example is APT1 (also known as Comment Crew or Unit 61398), which utilized custom malware to infiltrate and steal sensitive data from various organizations worldwide, particularly in the United States.

Password spraying: Password spraying attacks are used to gain initial access by attempting to use a few common passwords against multiple accounts. APT33 (Elfin) targeted organizations in the Middle East and globally, using password spraying to compromise email accounts and gain a foothold for further cyber-espionage activities.

APTs are here to stay

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

These TTPs underscore the diverse and advanced technical skills exhibited by different threat groups. Organizations can bolster their defenses and protect against APT incursions by studying their tactics, techniques, and procedures.

Continuous vigilance, threat intelligence, and incident response readiness are crucial elements in preparing for and sometimes thwarting these persistent and highly skilled adversaries. Understanding real-world APT attacks’ technical intricacies and TTPs is vital for organizations to enhance their defense strategies and safeguard against these persistent threats.

Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape

CISSP training course

InfoSec tools | InfoSec services | InfoSec books | Follow our blog

Tags: APT, Attacks, TTP, TTPS


Oct 17 2022

New UEFI rootkit Black Lotus offered for sale at $5,000

Category: APT,Cyber crime,CybercrimeDISC @ 10:02 am

Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, researcher warns.

Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is advertised on underground criminal forums. The powerful malware is offered for sale at $5,000, with $200 payments per new updates.

The researcher warns that the availability of this rootkit in the threat landscape represents a serious threat for organizations due to its evasion and persistence capabilities.

“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we’ve made (e.g. Trickbot‘s #Trickboot module), this represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction.” wrote Scheferman.

Black Lotus is written in assembly and C and is only 80kb in size, the malicious code can be configured to avoid infecting systems in countries in the CIS region.

The malware supports anti-virtualization, anti-debugging, and code obfuscation. Black Lotus is able to disable security solutions, including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit is able to bypass security defenses like UAC and Secure Boot, it is able to load unsigned drivers used to perform a broad range of malicious activities.

The threat is very stealth, it can achieve persistence at the UEFI level with Ring 0 agent protection.

Black Lotus supports a full set of backdoor capabilities, it could be also used to potential target IT and OT environments.

Black Lotus is bringing APT capabilities to malicious actors in the threat landscape.

New UEFI rootkit Black Lotus

Tags: APT, Black Lotus, criminal forums, UEFI rootkit


Jul 19 2022

Russia-linked APT29 relies on Google Drive, Dropbox to evade detection

Category: APT,Threat detectionDISC @ 8:43 am

Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection.

Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.

The Russia-linked APT29 group (aka SVRCozy Bear, and The Dukes) has been active since at least 2014, along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The attackers used online storage services to exfiltrate data and drops their malicious payloads.

The use of legitimate cloud services is not a novelty to this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage services for the first time.

“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.” reads the analysis published by Palo Alto Network. “The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador.”

The recent campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures included in these campaigns revealed that the nation-state actors targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon.

APT29

EnvyScout is a tool that is used to further infect the target with the other implants. Threat actors used it to deobfuscate the contents of a second state malware, which is in the form of a malicious ISO file. This technique is known as HTML Smuggling.

A threat hunting activity based on the analysis of the creation time of the phishing message, producer and PDF version metadata in the sample analyzed by Palo Alto Networks, allowed the experts to identify other suspicious documents that were uploaded to VirusTotal in early April 2022.

“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents.” continues the report.

The file Agenda.html employed in the attack was used to deobfuscate a payload, and also for writing a malicious ISO file to the victim’s hard drive. The payload file is an ISO file named Agenda.iso.

Once the ISO has been downloaded, the user has to click it to start the infection chain and execute the malicious code on the target system. The user must double-click the ISO file and subsequently double-click the shortcut file, Information.lnk, to launch the infection process.

“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.” concludes the report

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: APT29, dropbox, Google drive


Apr 13 2022

China-linked Hafnium APT leverages Tarrask malware to gain persistence

Category: APT,MalwareDISC @ 8:28 am

China-linked Hafnium APT group started using a new piece of new malware to gain persistence on compromised Windows systems.

The China-backed Hafnium cyberespionage group is likely behind a piece of a new malware, dubbed Tarrask, that’s used to maintain persistence on compromised Windows systems, reported Microsoft Threat Intelligence Center (MSTIC) experts.

HAFNIUM primarily targets entities in the United States across multiple industries, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.

Microsoft Threat Intelligence Center (MSTIC) highlighted the simplicity of the technique employed by the Tarrask malware that creates “hidden” scheduled tasks on the system to maintain persistence.

Tarrask creates new registry keys upon the creation of a new task:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}
Tarrask malware

“The first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.” reads the post published by Microsoft.

In the attack analyzed by Mcirosoft, the nation-state actors created a scheduled task named ‘WinUpdate’ via HackTool:Win64/Tarrask to re-establish any dropped connections to the C2 servers.

The attackers deleted the [Security Descriptor] value within the Tree registry path. The security descriptor (SD) defines access controls for running the scheduled task.

The trick consists of erasing the SD value from the Tree registry path to make the task hidden from the Windows Task Scheduler or the schtasks command-line utility. The only way to see the tack is to manually examine the Registry Editor.

The experts pointed out that executing a “reg delete” command to delete the SD value will result in an “Access Denied” error even when run from an elevated command prompt. The only way to delete the SD value is to execute the command within the context of the SYSTEM user. For this reason, the Tarrask malware utilized token theft to obtain the security permissions associated with the lsass.exe process.

“The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.” concludes the report. “As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”

China-linked Hafnium APT leverages Tarrask malware to gain persistence

A Comprehensive Approach to Detect and Analyze Modern Malware

👇 Please Follow our LI page…

Tags: APT, Tarrask malware


Mar 24 2022

China-linked GIMMICK implant now targets macOS

Category: APT,Cyber EspionageDISC @ 8:32 am

Gimmick is a newly discovered macOS implant developed by the China-linked APT Storm Cloud and used to target organizations across Asia.

In late 2021, Volexity researchers investigated an intrusion in an environment they were monitoring and discovered a MacBook Pro running macOS 11.6 (Big Sur) that was compromised with a previously unknown macOS malware tracked as GIMMICK. The researchers explained that they have discovered Windows versions of the same implant during the past investigations.

The experts attribute the intrusion to a China-linked APT group tracked as Storm Cloud, which is known to target organizations across Asia.

The macOS version of the implant is written primarily in Objective C, while the Windows ones are in both .NET and Delphi. The implant uses public cloud hosting services (such as Google Drive) for C2 to evade detection.

Volexity worked with Apple to implement protections for the GIMMICK implant, on March 17, 2022, Apple pushed new signatures to XProtect and MRT to remove the malware.

GIMMICK

GIMMICK should be launched directly by a user, rather than a daemon, then it installs itself as a launch agent by dropping a PLIST file with contents.

“On macOS, GIMMICK was found to support being launched as a daemon on the system or by a user. Should GIMMICK be launched directly by a user, rather than a daemon, it will install itself as a launch agent by dropping a PLIST file with contents, similar to that shown below, to /Users/<username>/Library/LaunchAgents.” reads the analysis published by Volexity. “The name of the binary, PLIST, and agent will vary per sample. In the case observed by Volexity, the implant was customized to imitate an application commonly launched by the targeted user.”

During the initialization, the implant analyzed by the experts decodes several pieces of data used by the implant for its operation using a rotating addition algorithm.

The implant also supports an uninstall function accessible by adding the argument “uninstall” on the command line. The command instructs the malicious code on removing itself and all associated files, and then kills the process.

“Storm Cloud is an advanced and versatile threat actor,  adapting its tool set to match different operating systems used by its targets.” concludes the analysis published by the experts. “The work involved in porting this malware and adapting its systems to a new operating system (macOS) is no light undertaking and suggests the threat actor behind it is well resourced, adept, and versatile.”

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: cyber espionage, GIMMICK implant, macos


Jan 12 2022

Indian-linked Patchwork APT infected its own system revealing its ops

Category: APTDISC @ 9:55 am

An India-linked threat actor, tracked as Patchwork (aka Dropping Elephant), employed a new variant of the BADNEWS backdoor, dubbed Ragnatela (“spider web” in Italian), in a recent campaign. However, the group made the headlines after infecting its infrastructure with a RAT allowing researchers to analyze its operations.

The APT group has been active since at least 2015, previous operations targeted military and political individuals across the world, it shows a specific interest in organizations in Pakistan.

At the end of 2021, Malwarebytes researchers observed the APT group targeting faculty members whose research focus is on molecular medicine and biological science.

In a recent campaign, the Patchwork group carried out a spear-phishing campaign using weaponized RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT). The malicious RTF files impersonating Pakistani authorities and exploit a vulnerability in Microsoft Equation Editor to deliver and execute the final payload (RAT). Malwarebytes researchers reported that that payload is stored within the RTF document as an OLE object.

Patchwork

The Ragnatela RAT was developed in late November as seen in its Program Database (PDB) path “E:\new_ops\jlitest __change_ops -29no – Copy\Release\jlitest.pdb” and was employed in cyberespionage campaigns.

The Ragnatela RAT allows threat actors to carry out malicious actions such as:

  • Executing commands via cmd
  • Capturing screenshots
  • Logging Keystrokes
  • Collecting list of all the files in victim’s machine
  • Collecting list of the running applications in the victim’s machine at a specific time periods
  • Downing addition payloads
  • Uploading files

The list of victims of this campaign includes the Ministry of Defense- Government of Pakistan, the National Defense University of Islam Abad, the Faculty of Bio-Science, UVAS University (Lahore, Pakistan), the International center for chemical and biological sciences, the HEJ Research institute of chemistry, International center for chemical and biological sciences, the univeristy of Karachi SHU University, Molecular medicine.

“Another – unintentional – victim is the threat actor himself which appears to have infected is own development machine with the RAT. We can see them running both VirtualBox and VMware to do web development and testing. Their main host has dual keyboard layouts (English and Indian).” reads the report published by Malwarebytes.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage 

Tags: Advanced persistent threat, Attribution of Advanced Persistent Threats


Oct 01 2021

New APT ChamelGang Targets Russian Energy, Aviation Orgs

Category: APT,Information SecurityDISC @ 9:23 am

First appearing in March, the group has been leveraging ProxyShell against targets in 10 countries and employs a variety of malware to steal data from compromised networks.

A new APT group has emerged that’s specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server’s ProxyShell and leveraging both new and existing malware to compromise networks.

Researchers at security firm Positive Technologies have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities, since March. Though attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far, researchers said in a report by company researchers Aleksandr Grigorian, Daniil Koloskov, Denis Kuvshinov and Stanislav Rakovsky published online Thursday.

To avoid detection, ChamelGang hides its malware and network infrastructure under legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM and Google in a couple of unique ways, researchers observed.

more detail analysis on: New APT ChamelGang Targets Russian Energy, Aviation Orgs

Practical Threat Intelligence and Data-Driven Threat Hunting: A hands-on guide to threat hunting with the ATT&CK™ Framework and open source tools

Tags: APT ChamelGang, ATT&CK™ Framework, open source tools, Threat Hunting


Mar 13 2021

The fire in the OVH datacenter also impacted APTs and cybercrime groups

Category: APT,Cybercrime,data securityDISC @ 3:24 pm

OVH, one of the largest hosting providers in the world, has suffered this week a terrible fire that destroyed its data centers located in Strasbourg. The French plant in Strasbourg includes 4 data centers, SBG1, SBG2, SBG3, and SBG4 that were shut down due to the incident, and the fire started in SBG2 one.

The fire impacted the services of a large number of OVHs’ customers, for this reason the company urged them to implement their disaster recovery plans. 

Nation-state groups were also impacted by the incident, Costin Raiu, the Director of the Global Research and Analysis Team (GReAT) at Kaspersky Lab, revealed that 36% of 140 OVH servers used by various threat actors as C2 servers went offline. The servers were used by cybercrime gangs and APT groups, including Iran-linked Charming Kitten and APT39 groups, the Bahamut cybercrime group, and the Vietnam-linked OceanLotus APT.

Of course, the incident only impacted a small portion of the command and control infrastructure used by multiple threat actors in the wild, almost any group leverages on multiple service providers and bulletproof hosting to increase the resilience of their C2 infrastructure to takedown operated by law enforcement agencies with the help of security firms.
“In the top of ISPs hosting Command and control infrastructure, OVH is in the 9th position, according to our tracking data. Overall, they are hosting less than 2% of all the C2s used by APTs and sophisticated crime groups, way behind other hosts such as, CHOOPA.” Raiu told to The Reg.


“I believe this unfortunate incident will have a minimal impact on these groups operations; I’m also taking into account that most sophisticated malware has several C2s configured, especially to avoid take-downs and other risks. We’re happy to see nobody was hurt in the fire and hope OVH and their customers manage to recover quickly from the disaster.”

The fire in the OVH datacenter also impacted APTs and cybercrime groups

Tags: OVH datacenter


Mar 05 2021

External Remote Services

Category: Access Control,APTDISC @ 11:43 pm

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.

Access to Valid Accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Detection

Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.

Mitigations

  • Disable unnecessary external remote services.
  • Set account lockout policies to prevent password guessing.
  • Use two- or multi-factor authentication for such services.
  • Collect and monitor external remote services logs for unauthorized access


Feb 22 2021

NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Category: APT,Cyber Espionage,Cybercrime,HackingDISC @ 10:51 am

The Chinese APT group had access to an NSA Equation Group, NSA hacking tool and used it years before it was leaked online by Shadow Brokers group.

Check Point Research team discovered that China-linked APT31 group (aka Zirconium.) used a tool dubbed Jian, which is a clone of NSA Equation Group ‘s “EpMe” hacking tool years before it was leaked online by Shadow Brokers hackers.

In 2015, Kaspersky first spotted the NSA Equation Group, it revealed it was operating since at least 2001 and targeted almost any industry with  sophisticated zero-day malware.

The arsenal of the hacking crew included sophisticated tools that requested a significant effort in terms of development, Kaspersky speculated the Equation Group has also interacted with operators behind Stuxnet and Flame malware. 

Based on the evidence collected on the various cyber espionage campaigns over the years, Kaspersky experts hypothesize that the National Security Agency (NSA) is linked to the Equation Group.

Jian used the same Windows zero-day exploit that was stolen from the NSA Equation Group ‘s arsenal for years before it was addressed by the IT giant. 

In 2017, the Shadow Brokers hacking group released a collection of hacking tools allegedly stolen from the US NSA, most of them exploited zero-day flaws in popular software.

One of these zero-day flaws, tracked as CVE-2017-0005, was a privileged escalation issue that affected Windows XP to Windows 8 operating systems,

“In this blog we show that CVE-2017-0005, a Windows Local-Privilege-Escalation (LPE) vulnerability that was attributed to a Chinese APT, was replicated based on an Equation Group exploit for the same vulnerability that the APT was able to access.” reads the analysis published by CheckPoint. ““EpMe”, the Equation Group exploit for CVE-2017-0005, is one of 4 different LPE exploits included in the DanderSpritz attack framework. EpMe dates back to at least 2013 – four years before APT31 was caught exploiting this vulnerability in the wild.”

Source: NSA Equation Group tool was used by Chinese hackers years before it was leaked online

Tags: Chinese hackers, NSA Equation Group tool, Spy war, Tiger trap


Feb 09 2021

Microsoft to notify Office 365 users of nation-state attacks

Category: APTDISC @ 10:01 am

The new security alert will notify companies when their employees are being targeted by state-sponsored attacks.

Since this Saturday, the new alert service was added to the Microsoft 365 roadmap website.

“Nation state threats are defined as cyber threat activity that originates in a particular country with the apparent intent of furthering national interests. These attacks represent some of the most advanced and persistent threat activity Microsoft tracks.” reads the announcement published by Microsoft. “The Microsoft Threat Intelligence Center follows these threats, builds comprehensive profiles of the activity, and works closely with all Microsoft security teams to implement detections and mitigations to protect our customers. We’re adding an alert to the security portal to alert customers when suspected nation-state activity is detected in the tenant.”


Feb 03 2021

More SolarWinds News

Category: APT,Backdoor,MalwareDISC @ 9:30 am


Jan 29 2021

Lebanese Cedar APT group broke into telco and ISPs worldwide

Category: APTDISC @ 1:33 pm

Clearsky researchers linked the Lebanese Cedar APT group to a cyber espionage campaign that targeted companies around the world.

Clearsky researchers linked the Lebanese Cedar group (aka Volatile Cedar) to a cyber espionage campaign that targeted companies around the world.

The APT group has been active since 2012, experts linked the group to the Hezbollah militant group.

The activities of the group were first spotted by Check-Point and Kaspersky labs in 2015.

ClearSky experts linked the Lebanese Cedar group to intrusions at telco companies, internet service providers, hosting providers, and managed hosting and applications companies.

The attacks began in early 2020 and threat actors breached internet service providers in the US, the UK, Egypt, Israel, Lebanon, Jordan, the Palestinian Authority, Saudi Arabia, and the UAE.

“Based on a modified JSP file browser with a unique string that the adversary used to deploy ‘Explosive RAT’ into the victims’ network, we found some 250 servers that were apparently breached by Lebanese Cedar” reads the report published by the ClearSky. “We assess that there are many more companies that have been hacked and that valuable information was stolen from these companies over periods of months and years.”