Weekly Intelligence Trends and Advisory – 13 Jun 2021

New Malware Observed

SkinnyBoy, a newly identified piece of malware, was observed in spear-phishing campaigns attributed to the Russian-speaking group Fancy Bear (aka APT28, Sednit, Sofacy, Strontium, Pawn Storm) targeting military and government institutions. Researchers report that SkinnyBoy is delivered through a malicious Microsoft Word document and serves as an intermediate stage: it collects information about the victim host and retrieves the next payload from the command-and-control (C2) server. The attackers used commercial VPN services to hide the origin of their traffic. Based on the campaign observed, the malware's primary purpose is espionage and establishing a foothold for further control over the compromised system or network.

Researchers also report that activity of the Necro Python bot increased at the beginning of May, with additional exploits added to its arsenal. Its core functionality is unchanged: IRC is used for communication with the C2 server, and the supported commands cover DDoS, backdoor functionality, and stealing and exfiltrating data. The operators' main objective is Monero mining, achieved by installing a variant of XMRig and by injecting code into HTML and script files on the compromised host to add a JavaScript miner plus bot functionality for controlling and stealing information from visiting browsers.
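Because Necro tampers with existing HTML and script files, one practical check is a baseline-and-diff integrity scan of the web root. The script below is an added example written for this advisory, not Necro's code and not a signature for it: it hashes the watched files when the server is known clean, re-hashes them later, reports added or modified files, and lists script tags that appeared in a changed page. The watched suffixes and the tiny web root it builds in a temporary directory are constructed for the demo and should be adapted to the real document root.

```python
"""Added example: baseline-and-diff integrity check for a web root.

Generic file-integrity logic, not Necro's code. The sample web root is
constructed inline in a temporary directory so the script runs offline.
"""
import hashlib
import os
import re
import tempfile

# Assumed file types worth watching; extend for the application in use.
WATCHED_SUFFIXES = (".html", ".htm", ".js", ".php")
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def build_manifest(root):
    """Map relative path -> sha256 hex digest for every watched file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WATCHED_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def diff_manifest(baseline, current):
    """Paths that were added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def new_script_tags(old_text, new_text):
    """Script tags present in new_text but absent from old_text (injection hint)."""
    old = set(SCRIPT_TAG.findall(old_text))
    return [tag for tag in SCRIPT_TAG.findall(new_text) if tag not in old]


def demo():
    """Constructed scenario: hash a clean root, then simulate a miner injection."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.html")
        original = (
            "<html><head><script src='/app.js'></script></head>"
            "<body>hello</body></html>"
        )
        with open(index, "w") as fh:
            fh.write(original)
        with open(os.path.join(root, "app.js"), "w") as fh:
            fh.write("console.log('app');\n")
        baseline = build_manifest(root)

        # Simulated compromise: an extra script tag appended to the page and a
        # new script file dropped next to it (constructed, not real miner code).
        injected = original + "<script src='//example.invalid/miner.js'></script>"
        with open(index, "w") as fh:
            fh.write(injected)
        with open(os.path.join(root, "x.js"), "w") as fh:
            fh.write("/* constructed placeholder */\n")

        changes = diff_manifest(baseline, build_manifest(root))
        tags = new_script_tags(original, injected)
        return changes, tags


if __name__ == "__main__":
    changes, tags = demo()
    print("changes:", changes)
    print("new script tags:", tags)
```

Store the baseline manifest off-host (the bot runs on the same machine and could rewrite a local copy), and treat any modified file that gained a script tag pointing at a host you do not control as an incident, not just a change.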

Kimsuky APT Group is Evolving

Attack Type: Phishing, Data Exfiltration, Privilege Escalation, Defence Evasion

Target Industry: Government, Education, Private Organization

Target Geography: South Korea

Target Technology: Microsoft Windows, Android

Ransomware / Malware: AppleSeed Backdoor

Objective: Espionage, Impersonation, Data Theft, Unauthorized Access

Business Impact: Data Loss, Financial Loss, Reputational Damage

Researchers report that the North Korean APT group Kimsuky (aka Thallium, Black Banshee, Velvet Chollima), known for espionage operations against South Korea, was observed targeting high-profile individuals within the South Korean government. The TTPs in this activity align with the detailed analysis published by KISA (Korea Internet & Security Agency) in December last year. One of the lures was crafted for the Ministry of Foreign Affairs of South Korea, a target of long-standing interest to Kimsuky.

The phishing infrastructure mimics well-known websites (Gmail, Hotmail, Microsoft Outlook, Nate, Daum, Naver, Telegram, KISA) to harvest credentials and email addresses, which are later used in spear-phishing attacks. Researchers noted that the actors reused this phishing infrastructure for AppleSeed command-and-control communications, so a phishing domain seen in mail or proxy logs should also be treated as a candidate C2 indicator. Alongside the Windows AppleSeed backdoor, an Android backdoor considered a mobile variant of AppleSeed was used against Android users.

In recent years Kimsuky has increased its operational tempo, both in frequency and in number of victims. In campaigns observed last year researchers noted continued use of the BabyShark and GoldDragon malware families; around the same time the new families AppleSeed (aka AutoUpdate) and FlowerPower were introduced.

The group was also reported to have registered domains impersonating entities involved in COVID-19 vaccine research in the healthcare and pharmaceutical sectors in South Korea and Europe, as well as the World Health Organization (WHO).
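Since the campaign relies on lookalike domains for a known, short list of brands, a cheap first-pass detector over proxy or mail logs is to flag hostnames that carry one of those brand names, or that sit within one edit of a legitimate domain, without actually belonging to it. The script below is an added example written for this advisory, not the researchers' tooling and not a list of Kimsuky indicators: the legitimate-domain set, the two-level suffix list and the log lines are all constructed assumptions to be replaced with your own allow-list, a real public-suffix list and your own logs.

```python
"""Added example: flag lookalike hostnames for brands impersonated by Kimsuky.

Heuristic detector over constructed proxy log lines. Every domain below is an
assumption for the demo; none is an indicator from the original report.
"""
import re

# Assumed legitimate registrable domains for the impersonated brands.
LEGIT_DOMAINS = {
    "google.com", "gmail.com", "hotmail.com", "outlook.com", "live.com",
    "nate.com", "daum.net", "naver.com", "telegram.org", "kisa.or.kr",
}
BRAND_TOKENS = {"gmail", "hotmail", "outlook", "nate", "daum", "naver", "telegram", "kisa"}
# Minimal public-suffix handling; a real deployment should use the full PSL.
TWO_LEVEL_SUFFIXES = {"or.kr", "co.kr", "go.kr", "ac.kr", "co.uk"}
HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)

# Constructed sample log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-06-08T09:12:01Z 10.0.0.5 GET https://accounts.google.com/ServiceLogin 200
2021-06-08T09:12:40Z 10.0.0.5 GET https://narver.com/login 200
2021-06-08T09:13:02Z 10.0.0.7 POST https://login-naver-security.net/auth 302
2021-06-08T09:14:11Z 10.0.0.7 GET https://www.senate.gov/ 200
2021-06-08T09:15:30Z 10.0.0.9 GET https://kisa.or.kr/ 200
2021-06-08T09:16:05Z 10.0.0.9 POST https://daum-mail.kr/login.php 200
"""


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels, or three when the suffix is a known two-level one."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_legit(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify(host):
    """None for hosts under a legitimate domain, else (reason, matched) for lookalikes."""
    host = host.lower()
    if is_legit(host):
        return None
    # Brand name used as a whole label or hyphenated token, e.g. login-naver-security.net
    tokens = set(re.split(r"[.\-_]", host))
    hit = tokens & BRAND_TOKENS
    if hit:
        return ("brand-token", sorted(hit)[0])
    # Typosquat of the registrable domain itself, e.g. narver.com
    reg = registrable_domain(host)
    for legit in sorted(LEGIT_DOMAINS):
        if levenshtein(reg, legit) <= 1:
            return ("edit-distance", legit)
    return None


def scan_log(lines):
    """Return (host, reason, matched) for every log line whose URL host looks like a lookalike."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        verdict = classify(host)
        if verdict:
            hits.append((host, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for host, reason, matched in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{host}: {reason} ({matched})")
```

The edit-distance rule is deliberately tight (distance 1) because short brand names such as nate.com collide with many benign domains at distance 2; tune the threshold per brand and review hits before blocking. Because the report notes the same infrastructure served as AppleSeed C2, any host this flags is worth checking against endpoint network connections as well as browser traffic.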

Evil Corp Rebrands as PayloadBIN to Avoid Federal Sanctions

A notorious Russian cybercrime group appears to have rebranded its ransomware once again in a bid to escape US sanctions that prohibit victims from paying it.

The Evil Corp gang, also known as Indrik Spider and the Dridex gang, started as an affiliate of the ZeuS botnet. Over time it formed a group focused on distributing the Dridex banking trojan and downloader via phishing emails.

The group was added to the US Treasury's Office of Foreign Assets Control (OFAC) sanctions list in December 2019, accused of using the Dridex banking trojan to steal more than $100 million worldwide.

Evil Corp has since rebranded its ransomware operation several times, as WastedLocker, Hades and Phoenix, to get around these sanctions.

In the most recent activity the group renamed its ransomware PayloadBIN. On closer inspection researchers attributed the malware to Evil Corp based on overlaps with the group's previous ransomware operations. Because the ransomware is now tied to a sanctioned group, most ransomware negotiation firms are unlikely to facilitate payments for victims affected by PayloadBIN, so affected organizations should plan their recovery on the assumption that paying is not an option.

Global Ransomware Damage Expected to Reach USD 265 Billion by 2031

Attack Type: Ransomware

Target Industry: Multiple

Target Geography: Global

Business Impact: Data Loss, Operational Disruption, Reputational Damage

Experts forecast that ransomware will cost its victims approximately USD 265 billion annually by 2031, with a new ransomware attack occurring every 2 seconds. Ransomware operators are progressively refining their payloads and the extortion activities built around them. Despite law-enforcement action and the recent retirement of several dominant ransomware gangs, new groups are appearing to take their place. Another survey suggests that the financial impact of these attacks has grown and that larger businesses, with greater exposure as well as deeper pockets, are increasingly targeted. One trend expected to continue is commoditized Ransomware-as-a-Service (RaaS) offerings that enable multi-pronged attacks. The rapidly expanding device ecosystem, especially IoT, opens a new avenue for ransomware operators, who can adapt their malware to these devices with little effort.

It is expected that over the next decade ransomware may take on an entirely new role as a cyber weapon used to advance geopolitical agendas. The demonstrated effectiveness of ransomware attacks could be leveraged to gain an advantage during political tensions or trade negotiations.

Recent trends also show that the criminals behind ransomware attacks are willing to target individuals, as seen in the exceptional compromise of a Finnish mental-health provider, where the attackers threatened individual clients with the release of their sensitive records. There is no reason to assume that nation-state actors would not embrace similar tactics.

While organizations need sustained vigilance on the technical side of vulnerability management, education and training exercises are essential to minimize infections initiated by users. Beyond regular awareness campaigns, organizations should use tooling that raises an alert and triggers targeted training moments after a user interacts with a malicious link.

VMware Critical Flaw is being Exploited

Target Geography: Global

Target Technology: VMware vCenter Server (vCenter Server), VMware Cloud Foundation (Cloud Foundation)

Vulnerabilities: CVE-2021-21985 (CVSS Base Score: 9.8)

Vulnerability Type: Remote Code Execution

Impact: Confidentiality (High), Integrity (High), Availability (High)

The flaw, tracked as CVE-2021-21985 (VMware advisory VMSA-2021-0010), is a remote code execution vulnerability caused by a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which is enabled by default in vCenter Server whether or not vSAN is in use. An attacker with network access to port 443 on the vCenter Server can exploit it to execute commands with unrestricted privileges on the underlying operating system. Although patches were released on May 25, 2021 (the same advisory also fixes CVE-2021-21986, an authentication weakness in several vSphere Client plug-ins), the US Cybersecurity and Infrastructure Security Agency (CISA) has warned that unpatched systems remain an attractive target and that threat actors can leverage this vulnerability to take control of them. Researchers have since observed mass scanning for the flaw against internet-exposed vCenter servers and exploitation attempts using a public proof-of-concept (PoC) exploit.

VMware rates the vulnerability critical and has asked for the "immediate attention" of vCenter Server users. Published PoC code exploits the flaw reliably with little effort, and researchers note that code execution is achieved without authentication. Organizations that cannot patch immediately should apply VMware's interim workaround of disabling the affected plug-ins (VMware KB 83829), confirm that vCenter management interfaces are not reachable from the internet, and review vSphere Client access logs for requests to the vSAN plug-in endpoints from unexpected sources.
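Since the public PoCs reach the vSAN Health Check plug-in through the vSphere Client's plug-in REST proxy, the request path is a usable triage key in web access logs. The script below is an added example written for this advisory, not VMware's or any researcher's code: it parses NCSA-style access log lines, counts requests under the proxy prefix per source address and lists the matching records. The prefix /ui/h5-vsan/rest/proxy/service/ is taken from public PoC traffic and should be treated as an assumption to confirm against your own vCenter logs; the log lines and the paths in them are constructed for the demo.

```python
"""Added example: triage access logs for probes of the vSAN plug-in REST proxy.

Not VMware's code. Prefix and log format are assumptions; log lines are constructed.
"""
import re
from collections import Counter

# Assumed path prefix through which public PoCs reach the vSAN Health Check plug-in.
VSAN_PROXY_PREFIX = "/ui/h5-vsan/rest/proxy/service/"

# NCSA common/combined log line: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one source scanning then POSTing to the proxy, one normal login.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2021:10:01:02 +0000] "GET /ui/ HTTP/1.1" 200 1024
203.0.113.7 - - [08/Jun/2021:10:01:03 +0000] "GET /ui/h5-vsan/rest/proxy/service/&constructedBean/probe HTTP/1.1" 404 0
203.0.113.7 - - [08/Jun/2021:10:01:04 +0000] "POST /ui/h5-vsan/rest/proxy/service/&constructedBean/setTarget HTTP/1.1" 200 35
198.51.100.9 - - [08/Jun/2021:10:05:00 +0000] "GET /ui/login HTTP/1.1" 200 2048
198.51.100.9 - - [08/Jun/2021:10:05:30 +0000] "POST /ui/h5-vsan/rest/proxy/service/ HTTP/1.1" 200 12
"""


def parse_line(line):
    """Return the parsed fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_vsan_probe(rec):
    """True when the request path targets the vSAN plug-in REST proxy."""
    return rec["path"].startswith(VSAN_PROXY_PREFIX)


def triage(lines):
    """Return (Counter of probe requests per source ip, list of matching records)."""
    per_source = Counter()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_vsan_probe(rec):
            continue
        per_source[rec["ip"]] += 1
        hits.append(rec)
    return per_source, hits


def posts_with_success(hits):
    """Subset of hits that are POSTs answered with HTTP 200, the pattern most worth escalating."""
    return [r for r in hits if r["method"] == "POST" and r["status"] == "200"]


if __name__ == "__main__":
    per_source, hits = triage(SAMPLE_LOG.splitlines())
    for ip, n in per_source.most_common():
        print(f"{ip}: {n} request(s) to {VSAN_PROXY_PREFIX}")
    for rec in posts_with_success(hits):
        print("escalate:", rec["ip"], rec["ts"], rec["path"])
```

Run it against the vsphere-ui access logs on the vCenter appliance and against any reverse proxy or WAF in front of it; a source that never authenticated to /ui/login but issued POSTs to the proxy prefix is the strongest signal. Log review is a complement to patching, not a substitute: the advisory's fixed releases and KB workaround remain the actual remediation.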
