Ransomware/Malware Activity
New Chinese-based Attack Framework "Manjusaka" Used in Maldoc Campaigns
Researchers from Cisco Talos discovered a relatively new attack framework dubbed "Manjusaka" that mimics the popular Cobalt Strike framework. Cobalt Strike is an offensive framework that allows penetration testers and ethical hackers to easily implant and manage beacons during security tests, but malicious threat actors have also gotten their hands on the tool. Due to the popularity of the Cobalt Strike tool, many endpoint detection and antivirus products detect the beacons it plants on victim machines. The risk of detection led to sophisticated threat actors developing their own frameworks. The Manjusaka framework uses Golang to program it's command and control (C2) server and user interface while the implants that are installed on victim devices are written in Rust. The implants are remote access trojans, arriving on victim computers through a malicious Microsoft Word document. They have multiple functionalities on both Windows and Linux devices, such as command execution, harvesting credentials, taking screenshots, and file management capabilities. The researchers discovered a C2 project on GitHub that features the same C2 user interface written in the Simplified Chinese language that Manjusaka uses. The C2 server is built on the Gin Web Framework and interacts with the implants using HTTP requests. The communications can also be encrypted using a cryptographic key. When analyzing the Rust implants, the researchers also noticed the malware does not use the default "crates.io" library repository. Instead, it is manually configured to use a package mirror run by the University of Science and Technology of China. This, along with OSINT findings, resulted in the malware being attributed to the GuangDong region of China, though its operators may reside elsewhere. Interestingly, the campaigns where Manjusaka was used also installed a Cobalt Strike beacon on the victim's device. Due to the open-source nature of the C2 framework, it is possible this malware may become popular outside of its original operators. CTIX analysts recommend blocking known hashes and IOCs relating to the Manjusaka framework and utilizing endpoint detection to defend against the implants.
Access-as-a-Service Malware Loader "Gootkit" Resurfaces with an Updated Infection Chain
"Gootkit", a malware loader utilizing the access-as-a-service (AaaS) model, has recently resurfaced with updated techniques and procedures. Trend Micro researchers detailed its latest infection routine, which involves search engine optimization (SEO) poisoning that leads a victim to click on a Gootkit operator-compromised website. Once the victim accesses the website, a legitimate-appearing open forum is shown that directly answers the victim's initial search query. This forum contains a ZIP archive that holds a malicious JavaScript file that, once downloaded and opened, spawns an obfuscated script that adds encrypted code to the registry via stuffing and configures scheduled tasks to ensure persistence. The code in the registry is then loaded through PowerShell to reconstruct a Cobalt Strike binary that runs in-memory only (i.e. "fileless" execution). While much of the latest infection chain is similar to the attacks that previously occurred in 2020, the following small updates were noted by researchers: first, the search query leverages legal document templates as opposed to freeware installers, and the second is the encrypted code added to the registry now utilizes a custom text replacement algorithm rather than base64 encoding. The small changes indicate that "Gootkit Loader is still actively being developed and has proved successful in compromising unsuspecting victims." The researchers also explained that, as of late July, the analyzed website is no longer accessible, which is expected with SEO poisoning. An in-depth analysis of the Gootkit loader as well as indicators of compromise can be viewed in Trend Micro's report linked below.
Threat Actor Activity
Luxembourg Power Company Ransomed by BlackCat
A recent ransomware attack against the Luxembourg gas and electricity supply company Creos has been claimed by BlackCat Ransomware threat actors. Around July 22, 2022, owners of Creos reported a significant cyberattack stating "a number of data was exfiltrated from computer systems or made inaccessible by hackers" and that the exfiltration of personal identifiable information was plausible. The threat group BlackCat, also tracked as ALPHV and the believed rebrand of Darkside, is a notorious ransomware-as-a-service (RaaS) organization known for their unusual use of Rust in their malicious payloads and underlying ties to other threat organizations responsible for major attacks on critical infrastructure. After claiming responsibility for the attack on Creos, BlackCat actors threatened to leak 180,000 files (150 gigabytes) worth of data from the attack if the ransom was not paid. It is currently unknown what the ransom demands are; however, the data exfiltrated supposedly includes personal identifiable information such as emails, passports, legal documents, and consumer monthly bills. CTIX will continue to monitor the fallout of this ransomware attack and provide additional updates once more information is released.
Threat Actors Shift to New Attack Methods After Macro-Blocking Updates
Recently, Microsoft pushed an update to their Office platforms to automatically block macros when opening a document or spreadsheet. Since this update, threat actors have been attempting to find new ways to compromise assets without the use of Office macro-enabled documents. According to statistics from Proofpoint, the use of macro-enabled malicious attachments in social engineering campaigns is down roughly 66% since the update. However, some new methods of compromise have surfaced throughout the threat landscape. Rather than macro-enabled documents, threat actors are shifting to using Windows image files (ISO), RAR archives (RAR), and Windows Shortcut files (LNK) as the deployed malicious file in social engineering campaigns. A recent campaign targeting Korean users displayed the use of these new tactics. Threat actors launched a phishing campaign containing invoice-themed emails with an attached ISO file. Once the ISO file is opened on the user's system, a LNK file collects device hardware information and executes a malicious dynamic link library (DLL). With the ever-changing threat landscape, threat actors will continue to find new innovative methods to compromise assets even in the face of new security protocols.
Vulnerabilities
ParseThru Vulnerability Affects Golang-based Cloud Applications
Researchers from the Israeli cybersecurity firm Oxeye have reported on a new parameter smuggling vulnerability known as "ParseThru". This vulnerability affects Golang-based APIs, which could be exploited by threat actors to bypass validations and gain unauthorized access to vulnerable cloud applications. The flaw was caused by a recent behavioral change implemented in Golang's URL parsing logic in builds 1.17 and later which conflicts with Golang applications running older versions of the framework. In previous versions of Golang, a semicolon (";") character was utilized as a delimiter, breaking up URLs to yield multiple query parameters. However, in versions 1.17 and later, the semicolon is no longer valid and causes the "parseQuery" method to return an error. In Oxeye's case studies, this vulnerability can be exploited when two Golang-based applications that handle semicolons differently interact with one another. For example, a user-facing application running version 1.17 could send a malicious request containing semicolons to a backend service running a version prior to 1.17. In this scenario, the semicolons would be ignored by the public-facing API and processed by the backend service without the semicolon. Once the validations are bypassed, the attackers would be able to further carry out unauthorized activity. CTIX analysts recommend that any administrators responsible for Golang-based applications and services upgrade to the latest secure version. If the entire Golang environment cannot be updated immediately due to business needs, then administrators should sanitize the raw query so that any invalid input of a semicolon is rejected before the method call.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (flash@ankura.com) if additional context is needed and the CTIX team (ctix@ankura.com) for threat intelligence inquiries.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.