Thursday, August 26, 2021

Threat Source newsletter (Aug. 26, 2021)

Newsletter compiled by Jon Munshaw.

Good afternoon, Talos readers.  

We have RATs on RATs on RATs over the past few weeks. And last week, we found a few more heading to Latin America to target users and try to steal their login credentials.

The threat actor in this case has some compelling connections to the Aggah threat group we've written about in the past, but there doesn't appear to be any definitive link.

Upcoming Talos public engagements

Speaker: Chris DiSalle
Date: Sept. 9
Location: Virtual
Description: Chris DiSalle from Talos Incident Response will join the Technado podcast to share the ins and outs of the IR industry. Chris will talk to host Don Pezet about how he got started in incident response, horror stories he's seen in the field, and much more. 

Speaker: Vitor Ventura
Date: Oct. 7 - 8
Location: Virtual
Description: Android malware has become prevalent across the landscape. In this workshop, Vitor Ventura will show you reverse engineering techniques for Android malware. This workshop is designed to provide the participants with different approaches to malware analysis so they can perform their own analysis without the use of automated tools. When everything else fails, we need to know what's under the hood. This workshop will cover malware unpacking, string deobfuscation, command and control protocol identification and feature identification.

Cybersecurity week in review

  • T-Mobile confirmed that more than 50 million current, former and prospective customers' information was affected by a recent data breach. The company said that in its most recent research, they could not find any evidence that victims' social security numbers or driver's license information was accessed.
  • A threat actor returned roughly $600 million worth of cryptocurrency that they stole about two weeks prior. The online platform targeted in the attack, Poly Network, offered the attacker a monetary reward for returning the virtual currency and attempted multiple lines of communication.
  • The FBI sent out its first-ever warning regarding a ransomware affiliate group, part of the growing trend around ransomware-as-a-service. The alert details the actions of the OnePercent group, known to spread ransomware such as Maze and REvil.
  • Ransomware actors are using a new secret code in online forums to bypass researchers and government officials looking to stop their activities. There is essentially a series of unwritten rules bad actors are following, including the use of seemingly legitimate language to connotate cyber attacks.
  • Google issued an update for its Chrome web browser that fixes seven security issues, some of which could allow an attacker to take control of an affected system. The update came two weeks after Google released a separate set of patches for Chrome.
  • The U.S. State Department was reportedly the victim of a recent cyber attack, though the exact extent is still not known. News of the attack came a few weeks after several federal agencies received poor cybersecurity grades from a Senate report.
  • A small New Hampshire town lost $2.3 million in taxpayer money after a recent cyber attack. It's believed that an adversary used an email-based attack to divert funds meant for the school system to an attacker-controlled account.
  • A vulnerability in Microsoft's Power Apps mistakenly left millions of records exposed across some high-profile websites. The sites affected include COVID-19 contact-tracing applications, vaccination registration pages, job application portals and employee databases.
  • The U.S. Department of Cybersecurity and Infrastructure Security warned that attackers are actively exploiting two vulnerabilities in ProxyShell. Security researchers say this is a different attack vector than the ProxyLogon vulnerability and Hafnium threat first discovered in March.

Notable recent security issues

Description: The ransomware-as-a-service network behind the LockBit ransomware is launching new attacks using the 2.0 version of its malware. LockBit has recently been spotted targeting organizations in the U.K., Taiwan, Chile and Italy. This new version of LockBit includes new encryption features and an effort to recruit “insiders” at the targeted organizations. Once the malware encrypts the data on the targeted machine, it changes the wallpaper to display an advertisement, telling users that they can become a part of LockBit’s recruitment process, promising payouts in the millions of dollars. LockBit’s been behind several recent high-profile attacks, including one on global consulting firm Accenture. 
Snort SIDs: 58024, 58025 

Description: Cisco Talos has observed a new malware campaign delivering commodity RATs, including njRAT and AsyncRAT. The campaign targets travel and hospitality organizations in Latin America. Techniques utilized in this campaign bear a resemblance to those of the Aggah group but are operated by a distinct threat actor based out of Brazil. We've also discovered a builder/crypter known as "Crypter 3losh rat" used to generate various stages of the highly modularized infection chain used by the campaign operators. The threat actor authoring the crypter primarily aims to sell it as a service. We've observed the authors advertise their crypters on Facebook, YouTube and other social media. However, we've also discovered that the crypter's authors have conducted their own malware campaigns abusing archive[.]org to deliver commodity RATs. The highly modular structure of the Latin American attack indicates a focus on stealth to deliver two widely popular RAT families of AsynRAT and njRAT. These techniques along with other indicators are shared with the Aggah group indicating that the crypter author might have sold it to both parties. 

Most prevalent malware files this week

MD5: 9a4b7b0849a274f6f7ac13c7577daad8 
Typical Filename: ww31.exe 
Claimed Product: N/A 
Detection Name: W32.GenericKD:Attribute.24ch.1201

MD5: 6be10a13c17391218704dc24b34cf736 
Typical Filename: smbscanlocal0906.exe 
Claimed Product: N/A 
Detection Name: Win.Dropper.Ranumbot::in03.talos

MD5: ec26aef08313a27cfa06bfa897972fc1 
Typical Filename: 01fd0f9a83cb940bca23fbeea3ecaffcfb4df2ef.vbs 
Claimed Product: N/A 
Detection Name: Win.Worm.Dunihi::tpd 

MD5: 8c80dd97c37525927c1e549cb59bcbf3 
Typical Filename: Eter.exe 
Claimed Product: N/A 
Detection Name: 

MD5: 0a13d106fa3997a0c911edd5aa0e147a 
Typical Filename: mg20201223-1.exe 
Claimed Product: N/A 
Detection Name: RanumBot::mURLin::W32.5E46ECFFCF.in12.Talos 

Keep up with all things Talos by following us on TwitterSnortClamAV and Immunet also have their own accounts you can follow to keep up with their latest updates. You can also subscribe to the Beers with Talos podcast here and Talos Takes here (as well as on your favorite podcast app). And, if you’re not already, you can also subscribe to the weekly Threat Source newsletter here.  

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.