Weekly Threat Intelligence Digest

September 18, 2020

This week, we digest the Rampant Kitten campaign, an Apple Safari vulnerability, Maze and RansomExx ransomware, APT41 arrests, and more.


Rampant Kitten – An Iranian Espionage Campaign

September 18, 2020

An ongoing Iranian espionage campaign, dubbed Rampant Kitten, has been operating for at least six years, targeting Iranian minority groups on personal computers and mobile devices. In a deep-dive report on the campaign, researchers at Check Point Research outline the attack vectors, tools, and methods used in the attacks.

MITRE ATT&CK: Standard Application Layer Protocol - T1071, Masquerading - T1036, Data Encoding - T1132, Command-Line Interface - T1059, Hooking - T1179, Video Capture - T1125, ATT&CK 10 Command and Control, Data from Network Shared Drive - T1039, Standard Cryptographic Protocol - T1032, Input Capture - T1056, Data Compressed - T1002, ATT&CK 11 Exfiltration, ATT&CK 01 Initial Access, ATT&CK 02 Execution, ATT&CK 03 Persistence, Clipboard - T1115, System Information Discovery - T1082

Indicators:
Domain
000webhostapp.com
firefox-addons.com
picfile.net
telegramdesktop.com
ozvdarozv.com
afalr-sharepoint.com
afalr-onedrive.com
File
B845A0E5720A6288794A6452ADB8D3E7C22F5E6E6B9D4F7481FBD30E3EFBA4F28
3010D9EDDB0B97B7F61025D05B543F572C7900170240B56BD9568EFB79799F11
4AE3654B7ED172B0273E7C7448B0C23C
A713A2749E9791243A89471A2603BF1F32EC11C9179771CA46FB5583B8412CB0
ECB8C2CC5EFE580D4EA8F212E39EB9B5
281908F5AFA399F725A06DF767486837
A330253626349A1F0A6F16255F05B5F7
AAC5BC1F94F32A69D7DCEA33F305E6FC
IPv4
148.251.97.102
176.31.4.14
148.251.224.29
144.76.177.244
137.74.153.98



Source: Check Point Research

 


Leading U.S. Laser Developer IPG Photonics Hit With Ransomware

September 18, 2020

Fiber laser developer IPG Photonics has suffered a ransomware attack, shutting down worldwide IT systems for the business and halting manufacturing and shipping. The ransom note indicates that RansomExx, also known as Defray777, is responsible for the attack.

MITRE ATT&CK: Source - T1153, Network Denial of Service - T1498, System Shutdown/Reboot - T1529, Data Encrypted for Impact - T1486

Source: Bleeping Computer

 


Talos Vulnerability Report: Remote Code Execution Vulnerability Apple Safari

September 17, 2020

A remote code execution vulnerability (CVE-2020-9951) has been discovered and reported by Cisco Talos in an Apple Safari WebKit feature. Apple released security updates for Safari 14.0 today, which include a patch for the vulnerability.

CVEs of Interest: CVE-2020-9951

MITRE ATT&CK: ATT&CK 02 Execution, Remote Code Execution, Dylib Hijacking - T1157, Standard Application Layer Protocol - T1071, Data Compressed - T1002, Source - T1153

Source: Cisco Talos

 


Maze Gang Distributed Ransomware Payload Inside VM

September 17, 2020

The threat actors behind the Maze ransomware have conducted an attack adopting a Ragnar Locker technique in which the ransomware payload is distributed inside a virtual machine. The reported incident took place in July 2020 and was uncovered by researchers at Sophos MTR.

CVEs of Interest: CVE-2018-15982, CVE-2019-0752

MITRE ATT&CK: Scheduled Task - T1053, Signed Binary Proxy Execution - T1218, Command-Line Interface - T1059, Regsvr32 - T1117, Source - T1153, Data Encrypted for Impact - T1486, Standard Application Layer Protocol - T1071

Indicators:
IPv4
94.232.40.167
URL
94.232.40.167:9338/dot.gif
94.232.40.167:9338/visit.js

Source: Sophos

 


Seven International Cyber Defendants, Including “APT41” Actors, Charged

September 16, 2020

Seven cyber actors, all residents and nationals of the People's Republic of China, have been charged for their involvement in conducting computer network exploitations affecting more than 100 victim companies and organizations in the US and abroad. The threat actors are known to be affiliated with APT41. Two individuals have been arrested in Malaysia; the remaining five defendants are fugitives in China.

MITRE ATT&CK: By APT41: Network Denial of Service - T1498, Spearphishing Attachment - T1193, Spearphishing Link, Malware - State Sponsored, None - Change in TTPs, ATT&CK 11 Exfiltration, ATT&CK 08 Lateral Movement, Supply Chain Compromise - T1195, Launcher, Process Injection - T1055, Remote Access Tools - T1219, ATT&CK 10 Command and Control, Credential Dumping - T1003, Data Encrypted for Impact - T1486, Scripting - T1064, ATT&CK 01 Initial Access, ATT&CK 02 Execution, ATT&CK 03 Persistence, ATT&CK 05 Defense Evasion, ATT&CK 06 Credential Access, PowerShell - T1086, File and Directory Discovery - T1083, Process Discovery - T1057, Automated Exfiltration - T1020, Exfiltration Over Command and Control Channel - T1041, Commonly Used Port - T1043, Data Encoding - T1132, Scheduled Task - T1053, Modify Registry - T1112, Input Capture - T1056, Obfuscated Files or Information - T1027, Screen Capture - T1113, Data Compressed - T1002, Data from Local System - T1005, Application Window Discovery - T1010, Data Encrypted - T1022, Shortcut Modification - T1023, Custom Cryptographic Protocol - T1024, Data from Removable Media - T1025, Data from Network Shared Drive - T1039, New Service - T1050, Exfiltration Over Physical Medium - T1052, Registry Run Keys / Startup Folder - T1060, Uncommonly Used Port - T1065, Standard Application Layer Protocol - T1071, DLL Side-Loading - T1073, Taint Shared Content - T1080, Rundll32 - T1085, Standard Non-Application Layer Protocol - T1095, NTFS File Attributes - T1096, Execution through API - T1106, Code Signing - T1116, Automated Collection - T1119, Office Application Startup - T1137, Deobfuscate/Decode Files or Information - T1140, Hidden Window - T1143, Source - T1153, Trusted Relationship - T1199, User Execution, Template Injection - T1221, Compile After Delivery - T1500, Internal Spearphishing - T1534

Source: US Department of Justice

 


Spoofed Training Email from Phishing Simulator Company

September 16, 2020

Analysts at Cofense Intelligence have analyzed a security training-themed phishing campaign that has compromised at least 30 domains since April 2020. The phishing attacks aim to gather Microsoft Outlook credentials through malicious embedded links in the phishing emails.

MITRE ATT&CK: Data Encrypted for Impact - T1486, Web Shell - T1100, ATT&CK 11 Exfiltration, ATT&CK 01 Initial Access

Indicators:
Domain
mvoguesalon.com
2014.digitree.co.kr
digitree.co.kr
acertijos.com.ar
avellanoeuropeo.ufro.cl
ufro.cl
breckinridgecounty.net
docentes.uto.edu.bo
uto.edu.bo
g5lab.com
greenup.co.in
kikihalekararlari.com
mobiletradesman.co.uk
modoou.net
msk.turbolider.ru
turbolider.ru
niceoldtownapartment.com
otorrinosensantafe.com.mx
pandeyize.com
plazaempresarial.com
propertyask.com
rashifal.com
rotularltda.com
skinnyontherunapp.com
somelit.org
tcvsat.com
thegsmshop.com
aajtaknews.in
auntynise.com
happychappybrands.com
healthfavour.com
samicultura.com.br
search4blog.com
digitalprakhar.com
URL
https://www.mvoguesalon.com/bootstrap/cache/bid/login.php
https://2014.digitree.co.kr/samhwa/lib/bid/login.php
https://acertijos.com.ar/blog/wp-includes/bid/login.php
https://avellanoeuropeo.ufro.cl/wp-content/plugins/bid/login.php
https://breckinridgecounty.net/.well-known/acme-challenge/bid/login.php
https://docentes.uto.edu.bo/dmoyaa/wp-includes/bid/login.php
https://g5lab.com/aspera/uploads/bid/login.php
https://greenup.co.in/wp-includes/bid/login.php
https://kikihalekararlari.com/assets/plugins/flot/bid/login.php
https://mobiletradesman.co.uk/wp-admin/bid/login.php
https://modoou.net/wp-content/bid/login.php
https://msk.turbolider.ru/wp-includes/bid/login.php
https://niceoldtownapartment.com/wp-content/plugins/fusion-core/tinymce/bid/login.php
https://otorrinosensantafe.com.mx/.well-known/pki-validation/bid/login.php
https://pandeyize.com/.well-known/acme-challenge/bid/login.php
https://plazaempresarial.com/.well-known/acme-challenge/bid/login.php
https://propertyask.com/.well-known/pki-validation/bid/login.php
https://rashifal.com/img/bid/login.php
https://rotularltda.com/.well-known/acme-challenge/bid/login.php
https://skinnyontherunapp.com/.well-known/acme-challenge/bid/login.php
https://somelit.org/wp-content/plugins/bid/login.php
https://tcvsat.com/tcvsat-respnov19/wp-includes/ixr/bid/login.php
https://thegsmshop.com/wp-includes/css/bid/login.php
https://www.aajtaknews.in/wp-content/cache/all/bid/login.php
https://www.auntynise.com/.well-known/acme-challenge/bid/login.php
https://www.happychappybrands.com/wp-includes/bid/login.php
https://www.healthfavour.com/wp-includes/css/bid/login.php
https://www.samicultura.com.br/includes/bid/login.php
https://www.search4blog.com/wp-content/plugins/bid/login.php
https://digitalprakhar.com/wp-content/uploads/2016/08/bid/login.php
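Indicator lists like the ones in this digest are only useful once they are matched against telemetry. The script below is an added example, not part of the digest or of Cofense's material: it classifies raw indicator strings by type (hash, IPv4, URL, domain), normalises URLs so that scheme differences do not defeat exact matching, and scans proxy log lines for hits. The indicator values are a small subset copied from this page (the Cofense domains and URLs, the Maze URL, the Magecart IP, one URSA hash); the proxy log format, the sample log lines, and the `/bid/login.php` path heuristic (drawn from the suffix every listed phishing URL shares) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the digest entries on this page. The phishing URLs
# in the Cofense entry all end in /bid/login.php, which is reused below as a
# path heuristic (an assumption); everything else is exact matching.
DIGEST_INDICATORS = [
    "mvoguesalon.com",
    "digitree.co.kr",
    "https://www.mvoguesalon.com/bootstrap/cache/bid/login.php",
    "https://2014.digitree.co.kr/samhwa/lib/bid/login.php",
    "92.242.62.210",
    "94.232.40.167:9338/dot.gif",
    "D1FB8A5061FC40291CC02CEC0F1C2D13168B17D22FFCABEA62816E14ED58E925",
]
KIT_PATH_SUFFIX = "/bid/login.php"

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def classify(indicator):
    """Classify a raw digest indicator as hash, ipv4, url, domain or unknown."""
    s = indicator.strip()
    if HASH_RE.match(s):
        return "hash"
    if IPV4_RE.match(s):
        return "ipv4"
    if "/" in s:  # scheme-less digest URLs such as 'host:port/path' land here
        return "url"
    if DOMAIN_RE.match(s):
        return "domain"
    return "unknown"


def url_key(url):
    """Normalise a URL to 'host[:port]/path' so scheme differences don't matter."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.netloc.lower() + (parts.path or "/")


def build_index(indicators):
    """Bucket indicators by type; URLs are pre-normalised, the rest lowercased."""
    index = {"hash": set(), "ipv4": set(), "url": set(), "domain": set()}
    for ind in indicators:
        kind = classify(ind)
        if kind == "url":
            index["url"].add(url_key(ind))
        elif kind != "unknown":
            index[kind].add(ind.strip().lower())
    return index


def domain_hit(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels) - 1))


def scan_proxy_log(lines, index):
    """Match each 'ts client method url status' proxy line against the index.

    Returns a list of (line_number, reason) tuples, one per hit, checking the
    most specific indicator type first (exact URL, then IP, then domain) and
    falling back to the shared phishing-kit path heuristic."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue
        key = url_key(fields[3])
        host = urlsplit("http://" + key).hostname or ""
        if key in index["url"]:
            hits.append((n, "url:" + key))
        elif host in index["ipv4"]:
            hits.append((n, "ipv4:" + host))
        elif domain_hit(host, index["domain"]):
            hits.append((n, "domain:" + host))
        elif key.endswith(KIT_PATH_SUFFIX):
            hits.append((n, "kit-path:" + key))
    return hits


# Constructed sample proxy log lines (not from the digest).
SAMPLE_LOG = [
    "2020-09-16T09:10:01Z 10.0.0.21 GET https://www.mvoguesalon.com/bootstrap/cache/bid/login.php 200",
    "2020-09-16T09:10:05Z 10.0.0.21 GET https://login.microsoftonline.com/ 200",
    "2020-09-16T09:11:40Z 10.0.0.33 GET http://2014.digitree.co.kr/samhwa/lib/bid/login.php 200",
    "2020-09-16T09:12:02Z 10.0.0.33 GET http://94.232.40.167:9338/dot.gif 200",
    "2020-09-16T09:13:17Z 10.0.0.40 GET https://example.invalid/site/bid/login.php 404",
    "2020-09-16T09:14:00Z 10.0.0.40 GET https://cdn.digitree.co.kr/style.css 200",
]

if __name__ == "__main__":
    for n, reason in scan_proxy_log(SAMPLE_LOG, build_index(DIGEST_INDICATORS)):
        print(f"line {n}: {reason}")
```

Run against the constructed log, the scan flags five of the six lines: two exact URL matches, the Maze `dot.gif` beacon URL, a subdomain of a listed phishing domain, and an unlisted host that still serves the shared `/bid/login.php` kit path. The kit-path rule is a heuristic and will need tuning against your own traffic; the exact-match rules are safe to run as-is on any list pasted from a digest in this format.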

Source: Cofense

 


Rudeminer, Blacksquid and Lucifer Walk Into A Bar

September 15, 2020

Researchers at Check Point Research have found evidence that the threat actors behind Lucifer, a cryptojacking and DDoS hybrid malware that targets Windows, Linux, and IoT devices, started campaign operations in 2018. Data obtained through ThreatCloud shows recent Lucifer activity in the US, Ireland, the Netherlands, Turkey, and India, hitting over 25 organizations across industries including banking, manufacturing, and legal.

CVEs of Interest: CVE-2014-6287, CVE-2017-0144, CVE-2017-0145, CVE-2017-8464, CVE-2017-10271, CVE-2018-0978, CVE-2018-7600, CVE-2018-10561, CVE-2018-20062, CVE-2018-1000861

MITRE ATT&CK: Data from Network Shared Drive - T1039, Remote Code Execution, Source - T1153, ATT&CK 10 Command and Control, Launch Daemon - T1160, ATT&CK 01 Initial Access, ATT&CK 03 Persistence, Standard Application Layer Protocol - T1071, Local Job Scheduling - T1168, ATT&CK 02 Execution, Shortcut Modification - T1023, Brute Force - T1110, Network Denial of Service - T1498

Indicators:
Domain
qf2020.top
tyz2020.top
guyeyuyu.com
qianduoduo.pw
IPv4
122.112.179.189
URL
122.112.179.189:50208/x64

Source: Check Point Research

 


Threat Analysis: URSA Trojan Impacts Many Countries Using Sophisticated Loader

September 15, 2020

In a deep dive analysis of the URSA trojan, researchers at Seguranca Informatica have dissected the malware used to target thousands of victims across Mexico and much of South America since June 2020. The URSA trojan is designed to collect banking credentials by creating a banking overlay window that the victim interacts with when visiting their home banking portal.

MITRE ATT&CK: Standard Application Layer Protocol - T1071, Data from Network Shared Drive - T1039

Indicators:
Domain
robyn-plombier-chauffagiste.fr
kresna.co.id
medeiros-boatworks.com
File
87F9E5A6318AC1EC5EE05AA94A919D7A
D1FB8A5061FC40291CC02CEC0F1C2D13168B17D22FFCABEA62816E14ED58E925
93488EAB403FAFB3D8E10D38C80F0AF745E3FA4CF26228ACFF24D35A149F6269
FB91BDD5EE38A3E163231FA78FD85E2DA890E4E116AC530F2B4879E0E50A76A5
5B91C8ACFFE1980653718A493E24BDE7211EE825EA2947DF54C03E9733D61A70
23892054F9494F0EE6F4AA8749AB3EE6AC13741A0455E189596EDFCDF96416B3
7705B87603E0D772E1753441001FCF1AC2643EE41BF14A8177DE2C056628665C
A4F066196B1009C42C1DEA74F857180D
BDA287C97D9373052F347AC0CCEDFDF8
309335FE1E4F27029A8EC6087E0DE1F4
F3E6C0D52BAB27289DB2A70E4AAB628C
3BE539AA8D421D09CEF27723A98D2D83
71FDF07084A741B553B97B0D0815FA0E
2D2F3500836ED60303103BAFAC6357A3
7396051FD6575180166D66DDF0A9295B
7A9956E8DE89603DBA99772DA29493D3FD0FE37D
DD4B7D4D0415DD365F4ECD614674769131F4D853
83C6832A871398FC925BD6E9F387DCB43A99B1E2
3FC7E6A993D0ACD8AA02C9032419588C143DF759
IPv4
191.235.99.13
51.143.39.80
66.70.237.175
51.222.39.128
51.81.104.17
104.44.143.28
URL
https://kresna.co.id/sarikresnakimia/wp-content/!/www.edp.pt/?client=xxx
https://robyn-plombier-chauffagiste.fr/wp-admin/css/--/https:/www.policiajudiciaria.pt/?cliente=xxxx
https://medeiros-boatworks.com/wp-content/!/https:/my.vodafone.pt/?client=xxx
http://191.235.99.13/lp1a.php
http://191.235.99.13/m/

Source: Segurança Informatica

 


Magento Stores Hit By Magecart; Largest Automated Hacking Attack Since 2015

September 14, 2020

A Magecart credit card skimming attack targeting Magento eCommerce stores has compromised 1,904 stores.

MITRE ATT&CK: Zero Day Exploit, Two-Factor Authentication Interception - T1111, Standard Application Layer Protocol - T1071, Exfiltration Over Other Network Medium - T1011, Web Shell - T1100

Indicators:
IPv4
92.242.62.210
URL
mcdnn.net/122002/assets/js/widget.js
https://imags.pw/502.jsp

Source: Bleeping Computer

 


CISA Alert: Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

September 14, 2020

CISA warns in an advisory that Chinese MSS-affiliated threat actors are targeting US government agencies and private companies by exploiting vulnerabilities in F5, Citrix, Pulse Secure, and Microsoft Exchange Server.

CVEs of Interest: CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, CVE-2020-0688

MITRE ATT&CK: ATT&CK 09 Collection, Exploit Public-Facing Application - T1190, External Remote Services - T1133, ATT&CK 01 Initial Access, Third-party Software - T1072, ATT&CK 04 Privilege Escalation, Data Compressed - T1002, User Execution, Spearphishing Link, Web Shell - T1100, ATT&CK 06 Credential Access, Standard Application Layer Protocol - T1071, Network Service Scanning - T1046, Credential Dumping - T1003, Remote Desktop Protocol - T1076, Email Collection - T1114, ATT&CK 10 Command and Control, ATT&CK 02 Execution, Connection Proxy - T1090, Multi-hop Proxy - T1188, Remote Code Execution, ATT&CK 05 Defense Evasion, Source - T1153, Brute Force - T1110, Pass the Hash - T1075

Source: CISA

 
