Anomali Cyber Watch: Vermilion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

CISA: Patch Zoho Bug Being Exploited by APT Groups

(published: September 17, 2021)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus,” a self-service password management and single sign-on solution from the online productivity vendor. According to CISA, the authentication bypass could allow remote code execution (RCE) if exploited. Successful exploitation allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA stated that malicious actors may have been exploiting it as far back as August.
Analyst Comment: Users should immediately apply the patch released by Zoho. Continued use of vulnerable applications increases the likelihood that threat actors will attempt to exploit them, especially once open sources discuss the details of a vulnerability, since those details allow actors to build exploits for the vulnerable software.
MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials – T1552 | [MITRE ATT&CK] Valid Accounts – T1078
Tags: APT, Bug, Vulnerability, Zoho

Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise

(published: September 16, 2021)

Cisco Talos, along with Microsoft researchers, has identified a spearphishing campaign that has targeted the aviation sector for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file with an embedded link to a malicious VBScript, which would then drop Trojan payloads on the target machine. The malware was used to spy on victims and to exfiltrate data including credentials, screenshots, clipboard contents, and webcam captures. The threat actor attributed to this campaign has also been linked to crypter purchases on online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of being active since at least 2013, because the IPs connected to the hosts, domains, and the attacks at large originate from that country.
Analyst Comment: Files that request that content be enabled in order to view the document properly are often signs of a phishing attack. If such a file arrives from a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment before it is opened. Any such attachment sent by an unknown sender should be viewed with the utmost scrutiny, not opened, and reported to the appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Application Window Discovery – T1010 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Dynamic Resolution – T1568 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Native API – T1106 | [MITRE ATT&CK] Non-Standard Port – T1571 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Peripheral Device Discovery – T1120 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] Remote Services – T1021 | [MITRE ATT&CK] Remote System Discovery – T1018 | [MITRE ATT&CK] Replication Through Removable Media – T1091 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Video Capture – T1125
Tags: AsyncRAT, Aviation, Phishing, RAT, Malicious Document, Njrat, VBScript

New Malware Uses Windows Subsystem For Linux For Stealthy Attacks

(published: September 16, 2021)

Researchers at Lumen’s Black Lotus Labs have identified a new Linux malware built for the Windows Subsystem for Linux (WSL), possibly as a means to evade detection. The files, which had very low detection rates, either contain an embedded payload or retrieve one from a remote server; the payload is then injected into a running process. The loader, written in Python, can kill anti-virus software, establish persistence, and run a PowerShell script.
Analyst Comment: Malware authors are always innovating new methods of evading detection. Always practice defense in depth: do not rely on a single security mechanism; security measures should be layered, redundant, and fail-safe.
MITRE ATT&CK: [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Software Discovery – T1518 | [MITRE ATT&CK] Process Injection – T1055
Tags: ELF, Linux, Powershell, Python, Windows

The Navalny Leaks: Data, Probiv, and Russian Political Influence

(published: September 15, 2021)

A database containing the personally identifiable information (PII) of people who donated to the Anti-Corruption Foundation (FBK), the organisation led by opposition figure Alexey Navalny, has been leaked. The leaked information includes names, birth dates, employers, and financial information, and was initially posted on the 4chan imageboard. This is the latest in a series of breaches related to Navalny supporters this year.
Analyst Comment: Politically exposed persons (PEPs) are often targets of government-connected cyber groups. In the past, domestic targeting within Russia later expanded into politically motivated targeting around the world, from Ukraine to the US. People and organizations with political exposure should implement defence-in-depth protection for their online assets and stored PII.
Tags: Data Breach, Dissidents, Russia

Analyzing Attacks That Exploit The CVE-2021-40444 MSHTML Vulnerability

(published: September 15, 2021)

The Microsoft MSHTML vulnerability, registered as “CVE-2021-40444” and first identified by the Microsoft Threat Intelligence Center (MSTIC), has been used in a small number of attacks. According to MSTIC’s research, the campaign is believed to begin with emails impersonating agreements and contracts that carry malicious documents. The documents are crafted with embedded JavaScript that downloads a CAB file containing a DLL from a remote host. Once the DLL function is executed, shellcode is loaded from a remote source and injected into the “wabmig.exe” process.
Analyst Comment: Microsoft has released a patch. It is highly recommended to apply the appropriate September 2021 cumulative security update (5005565, 5005566, 5005575, or 5005568). Anomali Match can enable you to detect past occurrences of such attacks using its retrospective search capabilities.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059
Tags: JavaScript, Malicious Document, MSHTML, Microsoft, Process Injection, Process Hollowing

Attackers Impersonate DoT in Two-Day Phishing Scam

(published: September 15, 2021)

Researchers at INKY have identified a two-day phishing campaign in which threat actors impersonated the US Department of Transportation. The campaign targeted the architecture, energy, and engineering sectors, luring victims with a bid proposal that led to a credential-stealing page. Because the threat actors used newly created domains that did not yet appear in any threat intelligence feeds, they were able to evade detection.
Analyst Comment: Anomali Premium Domain Monitoring service notifies customers regarding registration of potential phishing domains. Customers can then automatically block such domains via Anomali Integrator.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE PRE-ATT&CK] Spear phishing messages with text only – T1368
Tags: Credential Harvesting, Phishing, US Government

OMIGOD: Azure Users Running Linux VMs Need to Update Now

(published: September 15, 2021)

Security researcher Nir Ohfeld has discovered four vulnerabilities in Microsoft’s Open Management Infrastructure (OMI) project that could allow an actor to gain root access on a remote machine by sending a single packet with the authentication header removed. This is a textbook Remote Code Execution (RCE) vulnerability of the kind you would expect to see in the ’90s; it is highly unusual for one to crop up in 2021 that can expose millions of endpoints. The vulnerability, registered as “CVE-2021-38647,” is a combination of a simple conditional-statement coding mistake and an uninitialized auth struct: any request without an Authorization header has its privileges default to “uid=0, gid=0”, which is root.
Analyst Comment: Organisations that deliver software solutions to their customers need to perform automated static and dynamic code analysis to catch potential security vulnerabilities. Vulnerability detection and patch prioritisation need to be in place to address the most critical vulnerabilities relevant to the customer’s environment.
Tags: Azure, Linux, VM, Vulnerability
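The bug class behind OMIGOD, as an added illustrative C example (not OMI’s source code): a credential check that only runs when a header is present, next to an identity struct that is never set on the other path, compared with a fail-closed version. The request/context structs, the token, the uid values and the function names are all constructed for this demonstration.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>

#define SAMPLE_TOKEN "Basic dXNlcjpwYXNz"   /* constructed credential, not real */

struct request { const char *authorization; };  /* NULL when the header is absent */

/* Identity derived from a request. uid/gid 0 is root, so memory that happens
 * to be zero-filled reads as a root identity if nothing ever sets it. */
struct auth_ctx { uid_t uid; gid_t gid; bool authenticated; };

/* Stand-in for a real credential check: one constructed token maps to uid 1000. */
static bool lookup_credentials(const char *header, struct auth_ctx *ctx) {
    if (strcmp(header, SAMPLE_TOKEN) != 0) return false;
    ctx->uid = 1000; ctx->gid = 1000; ctx->authenticated = true;
    return true;
}

/* Vulnerable pattern (illustrative, not OMI's source): the credential check is
 * guarded by "header present", and ctx is never initialized on the other path,
 * so a request with no Authorization header succeeds with whatever the caller's
 * memory held; zero-filled memory means uid=0, gid=0. */
bool authorize_vulnerable(const struct request *req, struct auth_ctx *ctx) {
    if (req->authorization != NULL && !lookup_credentials(req->authorization, ctx))
        return false;
    return true;
}

/* Fixed pattern: fail closed. Start from an invalid identity, reject a missing
 * header explicitly, and succeed only on an actual credential match. */
bool authorize_fixed(const struct request *req, struct auth_ctx *ctx) {
    ctx->uid = (uid_t)-1; ctx->gid = (gid_t)-1; ctx->authenticated = false;
    if (req->authorization == NULL) return false;
    return lookup_credentials(req->authorization, ctx);
}

/* Run one header through a checker; return the uid granted, or -1 if rejected.
 * ctx is zero-filled to model the "lucky" memory contents of the real bug. */
static int granted_uid(bool (*check)(const struct request *, struct auth_ctx *),
                       const char *header) {
    struct request req = { header };
    struct auth_ctx ctx = {0};
    return check(&req, &ctx) ? (int)ctx.uid : -1;
}
int vulnerable_no_header(void)  { return granted_uid(authorize_vulnerable, NULL); }
int vulnerable_valid_token(void){ return granted_uid(authorize_vulnerable, SAMPLE_TOKEN); }
int fixed_no_header(void)       { return granted_uid(authorize_fixed, NULL); }
int fixed_valid_token(void)     { return granted_uid(authorize_fixed, SAMPLE_TOKEN); }
int fixed_wrong_token(void)     { return granted_uid(authorize_fixed, "Basic bm9wZQ=="); }
```

Note that the vulnerable version handles valid credentials correctly, which is why a bug of this shape survives functional testing; only the no-header path, which a static analyser or a negative test would flag, yields root.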

Hide and Seek | New Zloader Infection Chain Comes With Improved Stealth and Evasion Mechanisms

(published: September 14, 2021)

Researchers from SentinelLabs have discovered a new Zloader infection chain that disables Microsoft Defender Antivirus (formerly Windows Defender) on victims’ computers to evade detection. The actors behind this campaign have changed the malware delivery vector from spam or phishing emails to TeamViewer-themed Google ads published through Google AdWords, which redirect targets to fake download sites. From there, victims are tricked into downloading signed, malicious MSI installers designed to install Zloader payloads on their computers. The first-stage dropper has thus changed from the classic malicious document to a stealthy, signed MSI payload, which uses backdoored binaries and a series of living-off-the-land binaries and scripts (LOLBAS) to impair defenses and proxy execution.
Analyst Comment: Monitoring Windows event logs through a SIEM can help identify security configuration changes on endpoints. Application and device monitoring policies should be set to ensure that no untrusted process can modify important registry keys or configuration files.
MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Man in the Browser – T1185 | [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041
Tags: Malware, Terdot, Windows Defender, Zloader

Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike

(published: September 13, 2021)

Researchers at Intezer have discovered a previously undetected ELF Cobalt Strike beacon. First found in August 2021, the beacon, named Vermilion Strike, shares infrastructure and functionality with the Windows Cobalt Strike beacon and is a reimplementation for Linux. Vermilion Strike’s functionality includes getting and changing the working directory, appending and writing to files, listing files, retrieving disk partitions, and uploading files to the C2. The malware appears to be targeting multiple industries, including advisory, financial, IT, government, and telecom companies.
Analyst Comment: Users should be aware of the growing Linux threats. Anomali Match can be used to quickly search your infrastructure for known IOCs, in combination with a TIP (such as Anomali ThreatStream) to ingest and add context to IOCs and threat actors.
MITRE ATT&CK: [MITRE ATT&CK] Exfiltration Over C2 Channel – T1041 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] File and Directory Permissions Modification – T1222 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Abuse Elevation Control Mechanism – T1548 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Account Discovery – T1087 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Create or Modify System Process – T1543 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Man in the Browser – T1185 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Native API – T1106 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Network Share Discovery – T1135 | [MITRE ATT&CK] Standard Non-Application Layer Protocol – T1095 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Office Application Startup – T1137 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Protocol Tunneling – T1572 | [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] Remote Services – T1021 | [MITRE ATT&CK] Remote System Discovery – T1018 | [MITRE ATT&CK] Scheduled Transfer – T1029 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Subvert Trust Controls – T1553 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Network Connections Discovery – T1049 | [MITRE ATT&CK] System Services – T1569 | [MITRE ATT&CK] Use Alternate Authentication Material – T1550 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Windows Management Instrumentation – T1047
Tags: Cobalt Strike, ELF, Linux, Vermilion Strike

By admin