Threat Intelligence Report July 12 - July 18 2022

SilentLibrarian is an APT group that primarily targets universities for research data. This group has been active since 2013 and its members are said to be affiliated with Iran. Their primary motive is to steal proprietary research data from the academe and other private research agencies. Their main observed technique is to gather and use compromised accounts from university domains. They then use these accounts to phish and trick their specific targets into authenticating into their own fake university login portal.

Red Piranha is continuously monitoring the domains that this APT group is known to be using. Rules are being updated to include the most recent domains that have been observed.

Initial Access T1566 – Credential Access T1056

YourCyanide is a newly observed ransomware that is distributed via Discord as an attachment. Upon execution, it creates a .lnk file that retrieves and executes the main dropper malware. Once the dropper is executed, it creates a new directory where it will save a batch script that it will fetch from Pastebin and execute. The dropper deletes the directory where it stored the files. It achieves persistence through the Registry by adding itself as a startup item. Upon locking the user's machine, it fetches another batch script which uploads data to a Telegram bot. It also downloads a token stealer that is used on the user's web browser local storage and sends the contents to the Telegram bot.

This malware can also spread via email by sending a copy of itself through Outlook. It retrieves the user's contact list and sends an email that resembles a love letter.

The rules in place are to detect the usage of Discord and an unusual user-agent that is observed being used by the malware.

Execution T1204 – Persistence T1547 
Discovery T1087/T1046/T1012/T1518/T1082/T1016/T1033
Collection T1119/T1115/T1056/T1113/T1125 – Command and Control T1071

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP

The CVE-2020-1350 is an integer overflow vulnerability that leads to a heap-based buffer overflow when processing malformed DNS SIG resource records. A SIG record is a type of DNS resource record that contains a digital signature for a record set (one or more DNS records with the same name and type). To exploit SIGRed, an attacker can configure an “evil” domain whose NS record points to a malicious DNS server. When a client makes a DNS query for the “evil” domain to the victim server, the victim server will query the DNS server above it. The DNS server will respond back with an NS record indicating that the malicious DNS server is the authority for that domain, and the record will be cached by the victim. Afterwards, when a client sends the victim a DNS SIG query for the domain, the victim server will query the malicious DNS server. The malicious DNS server will send a malformed DNS SIG record as a response.