RST TI Report Digest: 18 Mar 2024

RST Cloud
Mar 18, 2024


This is a weekly threat intelligence report review from RST Cloud. We have analysed 41 threat intelligence reports this week and have created concise summaries of the reports with extracted metadata. You can find below a short summary of each report, related threats, tools, threat actors, a link to the source, and a number of extracted indicators of compromise (IoCs) from the original reports. More granular information, including TTPs, on all reports is available via RST Report Hub.

Title: Andariel Group (MeshAgent) attacks by abusing South Korean asset management solutions

Link: https://asec.ahnlab.com/ko/62771

Summary: AhnLab Security Intelligence Center (ASEC) found the Andariel group targeting South Korean companies by abusing domestic asset management software to install MeshAgent, a legitimate remote management agent, for remote control of compromised systems. The group also uses AndarLoader, which downloads executable data from a command and control (C2) server, and ModeLoader, a JavaScript loader (detected as Backdoor/JS.ModeLoader), to install additional malicious code. A keylogger captures keystrokes and clipboard contents, and post-infection activity includes remote screen control, credential theft with Mimikatz, and access over MeshAgent and RDP. Together with Kimsuky and Lazarus, Andariel is one of the most active threats to South Korea; its objectives have shifted from collecting security-related information to financial gain, with initial access through spear phishing, watering hole attacks and exploitation of software vulnerabilities.

Threats: andariel_group meshagent andarloader andardoor koivm dotfuscator_tool mimikatz_tool wevtutil_tool kimsuky_group frpc_tool lazarus_group spear-phishing_technique watering_hole_technique Backdoor/JS.ModeLoader.SC197310 Trojan/Win.Generic.C5384741 Trojan/Win.KeyLogger.C5542383 Trojan/Win32.RL_Mimikatz.R366782

Indicators of compromise:
-------------------------
ip: 84.38.129.21
domain: privacy.hopto.org:443, privatemake.bounceme.net:443
url: http://www.ipservice.kro.kr/index.php, http://www.ipservice.kro.kr/view.php, http://www.ipservice.kro.kr/moderead.php, http://panda.ourhome.o-r.kr/view.php, http://panda.ourhome.o-r.kr/moderead.php, http://panda.ourhome.o-r.kr/modeview.php, http://www.mssrv.kro.kr/view.php, http://www.mssrv.kro.kr/modeview.php, http://www.mssrv.kro.kr/moderead.php, http://www.mssrv.kro.kr/modewrite.php
hash:
- md5=a714b928bbc7cd480fed85e379966f95,
- md5=4f1b1124e34894398aa423200a8ab894,
- md5=2c69c4786ce663e58a3cc093c6d5b530,
- md5=29efd64dd3c7fe1e2b022b7ad73a1ba5
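The IoC blocks in this digest follow a fixed layout (ip, domain, url and hash fields, ports attached with a colon, hash lines prefixed with "- " and carrying one or more algo=digest pairs). The parser and log sweep below are an added example, not RST Cloud's code or tooling: the sample block reuses the Andariel indicators above, the log lines are constructed for the demo, and the log format is an assumption.

```python
"""Parse a digest IoC block into a structured form and sweep log lines for hits.
Added example (not RST Cloud's code). SAMPLE_BLOCK copies the layout used in the
digest; LOG_LINES are constructed."""
import re
from collections import defaultdict

SAMPLE_BLOCK = """\
Indicators of compromise:
-------------------------
ip: 84.38.129.21
domain: privacy.hopto.org:443, privatemake.bounceme.net:443
url: http://www.ipservice.kro.kr/index.php, http://panda.ourhome.o-r.kr/view.php
hash:
- md5=a714b928bbc7cd480fed85e379966f95,
- md5=4f1b1124e34894398aa423200a8ab894
"""

HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_iocs(text):
    """Return {'ip': [...], 'domain': [...], 'url': [...], 'hash': {algo: [...]},
    'port': {host: port}}. Digest lengths are validated; 'host:port' entries are
    split (IPv4/hostnames only, IPv6 is left untouched)."""
    iocs = {"ip": [], "domain": [], "url": [], "hash": defaultdict(list), "port": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):  # hash line: "- md5=..., sha1=..."
            for algo, digest in re.findall(r"(md5|sha1|sha256)=([0-9a-fA-F]+)", line):
                digest = digest.lower()
                if len(digest) != HASH_LEN[algo]:
                    raise ValueError(f"{algo} digest has wrong length: {digest}")
                iocs["hash"][algo].append(digest)
            continue
        key, sep, value = line.partition(":")
        if not sep or key not in ("ip", "domain", "url"):
            continue  # header, ruler, the bare 'hash:' line, or blank
        for item in (v.strip() for v in value.split(",")):
            if not item:
                continue
            if key != "url" and item.count(":") == 1:  # host:port
                item, _, port = item.partition(":")
                iocs["port"][item] = int(port)
            iocs[key].append(item)
    return iocs


def match_log(iocs, log_lines):
    """Return [(line_no, ioc_type, value)] for every IoC found in the lines.
    Domains match on a boundary, so 'hopto.org' does not hit 'xhopto.org', but a
    subdomain of a listed domain does hit."""
    hits = []
    all_hashes = {h for hs in iocs["hash"].values() for h in hs}
    for n, line in enumerate(log_lines, 1):
        low = line.lower()
        for ip in iocs["ip"]:
            if re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line):
                hits.append((n, "ip", ip))
        for d in iocs["domain"]:
            if re.search(rf"(?<![\w-]){re.escape(d)}(?![\w-])", low):
                hits.append((n, "domain", d))
        for u in iocs["url"]:
            if u.lower() in low:
                hits.append((n, "url", u))
        for h in re.findall(r"\b[0-9a-f]{32,64}\b", low):
            if h in all_hashes:
                hits.append((n, "hash", h))
    return hits


LOG_LINES = [  # constructed proxy / EDR lines
    "2024-03-18T09:12:01Z proxy src=10.0.0.5 dst=84.38.129.21:443 CONNECT privacy.hopto.org:443",
    "2024-03-18T09:13:44Z proxy src=10.0.0.7 GET http://www.ipservice.kro.kr/index.php 200",
    "2024-03-18T09:14:02Z edr host=WS07 file=C:\\Temp\\svc.exe md5=4F1B1124E34894398AA423200A8AB894",
    "2024-03-18T09:15:10Z proxy src=10.0.0.9 CONNECT notprivacy.hopto.org:443",
]

if __name__ == "__main__":
    for hit in match_log(parse_iocs(SAMPLE_BLOCK), LOG_LINES):
        print(hit)
```

The fourth log line is there to show the boundary check: notprivacy.hopto.org is not reported even though it contains a listed domain as a substring. Ports split off the ip/domain fields are kept separately so the bare host still matches when a connection log records a different port.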

Title: Evasive Panda leverages Monlam Festival to target Tibetans

Link: https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans

Summary: ESET researchers discovered a cyberespionage campaign by the Evasive Panda APT group (also tracked as Daggerfly) targeting Tibetans through strategic web compromises and a supply-chain attack: the Nightdoor and MgBot malware were delivered through trojanized Tibetan language translation software and through watering holes placed on websites related to the Monlam Festival and on the site of a Tibetan software company. The Chinese-speaking group, which operates a custom malware framework, has targeted individuals and government entities in several countries in Asia and Africa since at least September 2023, using DLL side-loading and process injection to evade detection and establishing persistence on compromised systems. The Nightdoor backdoor communicates with its C&C server either over UDP or through the Google Drive API, a notable enhancement over the group's previous campaigns.

Threats: daggerfly_group supply_chain_technique watering_hole_technique nightdoor_backdoor mgbot aitm_technique dll_sideloading_technique process_injection_technique

Indicators of compromise:
-------------------------
ip: 188.208.141.204
domain: update.devicebug.com
url: https://www.kagyumonlam.org/media/vendor/jquery/js/jquery.js?3.6.3, https://update.devicebug.com/getversion.php, https://update.devicebug.com/fixtools/certificate.exe, https://update.devicebug.com/assets_files/config.json, https://www.monlamit.com/monlam-app-store/monlam-bodyig3.zip, https://www.monlamit.com/monlam-app-store/monlam_grand_tibetan_dictionary_2018.zip, https://www.monlamit.com/monlam-app-store/deutsch-tibetisches_w%c3%b6rterbuch_installer_windows.zip, https://www.monlamit.com/monlam-app-store/monlam-bodyig-mac-os.zip, https://www.monlamit.com/monlam-app-store/monlam-grand-tibetan-dictionary-for-mac-os-x.zip, https://www.monlamit.com/sites/default/files/softwares/updatefiles/monlam_grand_tibetan_dictionary_2018/updateinfo.dat, https://tibetpost.net/templates, http://188.208.141.204:5040
hash:
- md5=3c5739c25a9b85e82e0969ee94062f40,
- md5=0c64c2baef534c8e9058797bcd783de5,
- sha1=77dbcdface92513590b7c3a407be2717c19094e0,
- md5=6014b56e4fff35dc4c948452b77c9aa9, sha1=d4938cb5c031ec7f04d73d4e75f5db5c8a5c04ce

Title: BianLian GOs for PowerShell After TeamCity Exploitation

Link: https://www.guidepointsecurity.com/blog/bianlian-gos-for-powershell-after-teamcity-exploitation

Summary: After Avast released a decryptor for BianLian's ransomware, the group moved to extortion based on data theft alone; GuidePoint's Research and Intelligence Team (GRIT) and DFIR team tracked one such intrusion. The actor gained access to a client's network through a vulnerable TeamCity server (known, CVE-listed flaws), then deployed legitimate files, used native Windows commands (nltest among them) for discovery and lateral movement, fetched tooling with BITSAdmin, dumped credentials with FuzzySecurity's PowerShell Suite, and finally installed a PowerShell backdoor that reimplements the functionality of the group's standard Go backdoor. The PowerShell backdoor runs inside an encrypted tunnel, performs its own SSL certificate validation, and communicates with a C2 server in the same way as BianLian's Go trojan, showing how the group adapts its tooling around newly exploitable vulnerabilities.

Threats: bianlian_group nltest_tool bitsadmin credential_dumping_technique scriptblock

Indicators of compromise:
-------------------------
ip: 136.0.3.71, 88.169.109.111, 165.227.151.123, 77.75.230.164, 164.92.243.252, 64.176.229.97, 164.92.251.25, 126.126.112.143, 38.207.148.147, 101.53.136.60, 188.166.236.38, 185.174.137.26
domain:
url: http://136.0.3.71:8001/win64.exe, http://136.0.3.71:8001/64.dll
hash:
- sha256=7981cdb91b8bad8b0b894cfb71b090fc9773d830fe110bd4dd8f52549152b448, md5=977ff17cd1fbaf0753d4d5aa892af7aa, sha1=1af5616fa3b4d2a384000f83e450e4047f04cb57

Title: Breaking down Atomic MacOS Stealer (AMOS)

Link: https://medium.com/@dineshdevadoss04/breaking-down-atomic-macos-stealer-amos-8cd5eea56024

Summary: A threat intelligence analyst walks through Atomic macOS Stealer (AMOS), starting from a Slack.dmg sample that was initially mistaken for a red-team payload. AMOS evades the current XProtect signatures and harvests data from browsers, cryptocurrency wallets and other applications on macOS. It masquerades as a "Privilege Helper" and uses an AppleScript dialog to trick the user into entering the login password, then quietly exfiltrates the stolen data to its command and control server. The stealer also carries a File Grabber module that collects specific files and checks for strings belonging to virtualization software to spot analysis environments. The post stresses proactive defences and singles out monitoring of AppleScript (osascript) execution as the key detection and response opportunity.

Threats: amos_stealer applescript

Indicators of compromise:
-------------------------
ip: 5.42.65.107
domain:
url: http://5.42.65.107/joinsystem
hash:
- sha1=008afff67ec8e20b9164c74a5e962dc520466b2d,
- sha1=1f763ac756ed13f0c08d3ef3c27654a62d3204e9,
- sha1=474a0150b3eac4a7242ffdcbd32ad9b478e25017,
- sha1=28566de2edf33187ee6de111360d2e4d0fa30be4,
- sha1=2d494cdc9d58d3c64ad1dd0b8dd36a539704a47e,
- sha1=90dd36ac3a4896b51ae89b298f2cdc949631d4a7,
- sha1=4a2f08ae92e00b60381d4c3b1ab2da96b6c9d232,
- sha1=68ed3cb921454d7f0e7fde46aea1831ba6c3b4bb,
- sha1=985340ec68c3ccf0a2a4d6fae42b4b121de1db7a,
- sha1=fb50216347e2017592d2915c21eec50bd2e5facb,
- sha1=300d2951e80c9c2eef51d34155fb98f034f9d0d4
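The detection opportunity the post points at is the AppleScript password prompt itself. The scorer below is an added example, not the analyst's code: it runs over constructed EDR-style process events and flags osascript invocations that show a "display dialog ... with hidden answer" prompt (the AppleScript idiom for a masked password field; that AMOS phrases its prompt this way is an assumption for the demo), mention a password, or are launched from a mounted disk image or download directory. The weights and threshold are likewise assumptions to be tuned against real telemetry.

```python
"""Score osascript executions for the fake-helper password prompt described above.
Added example, not from the original post. EVENTS are constructed process
records of the form (parent_image, image, argv); the AppleScript wording and the
scoring weights are assumptions for the demo."""
import re

EVENTS = [
    ("/Volumes/Slack/Slack", "/usr/bin/osascript",
     ["osascript", "-e",
      'display dialog "Privilege Helper needs your password to continue" '
      'default answer "" with hidden answer with icon caution']),
    ("/Applications/Script Editor.app/Contents/MacOS/Script Editor",
     "/usr/bin/osascript", ["osascript", "/Users/alice/Scripts/backup.scpt"]),
    ("/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
     "/usr/bin/osascript", ["osascript", "-e", 'display notification "Backup done"']),
]

# Paths a freshly downloaded dropper typically runs from (assumption for the demo).
UNTRUSTED_DIRS = ("/volumes/", "/private/tmp/", "/tmp/", "/downloads/")


def inline_script(argv):
    """Join every '-e' argument; osascript accepts several inline lines."""
    return "\n".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")


def score_event(parent, image, argv):
    """Return (score, reasons) for one process event; non-osascript events score 0."""
    reasons, score = [], 0
    if not image.endswith("/osascript"):
        return 0, reasons
    script = inline_script(argv).lower()
    if script:
        score += 1
        reasons.append("inline -e script rather than a script file")
    if "display dialog" in script and "hidden answer" in script:
        score += 3
        reasons.append("dialog with masked input (password prompt)")
    if re.search(r"password|passcode|credentials", script):
        score += 2
        reasons.append("prompt text asks for a password")
    if any(d in parent.lower() for d in UNTRUSTED_DIRS):
        score += 2
        reasons.append(f"parent launched from untrusted path: {parent}")
    return score, reasons


def flagged(events, threshold=4):
    """Return [(index, score, reasons)] for events at or above the threshold."""
    out = []
    for i, event in enumerate(events):
        score, reasons = score_event(*event)
        if score >= threshold:
            out.append((i, score, reasons))
    return out


if __name__ == "__main__":
    for idx, score, reasons in flagged(EVENTS):
        print(idx, score, "; ".join(reasons))
```

The first event (a dialog asking for the password, spawned by a binary running from a mounted .dmg under /Volumes) scores 8 and is reported; the legitimate script file and the plain notification dialog stay below the threshold. On a real fleet the parent-path check is the noisy part, so it carries a low weight on its own.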

Title: Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

Link: https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal

Summary: X-Force has tracked phishing campaigns by ITG05 since February 2024 that use lure documents imitating authentic government and non-governmental documents, aimed at targets in Europe, the South Caucasus, Central Asia, and North and South America. New techniques include abuse of the search-ms: URI handler to lead victims into downloading malware from actor-controlled WebDAV servers, the new MASEPIE and OCEANMAP backdoors, and the replacement of the older CREDOMAP with STEELHOOK. ITG05 is X-Force's name for the Russian state-sponsored group also tracked as APT28 and Fancy Bear; it impersonates government entities and hosts its payloads on services such as firstcloudit.com.

Threats: fancy_bear_group masepie_tool oceanmap steelhook headlace forest_blizzard_group beacon poshc2_tool ironjaw

Indicators of compromise:
-------------------------
ip: 172.114.170.18:55155, 194.126.178.8:55555, 148.252.42.42:54467, 74.124.219.71
domain: firstcloudit.com, webhook.site, webmail.facadesolutionsuae.com, wody-info-files.firstcloudit.com, kzgw-wody.firstcloudit.com, nas-files.firstcloudit.com, e-nas.firstcloudit.com, ua-calendar.firstcloudit.com, calendarua.firstcloudit.com, calendar-ua.firstcloudit.com, e-gov-am.firstcloudit.com, e-gov.firstcloudit.com, info-mod.firstcloudit.com, e-mod.firstcloudit.com, rada-zakon.firstcloudit.com, militarysupport.firstcloudit.com, sgg-files.firstcloudit.com, sgg-gov.firstcloudit.com, presidencia-docs.firstcloudit.com, files-presidencia.firstcloudit.com, e-presidencia.firstcloudit.com, presidencia-files.firstcloudit.com, presidencia-gov.firstcloudit.com, presidencia-gob.firstcloudit.com, gcsd.firstcloudit.com, emod.firstcloudit.com, e-military.firstcloudit.com, dls-gov.firstcloudit.com, eecommission.firstcloudit.com, eecommission-drive.firstcloudit.com
url:
hash:
- sha256=18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6,
- sha256=451f3d427ac21632f38619ef96dece25798918866d44fe82ff1ed30996f998dc,
- sha256=40a7fd89b9e51b0a515ac2355036d203357be90a2200b9c506b95c12db54c7aa,
- sha256=24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04,
- sha256=64b0037dde987c78edf807a1bd7f09cdfac072ec2a59954cc4918828b7e608a3
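The search-ms: handler opens Windows Explorer's search view on whatever location the URI names; when the "crumb=location:" parameter is a UNC or WebDAV path, Explorer mounts the remote share and shows the attacker's files as if they were local search results. The snippet below is an added example, not X-Force's code: it pulls search-ms: links out of HTML, parses the URI's parameters, and reports links whose location is a remote host. The HTML, hostnames and the .test domain are constructed for the demo.

```python
"""Find search-ms: links in HTML that point at a remote UNC/WebDAV location.
Added example, not from the X-Force report; SAMPLE_HTML is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

SAMPLE_HTML = """
<p>Please review the attached agenda.</p>
<a href="https://example.org/report.pdf">Report</a>
<a href="search-ms:query=Agenda&amp;crumb=location:%5C%5Cfiles.example-lure.test%40SSL%5CDavWWWRoot%5Cdocs&amp;displayname=Downloads">Open the agenda</a>
<a href="search-ms:query=budget&amp;crumb=location:C%3A%5CUsers%5CPublic">local search (benign)</a>
"""


class _HrefCollector(HTMLParser):
    """Collect every href attribute; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key.lower() == "href" and value:
                self.hrefs.append(value)


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters (percent-decoded). Several
    'crumb' parameters are allowed, so they are kept as a list. Returns None
    for any other scheme."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {"crumb": []}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        value = unquote(value)
        if key.lower() == "crumb":
            params["crumb"].append(value)
        else:
            params[key.lower()] = value
    return params


# \\host\share, \\host@SSL\DavWWWRoot\..., \\host@SSL@443\... (WebDAV forms)
UNC = re.compile(r"^\\\\([^\\@]+)(@ssl)?(@\d+)?\\", re.I)


def remote_locations(params):
    """Hosts referenced by 'location:' crumbs that name a UNC/WebDAV path."""
    hosts = []
    for crumb in params["crumb"]:
        if crumb.lower().startswith("location:"):
            m = UNC.match(crumb[len("location:"):])
            if m:
                hosts.append(m.group(1).lower())
    return hosts


def suspicious_links(html):
    """Return [(href, displayname, hosts)] for search-ms links that search a remote share."""
    collector = _HrefCollector()
    collector.feed(html)
    out = []
    for href in collector.hrefs:
        params = parse_search_ms(href)
        if not params:
            continue
        hosts = remote_locations(params)
        if hosts:
            out.append((href, params.get("displayname", ""), hosts))
    return out


if __name__ == "__main__":
    for href, name, hosts in suspicious_links(SAMPLE_HTML):
        print(name, hosts)
```

The displayname parameter is worth keeping in the alert: it is the text Explorer shows in the title bar, which is how a remote WebDAV listing is made to look like a local "Downloads" folder. The local search-ms link is parsed but not reported, since its location is a drive path rather than a UNC path.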

Title: BIPClip: Malicious PyPI packages target crypto wallet recovery passwords

Link: https://www.reversinglabs.com/blog/bipclip-malicious-pypi-packages-target-crypto-wallet-recovery-passwords

Summary: ReversingLabs discovered BIPClip, a malicious campaign that targets cryptocurrency wallets by stealing BIP39 mnemonic (recovery) phrases. The campaign used open source packages published to the Python Package Index, splitting the malicious behaviour across package dependencies and choosing names that resemble legitimate projects (name squatting) to evade detection. It targets developers who use the BIP39 standard when building Bitcoin wallets and highlights the supply chain risk that the cryptocurrency ecosystem carries.

Threats: bipclip_campaign typosquatting_technique supply_chain_technique

Indicators of compromise:
-------------------------
ip: 5.42.92.191, 194.163.154.242, 65.109.70.235
domain:
url: https://github.com/hashsnake/backendapi/raw/main/settings, https://raw.githubusercontent.com/hashsnake/backendapi/main/settings
hash:
- sha1=a23db65079ef310b87d1f017742149addbb53a81,
- sha1=03baa36c6551d1414d9907775b4600c873421b34,
- sha1=45130c7a2d92282ee9c0b066206f235198b5ddfb,
- sha1=087d325c24a5b28ad5342f097c3ebce3653e9ced,
- sha1=46d3a5b3627e7de58c78f41eed4c95c6112245e7,
- sha1=f2aadcd5bd1ba46b056e2d9e4b53e21a18b61b2a,
- sha1=f6bb6216caf96246f07e3fd9ffcb5f0d83bd6f41,
- sha1=e50864e1db37a75b99596aea6538981991bf4915,
- sha1=a88802edce3d5e70ac2d79272f98c0891c793f2a,
- sha1=c3822c1f181d8f6f12325a00b5bd6cca0c18d124,
- sha1=c1dc8d26946d52a1014ccc6c02156449e8e1e3b6,
- sha1=b74c24938595fe4ccc6efe845d2b095d126ed3fc,
- sha1=7ed9e234384e564e6d41da156bc472d5f369727e,
- sha1=ed1eb28a139c456e520726307e280a26b789b367,
- sha1=db61022dd75a63e99544bb5096c2e30d4348608e,
- sha1=65dab94f5ba56b891ed9bfe20d2b1f21c2d00ee1,
- sha1=570e483dfdc6389e1d4a87f987c9b3e5a0d886ce,
- sha1=1619a6fce00eecf5946750ef47d1c5748e963456,
- sha1=f4ff1fe54132ca91ecdf7f4b48fc16b231047b96,
- sha1=a875e313026a5400a920767038d953398b4afcb6,
- sha1=4a39462ce7b3e2cda9998fb9fd42aeab3d5eb4a3,
- sha1=19d88ff3e9d32897becc33c07b4cc307871b426e,
- sha1=791e731b2db1551ccfc6df0990644ed405771aa6,
- sha1=9aa894169984cfb4835b01f5f5b49d9670818259,
- sha1=dddd55a60d5dcbec45c034330fe12b62e38a87a8,
- sha1=3e385f6b2c842a490c1729aee1b48b22a728e367,
- sha1=f2ed2e169bbe22aef73158e279e59d04a1f40ed9,
- sha1=633b858092f7e0eb435a73f5bc972baa4cf79452,
- sha1=3d82406f8e6ee1018bb39f6d40321940effeab2b,
- sha1=c05d35c4cc9038de3eae4e84fb9b7560f4112a3b,
- sha1=01b66f12e9f76342729c1260ff4f0da8fc1bbe01,
- sha1=d5400ef535a8effe8c23cb56c4cb1c2c569beb79,
- sha1=156610fff622481eb3c37e988a5c8ece20f93aef,
- sha1=3843c4add1c2960f280d07b047f0c780a7b65e4d,
- sha1=9c4d2bacc24f70112bc53742e8fe26dad1fa63d1,
- sha1=989276eb67d5179b5eda055390d850b47198cdd2,
- sha1=64cd50f3bc347c894cbf25a2013c04e73e85550a,
- sha1=206cd1758ceda4abc9622d4f50134444a639f925
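Name squatting is only effective because a near-miss spelling, or a squat hidden two levels down the dependency tree, is rarely checked before installation. The audit below is an added example, not ReversingLabs' code: it normalises names the way PyPI does (PEP 503), compares each package in a dependency graph against a trusted list using edit distance and common affix tricks, and walks the graph so that a squat pulled in as a dependency of a dependency is caught too. The trusted list, package names and dependency graph are constructed for the demo.

```python
"""Flag PyPI package names that impersonate trusted projects, walking the
dependency graph so a squat hidden in a dependency is caught. Added example,
not ReversingLabs' code; TRUSTED and DEPS are constructed for the demo."""
import re


def normalize(name):
    """PEP 503 normalisation: the form pip and PyPI compare project names on."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Optimal string alignment distance (Levenshtein plus adjacent swaps)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


# Affixes squatters bolt onto a real name: pyfoo, python-foo, foo-py, foo2.
AFFIXES = (r"^py-?", r"^python-", r"-?py$", r"-?python$", r"\d+$")


def strip_affix(name):
    """Remove one common squatting affix, or return the name unchanged."""
    for pattern in AFFIXES:
        stripped = re.sub(pattern, "", name)
        if stripped and stripped != name:
            return stripped
    return name


def squat_suspects(candidate, trusted, max_dist=1):
    """Trusted names the candidate looks like. An identical normalised name is
    the same PyPI project, not a squat, and is skipped."""
    c = normalize(candidate)
    hits = []
    for t in trusted:
        tn = normalize(t)
        if c == tn:
            continue
        if edit_distance(c, tn) <= max_dist or strip_affix(c) == tn:
            hits.append(t)
    return hits


def audit_dependencies(root, deps, trusted):
    """Depth-first walk from root over a {package: [dependency, ...]} graph.
    Returns {package: [impersonated trusted names]}."""
    seen, flagged, stack = set(), {}, [root]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        suspects = squat_suspects(pkg, trusted)
        if suspects:
            flagged[pkg] = suspects
        stack.extend(deps.get(pkg, []))
    return flagged


TRUSTED = ["mnemonic", "bip32", "hdwallet", "bip-utils", "pycryptodome", "requests"]
DEPS = {  # constructed graph: one squat sits two levels below the root
    "wallet-recovery-tool": ["mnemonic", "bip-util", "requsts", "pybip32"],
    "bip-util": ["hdwalet"],
}

if __name__ == "__main__":
    for pkg, looks_like in audit_dependencies("wallet-recovery-tool", DEPS, TRUSTED).items():
        print(f"{pkg} looks like {looks_like}")
```

Two of the hits show why both rules are needed: requsts and hdwalet are one edit away from a trusted name, while pybip32 is two edits away and is only caught by stripping the "py" prefix. In practice the graph would come from resolving the lock file (for example the output of pip's resolver) rather than from a hand-written dictionary.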

Title: FakeBat delivered via several active malvertising campaigns

Link: https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns

Summary: In February, Malwarebytes observed an uptick in search-based malvertising, with both known and new malware families appearing, among them FakeBat, which is delivered as MSI installers that run obfuscated PowerShell. Malvertisers initially relied on URL shorteners and later diversified by redirecting through legitimate websites and by targeting a wider range of brands with malicious ad URLs. The FakeBat operator uses compromised websites and checks the HTTP Referer for a Google referral before redirecting (cloaking), with ongoing campaigns impersonating popular applications such as OneNote and Epic Games and payloads hosted with a Russian provider. Despite takedown efforts, FakeBat keeps deceiving users through fake software ads; the post recommends EDR detections for the PowerShell executions and blocking the ads at the DNS level, naming the vendor's own ThreatDown EDR and ThreatDown DNS Filter.

Threats: fakebat parsec_tool cloaking_technique

Indicators of compromise:
-------------------------
ip: 78.24.180.93
domain: cecar.com.ar, estiloplus.tur.ar, obs-software.cc, bandi-cam.cc, breavas.app, open-project.org, onenote-download.com, epicgames-store.org, blcnder.org, ads-pill.xyz, ads-pill.top, ads-tooth.top, ads-analyze.top
url:
hash:
- sha256=07b0c5e7d77629d050d256fa270d21a152b6ef8409f08ecc47899253aff78029,
- sha256=0d906e43ddf453fd55c56ccd6132363ef4d66e809d5d8a38edea7622482c1a7a,
- sha256=15ce7b4e6decad4b78fe6727d97692a8f5fd13d808da18cb9d4ce51801498ad8,
- sha256=40c9b735d720eeb83c85aae8afe0cc136dd4a4ce770022a221f85164a5ff14e5,
- sha256=f7fbf33708b385d27469d925ca1b6c93b2c2ef680bc4096657a1f9a30e4b5d18

Title: What's in your notepad? Infected text editors target Chinese users

Link: https://securelist.com/trojanized-text-editor-apps/112167

Summary: Cybercriminals use malvertising to lead victims to malicious sites, placing deceptive ad blocks at the top of search results to increase the chance of a click; an earlier campaign distributed the RedLine stealer through Google Ads using typosquatted domains that mimic official websites. Kaspersky recently found a similar threat aimed at users of a popular Chinese search engine: modified versions of text editors distributed through ads and search results, with the malicious sites serving downloads that carry a backdoor. The macOS version contains Geacon, a Go implementation of the Cobalt Strike beacon, which communicates with the C2 server dns.transferusee.com for remote command execution; a similar Linux backdoor was identified, and research into the later, not yet observed stages of the infection is ongoing.

Threats: redline_stealer typosquatting_technique sea_turtle_group geacon cobalt_strike portscan_tool

Indicators of compromise:
-------------------------
ip:
domain: vnote-1321786806.cos.ap-hongkong.myqcloud.com, dns.transferusee.com, update.transferusee.com, vnote.info, vnotepad.com, vnote.fuwenkeji.cn
url: http://update.transferusee.com/onl/mac/<md5_hash>, http://update.transferusee.com/onl/lnx/<md5_hash>
hash:
- md5=00fb77b83b8ab13461ea9dd27073f54f,
- md5=6ace1e014863eee67ab1d2d17a33d146,
- md5=43447f4c2499b1ad258371adff4f503f,
- md5=5ece6281d57f16d6ae773a16f83568db,
- md5=47c9fec1a949e160937dd9f9457ec689

Title: BlackCat Ransomware Affiliate TTPs

Link: https://www.huntress.com/blog/blackcat-ransomware-affiliate-ttps

Summary: The FBI disrupted the ALPHV/BlackCat ransomware-as-a-service operation and released a decryption tool for affected organizations. Separately, ConnectWise published an advisory for vulnerabilities in ScreenConnect versions 23.9.7 and earlier (fixed in 23.9.8). Huntress then detected a healthcare-associated endpoint whose Ransomware Canary files had been modified; the investigation traced the activity to a compromised ScreenConnect instance, unauthorized activity by a threat actor using the name 'chlsln14', and an affiliate trying to deploy ransomware, disable security tooling and spread through the network, a reminder that the RaaS variant remains dangerous despite the disruption.

Threats: blackcat connectwise_rat screenconnect_tool shadow_copies_delete_technique

Indicators of compromise:
-------------------------
ip: 94.131.109.54:6531
domain:
url: http://94.131.109.54:6531/iw0pjckezadktma5xkv8zxs6.exe
hash:
- sha256=d72766a868fef87c0c073c1ec3b6a92b7daed7313b81ee6523386049f768b09d

Title: Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled

Link: https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware

Summary: Unit 42 traces BunnyLoader from its launch in September 2023 as a malware-as-a-service botnet and loader by the author "Player" (aka "Player_Bunny") to BunnyLoader 3.0, released in February 2024. The new version rewrote its modules, adding keylogging, a clipper, a stealer that targets browser and wallet data, and DoS functionality, along with encrypted C2 communication and evasion through packed binaries and filename obfuscation. It operates through several C2 servers and disguises its components under the names of legitimate software, giving its customers a flexible platform for dropping further payloads on targeted machines.

Threats: bunnyloader purecryptor upx_tool themida_tool nanocore_rat player_bunny_group qakbot purelogs meduza nextronsystems_tool httpflood_technique tron

Indicators of compromise:
-------------------------
ip: 37.139.129.145, 185.241.208.83, 195.10.205.23, 172.105.124.34, 134.122.197.80, 91.92.254.31, 91.92.247.212, 185.241.208.104
domain:
url: http://ads.hostloads.xyz/baguvixju32i0/gate.php
hash:
- sha256=3a64f44275b6ff41912654ae1a4af1d9c629f94b8062be441902aeff2d38af3e,
- sha256=0f425950ceaed6578b2ad22b7baea7d5fe4fd550a97af501bca87d9eb551b825,
- sha256=82a3c2fd57ceab60f2944b6fea352c2aab62b79fb34e3ddc804ae2dbc2464eef,
- sha256=2ab21d859f1c3c21a69216c176499c79591da63e1907b0d155f45bb9c6aed4eb,
- sha256=c006f2f58784671504a1f2e7df8da495759227e64f58657f23efee4f9eb58216,
- sha256=52b7cdf5402f77f11ffebc2988fc8cdcd727f51a2f87ce3b88a41fd0fb06a124,
- sha256=5f09411395c8803f2a735b71822ad15aa454f47e96fd10acc98da4862524813a,
- sha256=cc2acf344677e4742b22725ff310492919499e357a95b609e80eaddc2b155b4b,
- sha256=ebc17dbf5970acb38c35e08560ae7b38c7394f503f227575cd56ba1a4c87c8a4,
- sha256=2d39bedba2a6fb48bf56633cc6943edc6fbc86aa15a06c03776f9971a9d2c550,
- sha256=2e9d6fb42990126155b8e781f4ba941d54bcc346bcf85b30e3348dde75fbeca1,
- sha256=74c56662da67972bf4554ff9b23afc5bdab477ba8d4929e1d7dbc608bdc96994,
- sha256=fffdf51cdb54f707db617b29e2178bb54b67f527c866289887a7ada4d26b7563,
- sha256=62f041b12b8b4e0debd6e7e4556b4c6ae7066fa17e67900dcbc991dbd6a8443f,
- sha256=1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8,
- sha256=c80a63350ec791a16d84b759da72e043891b739a04c7c1709af83da00f7fdc3a

This article was generated with the assistance of an artificial intelligence language model, ChatGPT.
