The Anvilogic Forge team provides a recap of monthly trending threats. The community intelligence we collect is molded into actionable defense strategies to help defend your organization from the biggest emerging threats.
What’s Surging? Our Picks of The Most Thunderous News
(1) Emotet Storms Back
A flurry of email samples carrying Emotet malware has been discovered since its return from a four-month hiatus. Starting at the beginning of November 2022, Proofpoint researchers noticed a significant rise in emails laced with Emotet, with the daily volume of Emotet-bearing emails measured in the hundreds to thousands. Proofpoint tracks the threat actor distributing Emotet malware as TA542. Many aspects of the Emotet infection are unchanged; however, the changes in tactics include updates to Emotet's binary and the IcedID and Bumblebee malware loaders being dropped. Emails containing Emotet use hijacked email threads or invoice-themed lures to entice victims into opening an attached Excel file or a zip file housing the Excel file. A macro-laced document is still the detonation method of choice; however, to bypass Microsoft's Mark-of-the-Web (MoTW) security controls, a second layer of social engineering requires the victim to move the Excel file into a trusted system location such as the Templates folder, which requires administrator-level permissions to move into. Once these hurdles are cleared, opening the Excel document causes the Emotet malware to execute and download a variant of the IcedID loader. Typically a loader would initiate system checks to identify system and network specifications; however, in the observed infection chain the threat actor has opted to forgo this step. "Proofpoint researchers believe this is because the loader is being delivered to already infected machines and therefore there is no need to do a check on the system profile." IcedID would then download any additional malware payloads needed for the attacker's objectives, which may result in ransomware.
(2) Royal Ransomware Ready to Rumble
Category: Ransomware News | Source: Trend Micro
In September 2022, the Royal ransomware group emerged in cyberspace, rapidly establishing itself as a top-tier cybercrime threat. A report shared by Trend Micro provides insight into the group’s attack techniques, with similarities linked to the former Conti ransomware group. Trend Micro also found, "Our investigation into Royal ransomware attacks shows how the group employs a mixture of both old and new techniques, which indicates that it is no newcomer to the ransomware scene. Their use of callback phishing to lure victims into installing remote desktop malware allows them to infiltrate the victim’s machine with relative ease." The use of callback phishing is the most prominent link to Conti, an observation shared by other security firms such as Cybereason and Palo Alto Unit42. During the callback phishing routine, victims are lured through urgent emails to contact a phone number linked to a call center, where the representative on the receiving end coerces the victim into installing remote access software or other malicious payloads so that the threat actor gains initial access.
For post-exploitation, the operator has often used Cobalt Strike or Qakbot to move laterally through the victim's environment. Royal ransomware operators often use public tools such as AdFind, Netscan, PCHunter, Process Hacker, GMER, and PowerTool to support reconnaissance and defense evasion, disabling any active security products. Any data discovered in the attack is exfiltrated using RClone. In the final stages of the attack, AdFind is used to identify Active Directory systems for the threat actors to pivot to, and the ransomware is deployed using PsExec. While Royal ransomware only appeared recently, in September 2022, its attack pace is making up for any lost time in 2022, as many victims across multiple countries have already been compromised. It is clear Royal ransomware is a prominent threat in cyberspace, with experienced cybercriminals operating the ransomware.
(3) Cloudy Outlooks for Cloud Security: Compromised Credentials Lead to Attacks in Amazon & Google Cloud
Category: Cloud Security | Source: Palo Alto Unit42
Compromised credentials are one of the leading causes of security breaches in the cloud. Researchers from Palo Alto Unit42 shared examples of attacks in Amazon Web Services (AWS) and Google Cloud Platform (GCP). Threat actors are capable of launching phishing attacks from AWS with compromised Lambda credentials and launching cryptomining from compromised Google Cloud app service accounts. Both attacks can be carried out very quickly, with threat actors accomplishing the bulk of their objectives in just a little over an hour. Steps taken in the attacks include enumerating the environment, tampering with identity and access management (IAM) configurations by adding new accounts, modifying firewall rules, and deploying new cloud instances.
Unit42 stresses the need to secure cloud environments, as "A growing trend of attacks specifically targets cloud compute services to steal associated credentials and illicitly gain access to cloud infrastructure. These attacks could cost targeted organizations both in terms of unexpected charges for extra cloud resources added by the threat actor, as well as time required to remediate the damage." Monitoring the cloud environment is crucial to discover threat activity not only during initial access but also during post-exploitation. Sequences of suspicious behavior should be investigated to identify signs of misuse of cloud resources.
Grounding the Storm with Detections from the Forge
Our threat scenario centers on plain document execution, enriched with additional threat behaviors to increase fidelity and tell a bigger story. Documents are opened daily in any corporate network, so to reduce analyst burnout from reviewing so many document execution analytics, we chain them with other proven threat behavior analytics that can aid in identifying malicious activity. An alert detailing the execution of a document followed by living-off-the-land binary (LOLBin) activity, persistence, and/or process injection detected on the network is certainly worth investigative review. Thanks to the intelligence provided by the community, we can create detections tracking activity at the tactics, techniques, and procedures (TTPs) level.
Notable Analytics to Defend Against Malicious Payloads from Initial Access
- Arrival: Execution of a malicious document or compressed zip archive
- LOLBin: Common binaries such as rundll32, regsvr32, wscript/cscript for VBS scripts and many others are used to proxy the execution of the attack’s payload
- Persistence or other actions on objective: The threat actor will often establish persistence for their malware by modifying registry keys or creating scheduled tasks. Other notable actions include process injection, script execution, or disabling Windows defenses as the threat actor continues to exploit the compromised host.
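As an added illustration (not Anvilogic's Armory content or any vendor's code), the stage-chaining idea behind the analytics above and the cloud credential-abuse sequence from the Unit42 item can both be expressed as one small correlator: an alert fires only when a single host or cloud identity moves through every stage, in order, inside a time window. The field names, process lists, API names in the stage predicates, and the sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

def find_chains(events, stages, entity, window_s):
    """Chains of events from one entity matching every stage, in order, within window_s seconds."""
    chains, by_entity = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_entity.setdefault(e[entity], []).append(e)
    for evs in by_entity.values():
        for i, first in enumerate(evs):
            if not stages[0][1](first):
                continue
            matched, nxt = [(stages[0][0], first)], 1
            for e in evs[i + 1:]:
                if nxt == len(stages) or e["ts"] > first["ts"] + timedelta(seconds=window_s):
                    break
                if stages[nxt][1](e):
                    matched.append((stages[nxt][0], e))
                    nxt += 1
            if nxt == len(stages):
                chains.append(matched)
    return chains

OFFICE = {"winword.exe", "excel.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENDPOINT_STAGES = [  # arrival -> LOLBin proxy execution -> persistence
    ("arrival", lambda e: e["image"] in OFFICE),
    ("lolbin", lambda e: e["image"] in LOLBINS and e["parent"] in OFFICE),
    ("persistence", lambda e: "schtasks /create" in e["cmd"].lower() or "currentversion\\run" in e["cmd"].lower()),
]
CLOUD_STAGES = [  # enumerate -> IAM tampering -> firewall change -> new instance
    ("enumerate", lambda e: e["api"].startswith(("List", "Describe"))),
    ("iam_tamper", lambda e: e["api"] in {"CreateUser", "CreateAccessKey", "AttachUserPolicy"}),
    ("firewall", lambda e: e["api"] == "AuthorizeSecurityGroupIngress"),
    ("deploy", lambda e: e["api"] == "RunInstances"),
]

def ev(t, **fields):  # helper for the constructed sample events below (not real logs)
    return {"ts": datetime.fromisoformat(t), **fields}
ENDPOINT_EVENTS = [  # one infected host (ws01) and one benign host (ws02)
    ev("2022-11-15T09:00:00", host="ws01", parent="explorer.exe", image="excel.exe", cmd="excel.exe invoice.xls"),
    ev("2022-11-15T09:00:20", host="ws01", parent="excel.exe", image="regsvr32.exe", cmd="regsvr32 /s C:\\Users\\Public\\x.ocx"),
    ev("2022-11-15T09:02:00", host="ws01", parent="cmd.exe", image="schtasks.exe", cmd="schtasks /create /tn Upd /tr C:\\Users\\Public\\x.exe"),
    ev("2022-11-15T09:00:00", host="ws02", parent="explorer.exe", image="excel.exe", cmd="excel.exe budget.xlsx"),
]
CLOUD_EVENTS = [  # one compromised cloud identity working through all stages in 50 minutes
    ev("2022-11-20T13:00:00", identity="svc-key-1", api="ListUsers"),
    ev("2022-11-20T13:10:00", identity="svc-key-1", api="CreateUser"),
    ev("2022-11-20T13:25:00", identity="svc-key-1", api="AuthorizeSecurityGroupIngress"),
    ev("2022-11-20T13:50:00", identity="svc-key-1", api="RunInstances"),
]
```

Calling `find_chains(ENDPOINT_EVENTS, ENDPOINT_STAGES, "host", 1800)` returns the single ws01 chain and nothing for ws02, which only opened a document; the cloud sequence only alerts when the window covers the full hour the attacker needed.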
The Anvilogic Armory contains over 1500 detections created by the Forge content development and research teams to help you defend your network. These trending topics can be found in our Armory with content already mapped, helping you quickly deploy detections and secure your environment.