Anomali Cyber Watch: Sandworm Uses HTML Smuggling and Commodity RATs, BlackCat Ransomware Adds New Features, Domain Shadowing Is Rarely Detected, and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, Fraud, Inbound connectors, Phishing, Ransomware, Russia, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

A Multimillion Dollar Global Online Credit Card Scam Uncovered

(published: September 23, 2022)

ReasonLabs researchers discovered a large network of fake dating and customer support websites involved in credit card fraud operations. The threat actor builds a basic website, registers it with a payment processor (RocketGate), buys credit card data from other threat actors, and subscribes the victims to monthly charging plans. The US was the most targeted country, with a smaller number of sites targeting France. To pass the processor's checks and keep the number of chargebacks low, the actor avoided test charges, used a generic billing name, charged only a small amount typical for the industry, and hired a legitimate support center provider that offered effortless cancellation and refunds.
Analyst Comment: Users are advised to regularly check their bank statements and dispute fraudulent charges. Researchers can identify a fraudulent website by the overwhelming dominance of direct-traffic visitors from a single country, a small network of fake profiles, and a physical address typed onto a picture to avoid indexing.
Tags: Credit card, Fraud, Scam, Chargeback, Payment processor, Fake dating site, USA, target-country:US, France, target-country:FR, target-sector:Finance NAICS 52

Malicious OAuth Applications Used to Compromise Email Servers and Spread Spam

(published: September 22, 2022)

Microsoft researchers described a relatively stealthy abuse of a compromised Exchange server used to send fraudulent spam emails. After using valid credentials to gain access, the actor deployed a malicious OAuth application, granted it admin privileges, and used it to change Exchange settings. The first modification created a new inbound connector that allowed mail from certain actor-controlled IPs to flow through the victim's Exchange server and appear to originate from the compromised Exchange domain. Second, 12 new transport rules were created to delete certain anti-spam email headers.
Analyst Comment: If you manage an Exchange server, strengthen account credentials and enable multifactor authentication. Investigate any alerts regarding suspicious email sending or the removal of anti-spam headers.
MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Indicator Removal on Host – T1070
Tags: Exchange, Microsoft, PowerShell, Inbound connector, Transport rule, Fraud, Spam
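
Triage of the two configuration changes described above, added here as an example and not code from the Microsoft report: it walks Exchange admin-audit records (assumed layout of unified-audit-log entries, constructed sample) and flags inbound connectors that accept relay from ranges outside the organisation's known relays, and transport rules that remove anti-spam headers. The account names, ranges and the `known_ranges` default are assumptions.

```python
import ipaddress
import re

# Constructed records shaped like Exchange admin-audit entries exported from the
# unified audit log (assumed layout: Operation, UserId, ObjectId and a Parameters
# list of {Name, Value} pairs). Names, addresses and ranges are placeholders.
SAMPLE_AUDIT = [
    {"Operation": "New-InboundConnector", "UserId": "svc-oauth-app@contoso.example",
     "ObjectId": "Connector-01",
     "Parameters": [{"Name": "ConnectorType", "Value": "OnPremises"},
                    {"Name": "SenderIPAddresses", "Value": "198.51.100.0/24"},
                    {"Name": "RequireTls", "Value": "False"}]},
    {"Operation": "New-TransportRule", "UserId": "svc-oauth-app@contoso.example",
     "ObjectId": "Rule 07",
     "Parameters": [{"Name": "RemoveHeader", "Value": "X-MS-Exchange-Organization-SCL"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@contoso.example",
     "ObjectId": "alice",
     "Parameters": [{"Name": "ProhibitSendQuota", "Value": "50 GB"}]},
]

CONNECTOR_OPS = {"New-InboundConnector", "Set-InboundConnector"}
RULE_OPS = {"New-TransportRule", "Set-TransportRule"}
# Header names whose removal hides spam verdicts; heuristic, case-insensitive.
ANTISPAM_HEADER_RE = re.compile(r"antispam|spam|-scl$", re.IGNORECASE)

def _params(record):
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def triage(records, known_ranges=("203.0.113.0/24",)):
    """Return findings for connectors that relay from unknown ranges and for
    rules that strip anti-spam headers. known_ranges are the organisation's
    legitimate relay CIDRs (assumed; the default is a placeholder)."""
    known = [ipaddress.ip_network(r) for r in known_ranges]
    findings = []
    for rec in records:
        op, params = rec.get("Operation"), _params(rec)
        who = {"op": op, "actor": rec.get("UserId"), "object": rec.get("ObjectId")}
        if op in CONNECTOR_OPS and "SenderIPAddresses" in params:
            for cidr in params["SenderIPAddresses"].split(","):
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                if not any(net.version == k.version and net.subnet_of(k) for k in known):
                    findings.append({**who, "reason": f"connector relays mail from unknown range {net}"})
        elif op in RULE_OPS and "RemoveHeader" in params:
            header = params["RemoveHeader"]
            if ANTISPAM_HEADER_RE.search(header):
                findings.append({**who, "reason": f"rule strips anti-spam header {header}"})
    return findings
```

Grouping the findings by actor is the useful next step: a single service principal creating one connector and a burst of header-stripping rules is the shape of the intrusion described above.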

NFT Malware Gets New Evasion Abilities

(published: September 22, 2022)

Morphisec researchers describe a campaign targeting non-fungible token (NFT) communities since November 2020. A malicious link is sent via a Discord or other forum private message, framed as a phishing lure related to an NFT or financial opportunity. If the user clicks through, a malicious downloader is installed: either the Babadeda crypter utilizing DLL sideloading, or a custom downloader that performs a User Account Control bypass and runs PowerShell scripts. The final payloads are various information stealers, typically Remcos RAT, and sometimes AsyncRAT, BitRAT, or Eternity.
Analyst Comment: Cryptocurrency and blockchain-related industries are heavily targeted likely due to ease of laundering the stolen cryptocurrency. Users should pay double attention to phishing and other social engineering attempts coming through email, forums, or other channels. Use network isolation and the “cold storage” technique to further safeguard your funds.
MITRE ATT&CK: [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] Input Capture – T1056
Tags: detection:NFT-001, detection:Remcos, detection:AsyncRAT, detection:BitRAT, detection:Eternity, detection:Babadeda, Powershell, target-industry:Cryptocurrency NAICS 523160, target-sector:Finance NAICS 52, malware-type:RAT

7 Years of Scarlet Mimic’s Mobile Surveillance Campaign Targeting Uyghurs

(published: September 22, 2022)

From 2015 to August 2022, Check Point researchers observed China-affiliated group Scarlet Mimic using more than 20 different variations of Android malware targeting the Uyghur community. This malware, dubbed MobileOrder, can steal data, record audio, track the victim’s location, and send messages on behalf of the infected user. MobileOrder is being spread outside of the official Google Store with Uyghur and Muslim-related baits masquerading as PDF, photo or audio files. This threat group often hides their real command-and-control (C2) infrastructure behind dead drop resolvers: MobileOrder starts by querying different posts on the Chinese Sina blog platform to find a matching pattern and an encoded second-level C2.
Analyst Comment: It is important to only use the Google Play Store to obtain your software (for Android users), and avoid installing software from unverified sources because it is easier for malicious applications to get into third-party stores. Applications that ask for additional permissions outside of their normal functionality should be treated with suspicion, and normal functionality for the applications should be reviewed carefully prior to installation. Antivirus applications, if available, should be deployed on devices, particularly those that could contain sensitive information.
Tags: mitre-group:Scarlet Mimic, ScarletMimic, Uyghurs, detection:MobileOrder, Dead drop resolver, China, source-country:CN

Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime

(published: September 21, 2022)

Domain shadowing is a special case of DNS hijacking, where actors stealthily create malicious subdomains under compromised domain names. These malicious subdomains resolve to an actor-controlled IP while the compromised domain still resolves to the original benign IP address. Between April 25 and June 27, 2022, Palo Alto Unit 42 researchers detected 12,197 shadowed domains, and only 200 of them had any antivirus detections. One specific campaign, operating in March-June 2022, abused 16 compromised domains hosted in Australia and the US. A total of 649 shadowed subdomains were created, pointing to IP addresses in the same Russian network range. Those malicious subdomains were typically short-lived and used in phishing links to steal Microsoft user credentials.
Analyst Comment: Domain owners should take steps to secure their credentials. Schedule regular audits for signs of unauthorized access, subdomain creation, or file creation.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566
Tags: Domain shadowing, DNS hijacking, Phishing, Australia, target-country:AU, USA, target-country:US, Microsoft

Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

(published: September 22, 2022)

Symantec researchers described the newest developments in the BlackCat (ALPHV, Noberus) ransomware operations. In August 2022, the Exmatter data exfiltration tool was heavily updated, adding FTP exfiltration capability to the existing SFTP and WebDAV capabilities. Additionally, Exmatter received file-erasing and self-destructing capabilities, and can build a report listing all processed files. The BlackCat group was also seen using tools previously observed in other ransomware operations, such as the GMER rootkit scanner and the Eamfo infostealer, which steals credentials from the SQL database of the Veeam backup software.
Analyst Comment: Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key, and implement a business continuity plan in the unfortunate case of ransomware infection. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Credentials from Password Stores – T1555
Tags: actor:BlackCat, detection:BlackCat, detection:ALPHV, detection:Noberus, malware-type:Ransomware, Darkside, BlackMatter, Ransomware-as-a-service, detection:Exmatter, malware-type:Data exfiltration tool, detection:Infostealer.Eamfo, malware-type:Infostealer, detection:GMER, malware-type:Rootkit scanner, Veeam, Rust, Windows, ESXi, Debian, Linux, ReadyNAS, Synology

Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine

(published: September 19, 2022)

Recorded Future analyzed the malicious infrastructure and operations of the Russia-sponsored threat group Sandworm Team, which has been masquerading as telecommunication providers to target Ukrainian state and private entities. The group has been using phishing maldocs that rely on the HTML smuggling technique to deliver malicious ISO files. For the final payload the group delivered commodity malware: DarkCrystal RAT in June 2022, then switching to Colibri Loader and Warzone RAT by August 2022.
Analyst Comment: All known Sandworm Team indicators from this story are available in the Anomali platform and customers are advised to block these on their infrastructure. Typosquatting and other forms of domain abuse could be mitigated by Anomali’s Premium Digital Risk Protection.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Dynamic Resolution – T1568 | [MITRE ATT&CK] Standard Non-Application Layer Protocol – T1095 | [MITRE ATT&CK] Web Service – T1102 | [MITRE ATT&CK] Hide Artifacts – T1564 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Command and Scripting Interpreter – T1059 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Data Staged – T1074 | [MITRE ATT&CK] Hijack Execution Flow – T1574 | [MITRE ATT&CK] Boot or Logon Autostart Execution – T1547 | [MITRE ATT&CK] Scheduled Task – T1053
Tags: mitre-group:Sandworm Team, Russia, source-country:RU, GRU, Foreign military intelligence service, APT, Cyberespionage, Ukraine, target-country:UA, HTML smuggling, file-type:ISO, detection:DarkCrystal RAT, detection:Colibri Loader, detection:Warzone RAT, malware-type:RAT, Windows, target-industry:Telecommunications NAICS 517