The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT10, Charming Kitten, China, Cycldek, Hancitor, Malspam, North Korea, Phishing, TA453, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: April 5, 2021)
A new sophisticated Chinese campaign was observed between June 2020 and January 2021, targeting government, military and other critical industries in Vietnam and, to a lesser extent, in Central Asia and Thailand. This threat actor uses a “DLL side-loading triad” previously mastered by another Chinese group, LuckyMouse: a legitimate executable, a malicious DLL to be side-loaded by it, and an encoded payload, generally dropped from a self-extracting archive. But the code origins of the new malware used in different stages of this campaign point to a different Chinese-speaking group, Cycldek.
Analyst Comment: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth: do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe.
MITRE ATT&CK: [MITRE ATT&CK] DLL Side-Loading – T1073 | [MITRE ATT&CK] File Deletion – T1107
Tags: Chinese-speaking, Cycldek-related
(published: April 1, 2021)
Hancitor is an information stealer and malware downloader used by a threat actor designated as MAN1, Moskalvzapoe or TA511. The initial infection requires the target to click a link in a malspam email, then click a link on the Google Docs page that opens, and finally click to enable macros in the downloaded Word document. In recent months, this actor began using a network ping tool to help enumerate the Active Directory (AD) environment of infected hosts; it generates approximately 1.5 GB of Internet Control Message Protocol (ICMP) traffic.
Analyst Comment: Organizations should use email security solutions to block malicious and spam emails. All email attachments should be scanned for malware before they reach the user’s inbox. IPS rules need to be configured properly to identify reconnaissance attempts (e.g., port scans or ping sweeps) and give early indication of a potential breach.
MITRE ATT&CK: [MITRE ATT&CK] Remote System Discovery – T1018 | [MITRE ATT&CK] Remote Access Tools – T1219 | [MITRE ATT&CK] Rundll32 – T1085 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] System Information Discovery – T1082
Tags: Hancitor, Malspam, Cobalt Strike
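The ping-based AD enumeration described above is noisy: one infected host sends ICMP echo requests to hundreds of distinct internal addresses in a short window. The following detection logic is an added example, not code from the original Anomali report; it runs over a constructed flow log (fields assumed: timestamp, src, dst, proto, icmp_type, bytes) and flags sources that reach an unusual number of distinct hosts within one minute.

```python
"""Flag hosts whose ICMP echo traffic looks like a ping sweep.

Constructed flow records (not real telemetry), one per line:
<timestamp> <src> <dst> <proto> <icmp_type> <bytes>
"""
from collections import defaultdict

# Constructed sample: 10.0.5.21 behaves normally, 10.0.5.77 pings 300
# distinct internal hosts within the 10:01 minute (sweep-like behaviour).
SAMPLE_FLOWS = [
    "2021-03-29T10:00:01 10.0.5.21 10.0.5.1 icmp 8 84",
    "2021-03-29T10:00:02 10.0.5.21 10.0.5.200 icmp 8 84",
    "2021-03-29T10:00:03 10.0.5.1 10.0.5.21 icmp 0 84",   # echo reply, ignored
] + [
    f"2021-03-29T10:01:{i % 60:02d} 10.0.5.77 10.0.{i // 256}.{i % 256} icmp 8 84"
    for i in range(1, 301)
]


def parse_flow(line):
    """Split one flow record into a dict with typed fields."""
    ts, src, dst, proto, icmp_type, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "icmp_type": int(icmp_type), "bytes": int(nbytes)}


def icmp_sweep_sources(lines, min_targets=100):
    """Return {(src, minute): (distinct_dst_count, total_bytes)} for every
    source that sent ICMP echo requests (type 8) to at least `min_targets`
    distinct destinations within a single one-minute bucket.

    The minute bucket is the timestamp truncated to 'YYYY-MM-DDTHH:MM'.
    """
    targets = defaultdict(set)   # (src, minute) -> set of destinations
    total = defaultdict(int)     # (src, minute) -> bytes sent
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "icmp" or f["icmp_type"] != 8:
            continue             # only echo requests count toward a sweep
        key = (f["src"], f["ts"][:16])
        targets[key].add(f["dst"])
        total[key] += f["bytes"]
    return {key: (len(dsts), total[key])
            for key, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for (src, minute), (n_hosts, n_bytes) in icmp_sweep_sources(SAMPLE_FLOWS).items():
        print(f"{src} pinged {n_hosts} hosts in {minute} ({n_bytes} bytes)")
```

Tune `min_targets` to your environment; monitoring and inventory hosts legitimately ping many addresses and belong on an allow list.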
(published: March 31, 2021)
Threat Analysis Group (TAG) first discovered the campaign back in January. In mid-March, TAG analysts observed the North Korea-sponsored group had launched a fake security company, ‘SecuriElite,’ with its own website. The new website claims the company is an offensive security company located in Turkey that offers pen-tests, software security assessments and exploits.
Analyst Comment: We recommend blocking the SecuriElite website and related email addresses. Also, send a notification to researchers and SecOps teams in your company listing the Twitter and LinkedIn profiles related to this company, asking them to report and block those profiles.
Tags: SecuriElite, North Korean threat group
Cheating The Cheater: How Adversaries are Using Backdoored Video Game Cheat Engines and Modding Tools
(published: March 31, 2021)
A new cryptor has been used in several different malware campaigns, hidden in seemingly legitimate files that users would usually download to install cheat codes into video games or other visual and game modifications. The cryptor uses Visual Basic 6 along with shellcode and process injection techniques. A malicious file packed with the VB6 cryptor in reality acts as a loader, for example, for the information stealer XtremeRAT. These types of attacks are a return to form for classic virus campaigns: video game players are no strangers to trying to avoid malicious downloads while trying to change the way some games are presented.
Analyst Comment: Targeting of the gaming industry is often underestimated; however, there is a lot of money in gaming. Threat actors can always pivot and use the compromised gaming machine for ransom or for stealing banking information.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] System Network Configuration Discovery – T1016
Tags: Malware campaign, Video game mods, Mod developing
(published: March 30, 2021)
Security researchers have linked a late-2020 phishing campaign aimed at stealing credentials from 25 senior professionals at medical research organizations in the United States and Israel to an advanced persistent threat group with links to Iran called TA453 (Charming Kitten, Phosphorus, Ajax). The campaign, dubbed BadBlood because of its medical focus and the history of tensions between Iran and Israel, aimed to steal credentials of professionals specializing in genetics, neurology and oncology research. “While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be the result of a specific short-term intelligence collection requirement,” the team wrote.
Analyst Comment: Spearphishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company's email account is compromised and used for such emails. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spearphishing attack.
MITRE ATT&CK: [MITRE ATT&CK] System Network Configuration Discovery – T1016
Tags: TA453, Charming Kitten, BadBlood Campaign
(published: March 30, 2021)
A41APT is a long-running campaign with activities detected from March 2019 to the end of December 2020. APT10 leveraged vulnerabilities in Pulse Connect Secure in order to hijack VPN sessions, or took advantage of system credentials that were stolen in previous operations. Ecipekac is a sophisticated multi-layer loader module used to deliver payloads such as SodaMaster.
Analyst Comment: Defense-in-depth is an effective way to help mitigate potential APT activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and endpoint security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.
MITRE ATT&CK: [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] PowerShell – T1086 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Exploitation of Remote Services – T1210
Tags: APT10, A41APT campaign, Ecipekac loader, QuasarRAT
(published: March 29, 2021)
The vulnerabilities could allow a malicious user to access data belonging to other users. If left unpatched, they mean existing Spectre protections will not be sufficient to prevent some exploitation techniques. The vulnerabilities were discovered by Piotr Krysiuk, a security researcher on Symantec’s Threat Hunter team.
Analyst Comment: It is important that your company has patch-maintenance policies in place, particularly when there are Bring Your Own Device (BYOD) policies in use. Once a vulnerability has been reported in open sources, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Redundant Access – T1108 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068
Tags: CVE-2020-27170, CVE-2020-27171