Threat Intelligence Report July 19 - July 25 2022

Cloaked Ursa (APT29) is a threat group that has been traced back to Russia. They are popularly known to be the threat actors behind the Solarwinds supply chain attack in 2020. They have operated since 2008 and have been targeting large organizations such as governments and research institutes.

A newly observed campaign from Cloaked Ursa leverages trusted cloud services such as Google Drive to deliver malware. The most recent incidents were targeted at embassies in Portugal and Brazil. The phishing documents delivered to these targets contained a link to a malware dropper that would gather additional malicious files and payloads.

Red Piranha has rules in place to detect requests for domains that are related to Cloaked Ursa, a specific parameter for suspicious Google Drive authentication events, and download traffic for the malware dropper.

ChromeLoader is a malware used to hijack a user's browser and usually originates from malicious advertisements. Historically, the events start with a user downloading a cracked version of software through malicious adverts. Installing this malicious software means installing the malware on your machine. Through the years, the ChromeLoader has been observed to be improving on its techniques. The most recent ChromeLoader activity started with malicious advertisements and ended up with deploying a browser extension instead. This browser extension is used as an infostealer and will present you with advertisements.

Red Piranha has deployed rules to detect a pattern used by the authors of this malware. It detects outgoing requests for domains associated with ChromeLoader.

Initial Access T1189 - Execution T1059 - Persistence - Command and Control T1102

Raspberry Robin is usually launched via infected removable drives, often USB devices. The Raspberry Robin worm often appears as a shortcut .lnk file hidden as a legitimate folder on the infected USB device. Soon after the Raspberry Robin infected drive is connected to the system, the User Assist registry entry is updated and records the execution of a ROT13-ciphered value referencing a .lnk file when deciphered.

: Initial Access T1091 - Execution T1059.003 - Defence Evasion T1218.008 - Command and Control T1218.007/T1071.001

The Microsoft Threat Intelligence Center (MSTIC) recently reported a new malware strain attacking small to middle-sized businesses across the globe since June 2021. The ransomware named H0lyGh0st has been initially developed by an emerging North Korean APT tracked under the DEV-0530 moniker. The ransomware attacks are explicitly financially motivated, targeting such sectors as manufacturing, education, financial services, and tech. Analysis of DEV-0530 activity reveals the ties to another North Korea-backed threat actor known as Plutonium (aka Andariel), an active unit of the Lazarus umbrella.

A vulnerability classified as critical has been found in Kaswara Modern VC Addons Plugin up to 3.0.1 on WordPress (WordPress Plugin). Affected is the function uploadFontIcon of the file wp-content/uploads/kaswara/fonts_icon. The manipulation with an unknown input leads to a privilege escalation vulnerability. CWE is classifying the issue as CWE-434. The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. The critical-severity security bug allows an unauthenticated attacker to upload malicious PHP files to a vulnerable site, potentially achieving remote code execution. An attacker can exploit the flaw to inject malicious JavaScript code into any file on the WordPress installation and completely take over a vulnerable site. Over the past two weeks, Wordfence has seen a massive surge in the number of attack attempts targeting the vulnerability.

Maui ransomware (maui.exe) is an encryption binary. The ransomware appears to be designed for manual execution by a remote actor. The remote actor uses a command-line interface to interact with the malware and to identify files to encrypt. Maui uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt target files:

Maui encrypts target files with AES 128-bit encryption. Each encrypted file has a unique AES key, and each file contains a custom header with the file’s original path, allowing Maui to identify previously encrypted files. The header also contains encrypted copies of the AES key.Maui encrypts each AES key with RSA encryption.Maui loads the RSA public (maui.key) and private (maui.evd) keys in the same directory as itself. Maui encodes the RSA public key (maui.key) using XOR encryption. The XOR key is generated from hard drive information (\\.\PhysicalDrive0).