The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats.
What’s Surging? Our Picks of The Most Thunderous News From March 2023
(1) An Extensive Infection Campaign Across LATAM
Category: Threat Actor Activity | Source: Metabase Q
An analysis of 20 different spam campaigns targeting entities in Chile, Mexico, Peru, and Portugal was conducted by Metabase Q’s Threat Intelligence Team. Their review identified a large-scale credential-stealing campaign likely distributing malware that resembles the Mispadu banking trojan. The campaign is dated to have been active since August 2022, targeting organizations associated with internet banking, education, government services, social networking, gaming, retail, and technology. "In several cases, the cyber criminals created fake webpages for the victim, such as online banking windows. For the initial infection, the attackers tried to lure the victims into opening different types of fake bills via HTML pages or PDF password-protected files," as shared by the Metabase Q Team. The campaign is revealed to have compromised "a total of 90,518 credentials coming from 17,595 unique websites across all industry sectors."
Compromising legitimate websites and using them as Command & Control servers are one of their primary strategies for propagating malware. To execute this campaign, the threat actors scout for vulnerable Content Management System versions, such as WordPress, and exploit them to take control of websites. With this control, they spread malware in a tailored fashion, including excluding specific countries, delivering distinct malware types according to the infected country, and even installing a specific malicious RAT (Remote Administration Tool) based on the device. The malware does not install if the host is a mobile device. A muti-stage infection chain highlights the campaign’s potency, "the cyber criminals hide the malware inside of fake certificates so it’s harder to detect. They then misuse a legitimate Windows program ‘certutil’ to decode and execute the banking trojan." Following the decode of the initial weaponized payload, WMIC is used to execute Mispadu with persistence established from a shortcut/LNK file and a PowerShell-based remote access trojan (RAT).
(2) ‘Winter Vivern’ Running Espionage Campaigns to Support Russia and Belarus
Category: Threat Actor Activity | Source: SentinelOne
‘Winter Vivern', an advanced hacking group suspected to be a pro-Russian APT (advanced persistent threat) group, has been conducting espionage campaigns targeting European government organizations and telecommunication service providers. The group's actions align with the interests of the Russian and Belarusian governments, targeting government agencies and even telecommunication organizations supporting Ukraine. Researchers from SentinelLabs identified the threat actor initiating "various tactics, such as phishing websites, credential phishing, and deployment of malicious documents, that are tailored to the targeted organization’s specific needs. This results in the deployment of custom loaders and malicious documents, which enable unauthorized access to sensitive systems and information."
From the beginning of 2023, the hackers produced web pages that imitated those used by the Central Bureau for Combating Cybercrime in Poland, the Ministry of Foreign Affairs in Ukraine, and Ukraine's Security Service. The weaponized files distributed by Winter Vivern are used to launch PowerShell, running the 'Invoke-Expression' command to download additional payloads. SentinelLabs reports that the threat group functions on limited resources; however, their creativity compensates for these limitations. One example of Winter Vivern's resourcefulness in the SentinelLabs report is the use of Windows batch files to impersonate antivirus scanners while, in reality, downloading malicious payloads. A particular malware family used by Winter Vivern was labeled as "Aperetif" by CERT-UA. Aperetif malware can scan and extract files automatically, capture screenshots, and transmit all information in a base64-encoded format to a command and control server URL that is hardcoded.
(3) Elevating the Title, APT43 Designated for North Korean Actor
Category: Threat Actor Activity | Source: Mandiant
A recently uncovered North Korean hacking group, identified as 'APT43', has been conducting cyber attacks on government agencies, cryptocurrency services, academics, think tanks, media members and organizations across the United States, Europe, Japan, and South Korea since 2018. The threat actor's motives are focused on espionage and financially-motivated cybercrime operations in order to amass funds to support its activities. Formerly tracked as Kimsuky '' or “Thallium,” Mandiant recognizes their activities as APT43. Mandiant researchers exposed APT43's activities in their latest report, assessing "with moderate confidence that APT43 is attributable to the North Korean Reconnaissance General Bureau (RGB), the country's primary foreign intelligence service." Mandiant's observation of sudden shifts in APT43's espionage operations suggests that the group may be adjusting its objectives in response to changes in the state's strategic plans. An example was a shift to target organizations in healthcare and pharmaceutical, with specifically crafted malware likely as a response to the COVID-19 pandemic.
Techniques to exploit zero-day were not observed from APT43. "Campaigns attributed to APT43 include strategic intelligence collection aligned with Pyongyang’s geopolitical interests, credential harvesting, and social engineering to support espionage activities, and financially-motivated cybercrime to fund operations." The group uses the obtained credentials to further their interests, which involve gathering information on the U.S. military and government, defense industrial base (DIB), nuclear security policy, and research and security policies developed by academia and think tanks based in the U.S. "APT43 has displayed interest in similar industries within South Korea, specifically non-profit organizations and universities that focus on global and regional policies, as well as businesses, such as manufacturing, that can provide information around goods whose export to North Korea has been restricted," as explained by Mandiant.
Grounding the Storm with Detections from the Forge
#StopRansomware Marks Royal Ransomware
Category: Ransomware News | Source: CISA
The "Royal" ransomware gang is a serious and prolific threat group, believed to include experienced threat actors from the notorious Conti ransomware gang. This group has been responsible for multiple high-profile ransomware attacks across a variety of sectors, including critical infrastructure organizations, communications, education, healthcare, and manufacturing. To defend against this threat, it is critical to stay informed and use intelligence provided by credible sources like the Cybersecurity and Infrastructure Security Agency (CISA), which regularly publishes alerts, advisories, and other resources to help organizations protect their networks from ransomware attacks and other cyber threats, specifically their “#StopRansomware” series. By operationalizing this intelligence, organizations can fortify their detection and response capabilities against the Royal ransomware gang and other threat actors.
An insight into their activities, Royal has demonstrated a high degree of sophistication in their tactics, techniques, and procedures (TTPs), which include initial access through phishing, RDP (remote desktop protocol), vulnerable public-facing applications, and valid accounts obtained from brokers. Once the operators establish a foothold on the network, they typically initiate command and control (C2) with remote access software or a tunneling tool, and there’s evidence of them using Qakbot C2 infrastructure. From there, the group may tamper with system configurations to lower defenses, execute malicious batch scripts, create new user accounts, and modify group policies and registry settings. With a wide range of techniques observed, understanding these behaviors enables us to identify specific threat indicators, alert on singular activities, and sequence them into a comprehensive threat scenario that fortifies our detection capabilities.
The Anvilogic Armory contains over 1,500 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped to help you quickly deploy detection and secure your environment.
- Sign-up to receive the Forge weekly threat report or see other reports
- Read more about the Forge’s approach to detections can help create an effective threat detection strategy