Anomali Cyber Watch: Active Probing Revealed ShadowPad C2s, Fodcha Hides Behind Obscure TLDs, Awaiting OpenSSL 3.0 Patch, and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, DDoS, OpenSSL, Ransomware, Russia, Spyware, and Ukraine. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Threat Analysis: Active C2 Discovery Using Protocol Emulation Part 3 (ShadowPad)

(published: October 27, 2022)

ShadowPad is a custom, modular malware in use by multiple China-sponsored groups since 2015. VMware researchers analyzed the command-and-control (C2) protocol in recent ShadowPad samples. They uncovered decoding routines and protocol/port combinations such as HTTP/80, HTTP/443, TCP/443, UDP/53, and UDP/443. Active probing revealed 83 likely ShadowPad C2 servers (between September 2021 and September 2022). Additional samples communicating with this infrastructure included Spyder (used by APT41) and ReverseWindow (used by the LuoYu group).
Analyst Comment: Researchers can use reverse engineering and active probing to map malicious C2 infrastructure. At the same time, the ShadowPad malware changes the immediate values used in the packet encoding per variant, so finding new samples is crucial for this monitoring.
MITRE ATT&CK: [MITRE ATT&CK] Application Layer Protocol – T1071 | [MITRE ATT&CK] Exfiltration Over Alternative Protocol – T1048 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: detection:ShadowPad, C2, APT, China, source-country:CN, actor:APT41, actor:LuoYu, detection:Spyder, detection:ReverseWindow, TCP, HTTP, HTTPS, UDP

Raspberry Robin Worm Part of Larger Ecosystem Facilitating Pre-Ransomware Activity

(published: October 27, 2022)

The Raspberry Robin USB-drive-targeting worm is an increasingly popular infection and delivery method. Raspberry Robin works as a three-file infection: the Raspberry Robin LNK file on a USB drive, the Raspberry Robin DLL (aka Roshtyak) backdoor, and a heavily obfuscated .NET DLL that writes LNKs to USB drives. Microsoft researchers analyzed several infection chains likely centered around the threat group EvilCorp (aka DEV-0206/DEV-0243). Besides serving as the initial infection vector itself, Raspberry Robin was also seen being delivered by the Fauppod malware, which shares certain code similarities both with Raspberry Robin and with EvilCorp’s Dridex malware. Fauppod/Raspberry Robin infections were followed by additional malware (Bumblebee, Cobalt Strike, IcedID, TrueBot) and eventually led to a ransomware infection (LockBit, Clop).
Analyst Comment: Organizations are advised not to enable Autorun for removable media on Windows, as it allows an inserted, Raspberry Robin-infected USB drive to activate automatically. Apply best practices related to credential hygiene, network segmentation, and attack surface reduction.
MITRE ATT&CK: [MITRE ATT&CK] Replication Through Removable Media – T1091 | [MITRE ATT&CK] Modify Registry – T1112 | [MITRE ATT&CK] Proxy – T1090 | [MITRE ATT&CK] Abuse Elevation Control Mechanism – T1548 | [MITRE ATT&CK] Data Encrypted for Impact – T1486 | [MITRE ATT&CK] Ingress Tool Transfer – T1105 | [MITRE ATT&CK] Obfuscated Files or Information – T1027
Tags: USB drive spread, detection:Raspberry Robin, malware-type:Worm, detection:Fauppod, detection:Roshtyak, file-type:DLL, file-type:LNK, file-type:CPL, detection:Bumblebee, detection:TrueBot, detection:SocGholish, detection:FakeUpdates, malware-type:Backdoor, malware-type:Loader, detection:LockBit, detection:Clop, malware-type:Ransomware, detection:Cobalt Strike, detection:IcedID, actor:DEV-0243, actor:EvilCorp, actor:DEV-0950, actor:FIN11, mitre-group:TA505, actor:DEV-0651, actor:DEV-0856, TOR, LOLBin, QNAP, NAS, Windows

Fodcha DDoS Botnet Reaches 1Tbps in Power, Injects Ransoms in Packets

(published: October 27, 2022)

The Fodcha DDoS botnet has grown in power and sophistication since it first appeared on January 12, 2022. After Fodcha was publicly described by 360Netlab researchers, the actors took a number of steps to enable sandbox evasion and stealthy C2 communication. Fodcha uses two sets of C2 domains; one set lives under rare OpenNIC top-level domains (TLDs) that cannot be resolved through common DNS, so the bot resolves them via specific DNS servers hard-coded in the ELF binary. Fodcha targets globally, with China the most targeted country, followed by the US. The botnet is estimated to have over 60,000 bots; it was seen hitting over 1,000 targets a day and generating up to 1Tbps of traffic.
Analyst Comment: Organizations and users should keep updating and/or isolating their vulnerable Linux-based devices to stop them from being conscripted into a DDoS botnet, or worse. Denial-of-service attacks can cost your company revenue, because severe attacks can shut down online services for extended periods of time. In addition, the ability of threat actors to compromise vulnerable devices and to purchase DDoS-for-hire services is a continually evolving threat. A business continuity plan should be in place in the unfortunate case that your company is the target of a significant DDoS attack.
MITRE ATT&CK: [MITRE ATT&CK] Network Denial of Service – T1498 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497
Tags: detection:Fodcha, malware-type:DDoS, malware-type:DDoSBotnet, Linux, ELF, OpenNIC TLD, China, target-country:CN, USA, target-country:US
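The two Fodcha traits above (hard-coded resolvers and OpenNIC-style TLDs) are both visible in DNS query logs. The following is an added detection example, not code from the article or from 360Netlab; the log format, the approved resolver list and the stand-in TLD list are assumptions, and the sample log is constructed.

```python
"""Triage DNS query logs for the two Fodcha traits described above:
queries sent to resolvers other than the site's own (the bot carries
hard-coded DNS servers) and queries for TLDs outside the IANA root zone
(OpenNIC-style C2 domains). All sample data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the site's sanctioned recursive resolvers.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Assumption: a small stand-in for the IANA root-zone TLD list; in
# production load the full list published by IANA.
IANA_TLDS = {"com", "net", "org", "io", "cn", "us", "info", "arpa"}

@dataclass(frozen=True)
class DnsEvent:
    src: str       # querying host
    resolver: str  # DNS server the query was sent to
    qname: str     # queried name, lower-cased, trailing dot removed

def parse_line(line: str) -> DnsEvent:
    """Parse a constructed 'src resolver qname' query-log line."""
    src, resolver, qname = line.split()
    return DnsEvent(src, resolver, qname.rstrip(".").lower())

def classify(ev: DnsEvent) -> set:
    """Reasons an event deserves attention; empty set when it looks normal."""
    reasons = set()
    if ev.resolver not in APPROVED_RESOLVERS:
        reasons.add("unsanctioned-resolver")
    if ev.qname.rsplit(".", 1)[-1] not in IANA_TLDS:
        reasons.add("non-iana-tld")
    return reasons

def triage(lines) -> dict:
    """Map each source host to the union of reasons across its queries;
    a host showing both traits matches the Fodcha pattern most closely."""
    by_host = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        by_host[ev.src] |= classify(ev)
    return {host: reasons for host, reasons in by_host.items() if reasons}

# Constructed sample: 10.0.5.9 queries an OpenNIC-style name through a
# resolver that is not one of ours, the combination Fodcha bots exhibit.
SAMPLE_LOG = [
    "10.0.5.7 10.0.0.53 www.example.com.",
    "10.0.5.9 198.51.100.7 cdn-sync.libre.",
    "10.0.5.9 10.0.0.53 mirror.example.com.",
    "10.0.5.12 10.0.1.53 files.example.pirate.",
]
```

Hosts that hit both rules are the ones to pull from the network first; a single non-IANA TLD query through the sanctioned resolver is often a typo and can be triaged later.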

OpenSSL Warns of Critical Security Vulnerability with Upcoming Patch

(published: October 26, 2022)

On October 25, 2022, the OpenSSL Project team pre-announced an upcoming patch for a vulnerability that they assessed as critical severity: it affects common configurations and is also likely exploitable. This vulnerability only affects OpenSSL versions 3.0.0 – 3.0.6, so some older operating systems and devices are not at risk. The OpenSSL 3.0.7 update is scheduled for November 1, 2022.
Analyst Comment: No technical details on the vulnerability were shared, and there are no signs of ongoing exploitation. The ubiquity of OpenSSL could make the potential impact similar to that of the 2014 Heartbleed OpenSSL vulnerability. Anomali will continue to monitor this issue and plans to create a dedicated dashboard if and when in-the-wild exploitation starts.
MITRE ATT&CK: [MITRE ATT&CK] Exploit Public-Facing Application – T1190
Tags: OpenSSL, Vulnerability, TLS, Critical severity, OpenSSL 3.0, Secure communication
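Because only the 3.0.0 – 3.0.6 range is affected, the first defensive step is an accurate inventory. This added example (not from the article or the OpenSSL Project) classifies `openssl version` output against that range; the version strings in the tests are constructed and `check_local()` assumes an `openssl` binary on PATH.

```python
"""Flag OpenSSL builds in the 3.0.0 - 3.0.6 range named in the
pre-announcement above, from 'openssl version' output. Sample strings
in the tests are constructed; real output is checked via check_local()."""
import re
import subprocess

AFFECTED_LOW = (3, 0, 0)
AFFECTED_HIGH = (3, 0, 6)  # inclusive; 3.0.7 is the scheduled fix

_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(text: str):
    """Return (major, minor, patch, letter) from an 'openssl version' line,
    or None when the line names no OpenSSL version (e.g. LibreSSL)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter

def is_affected(text: str) -> bool:
    """True only for OpenSSL 3.0.0 through 3.0.6. Letter suffixes (1.1.1q)
    belong to the 1.x line, which the advisory says is not affected."""
    parsed = parse_version(text)
    if parsed is None or parsed[3]:
        return False
    return AFFECTED_LOW <= parsed[:3] <= AFFECTED_HIGH

def check_local(binary: str = "openssl") -> str:
    """Run a local binary (assumed on PATH) and label its version."""
    try:
        out = subprocess.run([binary, "version"], capture_output=True,
                             text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError) as exc:
        return f"{binary}: could not run ({exc})"
    verdict = "AFFECTED, plan for 3.0.7" if is_affected(out) else "outside affected range"
    return f"{out}: {verdict}"

if __name__ == "__main__":
    print(check_local())
```

The CLI binary is only a partial inventory: applications can link their own copy of libssl or embed OpenSSL statically, so those builds need to be checked separately.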

Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries

(published: October 23, 2022)

BlackBerry researchers analyzed three campaigns by an unknown actor aimed at delivering the RomCom remote access trojan (RAT). The first two campaigns, in July and October 2022, used fake apps and impersonated the legitimate websites of Advanced IP Scanner and pdfFiller. The latest campaign, detected on October 21, 2022, targeted the Ukrainian military via phishing links, with the RomCom RAT as the final payload.
Analyst Comment: A separate report by Unit 42 in August 2022 connected RomCom to the Cuba ransomware, but these newly described campaigns were not associated with dropping ransomware. It is possible that RomCom is being used as a final payload in information-stealing campaigns. Network defenders are advised to block the known RomCom command-and-control infrastructure available in the Anomali Platform.
MITRE ATT&CK: [MITRE ATT&CK] Phishing – T1566 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Ingress Tool Transfer – T1105
Tags: detection:RomCom, malware-type:RAT, file-type:EXE, file-type:DLL, Russian, Ukraine, target-country:UA, USA, target-country:US, Philippines, target-country:PH, target-industry:Military, Windows, Typosquatting, Malicious app

When Cops Hack Back: Dutch Police Fleece DEADBOLT Criminals (Legally!)

(published: October 21, 2022)

The DeadBolt ransomware group has been active for almost two years. Their preferred targets are QNAP network-attached storage (NAS) devices. DeadBolt releases the ransomware decryption key in a Bitcoin transaction after receiving the Bitcoin payment from the target. The Dutch police and Responders.NU researchers were able to obtain the keys for 155 victims from 13 different countries without actually paying the threat group. DeadBolt's automation did not wait for the ransom transaction to be confirmed by Bitcoin miners, so the police used conflicting transactions (the double-spend method). The first transaction sent the required ransom to the attacker-controlled address, triggering the key release, but had a low chance of confirmation. The second transaction overrode the first by sending the same funds to a defender-controlled address and carried a priority-confirmation fee.
Analyst Comment: Victims of DeadBolt can use this assistance and the double-spend method to obtain the decryption key until the ransomware operators change their automation. To lessen the impact of a potential NAS device compromise, keep an offline copy of your important files.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: actor:DeadBolt, malware-type:Ransomware, Bitcoin, Cryptocurrency, Double-spend, Hack-back, Netherlands, QNAP, NAS
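The weakness the police exploited is a general one: any automation that acts on a zero-confirmation payment can be raced by a conflicting transaction. This added example (not code from the article, the Dutch police or Responders.NU) models that race with a simplified fee-based mempool; it is not a Bitcoin implementation, and the txids, addresses and fees are constructed.

```python
"""Model of the race described above: automation that acts on a
zero-confirmation payment can be overtaken by a conflicting transaction
miners prefer for its higher fee. Simplified model, values constructed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: frozenset  # outpoints this transaction spends
    payee: str
    amount: int        # satoshis paid to payee
    fee: int           # satoshis left to the miner

@dataclass
class Node:
    """A node's view of the network: unconfirmed mempool plus mined chain."""
    mempool: dict = field(default_factory=dict)
    confirmed: list = field(default_factory=list)

    def broadcast(self, tx: Tx) -> bool:
        """Simplification of fee-based replacement: a conflicting tx that pays
        a higher fee evicts the one already queued; a lower fee is rejected."""
        for old in list(self.mempool.values()):
            if not old.inputs.isdisjoint(tx.inputs):
                if tx.fee <= old.fee:
                    return False
                del self.mempool[old.txid]
        self.mempool[tx.txid] = tx
        return True

    def mine_block(self) -> list:
        block = list(self.mempool.values())
        self.confirmed.extend(block)
        self.mempool.clear()
        return block

def paid(txs, address: str, price: int) -> bool:
    """Has some transaction in txs paid at least price to address?"""
    return any(t.payee == address and t.amount >= price for t in txs)

def run_scenario():
    """Returns (zero-conf handler released?, confirmed handler released?, mined txids)."""
    utxo = frozenset({"outpoint:constructed:0"})
    pay = Tx("tx-pay", utxo, "payee-addr", 50_000, fee=100)                # low fee
    override = Tx("tx-override", utxo, "sender-addr", 50_000, fee=20_000)  # priority fee
    node = Node()
    node.broadcast(pay)
    early = paid(node.mempool.values(), "payee-addr", 50_000)   # unsafe: acts now
    node.broadcast(override)                                     # replaces tx-pay
    block = node.mine_block()
    settled = paid(node.confirmed, "payee-addr", 50_000)         # safe: waits
    return early, settled, [t.txid for t in block]
```

The point for anyone building payment-triggered automation is the last two values: the handler that waits for the transaction to appear in a mined block never sees the payment that the zero-confirmation handler already acted on.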