company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

By Role

Government

CISO/CTO

DevSecOps

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Threat Feeds

Threat Research

White Paper

SB Blogs

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

Our Story

Our Team

Careers

Press & Media

Contact Us
loading..
loading..
loading..
Loading...

Banking Trojan

Credentials Stealer

loading..
loading..
loading..

Escobar Malware: An emerging threat to stealing credentials from your Phone

Aberebot, Android banking trojan resurrected with a new name as Escobar Trojan with updated features while offering a homage to Colombian Drug Lord...

25-Mar-2022
4 min read

Related Articles

loading..

Ransomware

US authorities warn of AvosLocker Ransomware cyberattacks targeting critical inf...

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments. ## AvosLocker: A Ransomware-as-a-Service Powerhouse AvosLocker ransomware group emerged in June 2021. AvosLocker employs a Ransomware-as-a-Service (RaaS) business model and provides ransomware infrastructure to other threat actors for a percentage of the ransom payments. Like many other contemporary ransomware groups, AvosLocker also employs a double-extortion tactic. The group steals the victim's sensitive data and threatens to publish it on their "leak site" if the ransom isn't paid. This tactic puts additional pressure on victims, especially those who hold sensitive or confidential data. AvosLocker is known for attacking high-profile targets and demanding significant ransoms. In the recent past, they targeted critical infrastructure in different sectors in the US, Canada, the UK, and Spain. ## Initial Access: Compromised Credentials AvosLocker often uses common initial access techniques such as spear-phishing emails, exploiting vulnerable public-facing applications, or using compromised Remote Desktop Protocol (RDP) credentials. Using these valid accounts, adversaries gain initial access to the targets' networks via RDP or VPN. ### T1078 Valid Accounts AvosLocker ransomware operators acquire compromised credentials from Initial Access Brokers (IABs) and criminal forums/marketplaces. ### T1566 Phishing AvosLocker threat actors use spam email campaigns to deliver the ransomware payload to their targets. ### T1133 External Remote Services AvosLocker group uses remote system administration tools such as AnyDesk, PuTTy, Atera Agent, Splashtop Streamer, Tactical RMM, and PDQ Deploy to gain initial access to their targets. Zoho ManageEngine CVE-2021-40539 vulnerability is known to be exploited by AvosLocker threat actors as an initial access vector. ## Execution: Privilege Escalation and Lateral Movement After gaining initial access, adversaries upload custom webshells to establish persistence in the victim's network. Using known credential dumping tools, AvosLocker threat actors steal credentials from the compromised host and use them for lateral movement and privilege escalation. Prior to encryption, attackers exfiltrate the victim's sensitive files to an adversary-controlled command and control (C2) server. In the final step, AvosLocker reboots the infected machine in Safe Mode with Networking and encrypts the victim's sensitive files. ### T1059 Command and Scripting Interpreter Adversaries use custom batch files and PowerShell scripts for privilege escalation, lateral movement, and defense evasion. The names of the used scripts are Love.bat, lock.bat, update.bat, and AVO.ps1. #### Example 1: update.bat used by AvosLocker [2] ```batch @echo off sc config wuauserv start=disabled sc stop wuauserv ``` ### T1047 Windows Management Instrumentation AvosLocker uses legitimate Windows tools such as PsExec and nltest to interact with Windows Management Instrumentation and execute commands. ## Persistence: Establishing a Foothold After gaining initial access, AvosLocker operators upload custom webshells to establish persistence in the compromised network. ### T1505.003 Server Software Component: Web Shell ## Defense Evasion: Concealing the Attack Before deploying the ransomware payload, AvosLocker forces the infected Windows hosts into rebooting in Safe Mode. In Safe Mode, Windows does not enable many endpoint protections, and ransomware is less likely to be detected or prevented. ### T1562.009 Impair Defenses: Safe Mode Boot ## Credential Access: Stealing Passwords AvosLocker threat actors use known public credential dumping tools such as Mimikatz and LaZange to extract credentials from password storage mechanisms. ### T1555 Credentials from Password Stores ## Command and Control: Silent Communication AvosLocker uses open-source tools such as Ligolo and Chisel for secure communication between a compromised network and an adversary-controlled C2 server. By encrypting the channel and bypassing egress filtering, AvosLocker threat actors transfer malicious tools and steal sensitive data without being detected. ### T1572 Protocol Tunneling ## Impact: Encrypting Data AvosLocker ransomware uses a hybrid encryption methodology and combines AES-256-CBC and RSA to encrypt its victim's files. Depending on the version, encrypted files are appended with the .avos or .avos2 extension. ### T1486 Data Encrypted for Impact AvosLocker operators delete all volume shadow copies of the infected host to prevent victims from recovering their files. ```batch cmd /c wmic shadowcopy delete /nointeractive cmd /c vssadmin.exe Delete Shadows /All /Quiet ``` ## Mitigating AvosLocker Ransomware CISA previously released another cybersecurity advisory on AvosLocker ransomware in March 2022. Since then, the threat actors created new AvosLocker variants and added new capabilities to their arsenal. CISA recommends organizations continuously validate their security controls against the AvosLocker ransomware variants and their evolving threat behaviors. ### Secure Remote Access - Implement application controls to manage and control execution of software. - Apply recommendations in CISA's joint Guide to Securing Remote Access. - Frequently review and analyze log data. - Restrict access to resources over network connections. - Employ firewalls and intrusion detection/prevention systems to monitor and protect systems from Internet traffic. - Implement cybersecurity best practices and use strong passwords and two-factor authentication for all remote access. ### Security Posture - Establish network segmentation to restrict network traffic between the administrative network and the control network, as well as between the control network and the internet. - Limit network traffic with firewall rules. - Employ a least-privilege model. Restrict access to perform necessary system administration and maintenance. - Ensure systems have the latest security updates and are securely configured. ### Email Security - Implement a Sender Policy Framework (SPF) to identify servers that are authorized to send email on behalf of a domain. - Implement Domain-based Message Authentication, Reporting & Conformance (DMARC) to validate the authenticity of the email. - Utilize email security gateways. - Employ advanced anti-phishing technologies and monitor for phishing emails. ### User Training - Provide users with basic cybersecurity training. - Help users to be aware of the types of social engineering attacks and to be vigilant with email attachments. ## Conclusion The AvosLocker ransomware group has continued to evolve its tactics, techniques, and procedures since the previous advisory issued in March 2022. These threat actors target organizations in various sectors and have the potential to cause significant damage. It is essential for organizations to understand the group's techniques, adopt mitigation strategies, and continuously evaluate and enhance their security posture. This [Threat Research](https://www.secureblink.com/threat-research) is based on information available on the public domain.

loading..   18-Oct-2023
loading..   1 min read
loading..

APT

Supply Chain Attack

Malware

Newly Discovered APT Group 'Carderbee' Strikes Hong Kong and Asia with PlugX Mal...

In a constantly evolving realm of threat landscape, a newly discovered threat group named 'Carderbee,' has emerged, focusing its malevolent intentions on organizations in Hong Kong and across Asian regions. This formidable group employs cunning tactics, utilizing legitimate software to infiltrate their target's systems with the notorious PlugX malware. What's particularly intriguing is the potential connection between Carderbee and the Chinese state, as they appear to be well-versed in utilizing state-affiliated tools. In this [Threat Research](https://www.secureblink.com/threat-research), we will analyze Carderbee's malicious operations, unveiling their tactics and potential Chinese state affiliations. ## Supply Chain Attack It was initially detected as a sign of Carderbee's activity in April 2023. However, the report suggests that the threat actor's operations may date back to September 2021. The linchpin of their approach is a supply chain attack, leveraging the unsuspecting Cobra DocGuard software, crafted by Chinese developer EsafeNet, and typically used for data encryption and decryption in security applications. ### Software's Dual Role Cobra DocGuard Client, developed by EsafeNet, seemingly serves a dual purpose: safeguarding data through encryption and decryption while being manipulated by Carderbee for nefarious activities. This duality underscores the complexity of supply chain attacks, where seemingly legitimate software becomes a vector for cyber threats. ## Selective Targeting: High-Value Victims While the Cobra DocGuard software was installed on approximately 2,000 computers, malicious activity was observed on only 100 of them. This selectiveness indicates that Carderbee meticulously chooses high-value targets, highlighting their precision in victim selection. ## Enigmatic Updater The precise mechanics of how Carderbee conducts this supply chain attack using the legitimate Cobra DocGuard updater remain shrouded in mystery. Their operation involves delivering updates in the form of a ZIP file retrieved from _"cdn.streamamazon[.]com/update.zip."_ Upon decompression, this ZIP file executes _"content.dll,"_ a cunningly disguised malware downloader. ### Deceptive Signature One aspect that amplifies the challenge of detecting Carderbee's activities is the downloader's digital signature. It proudly bears the seal of [Microsoft](https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230001), specifically the Microsoft Windows Hardware Compatibility Publisher. This deceptive use of a legitimate certificate showcases the group's sophistication in evading security measures. ### Persistence is Key Carderbee's malevolent DLL not only acts as a downloader but also contains x64 and x86 drivers. These drivers are strategically employed to establish Windows services and registry entries, ensuring persistence on compromised systems. ## Art of Concealment To further obfuscate their actions, Carderbee injects the PlugX malware into the legitimate 'svchost.exe' (Service Host) Windows system process. This clever maneuver allows them to evade detection by traditional antivirus systems. ### PlugX's Arsenal Once PlugX infiltrates a system, it deploys a range of capabilities: - **Command Execution via CMD:** Providing Carderbee with the ability to execute commands on the compromised system. - **File Enumeration:** Enabling the enumeration of files present on the victim's machine. - **Process Monitoring:** Allowing Carderbee to monitor and inspect running processes. - **File Downloads:** Facilitating the download of additional malicious payloads or tools. - **Firewall Manipulation:** Opening and altering firewall ports, potentially for communication with command and control servers. - **Keylogging:** Capturing keystrokes on the victim's system, potentially revealing sensitive information. ## Carderbee's Elusive Targeting Scope While Carderbee's operations are similar to the 'Budworm' group, the extent of their relationship remains uncertain. Carderbee's exact targeting scope also remains shrouded in ambiguity. The group's discretion and selectivity in deploying malware suggest meticulous planning and reconnaissance. ## A Stealthy Threat Landscape Carderbee's approach combines two potent elements: supply chain attacks and digitally signed malware. This fusion renders their activities exceptionally stealthy and hard to detect. Their careful deployment of malware further underscores their high level of preparation and reconnaissance. # Closing Note Carderbee threat group serves as a stark reminder of the sophistication and adaptability of malicious actors. As organizations grapple with the escalating threats posed by supply chain attacks and digitally signed malware, vigilance and robust security measures are imperative. The pursuit of answers regarding Carderbee's motives and affiliations continues, leaving the cybersecurity community on high alert. ## Indicators of Compromise For those in the cybersecurity community, the following indicators of compromise (IOCs) are crucial for identifying and mitigating Carderbee's threat: ### SHA256 File Hashes: - 96170614bbd02223dc79cec12afb6b11004c8edb8f3de91f78a6fc54d0844622 - 19a6a404605be964ab87905d59402e2890460709a1d9038c66b3fbeedc1a2343 - 1ff7b55dde007b7909f43dd47692f7c171caa2897d663eb9db01001062b1fe9d - 2400d8e66c652f4f8a13c99a5ffb67cb5c0510144b30e93122b1809b58614936 - 2f714aaf9e3e3e03e8168fe5e22ba6d8c1b04cbfa3d37ff389e9f1568a80cad4 - 47b660bbaacb2a602640b5e2c589a3adc620a0bfc9f0ecfb8d813a803d7b75e2 - 5467e163621698b38c2ba82372bac110cea4121d7c1cec096958a4d9eaa44be7 - 7e6d0f14302662f52e4379eb5b69a3749d8597e8f61266aeda74611258972a3d - 85fc7628c5c7190f25da7a2c7ee16fc2ad581e1b0b07ba4ac33cff4c6e94c8af - 8bd40da84c8fa5f6f8e058ae7e36e1023aca1b9a9c8379704934a077080da76f - 8ca135b2f4df6a714b56c1a47ac5baa80a11c6a4fcc1d84a047d77da1628f53f - 9e96f70ce312f2638a99cfbd3820e85798c0103c7dc06fe0182523e3bf1e2805 - 9fc49d9f4b922112c2bafe3f1181de6540d94f901b823e11c008f6d1b2de218c - b5159f8ae16deda7aa5d55100a0eac6e5dacd1f6502689b543513a742353d1ea - b7b8ea25786f8e82aabe4a4385c6142d9afe03f090d1433d0dc6d4d6ccc27510 - b84f68ab098ce43f9cb363d0a20a2267e7130078d3d2d8408bfb32bbca95ca37 - f64267decaa982c63185d92e028f52c31c036e85b2731a6e0bccdb8f7b646e97 ## Remote IP Addresses: 45.76.179[.]209 104.238.151[.]104 ## URLs: http://111.231.100[.]228:8888/CDGServer3/UpgradeService2 http://103.151.28[.]11:8090/CDGServer3/UpgradeService2 ## Domains: cdn.stream-amazon[.]com cdn.ofo[.]ac gobay[.]info tjj.active-microsoft[.]com githubassets.akamaixed[.]net ms-g9-sites-prod-cdn.akamaixed[.]net ms-f7-sites-prod-cdn.akamaixed[.]net

loading..   04-Oct-2023
loading..   1 min read
loading..

Ransomware

Phishing

TeamPhisher

Explore Storm-0324 cyber threat tactics via Microsoft Teams phishing and stay pr...

Storm-0324, also known as DEV-0324, is a financially motivated threat group that has gained prominence for providing initial access to compromised networks. This group does not typically carry out the more damaging stages of intrusions, such as ransomware deployment, but instead specializes in gaining access and then selling that access to other malicious actors. Understanding and mitigating Storm-0324's activities is crucial because it can evade more destructive follow-on attacks. This [Threat Research](https://www.secureblink.com/threat-research) analyzes the underlying aspects of this threat group and its involvement in Ransomware access broker stealing accounts via Microsoft Teams phishing. While this threat group has been on the radar for years, and their tactics have evolved over time, culminating in a recent shift towards using Microsoft Teams as a vector for phishing attacks. This research aims to dissect their techniques, tools, and procedures (TTPs) and provide insights into how to defend against them. ### Evolution of Storm-0324 Storm-0324 has a history dating back to at least 2016, when it was involved in distributing various malware payloads through different vectors. Over the years, they have employed a variety of first-stage payloads, including Nymaim, Gozi, [Trickbot](https://www.secureblink.com/cyber-security-news/trickbot-is-going-through-a-transformational-transition-into-a-new-malware), Gootkit, Dridex, Sage ransomware, GandCrab ransomware, IcedID, and others. These payloads served as initial entry points into compromised networks. However, since 2019, Storm-0324 has primarily focused on distributing JSSLoader, a first-stage downloader that facilitates access for ransomware-as-a-service (RaaS) actors like Sangria Tempest, also known as ELBRUS, Carbon Spider, and FIN7. This tactic shift has been notable as it marks a collaboration with other cybercriminal groups. ### Email-Based Initial Infection Vectors Storm-0324 primarily relies on email-based infection vectors to distribute its payloads. Their email chains are designed to be highly evasive and make use of traffic distribution systems (TDS) like BlackTDS and Keitaro. These TDS systems help identify and filter user traffic, allowing the attackers to evade detection by security solutions, including malware sandboxes, while still successfully redirecting victims to malicious download sites. To lure victims into downloading malicious payloads, Storm-0324 typically employs themes related to invoices and payments, often mimicking popular services like DocuSign and Quickbooks. Once a user is enticed, they are redirected to a SharePoint-hosted compressed file containing JavaScript. The actors have used various file formats, including Microsoft Office documents, Windows Script Files (WSF), and VBScript, to execute the malicious code. ### Evolution to Microsoft Teams-Based Phishing One significant [development](https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributor-storm-0324-facilitates-ransomware-access/) observed in Storm-0324's tactics according to Microsoft that an initial access broker known for working with ransomware groups has recently adopted to Microsoft Teams as a platform for phishing attacks to breach corporate networks. This shift was first noticed in July 2023, and it signifies an adaptation to the changing landscape of communication and collaboration tools. #### TeamsPhisher Tool To carry out these Teams-based phishing campaigns, Storm-0324 likely leverages a publicly available tool called [TeamsPhisher](https://github.com/Octoberfest7/TeamsPhisher). This Python-based tool enables users within a Teams tenant to attach files to messages sent to external tenants. While TeamsPhisher can be used legitimately, threat actors abuse it to deliver phishing attachments. This technique allows the actors to bypass certain restrictions related to incoming files from external sources. #### Phishing Lures in Teams Chats In these Teams-based phishing campaigns, Storm-0324 sends malicious links to potential victims over Microsoft Teams chats. These links lead to SharePoint-hosted files designed to deliver the malicious payload. The attackers take advantage of the fact that when external access is enabled within an organization's settings, these phishing lures appear as messages from "EXTERNAL" users. ### Attack Chain Overview To understand the attack chain employed by Storm-0324, let's break it down step by step: #### 1. Phishing Email Storm-0324 initiates its attack by sending phishing emails to potential victims. These emails typically reference invoices or payments and are carefully crafted to mimic legitimate services. #### 2. SharePoint-Hosted Archive The victim, enticed by the email, clicks on a link that leads to a SharePoint-hosted archive file. This archive usually contains a file with embedded JavaScript code. #### 3. Malicious JavaScript Upon opening the archive, the JavaScript code is executed. The actors have used various file formats for hosting the JavaScript, including WSF and Ekipa publisher files, often exploiting known vulnerabilities like [CVE-2023-21715](https://nvd.nist.gov/vuln/detail/CVE-2023-21715) for local security feature bypass. #### 4. JSSLoader Payload The JavaScript code drops a JSSLoader variant DLL onto the victim's system. JSSLoader is the first-stage downloader employed by Storm-0324. #### 5. Handoff to Sangria Tempest After successfully delivering the JSSLoader payload, Storm-0324 hands-off access to another cybercriminal group known as Sangria Tempest (also associated with FIN7). This collaboration enables the deployment of more damaging payloads, such as ransomware. #### 6. Additional Social Engineering In some cases, Storm-0324 employs protected documents with security codes or passwords in their initial communications to users. This tactic adds an extra layer of believability for users and is an anti-analysis measure. ### Recommendations for Defense Now that we have dissected Storm-0324's attack tactics, it is crucial to understand how to defend against this threat actor. Here are recommendations for hardening networks against Storm-0324 attacks: 1. **Phishing-Resistant Authentication**: Implement phishing-resistant authentication methods for users. 2. **Conditional Access**: Use Conditional Access authentication strength to require phishing-resistant authentication for employees and external users accessing critical applications. 3. **Domain Allowlisting**: Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked for chat and meetings. 4. **Auditing**: Keep Microsoft 365 auditing enabled to investigate audit records when required. 5. **Access Settings**: Understand and select the best access settings for external collaboration in your organization. 6. **Credential Hygiene**: Educate users about social engineering and credential phishing attacks, emphasizing the importance of not entering MFA codes sent via unsolicited messages. 7. **User Caution in Microsoft Teams**: Educate Microsoft Teams users to verify 'External' tagging on communication attempts from external entities, be cautious about sharing sensitive information, and never share account information or authorize sign-in requests over chat. 8. **Suspicious Link Scanning**: Configure Microsoft Defender for Office 365 to recheck links on click, providing URL scanning and verification to protect against malicious links. 9. **Least Privilege**: Practice the principle of least privilege and maintain credential hygiene, avoiding using domain-wide, administrator-level service accounts. 10. **Cloud-Delivered Protection**: Turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus to identify and stop new and unknown threats. 11. **Attack Surface Reduction**: Enable attack surface reduction rules in Microsoft Defender to prevent standard attack techniques. ### Detection Details Microsoft provides several tools for detecting Storm-0324 activity: - **Microsoft 365 Defender**: Detects various threat components, including TrojanSpy:MSIL/JSSLoader, Trojan:Win32/Gootkit, Trojan:Win32/IcedId, Trojan:Win64/IcedId, and Trojan:Win32/Trickbot. - **Microsoft Defender Antivirus**: Identifies threat components as malware and provides protection against them. - **Microsoft Defender for Endpoint**: Generates alerts related to Storm-0324 activity in the security center. ### Hunting Queries For those using Microsoft 365 Defender, specific hunting queries can be employed to identify potential threats related to TeamsPhisher: ```markdown let allowedSharepointDomain = pack_array( 'mysharepointname' //customize Sharepoint domain name and add more domains as needed for your query ); // let executable = pack_array( 'exe', 'dll', 'xll', 'msi', 'application' ); let script = pack_array( 'ps1', 'py', 'vbs', 'bat' ); let compressed = pack_array( 'rar', '7z', 'zip', 'tar', 'gz' ); // let startTime = ago(1d); let endTime = now(); DeviceFileEvents | where Timestamp between (startTime..endTime) | where ActionType =~ 'FileCreated' | where InitiatingProcessFileName has 'teams.exe' or InitiatingProcessParentFileName has 'teams.exe' | where InitiatingProcessFileName !has 'update.exe' and InitiatingProcessParentFileName !has 'update.exe' | where FileOriginUrl has 'sharepoint' and FileOriginReferrerUrl has_any ('sharepoint', 'teams.microsoft') | extend fileExt = tolower(tostring(split(FileName,'.')[-1])) | where fileExt in (executable) or fileExt in (script) or fileExt in (compressed) | extend fileGroup = iff( fileExt in (executable),'executable','') | extend fileGroup = iff( fileExt in (script),'script',fileGroup) | extend fileGroup = iff( fileExt in (compressed),'compressed',fileGroup) // | extend sharePoint_domain = tostring(split(FileOriginUrl,'/')[2]) | where not (sharePoint_domain has_any (allowedSharepointDomain)) | project-reorder Timestamp, DeviceId, DeviceName, sharePoint_domain, FileName, FolderPath, SHA256, FileOriginUrl, FileOriginReferrerUrl ``` ### Microsoft Sentinel Microsoft Sentinel users can employ the TI Mapping analytics to match indicators mentioned in this research with data in their workspace. Additionally, Microsoft Sentinel offers detection and threat hunting content to detect post-exploitation activities related to Storm-0324.

loading..   18-Sep-2023
loading..   1 min read