May 29 2024

Microsoft: ‘Moonstone Sleet’ APT Melds Espionage, Financial Goals

Category: APT, Cyber Espionage, TTP, Cyber-Espionage | disc7 @ 3:59 pm

North Korea’s newest threat actor uses every trick in the nation-state APT playbook, and most of cybercrime’s tricks, too. It also developed a whole video game company to hide malware.

Researchers at Microsoft have identified a North Korean threat group carrying out espionage and financial cyberattacks concurrently, using a grab bag of different attack techniques against aerospace, education, and software organizations and developers.

In the beginning, Microsoft explained in a blog post, Moonstone Sleet heavily overlapped with the known DPRK advanced persistent threat (APT) Diamond Sleet. The newer group borrowed the older one’s malware, such as the Comebacker Trojan, as well as its infrastructure and preferred techniques, such as delivering Trojanized software via social media. Moonstone Sleet has since differentiated itself, moving to its own infrastructure and establishing a unique, if rather erratic, identity.

For one thing, where some of Kim Jong-Un’s threat groups focus on espionage and others focus on stealing money, Moonstone Sleet does both. Having its hands in every pie is reflected in its tactics, techniques, and procedures (TTPs), too, which in various cases have involved fake job offers, custom ransomware, and even a fully functional fake video game.

“Moonstone Sleet’s ability to blend traditional cybercriminal methodologies with those of nation-state actors is particularly alarming,” says Adam Gavish, co-founder and CEO at DoControl. “Their multifaceted strategies — ranging from setting up fake companies to deliver custom ransomware to using compromised tools for direct infiltration — showcase a versatility that complicates defensive measures.”

Moonstone Sleet’s Grab Bag of TTPs

To Gavish, “One tactic that stands out is their utilization of trusted platforms, like LinkedIn and Telegram, and developer freelancing websites to target victims. This exploits the inherent trust associated with these platforms, making it easier for them to trick victims into interacting with malicious content.”

To add to the realism, Moonstone Sleet uses the common North Korean strategy of engaging with victims from the perspective of a seemingly legitimate company.

From January to April of this year, for example, the group masqueraded as a software development company called “StarGlow Ventures.” With a sleek custom domain, made-up employees, and matching social media accounts, StarGlow Ventures targeted thousands of organizations in the software and education sectors. In phishing emails, the faux company complimented its victims and offered to collaborate on upcoming projects.

In other cases, the group used another fake company — C.C. Waterfall — to spread an especially creative ruse.

In emails from C.C. Waterfall since February, Moonstone Sleet has been reaching out to victims with a link to download a video game. “DeTankWar” — also called DeFiTankWar, DeTankZone, or TankWarsZone — is marketed as a community-driven, play-to-earn tank combat game. It has its own websites, and X accounts for fake personas used to promote it.

Remarkably, DeTankWar is a fully functional (if dated-looking) video game. When users launch it, however, they also load malicious DLLs through a custom loader Microsoft calls “YouieLoad.” YouieLoad loads malicious payloads into memory and creates services that probe the victim machine and collect data; on devices of interest, the operators follow up with hands-on-keyboard command execution.

Whack-a-Mole Cyber Defense

Fake companies and fake video games are just some of Moonstone Sleet’s tricks. Its members also try to get hired for remote tech jobs with real companies. It spreads malicious npm packages through LinkedIn and freelancer websites. It has its own ransomware, FakePenny, which it deploys with a ransom note lifted from NotPetya to demand millions of dollars’ worth of Bitcoin.

In the face of such varied TTPs and malicious tools, Gavish says, “The answer is fundamentally the same as for any other threat: Defenders must adopt a multi-layered security posture. This involves a combination of endpoint protection, network monitoring, and threat hunting to detect and respond to anomalous activities early.” Microsoft took a similarly broad stance in its blog, highlighting network and tamper protections, endpoint detection and response (EDR), and more steps organizations can take to layer their cyber defenses.

“Ultimately,” says Gavish, “the dynamic nature of threats like Moonstone Sleet requires a holistic and adaptive approach to cybersecurity — one that balances technical defenses with strategic intelligence and continuous vigilance.”



Tags: APT, Cyber-Espionage, Moonstone Sleet

Aug 16 2023

APTs’ use of lesser-known TTPs is no less of a headache

Category: APT, Attack Matrix | disc7 @ 9:48 am

Initially perceived as primarily targeting large corporations, advanced persistent threat (APT) attacks, often backed by state actors, have witnessed a notable surge in incidents against small and medium-sized enterprises. This expanding scope signifies that no entity is exempt, as the dynamic evolution of attack methods demands a proactive stance and ongoing fortification of security measures. This endeavor places a persistent burden on resources, especially when factoring in the diverse array of tactics, techniques, and procedures (TTPs) employed within these attacks.

Uncommon TTPs

With time, money and other resources on their side, APTs such as Cozy Bear (aka APT29), OceanLotus (aka APT32), and Grim Spider conduct technically intricate, cutting-edge attacks that can threaten any organization. A victim may also simply be collateral damage in an attack on a larger target.

While some of their TTPs – such as spear phishing, credential theft, living off the land (LOL), and data exfiltration – are well-known and widely documented, less common TTPs that APTs may use can wreak just as much havoc. These include:

Watering hole attacks: These attacks involve compromising websites that the target organization’s employees or individuals frequently visit. The attackers inject malicious code into these legitimate websites, causing visitors to download malware unknowingly. It’s a tactic that allows APTs to gain access to the target organization through the users’ systems without directly attacking them. One well-known attack involved the website of the US Department of Labor in 2013, where malicious code was injected to infect visitors’ systems and target government employees and contractors.

Island hopping: In these attacks, APTs target not only the primary victim organization but also organizations in its supply chain, partners, or affiliates. By compromising less secure third parties first, they use them as stepping stones to reach the ultimate target while avoiding direct detection. Cozy Bear targeted the Democratic National Committee in 2016 and, in 2020, reached US government agencies through the trojanized SolarWinds Orion update, an island-hopping route through a trusted software supplier.

Fileless malware: Fileless malware resides in system memory, leaving little to no trace on disk. It leverages legitimate processes and tools to carry out malicious activity, making it hard for file-centric security solutions to detect. Fileless malware can be delivered through malicious scripts (such as Office macros and PowerShell commands), malicious registry entries, LOLBins and LOLScripts, WMI/WSH, and reflective DLL injection, to name the most common vectors. APT32 (OceanLotus) used fileless malware to compromise multiple organizations in Southeast Asia, including government agencies and private companies, while evading detection and attribution.

Hardware-based attacks: APTs may use hardware-based attacks, such as compromising firmware, planting hardware implants, or manipulating peripheral devices, to gain persistence and evade traditional security measures. These attacks can be difficult to detect and remove without specialized tools and expertise. A notable example is the Equation Group’s module for reprogramming hard drive firmware, which survives disk reformatting and operating system reinstallation.

Zero-day exploits: APTs may deploy zero-day exploits against previously unknown vulnerabilities in software or hardware. These attacks can be highly effective because no patch exists at the time of use and signature-based defenses have nothing to match. Who could forget Stuxnet? The worm exploited multiple Windows zero-days to spread through isolated industrial networks and then manipulated Siemens PLC logic, making it highly effective and hard to detect.

Memory-based attacks: Memory-based attacks exploit vulnerabilities in software to gain access to sensitive data stored in the computer’s RAM. These attacks can bypass traditional security measures that focus on file-based threats. APT32, believed to be based in Vietnam, is known for using fileless malware and “living off the land” techniques to operate stealthily in the computer’s memory and evade traditional security measures.

DNS tunneling: APTs may use DNS tunneling to exfiltrate data from the victim’s network. This technique involves encoding data in DNS requests or responses, allowing the attackers to bypass perimeter security measures that may not inspect DNS traffic thoroughly. Cozy Bear used DNS tunneling to communicate with their command-and-control servers and steal sensitive information from targeted organizations in a stealthy manner.

Advanced anti-forensic techniques: APTs invest significant effort in covering their tracks and erasing evidence of their presence. They may delete logs, manipulate timestamps, or encrypt data and configuration to hinder investigation and response. The Equation Group is a case in point: its DoubleFantasy implant acts as a validator that confirms a machine is a target of interest before the more capable EquationDrug or GrayFish platforms are deployed, keeping the group’s most valuable tooling off systems where analysts might recover it.

Multi-platform or custom malware: APTs employ malware capable of targeting both Windows and macOS systems to maximize its reach. They can also deploy tailored malware, such as the Scanbox reconnaissance framework to gather intelligence. An example is APT1 (also known as Comment Crew or Unit 61398), which utilized custom malware to infiltrate and steal sensitive data from various organizations worldwide, particularly in the United States.

Password spraying: Password spraying attacks are used to gain initial access by attempting to use a few common passwords against multiple accounts. APT33 (Elfin) targeted organizations in the Middle East and globally, using password spraying to compromise email accounts and gain a foothold for further cyber-espionage activities.
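Of the TTPs listed above, DNS tunneling is the one that most rewards a concrete detection, because the evidence is in the query names themselves. The script below is an added example written for this page, not code from the article or from any vendor: it scores each registered domain in a batch of resolver logs on leftmost-label length, label entropy, unique-subdomain fan-out and the share of payload-carrying record types, and flags domains that trip several indicators at once. The log line format, the thresholds, and the example.com / static-cdn.test / evil-tunnel.test names are assumptions chosen for the example; the sample log is constructed, not a real capture.

```python
"""Heuristic DNS tunneling detector run over a batch of resolver query logs.

Per registered domain it scores four indicators that encoded-data tunnels tend
to show together and that ordinary hostnames rarely do: long leftmost labels,
high-entropy labels, many unique subdomains, and a preference for record types
that carry large payloads (TXT, NULL, CNAME).
"""
import math
import re
from collections import defaultdict

# Constructed sample log, not a real capture. Format: "<epoch> <client> <qtype> <qname>".
# The evil-tunnel.test labels are 32-character base32-alphabet strings, which is
# what chunked, encoded exfiltration looks like on the wire.
SAMPLE_LOG = """\
1691143200 10.0.0.21 A www.example.com
1691143201 10.0.0.21 A mail.example.com
1691143202 10.0.0.21 AAAA cdn.example.com
1691143203 10.0.0.21 A www.example.com
1691143204 10.0.0.30 A d1a2b3c4d5e6f7.static-cdn.test
1691143205 10.0.0.30 A d1a2b3c4d5e6f7.static-cdn.test
1691143206 10.0.0.44 TXT afkpuz6dinsx4bglqv27ejoty5chmrw3.c2.evil-tunnel.test
1691143207 10.0.0.44 TXT cjqx6fmt2bipw5elszahov4dkry7gnu3.c2.evil-tunnel.test
1691143208 10.0.0.44 TXT ep2fq3gr4hs5it6ju7kvalwbmxcnydoz.c2.evil-tunnel.test
1691143209 10.0.0.44 TXT kxer6lyfs7mzgtan2hubo3ivcp4jwdq5.c2.evil-tunnel.test
1691143210 10.0.0.44 TXT wz47cfilorux25adgjmpsvy36behknqt.c2.evil-tunnel.test
1691143211 10.0.0.44 TXT s3enw7ir2dmv6hqzclu5gpybkt4foxaj.c2.evil-tunnel.test
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+([A-Za-z0-9._-]+)$")
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}


def shannon_entropy(s: str) -> float:
    """Bits per character: ~5.0 for base32 noise, usually under 2.5 for real hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).

    Simplification for the example: the registered domain is the last two labels.
    Production code should use the Public Suffix List so that names under
    co.uk-style suffixes are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def collect_stats(log_text: str) -> dict:
    """Aggregate per-domain features from raw log lines."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the batch
        _ts, _client, qtype, qname = m.groups()
        sub, domain = split_name(qname)
        d = stats.setdefault(domain, {"queries": 0, "payload": 0, "subs": set(),
                                      "max_label": 0, "entropies": []})
        d["queries"] += 1
        d["payload"] += qtype in PAYLOAD_QTYPES
        if sub:
            d["subs"].add(sub)
            longest = max(sub.split("."), key=len)  # the label that carries the data
            d["max_label"] = max(d["max_label"], len(longest))
            d["entropies"].append(shannon_entropy(longest))
    return stats


def flag_tunnels(log_text: str, min_indicators: int = 3) -> dict:
    """Return {domain: details} for domains with at least min_indicators signals."""
    flagged = {}
    for domain, d in collect_stats(log_text).items():
        mean_ent = sum(d["entropies"]) / len(d["entropies"]) if d["entropies"] else 0.0
        indicators = {
            "long_labels": d["max_label"] >= 30,
            "high_entropy": mean_ent >= 3.2,
            "many_unique_subdomains": len(d["subs"]) >= 5,
            "payload_record_types": d["payload"] / d["queries"] >= 0.5,
        }
        hits = [name for name, hit in indicators.items() if hit]
        if len(hits) >= min_indicators:
            flagged[domain] = {"indicators": hits,
                               "unique_subdomains": len(d["subs"]),
                               "mean_entropy": round(mean_ent, 2)}
    return flagged


if __name__ == "__main__":
    for domain, info in flag_tunnels(SAMPLE_LOG).items():
        print(domain, info)
```

Single indicators are deliberately tolerated: CDN-style hostnames are high-entropy but few in number, which is what the static-cdn.test lines show, while the evil-tunnel.test queries trip all four signals. Before alerting on real resolver logs, baseline the thresholds against your own traffic, since legitimate DNS-based services (antivirus lookups, some CDNs) also generate long encoded labels.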

APTs are here to stay

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.

These TTPs underscore the diverse and advanced technical skills exhibited by different threat groups. Organizations can bolster their defenses and protect against APT incursions by studying their tactics, techniques, and procedures.

Continuous vigilance, threat intelligence, and incident response readiness are crucial elements in preparing for and sometimes thwarting these persistent and highly skilled adversaries. Understanding real-world APT attacks’ technical intricacies and TTPs is vital for organizations to enhance their defense strategies and safeguard against these persistent threats.


Tags: APT, Attacks, TTP, TTPS

Oct 17 2022

New UEFI rootkit Black Lotus offered for sale at $5,000

Category: APT, Cyber crime, Cybercrime | DISC @ 10:02 am

Black Lotus is a new, powerful Windows UEFI rootkit advertised on underground criminal forums, researcher warns.

Cybersecurity researcher Scott Scheferman reported that a new Windows UEFI rootkit, dubbed Black Lotus, is being advertised on underground criminal forums. The malware is offered for sale at $5,000, with $200 charged for each new version.

The researcher warns that the availability of this rootkit in the threat landscape represents a serious threat for organizations due to its evasion and persistence capabilities.

“Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we’ve made (e.g. Trickbot’s #Trickboot module), this represents a bit of a ‘leap’ forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction,” wrote Scheferman.

Black Lotus is written in assembly and C and is only 80 KB in size; the malicious code can be configured to avoid infecting systems in CIS countries.

The malware supports anti-virtualization, anti-debugging, and code obfuscation. Black Lotus is able to disable security features including Hypervisor-protected Code Integrity (HVCI), BitLocker, and Windows Defender. The rootkit bypasses defenses such as UAC and Secure Boot, and it can load unsigned drivers used to perform a broad range of malicious activities.

The threat is very stealthy: it achieves persistence at the UEFI level with Ring 0 agent protection.

Black Lotus supports a full set of backdoor capabilities and could also be used to target both IT and OT environments.

Black Lotus is bringing APT capabilities to malicious actors in the threat landscape.

New UEFI rootkit Black Lotus

Tags: APT, Black Lotus, criminal forums, UEFI rootkit

Apr 13 2022

China-linked Hafnium APT leverages Tarrask malware to gain persistence

Category: APT, Malware | DISC @ 8:28 am

China-linked Hafnium APT group started using a new piece of new malware to gain persistence on compromised Windows systems.

The China-backed Hafnium cyberespionage group is likely behind a new piece of malware, dubbed Tarrask, that is used to maintain persistence on compromised Windows systems, the Microsoft Threat Intelligence Center (MSTIC) reported.

HAFNIUM primarily targets entities in the United States across multiple industries, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control.

Microsoft Threat Intelligence Center (MSTIC) highlighted the simplicity of the technique employed by the Tarrask malware that creates “hidden” scheduled tasks on the system to maintain persistence.

Tarrask creates new registry keys upon the creation of a new task:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\TASK_NAME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{GUID}

“The first subkey, created within the Tree path, matches the name of the scheduled task. The values created within it (Id, Index, and SD) contain metadata for task registration within the system. The second subkey, created within the Tasks path, is a GUID mapping to the Id value found in the Tree key. The values created within (Actions, Path, Triggers, etc.) contain the basic parameters necessary to facilitate execution of the task.” reads the post published by Microsoft.

In the attack analyzed by Microsoft, the nation-state actors created a scheduled task named ‘WinUpdate’ via HackTool:Win64/Tarrask to re-establish any dropped connections to the C2 servers.

The attackers then deleted the SD (security descriptor) value within the Tree registry path. The security descriptor defines the access controls that govern the scheduled task.

The trick consists of erasing the SD value from the Tree registry path, which hides the task from the Windows Task Scheduler and from the schtasks command-line utility while leaving the task definition under the Tasks key intact, so the task keeps running. The only way to see the task is to examine the registry manually.

The experts pointed out that running a “reg delete” command to remove the SD value results in an “Access Denied” error even from an elevated command prompt. The value can only be deleted in the context of the SYSTEM user. For this reason, Tarrask uses token theft to obtain the security permissions associated with the lsass.exe process.
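The registry detail above translates directly into a check. The following Python script is an added example for this page, not Microsoft’s tooling: it parses a Registry Editor export of the TaskCache key, lists Tree entries that carry an Id but no SD value, and reports whether a matching Tasks\{GUID} definition still exists, which is what distinguishes a hidden-but-live task from a stale folder node. The sample export, its GUIDs and its hex blobs are constructed for the example (real SD and Triggers values are much longer); the .reg parsing assumes the quoted-name and backslash-continuation layout that reg export produces.

```python
r"""Offline check for Tarrask-style hidden scheduled tasks.

Tarrask deletes the SD (security descriptor) value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<task>.
Task Scheduler and schtasks then stop listing the task, but its Tasks\{GUID}
definition (Path, Actions, Triggers) remains and still fires. This script parses
a Registry Editor export (.reg) of TaskCache and reports Tree entries that have
an Id but no SD, plus whether a task definition for that Id is still present.
"""
import re

TASKCACHE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache"
TREE_PREFIX = TASKCACHE + r"\Tree" + "\\"
TASKS_PREFIX = TASKCACHE + r"\Tasks" + "\\"

# Constructed sample export: GUIDs and hex blobs are made up and shortened.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Defrag\ScheduledDefrag]
"Id"="{0D3B5A6E-1F2C-4B7D-9E8F-A1B2C3D4E5F6}"
"Index"=dword:00000003
"SD"=hex:01,00,04,80,14,00,00,00,20,00,00,00,00,00,00,00,2c,00,00,00,\
  02,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WinUpdate]
"Id"="{7F2E9C41-5B3A-4D6E-8F90-1A2B3C4D5E6F}"
"Index"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0D3B5A6E-1F2C-4B7D-9E8F-A1B2C3D4E5F6}]
"Path"="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"
"Triggers"=hex:17,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7F2E9C41-5B3A-4D6E-8F90-1A2B3C4D5E6F}]
"Path"="\\WinUpdate"
"Triggers"=hex:17,00,00,00,00,00,00,00
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _logical_lines(text: str):
    """Yield .reg lines with hex continuation lines (trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def reg_string(raw: str) -> str:
    """Decode a REG_SZ literal from a .reg export (strip quotes, unescape backslashes and quotes)."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: raw_data}}; data is left as written in the export."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_hidden_tasks(reg_text: str) -> list:
    """Tree entries with an Id but no SD value, i.e. tasks hidden the Tarrask way."""
    keys = parse_reg(reg_text)
    tree = {k[len(TREE_PREFIX):]: v for k, v in keys.items() if k.startswith(TREE_PREFIX)}
    tasks = {k[len(TASKS_PREFIX):]: v for k, v in keys.items() if k.startswith(TASKS_PREFIX)}
    findings = []
    for name, values in tree.items():
        if "Id" not in values or "SD" in values:
            continue
        task_id = reg_string(values["Id"])
        definition = tasks.get(task_id, {})
        findings.append({
            "name": name,
            "id": task_id,
            # A matching Tasks\{GUID} entry means the scheduler still holds a
            # runnable definition even though the task is no longer listed.
            "in_tasks_cache": task_id in tasks,
            "path": reg_string(definition.get("Path", '""')),
        })
    return findings


if __name__ == "__main__":
    for f in find_hidden_tasks(SAMPLE_REG):
        print(f"hidden task {f['name']} id={f['id']} "
              f"definition_present={f['in_tasks_cache']} path={f['path']}")
```

To collect input on a live host, run `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache" taskcache.reg` from an elevated prompt; reg export writes UTF-16, so open the file with encoding="utf-16" before passing its text to find_hidden_tasks. A missing SD alone is a lead, not proof: confirm against the task’s Actions value and, where task creation auditing is enabled, the Security log event 4698 for the original registration.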

“The attacks we described signify how the threat actor HAFNIUM displays a unique understanding of the Windows subsystem and uses this expertise to mask activities on targeted endpoints to maintain persistence on affected systems and hide in plain sight.” concludes the report. “As such, we recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”

China-linked Hafnium APT leverages Tarrask malware to gain persistence


Tags: APT, Tarrask malware

Nov 12 2020

Costaricto APT: Cyber mercenaries use previously undocumented malware

Category: Malware | DISC @ 3:28 pm

CostaRicto APT is targeting South Asian financial institutions and global entertainment companies with an undocumented malware.

BlackBerry researchers have documented the activity of a hackers-for-hire group, dubbed CostaRicto, that has been spotted using a previously undocumented piece of malware to target South Asian financial institutions and global entertainment companies.

“During the past six months, the BlackBerry Research and Intelligence team have been monitoring a cyber-espionage campaign that is targeting disparate victims around the globe.” reads the analysis published by BlackBerry. “The campaign, dubbed CostaRicto by BlackBerry, appears to be operated by “hackers-for-hire”, a group of APT mercenaries who possess bespoke malware tooling and complex VPN proxy and SSH tunnelling capabilities.”

Source: Costaricto APT: Cyber mercenaries use previously undocumented malware


Tags: Advanced persistent threat, APT, Cyber mercenaries

Dec 04 2012

Advanced Persistent Threats are the main challenge for businesses

Category: cyber security, ISO 27k | DISC @ 11:27 am

Advanced Persistent Threats are the top infosecurity challenge for businesses in 2013

Mitigating Advanced Persistent Threats (APTs) is going to be a main challenge and should be the highest of information security priorities for businesses in 2013, according to governance, risk management and compliance firm IT Governance.

The latest APT threats should be taken into account in an organization’s risk assessment process and, depending on the current vulnerabilities, treated according to the organization’s risk appetite. Risk appetite, or risk threshold, is where an organization draws the line between accepting and treating a given risk.

Alan Calder, Chief Executive of IT Governance, says: “Today, through benign neglect, staff carelessness or insufficient preparation, every business, large and small, is vulnerable to cyberattack. ITG Top 10 identifies the biggest online threats to your business in the coming year and shows how you can tackle these.”

1. Advanced Persistent Threats: APTs refer to coordinated cyberactivities by sophisticated criminals and state-level entities. With the aim of stealing information or compromising information systems, these target governments and corporations which have valuable intellectual property. By their very nature, manufacturing and the high-tech, oil and gas, finance and pharmaceutical industries all come under the greatest threat of attack by APTs. While there’s no single, stand-alone solution, coordinated and integrated preparations can help you rebuff, respond to and recover from possible attacks. Adopting ISO27001, the best practice infosecurity standard, is the most practical way for companies to develop and implement a tailor-made and comprehensive cybersecurity management system to counter the APT threat.

2. Cyberwar: Cyberespionage and cyberterrorism have become a major threat to UK and US governments. In the form of high-profile malware attacks, state-backed entities are seeking commercial advantage against international competitors, as well as preparing for a new front in modern warfare. China is the best known example of a state believed to engage in such activities, so much so that many larger corporations now forbid employees from taking their laptops on business trips into China for fear of data loss. Effective, enterprise-wide cyber-defence must therefore be in place at all levels, to provide strategic, tactical and operational protection, alongside linkages between operational management, operational processes and technical controls.

3. Cybercrime: As opposed to APTs or cyberwar, cybercrime is a threat to every individual and organisation, no matter how small. Cybercriminals exploit modern technologies in order to commit criminal activities, ranging from identity theft to the penetration of online financial services. All businesses should implement an integrated cybersecurity strategy which, among other issues, includes securing your cyber-perimeter to making sure that your staff are trained to recognise and respond to social engineering attacks and follow a well-thought-out social media strategy.

4. Personal data protection: 2012 has seen a slew of data breaches involving the theft of customers’ personal information. This trend will continue unless businesses change their approach to handling personal data. The proposed new EU Data Protection regulation aims to strengthen individual rights and tackle the challenges of globalisation and new technologies. The EU Commission is also putting pressure on businesses to tighten information security measures. Again, the most logical and sensible way to do this is via ISO27001 implementation and certification.

5. Mobile security: USB devices, laptops, tablets and mobile phones make it very easy for employees to transport massive amounts of information out of the door – potentially to your rivals. Also, whenever employees save username and password data onto their mobile devices, they make it exceptionally easy for fraudsters to crack the passwords of a range of applications, thereby increasing cyber risk. All confidential information stored on these devices must be encrypted to avoid data breaches as a result of theft or loss.

6. Data security: Given that many data breaches are due to human error, insider threats play a significant role. Continuous staff awareness training is essential, but companies also need to manage access to data as part of the overall information security management system. For example, restrict access to people with a ‘business need to know’, or set up a unique ID for users which, combined with logging and audits, protects against the ‘insider’.

7. Bring Your Own Device: BYOD policies are becoming the norm at a growing number of both companies and state organisations. Protecting and controlling company data on your staff’s personal mobile devices poses a stiff challenge – best answered by implementing a mobile device management policy.

8. Identity theft: Identity fraud, which involves someone pretending to be somebody else for financial or other gain, is rife. We all need to be aware of ‘phishing’ and ‘pharming’ emails, but we also need to be wary of how we use social media and how much personal information we provide. Antivirus software and spyware removal software alone cannot protect against these attacks. Effort also needs to go into user education to cut exposure to risk.

9. Payment Card Security: Ever-growing numbers of payment cards are being threatened as a result of the migration of payment apps onto mobile devices. Companies should apply regular website security testing, known as ‘vulnerability scanning’, which should be conducted by qualified ethical hackers. It’s also important to regularly apply all relevant patches, and to have a basic understanding of common hacking techniques and new threats and computer viruses.

10. Cloud continuity and security: If you are using a Cloud provider for mission-critical applications and data storage, check the contract carefully. What security policies does the provider have in place? Do they have ISO27001 certification? Evaluate the risks of using a Cloud provider and make them part of your own information security management system.

Tags: Advanced persistent threat, APT, Corporate governance of information technology, Information Security, iso 27001, threat