Tecplix ThreatTrack Insights - January II
1. Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware
A threat group called TA866 has recently reappeared after a break of nine months, launching a new large-scale phishing campaign. This time, they are spreading well-known types of malicious software named WasabiSeed and Screenshotter.
In this recent campaign, which was spotted and stopped on January 11, 2024, TA866 sent thousands of fake invoice emails to people in North America. These emails carried PDF attachments that, if opened, could lead to the installation of a variant of the WasabiSeed and Screenshotter tools.
TA866 first caught attention in February 2023 with a campaign called Screentime. This campaign used WasabiSeed, a type of script, to download Screenshotter. Screenshotter is a tool that can take pictures of what's on someone's computer screen and send that information to the attackers.
In the recent attack, TA866 kept its methods mostly the same but switched from emails with certain types of attachments to emails with PDFs containing a fake OneDrive link. It used a spam service provided by TA571 to send these harmful PDFs.
TA571 is known for sending a lot of spam emails to deliver different types of malware. Some of these malware include AsyncRAT, NetSupport RAT, IcedID, PikaBot, QakBot (aka Qbot), and DarkGate. DarkGate lets the attackers do things like steal information, mine for cryptocurrency, and run any program they want on a victim's computer.
Interestingly, attackers have found a way to trick security products. They use a method where they include a link in their phishing messages that initially looks harmless to security programs. Then, they change the link to something malicious after the security system has already given it the green light. This has been particularly affecting industries like finance, manufacturing, retail, and insurance in several countries, including Italy, the U.S., France, Australia, and India.
Recommendations:
2. Microsoft's Top Execs' Emails Breached in Sophisticated Russia-Linked APT Attack
On Friday, Microsoft disclosed that it had fallen victim to a sophisticated cyberattack orchestrated by a nation-state on its corporate systems. This breach resulted in the unauthorized acquisition of emails and attachments belonging to senior executives and personnel within the company's cybersecurity and legal departments.
Microsoft attributes this attack to a Russian Advanced Persistent Threat (APT) group known as Midnight Blizzard, previously identified as Nobelium. This group is also recognized by various aliases, including APT29, BlueBravo, Cloaked Ursa, Cozy Bear, and The Dukes. Upon discovering the intrusion on January 12, 2024, Microsoft promptly initiated an investigation, implemented measures to disrupt the malicious activity, and took steps to mitigate its impact.
The campaign, believed to have commenced in late November 2023, involved the threat actor employing a password spray attack to compromise a legacy non-production test tenant account. Subsequently, the attacker leveraged this compromised account's permissions to gain access to a limited number of Microsoft corporate email accounts. The affected accounts included those of senior leadership members and employees in cybersecurity, legal, and other functional areas. The attackers exfiltrated certain emails and attached documents during this unauthorized access.
It is noteworthy that the nature of the targeting suggests the threat actors were specifically seeking information related to themselves. Microsoft emphasizes that the attack did not exploit any security vulnerabilities in its products. Importantly, there is no evidence to indicate that the adversary accessed customer environments, production systems, source code, or AI systems.
Although Microsoft did not disclose the precise number of infiltrated email accounts or the specific information accessed, the company is in the process of notifying impacted employees. This incident underscores the ongoing challenges posed by nation-state cyber threats, and Microsoft remains committed to enhancing its security measures to safeguard against such incidents in the future.
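The initial access technique above, a password spray, has a recognisable shape in sign-in telemetry: one source, many distinct accounts, one or two failures each, in a short window. The following detector is an added example written for this digest, not Microsoft's own tooling; the CSV records and the `corp.example` accounts are constructed and do not follow any vendor's log schema.

```python
"""Password-spray detection over constructed sign-in records: many distinct
accounts, few attempts each, one source, short window. The record format is
a constructed CSV, not any vendor's log schema."""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: 10.0.0.9 tries five accounts once each within minutes (spray);
# 10.0.0.5 is one user mistyping their own password repeatedly (not a spray).
SAMPLE_SIGNINS = """timestamp,source_ip,user,result
2023-11-28T02:00:05,10.0.0.9,test-legacy01@corp.example,failure
2023-11-28T02:00:41,10.0.0.9,test-legacy02@corp.example,failure
2023-11-28T02:01:17,10.0.0.9,svc-build@corp.example,failure
2023-11-28T02:01:52,10.0.0.9,jdoe@corp.example,failure
2023-11-28T02:02:30,10.0.0.9,asmith@corp.example,failure
2023-11-28T02:03:04,10.0.0.9,test-legacy03@corp.example,success
2023-11-28T09:15:00,10.0.0.5,jdoe@corp.example,failure
2023-11-28T09:15:20,10.0.0.5,jdoe@corp.example,failure
2023-11-28T09:15:45,10.0.0.5,jdoe@corp.example,failure
2023-11-28T09:16:10,10.0.0.5,jdoe@corp.example,success
"""

def load_signins(text):
    """Parse the CSV into dicts with a real datetime in 'timestamp'."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return rows

def detect_spray(rows, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Return {source_ip: {...}} for sources whose failures hit at least min_users
    distinct accounts, at most max_per_user times each, with all failures inside
    `window`; also lists accounts that later succeeded from that source."""
    by_src = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        by_src[r["source_ip"]].append(r)
    alerts = {}
    for src, events in by_src.items():
        fails = [e for e in events if e["result"] == "failure"]
        per_user = Counter(e["user"] for e in fails)
        if len(per_user) < min_users or max(per_user.values()) > max_per_user:
            continue  # too few accounts, or a brute force on one account
        if fails[-1]["timestamp"] - fails[0]["timestamp"] > window:
            continue  # failures too spread out to be one spray burst
        hits = sorted(e["user"] for e in events if e["result"] == "success")
        alerts[src] = {"accounts_tried": len(per_user), "later_success": hits}
    return alerts
```

A success following a spray from the same source, as with the test account here, is the line to escalate first.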
Recommendations:
3. Managed SOC Services For Enhanced Security
In today’s ever-evolving digital landscape, the proliferation of threats and increasing complexity necessitate a more intelligent and adaptable approach. Organizations need a collaborative and efficient security system with complete visibility across all security operations. While having the right tools and systems in place is crucial, the expertise to harness their full potential is essential. The priority is seamlessly integrating various security components for precise threat prevention, detection, and response.
The core mission of a Security Operations Center (SOC) revolves around the vital role of security monitoring and alerting. This encompasses the meticulous collection and scrutiny of data to uncover suspicious activities and enhance an organization’s security posture. The SOC garners threat data from a variety of sources, such as firewalls, intrusion detection systems, intrusion prevention systems, security information and event management (SIEM) platforms, and threat intelligence feeds.
4. TeamViewer abused to breach networks in new Ransomware attacks
Cyber adversaries are once again leveraging TeamViewer as a means to gain initial access to organizational endpoints, aiming to deploy encryptors based on the leaked LockBit ransomware builder. TeamViewer, a legitimate remote access tool widely embraced in the enterprise sphere for its simplicity and robust capabilities, unfortunately also finds favor among malicious actors, including scammers and ransomware perpetrators. These individuals employ TeamViewer to gain access to remote desktops, facilitating the unimpeded dropping and execution of malicious files.
A precedent for such activity was initially reported in March 2016, wherein TeamViewer was exploited to encrypt files using the Surprise ransomware. During that incident, TeamViewer attributed the unauthorized access to credential stuffing, clarifying that attackers did not exploit a zero-day vulnerability but instead utilized leaked user credentials. Given the widespread usage of TeamViewer, malicious actors often attempt to log in using compromised account information, seeking to identify corresponding TeamViewer accounts with matching credentials. Once successful, they can potentially access all associated devices to install malware or ransomware.
These nefarious techniques persist, with cybercriminals continuing to compromise devices via TeamViewer for ransomware deployment. Examination of the TeamViewer log files (connections_incoming.txt) on two compromised endpoints reveals connections from the same source on both, suggesting a common attacker. On the first compromised endpoint, the logs indicate multiple accesses by employees, affirming legitimate administrative use. Conversely, the second endpoint, operational since 2018, exhibited no activity in the logs for the past three months, signaling less frequent monitoring and potentially making it a more attractive target for attackers.
In both cases, the attackers sought to deploy ransomware through a DOS batch file (PP.bat) placed on the desktop. This batch file executed a DLL file (payload) via a rundll32.exe command.
While the attack on the first endpoint succeeded, it was effectively contained. In contrast, the antivirus product on the second endpoint thwarted the attempt, leading to repeated payload execution efforts with no success.
Recommendations:
5. Npm Trojan Bypasses UAC, Installs AnyDesk with "OS compatible" Package
A malicious package identified as "OS compatible" was discovered on the npm registry, where it had been deployed to compromise Windows systems by leveraging a sophisticated remote access trojan. This package, published on January 9, 2024, garnered 380 downloads before its removal from the registry.
The "os compatible" package contained unusual binaries, including a single executable file, a dynamic-link library (DLL), an encrypted DAT file, and a JavaScript file named "index.js." This JavaScript file executes an "autorun.bat" batch script after conducting a compatibility check to ascertain if the targeted system is running Microsoft Windows.
In the event that the platform is not Windows, the script displays an error message, notifying the user that it is intended for execution on "Windows Server OS" and urging them to initiate the process accordingly. The batch script, upon verification of administrative privileges, executes a legitimate Microsoft Edge component named "cookie_exporter.exe" via a PowerShell command. Attempting to run this binary triggers a User Account Control (UAC) prompt, prompting the user to execute it with administrator credentials.
Upon successful execution, the threat actor progresses to the subsequent stage of the attack by leveraging DLL search order hijacking to run the DLL ("msedge.dll"). This trojanized library is designed to decrypt the DAT file ("msedge.dat") and initiate another DLL named "msedgedat.dll." The latter establishes connections with a domain under actor control, specifically named "kdark1[.]com," to retrieve a ZIP archive.
The ZIP file is equipped with the AnyDesk remote desktop software and a remote access trojan ("verify.dll"). This trojan is capable of retrieving instructions from a command-and-control (C2) server via WebSockets, collecting sensitive information from the host, installing Chrome extensions to Secure Preferences, configuring AnyDesk settings, concealing the screen, disabling Windows shutdown, and capturing keyboard and mouse events.
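The traits described above (bundled .exe/.dll/.dat files inside a JavaScript package, an index.js that checks the platform and hands off to a batch script) are all visible before anything is installed. The triage script below is an added example for this digest, not the researchers' tooling; `triage_package` and `build_sample_package` are names chosen here, and the sample package it builds is constructed to mimic the described layout rather than being the real one.

```python
"""Static pre-install triage of an unpacked npm package: bundled Windows binaries,
lifecycle scripts, and JavaScript that spawns processes, launches .bat/PowerShell,
or gates on the OS. The sample package is constructed for this demo."""
import json
import os
import re
import tempfile

BINARY_EXT = {".exe", ".dll", ".dat", ".bat", ".cmd", ".ps1"}
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
JS_PATTERNS = {
    "spawns_process": re.compile(r"child_process|execSync|spawnSync|\bexec\("),
    "runs_script": re.compile(r"\.bat\b|\.cmd\b|powershell", re.I),
    "os_check": re.compile(r"process\.platform|os\.platform\(\)"),
}

def triage_package(root):
    """Return {'binaries': [...], 'lifecycle': {...}, 'js_flags': {file: [...]}}."""
    findings = {"binaries": [], "lifecycle": {}, "js_flags": {}}
    pkg_json = os.path.join(root, "package.json")
    if os.path.isfile(pkg_json):
        with open(pkg_json, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
        findings["lifecycle"] = {k: v for k, v in scripts.items() if k in LIFECYCLE}
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            ext = os.path.splitext(name)[1].lower()
            if ext in BINARY_EXT:
                findings["binaries"].append(rel)
            elif ext in (".js", ".cjs", ".mjs"):
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                hits = [k for k, rx in JS_PATTERNS.items() if rx.search(src)]
                if hits:
                    findings["js_flags"][rel] = hits
    return findings

def build_sample_package():
    """Write a constructed package mimicking the described layout; returns its path."""
    root = tempfile.mkdtemp(prefix="npm-triage-")
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "demo-pkg", "version": "1.0.0",
                   "scripts": {"postinstall": "node index.js"}}, fh)
    with open(os.path.join(root, "index.js"), "w") as fh:
        fh.write("if (process.platform !== 'win32') { console.error('Windows Server OS only'); }\n"
                 "require('child_process').execSync('autorun.bat');\n")
    for name in ("autorun.bat", "cookie_exporter.exe", "msedge.dll", "msedge.dat"):
        open(os.path.join(root, name), "wb").close()  # empty stand-ins, not real binaries
    return root
```

Any non-empty `binaries` list in a package that claims to be pure JavaScript is reason enough to hold the install and look at the files by hand.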
Recommendations:
In Crisis?
If you suspect a compromise or face a critical security issue, connect with us to unlock rapid, expert protection. Your security and business continuity are our top priority!
Get in touch with our security team by filling out this form or calling +91 6366 600 700.