SISA Weekly Threat Watch – September 26th, 2022

Over the last week, organizations around the globe were targeted by multiple new attack tactics and campaigns. From intermittent encryption and multi-persona impersonation (MPI) to modified RATs and state-sponsored phishing techniques, threat actors have been seen improving their methods to breach the networks. The recent findings by the researchers also suggest that attackers are capable of leveraging a variety of modified tools and services that can obfuscate and complicate investigations of such attacks.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Ransomware gangs switching to new intermittent encryption tactic

A growing number of ransomware organizations are utilizing a fresh strategy that speeds up the encryption process while decreasing the likelihood of being discovered and stopped. According to a research study, the LockFile ransomware gang supposedly uses intermittent encryption technique that encrypts only a portion of the content of the targeted files.

The Black Basta, PLAY, Agenda, Qyick, and ALPHV (BlackCat) ransomware groups have also employed the same technique. These organizations are promoting sporadic encryption techniques to get potential affiliates to join RaaS operations. To lower the risks involved, it is advised that businesses increase their investments in anti-ransomware solutions with behavior-based detection and a reliable backup of sensitive information.

2. TA453 uses Multi-Persona Impersonation (MPI) tactic in phishing attacks

The Iranian hacker group TA453 has created a new phishing technique called Multi-Persona Impersonation through which the group lures targets into extremely realistic and hard-to-detect email discussions by using various personas and email accounts. The group uses personal email accounts (Outlook, AOL, Gmail, and Hotmail) and CCed personas from fake businesses in all its attacks.

To perform template injection, hackers share OneDrive links that contain malicious documents that are password-protected. The Korg template macros are used to collect information from my-ip[.]io, including the user’s public IP address, a list of actual operating processes, and the username. The Telegram API is used by macros to steal this data. Future directions of techniques like MPI are expected to increase its impact. Organizations are advised to spread greater awareness within the firm about emails from suspicious or unknown senders to prevent data compromise.

3. Webworm hackers use modified RATs in latest cyber espionage attacks

A threat actor known as Webworm has been connected to customized Windows-based remote access trojans, some of which are allegedly in the testing or pre-deployment stages. The malicious “[TEMP]logexts.dll” file is loaded by calling the “LoadLibraryA” API from the genuine application Logger.exe. A loader is the logexts.dll file. Once executed, it verifies the command-line parameters for the process and tries to steal a token from the “WINLOGON.EXE” process if the command-line contains the single parameter “isdf”.

The Gh0st RAT version has capabilities like network service creation, UAC bypassing, shellcode unpacking and memory launch, layers of obfuscation to get around security measures and prevent analysis, and more. To stay protected from such attacks, it is recommended to implement and use security solutions which employ file-based, behavior-based or ML-based detection mechanisms.

4. Hackers targeting WebLogic servers and docker APIs for mining cryptocurrencies

The creators of the Kinsing malware are utilizing security flaws in the WebLogic Server by spreading cryptocurrency miners. Kinsing, who already had financial motivations, was discovered by Trend Micro dropping Python scripts that switched off OS security features and service agents. The recent attacks exposed a vulnerability – CVE-2020-14882, a two-year-old RCE vulnerability by utilizing unpatched servers to take control of the server and spread malware.

The Kinsing malware is downloaded from a remote server via the shell script. In addition to launching a cryptominer, the operators were seen spreading the malware to additional hosts and containers. The vulnerability can be successfully exploited to cause RCE, which enables a variety of malicious actions on infected systems, such as the execution of malware, data exposure, and total machine control. Enhanced employee awareness, MFA enforcement, deployment of DLP solution and automatic software updates are some of the best practices to minimize the chances of a cyber breach.

5. Gamaredon APT targets Ukrainian government agencies in new campaign

In an evolving espionage campaign, Gamaredon, a Russian state-backed threat group have been using malware that steals information from Ukrainian victims by using spear phishing and social engineering to gain continuous access to their systems. According to researchers, Gamaredon’s new infostealer can steal files from attached storage devices (local and remote).

A PowerShell script that was recently mentioned in a Ukraine CERT alert is used to spread the infostealer. Phishing mails with Office documents that contain malicious VBS macros are used to spread the malware. Each stolen file produces a POST request along with its content and metadata. The Gamaredon threat group is present and utilizes the new infostealer to attack Ukrainian entities. However, to prevent such espionage activities, the researchers have published a detailed list of IoCs regarding the new infostealer.