The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, DDoS, Infostealers, Iran, Ransomware, and Russia. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
(published: October 21, 2022)
Daixin Team is a double-extortion ransomware group that has been targeting US businesses, predominantly in the healthcare sector. Since June 2022, Daixin Team has been encrypting electronic health record services, diagnostics services, imaging services, and intranet services. The group has exfiltrated personally identifiable information and patient health information. A typical intrusion starts with initial access through virtual private network (VPN) servers, gained either by exploitation or with valid credentials obtained through prior phishing. The group uses SSH and RDP for lateral movement and targets VMware ESXi systems with ransomware based on leaked Babuk Locker source code.
Analyst Comment: Network defenders should keep the organization’s VPN servers current with security updates. Enable multifactor authentication (MFA) on your VPN server and other critical accounts (administrative, backup-related, and webmail). Restrict the use of RDP, SSH, Telnet, virtual desktop and similar services in your environment.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Account Manipulation – T1098 | [MITRE ATT&CK] OS Credential Dumping – T1003 | [MITRE ATT&CK] Remote Service Session Hijacking – T1563 | [MITRE ATT&CK] Use Alternate Authentication Material – T1550 | [MITRE ATT&CK] Exfiltration Over Web Service – T1567 | [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: actor:Daixin Team, malware-type:Ransomware, PHI, SSH, RDP, Rclone, Ngrok, target-sector:Health Care NAICS 62, ESXi, VMware, Windows
(published: October 21, 2022)
Symantec detected a new custom data exfiltration tool used in a number of BlackByte ransomware attacks. This infostealer, dubbed Exbyte, performs anti-sandbox checks and then exfiltrates selected file types to a hardcoded Mega account. BlackByte ransomware-as-a-service operations were first uncovered in February 2022. The group’s recent attacks start with exploiting public-facing vulnerabilities of the ProxyShell and ProxyLogon families. BlackByte removes kernel notify routines to bypass Endpoint Detection and Response (EDR) products. The group uses the AdFind, AnyDesk, Exbyte, NetScan, and PowerView tools and deploys the BlackByte 2.0 ransomware payload.
Analyst Comment: It is crucial that your company ensures that servers are always running the most current software version. Your company should have policies in place regarding the configurations your servers need in order to conduct business safely. Additionally, always practice defense-in-depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497
Tags: actor:BlackByte, malware-type:Data exfiltration tool, detection:blackbyte_exfil, actor:Hecamede, detection:Ransom.Blackbyte, malware-type:Ransomware, detection:Infostealer.Exbyte, malware-type:Infostealer, Go, ProxyShell, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, ProxyLogon, CVE-2021-26855, CVE-2021-27065
(published: October 20, 2022)
ESET researchers identified a new version of the FurBall malware used by the Iran-sponsored Domestic Kitten (aka APT-C-50) group. Since June 2021, this Android malware has been distributed masquerading as a translation app. It is part of mobile surveillance operations against Iranian citizens that date back to 2016. The new FurBall version added obfuscation of class names, method names, some strings, logs, and server URI paths. The app requests only access to contacts, since the malware’s functionality was reduced to a bare minimum: exfiltrating the contact list, collecting accessible files from external storage, listing user accounts synced with the device, listing installed apps, and obtaining basic information about the device.
Analyst Comment: Install Android applications only from the official Google Play Store. Domestic Kitten displays the Play Store logo on its fake website, but the malicious app is not present in the Play Store. Organizations that publish applications for their customers are invited to use Anomali Premium Digital Risk Protection to discover rogue, malicious apps impersonating their brand that security teams typically do not search for or monitor.
Tags: actor:Domestic Kitten, actor:APT-C-50, detection:FurBall, detection:Android/Spy.Agent, KidLogger, Android, APT, Iran, target-country:IR, source-country:IR, Surveillance
(published: October 17, 2022)
The China-sponsored cyberespionage group dubbed Earth Berberoka (aka DiceyF, Operation DRBControl) is targeting online casino development and operations environments in Hong Kong and Southeast Asia, according to Kaspersky researchers. Earth Berberoka used a framework called GamePlayerFramework. The attackers were able to sign their malware with a potentially stolen certificate belonging to the development studio of the Mango messenger. GamePlayerFramework avoids hooks by duplicating legitimate DLLs and then resolving functions from the copies. The group’s persistence techniques changed over time: creating a new service, then scheduled tasks, and finally the RasMan service. The Tifa branch of the framework, first deployed in November 2021, included only a downloader and a core module. In 2022, the group moved to the Yuna branch, which includes a downloader, plugins, and various PuppetLoader components.
Analyst Comment: Earth Berberoka is a sophisticated group with evolving techniques, but it seems not to care much about attribution. The lack of obfuscation in GamePlayerFramework makes it easier to apply detection methods such as YARA rules.
MITRE ATT&CK: [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Credentials from Password Stores – T1555 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Clipboard Data – T1115
Tags: actor:DiceyF, mitre-software:PlugX, detection:GamePlayerFramework, detection:PuppetLoader, Mango messenger, RasMan, Operation Earth Berberoka, Operation DRBControl, APT, Cyberespionage, China, source-country:CN, target-region:Southeast Asia, target-region:Hong Kong, target-industry:Gambling NAICS 713
(published: October 15, 2022)
On October 15, 2022, the Russia-based hacktivist group KillNet performed a distributed denial of service (DDoS) attack disabling Bulgarian government websites belonging to the Constitutional Court, the Defense Ministry, the Interior Ministry, the Justice Ministry, and the President’s Office. KillNet is known for its low-sophistication DDoS attacks that are still able to cause some temporary interruptions for targeted web resources.
Analyst Comment: KillNet’s Telegram channel announced that their founder (known as KillMilk) is responsible for the attack on the Bulgarian government. Bulgaria attributed this attack specifically to the Russian city of Magnitogorsk. Organizations should implement DDoS protection measures and put in place a business continuity plan for the unfortunate case that your company is the target of a significant DDoS attack. The Anomali platform provides access to updated actor profiles, including the KillNet profile listed below.
MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service – T1498
Tags: actor:KillNet, target-sector:Government NAICS 92, Bulgaria, target-country:BG, Russia, source-country:RU, DDoS, Hacktivism
(published: October 14, 2022)
An error in a Windows security mechanism enabled in-the-wild exploitation through bring-your-own-vulnerable-driver (BYOVD) attacks. Microsoft acknowledged a synchronization problem that left the driver blocklist without updates since 2019. In 2021-22 several threat groups abused this issue. The North Korea-sponsored Lazarus group used a decommissioned Dell driver with a high-severity vulnerability to target the aerospace and media sectors. In March-June 2022, the AvosLocker ransomware abused the vulnerable Avast anti-rootkit driver, BlackByte ransomware exploited a vulnerable driver from Micro-Star’s MSI AfterBurner 188.8.131.5258, and yet another ransomware group used a deprecated anti-cheat driver from the Genshin Impact game.
Analyst Comment: Consider monitoring for the presence or loading (for example, Sysmon Event ID 6) of known vulnerable drivers that actors may drop and exploit to execute code in kernel mode. Apply the latest Windows updates, which perform a one-time synchronization of the driver blocklist, and future fixes for this issue.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068
Tags: BYOVD, Vulnerable driver, mitre-group:Lazarus Group, detection:AvosLocker, detection:BlackByte, malware-type:Ransomware, Blocklist, Microsoft, Windows
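The monitoring recommended in the analyst comment above can be scripted against Sysmon Event ID 6 ("Driver loaded") records. The following is an added example, not code from Anomali or Microsoft: it parses the "Key: value" body of a Sysmon driver-load event and flags a load when its SHA256 or file name is on a vulnerable-driver blocklist, when the signature is missing or invalid, or when the driver was loaded from outside the standard driver directories. The blocklist entries, the vendor name, and the sample events are constructed placeholders; in production the hash list would come from Microsoft's vulnerable driver blocklist or a similar curated feed.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 ("Driver loaded") messages.

Added example (not Anomali's or Microsoft's code). Blocklist entries, vendor
names and sample events below are constructed placeholders, not real indicators.
"""
from dataclasses import dataclass, field

# Constructed blocklist: a placeholder SHA256 and placeholder file names stand in
# for a curated vulnerable-driver feed.
BLOCKED_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}
BLOCKED_NAMES = {"vendor_util_old.sys", "anticheat_legacy.sys"}

# Directories where legitimately installed drivers normally live.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    hashes: dict
    signed: bool
    signature: str
    signature_status: str
    reasons: list = field(default_factory=list)


def parse_event(text: str) -> DriverLoad:
    """Parse the 'Key: value' body of a Sysmon Event ID 6 message."""
    fields = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")  # first colon only; timestamps keep theirs
        if sep:
            fields[key.strip()] = value.strip()
    hashes = {}
    for item in fields.get("Hashes", "").split(","):  # e.g. "SHA256=abc,MD5=def"
        algo, sep, digest = item.partition("=")
        if sep:
            hashes[algo.strip().upper()] = digest.strip().lower()
    return DriverLoad(
        utc_time=fields.get("UtcTime", ""),
        image=fields.get("ImageLoaded", ""),
        hashes=hashes,
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(event: DriverLoad) -> DriverLoad:
    """Attach a reason for every suspicious property; an empty list means benign."""
    path = event.image.lower()
    name = path.rsplit("\\", 1)[-1]
    if event.hashes.get("SHA256") in BLOCKED_SHA256:
        event.reasons.append("hash on vulnerable-driver blocklist")
    if name in BLOCKED_NAMES:
        event.reasons.append("file name on vulnerable-driver blocklist")
    # A BYOVD driver is usually validly signed; this check catches the other case.
    if not event.signed or event.signature_status.lower() != "valid":
        event.reasons.append("unsigned or invalid signature")
    if not path.startswith(TRUSTED_DIRS):
        event.reasons.append("loaded from outside standard driver directories")
    return event


def scan(events: list) -> list:
    """Return only the driver loads that need analyst attention."""
    return [e for e in (assess(parse_event(t)) for t in events) if e.reasons]


# Constructed sample events in Sysmon's message layout.
SAMPLE_EVENTS = [
    # Benign: signed Microsoft driver loaded from the standard directory.
    """Driver loaded:
RuleName: -
UtcTime: 2022-10-14 09:00:00.000
ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys
Hashes: SHA256=2222222222222222222222222222222222222222222222222222222222222222
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid""",
    # Suspicious: validly signed (typical of BYOVD) but blocklisted and dropped
    # into a user-writable directory.
    """Driver loaded:
RuleName: -
UtcTime: 2022-10-14 09:05:00.000
ImageLoaded: C:\\Users\\Public\\vendor_util_old.sys
Hashes: SHA256=1111111111111111111111111111111111111111111111111111111111111111
Signed: true
Signature: Example Vendor Ltd
SignatureStatus: Valid""",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.utc_time} {hit.image}: {'; '.join(hit.reasons)}")
```

Each reason is kept separately so a SIEM rule can weight them: a blocklist match alone is enough to alert, while an unusual load path on a signed driver is a lower-confidence signal worth correlating with the process that created the file.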
Additional information regarding the threats discussed in this week’s Anomali Cyber Watch can be found below:
KillNet is a Russia-affiliated hacktivist group specializing in distributed denial of service (DDoS) attacks, originally formed from a Russian-speaking DDoS-for-hire group of the same name. Since February 2022, KillNet has assembled a loosely affiliated group of volunteer hacktivists to conduct DDoS attacks against organizations in Ukraine and in countries that support Ukraine in ways hostile to Russia. KillNet relies on a large following on the Telegram messenger (over 90,000 subscribers) for coordination, building support, and fundraising. The group aspires to grow beyond DDoS attacks to include data leaks, credit card fraud monetization services, and substantial support to Russian active-duty military personnel.