MuddyWater APT Uses GitHub and Imgur to Deploy Cobalt Strike Beacon

Just after Christmas (December 25), a security researcher using the Twitter handle @Arkbird_SOLG posted details of what appears to be an attack chain that began with a malicious Word document. Since then, Arkbird and multiple other researchers have attributed this attack to the MuddyWater APT (Advanced Persistent Threat) group.

MuddyWater activity was first discovered in 2017, primarily targeting entities involved in oil, telecommunications and government in Middle Eastern nations, as well as in some European and North American countries. MuddyWater is believed to be an Iran-based, state-sponsored group and is also known as SeedWorm and TEMP.Zagros.

What Is It?

The attack chain begins with a Microsoft Word document containing a malicious macro. The document uses the oft-used social engineering lure of claiming that it was “edited in a different version of Microsoft Word” and that “To load the document, please Enable Content.” If a recipient is convinced to “Enable Content,” the embedded macro executes a PowerShell script in a hidden window. This script then downloads and executes a second PowerShell script hosted on a GitHub account. At the time of writing, this hosted PowerShell script was detected by only one of the sixty products on VirusTotal.

Once executed, the second PowerShell script downloads what appears to be a harmless Portable Network Graphics (PNG) image file containing four icons. The image is a steganographic carrier: the script performs calculations on the pixel values to extract the code for the final payload, a Cobalt Strike Beacon. Cobalt Strike is a legitimate, commercial penetration testing tool, but it is frequently abused by attackers, and a Beacon running on a system is a backdoor under the operator’s control.

There is one more trick in this attack chain. Once decoded, the shellcode contained in the Cobalt Strike payload contains a European Institute for Computer Antivirus Research (EICAR) test string. This string is used to test whether signature-based malware detection tools are functioning correctly. In this attack the intent is to have signature-based tools, and the SOC analysts reviewing the alerts they generate, mistake the payload for a harmless test. Note that the EICAR standard only recognises a file consisting of the 68-byte string (optionally followed by whitespace, up to 128 bytes in total) as the test file; a larger payload that merely contains the string is not one. This technique is not unique, but it is not frequently used. The timing of this attack during a holiday and vacation season suggests the attackers are attempting to capitalize on reduced SOC and senior security team capacity so that their payload might be dismissed as an EICAR test.
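As an added illustration of the two tricks described above (this is not code from the researchers or from the samples, and MuddyWater’s actual pixel encoding is not documented on this page), the following Python hides a payload in the low four bits of each colour channel of a synthetic image, recovers it by arithmetic on the pixel values, and then makes the triage decision a SOC analyst faces when the decoded bytes contain the EICAR string. The cover image, the 4-bit least-significant-bit scheme and the payload (filler bytes around the EICAR string) are constructed stand-ins.

```python
"""Stego extraction plus EICAR triage (constructed illustration, not sample code)."""

# The EICAR string is assembled from fragments so that this source file
# itself is not mistaken for the test file by an on-access scanner.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE" + "!$H+H*").encode("ascii")

# Constructed stand-in for a decoded stage: filler bytes around the EICAR
# string, mimicking a payload that embeds the string to look like a test.
SAMPLE_PAYLOAD = b"\x90" * 8 + EICAR + b"\x90" * 8


def cover_image(width=40, height=40):
    """Deterministic synthetic RGB cover image as a list of (r, g, b) tuples."""
    n = width * height
    return [((i * 7) & 0xFF, (i * 13) & 0xFF, (i * 29) & 0xFF) for i in range(n)]


def _symbols(payload, bits):
    """Split payload into `bits`-wide values, most significant bits first."""
    acc, nacc = 0, 0
    for byte in payload:
        acc, nacc = (acc << 8) | byte, nacc + 8
        while nacc >= bits:
            nacc -= bits
            yield (acc >> nacc) & ((1 << bits) - 1)
    if nacc:  # pad the final partial symbol with zero bits
        yield (acc << (bits - nacc)) & ((1 << bits) - 1)


def embed(pixels, payload, bits=4):
    """Hide payload in the low `bits` of each colour channel, in scan order.

    Assumed scheme: the image looks unchanged because only the low nibble of
    each channel is rewritten (a colour change of at most 15 per channel).
    """
    mask = (1 << bits) - 1
    chans = [c for px in pixels for c in px]
    syms = list(_symbols(payload, bits))
    if len(syms) > len(chans):
        raise ValueError("cover image too small for payload")
    for i, s in enumerate(syms):
        chans[i] = (chans[i] & ~mask) | s
    return [tuple(chans[j:j + 3]) for j in range(0, len(chans), 3)]


def extract(pixels, nbytes, bits=4):
    """Recover nbytes by reading the low `bits` of each channel in scan order."""
    mask = (1 << bits) - 1
    out, acc, nacc = bytearray(), 0, 0
    for c in (c for px in pixels for c in px):
        acc, nacc = (acc << bits) | (c & mask), nacc + bits
        if nacc >= 8:
            nacc -= 8
            out.append((acc >> nacc) & 0xFF)
            acc &= (1 << nacc) - 1
            if len(out) == nbytes:
                break
    return bytes(out)


def classify(blob):
    """Triage a decoded blob with respect to the EICAR string.

    Per EICAR's specification only a file that starts with the 68-byte
    string, is at most 128 bytes long and carries nothing but whitespace
    after it is the test file. Anything else that contains the string is
    real content wearing an EICAR disguise and deserves a closer look.
    """
    if (blob.startswith(EICAR) and len(blob) <= 128
            and blob[len(EICAR):].strip() == b""):
        return "eicar-test-file"
    if EICAR in blob:
        return "payload-with-embedded-eicar"
    return "no-eicar"


def triage_image(pixels, nbytes, bits=4):
    """Full chain: pull the hidden stage out of the image and classify it."""
    return classify(extract(pixels, nbytes, bits))


if __name__ == "__main__":
    stego = embed(cover_image(), SAMPLE_PAYLOAD)
    print(triage_image(stego, len(SAMPLE_PAYLOAD)))
```

The point for a SOC analyst is in classify(): a verdict of "payload-with-embedded-eicar" should raise, not lower, the priority of the alert, because a genuine test file has nothing around the string.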

The combined use of the techniques described above is consistent with the assessment that an APT group is behind this attack.

How Does It Propagate?

This malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is malicious Word document attachments containing macros.

When/How Did BluVector Detect It?

Two malicious Word document samples and the PowerShell script downloaded from GitHub are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the Word document samples would have both been detected 82 months prior to their release. The PowerShell script downloaded from GitHub, which at the time of writing is only detected by one of the sixty products on VirusTotal, would have been detected by BluVector 15 months prior to its release.

SystemBC RAT Used as Ransomware Backdoor

In recent months, Sophos’ incident response team has observed the use of the commoditized SystemBC RAT (Remote Access Tool) in Ryuk and Egregor ransomware attacks. In these attacks, SystemBC is used as a backdoor on compromised systems to move laterally through a victim’s network, to exfiltrate data and to deploy malicious payloads (including ransomware).

What Is It?

The Ryuk and Egregor attacks described by Sophos begin with one of several malicious droppers, delivered by spam emails. These are then used to deliver Cobalt Strike and SystemBC for lateral movement through the victim network. SystemBC is then used to exfiltrate data and as a delivery mechanism for the ransomware payload. By this point, the attackers may have been inside the victim’s network for weeks. When they are satisfied that they have exfiltrated enough data and compromised enough systems, the previously deployed ransomware is activated to encrypt systems and file servers.

As a RAT, SystemBC comes with all the normally expected functionality. When executed, it reports back to the attacker via the C2 channel: the active Windows username, Windows build number, volume serial number and whether the system is 32-bit or 64-bit. It can execute a variety of different file types sent to it via C2, including executables, DLLs, shellcode, Visual Basic scripts, Windows commands, Windows batch files and PowerShell scripts. Executed malicious code can then use the Tor proxy to communicate with attackers and exfiltrate data.

The use of SystemBC is another example of threat actors choosing the efficiency of existing malicious tools as components of their attack chain: why reinvent the wheel when a suitable tool already exists? This allows them to focus time and effort on their own malware and, in the incidents described here, their ransomware.

The SystemBC RAT was first detailed by researchers from Proofpoint in August 2019, when they saw it being used in conjunction with the Fallout and RIG exploit kits. Initial versions are believed to have been sold on Russian dark web marketplaces and created SOCKS5 proxies on infected systems. These proxies were used to hide C2 traffic from firewalls and other detection mechanisms and to obscure the addresses of the C2 sites. Subsequent versions of SystemBC have replaced the SOCKS5 proxies with Tor.
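A SOCKS5 proxy on an internal host is easy to spot once you parse the handshake rather than trusting port numbers. The Python below is an added example (not SystemBC code and not from Proofpoint’s or Sophos’ analysis): a minimal parser for the two client messages that open a SOCKS5 session under RFC 1928, the method-selection greeting and the CONNECT/BIND/UDP request with an IPv4, domain-name or IPv6 destination, plus a wrapper that flags any SOCKS5 handshake whose server is not a sanctioned proxy. The sample messages and the proxy allow-list are constructed.

```python
"""Minimal SOCKS5 (RFC 1928) client-message parser for flagging proxy use."""
import ipaddress
import struct

SOCKS_VERSION = 5
COMMANDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
METHODS = {0: "NO_AUTH", 1: "GSSAPI", 2: "USERNAME_PASSWORD", 0xFF: "NO_ACCEPTABLE"}

# Constructed client messages: greeting offering two auth methods, then
# CONNECT to 192.168.1.10:8080 (IPv4) or to example.com:443 (domain name).
SAMPLE_GREETING = bytes([5, 2, 0, 2])
SAMPLE_CONNECT_IPV4 = b"\x05\x01\x00\x01" + bytes([192, 168, 1, 10]) + b"\x1f\x90"
SAMPLE_CONNECT_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb"


class NotSocks5(ValueError):
    """Raised when the bytes do not form a well-formed SOCKS5 message."""


def parse_greeting(data):
    """Client greeting: VER=5 | NMETHODS | METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise NotSocks5("bad version byte")
    nmethods = data[1]
    if nmethods == 0 or len(data) < 2 + nmethods:
        raise NotSocks5("method list truncated")
    methods = data[2:2 + nmethods]
    return {"methods": [METHODS.get(m, f"0x{m:02x}") for m in methods],
            "consumed": 2 + nmethods}


def parse_request(data):
    """Client request: VER=5 | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (big-endian)."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[2] != 0:
        raise NotSocks5("bad request header")
    cmd, atyp = data[1], data[3]
    if cmd not in COMMANDS:
        raise NotSocks5(f"unknown command {cmd}")
    if atyp == 1:            # IPv4: 4 octets
        alen = 4
    elif atyp == 3:          # domain name: 1-byte length then the name
        alen = 1 + data[4]
    elif atyp == 4:          # IPv6: 16 octets
        alen = 16
    else:
        raise NotSocks5(f"unknown address type {atyp}")
    end = 4 + alen
    if len(data) < end + 2:
        raise NotSocks5("address or port truncated")
    raw = data[4:end]
    if atyp == 1:
        host = str(ipaddress.IPv4Address(raw))
    elif atyp == 3:
        host = raw[1:].decode("ascii", "replace")
    else:
        host = str(ipaddress.IPv6Address(raw))
    (port,) = struct.unpack("!H", data[end:end + 2])
    return {"command": COMMANDS[cmd], "host": host, "port": port, "consumed": end + 2}


def inspect_client_stream(client_bytes, server_ip, sanctioned_proxies=frozenset()):
    """Classify the client side of a TCP stream from its opening bytes.

    Assumes the sensor has reassembled the client's payload bytes in order
    (greeting immediately followed by the request; the server's two-byte
    method-selection reply travels the other way). Returns None when the
    stream is not SOCKS5; otherwise the parsed request plus a 'suspicious'
    flag set when the SOCKS5 server is not a sanctioned proxy.
    """
    try:
        greet = parse_greeting(client_bytes)
        req = parse_request(client_bytes[greet["consumed"]:])
    except NotSocks5:
        return None
    return {**req, "methods": greet["methods"], "server": server_ip,
            "suspicious": server_ip not in sanctioned_proxies}


if __name__ == "__main__":
    print(inspect_client_stream(SAMPLE_GREETING + SAMPLE_CONNECT_DOMAIN,
                                "10.0.0.5", {"10.0.0.1"}))
```

Because the check keys on the protocol bytes and not on the port, a SystemBC-style proxy listening on an arbitrary high port on a workstation is caught the same way as one on 1080.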

How Does It Propagate?

The SystemBC RAT malware does not contain the necessary code to self-propagate. The initial attack vector observed in these attacks is spam with malicious Buer Loader, QBot, Bazar Loader or ZLoader attachments/links.

When/How Did BluVector Detect It?

Four SystemBC samples related to these attacks are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 81 months prior to their release.

CostaRicto APT for Hire

A new Advanced Persistent Threat (APT) for-hire group named CostaRicto was recently identified by the BlackBerry Research and Intelligence Team. The group has not, so far, focused on any specific vertical, and its target countries are widespread: the United States, Australia, the Bahamas, France, India, Singapore and several European countries. Mercenary APT groups are by no means new; two similar groups, DeathStalker and Bahamut, were discovered by cybersecurity researchers earlier this year.

What Is It?

CostaRicto uses social engineering (phishing) to gain access to a target network and then deploys a rarely seen piece of custom malware called Sombra or SombRAT as the backdoor component. The 64-bit version of SombRAT is deployed by a PowerShell loader, a common and straightforward method. A 32-bit version is then deployed by a more sophisticated loader that hides the payload’s true nature behind a custom virtual machine, a protection technique more often seen in commercial executable protectors than in malware.

The SombRAT backdoor, like most remote access trojans (RATs), supports plugin modules and contains 50 backdoor commands that include functionality to download and execute other malware, manipulate files and processes, extract system information and exfiltrate data to the C2 (command and control) site. The C2 site’s base domain name is hardcoded and lightly obfuscated with a single-byte XOR; it is in turn used to calculate the subdomain that the malware connects to over Tor. Researchers note that the code is well structured, appears to be under constant development and uses a detailed versioning system, indicating that it is part of CostaRicto’s base toolset rather than a one-off campaign tool.
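Single-byte XOR keeps a string out of a plain strings dump but not out of reach: with only 256 possible keys, an analyst can try them all and keep whichever yields something domain-shaped. The Python below does that, first for a string known to hold a domain and then as a scan across a whole blob. It is an added example, not BlackBerry’s or the malware’s code; the key (0x5A), the domain and the filler bytes are constructed, and SombRAT’s real key, domain and subdomain derivation are not on this page and are not reproduced here.

```python
"""Recover single-byte-XOR-obfuscated domain strings from a binary blob."""
import re

# Lowercase labels, dot and hyphen: what a hard-coded base domain should decode to.
DOMAIN_BYTES = frozenset(b"abcdefghijklmnopqrstuvwxyz0123456789.-")
DOMAIN_RE = re.compile(rb"(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}")

CONSTRUCTED_KEY = 0x5A              # assumption for the demo, not SombRAT's key
CONSTRUCTED_DOMAIN = b"example.net"  # constructed stand-in for the C2 base domain


def xor1(data, key):
    """XOR every byte with a single key byte (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def domain_score(candidate):
    """How many bytes look like part of a lowercase domain name."""
    return sum(1 for b in candidate if b in DOMAIN_BYTES)


def recover_key(cipher):
    """Brute-force the key for a string known to hold a domain; returns (key, plain)."""
    best = max(range(256), key=lambda k: domain_score(xor1(cipher, k)))
    return best, xor1(cipher, best)


def find_xor_domains(blob, min_len=8):
    """Scan a whole blob under every key and report domain-shaped strings.

    Returns a sorted list of (key, domain) pairs. Key 0 covers plaintext, so
    the same call also reports un-obfuscated domains. min_len drops the short
    accidental matches that 256 decodings of real binary data produce.
    """
    hits = set()
    for key in range(256):
        for m in DOMAIN_RE.finditer(xor1(blob, key)):
            if len(m.group()) >= min_len:
                hits.add((key, m.group().decode("ascii")))
    return sorted(hits)


def constructed_blob():
    """Filler bytes around the XORed domain, standing in for a config section."""
    filler = b"\xff\x00\xaa\x55" * 2
    return filler + xor1(CONSTRUCTED_DOMAIN, CONSTRUCTED_KEY) + filler


if __name__ == "__main__":
    print(recover_key(xor1(CONSTRUCTED_DOMAIN, CONSTRUCTED_KEY)))
    print(find_xor_domains(constructed_blob()))
```

On a real sample the scan will also surface plaintext strings and a few false positives from junk that happens to decode to letters; filtering on a list of expected top-level domains or a minimum length, as min_len does here, keeps the output manageable.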

More mercenary APT groups will likely appear over time, as “as-a-service” offerings gain in popularity and offer advantages to attackers, even when used for only a small part of an overall campaign. Those advantages include complicating attribution, obscuring the true source of the attack and removing the need for an attacker to develop new tools of their own.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. It is believed CostaRicto gains access to a target’s networks via credentials obtained as a result of social engineering attacks.

When/How Did BluVector Detect It?

Eleven samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown samples would have been detected an average of 31 months prior to their release.

ModPipe Point-of-Sale Malware Targets Oracle’s MICROS RES Systems

A new, modular point-of-sale (POS) malware named ModPipe specifically targets Oracle’s MICROS RES (Restaurant Enterprise Series) 3700 POS, which Oracle describes as “the most widely installed restaurant management software in the industry today.” The malware could target hundreds of thousands of hotels, restaurants and bars worldwide.

What Is It?

Discovered by ESET researchers, the malware shows evidence that the attackers have in-depth knowledge of the POS software they are targeting. The attack vector used to compromise the POS systems is currently unknown.

According to the researchers, ModPipe uses modules to steal the passwords for the POS system’s databases, which could lead to the extraction of sensitive data. The first module, an initial dropper, contains both 32-bit and 64-bit versions of the next module, the loader. The loader is persistent, meaning it survives reboots of the infected system, and it unpacks and loads the main ModPipe module.

An additional standalone module handles network communication with ModPipe’s C2 (command and control) server and passes commands to the main module. Data is passed between the modules using named pipes, a Windows inter-process communication mechanism. The combination of modules and pipes gives ModPipe its name. ModPipe is also extensible via downloadable modules, a technique used by various malware families, particularly remote access trojans (RATs).

ESET researchers first discovered the downloadable modules in late 2019 and had identified three of them by April 2020: ProcList, ModScan and GetMicInfo. ProcList extracts information about currently executing processes on the infected system. ModScan 2.20 scans specified IP addresses and extracts information about the MICROS RES 3700 POS installation. GetMicInfo gathers and decrypts the POS software’s database passwords. Rather than keylogging to obtain passwords, ModPipe’s authors wrote custom code, which may have required them to reverse engineer the POS software’s password encryption component; alternatively, they may have obtained this knowledge as a result of the 2016 data breach that affected Oracle’s MICROS division. Access to the database passwords opens up point-of-sale transaction data, including cardholder names. Card numbers and expiry dates are held in the same database but in a different table, protected by an additional layer of encryption. Because of this, ESET researchers believe there may be an additional decryption module used to access that data.

How Does It Propagate?

Researchers have not yet determined the attack vector that results in the compromise of the POS systems. The malware does not contain the necessary code to self-propagate.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 60 months prior to their release.

Egregor Ransomware Exits the Maze

A new Ransomware-as-a-Service (RaaS) named Egregor emerged in September 2020 and has already claimed high profile victims. After exfiltrating and encrypting a target’s data, Egregor also threatens to publicly release the data unless a ransom is paid within three days. Researchers at Malwarebytes believe Egregor has benefited from the “press release” in which the operators of the Maze ransomware announced the shutdown of their infrastructure. It appears that many of the customers (aka “affiliates”) of the Maze RaaS offering have moved over to Egregor.

What Is It?

Like many current ransomware variants, Egregor uses the dual threat of naming and shaming victims and releasing stolen data to increase the pressure on a victim to pay. Researchers at Appgate discovered the “Egregor News” dark web site, which contains a victim “hall of shame” and is also where stolen data is leaked. The current victim count appears to be low. Named victims include logistics firm GEFCO and bookseller Barnes & Noble.

Egregor’s ransom note provides the three-day deadline to pay the ransom and states that failure to pay will result in the release of stolen data and publicity to ensure the victim’s “partners and clients” are made aware of the attack. The note also states that once the ransom is paid, the victim will get full decryption of their data, a complete listing of all files downloaded, confirmation the downloaded data has been deleted from Egregor’s servers, and most interestingly of all, offers recommendations for securing their network perimeter against further cyberattacks.

Egregor incorporates techniques that make sample analysis more difficult, such as obfuscated code blocks and custom-packed payloads. Execution requires a parameter to be passed to the malware on the command line, which is used to decrypt the Egregor payload; without it, neither a human analyst nor an automated solution (such as a sandbox) sees the real code.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. Specifics of Egregor’s initial attack vectors aren’t currently known; however, the most common attack vector for most ransomware remains social engineering, either through malicious attachments or downloads performed by malicious documents.

When/How Did BluVector Detect It?

Five publicly available samples of Egregor ransomware were tested and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown all samples would have been detected 57 months prior to their release.

Turla APT Updates Anti-Detection Tactics

What Is It?

Turla is a Russian-sponsored APT (Advanced Persistent Threat) group we have covered in previous Threat Reports. Also known as Waterbug, Venomous Bear and KRYPTON, Turla has been in operation since the early 2000s. The group focuses on espionage, targeting government entities and embassies in up to 100 countries. Turla is believed to be behind attacks on the U.S. State Department, NASA, U.S. Central Command (CENTCOM) and various embassies located in European countries.

The Accenture Cyber Threat Intelligence team recently released research into a successful attack on an unnamed European government entity. Additionally, USCYBERCOM has publicly released samples of a dropper attributed to Turla by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI.

Turla has succeeded by continuing to evolve its custom malware to remain undetected for extended periods of time. Mirroring traditional espionage tradecraft, the less attention the malware draws to itself, the longer it can gather intelligence. Once the initial compromise and installation of the malware has been successful, the main challenge to its continued stealth is communication with the attackers and exfiltration of data (also known as command and control or C2).

Any unusual or new traffic could be detected as malicious or flagged as suspicious by security infrastructure on an organization’s network. Previously, Turla has used some novel methods to avoid drawing attention to the C2 traffic. One of the most well-known is from 2017 when the group used the comments section of a photo on Britney Spears’ official Instagram account. The malware looked for comments with a specific hash value that contained non-printable characters indicating which characters in the comment should be combined to create a URL that redirected to the actual C2 site. 

In the latest Turla malware reported by Accenture, a combination of old and new techniques is used for C2 communication. The old and most common technique uses a compromised legitimate website to host the C2 endpoint, which is contacted directly by the malware on each infected system. The new technique uses a compromised system inside the targeted organization’s local network as a proxy: C2 traffic from other infected systems is sent to this internal system and then forwarded to an externally hosted C2 site. This gives Turla two advantages over the old method. First, it allows systems without direct internet connectivity to communicate with an external C2 site. Second, it can significantly reduce the number of infected systems communicating with an external site, which minimizes the risk of the C2 traffic being detected.
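The internal-relay pattern has a recognisable shape in flow data: one internal host accepts connections from several other internal hosts on a port that has no business reason to exist, and that same host is among the few talking to the internet. The Python below hunts for that shape over NetFlow-style records. It is an added example with constructed flow records (not Accenture’s data or detection content); the internal address ranges, the ignored ports and the fan-in threshold are assumptions to tune per environment, and a genuine proxy, jump host or update server will match and must be allow-listed by hand.

```python
"""Hunt for internal C2 relays in flow records: many internal clients fan in
to one host, and that host fans out to the internet. Constructed illustration."""
from collections import defaultdict
import ipaddress

# Assumed internal ranges; replace with the organisation's actual allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    # four workstations talk to 10.1.1.50 on an odd port, and 10.1.1.50
    # alone carries that traffic on to the internet: the relay shape
    ("10.1.1.20", "10.1.1.50", 8443, 4096),
    ("10.1.1.21", "10.1.1.50", 8443, 3072),
    ("10.1.1.22", "10.1.1.50", 8443, 5120),
    ("10.1.1.23", "10.1.1.50", 8443, 2048),
    ("10.1.1.50", "203.0.113.7", 443, 16384),
    # an internal build server with plenty of fan-in but no egress at all
    ("10.1.1.20", "10.1.1.6", 8080, 900),
    ("10.1.1.21", "10.1.1.6", 8080, 900),
    ("10.1.1.22", "10.1.1.6", 8080, 900),
    # SMB to a file server is noise for this hunt and is ignored by port,
    # even though the file server does have some egress of its own
    ("10.1.1.20", "10.1.1.5", 445, 900),
    ("10.1.1.21", "10.1.1.5", 445, 900),
    ("10.1.1.22", "10.1.1.5", 445, 900),
    ("10.1.1.5", "198.51.100.9", 443, 700),
    # a workstation browsing the web directly
    ("10.1.1.30", "198.51.100.9", 443, 700),
]


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_fan_in=3,
                          ignore_ports=frozenset({53, 135, 139, 445})):
    """Return {host: details} for internal hosts that both receive connections
    from at least min_fan_in other internal hosts on one port and connect
    outbound to the internet. Hosts with several qualifying ports report the
    last one seen; extend the key to (host, port) if that matters."""
    fan_in = defaultdict(lambda: defaultdict(dict))   # dst -> port -> {src: bytes}
    egress = defaultdict(dict)                         # src -> {external dst: bytes}
    for src, dst, dport, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            if dport not in ignore_ports:
                peers = fan_in[dst][dport]
                peers[src] = peers.get(src, 0) + nbytes
        elif is_internal(src):
            egress[src][dst] = egress[src].get(dst, 0) + nbytes
    findings = {}
    for host, ports in fan_in.items():
        for port, sources in ports.items():
            if len(sources) >= min_fan_in and host in egress:
                findings[host] = {
                    "port": port,
                    "internal_sources": sorted(sources),
                    "bytes_in": sum(sources.values()),
                    "external_peers": sorted(egress[host]),
                    "bytes_out": sum(egress[host].values()),
                }
    return findings


if __name__ == "__main__":
    for host, info in find_relay_candidates(SAMPLE_FLOWS).items():
        print(host, info)
```

Comparing bytes_in with bytes_out is the quick sanity check on a hit: a relay forwards roughly what it receives, whereas a busy internal web server that also fetches updates will show no such correspondence.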

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The Turla APT group has a history of utilizing social engineering attacks to initially compromise target organizations, such as malicious documents contained in spear phishing emails.

When/How Did BluVector Detect It?

Accenture’s report contained 11 publicly available samples and USCYBERCOM uploaded 5 samples to VirusTotal. BluVector’s patented Machine Learning Engine (MLE) detected all 16 samples. Regression testing has shown the Accenture samples would have been detected an average of 33 months prior to their release and the USCYBERCOM samples would have been detected an average of 39 months prior to their release.

MoDi RAT Attack Pastes PowerShell Commands

What Is It?

Researchers at Sophos recently detailed a novel attack chain that delivered a variant of the MoDi RAT (Remote Access Trojan). The novelty is that, rather than calling PowerShell with a long command string, the chain launches a PowerShell process and then pastes the PowerShell commands into its window. Since calling PowerShell with a long command string is the common pattern, the obvious intention of this technique is to evade endpoint security products that inspect the command line.

MoDi RAT is a Windows .NET executable and, as this sample is neither obfuscated nor encrypted, it is relatively straightforward to reverse engineer. There are multiple steps in the attack chain, beginning with a Visual Basic Script (VBS) file attached to the spam mail, which downloads a Visual Basic Encoded (VBE) script (VBE encoding makes a script harder for end users to read or alter). This VBE (VBS #1) does two separate things: it writes binary data to the Windows Registry and it creates a scheduled task that runs every minute. It then decodes and drops VBS #2.

VBS #2, executed by the scheduled task, launches PowerShell and executes commands that use the binary data written to the registry by VBS #1 to assemble and execute the MoDi RAT payload filelessly, in memory. Once the PowerShell commands are running, the VBS scripts play no further part in the attack chain.

When executed, the sample connects to a hardcoded C2 (command and control) site on port 13. The code supports four C2 hostnames, which were all set to the same value in this sample. With MoDi RAT running in its own hidden window and connected to one of the hardcoded C2 hosts, the sample sends the name of the active window. Communication with the C2 starts with the string “|Boss2019|”.

As a RAT, MoDi can be instructed via the C2 channel to perform functions such as keylogging, taking desktop screenshots and videos and obtaining system information including installed anti-virus products. The sample also contains code to verify credit card numbers intercepted by the key logger. It does this by calling a site that can decode the first eight digits of a credit card number, providing information such as the location of the issuer, type of card, debit or credit card and brand of card. This information is reported via the C2 channel with the message prefixed with “ccnotif||.”

Strings in the sample indicate that it may be early in its development. First, it was compiled from a directory named “Project Larbi\MoDi RAT V0.1 Build1.” This is reinforced by unused code blocks containing default strings such as a password variable set to “yourPassPhrase” and a cryptographic salt set to “mySaltValue.” 

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The initial infection vector is a malicious attachment to spam email.

When/How Did BluVector Detect It?

Six malicious samples associated with this attack, including .NET executables, DLL files and Visual Basic scripts, are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 50 months prior to their release.

Lucifer Brings Crypto Miner and DDoS Functions to Linux and IoT

What Is It?

In June 2020, we reported on Lucifer, a Windows cryptomining bot capable of participating in DDoS (Distributed Denial of Service) attacks. Recently, researchers at Check Point published their analysis of the latest iteration of Lucifer for Linux and IoT systems. Check Point found evidence of infections at more than 25 banking, insurance, legal and manufacturing companies in India, Ireland, the Netherlands, Turkey and the U.S.

Servers previously compromised by the attackers were the source of the analyzed attacks. While web servers are the main target for the Linux version, the exploitation of the CVE-2018-10561 vulnerability found in Dasan GPON home routers is currently the most common attack vector for the IoT version.

Researchers found that the current variants are directly related to those described by Trend Micro and Tencent in June 2019, named BlackSquid and Spreadminer/Rudeminer respectively. Comparison of the variants shows that the authors are continuing to develop the malware with additional monetization opportunities, such as the DDoS functionality.

Upon initial execution, the Linux version moves to the background and uses cron for persistence. It attempts to listen on a specific port number, solely to ensure that it is the only instance of the malware running. If the malware is running as root, it raises the process’s file descriptor limit to the maximum available, so that it can hold many sockets open while participating in a DDoS attack. Lucifer then downloads the crypto miner and attempts to kill processes whose names contain specific, hardcoded strings. It then contacts its C2 (command and control) site, uploads details of system resource utilization and waits for instructions. These instructions can include starting and stopping DDoS attacks, downloading and executing a file or running a command, starting and stopping crypto mining and sending usage reports.

The IoT version sample, written for the ARM processor architecture, was initially uploaded to the VirusTotal service on May 10th. When initially uploaded, none of the products listed on VirusTotal detected the sample. As of the time of writing this Threat Report, this is still the case. Owing to the limitations of IoT platforms, the IoT sample does not contain any crypto mining functionality, with its use being limited to participating in DDoS attacks.

How Does It Propagate?

Only the Windows versions of Lucifer are capable of self-propagation; the Linux and ARM versions are not. The attacks, which originate from attacker-controlled servers, mainly target Linux web servers and Dasan GPON routers.

When/How Did BluVector Detect It?

Seven Linux and IoT Lucifer samples associated with this attack are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown all samples would have been detected an average of nine months prior to their release; this includes the ARM IoT sample, which is currently not detected by any product on VirusTotal.

Zeppelin Ransomware Floats Back With New Attacks

What Is It?

In late August 2020, researchers at Juniper Threat Labs discovered a new Zeppelin ransomware campaign, the first for this variant in several months. Juniper found that this campaign was poorly detected by legacy anti-virus applications because of a new downloader component used in the attack chain.

In this latest campaign, the initial attack vector is Microsoft Word documents containing malicious macros, attached to emails. When opened, the documents display a blurred image of a “medical invoice” with instructions on how to view the “content” of the document which, if followed, allow the macro to execute. To avoid detection by legacy anti-virus applications, an attempt that appears to have been largely successful, the macro extracts the code for a second macro from what appears to be junk text hidden behind the blurred image. The extracted macro is executed when the document is closed.

This macro downloads the actual Zeppelin ransomware from a domain controlled by the attackers and saves it to the local hard drive. However, in an attempt to avoid detection by the automated sandbox tools heavily used by endpoint detection vendors, execution of the Zeppelin ransomware is delayed by 26 seconds.

As with all previous variants going back to VegaLocker, the ransomware will not encrypt files if the infected system is located in Russia or the former Soviet states of Belarus, Kazakhstan and Ukraine. The displayed ransom note provides an email address for victims to contact the attackers and provide one encrypted file which will be decrypted for free.

Zeppelin, first discovered in December 2019 and named for the string ZEPPELIN written into encrypted files, was originally a variant of Buran ransomware, itself a variant of VegaLocker. All of these variants are written in the Borland Delphi programming language, popular with some malware authors because it can be more difficult to reverse engineer than languages such as C++. All variants have been offered for sale under the Ransomware-as-a-Service (RaaS) model. In the case of Buran, clients would keep 75% of all ransom payments, with the remaining 25% retained by the authors. The initial Zeppelin campaign targeted IT and healthcare organizations in Europe and the U.S., and it is believed that its initial infection vector was poorly secured, internet-facing Remote Desktop Protocol (RDP) servers.

How Does It Propagate?

This Zeppelin campaign utilizes what remains the most common attack vector for most ransomware, social engineering, in this case, malicious Microsoft Word document attachments. The malware does not contain the necessary code to self-propagate.

When/How Did BluVector Detect It?

A total of 49 samples related to this campaign are publicly available – two VBScript samples, 46 malicious Microsoft Word samples and the Zeppelin ransomware sample itself - and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 74 months prior to their release.

Chinese APT Campaigns Target Indian and Hong Kong Users

What Is It?

Researchers from Malwarebytes have released their research into three malicious campaigns they observed in early July 2020. The first two campaigns, which occurred within a day of each other, were aimed at Indian government entities. The third campaign targeted users in Hong Kong. Due to the targets, the timing and the techniques utilized, researchers believe the attacks originated from an undocumented China-based APT group, potentially active since 2014. In each campaign, the initial attack vector was malicious Word documents, resulting in a modified Cobalt Strike variant or the MgBot RAT (Remote Access Trojan). They also found malicious Android RATs believed to be used by the APT group.

Two real-world events in late June 2020 strained political relations between India and China. The first was a border skirmish along their disputed shared border in the Himalayas, reportedly resulting in casualties on both sides. Secondly, the Indian government banned 59 Chinese apps, most notably TikTok, on national security and privacy grounds.

The two APT campaigns were aimed at users with Indian government email addresses. Messages contained a Word document claiming to be a security check required because of a leak of email addresses. The Word document uses a technique known as “template injection” to fetch a remote template containing a malicious macro. This then led to the download and execution of the Cobalt Strike variant or the MgBot RAT.

The third APT campaign, targeting users in Hong Kong, used a lure and associated document based around statements made by UK Prime Minister, Boris Johnson. The statements, made in response to China’s new national security law for Hong Kong, describe provisions for up to 3 million Hong Kong citizens to live and work in the UK. The document again made use of “template injection” which resulted in the installation of the MgBot RAT.
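Template injection, used in all three campaigns above, leaves a simple fingerprint in the document package: the OOXML relationship of type attachedTemplate, normally pointing at a local .dotm, instead carries an external Target (an HTTP URL or UNC path) that Word resolves when the document opens, fetching whatever template, macros included, the attacker hosts there. The Python below, an added example rather than Malwarebytes’ detection content, checks every .rels part in a .docx for such a relationship; it builds a minimal constructed package to test against, and the template URL and UNC path in it are invented for the demonstration.

```python
"""Detect remote template injection in an OOXML Word document (illustration)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML namespace and relationship type used by Word for attached templates.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# URLs and UNC paths are the two ways an external template is usually expressed.
REMOTE_TARGET = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return (rels_part, target) pairs for attachedTemplate relationships whose
    Target is external. A local template path would not be reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE_TARGET.search(target):
                    hits.append((name, target))
    return hits


def build_docx(template_target=None):
    """Constructed minimal package; with a target it carries the injected relationship.
    Only the parts this check reads are populated, so Word would not open it."""
    rels = ['<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/styles" Target="styles.xml"/>']
    if template_target:
        rels.append(f'<Relationship Id="rId2" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    settings_rels = ('<?xml version="1.0" encoding="UTF-8"?>'
                     f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Invented template URL, not an indicator from the campaigns.
    print(find_remote_templates(build_docx("http://template.example.com/update.dotm")))
```

The check is deliberately narrow: it does not try to decide whether the remote template is malicious, only whether the document will reach out for one, which is the behaviour a mail gateway or sandbox should surface for a human to judge.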

The MgBot malware claims to be the legitimate Realtek Audio Manager utility. The malware also contains a number of techniques to make analysis more difficult. It attempts to determine if it is running on a VM or under analysis and if various endpoint security products are running. It connects to a C2 (Command and Control) server, ironically located in Hong Kong, over port 12800. As expected of a RAT, MgBot is capable of keystroke logging, saving screenshots, manipulating files and folders and controlling processes on the infected system.

The Android RATs associated with this APT group also communicate with C2 servers located in Hong Kong, using random port numbers. They are capable of geographically locating the infected phone; sending SMS messages; exfiltrating contacts, call logs, SMS messages and browsing history; recording audio via the phone’s microphone and recording screen activity.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector used in these campaigns is malicious Word documents attached to spear phishing emails, leveraging social engineering to compromise the targeted users.

When/How Did BluVector Detect It?

The 14 publicly available samples associated with these campaigns consist of malicious Word documents, the Windows RAT MgBot and an Android RAT. BluVector’s patented Machine Learning Engine (MLE) detected all of these diverse samples. Regression testing has shown that all samples, including those first seen in the wild as early as 2017, would have been detected an average of 34 months prior to their release.