The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Backdoors, DLL sideloading, Infostealers, Phishing, Social engineering, and Tunneling. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
WinorDLL64: A Backdoor From The Vast Lazarus Arsenal?
(published: February 23, 2023)
When the Wslink downloader (WinorLoaderDLL64.dll) was first discovered in 2021, it had no known payload and no known attribution. Now ESET researchers have discovered a Wslink payload dubbed WinorDLL64. This backdoor uses some of Wslink functions and the Wslink-established TCP connection encrypted with 256-bit AES-CBC cipher. WinorDLL64 has some code similarities with the GhostSecret malware used by North Korea-sponsored Lazarus Group.
Analyst Comment: Wslink and WinorDLL64 use a well-developed cryptographic protocol to protect the exchanged data. Innovating advanced persistent groups like Lazarus often come out with new versions of their custom malware. It makes it important for network defenders to leverage the knowledge of a wider security community by adding relevant premium feeds and leveraging the controls automation via Anomali Platform integrations.
MITRE ATT&CK: [MITRE ATT&CK] T1587.001 – Develop Capabilities: Malware | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1134.002 – Access Token Manipulation: Create Process With Token | [MITRE ATT&CK] T1070.004 – Indicator Removal on Host: File Deletion | [MITRE ATT&CK] T1087.001 – Account Discovery: Local Account | [MITRE ATT&CK] T1087.002 – Account Discovery: Domain Account | [MITRE ATT&CK] T1083 – File And Directory Discovery | [MITRE ATT&CK] T1135 – Network Share Discovery | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1614 – System Location Discovery | [MITRE ATT&CK] T1614.001 – System Location Discovery: System Language Discovery | [MITRE ATT&CK] T1016 – System Network Configuration Discovery | [MITRE ATT&CK] T1049 – System Network Connections Discovery | [MITRE ATT&CK] T1033 – System Owner/User Discovery | [MITRE ATT&CK] T1560.002 – Archive Collected Data: Archive Via Library | [MITRE ATT&CK] T1005: Data from Local System | [MITRE ATT&CK] T1531 – Account Access Removal
Tags: malware:WinorDLL64, file-type:DLL, malware-type:Backdoor, filename:WinorDLL64.dll, detection:Wslink, actor:Lazarus, mitre-group:Lazarus Group, malware:Wslink, malware-type:Downloader, filename:WinorLoaderDLL64.dll, source-country:North Korea, source-country:KP, target-country:South Korea, target-country:KR, AES-CBC, Windows
Clasiopa: New Group Targets Materials Research
(published: February 23, 2023)
Symantec researchers discovered attempts to disable Symantec Endpoint Protection. The threat group behind this activity, dubbed Clasiopa, has no established motivation or origin. It used some India-related strings (the “SAPTARISHI-ATHARVAN-101” mutex and the “iloveindea1998^_^” password), but it could be a false-flag indication. It is possible (low confidence) that Clasiopa uses brute force attacks on public facing servers as an initial infection vector. Its custom Atharvan backdoor receives communication-schedule commands from its C2, which can set an interval between communication attempts and/or restrict communication to certain days of week or to certain days of month. Clasiopa also uses a custom proxy tool, the Thumbsender hacking tool, and modified versions of the publicly available Lilith RAT.
Analyst Comment: Clasiopa’s tendency for proxying and variable sleep intervals makes the detection harder. Defense-in-depth approach should be used to stop sophisticated threats that evolve and utilize various techniques of defense evasion. Host-based indicators for malware and tools used by Clasiopa are available in the Anomali Platform.
MITRE ATT&CK: [MITRE ATT&CK] T1078 – Valid Accounts | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1560 – Archive Collected Data | [MITRE ATT&CK] T1070 – Indicator Removal On Host | [MITRE ATT&CK] T1105 – Ingress Tool Transfer
Tags: actor:Clasiopa, target-region:Asia, malware:Atharvan, malware-type:Backdoor, malware-type:RAT, detection:Backdoor.Atharvan, malware:Lilith, malware:Thumbsender, malware-type:Hacking tool, malware-type:Proxy tool, file-type:EXE, file-type:DB, file-type:ZIP, Communication schedule, wsmprovhost, PowerShell, target-industry:Material research, Windows
PureCrypter Targets Government Entities through Discord
(published: February 23, 2023)
Multiple government organizations in the Asia-Pacific and North America regions have been targeted with phishing emails aiming to deliver PureCrypter, a commodity downloader. These emails contained a Discord app link pointing to a malicious, password-protected ZIP file. At the time of analysis, Menlo Labs researchers were not able to get the final payload from the compromised domain acting as a staging server. Analysis of similar PureCrypter samples showed that the likely payload was AgentTesla, or possibly some other remote access trojans/stealers (Redline Stealer), and ransomware (Eternity, Philadelphia, and others).
Analyst Comment: It is not clear why this seemingly unsophisticated actor using commodity malware decided to attack the government sector. Even if the motivation is purely financial, these unsophisticated attacks should be taken seriously. Theft of funds and ransomware attacks can be devastating, and the simple trick of delivering a cloud link to a password-protected archive seemingly provides for low antivirus detection.
MITRE ATT&CK: [MITRE ATT&CK] T1047 – Windows Management Instrumentation | [MITRE ATT&CK] T1055 – Process Injection | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] T1497 – Virtualization/Sandbox Evasion | [MITRE ATT&CK] T1055 – Process Injection | [MITRE ATT&CK] T1027 – Obfuscated Files Or Information | [MITRE ATT&CK] T1027.002 – Obfuscated Files or Information: Software Packing | [MITRE ATT&CK] T1036 – Masquerading | [MITRE ATT&CK] T1003 – Os Credential Dumping | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained – MITRE ATT&CK T1082 | [MITRE ATT&CK] T1518.001 – Software Discovery: Security Software Discovery | [MITRE ATT&CK] T1497 – Virtualization/Sandbox Evasion | [MITRE ATT&CK] T1010 – Application Window Discovery | [MITRE ATT&CK] T1057 – Process Discovery | [MITRE ATT&CK] T1005: Data from Local System | [MITRE ATT&CK] T1095 – Non-Application Layer Protocol | [MITRE ATT&CK] T1071 – Application Layer Protocol
Tags: malware:PureCrypter, malware-type:Downloader, malware:Redline Stealer, .NET, malware:AgentTesla, malware-type:RAT, malware-type:Infostealer, DES, malware:Eternity, malware:Blackmoon, malware:Philadelphia, malware-type:Ransomware, target-sector:Government, target-region:Asia-Pacific, target-region:North America, Discord, file-type:ZIP, file-type:GZ, FTP server, DES, Windows
S1deload Stealer – Exploring the Economics of Social Network
(published: February 22, 2023)
Bitdefender researchers analyzed a novel infostealer dubbed S1deload Stealer that became a significant threat in the second half of 2022. The infection typically starts with social engineering to prompt a user to download and open an archive file. The archive has one visible, legitimate, digitally-signed executable that is used for DLL sideloading by invisible malicious files in the same archive. Additional malware and modules are being delivered via two additional cycles of downloading, extracting, and triggering DLL sideloading. S1deload Stealer can obtain user credentials, as well as imitate human behavior to boost engagement on videos and other content and mine for BEAM cryptocurrency.
Analyst Comment: Users should be warned about the risk of clicking on executable files from suspicious downloads. An unusually high CPU usage and overheating can be a sign of the malicious resource hijacking for cryptocurrency mining and playing videos in a hidden browser.
MITRE ATT&CK: [MITRE ATT&CK] T1204.002 – User Execution: Malicious File | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1140 – Deobfuscate/Decode Files Or Information | [MITRE ATT&CK] T1555.003 – Credentials from Password Stores: Credentials From Web Browsers | [MITRE ATT&CK] T1071.001 – Application Layer Protocol: Web Protocols | [MITRE ATT&CK] T1041 – Exfiltration Over C2 Channel | [MITRE ATT&CK] T1496 – Resource Hijacking | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | [MITRE ATT&CK] T1564.001: Hidden Files and Directories | [MITRE ATT&CK] T1539 – Steal Web Session Cookie | [MITRE ATT&CK] T1564.003 – Hide Artifacts: Hidden Window | [MITRE ATT&CK] T1574.002 – Hijack Execution Flow: Dll Side-Loading | [MITRE ATT&CK] T1036.005 – Masquerading: Match Legitimate Name Or Location
Signatures: S1deloadStealer. YARA by Bitdefender | S1deloadStealer. ID Generation YARA by Bitdefender | S1deloadStealer. PDB Path YARA by Bitdefender
Tags: malware:S1deload, malware-type:Infostealer, .NET, file-type:DLL, file-type:ZIP, file-type:EXE, file-type:DAT, DLL sideloading, malware:miniZ, malware-type:Cryptominer, Cryptocurrency, BEAM cryptocurrency, Facebook, YouTube, Windows
Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia
(published: February 22, 2023)
A new threat actor dubbed Hydrochasma has been targeting shipping companies and medical laboratories in Asia since at least October 2022. This campaign is likely motivated by intelligence gathering with a possible interest in COVID-19-related treatments or vaccines. The attack likely starts with an email attachment: an executable mimicking a document file. Hydrochasma relies exclusively on publicly available and living-off-the-land tools. Fast Reverse Proxy and Meterpreter are being dropped for remote access, followed by the use of other tools for scanning (AlliN, Fscan, and Gogo), password dumping (BrowserGhost, Process Dumper), tunneling (Dogz, Gost, and SoftEtherVPN), remote control (Cobalt Strike), and other functions (HackBrowserData, Ntlmrelay).
Analyst Comment: All known Hydrochasma indicators are available in the Anomali platform and customers are advised to block these on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] T1566.002 – Phishing: Spearphishing Link | [MITRE ATT&CK] T1204 – User Execution | [MITRE ATT&CK] T1105 – Ingress Tool Transfer | [MITRE ATT&CK] T1090 – Proxy | [MITRE ATT&CK] T1003.001 – OS Credential Dumping: Lsass Memory | [MITRE ATT&CK] T1555 – Credentials From Password Stores | [MITRE ATT&CK] T1550.003 – Use Alternate Authentication Material: Pass The Ticket
Tags: actor:Hydrochasma, target-region:Asia, target-industry:Shipping, target-industry:Healthcare, malware:Cobalt Strike, malware:Fast Reverse Proxy, malware:GoGo, malware-type:Scanning tool, malware:Fscan, malware:AlliN, malware:Dogz, malware-type:Proxy tool, malware:Process Dumper, SoftEtherVPN, Procdump, malware:BrowserGhost, malware-type:Infostealer, malware:Gost proxy, malware-type:Tunneling tool, Ntlmrelay, Task Scheduler, Go-strip, HackBrowserData, malware:Meterpreter, Metasploit, file-type:EXE, file-type:PNG, COVID-19, COVID-19 vaccine, Windows