Anomali Cyber Watch: Moshen Dragon Abused Anti-Virus Software, Raspberry Robin Worm Jumps from USB, UNC3524 Uses Internet-of-Things to Steal Emails, and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cyberespionage, Phishing, Ransomware, Sideloading, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Attackers Are Attempting to Exploit Critical F5 BIG-IP RCE

(published: May 9, 2022)

CVE-2022-1388, a critical remote code execution vulnerability affecting F5 BIG-IP multi-purpose networking devices/modules, was made public on May 4, 2022. It is of high severity (CVSSv3 score is 9.8). By May 6, 2022, multiple researchers have developed proof-of concept (PoC) exploits for CVE-2022-1388. The first in-the-wild exploitation attempts were reported on May 8, 2022.
Analyst Comment: Update your vulnerable F5 BIG-IP versions 13.x and higher. BIG-IP 11.x and 12.x will not be fixed, but temporary mitigations available: block iControl REST access through the self IP address and through the management interface, modify the BIG-IP httpd configuration.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190
Tags: CVE-2022-1388, F5, Vulnerability, Remote code execution, Missing authentication

Mobile Subscription Trojans and Their Little Tricks

(published: May 6, 2022)

Kaspersky researchers analyzed five Android trojans that are secretly subscribing users to paid services. Jocker trojan operators add malicious code to legitimate apps and re-upload them to Google Store under different names. To avoid detection, malicious functionality won’t start until the trojan checks that it is available in the store. The malicious payload is split in up to four files. It can block or substitute anti-fraud scripts, and modify X-Requested-With header in an HTTP request. Another Android malware involved in subscription fraud, MobOk trojan, has additional functionality to bypass captcha. MobOk was seen in a malicious app in Google Store, but the most common infection vector is being spread by other Trojans such as Triada.
Analyst Comment: Limit your apps to downloads from the official stores (Google Store for Android), avoid new apps with low number of downloads and bad reviews. Pay attention to the terms of use and payment. Avoid granting it too many permissions if those are not crucial to the app alleged function. Monitor your balance and subscription list.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Data Manipulation – T1565
Tags: Android, Jocker, MobOk, Triada, Vesub, GriftHorse, Trojan, Subscription fraud, Subscription Trojan, Russia, target-country:RU, Middle East, Saudi Arabia, target-country:SA, Egypt, target-country:EG, Thailand, target-country:TH

Raspberry Robin Gets the Worm Early

(published: May 5, 2022)

Since September 2021, Red Canary researchers monitor Raspberry Robin, a new worm typically installed via a USB drive targeting organizations with ties to technology and manufacturing. The malicious USB has an LNK file masquerading as a folder that is being activated through modification in the UserAssist registry. The actor uses compromised QNAP devices to stage malicious DLL and TOR traffic for further command-and-control (C2) communication. Raspberry Robin extensively uses mixed-case letters in its commands in an attempt to evade detection.
Analyst Comment: It is crucial that your company has policies in place that forbid employees from using unknown USB drives. Identify the use of Windows Installer Tool msiexec.exe to download and execute packages in the command-line interface (CLI). Detect the Windows Open Database Connectivity utility (odbcconf.exe) loading a configuration file or DLL. Detect regsvr32.exe, rundll32.exe, and dllhost.exe making external network connections with no parameters.
MITRE ATT&CK: [MITRE ATT&CK] Replication Through Removable Media – T1091 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218
Tags: Raspberry Robin, USB, LNK, DLL, Mixed-case command, UserAssist registry, ROT-13, msiexec, Windows, QNAP NAS, TOR, Worm, Manufacturing

Update on Cyber Activity in Eastern Europe

(published: May 3, 2022)

Google researchers describe five advanced groups especially active in Eastern Europe in regard to the military conflict between Russia and Ukraine. Three Russian groups: Fancy Bear (APT28) targets Ukraine with phishing attachments delivering a new information stealer written in .Net. Another group, Turla, attributed to Russia’s Federal Security Services (FSB), targets defense and cybersecurity organizations in Baltic states with phishing links dropping a malicious DOCX that would download a malicious PNG file. GoldRiver (Callisto) group abuses Google and Microsoft services in their credential-stealing phishing attempts with targets including government and defense officials, journalists, NGOs and think tanks, and politicians. Belarus-sponsored group Ghostwriter spoofed Google to target Ukraine and Facebook to target Lithuania. Curious George, a group attributed to China’s The People’s Liberation Army Strategic Support Force (PLASSF), is targeting government, logistics, manufacturing, and military organizations in Central Asia, Russia and Ukraine, including Russia’s Ministry of Foreign Affairs.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from advanced persistent threats (APTs), including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Many advanced attacks start with basic techniques such as unwarranted email with malicious attachment that requires the user interaction. It is important to teach your users basic online hygiene and phishing awareness.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] Steal Web Session Cookie – T1539 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: Ukraine, target-country:UA, Russia, source-country:RU, Belarus, source-country:BY, China, source-country:CN, Lithuania, target-country:LT, APT28, Fancy Bear, Turla, FSB, GoldRiver, Callisto, Ghostwriter, Curious George, PLA SSF, Phishing, Windows, Ukraine-Russia Conflict 2022

Moshen Dragon’s Triad-and-Error Approach | Abusing Security Software to Sideload PlugX and ShadowPad

(published: May 2, 2022)

SentinelOne researchers describe Moshen Dragon, a China-based threat group targeting Central Asia. Moshen Dragon abused binaries from BitDefender, Kaspersky, McAfee, Symantec, and TrendMicro. They performed a specific DLL search order hijacking attack called sideloading triad where the hijacked security software DLLs were used to decrypt and load the final payloads from the third file in the same folder. Moshen Dragon used ShadowPad and PlugX payloads, Gunters loader, and a Local Security Authority (LSA) Notification Package (SecureFilter).
Analyst Comment: The observed abuse of different anti-virus products does not directly point to their insecurity, as it shows an advanced actor utilizing known Windows design limitations. Organizations can use behavioral monitoring capabilities to better detect anomalous behavior, detecting when files and data are accessed that are outside the normal working hours or job specification of the account holder. Defense-in-depth can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.
MITRE ATT&CK: [MITRE ATT&CK] Hijack Execution Flow – T1574 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Windows Management Instrumentation – T1047 | [MITRE ATT&CK] OS Credential Dumping – T1003
Tags: Moshen Dragon, Gunters, PlugX, Shadowpad, China, source-country:CN, Central Asia, Windows, DLL search order hijacking, Sideloading triad, Impacket, wmiexec, SecureFilter

UNC3524: Eye Spy on Your Email

(published: May 2, 2022)

Mandiant researchers detected an advanced threat group, designated as UNC3524, that targets organization networks to steal emails from IT departments, executives, and those responsible for mergers and acquisitions. In the victim networks, they target trusted systems such as load balancers, Storage Area Network (SAN) arrays, and wireless access point controllers that might be running older versions of BSD or CentOS. These systems are often unsupported by agent-based security tools allowing attackers to stealthily deploy their QuietExit backdoor that acts as a SSH client-server. Command-and-control (C2) communication goes from an Internet-of-Things (IoT) botnet consisting mostly of LifeSize conference room camera systems. UNC3524 actors use a heavily obfuscated version of ReGeorg web-shell as a backup backdoor for re-infection, move laterally using WMIEXEC, and target selected mailboxes in either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment.
Analyst Comment: Defenders should hunt for outbound SSH traffic from unknown IPs and from ports other than 22. Investigate large volumes of outbound traffic from NAS arrays and load balancers. Identify devices on your network that do not support monitoring tools, harden them, limit or block egress traffic from such devices.
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Network Connections Discovery – T1049 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Software Discovery – T1518 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Two-Factor Authentication Interception – T1111 | [MITRE ATT&CK] Email Collection – T1114 | [MITRE ATT&CK] Remote Services – T1021 | [MITRE ATT&CK] Logon Scripts – T1037 | [MITRE ATT&CK] Account Manipulation – T1098 | [MITRE ATT&CK] Server Software Component – T1505 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Standard Non-Application Layer Protocol – T1095 | [MITRE ATT&CK] Protocol Tunneling – T1572 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Masquerading – T1036
Tags: QuietExit, UNC3524, ReGeorg, Cyberespionage, Microsoft Exchange, Email collection, IoT, Botnet, Persistence, Dropbear SSH, WMIEXEC, SOCKS, BSD, CentOS, LifeSize, Dynamic DNS, APT

REvil Ransomware Returns: New Malware Sample Confirms Gang is Back

(published: May 1, 2022)

The REvil (Sodinokibi, Pinchy Spider) ransomware group resumed its operations. In October 2021, the group shut down after a law enforcement operation hijacked their Tor servers, and Russian police arrested some of its members. At the end of April 2022, the group became active on its ransom websites listing new and old victims, and on April 29, 2022, researchers detected a new sample of their encryptor compiled from its source code that includes new changes. The new REvil sample is highly targeted: it includes a new configuration field, ‘accs,’ with credentials for the specific victim (specified accounts and Windows domains), preventing encryption on devices outside of the intended target.
Analyst Comment: It is crucial that your company ensure that servers are always running the most current software version. Your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice defense-in-depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe). Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] System Owner/User Discovery – T1033
Tags: Pinchy Spider, Sodinokibi, REvil, Ransomware, Windows, Russia, source-country:RU

Russian Hackers Compromise Embassy Emails to Target Governments

(published: May 1, 2022)

In January-March 2022, APT29 (Cozy Bear, Nobelium, attributed to Russia’s Foreign Intelligence Service (SVR)) targeted diplomats and government entities with phishing attacks from previously compromised diplomatic email addresses. To mask their command-and-control (C2) traffic, attackers used compromised websites and abused legitimate services such as Atlassian Trello, Firebase, or DropBox. They used a customized Cobalt Strike Beacon backdoor and a number of custom malware: BeatDrop downloader, BoomMic (VaporRage) shellcode downloader, and RootSaw (EnvyScout) dropper.
Analyst Comment: Anti-phishing training should include ways to verify the authenticity of the received email such as a phone call. Network defenders advised to configure a system to explode suspicious emails in a sandbox environment, for example, as provided by Anomali XDR (ThreatStream).
MITRE ATT&CK: [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Indicator Removal on Host – T1070 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Indirect Command Execution – T1202 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497 | [MITRE ATT&CK] Hide Artifacts – T1564 | [MITRE ATT&CK] Hijack Execution Flow – T1574 | [MITRE ATT&CK] Windows Management Instrumentation – T1047 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] System Services – T1569 | [MITRE ATT&CK] External Remote Services – T1133 | [MITRE ATT&CK] Trusted Relationship – T1199 | [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] System Service Discovery – T1007 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] System Network Connections Discovery – T1049 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Permission Groups Discovery – T1069 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Account Discovery – T1087 | [MITRE ATT&CK] Domain Trust Discovery – T1482 | [MITRE ATT&CK] Software Discovery – T1518 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Data from Network Shared Drive – T1039 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Data Staged – T1074 | [MITRE ATT&CK] Data from Information Repositories – T1213 | [MITRE ATT&CK] Archive Collected Data – T1560 | [MITRE ATT&CK] Remote Services – T1021 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Unsecured Credentials – T1552 | [MITRE ATT&CK] Steal or Forge Kerberos Tickets – T1558 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Standard Non-Application Layer Protocol – T1095 | [MITRE ATT&CK] Web Service – T1102 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Non-Standard Port – T1571 | [MITRE ATT&CK] Encrypted Channel – T1573 | [MITRE ATT&CK] Account Manipulation – T1098 | [MITRE ATT&CK] Create or Modify System Process – T1543 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Service Stop – T1489 | [MITRE ATT&CK] System Shutdown/Reboot – T1529 | [MITRE ATT&CK] Data Transfer Size Limits – T1030
Tags: APT29, Cozy Bear, Nobelium, SVR, BeatDrop, BoomMic, VaporRage, Cobalt Strike Beacon, RootSaw, EnvyScout, ISO, LNK, Trello, Firebase, DropBox, Russia, source-country:RU, Government, Embassy, Poland, Turkey, France

Observed Threats

Additional information regarding the threats discussed in this week’s Anomali Cyber Watch can be found below:

APT28
The Advanced Persistent Threat (APT) group “APT28” is believed to be a Russian-sponsored group that has been active since at least 2007. The group displays high levels of sophistication in the multiple campaigns that they have been attributed to, and various malware and tools used to conduct the operations align with the strategic interests of the Russian government. The group is believed to operate under the Main Intelligence Directorate (GRU), the foreign intelligence agency of the Russian armed forces.

APT29
The Advanced Persistent Threat (APT) group “APT29” is a Russian-based group that was first reported on in July 2013 by Kaspersky and CrySyS Lab researchers. Prior to this report, malicious activity had been observed but not yet attributed to one sophisticated group. The group boasts an arsenal of custom and complex malwares at its disposal and is believed to be sponsored by the Russian Federation government. APT29 conducts cyber espionage campaigns and has been active since at least 2008. The group primarily targets government entities and organizations that work in geopolitical affairs around the world, however, a plethora of other targets have also been identified.

Pinchy Spider
Pinchy Spider is a Russian-speaking threat group that run a Ransomware-as-a-Service (RaaS). The threat group has been active since January 2018 when they announced the GandCrab RaaS on the “exploit[.]in” forum. The GandCrab RaaS was discontinued in June 2019 in favour of the newer RaaS Sodinokibi/REvil.

CVE-2022-1388
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.