Weekly Intelligence Trends and Advisory – 18 July 2021

Weekly Attack Type and Trends

Key intelligence signals

Attack Type: Phishing, Malware Implant, Ransomware, Vulnerabilities & Exploits, Social Engineering, Data Exfiltration, DDoS, Impersonation

Objective: Data Theft, Payload Delivery, Data Encryption, Financial Gains, Operational Disruption

Business Impact: Data Loss, Financial Loss, Reputational Damage, Operational Disruption

Ransomware – Everest | Malware – Bandook, zloader, BIOPASS RAT

Everest – A ransomware operation that runs its own data leak site.

Bandook – An info-stealer RAT.

zloader – A backdoor Trojan.

BIOPASS RAT – A RAT with a new infection technique.


Behavior – Most of this malware uses phishing and social engineering as its initial attack vector. Beyond those techniques, exploitation of vulnerabilities and defence-evasion tactics are also being observed.


Insights

The Everest ransomware operators gained notoriety for promoting their site by contacting security researchers and journalists as well as emailing competitors of breach victims to pressure and extort money. The operators were seen listing new data leaks during the observation period.


Written in both Delphi and C++, Bandook has a history of being sold as a commercial remote access trojan (RAT) dating back to 2005. Since then, numerous variants have emerged on the threat landscape and have been used in different surveillance campaigns.


Zloader malware has resumed its campaign with a new technique that downloads and executes malicious DLLs (Zloader) without any malicious code being present in the macro of the initial spammed attachment.


Online gambling companies are being targeted by a new BIOPASS RAT which, in addition to predictable features such as file system assessment and data exfiltration, takes the novel approach of using live streaming to spy on its victims' screens.

Threat Actor in Focus

BIOPASS RAT: New Malware Sniffs Victims via Live Streaming

Suspected Threat Actors: MISSION2025

Attack Type: Watering hole

Ransomware / Malware: BIOPASS RAT

Objective: Data Exfiltration, Shell Command Execution, Remote Desktop Access, Capture Screen

Target Industry: Consumer Service

Target Geography: China

Target Technology: Microsoft Silverlight, Adobe Flash Player, Open Broadcaster Software (OBS)

Business Impact: Data Loss, Operational Disruption


Summary

BIOPASS RAT is a sophisticated type of malware that is implemented as Python scripts. The RAT possesses basic features found in other malware, such as file system assessment, remote desktop access, file exfiltration, and shell command execution. It is notable for its focus on stealing private data from web browsers (QQ Browser, 2345 Explorer, Sogou Explorer, 360 Safe Browser) and instant messaging apps (WeChat, QQ, Aliwangwang) that are chiefly popular in Mainland China.


Besides featuring an array of capabilities that run the typical spyware gamut, BIOPASS is equipped to establish live streaming to a cloud service under the attacker’s control via Real-Time Messaging Protocol (RTMP), in addition to communicating with the Command & Control (C2) server using the Socket.IO protocol.


Insights

What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of OBS Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via RTMP. In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims.


Beyond its spyware feature set, BIOPASS RAT uses scheduled tasks to maintain persistence on the infected system, and it abuses publicly available tools and cloud services (OBS Studio, Alibaba Cloud OSS) rather than bespoke infrastructure for much of its malicious behaviour.
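The three network behaviours described above (Python scripts fetched from Alibaba Cloud OSS, Socket.IO C2 traffic, and an RTMP stream from the victim's desktop) can be hunted for in egress-proxy logs. The following is an added example written for this advisory, not code from the original report or from the BIOPASS authors. The log format, the hostnames, the bucket name and the approved-streaming allowlist are all constructed for the example; the only real protocol artefacts it keys on are the default Socket.IO handshake path (`/socket.io/?EIO=...`), the `rtmp://` scheme and its default port 1935, and the `.aliyuncs.com` OSS domain suffix.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed egress-proxy log lines (not real telemetry). Assumed layout:
#   <ISO timestamp> <source host> <destination host>:<port> <URL>
SAMPLE_LOG = """\
2021-07-14T09:01:02Z WS-0417 update.example-vendor.com:443 https://update.example-vendor.com/ping
2021-07-14T09:03:10Z WS-0417 example-bucket.oss-cn-hangzhou.aliyuncs.com:443 https://example-bucket.oss-cn-hangzhou.aliyuncs.com/loader/bootstrap.py
2021-07-14T09:03:11Z WS-0417 203.0.113.7:80 http://203.0.113.7/socket.io/?EIO=3&transport=polling
2021-07-14T09:04:00Z WS-0417 live.example-cdn.net:1935 rtmp://live.example-cdn.net/live/ws0417
2021-07-14T09:05:30Z WS-0220 stream.corp-approved.example:1935 rtmp://stream.corp-approved.example/live/town-hall
"""

# Assumed allowlist of streaming destinations the organisation sanctions
# (a hypothetical host; replace with your own approved endpoints).
APPROVED_STREAM_HOSTS = frozenset({"stream.corp-approved.example"})

RULE_RTMP = "rtmp-stream-to-unapproved-host"
RULE_SOCKETIO = "socketio-handshake"
RULE_OSS_PY = "python-script-from-oss"
FULL_CHAIN = frozenset({RULE_RTMP, RULE_SOCKETIO, RULE_OSS_PY})

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    host: str   # internal source host
    rule: str   # which behaviour fired
    dst: str    # destination host


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, url = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "url": url}


def classify(rec, approved_stream_hosts=APPROVED_STREAM_HOSTS):
    """Apply the three BIOPASS-style behavioural rules to one record."""
    u = urlparse(rec["url"])
    rules = []
    # 1. Live streaming out of the estate: RTMP scheme or its default port,
    #    to a destination that is not an approved streaming service.
    if (u.scheme == "rtmp" or rec["port"] == 1935) and rec["dst"] not in approved_stream_hosts:
        rules.append(RULE_RTMP)
    # 2. Socket.IO handshake: default mount path plus the EIO protocol-version
    #    query parameter that every Socket.IO client sends.
    if "/socket.io/" in u.path and "EIO" in parse_qs(u.query):
        rules.append(RULE_SOCKETIO)
    # 3. A Python script pulled from an Alibaba Cloud OSS bucket.
    if rec["dst"].endswith(".aliyuncs.com") and u.path.endswith(".py"):
        rules.append(RULE_OSS_PY)
    return rules


def triage(log_text, approved_stream_hosts=APPROVED_STREAM_HOSTS):
    """Run every line through the rules and collect findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in classify(rec, approved_stream_hosts):
            findings.append(Finding(rec["src"], rule, rec["dst"]))
    return findings


def hosts_matching_chain(findings):
    """Hosts on which all three behaviours were seen: the strongest signal."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if FULL_CHAIN <= rules)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.host}: {f.rule} -> {f.dst}")
    print("full chain on:", hosts_matching_chain(found))
```

Any single rule will produce noise on its own (legitimate Socket.IO web apps, sanctioned OBS use); the value is in `hosts_matching_chain`, which only reports a host that fetched a Python script from OSS, spoke Socket.IO and then opened an RTMP stream to a destination nobody approved.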

Rise in Malware/Ransomware and Phishing

Epsilon Hydraulique Impacted by Everest Ransomware

Attack Type: Ransomware, Data Leak

Target Industry: Farm and Garden Machinery

Target Geography: France

Ransomware: Everest Ransomware

Objective: Data Exfiltration, Financial Gains

Business Impact: Data Leak, Erosion of Intellectual Property, Financial Loss, Reputational Damage


Summary

CTI observed Epsilon Hydraulique – a French machinery-making company – impacted by the Everest ransomware group and its leak site. The operators are suspected of having exfiltrated a large amount of business-critical and sensitive data. In the advertisement published on its data leak site, the threat actor released approximately 45 GB of suspected stolen data.

Source: Dark web


Insights

The data is first offered for sale to potential buyers. As the ransom payment is delayed, the operators publish portions of the data over time. Ultimately, if no ransom is paid and the data is not purchased, it is released to the public for free for anyone to download.

Most ransomware operators put considerable effort into establishing a reputation and maintaining some level of "integrity", most likely to encourage and facilitate ransom payments.

Latest Cyber-Attacks, Incidents, and Breaches

TrickBot Malware Returns with a new VNC Module to Spy on its Victims

Attack Type: Malware Implant

Attack Vector: Phishing

Threat Actor: Wizard Spider

Target Geography: Worldwide

Malware: TrickBot

Objective: Data Exfiltration, Payload Delivery, Lateral Movement

Business Impact: Data Loss, Operational Disruption


Summary

Researchers have discovered an updated VNC module that seems to be in active development, as its maintainers are updating it at a very fast pace. The new capabilities discovered are used to monitor and gather intelligence on victims, using a custom communication protocol to hide data transmissions between command & control servers and victims — making attacks difficult to spot.


The botnet has survived two takedown attempts, by Microsoft and U.S. Cyber Command, and its operators have developed firmware-tampering components that could let them plant a backdoor in the Unified Extensible Firmware Interface (UEFI), where it would survive antivirus remediation, software updates, and even a full wipe and reinstallation of the operating system. The threat actor has been found actively developing an updated version of a module called "vncDll", which it employs against select high-profile targets for monitoring and intelligence gathering. The new version is named "tvncDll".


Insights

TrickBot has evolved to use a complex infrastructure that compromises third-party servers and uses them to host malware. It also infects consumer appliances such as DSL routers, and its criminal operators constantly rotate their IP addresses and infected hosts to make disruption of their crime as difficult as possible.


The new module is designed to communicate with one of the nine command & control (C2) servers defined in its configuration file, using it to retrieve a set of attack commands, download further malware payloads, and exfiltrate data gathered from the machine back to the server. Additionally, the researchers said they identified a "viewer tool,"

Vulnerabilities and Exploits

SolarWinds Serv-U Managed File Transfer Server and Serv-U Secured Security Advisory

Target Geography: Global

Target Technology: Serv-U Managed File Transfer Server and Serv-U Secured FTP

Vulnerabilities: CVE-2021-35211 (CVSS Base Score: 9.8)

Vulnerability Type: Remote Code Execution (RCE)

Impact: Confidentiality (High), Integrity (High), Availability (High)


Summary

SolarWinds has patched an RCE vulnerability in its Serv-U file transfer products after Microsoft observed exploitation against a limited, targeted set of customers by a single threat actor. The remote memory escape flaw (CVE-2021-35211) affects both Serv-U Managed File Transfer Server and Serv-U Secured FTP, according to a security advisory issued by SolarWinds. The vendor said it does not yet have an estimate of how many customers may be directly affected by the vulnerability, nor the identity of any affected customers.


Insights

SolarWinds said the flaw is unrelated to the Sunburst supply chain attack that unfolded at the end of 2020, in which nation-state attackers compromised some of SolarWinds' major clients, including US government agencies, via a trojanized update to SolarWinds' Orion software.

The company has warned Serv-U customers that exceptions being thrown in their environment could be a sign of compromise (although there are other potential causes), because exploitation takes the form of a Return Oriented Programming (ROP) attack, and a failed or unstable ROP chain tends to crash the handler. Another potential indicator of compromise is suspicious connections over SSH. The flaw is only reachable through the SSH service, so customers who have SSH disabled are not exposed to attacks exploiting it.
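Putting those two indicators together, a defender wants to know which SSH peers connected shortly before the Serv-U process threw an exception. The script below is an added example for this advisory, not SolarWinds' own tooling, and it does not reproduce the vendor's exception text: the log layout, the exception wording and the IP addresses are all constructed, so the regular expressions will need adjusting to the real Serv-U debug log before use.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in a Serv-U-like debug-log style. Line layout, exception
# text and IP addresses are made up for this example; they are not taken from
# the SolarWinds advisory or from a real Serv-U installation.
SAMPLE_DEBUG_LOG = """\
2021-07-12 03:14:01 Connection accepted [SSH] from 198.51.100.23:51022
2021-07-12 03:14:01 Connection accepted [FTP] from 192.0.2.10:40211
2021-07-12 03:14:03 EXCEPTION: access violation in SSH receive handler
2021-07-12 03:14:09 Connection accepted [SSH] from 198.51.100.23:51030
2021-07-12 03:14:10 EXCEPTION: access violation in SSH receive handler
2021-07-12 07:00:00 Connection accepted [SSH] from 203.0.113.200:22011
2021-07-12 07:00:45 Session closed [SSH] 203.0.113.200
"""

TS = r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
CONN_RE = re.compile(TS + r" Connection accepted \[(\w+)\] from (\d+(?:\.\d+){3}):\d+$")
EXC_RE = re.compile(TS + r" EXCEPTION: (.+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_log(log_text):
    """Split the log into connection events (time, protocol, ip) and
    exception events (time, message); all other lines are ignored."""
    conns, excs = [], []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            conns.append((_ts(m.group(1)), m.group(2), m.group(3)))
            continue
        m = EXC_RE.match(line)
        if m:
            excs.append((_ts(m.group(1)), m.group(2)))
    return conns, excs


def suspect_ssh_sources(log_text, window=timedelta(seconds=30)):
    """Map each SSH source IP to the distinct exception timestamps that fell
    within `window` after one of its connections. A crash in the SSH handler
    right after a connection is what a failed or noisy ROP attempt against
    this bug would look like; FTP-only peers and SSH peers with no nearby
    exception are not reported."""
    conns, excs = parse_log(log_text)
    suspects = {}
    for exc_time, _msg in excs:
        for conn_time, proto, ip in conns:
            if proto != "SSH":
                continue
            if timedelta(0) <= exc_time - conn_time <= window:
                suspects.setdefault(ip, set()).add(exc_time)
    return {ip: sorted(times) for ip, times in suspects.items()}


def summarize(log_text):
    """Counts plus the correlated suspect list, for a quick triage report."""
    conns, excs = parse_log(log_text)
    return {
        "ssh_connections": sum(1 for _, proto, _ in conns if proto == "SSH"),
        "exceptions": len(excs),
        "suspect_ips": suspect_ssh_sources(log_text),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_DEBUG_LOG)
    print(f"SSH connections: {report['ssh_connections']}, exceptions: {report['exceptions']}")
    for ip, times in report["suspect_ips"].items():
        print(f"  {ip}: exceptions at {', '.join(t.isoformat() for t in times)}")
```

In the constructed sample the peer at 198.51.100.23 connects over SSH twice and an exception follows each time, so it is reported with two exception timestamps; the FTP client and the later SSH session that ended cleanly are not. The correlation window is deliberately short because a legitimate crash unrelated to SSH will usually not line up with a fresh SSH connection; widen it if the server is busy enough that the process takes longer to fall over.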
