SISA Weekly Threat Watch – August 15th, 2022

The use of malware to breach the network and exfiltrate the data was the most prevalent tactic that surfaced this week. Windows and Linux servers topped the list of these targeted attacks that used payload deployment, brute force techniques and PowerShell Command to gain access to the target’s environment. As cybercriminals improve their techniques and update their malware to bypass the security defenses of the organizations, it is essential to implement reliable security measures like antivirus software, multi-factor authentication and strong passwords to safeguard against cyber attacks.

SISA Weekly Threat Watch – our new weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. LockBit ransomware abuses Windows Defender to deploy Cobalt Strike Payload

A threat actor linked to the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been using the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads. An outdated VMware Horizon server that was a victim of the Log4j exploitation, led directly to the LockBit attack. The threat actor created a web shell driven by PowerShell by modifying the VMware Horizon Blast Secure Gateway component. The operator then downloaded a duplicate of “MpCmdRun.exe” and three malicious files: “mpclient.dll,” “C0000015.log,” and “mpclient.dll.” The operator ran the legitimate Windows Defender tool “MpCmdRun.exe” using DLL side-loading techniques, which allowed the malicious DLL to get loaded in place of the legitimate one. To establish persistent Command and Control, the malicious DLL loads, decrypts, and loads the Cobalt Strike beacon located inside “C0000015.log” (C2).

Defenders are advised to keep an eye on new methods like living off the land scripts and binaries (LOLBAS) that are being used to target security protocols. These techniques may be capable of avoiding EDR and AV tools since native Windows binaries are trusted. Establishing a baseline for endpoint processes can help identify unusual uses of native Windows tools.

2. IBAN clipper malware swaps banking details

According to some researchers, large-scale financial attacks using banking malware have substantially increased with nearly all banking firms and organizations facing a significant security risk. Cyble Research Labs recently discovered a threat actor advertising clipper malware, that targets Windows OS, on a forum for cybercrime. It is believed that the attacker either modifies or makes changes to IBAN from the victim’s clipboard through a C2 panel to hijack an ongoing financial transaction on the victim’s system.

The clipper infiltrates the victim’s machine by using phishing emails, attachments, malicious URLs, or by downloading malicious software from the internet. According to a proof-of-concept video demonstration, after installation, the clipper runs the whole process in multiple phases to swap the victim’s IBAN with the attacker’s own IBAN, thereby rerouting the transaction in attacker’s favor. Further research showed that the attackers were only offering malware solutions to target IBANs located in SEPA-registered countries.

It is advised to avoid downloading pirated software from torrent websites and enforce multi-factor authentication (MFA) and use of strong passwords. In addition to that, enabling automatic software updates on all devices and deployment of Data Loss Prevention (DLP) solution on the computers of the staff are recommended to prevent data exfiltration. Cybercriminals are improving their techniques and updating their malware to bypass antivirus software and that is why organizations should immediately train their employees on identifying and countering such threats.

3. Microsoft links Raspberry Robin malware to Evil Corp attacks

Microsoft has discovered that an unnamed access broker classified as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp (DEV-0243) tactics. The company’s research shows that DEV-0206 and DEV-0243 may be linked in some manner to the attackers who are responsible for Raspberry Robin. Cybercriminal organization Evil Corp used Raspberry Robin’s DEV-0243 access to company networks to distribute the Dridex malware. Raspberry Robin has also been detected on the networks of organizations in the manufacturing and technology sectors.

After being downloaded on a compromised system, the malware spreads to other devices on a target’s network via infected USB devices that contain a malicious LNK file. Once it has been attached, the worm initiates a new process that executes a malicious file stored on the infected drive using cmd[.]exe. By tricking targets into downloading fake browser updates in the form of ZIP packages, DEV-0206 spreads FakeUpdates. The malware then distributes the payloads through the access from DEV-0206.

4. Cloned Atomic Wallet website is pushing Mars Stealer malware

Copies of the information malware ‘Mars Stealer’ are being distributed by a fake website pretending to be the official portal for the Atomic wallet, a well-known distributed wallet that also serves as a cryptocurrency exchange portal. A technical analysis by Cyble says that the ongoing Mars Stealer campaign’s delivery mechanism puts in a significant effort to avoid being discovered. The ZIP download includes a batch file called AtomicWallet-Setup.bat that executes a PowerShell command to give the host more privileges. The bat file then copies the directory’s powershell.exe executable, assigns it a new name, and hides it before using it to execute base64-encoded PowerShell content.

This code executes the very last Powershell command that acts as the malware loader, which is Base64-encoded with Encryption algorithms and GZip compressing. A copy of Mars Stealer is downloaded by the loader from a Discord server and placed in the host device’s % LOCALAPPDATA % file. The malware launches after installation and steals data from the infected device.

It is recommended to use reliable internet security and antivirus software on all the connected devices, MFA wherever possible, and strong passwords to safeguard against malware. It is essential to use the official project download links when downloading bitcoin wallets and never rely on links posted on social media or instant messaging services. Furthermore, avoid clicking on any results marked as advertising because malicious Google Ads campaigns and SEO poisoning can enable malicious websites to look higher in Google Search results than genuine sites.

5. New Linux malware Brute-forces SSH servers to breach networks

A new botnet dubbed as “RapperBot” which is based on the Mirai trojan has been used in attacks with a focus on brute-forcing its way into Linux SSH servers to gain the system’s credentials. Threat experts at Fortinet have discovered that RapperBot exclusively scans and attempts to brute force SSH servers set to accept password authentication, as opposed to the majority of Mirai variants that natively brute force Telnet servers using default or weak passwords.

An implementation of an SSH 2.0 client that can connect to and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR is found in the majority of the malware code. A list of credentials that were downloaded from the C2 using host-unique TCP requests is used for the SSH brute-forcing, and the malware informs the C2 when it is successful. RapperBot used a self-propagation technique via a remote binary downloader, which was deleted by the threat actors in mid-July, according to Fortinet researchers who followed the bot and continued to sample new variants.

RapperBot has undergone some significant and odd changes, so its primary motivation remains a little unclear. However, this threat can be easily minimized by setting strong passwords for devices or disabling password authentication for SSH since its main method of propagation is brute forcing SSH credentials.