Anomali Cyber Watch: Gamaredon Delivers Four Pterodos At Once, Known-Plaintext Attack on Yanluowang Encryption, North Korea Targets Blockchain Industry, and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, CatalanGate, Cloud, Cryptocurrency, Information stealers, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems

(published: April 25, 2022)

Cybereason researchers have compared two trending attack chains, SocGholish and Zloader. Both begin with social engineering and malicious downloads masquerading as legitimate software, and both lead to data theft and possible ransomware deployment. SocGholish relies on drive-by downloads followed by user execution of a purported browser installer or browser update. Its JavaScript payload is obfuscated with random variable names and string manipulation: the attacker's domain names are stored reversed, with the genuine characters occupying only the odd index positions of the obfuscated string. Zloader infections start with the malware masquerading as a popular application such as TeamViewer. Zloader acts as an information stealer, backdoor, and downloader. Active since 2016, it continues to evolve and has acquired detection-evasion capabilities such as excluding its own processes from Windows Defender scanning and using living-off-the-land (LotL) binaries.
Analyst Comment: All applications should be carefully researched before being installed on a personal or work machine. Applications that request additional permissions upon installation should be vetted before those permissions are granted. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.
MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise – T1189 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Windows Management Instrumentation – T1047 | [MITRE ATT&CK] Masquerading – T1036 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets – T1558 | [MITRE ATT&CK] Steal Web Session Cookie – T1539 | [MITRE ATT&CK] Unsecured Credentials – T1552 | [MITRE ATT&CK] Remote System Discovery – T1018 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Account Discovery – T1087 | [MITRE ATT&CK] Domain Trust Discovery – T1482 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol – T1048
Tags: SocGholish, Zloader, Masquerading, LotL, Cobalt Strike, SharpView, Rubeus, Stracciatella, PowerShell, Seatbelt, PowerShellRunner, SharpChromium, TeamViewer, CVE-2013-3900, Drive-by
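The string transformation described in the SocGholish summary above (domain reversed, genuine characters at the odd index positions) can be undone mechanically. The following Python is an added example written for this digest, not SocGholish's own code or Cybereason's tooling. It assumes 0-based indexing and that the even positions hold filler characters; the JavaScript snippet it scans is constructed, and example.net is a placeholder domain.

```python
"""Decoder for the SocGholish-style domain obfuscation described above.

Added example (not SocGholish's code). Assumed scheme: the C2 domain is reversed
and its characters occupy only the odd 0-based indices of the stored string; every
even index holds a filler character that the decoder discards.
"""
import random
import re
import string

# Matches a plausible hostname: dotted labels plus an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Double- or single-quoted JavaScript string literals (no escapes needed for this scheme).
STR_LITERAL_RE = re.compile(r'"([^"\\]*)"' + "|" + r"'([^'\\]*)'")


def obfuscate_domain(domain: str, seed: int = 1) -> str:
    """Build an obfuscated string the way the text describes, for constructing test input:
    reverse the domain, then put a random filler character before each real character."""
    rng = random.Random(seed)
    out = []
    for ch in reversed(domain):
        out.append(rng.choice(string.ascii_letters + string.digits))  # even index: filler
        out.append(ch)                                                # odd index: real char
    return "".join(out)


def deobfuscate_domain(blob: str) -> str:
    """Inverse transform: keep the odd-index characters, then reverse."""
    return blob[1::2][::-1]


def find_hidden_domains(script: str) -> list[str]:
    """Try the inverse transform on every string literal in a script and keep
    only results that parse as hostnames, which filters out ordinary strings."""
    hits = []
    for double_quoted, single_quoted in STR_LITERAL_RE.findall(script):
        candidate = deobfuscate_domain(double_quoted or single_quoted)
        if DOMAIN_RE.match(candidate.lower()):
            hits.append(candidate)
    return hits


# Constructed sample: the first literal hides "example.net" (odd indices, reversed);
# the other two are decoys that must not decode to a hostname.
SAMPLE_JS = """var _0x4a = "qtXe7n4.ZeHlGpQmAaBx3e";
var _0x4b = 'Chrome update is available';
var _0x4c = "1.2.3";"""

if __name__ == "__main__":
    print(find_hidden_domains(SAMPLE_JS))  # ['example.net']
```

The hostname check is what makes the scanner usable on a real obfuscated file: every literal is a candidate, and only the ones whose odd-index characters reverse into a well-formed domain survive.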

TeamTNT Targeting AWS, Alibaba

(published: April 21, 2022)

TeamTNT, a German-speaking cryptojacking group, is actively modifying its scripts after security researchers made them public. The scripts primarily target Amazon Web Services (AWS) and DevOps environments such as Docker and Kubernetes. They impair defenses by disabling cloud security tools and agents from Alibaba Cloud Security, BMC Helix Cloud Security, and Tencent Cloud Monitor. Other malicious functionality includes credential theft, cryptocurrency mining, lateral movement, and persistence.
Analyst Comment: Organizations should monitor outbound cloud traffic for connections to TeamTNT servers and cryptocurrency mining pools. Configure an Amazon CloudWatch alarm for sustained, steady utilization of exactly 70%. Investigate whenever security or monitoring agents stop working or stop reporting. Limit use of the root user, and implement multi-factor authentication and security logging.
MITRE ATT&CK: [MITRE ATT&CK] Execution Guardrails – T1480 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Resource Hijacking – T1496 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Account Manipulation – T1098
Tags: TeamTNT, Alibaba, XMRig, Monero, Cryptomining, Cryptocurrency, Cryptojacking, Cloud, AWS, Docker, Kubernetes, bcm-agent, aegis agent
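The CloudWatch recommendation in the analyst comment above can be turned into a concrete alarm and checked offline. The following Python is an added example, not TeamTNT's scripts or any vendor's code. The 70% level comes from the comment; the 2-point tolerance band, the 5-minute period, the six-period window and the instance ID are assumptions, and the datapoints are constructed. It builds the put_metric_alarm request a boto3 caller would send (no AWS call is made) and re-implements the same rule locally so the logic can be verified.

```python
"""Alarm on CPU utilization that sits steadily at one level, as recommended above.

Added example (not TeamTNT's or AWS's code). 70% is the level named in the analyst
comment; the tolerance band, period, evaluation window and instance ID are assumptions.
No AWS call is made: the function returns the put_metric_alarm() keyword arguments,
and a local evaluator applies the identical rule to constructed datapoints.
"""
from statistics import mean

TARGET_CPU = 70.0   # from the analyst comment
BAND = 2.0          # assumption: tolerance around the target, in percentage points
PERIOD_SEC = 300    # assumption: 5-minute CloudWatch periods
EVAL_PERIODS = 6    # assumption: 30 minutes of steady load before alarming


def steady_cpu_alarm(instance_id, target=TARGET_CPU, band=BAND,
                     period=PERIOD_SEC, eval_periods=EVAL_PERIODS):
    """Return kwargs for boto3 `cloudwatch.put_metric_alarm(**spec)`.

    A plain threshold alarm fires on any busy instance. A metric-math expression
    instead yields 1 only when the period average stays inside [target-band, target+band],
    and the alarm requires every one of the last `eval_periods` datapoints to be 1.
    """
    lo, hi = target - band, target + band
    return {
        "AlarmName": f"steady-cpu-{instance_id}",
        "AlarmDescription": f"CPU held within {band} pts of {target}% for {eval_periods} periods",
        "Metrics": [
            {
                "Id": "cpu",
                "ReturnData": False,
                "MetricStat": {
                    "Metric": {
                        "Namespace": "AWS/EC2",
                        "MetricName": "CPUUtilization",
                        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
                    },
                    "Period": period,
                    "Stat": "Average",
                },
            },
            {
                "Id": "steady",
                "ReturnData": True,
                "Expression": f"IF(AND(cpu >= {lo}, cpu <= {hi}), 1, 0)",
            },
        ],
        "EvaluationPeriods": eval_periods,
        "DatapointsToAlarm": eval_periods,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
    }


def evaluate_steady_cpu(samples, target=TARGET_CPU, band=BAND,
                        period=PERIOD_SEC, eval_periods=EVAL_PERIODS):
    """Local re-implementation of the alarm rule.

    samples: list of (epoch_seconds, cpu_percent). Raw points are bucketed into
    periods and averaged (CloudWatch's Average statistic); the state is ALARM only
    if the last `eval_periods` consecutive periods all fall inside the band.
    """
    buckets = {}
    for ts, cpu in samples:
        buckets.setdefault(ts // period, []).append(cpu)
    keys = sorted(buckets)
    if len(keys) < eval_periods:
        return "INSUFFICIENT_DATA"
    last = keys[-eval_periods:]
    if last[-1] - last[0] != eval_periods - 1:   # a gap in the series: treat as missing data
        return "INSUFFICIENT_DATA"
    lo, hi = target - band, target + band
    steady = all(lo <= mean(buckets[k]) <= hi for k in last)
    return "ALARM" if steady else "OK"


# Constructed datapoints: one per minute over six 5-minute periods.
_T0 = 1_650_000_000
MINER_SAMPLES = [(_T0 + 60 * i, 70.0 + (0.4 if i % 2 else -0.3)) for i in range(30)]   # pinned miner
BURSTY_SAMPLES = [(_T0 + 60 * i, 95.0 if (i // 5) % 2 else 5.0) for i in range(30)]    # normal batch job

if __name__ == "__main__":
    print(evaluate_steady_cpu(MINER_SAMPLES), evaluate_steady_cpu(BURSTY_SAMPLES))  # ALARM OK
```

To create the alarm, pass the returned dict to `boto3.client("cloudwatch").put_metric_alarm(**spec)` together with an `AlarmActions` list naming the SNS topic to notify. The bursty series averages far from 70% in every period, so it never alarms, while the miner series is flagged even though no single sample is exactly 70.0.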

Criminals Provide Ginzo Stealer for Free, Now It is Gaining Traction

(published: April 21, 2022)

The Ginzo stealer was first advertised on a Russian-speaking hacker forum at the beginning of March 2022. Initially offered for free, Ginzo drew significant interest from other threat actors, resulting in more than 400 Ginzo stealer binaries appearing on VirusTotal between March 20 and 30, 2022. The Ginzo actors are now starting to offer Ginzo as a paid service. Because exfiltration is routed through their server, they also retain access to the data their customers steal. Ginzo is obfuscated with ConfuserEx; strings are decrypted on the fly from data initialized at runtime, so automated deobfuscation alone is not sufficient for researchers.
Analyst Comment: Information stealing is a common and prevalent threat facing individuals and organizations around the world. Education on frequently-used delivery methods such as malspam and phishing emails can help prevent infection. In addition, maintain efficient log management policies to identify potentially abnormal network activity.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Resource Hijacking – T1496 | [MITRE ATT&CK] Data Staged – T1074 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Archive Collected Data – T1560
Tags: Ginzo, Information stealer, ConfuserEx, Electrum, Exodus, Cryptocurrency, Coinbase

Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine

(published: April 20, 2022)

The Russia-linked cyberespionage group Gamaredon (Primitive Bear, Shuckworm) continues to target Ukrainian organizations. After gaining access to a victim computer through phishing, the group deploys multiple variants of the same malware, Backdoor.Pterodo (Pteranodon), that share functionality and obfuscation techniques but use different command-and-control (C2) servers. Symantec researchers observed four variants in recent attacks: all are Visual Basic Script (VBS) droppers that drop a VBScript file, use Scheduled Tasks for persistence, and download additional code from a C2 server. Gamaredon also uses UltraVNC, an open-source remote-administration tool, and Process Explorer, a Microsoft Sysinternals tool.
Analyst Comment: Gamaredon relies on large volumes of phishing email, so it is important to provide anti-phishing training and to discourage users from enabling editing in, or otherwise interacting with, unexpected or suspicious attachments. Defense in depth (layered security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497 | [MITRE ATT&CK] Remote Access Tools – T1219
Tags: Gamaredon, Primitive Bear, Shuckworm, APT, Russia, source-country:RU, Ukraine, target-country:UA, VBS, Backdoor.Pterodo, Pteranodon, Scheduled Tasks, UltraVNC, Process Explorer, Cyberespionage

BlackCat/ALPHV Ransomware Indicators of Compromise

(published: April 20, 2022)

The Federal Bureau of Investigation (FBI) published new details on the operation and command-and-control (C2) infrastructure of the BlackCat/ALPHV ransomware. The BlackCat/ALPHV ransomware-as-a-service (RaaS) operation has compromised over 60 entities worldwide, with initial ransom demands of several million dollars in Bitcoin and Monero. BlackCat affiliates use previously compromised credentials for initial access, then compromise Active Directory and abuse Windows Task Scheduler to configure malicious Group Policy Objects (GPOs) that deploy the ransomware.
Analyst Comment: Organizations should audit user accounts with administrative privileges and configure access controls on the principle of least privilege. Implement network segmentation, and keep backup copies offline, air-gapped, and password-protected. Use multifactor authentication (MFA) wherever possible.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Group Policy Modification – T1484 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Impair Defenses – T1562 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: BlackCat, Ransomware, BlackMatter, DarkSide, ALPHV, CVE-2021-31207, Rust, Bitcoin, Monero, Powershell, Active Directory, Group Policy Objects, Cobalt Strike

How to Recover Files Encrypted by Yanluowang

(published: April 18, 2022)

Since October 2021, the Yanluowang ransomware group has conducted human-operated, highly targeted attacks against enterprises located mostly in Brazil, Turkey, and the US. The initial infection vector is currently unknown. Files are encrypted with the Sosemanuk stream cipher; the Sosemanuk key is then encrypted with RSA-1024, and the RSA public key is itself embedded in the binary encrypted with RC4 under a string key that is also hard-coded in the ransomware. Files under 3 GB are encrypted from beginning to end; larger files are encrypted in stripes of 5 MB after every 200 MB. The extortionists additionally threaten data exposure, DDoS attacks, and repeat compromise with data wiping. Kaspersky researchers found a known-plaintext weakness in Yanluowang's encryption and offer the free Rannoh Decryptor, which can recover files if the victim can provide a couple of original (unencrypted) files.
Analyst Comment: Keep your company’s VPN solutions updated. Do not expose Remote Desktop Protocol (RDP) and other remote desktop services to public networks unless absolutely necessary, and always protect them using strong passwords. Focus on detecting lateral movement and data exfiltration.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Network Denial of Service – T1498 | [MITRE ATT&CK] Inhibit System Recovery – T1490 | [MITRE ATT&CK] Data Destruction – T1485 | [MITRE ATT&CK] Service Stop – T1489 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] System Network Connections Discovery – T1049
Tags: Yanluowang, Ransomware, USA, target-country:US, Brazil, target-country:BR, Turkey, target-country:TR, Free decryptor, Extortion, DDoS, Data exposure, Data destruction, Sosemanuk, RSA-1024, RC4
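The known-plaintext attack mentioned above works because a stream cipher only XORs a keystream into the data: one original/encrypted file pair gives the keystream back, and if the ransomware applies the same keystream to every file (the property assumed here; the summary does not spell out the exact flaw Kaspersky found), that keystream decrypts any other file up to the same length. The following Python is an added example, not Kaspersky's Rannoh Decryptor or Yanluowang code. A toy SHA-256 counter generator stands in for Sosemanuk, since the attack does not depend on the cipher's internals, and the striping rule from the summary is modelled on the assumption that the first 5 MB stripe starts at offset 0; all files and keys are constructed.

```python
"""Known-plaintext recovery against stream-cipher ransomware that reuses its keystream.

Added example, not Kaspersky's decryptor or Yanluowang's code. A toy SHA-256 counter
generator stands in for Sosemanuk: the attack uses only C = P XOR keystream and the
assumed reuse of one keystream for every file. Size constants model the text's striping rule.
"""
import hashlib

MB = 1024 * 1024
FULL_ENCRYPT_LIMIT = 3 * 1024 * MB   # files below this are encrypted end to end
STRIPE_LEN = 5 * MB                  # larger files: 5 MB encrypted ...
STRIPE_PERIOD = 200 * MB             # ... after every 200 MB (assumed: first stripe at offset 0)


def encrypted_ranges(size: int) -> list[tuple[int, int]]:
    """Byte ranges [start, end) the ransomware touches in a file of `size` bytes."""
    if size < FULL_ENCRYPT_LIMIT:
        return [(0, size)]
    return [(off, min(off + STRIPE_LEN, size)) for off in range(0, size, STRIPE_PERIOD)]


def toy_keystream(key: bytes, n: int) -> bytes:
    """Stand-in for Sosemanuk: deterministic bytes from SHA-256 in counter mode."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "little")).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ransomware_encrypt(key: bytes, data: bytes) -> bytes:
    """Models the flaw: the same key, hence the same keystream, for every file."""
    return xor(data, toy_keystream(key, len(data)))


def recover_keystream(pairs) -> bytes:
    """pairs: (original, encrypted) file pairs the victim still has.

    Each pair yields keystream = original XOR encrypted. Pairs must agree on their
    overlap; a mismatch means the keystream is not reused and the attack fails.
    The longest pair determines how far other files can be decrypted.
    """
    ks = b""
    for plain, enc in pairs:
        n = min(len(plain), len(enc))
        cand = xor(plain[:n], enc[:n])
        overlap = min(len(ks), n)
        if ks[:overlap] != cand[:overlap]:
            raise ValueError("keystreams differ between files: no reuse to exploit")
        if n > len(ks):
            ks = cand
    return ks


def decrypt_with_keystream(ks: bytes, enc: bytes) -> tuple[bytes, int]:
    """Decrypt as far as the recovered keystream reaches.
    Returns (recovered_prefix, bytes_still_encrypted)."""
    n = min(len(ks), len(enc))
    return xor(enc[:n], ks[:n]), len(enc) - n


# Constructed victim data: two files whose originals survived, two without originals.
SESSION_KEY = b"constructed-per-victim-key"
DOC_A = (b"Quarterly report: revenue, costs, headcount.\n" * 50)[:2000]
DOC_B = (b"Meeting notes\n" * 50)[:600]
DOC_C = bytes(range(256)) * 6                        # 1536 bytes of binary content
DOC_D = (b"Invoice 2021-10 total due\n" * 200)[:3000]
ENC_A, ENC_B, ENC_C, ENC_D = (ransomware_encrypt(SESSION_KEY, d) for d in (DOC_A, DOC_B, DOC_C, DOC_D))

if __name__ == "__main__":
    ks = recover_keystream([(DOC_A, ENC_A), (DOC_B, ENC_B)])
    print(len(ks))                                # 2000 bytes of keystream recovered
    print(decrypt_with_keystream(ks, ENC_C)[1])  # 0: DOC_C fully recovered
    print(decrypt_with_keystream(ks, ENC_D)[1])  # 1000: tail of DOC_D stays encrypted
```

This is why the summary says a victim needs "a couple of original files": the longest surviving original bounds how much of any other file can be recovered, and anything past that length stays encrypted. The mismatch check matters too; if two pairs disagree on their overlap, the keystream is not shared and no amount of known plaintext helps.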

CatalanGate: Extensive Mercenary Spyware Operation Against Catalans Using Pegasus and Candiru

(published: April 18, 2022)

Citizen Lab researchers describe CatalanGate, a prolific cyberespionage campaign that targeted Catalonia, Spain from 2017 through 2020. Victims included Catalan presidents and some of their relatives, jurists, members of the European Parliament, legislators, and members of civil society organizations. The campaign, which aligns with the objectives of the Spanish government, used two mercenary providers of cyberespionage services: NSO Group and Candiru. Some spearphishing messages demonstrated knowledge of the victim's name, business situation, and even tax identification number. Other attacks used zero-day exploits, including the zero-click HOMAGE exploit against iOS and the Windows kernel flaws CVE-2021-31979 and CVE-2021-33771.
Analyst Comment: Study mercenary spyware vendors' malicious infrastructure so that ongoing infections on your organization's networks can be detected. Keep devices updated with the latest security patches. If your threat model includes being targeted with zero-click zero-day exploits, isolate your networks and move sensitive conversations offline.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Video Capture – T1125 | [MITRE ATT&CK] Audio Capture – T1123 | [MITRE ATT&CK] File and Directory Discovery – T1083
Tags: HOMAGE, NSO Group, Pegasus spyware, Candiru, Saito Tech Ltd., Smishing, Spearphishing, Zero-click, Zero-day, iMessage, Kismet, Spain, source-country:ES, Catalonia, target-region:Catalonia, CVE-2019-3568, CVE-2021-31979, CVE-2021-33771

Alert (AA22-108A) TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies

(published: April 18, 2022)

Three US agencies issued a joint advisory on a new campaign by the North Korea-sponsored group Lazarus that targets the blockchain industry. The campaign starts with phishing that delivers TraderTraitor, a family of malicious applications built on open-source projects. The apps are cross-platform JavaScript running on the Node.js runtime with the Electron framework, and they pose as cryptocurrency trading or price-prediction tools. TraderTraitor downloads an encrypted payload and its decryption key through its "update" function. The payload is the Manuscrypt RAT, which lets the Lazarus operators propagate across the victim's network, steal private keys, and ultimately steal cryptocurrency.
Analyst Comment: Blockchain-related organizations should scrutinize downloads of third-party cryptocurrency applications and implement email and domain mitigations. Apply least-access models and defense in depth to user and application privileges. Segment networks into zones based on roles and requirements.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Unsecured Credentials – T1552 | [MITRE ATT&CK] Application Layer Protocol – T1071
Tags: TraderTraitor, Lazarus Group, Lazarus, APT, Manuscrypt, North Korea, source-country:KP, APT38, BlueNoroff, Stardust Chollima, Blockchain, Cryptocurrency, DeFi, Banking and finance, Non-fungible tokens, NFTs, Social engineering, Windows, macOS

Observed Threats

Additional information regarding the threats discussed in this week’s Anomali Cyber Watch can be found below:

TeamTNT
TeamTNT is a German- and English-speaking group that has targeted cloud environments since at least August 2020. The group primarily engages in cryptojacking (Monero mining) of vulnerable Docker and Kubernetes systems. It uses open-source tools as well as malware it developed itself: distributed denial-of-service (DDoS) malware (TNTbotinger) and wormable cryptojacking malware (Black-T, Hildegard, Cetus).

Gamaredon Group
The Advanced Persistent Threat (APT) group "Gamaredon" is believed to be a Russia-based group that has been active since at least 2013. It is known for cyberespionage campaigns targeting the Ukrainian government, law enforcement officials, media, and military. According to Palo Alto Networks Unit 42 researchers, the Lookingglass Cyber Threat Intelligence Group first reported Gamaredon in its April 2015 report on a cyberespionage campaign dubbed "Operation Armageddon". In February 2017, Unit 42 named the group "Gamaredon Group" because they assessed that it conducted Operation Armageddon.

Lazarus Group
The Advanced Persistent Threat (APT) group "Lazarus Group" is believed to be based in the Democratic People's Republic of Korea (DPRK) and has been active since at least 2009. Lazarus Group is believed to be composed of operatives from "Bureau 121" (121국), the cyber warfare division of North Korea's Reconnaissance General Bureau. The Reconnaissance General Bureau was formed in a 2009 reorganization, but its exact structure is not known because of North Korea's denial and deception tactics. Bureau 121 is North Korea's most important cyber unit and is used for both offensive and defensive operations. South Korean open-source media refer to Bureau 121 as the "Electronic Reconnaissance Bureau's Cyber Warfare Guidance Bureau" (전자정찰국 사이버전지도국). In the North Korean context, the term "guidance" often denotes that an organization is personally overseen by the head of state as a strategically significant entity. Lazarus Group has targeted financial organizations since at least July 2009. The group is well known for data destruction/disk-wiping attacks and distributed denial-of-service (DDoS) attacks, typically against the Republic of Korea (South Korea). Its targets span South Korean and US government organizations, non-governmental organizations (NGOs), media and entertainment, shipping and transportation, and Korean hydro and nuclear power; the group has also been associated with jamming of South Korean GPS.

CVE-2013-3900
The WinVerifyTrust function in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate PE file digests during Authenticode signature verification, which allows remote attackers to execute arbitrary code via a crafted PE file, aka “WinVerifyTrust Signature Validation Vulnerability.”

CVE-2019-3568
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

CVE-2021-31207
Microsoft Exchange Server Security Feature Bypass Vulnerability

CVE-2021-33771
Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-31979 and CVE-2021-34514.

CVE-2021-31979
Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-33771 and CVE-2021-34514.