Search This Blog

Showing posts with label Cobalt Strike. Show all posts

Anonymous Hacker Targets Cobalt Strike Servers Linked to Former Conti Gang Members

 

An anonymous hacking group launched DDoS assaults on Cobalt Strike servers handled by former Conti ransomware members with anti-Russian texts to halt their operation. 

Earlier this year in May, the Conti ransomware gang permanently switched off its operation but its members joined other groups, such as Quantum, Hive, and BlackCat. However, former Conti members continued employing the same Cobalt Strike infrastructure to launch new attacks. 

The hackers flooded the CS servers employed by Conti hackers to control the Cobalt Strike (CS) with anti-Russian texts such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!” 

According to Vitali Kremez, the CEO of cyber intelligence company Advanced Intelligence (AdvIntel), the hackers targeted at least four Cobalt Strike servers by former Conti gang members. 

The messages are flooding the servers at a rapid rate of nearly two every second resulting in the disruption of Conti ransomware operations. Kremez says whoever is behind this activity constantly targeting Cobalt Strike servers is believed to be operated by previous Conti ransomware members, resuming the flood whenever a new server is discovered. 

“Red teamers operating Cobalt Strike infrastructure to help identify gaps for organizations need to ensure that they are properly protecting their infrastructure,” stated Jerrod Piker, threat analyst at Deep Instinct. “DoS/DDoS protection is necessary as evidenced by the recent Conti group attacks, as well as advanced malware prevention, identity protection, and access control. Attackers will always look for and eventually discover low-hanging fruit, so we have to ensure that we make their discovery process as difficult as possible.” 

Conti is one of the most prolific ransomware groups of the last year along with LockBit 2.0, PYSA, and Hive, and has blocked hospital, corporate, and government agency networks while demanding ransom for sharing the decryption key as part of their name-and-shame scheme. 

After the ransomware gang sided with Russia in February to invade Ukraine, an anonymous pro-Ukraine hacktivist under the Twitter handle ContiLeaks released the malware source code, credentials, chat logs, and operational workflows.

Hackers getting the taste of their own medicine 

It remains unclear who is behind these messages but for the moment they’re keeping the hackers busy. Last month, the LockBit ransomware gang suffered a DDoS attack disrupting its operation. The attack was launched after the gang claimed responsibility for a hack on security firm Entrust earlier this year. 

The hackers blamed the DDoS on Entrust since the HTTPS requests came with the message to delete the company’s data. However, the halt was temporary and the ransomware gang came online with enhanced infrastructure allowing them to keep the stolen data intact even when facing distributed denial-of-service (DDoS) attacks.

Infrastructure Used in Cisco Hack is the same used to Target Workforce Management Solution Firm


Hackers Attack Organization using Cisco Attack Infrastructure
 

Experts from cybersecurity firm eSentire found that the attack infrastructure used in recent Cisco hack was also used in targeting a top Workforce management corporation in April 2022. 

They also observed that the attack was executed by a threat actor called as mx1r, who is an alleged member of the Evil Corp affiliate cluster called UNC2165.

What is UNC2165?

The UNC2165 is in action since 2019, it was known for using the FAKEUPDATES infection chain (aka UNC1543) to get access to victims' networks. 

Experts observed that FAKEUPDATES was also used as the initial infection vector for DRIDEX infections which were used to execute BITPAYMER or DOPPELPAYMER in the final stage of the attack. 

Hades ransomware was also used

Earlier, the UNC2165 actors also used the HADES ransomware. As per eSentire, the hackers accessed the workforce management corporation's IT network via stolen Virtual Private Network (VPN) credentials. 

The experts found various underground forum posts, from April 2022, where mx1r was looking for VPN credentials for high-profile organizations. 

They also found posts on a Dark Web access broker auction site where a threat actor was buying VPN credentials for big U.S companies. 

Experts also find Cobalt Strike 

The researchers also discovered the attackers attempting to move laterally in the network via a set of red team tools, this includes Cobalt strike, network scanners, and Active Domain crawlers. 

The attackers used Cobalt Strike and were able to have initial foothold and hands-on-actions were quick and swift from the time of initial access to when the attacker could enlist their own Virtual Machine on the target VPN network. 

eSentire researchers also noticed the attacker trying to launch a Kerberoasting attack (cracking passwords in Windows Active Directory via the Kerberos authentication protocol) which is also in line with the TTPs of the Evil Corp affiliate/UNC2165. 

eSentire experts discovered the attack

TTPs of the attack that attacked the workforce management corporation are similar with Evil Corp, while the attack infrastructure used matches that of a Conti ransomware affiliate, who has been found using Hive and Yanlukwang ransomware. eSentire traces this infrastructure cluster as HiveStrike. 

"It seems unlikely – but not impossible – that Conti would lend its infrastructure to Evil Corp. Given that Mandiant has interpreted UNC2165´s pivot to LockBit, as an intention to distance itself from the core Evil Corp group, it is more plausible that the Evil Corp affiliate/UNC2165 may be working with one of Conti’s new subsidiaries. Conti’s subsidiaries provide a similar outcome – to avoid sanctions by diffusing their resources into other established brands as they retire the Conti brand,” eSentire report concludes. “It’s also possible that initial access was brokered by an Evil Corp affiliate but ultimately sold off to Hive operators and its affiliates.”



Upcoming Crimeware is Driven by Cobalt Strike

Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.

Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Utilizing research queries derived by examining the toolkit, how sliver functions, its components, and malicious activity using it can be found.

Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.

Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.

Hackers have developed alternatives as Cobalt Strike's defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.

According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.

Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. The gang in the past, has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.

State-sponsored actors in Russia, especially APT29 also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).

Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.

Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Hackers can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols DNS, HTTP/TLS, MTLS, and TCP, accepts implants/operator connections, and can host files to imitate legitimate web servers.

Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.

Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don't have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.


'DarkTortilla' Crypter Produces Targeted Malware 

Researchers from Secureworks examined "DarkTortilla," a.NET-based crypter used to distribute both well-known malware and custom payloads. 

Agent Tesla, AsyncRat, NanoCore, and RedLine were among the information stealers and remote access trojans (RATs) delivered by DarkTortilla, which has probably been active since 2015. It was also detected distributing specific payloads like Cobalt Strike and Metasploit.

Software tools known as crypters enable malware to evade detection by security programs by combining encryption, obfuscation, and code manipulation.

Averaging 93 samples each week between January 2021 and May 2022, the highly adjustable and complicated crypter can also be used to send add-ons, such as additional payloads, decoy documents, and executables. It also looks to be particularly popular among hackers.

SecureWorks analysts have discovered code resemblances with a crypter employed by the RATs Crew threat organization between 2008 and 2011 as well as with malware discovered in 2021, Gameloader.

The malicious spam emails that transmit DarkTortilla include archives with an executable for an initial loader that is used to decode and run a core processor module, either hidden within the email itself or downloaded through text-storage websites like Pastebin.

The researchers have found spam email samples in English, German, Italian, Bulgarian, Romanian, and Spanish languages. These emails are adapted to the target's language.

A complex configuration file that enables the core processor to drop add-on packages like keyloggers, clipboard stealers, and cryptocurrency miners is then used to establish persistence and inject the main RAT payload into memory without leaving a trace on the file system.

The anti-tamper safeguards utilized by DarkTortilla are also significant since they guarantee that both processes used to run the components in memory are restarted right away after termination.

A second executable called a WatchDog, which is intended to monitor the targeted process and rerun it if it is destroyed, specifically enables the persistence of the first loader.

In addition to performing anti-VM and anti-sandbox checks, achieving persistence, migrating execution to the 'tmp' folder, processing add-on packages, and migrating execution to its install directory, DarkTortilla's core processor can be configured to do these things.

To prevent interference with the execution of DarkTortilla or the payload, it then injects its payload within the context of the configured subprocess and, if configured, can also provide anti-tamper protections.

This method is similar to the one used by the threat actor Moses Staff, who was discovered earlier this year using a watchdog-based strategy to prevent any interruption of his payloads. Two additional controls are also used to ensure the persistence of the initial loader as well as the continuing execution of the dumped WatchDog software itself.

Over 17 months from 2021 to May 2022, Secureworks claimed to have found an average of 93 different DarkTortilla samples being posted to the VirusTotal malware database per week. Only roughly nine of the 10,000 samples monitored during that period were used to propagate ransomware, with seven distributing Babuk and two more distributing MedusaLocker.






Sophos: Employing Stolen Session Cookies to Navigate MFA & Access Networks

Hackers on the internet keep getting better. Stealing cookies from recently completed or ongoing web sessions is one new strategy they have been employing to avoid multi-factor authentication (MFA). 

Recently, Sophos researchers reported a new attack technique that is already becoming more prevalent. According to the researchers, the "cookie-stealing cybercrime spectrum" is vast, encompassing entry-level hackers as well as sophisticated rivals who employ a variety of strategies. 

On dark web forums, cybercriminals purchase stolen credentials in bulk or collect cookies. Because ransomware groups exploit genuine executables, both those that are already present and those that are added as tools, 'their operations may not be detected by simple anti-malware defenses.'

Cookie theft

Cookies are used by cloud infrastructures as well for user authentication. It's becoming simpler for entry-level attackers to engage in credential theft thanks to the malware-as-a-service sector. 

For instance, all they need to do is purchase a copy of an information-stealing Trojan like Raccoon Stealer to bulk collect information like cookies and passwords and then sell them on illicit markets like Genesis. Once this data is purchased, other criminals in the attack chain, such as ransomware developers, can search through it for anything they think would help their attacks. 

In contrast hand, in two of the most recent events that Sophos studied, the attackers adopted a more focused strategy. For one event, the hackers infiltrated a target's network for months in order to collect cookies from the Microsoft Edge browser. The attackers employed Cobalt Strike and Meterpreter activity to take advantage of a legal compiler tool in order to scrape access tokens after the initial penetration occurred via an exploit kit.

The attackers dropped a malicious payload that scraped cookie files for a week using a legal Microsoft Visual Studio component.

"Although mass cookie theft has been an issue, hackers are using a far more focused and efficient method to steal cookies. There is no limit to the kinds of nefarious activities attackers might engage in with stolen session cookies now that so much of the workplace is web-based. Hackers have the power to alter cloud infrastructures, corrupt corporate email, persuade other staff members to download malware, and even modify product code. Their own imagination is their only constraint," said Sean Gallagher, principal threat researcher at Sophos.

Cookies Access Systems Against Safety Protocols

According to Digital Trends, hackers are able to abuse different online tools and services as a result of cookie theft. This exploitation can occur in browsers, web-based programs, web services, malware-infected emails, and ZIP files. Since cookies are so popular, hacking with them is a sophisticated practice.

Sophos lists Emotet botnet as one cookie-stealing virus that preys on data in the Google Chrome browser. Acquiring data from credit cards and saved logins are the objectives. Even if the browser is encrypted and uses multifactor authentication, the Emotet botnet can still gather login information.

Ransomware organizations also gather cookies. As hackers exploit genuine executables that are both already present and ones that can bring with them tools, simple anti-malware defenses are unable to detect their actions, according to eSecurity Planet.

Networks Breached via Bumblebee Loader


The Bumblebee loader is increasingly being used by hackers linked to the IcedID, TrickBot, and BazarLoader malware to infiltrate target networks and carry out additional post-exploitation operations.

When Google's Threat Analysis Group (TAG) exposed the actions of an initial access broker named Exotic Lily with connections to the TrickBot and the bigger Conti collectives in March 2022, Bumblebee initially came to light.

What is Bumblebee?

Researchers discovered that Bumblebee is a successor for the malware known as BazarLoader, which previously distributed the Conti ransomware.

Spam emails are where the Bumblebee virus first appears. The malicious Dynamic Link Library (DLL) file is finally dropped by the ISO file that can be downloaded using the link in this email. On the victim's computer, the DLL file continues to load Bumblebee's ultimate payload.

An identical replica of the data found on an optical disc, such as a CD or DVD, is stored in an archive file called an ISO file. They are primarily employed to distribute huge file sets intended for burning onto optical discs or backup optical discs.

Analysis by experts 

According to Cybereason, most Bumblebee infections were initiated by end users executing LNK files, which load the malware via a system binary.

As per experts from Cybereason Meroujan Antonyan and Alon Laufer, "the virus is distributed by phishing emails with an attachment or a link to the malicious archive containing Bumblebee."

Bumblebee operators apparently did extensive surveillance after system compromise and diverted command execution output to files for exfiltration.

The loader is launched using the command found in the LNK file, which serves as a conduit for subsequent steps including persistence, privilege escalation, reconnaissance, and data theft.

After attaining elevated access to infected endpoints, the threat actor also uses the Cobalt Strike adversary simulation framework to move laterally throughout the network. By deploying AnyDesk remote desktop software, persistence is achieved.

The technical report stated that the hackers 'disrupted Active Directory and used confidential data such as users' logins and passwords for lateral movement. Less than two days passed between the initial access and the compromising of Active Directory.

Cybereason asserts that Bumblebee needs to be handled as a serious threat due to the attack's proactivity.


Gootkit Loader: Targets Victims via Flawed SEO Tactics

 

Gootkit previously concealed dangerous files using freeware installers and now, it is deceiving users to download these files by engineering them as lawful documents. Looking at a flag for a PowerShell script, researchers were able to stop it from doing any harm and from delivering its payload. This approach was discovered through managed extended detection and response (MxDR). 

In order to compromise unwary users, the creators of the Gootkit access-as-a-service (AaaS) virus have reemerged. Gootkit has a history of disseminating threats including the SunCrypt ransomware, REvil (Sodinokibi) malware, Kronos trojans, and Cobalt Strike via fileless tactics.

The discoveries add to a prior report by eSentire, which stated in January that numerous attacks targeted the staff of accounting and law companies to propagate malware on compromised systems.

Gootkit is a tool of the rising underground ecosystem of access brokers, who are well-known for charging money to provide other hackers access to corporate networks, opening the door for real destructive operations like ransomware.
 
Upgraded Tactics

A search engine user initiates the attack chain by entering a specific query. A website infiltrated by Gootkit operators is displayed among the results using a black SEO method used by hackers.

The website is presented to the victim as an online forum that answers his question directly when they visit it. The malicious.js code, which is used to create persistence and inject a Cobalt Strike binary into the target system's memory, was housed in a ZIP download that was made available by this forum.

"The obfuscated script that was run when the user downloaded and accessed this file used registry stuffing to install a section of encrypted codes in the registry and add scheduled tasks for persistence. Then, utilizing PowerShell's reflective loading of the encrypted registry code, the Cobalt Strike binary that runs entirely in memory was rebuilt," reads Trend Micro's analysis.

Experts drew attention to the fact that proprietary text replacement technology has replaced base64 encoding in encrypted registries.

The Cobalt Strike binary loaded straight into the victim's system's RAM has been seen connecting to the Cobalt Strike C2's IP address, which is 89[.]238[.]185[.]13. The major payload of Cobalt Strike, a tool used for post-exploitation actions, is the beacon component.

Defensive measures

This case demonstrates,  that Gootkit is still active and developing its methods. This danger demonstrates that SEO poisoning continues to be a successful strategy for enticing unwary users. 

User security awareness training, which tries to enable people to identify and defend themselves against the most recent risks, is something that organizations can do to help. 

This incident emphasizes the value of round-the-clock supervision. Notably, cross-platform XDR stopped this assault from getting worse since it allowed us to rapidly isolate the compromised system and prevent the threat from causing more harm to the network.

LockBit Ransomware Exploits Windows Defender to Load Cobalt Strike Payloads

 

A hacker linked with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been identified exploiting the Windows Defender command-line tool to decrypt and install Cobalt Strike payloads.

According to endpoint security firm SentinelOne, the ransomware operator exploited VMware command-line utility called VMwareXferlogs.exe, to alter VMware tool settings and interface in the targeted operating systems, and downloaded a Cobalt Strike payload. The hacker also leveraged a command line tool associated with Windows Defender named “MpCmdRun.exe to” decrypt and load Cobalt Strike payloads. 

Subsequently, the malicious actor exploited the Log4Shell vulnerability which is the bug found in an open-source logging library employed by apps and services across the internet, and implemented a reconnaissance for thorough observation of the network to download the Cobalt Strike Payload.

SentinelOne stated that Windows Defender needs to be vigilant regarding the current scenario as hackers associated with the LockBit ransomware are exploring to abuse “novel living off the land tools” to deploy Cobalt Strike beacons bypassing traditional AV detection tools. 

“Defenders need to be alert to the fact that LockBit ransomware operators and affiliates are exploring and exploiting novel ‘living off the land’ tools to aid them in loading Cobalt Strike beacons and evading some common EDR and traditional AV detection tools,” SentinelOne said. 

“Importantly, tools that should receive careful scrutiny are any that either the organization or the organization’s security software have made exceptions for. Products like VMware and Windows Defender have a high prevalence in the enterprise and a high utility to threat actors if they are allowed to operate outside of the installed security controls,” the company added. 

The LockBit ransomware has been active since 2019 and it has likely been used to target thousands of organizations. 

Earlier this year in June, the Lockbit ransomware gang announced the launch of Lockbit 3.0, a new ransomware-as-a-service offering and a bug bounty program. The group said it will offer rewards ranging between $1,000 and $1 million to security researchers and ethical or unethical hackers for information regarding vulnerabilities in their website, the ransomware encryption process, the Tox messaging app, and bugs exploiting their Tor infrastructure.

Chinese APT Utilizes Ransomware to Cover Cyberespionage

 

A China-based advanced persistent threat (APT) group called Bronze Starlight has been active since the start of 2021. It appears to be using double-extortion attacks and ransomware as cover for routine, state-sponsored cyberespionage and intellectual property theft. 

The distribution of post-intrusion ransomware, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0, is a feature of Bronze Starlight. Microsoft also labeled it as part of the DEV-0401 emerging threat cluster, highlighting its involvement in all phases of the ransomware attack cycle, from initial access to the payload dissemination.

China's Correlation

The threat actor has always loaded Cobalt Strike Beacon and then released ransomware on compromised computers using a malware loader known as the HUI Loader, which is solely utilized by  Chinese-based organizations. This method has not been noticed by other threat actors, according to Secureworks researchers.

Researchers from Secureworks believe that Bronze Starlight is more likely motivated by cyberespionage and intellectual property (IP) theft than financial gain due to the short lifespan of each ransomware family, victimology, and access to tools used by Chinese state hacktivists (including known vulnerabilities and the HUI Loader). HUI Loader has been used to distribute malware such as Cobalt Strike, QuasarRAT, PlugX, and SodaMaster as well as remote access trojans (RATs) at least since 2015.

Attacks carried out by the actor are distinguished by the use of vulnerabilities influencing Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence, and Apache Log4j. This contrasts with other RaaS groups that obtain access from initial access brokers (IABs) to enter a network. 

The similarity between Ransomware 

Additionally, a familiar actor is apparent from the similarities found between LockFile, Atom Silo, Rook, Night Sky, and Pandora, the latter three of which were developed from the Babuk ransomware, the source code of which was leaked in September 2021. 

The researchers write that the use of HUI Loader to load Cobalt Strike Beacon, the configuration data for Cobalt Strike Beacon, the C2 network, and the code overlap "indicate that the same threat group is linked with these 5 ransomware families."

The use of the HUI Loader to launch next-stage encrypted payloads like PlugX and Cobalt Strike Beacons, which are used to disseminate the ransomware, is another instance of detected tradecraft. However, this technique requires first getting privileged Domain Administrator credentials. 

The main victims are American and Brazilian pharmaceutical firms, a U.S. media outlet with branches in China and Hong Kong, Lithuanian and Japanese electronic component designers and manufacturers, a U.S. legal company, and the aerospace & defense unit of an Indian conglomerate. 

To achieve this, ransomware operations not only give the threat actor a way to phish data as a result of the double extortion, but they also give them a chance to erase forensic proof of its destructive actions and distract them from data theft.

Attackers Exploit Telerik Vulnerabilities to Deploy Cobalt Strike

 

A hacker called ‘Blue Mockingbird’ is exploiting Telerik UI flaws to breach servers, install Cobalt Strike beacons, and deploy cryptomining malware. 

The vulnerability tracked as CVE-2019-18935 with a critical severity score (CVSS v3.1: 9.8), impacts the Telerik UI library for ASP.NET AJAX and is a high-risk deserialization security bug that can lead to remote code execution. 

Blue Mockingbird was also identified in May 2020 targeting susceptible Microsoft IIS servers that employed Telerik UI, even though it had been a year after the vendor had published security patches. Earlier this week, Sophos researchers revealed that Blue Mockingbird is leveraging the same flaw to launch new cyberattacks. 

To exploit CVE-2019-18935, the hackers must secure the encryption keys that guard Telerik UI’s serialization on the target. This may be done by using CVE-2017-11317 and CVE-2017-11357 or abusing another vulnerability in the target web app. 

Since multiple web apps were used as projects that embedded the Telerik UI framework version at the time of development and later were discontinued, they are still legitimate targets accessible for exploitation. Once the keys are acquired, the hackers can compile a malicious DLL containing the code to be executed during deserialization and launch it in the context of the ‘w3wp.exe’ process. 

According to the researchers, in recent assaults, Blue Mockingbird employed a readily available proof-of-concept (PoC) vulnerability to manage the encryption logic and automate the DLL compilation. The payload used in the recent assaults is a Cobalt Strike beacon, a stealthy, legitimate penetration testing tool hacker exploits for executing encoded PowerShell commands. 

Persistence is achieved by Active Directory Group Policy Objects (GPOs), which manufacture scheduled tasks in a new registry entry that contains base64-encoded PowerShell. To mitigate Windows Defender detection, the script employs typical AMSI-bypassing methodologies to download and load a Cobalt Strike DLL into memory. 

The second-stage program (‘crby26td.exe’) is an XMRig Miner, a common open-source cryptocurrency miner for Monero, one of the least detected cryptocurrencies. Notably, this was the primary goal of the threat actor’s 2020 campaign; therefore, the attack chain, methodologies, and goals haven’t altered significantly. 

On the other hand, Cobalt Strike allows for simple lateral movement within an exploited network, data exfiltration, account takeover, and the deployment of more powerful payloads like ransomware. It remains unclear whether Blue Mockingbird is interested in investigating these possibilities; for the time being, or they’re only focused on Monero mining.

Gh0stCringe Malware Recently Attacked Insecure Microsoft SQL and MySQL Servers

 

Hackers are deploying the Gh0stCringe remote support trojans on vulnerable computers by inadequately targeting secured Microsoft SQL and MySQL database servers. 

Gh0stCringe, also known as CirenegRAT, is a Gh0st RAT malware variant that was most recently used in Chinese cyber-espionage activities in 2020, however, it has been around since 2018. The malware has several instructions and functionalities which can be activated after the malware connects to its command and control server, or through data stored in the virus's settings. 

Attackers can use Gh0stCringe to download payloads like crypto miners from C2 servers, access specified websites via the Internet Explorer web browser, and even wipe the start-up disk's Master Boot Record (MBR). The malware includes a keylogger, which records input data in the Default. key file in the Windows System directory if it is activated. 

Threat actors are infiltrating database servers and writing the malicious'mcsql.exe' executable to disc utilizing the mysqld.exe, mysqld-nt.exe, and sqlserver.exe processes. These assaults are comparable to the Microsoft SQL server attempts, which used the Microsoft SQL xp cmdshell command to drop Cobalt Strike beacons. In addition to Gh0stCringe, AhnLab's study notes the presence of numerous malware samples on the investigated servers, implying potentially competing threat actors are infiltrating the same servers to drop payloads with its own operations.

Gh0stCringe RAT is a strong virus that can connect to a C2 server to receive custom commands or exfiltrate stolen data to the enemies. For an endless loop, the keylogging component uses the Windows Polling method (GetAsyncKeyState API) to ask the state of each key. This otherwise dependable recording mechanism carries the risk of very high CPU utilization, however, this is unlikely to cause issues for threat actors on poorly maintained servers. The malware will also record keystrokes for the previous three minutes and send them to the infection's command and control servers along with basic system and network information. 

Threat actors will be able to steal login passwords and other sensitive information that logged-in users entered on the device using these logged keystrokes. CirenegRAT has four operational modes: 0, 1, 2, and a specific Windows 10 mode which the threat actor can choose from during deployment.

Update your server software to install the most recent security upgrades, which can help you avoid a variety of attacks to make use of known flaws. It's also critical to use a secure admin password that can't be brute-forced. The most important step is to put the database server behind a firewall to only allow authorized devices to connect to it.

Emotet Malware Campaign Masquerades the IRS for 2022 Tax Season

 

The Emotet malware botnet is taking advantage of the 2022 tax season in the United States by mailing out fraudulent emails posing as the Internal Revenue Service, which is supposed to be issuing tax forms or federal returns. 

Emotet is a malware infection spread via phishing emails with malicious macros attached to Word or Excel documents. When the user opens these documents, they will be misled into allowing macros that will install the Emotet malware on the device. Emotet will capture victims' emails to use in future reply-chain attacks, send more spam emails, and eventually install other malware that could lead to a Conti ransomware assault on the targeted network once it is implemented. 

Researchers have discovered various phishing attempts masquerading the Internet Revenue Service (IRS.gov) that use lures relevant to the 2022 US tax season, according to a recent analysis by email security firm Cofense. These emails ostensibly come from the IRS, and they claim to be sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents that are often needed during tax season. 

While the subject lines and content of IRS-themed emails vary, the fundamental notion is that the IRS is contacting the company with either finished tax forms or ones that one must fill out and return. Zip files or HTML pages that lead to zip files are attached to the emails and are password-protected to avoid detection by secure email gateways. Third-party archive programs like 7-Zip, on the other hand, have no trouble extracting the files. 

A 'W-9 form.xslm' Excel file is included in the zip files, and when viewed, it prompts the user to click the "Enable Editing" and "Enable Content" buttons to see the document correctly. When a user clicks one of these buttons, malicious macros are launched, downloading and installing the Emotet virus from hacked WordPress sites. Once Emotet is loaded, it will download further payloads, which in recent campaigns have mostly been Cobalt Strike. 

Emotet has also dropped the SystemBC remote access Trojan, according to Cryptolaemus, an Emotet research organisation. With the Conti Ransomware gang now developing Emotet, all businesses, large and small, should be on the watch for these phishing tactics, which can escalate to ransomware assaults and data theft. It's important to remember that the IRS never sends unsolicited emails and only communicates via postal mail. As a result, if anyone receives an email from the IRS purporting to be from the IRS, flag it as spam and delete it.

A Worldwide Fraud Campaign Used Targeted Links to Rob Millions of Dollars

 

Infrastructure overlaps tied to the TrickBot botnet can be seen in large-scale phishing activity employing hundreds of domains to steal information for Naver, a Google-like web platform in South Korea. The resources employed in this assault demonstrate the magnitude of the cybercriminal effort to gather login data to carry out attacks. 

Naver, like Google, offers a wide range of services, including web search, email, news, and the NAVER Knowledge iN online Q&A platform. Its credentials, in addition to granting access to regular user accounts, can also grant access to enterprise environments due to password reuse. 

Earlier this year, security researchers from cyber intelligence firm Prevailion began its inquiry using a domain name shared by Joe Sowik, mailmangecorp[.]us, which led to a "vast network of targeted phishing infrastructure designed to gather valid login credentials for Naver." Additionally, PACT analysts discovered similarities with the WIZARD SPIDER [a.k.a. TrickBot] network while researching the hosting infrastructure utilized to serve the Naver-themed phishing pages. 

The fraudsters enticed victims with phoney surveys and incentives purporting to be from well-known brands, the lure was meant to help the criminals steal victims' personal information and credit card information. Tens of millions of people in 91 countries, including the United States, Canada, South Korea, and Italy, were shown to have been targeted by the scammers.

To entice potential victims, the cybercriminals sent out invitations to participate in a survey, along with the promise of a prize if they completed it. Advertising on both legitimate and illegitimate websites, contextual advertising, SMS and email messages, and pop-up notifications were all used in the campaign. To develop trust with the victims, lookalike domains modeled after authentic ones were registered. 542 unique domains were linked to the operation, 532 of which were utilized for Naver-themed phishing. Authorities found the operator would register a group of web addresses linked to a single IP address using an email address.

According to the researchers, two Cobalt Strike beacon variants on Virus Total were linked to 23.81.246[.]131 as part of a campaign that used CVE-2021-40444 to spread Conti ransomware, a typical TrickBot payload. The end page's content is as personalized as possible to the victim's interests, with the customized link only accessible once, making detection significantly more difficult and enabling the scheme to last longer. 

The victim is also informed to be eligible for a prize and one must supply personal information such as one's complete name, email and physical addresses, phone number, and credit card information, including expiration date and CVV for the same. Prevalion believes one explanation that justifies the conclusions is cybercriminals should use an "infrastructure-as-a-service" model for their operations.

Entropy Ransomware Connected to Dridex Malware, as per Sophos

 

The recently found Entropy ransomware has coding similarities to the Dridex malware, which started out as a banking trojan. After two Entropy cybercrimes on different firms, researchers were able to establish a bond between the different pieces of malware. 

Sophos principal researcher Andrew Brandt claimed in a new study detection signature designed to detect Dridex which prompted a closer look into the Entropy virus, both of the target businesses had gadgets were unprotected. Despite the characteristic for recognizing the Dridex packer code, endpoint protection measures blocked the attack, which was started by identifying the Entropy packer code.

In all incidents, the attackers gained remote access to the target networks by infecting them with Cobalt Strike Beacons and Dridex before deploying Entropy. Despite some similarities, the twin attacks differed greatly in terms of the initial access point used to parasite its path within the networks, the period invested in each environment, and the malware utilized to initiate the final stage of the invasion. 

The attack on the media company employed the ProxyShell vulnerability to infect a vulnerable Exchange Server with a web shell, which was then used to deploy Cobalt Strike Beacons throughout the network. The attacker is alleged to have spent four months doing espionage and data theft before launching the cyberattack in December 2021. The second attack on the provincial government agency was made possible via a malicious email attachment carrying the Dridex virus.

Notably, prior to encryption of the files on the hacked machines, redundant exfiltration of confidential documents to more than just one cloud storage service – in the form of packed RAR archives – occurred within 75 hours of the initial discovery of a suspect login session on a single machine. Apart from employing respectable tools like AdFind, PsExec, and PsKill, the resemblance between Dridex and Entropy samples and past DoppelPaymer extortion infections has raised the likelihood of a "similar origin."

The network of links between the various types of malware is worth mentioning; the Dridex malware, an information-stealing botnet, is thought to be the product of Indrik Spider, a well-known Russian cybercrime outfit  Evil Corp. 

The Evil Corp cluster continues to improve its tradecraft, continually altering payload signatures, exploitation tools, and initial access methods to mislead attribution. SentinelOne researchers identified the "evolutionary" ties in a standalone analysis, claiming nearly identical design, implementation, and functionality amongst various iterations of the malware, with the file-encrypting malware buried using a packer named CryptOne. 

"The attackers took advantage of a lack of attention in both situations - both targets had vulnerable Windows PCs which were missing relevant patches and updates," said Andrew Brandt, chief researcher at Sophos. Attackers would have had to work harder to gain first access into the Exchange Server if it had been patched properly.

Threat Actors use MSBuild to Execute Cobalt Strike Beacons

 

Malicious campaigns have recently been spotted abusing Microsoft Build Engine (MSBuild) to execute a Cobalt Strike payload on vulnerable machines. MSBuild, which was designed for the construction of Windows applications, uses a project file element called 'Tasks' to designate components that are executed during project building, and threat actors are misusing these Tasks to launch malicious code disguised as MSBuild. Renato Marinho, a Morphus Labs security researcher, and SANS Internet Storm Center (ISC) handler claims that two different malicious campaigns have been discovered utilizing MSBuild for code execution in the last week. 

MSBuild is a build tool that aids in the automation of the software development process, including source code compilation, packaging, testing, deployment, and documentation creation. It is feasible to build Visual Studio projects and solutions with MSBuild even if the Visual Studio IDE is not installed. MSBuild is a free and open-source software. MSBuild was previously included with the.NET Framework; however, starting with Visual Studio 2013, it is now included with Visual Studio. MSBuild is a functional replacement for the nmake utility, which is still used in projects created with previous Visual Studio editions. 

MSBuild operates on MSBuild project files, which have an XML syntax comparable to Apache Ant or NAnt. Despite the fact that the syntax is based on a well-defined XML schema, the fundamental structure and operation are comparable to the traditional Unix make utility: the user specifies what will be used (typically source code files) and what the result should be (typically a static library, DLL, or executable application), but the utility decides what to do and in which order to carry out the build. 

Threat actors often obtain access to the target environment through the use of a genuine remote desktop protocol (RDP) account, then employ remote Windows Services (SCM) for lateral movement and MSBuild to execute the Cobalt Strike Beacon payload. The malicious MSBuild project was created to build and run certain C# code, which then decodes and executes Cobalt Strike. 

Marinho further claims that after confirming that Beacon was used in the attack, he was able to decrypt the SSL-encrypted communication with the command and control (C&C) server. To avoid such attacks, the researcher recommends that enterprises use the Windows Defender Application Control (WDAC) policy to restrict Microsoft-signed applications that potentially allow the execution of other malware. MSBuild generates a list of these apps. 

“There is a note for MSBuild.exe, though, that if the system is used in a development context to build managed applications, the recommendation is to allow MSBuild.exe in the code integrity policies,” Marinho concluded.

Blister Malware Silently Slips Through Windows Defences

 

Cybersecurity researchers have revealed details of an evasive malware campaign that uses valid code signing certificates to bypass security defences and remain undetected, with the purpose of distributing Cobalt Strike and BitRAT payloads on infected systems. Elastic Security researchers dubbed the binary, a loader, "Blister," and the malware samples had negligible to zero detections on VirusTotal. The infection vector utilized to stage the attack, as well as the eventual goals of the infiltration, are unknown. 

A notable aspect of the attacks is that they make use of a legitimate Sectigo code signing certificate. The malware has been seen signed with the certificate in question since September 15, 2021. Elastic stated that it has contacted the company in order to get the exploited certificates revoked. "Executables with valid code signing certificates are often scrutinized to a lesser degree than unsigned executables," researchers Joe Desimone and Samir Bousseaden said. "Their use allows attackers to remain under the radar and evade detection for a longer period of time." 

Another intriguing component of this campaign is what looks to be a novel malware loader with few VirusTotal detections. It's known as the BLISTER loader. The loader is likely spliced into genuine libraries like colorui.dll to guarantee that the majority of the on-disk footprint contains known-good code and metadata. The loader can be written to disc from simple dropper executables at first. One such dropper saves a signed BLISTER loader to %temp%\Framwork\axsssig.dll and runs it with rundll32. BLISTER's LaunchColorCpl is a popular DLL export and entry point name. 

BLISTER uses a basic 4-byte XOR routine to decode bootstrapping code stored in the resource area when it is run. The bootstrapping code is extensively obfuscated and sleeps for 10 minutes at first. This is almost certainly an attempt to avoid sandbox analysis. It decrypts the embedded malware payload after the delay. CobaltStrike and BitRat have been identified as embedded malware payloads by researchers. When the embedded payload is decoded, it is either loaded into the current process or injected into a newly generated WerFault.exe process.

Elastic Security has alerted Sectigo that Blister's code signing certificate has been revoked; nonetheless, the company has also produced a Yara rule to assist organizations in identifying the new malware.

‘Karakurt’ Extortion Back with an Upswing

 

As of late, a new money-driven attack group has been on the upswing, and unlike previous groups, it does not appear to be interested in spreading ransomware or attacking high-profile targets. 

Accenture Security researchers have been investigating a group that calls itself "Karakurt," meaning "black wolf" in Turkish, and is also the name of a deadly spider prevalent in eastern Europe and Siberia. 

Karakurt specializes in data exfiltration and eventual extortion, which allows them to operate swiftly. It already has claimed the lives of more than 40 people until September, with 95 percent of them in North America and the rest in Europe, according to a paper released on Friday by academics. 

Experts suggest Karakurt would be a trend-setter, and shortly, similar groups may shift away from attacking large corporations or critical-infrastructure providers with ransomware and instead take a similar exfiltration/extortion technique. 

“The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big-game hunting approach,” read the report.

According to Accenture CIFR researchers, Karakurt was originally spotted by investigators outside of Accenture Security in June since it started building up its network and data-leak platforms. In August, the group registered the domains karakurt.group and karakurt.tech, as well as the Twitter, handle @karakurtlair. Shortly the organization launched its first successful attack. 

Accenture Security's collecting sources and intrusion research discovered the organization's first target in September; two months later, the group revealed their victim on the karakurt.group website.

Karakurt's tactics, techniques, and procedures (TTP) for infiltrating victim infrastructures, accomplishing persistence, relocating laterally, and stealing data are similar to those used by numerous threat actors and the group frequently takes a "living off the land" strategy relying on the attack surface, i.e., utilizing tools or features which already belong across the targeted system. 

Karakurt primarily employs service installation, remote-management software, and the delivery of command-and-control (C2) beacons throughout victim environments via Cobalt Strike to sustain persistence once connected to a network. 

However, experts have noticed that the group recently appears to have changed methods in its implementation of backup persistence. Karakurt "persisted within the victim's network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices" rather than delivering Cobalt Strike, they stated. This enables the gang to migrate laterally by leveraging previously obtained user, service, and administrator personal information. 

Researchers stated the gang will also employ additional remote-management technologies, such as remote desktop protocol (RDP), Cobalt Strike, and PowerShell commands, to travel laterally and uncover relevant data to steal and exploit for extortion reasons as needed. 

Nevertheless, the group's assault pattern thus far demonstrates that it is adaptable enough to change its techniques based on the victim's circumstances. Karakurt can also avoid detection in many circumstances since it frequently utilizes authorized credentials to access websites. 

Ultimately, Karakurt employs 7zip and WinZip for data compression, along with Rclone or FileZilla (SFTP) for staging and final exfiltration to Mega.io cloud storage, to steal information. Also according to Accenture Security, the staging folders utilized to exfiltrate data in assaults were C:Perflogs and C:Recovery. 

Researchers offered standard mitigation recommendations to enterprises to prevent being penetrated and extorted by Karakurt, which will call them several times to put pressure over them to pay once their data has been stolen.

Cuba Ransomware Group Compromised the Networks of at Least 49 Organizations

 

The FBI has issued a new warning regarding the Cuba ransomware, stating that the gang has targeted "49 entities in five critical infrastructure sectors" and made at least $43.9 million in ransom. The FBI claimed the gang is targeting enterprises in the financial, government, healthcare, manufacturing, and information technology sectors, and is employing the Hancitor malware to gain access to Windows systems, according to an alert sent out on Friday. 

The Hancitor malware downloader is used to transmit Cuba ransomware to victims' networks, allowing the ransomware gang to have greater access to previously hacked corporate networks. Hancitor (Chancitor) is a ransomware that distributes data stealers, Remote Access Trojans (RATs), and other ransomware. It was discovered spreading the Vawtrak information-stealing trojan, according to Zscaler. Since then, it has shifted to password-stealers such as Pony and Ficker, as well as Cobalt Strike. 

Hancitor employs phishing emails and stolen passwords to get access to their victims' systems, as well as exploiting Microsoft Exchange vulnerabilities and breaking in via Remote Desktop Protocol (RDP) tools. Cuba ransomware operators would exploit legal Windows services (e.g., PowerShell, PsExec, and numerous other unspecified services) to remotely deliver their ransomware payloads and encrypt files with the ".cuba" extension once they have gained access using Hancitor.

When a victim's computer is infected, the ransomware downloads and installs a CobaltStrike beacon, as well as two executable files. Attackers can use the two files to get passwords and "write to the compromised system's temporary (TMP) file."

"Once the TMP file is uploaded, the 'krots.exe' file is deleted, and the TMP file is executed in the compromised network. The TMP file includes Application Programming Interface (API) calls related to memory injection that, once executed, deletes itself from the system. Upon deletion of the TMP file, the compromised network begins communicating with a reported malware repository located at Montenegro-based Uniform Resource Locator (URL) teoresp.com," the FBI explained. 

Other assault details were included by the FBI, as well as a sample ransom note and email sent by the attackers. Given their degree of activity in comparison to other more well-known ransomware gangs, experts were startled by the amount of money the group had amassed. The data, according to Emsisoft threat analyst Brett Callow, demonstrated how lucrative the ransomware market is, despite the fact that the Cuba ransomware organization is not among the top ten in terms of activity.

Ransomware Threat Actors on the Rise in US, Target Big Organizations

 

A hacker earlier linked with the Thieflock ransomware campaign, currently might be using the rising Yanluowang ransomware in a chain of attacks against U.S organizations. Symantec cybersecurity experts, a subdivision of Broadcom software, discovered links between Yanluowang and Thieflock, details of the former were revealed in October after experts found its use against a big firm. They believe that a hacker has been using this ransomware to attack financial organizations in the U.S. The threat actor also compromised various firms in the manufacturing sector, engineering, consultancy, and IT services, using the novel ransomware.

Experts noticed a probable link between new Yanluowang attacks and earlier attacks which involved Thieflock, a RaaS (ransomware as a service), built by the Canthroid group, aka Fivehands. This shows how there's no loyalty in ransomware users, especially those who work as affiliates of RaaS operations. As per ThreatPost, "Data-capture tools are also part of the attack vector, including a screen capture tool and a file exfiltration tool (filegrab.exe), as well as Cobalt Strike Beacon, which researchers saw deployed against at least one target." 

The ransomware developers pivot here and there, they switch business based on profit margins offered by ransomware threat actors, there's no loyalty in the business, says Vikram Thakur, chief research manager at Symantec. The experts have given a summary of some of the tools used in these attacks (Yanluowang), a few of these share some commonalities with the 

Thieflock attacks, which may lead someone to believe that the actor orchestrating the attack is an expert with Thieflock's deployment. "In most scenarios, attackers use PowerShell to download tools to compromised systems, including BazarLoader, which assists in reconnaissance of a system before attacks occur. The attackers then enable RDP via registry to enable remote access, deploying the legitimate remote access tool ConnectWise, formerly known as ScreenConnect, once they’ve gained this access," said ThreatPost.

Threat Actors Targeting Vaccine Manufacturing Facility with Tardigrade Malware

 

Biomanufacturing facilities in the US are being actively targeted by an anonymous hacking group leveraging a new custom malware called ‘Tardigrade’. 

In a new threat advisory, the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) claimed this week that the first attack was launched using this new malware in spring 2021, followed by the second assault in October.

 New malware strain

According to BIO-ISAC, Tardigrade possesses advanced features and is supposedly the work of an advanced threat detection group or a nation-state intelligence service. The malware is primarily used for espionage though it can also cause other issues including network outages. The recent assaults are also believed to be linked to Covid-19 research as the pandemic has shown just how crucial biomanufacturing research is when creating vaccines and other drugs. 

Tardigrade’s functionality includes a Trojan, keylogger, data theft, and also establishes a backdoor into targeted systems. There is some debate regarding the origins of the code used in Tardigrade as BIO-ISAC believes the malware is based on Smoke Loader, a Windows-based backdoor operated by a hacking group called Smoky Spider. However, security researchers that spoke with Bleeping Computer believe that it is a form of the Cobalt Strike HTTP. 

“The biomanufacturing industry along with other verticals are so far behind in cybersecurity, making them a prime target for bad actors. Cyberattacks mostly happen to those that provide easy access or least path of resistance,” George Gerchow, chief security officer of machine data analytics company Sumo Logic Inc., told SiliconANGLE. 

“This is a blatant example of how attackers are focusing on human health during a time of high anxiety, and bioscience is an easy target. The industry is going to have to move quickly to put proper cyber security controls in place. It is going to be a huge mountain for them to climb as some of the companies in the industry have antiquated technology, lacked the proper skill sets, and relied too much on legacy security tools,” Gerchow added. 

The BIO-ISAC report recommends the following steps for biomanufacturing sites that will enhance the security and response postures (i) Scan your biomanufacturing network segmentation, (ii)  Collaborate with biologists and automation experts to design a full-proof analysis for your firm, (iii) Employ antivirus with behavioral analysis capabilities, (iv) Participate in phishing detection training (v) Stay vigilant.