Cyber Intel Brief: Feb 02 – 08, 2023

Malware

Information Stealer Discovered Capable of Stealing RDP Files

Impacted Industries: All

What You Need To Know:

Cyble observed an information-stealing malware capable of stealing .rdp files, passwords, and cookies. Cybercriminals can exfiltrate sensitive information from the victim’s machine using SMTP, Discord, and Telegram. With the capability of the stealer to steal RDP files, cybercriminals can use the stolen files to perform RDP hijacking, enabling them to gain unauthorized remote access without credentials. The stealer surfaced in cybercrime forums in the second half of 2022 and is sold through publicly available platforms.


Malware

OneNote Attachment Used to Deliver New Variant of BATLoader

Impacted Industries: Manufacturing, Retail Trade; Potential to target all industries

What You Need To Know:

Cyble recently observed a cybercriminal using a OneNote attachment (.one) in spam emails to deliver a .bat file that exhibits the same behavior as a new variant of BATLoader. Deepwatch has observed cybercriminals using OneNote attachments to deliver Qakbot malware. ATI’s Cyber Threat Intel team cannot find any reference to BatLoader being sold or offered through publicly available sources, which may suggest that a single cybercriminal or group operates BATLoader; this may indicate that the cybercriminal behind the phishing campaign is the same cybercriminal behind BATLoader. Cybercriminals using OneNote attachments could be an emerging trend. However, as of yet, it appears to be an isolated usage and not a widespread threat and may indicate that cybercriminals are testing out this distribution method.


Malware

Loader Drops Screenshot Tool and Stealers

Impacted Industries: All

What You Need To Know:

Proofpoint has observed a cluster of activity conducted by a cybercriminal they track as TA866. The initial infection is a phishing email that leads to malware they dubbed WasabiSeed and Screenshotter; post-exploitation activity observed involved AHK Bot and Rhadamanthys Stealer. Typical campaigns predominantly targeted organizations across various industries in the United States and consisted of thousands of emails, occurring twice a week. The package delivered by the initial infection then downloads malware dubbed WasabiSeed, which continuously sends traffic to a command and control server to download additional MSI packages. Proofpoint observed that the first MSI package downloaded a tool and scripts to take screenshots of the victim’s machine. Based on their analysis of these screenshots, the cybercriminals then downloaded AHK Bot and, eventually, Rhadamanthys Stealer.


Ransomware

ESXiArgs Ransomware Campaign Compromised Thousands of Victims

Impacted Industries: All

What You Need To Know:

The Record reports that government agencies and cybersecurity providers warned of a “massive active network exploitation” of CVE-2021-21974, an almost 2-year-old VMware ESXi vulnerability, to encrypt systems with the ESXiArgs ransomware, urging organizations with vulnerable systems to upgrade immediately. According to a recent Censys search, approximately 1,900 servers in Europe and North America have already been encrypted, with most located in France and the US. VMware issued a patch for the vulnerability in February 2021, and working proof-of-concept exploit code for CVE-2021-21974 has been available since May 2021. Due to the number of servers encrypted in a short time frame, the cybercriminals behind this campaign are highly likely running automated scanning and exploitation scripts to identify and encrypt vulnerable ESXi systems.


Threat Actor

Threat Actor Uses AutoHotkey and PowerShell for Data Collection

Impacted Industries: Transportation, Utilities, Financial and Insurance Services, Public Administration, and Information

What You Need To Know:

The DFIR Report’s latest incident report details an intrusion they assess was likely conducted by a threat actor tracked by Proofpoint as TA452. The initial access involved a macro-enabled Word document. The macro creates a directory named after the user in %AppData% and saves several scripts and one LNK file to this directory. Discovery commands were all executed via PowerShell or built-in Windows utilities. The threat actors dropped an AutoHotkey binary that performed keylogger functions and executed it via a scheduled task. The threat actors exfiltrated the data collected during discovery to the C2 server via POST requests. The DFIR Report assesses TA452 (OilRig/APT34) as the likely threat group behind this intrusion, based on two Proofpoint ruleset signatures, the custom PowerShell framework, and the fact that all observed activity aligns with Tehran local time. However, the time frame of the activity also aligns with Moscow’s local time (6:00 AM to 7:00 PM), and other threat groups or cybercriminals could have employed the same tactics, techniques, and procedures (TTPs) as a means of deception to avoid proper attribution.
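The chain described above (Office macro writing scripts and a LNK into a user-named %AppData% directory, Office spawning a script host, and an AutoHotkey binary launched from that directory by a scheduled task) lends itself to simple endpoint detection logic. The following is an added example, not code from The DFIR Report or Deepwatch; it runs a few rules over constructed Sysmon-style events (EventID 1 = process create, EventID 11 = file create) and assumes, as is the case for Task Scheduler launches, that tasks appear with svchost.exe as the parent process.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events, not from the incident; field names follow Sysmon's schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\jdoe\update.ps1"},
    {"EventID": "11", "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\jdoe\update.lnk"},
    {"EventID": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"powershell.exe -w hidden -f C:\Users\jdoe\AppData\Roaming\jdoe\update.ps1"},
    {"EventID": "1", "Image": r"C:\Users\jdoe\AppData\Roaming\jdoe\AutoHotkeyU64.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",   # Task Scheduler service host
     "CommandLine": r"C:\Users\jdoe\AppData\Roaming\jdoe\AutoHotkeyU64.exe keys.ahk"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",   # benign control event
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\(powershell|pwsh|wscript|cscript|mshta)\.exe$", re.I)
# %AppData% resolves to <profile>\AppData\Roaming; the backreference \1 requires the
# sub-directory to carry the same name as the user's profile folder.
USER_NAMED_APPDATA = re.compile(r"^[A-Z]:\\Users\\([^\\]+)\\AppData\\Roaming\\\1\\", re.I)
AUTOHOTKEY = re.compile(r"autohotkey", re.I)


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_index) pairs for events matching the TTP chain."""
    hits: List[Tuple[str, int]] = []
    for i, e in enumerate(events):
        eid, image = e.get("EventID"), e.get("Image", "")
        parent, target = e.get("ParentImage", ""), e.get("TargetFilename", "")
        if eid == "11" and OFFICE.search(image) and USER_NAMED_APPDATA.match(target):
            hits.append(("office_writes_user_named_appdata_dir", i))
        if eid == "1" and OFFICE.search(parent) and SCRIPT_HOST.search(image):
            hits.append(("office_spawns_script_host", i))
        if eid == "1" and AUTOHOTKEY.search(image) and USER_NAMED_APPDATA.match(image):
            hits.append(("autohotkey_from_appdata", i))
        if eid == "1" and parent.lower().endswith("\\svchost.exe") and USER_NAMED_APPDATA.match(image):
            hits.append(("scheduled_task_runs_appdata_binary", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule}: {SAMPLE_EVENTS[idx].get('Image')}")
```

The user-named directory rule is deliberately narrow to match this intrusion's staging location; the script-host and AutoHotkey rules fire on their own and are the ones worth keeping as general-purpose alerts.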


Threat Actor

Latest Additions to Data Leak Sites

Impacted Industries: Manufacturing; Professional, Scientific, and Technical Services; Information

What You Need To Know:

In the past week, monitored threat groups added 35 victims to their leak sites. Twenty of those listed are US-based; Australia, Mexico, and the UK had two victims each. The most popular industries were manufacturing, with eight victims; professional services, with seven victims; and technical services and information, with four victims each. This information represents victims who the cybercriminals may have successfully attacked but who opted not to negotiate or pay a ransom. However, we cannot confirm the validity of the cybercriminals’ claims.


Exploited Vulnerabilities

CISA Adds Two CVEs to its Known Exploited Vulnerabilities Catalog

Impacted Industries: All

What You Need To Know:

Based on evidence of active exploitation, CISA has added two CVEs to its Known Exploited Vulnerabilities Catalog. The software affected includes multiple SugarCRM products, which contain a remote code execution vulnerability in the EmailTemplates component, and Oracle E-Business Suite, which contains an unspecified vulnerability. The vulnerabilities added this week could allow a cybercriminal to execute code remotely or compromise Oracle Web Applications Desktop Integrator. Cybercriminals will likely ramp up exploitation efforts against the newly listed vulnerabilities within the next two weeks. However, we cannot rule out the possibility that cybercriminals could switch to other tactics and techniques to gain initial access.


What We Mean When We Say

Estimates of Likelihood

We use probabilistic language to reflect the Intel Team’s estimates of the likelihood of developments or events because analytical judgments are not certain. Terms like “probably,” “likely,” “very likely,” and “almost certainly” denote a higher than even chance. The terms “unlikely” and “remote” imply that an event has a lower than even chance of occurring; they do not imply that it will not occur. Terms like “might” reflect situations where we are unable to assess the likelihood, usually because relevant information is lacking, sketchy, or fragmented. Terms like “we can’t dismiss,” “we can’t rule out,” and “we can’t discount” refer to an unlikely, improbable, or distant event with significant consequences.

Confidence in Assessments

Our assessments and projections are based on data that varies in scope, quality, and source. As a result, we assign our assessments high, moderate, or low levels of confidence, as follows:

  • High confidence indicates that our decisions are based on reliable information and/or that the nature of the problem allows us to make a sound decision. However, a “high confidence” judgment is not a fact or a guarantee, and it still carries the risk of being incorrect.
  • Moderate confidence denotes that the information is credible and plausible, but not of high enough quality or sufficiently corroborated to warrant a higher level of assurance.
  • Low confidence indicates that the information’s credibility and/or plausibility are in doubt, that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that we have serious concerns or problems with the sources.
