Blueliv Intelligence Briefing

Your cybersecurity news summary

Friday, May 21st, 2021

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

Android/Oji worm fake COVID-19 vaccine registration campaign

The Android worm Oji (2020) has recently resurfaced with a fake COVID-19 vaccine registration app. The newly discovered sample marks the beginning of a new campaign that lures victims with the promise of vaccine registration. The malware's goal is merely to display ads and to spread to the victim's contacts via SMS. It is currently targeting users in India.

Three novel malware strains delivered worldwide by phishing

UNC2529, as Mandiant threat researchers track the "uncategorized" threat group behind this campaign, has deployed three new malware strains onto targets' computers using custom phishing lures. UNC2529 used considerable infrastructure to pull off their attacks, with roughly 50 domains being used to deliver the phishing emails. The group also invested time in tailoring their attacks to the targeted victims, in evident attempts to make sure that their emails were seen as legitimate messages from business partners or clients. They used this tactic to increase the chance that their booby-trapped messages were opened and the targets got infected. Throughout the two waves of attacks, the threat group used phishing emails with links to a JavaScript-based downloader (dubbed DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (known as DOUBLEDROP) from the attackers' command-and-control (C2) servers. The DOUBLEDROP dropper bundles 32- and 64-bit instances of a backdoor (named DOUBLEBACK) implemented as a PE dynamic-link library. The backdoor is injected into the PowerShell process spawned by the dropper. It is also designed to later attempt to inject itself into a newly spawned Windows Installer (msiexec.exe) process if Bitdefender's antivirus engine is not running on the compromised computer. In the next stage, the DOUBLEBACK backdoor loads its plugin and reaches out to the C2 server in a loop to fetch commands to execute on the infected device. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system," Mandiant added.
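Since only the downloader in this chain touches disk, the later stages are most visible as process relationships. The check below is an added defender-side example (not code from the briefing, Blueliv or Mandiant): it walks constructed process-creation events and flags the two parent/child pairs the DOUBLEDROP/DOUBLEBACK chain produces; the event fields and every sample event are assumptions.

```python
"""Process-lineage check for the DOUBLEDRAG -> DOUBLEDROP -> DOUBLEBACK chain.

Added example, not code from the briefing, Blueliv or Mandiant. Because the
dropper and backdoor never touch disk, file scanning only ever sees the
downloader; the remaining stages are visible as process relationships.
The event fields (pid, ppid, image, cmdline) are modelled loosely on a
process-creation log such as Sysmon Event ID 1, and every event below is
constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name only (no path)
    cmdline: str

    def __post_init__(self) -> None:
        # Normalise case so EXCEL.EXE and excel.exe compare equal.
        self.image = self.image.lower()


# Parent -> child pairs the briefing's chain produces (hypothetical rule table).
SUSPICIOUS_LINEAGE: Dict[Tuple[str, str], str] = {
    ("excel.exe", "powershell.exe"):
        "Excel spawning PowerShell: macro launching the in-memory DOUBLEDROP dropper",
    ("powershell.exe", "msiexec.exe"):
        "PowerShell spawning msiexec.exe: DOUBLEBACK's secondary injection target",
}

# The complete three-hop lineage, child first, as seen from the msiexec.exe process.
FULL_CHAIN = ["msiexec.exe", "powershell.exe", "excel.exe"]


def build_index(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    """Map pid -> event so parents can be looked up directly."""
    return {e.pid: e for e in events}


def lineage(event: ProcEvent, index: Dict[int, ProcEvent], max_depth: int = 8) -> List[str]:
    """Return image names from the event up through its ancestors (child first).

    max_depth guards against cycles or pid reuse in a noisy log.
    """
    chain = [event.image]
    current = event
    for _ in range(max_depth):
        parent = index.get(current.ppid)
        if parent is None:
            break
        chain.append(parent.image)
        current = parent
    return chain


def find_suspicious(events: List[ProcEvent]) -> List[dict]:
    """Flag every event whose (parent image, own image) pair is in the rule table."""
    index = build_index(events)
    hits = []
    for e in events:
        parent = index.get(e.ppid)
        if parent is None:
            continue
        reason = SUSPICIOUS_LINEAGE.get((parent.image, e.image))
        if reason is None:
            continue
        chain = lineage(e, index)
        hits.append({
            "pid": e.pid,
            "chain": " <- ".join(chain),
            "reason": reason,
            # True only when all three stages line up, which is the strongest signal.
            "full_chain": chain[:len(FULL_CHAIN)] == FULL_CHAIN,
        })
    return hits


# Constructed sample log: one infected lineage plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "EXCEL.EXE",      "EXCEL.EXE invoice.xlsm"),          # user opens lure
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden"),   # macro -> dropper
    ProcEvent(400, 300, "msiexec.exe",    "msiexec.exe"),                     # injection target
    ProcEvent(500, 100, "msiexec.exe",    "msiexec.exe /i setup.msi"),        # benign installer
    ProcEvent(600, 100, "powershell.exe", "powershell.exe"),                  # benign console
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: {hit['reason']}\n    {hit['chain']}")
```

A real deployment would replace the lookup table with the telemetry source's own parent/child fields and tune the benign cases (interactive PowerShell, user-launched installers) the sample deliberately leaves unflagged.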

Formerly unknown rootkit used to secretly control networks of regional organizations

Windows rootkits are pieces of malware infamous for their near-absolute power in the operating system. The capability to blend into the fabric of the operating system itself, much as security products do, is the quality that earns rootkits their notoriety for stealth and evasion. A newly discovered rootkit dubbed 'Moriya' has been used by an unknown actor to deploy passive backdoors on public-facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The rootkit was found on the networks of regional diplomatic organizations in Asia and Africa, detected in several instances dating back to October 2019 and May 2020, where the infection persisted in the targeted networks for several months after each deployment of the malware. A couple of other tools with significant code overlaps with Moriya were found as well: a user-mode version of the malware and another driver-based utility used to defeat AV software.

Darkside Ransomware Operations Uncovered

Since August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. These actors conduct multifaceted extortion in which data is both exfiltrated and encrypted in place, allowing them to demand payment for unlocking and for the non-release of stolen data, to exert more pressure on victims. While the threat actors commonly relied on commercially available and legitimate tools to facilitate various stages of their operations, in at least one case they also employed a now-patched zero-day vulnerability. Most of the victim organizations were based in the United States and spanned multiple sectors, including financial services, legal, manufacturing, professional services, retail, and technology.

Blueliv Intelligence Briefing

Thursday, May 20th, 2021

Blueliv Intelligence Briefing

Thursday, May 13th, 2021

Android/Oji worm fake COVID-19 vaccine registration campaign

The Android worm Oji (2020) has recently re-surfaced with a fake app to register for COVID-19 vaccine. The newly discovered sample marks the beginning of a new campaign, aimed to lure its victims with a COVID-19 vaccine registration. The goal of this malware is merely to display ads and spread to the victims contacts via SMS. This malware is currently targeting users in India.

Three novel malware strains delivered worldwide by phishing

UNC2529, as Mandiant threat researchers track the "uncategorized" threat group behind this campaign, has deployed three new malware strains onto the targets' computers using custom phishing lures. UNC2529 used considerable infrastructure to pull off their attacks, with roughly 50 domains being used to deliver the phishing emails. The group also invested time into tailoring their attacks to the targeted victims, in evident attempts to make sure that their emails were seen as legitimate messages from business partners or clients. They used this tactic to increase the chance that their booby-trapped messages were opened and the targets got infected. Throughout the two waves of attacks, the threat group used phishing emails with links to a JavaScript-based downloader (dubbed DOUBLEDRAG) or an Excel document with an embedded macro that downloaded an in-memory PowerShell-based dropper (known as DOUBLEDROP) from attackers' command-and-control (C2) servers. The DOUBLEDROP dropper bundles 32 and 64-bit instances of a backdoor (named DOUBLEBACK) implemented as a PE dynamic library. The backdoor gets injected into the PowerShell process spawned by the dropper. Still, it is designed to later attempt to inject itself into a newly spawned Windows Installer (msiexec.exe) process if Bitdefender's antivirus engine is not running on the compromised computer. In the next stage, the DOUBLEBACK backdoor loads its plugin and reaches out to the C2 server in a loop to fetch commands to execute on the infected device. "One interesting fact about the whole ecosystem is that only the downloader exists in the file system," Mandiant added.

Formerly unknown rootkit used to secretly control networks of regional organizations.

Windows rootkits are pieces of malware infamous for their near absolute power in the operating system. The capability to blend into the fabric of the operating system itself, much like security products do, is the quality that earns rootkits their notoriety for stealth and evasion. A newly discovered rootkit dubbed 'Moriya' has been used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The rootkit was found on networks of regional diplomatic organizations in Asia and Africa, detected on several instances dating back to October 2019 and May 2020, where the infection persisted in the targeted networks for several months after each deployment of the malware. A couple of other tools that have significant code overlaps with Moriya were found as well. These contain a user mode version of the malware and another driver-based utility used to defeat AV software.

Darkside Ransomware Operations Uncovered

Since August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. These actors conduct multifaceted extortion where data is both exfiltrated and encrypted in place, allowing them to demand payment for unlocking and the non-release of stolen data to exert more pressure on victims. While the threat actors commonly relied on commercially available and legitimate tools to facilitate various stages of their operations, at least in one case they also employed a now patched zero-day vulnerability. Most of the victim organizations were based in the United States and span across multiple sectors, including financial services, legal, manufacturing, professional services, retail, and technology.

Android/Oji worm fake COVID-19 vaccine registration campaign

Formerly unknown rootkit used to secretly control networks of regional organizations

Windows rootkits are pieces of malware infamous for their near-absolute power in the operating system. The capability to blend into the fabric of the operating system itself, much as security products do, is what earns rootkits their notoriety for stealth and evasion. A newly discovered rootkit dubbed 'Moriya' has been used by an unknown actor to deploy passive backdoors on public-facing servers, creating a covert C&C channel through which the servers can be silently controlled. The rootkit was found on the networks of regional diplomatic organizations in Asia and Africa, in several instances dating back to October 2019 and May 2020, and the infection persisted in the targeted networks for several months after each deployment of the malware. A couple of other tools with significant code overlaps with Moriya were found as well: a user-mode version of the malware and a driver-based utility used to defeat AV software.

Darkside Ransomware Operations Uncovered

Since August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. These actors conduct multifaceted extortion: data is both exfiltrated and encrypted in place, so they can demand payment both for unlocking the data and for not releasing the stolen copy, exerting more pressure on victims. While the threat actors commonly relied on commercially available and legitimate tools for various stages of their operations, in at least one case they also employed a now-patched zero-day vulnerability. Most of the victim organizations were based in the United States and spanned multiple sectors, including financial services, legal, manufacturing, professional services, retail, and technology.

Blueliv Intelligence Briefing

Your cybersecurity news summary

Wednesday,   May 12th,   2021

Snort Ethernet Frame Decoder DoS vulnerability (CVE-2021-1285)

The vulnerability resides in the Ethernet Frame Decoder of the Snort detection engine. Tracked as CVE-2021-1285, it can be exploited by an unauthenticated, adjacent attacker to trigger a DoS condition by sending specially crafted Ethernet frames to an affected device. “The vulnerability is due to improper handling of error conditions when processing Ethernet frames. An attacker could exploit this vulnerability by sending malicious Ethernet frames through an affected device,” reads the advisory published by Cisco.

Microsoft Exchange attack IOCs shared by bank regulator in Chile

CMF further states that it is investigating the breach and has been in contact with the Computer Security Incident Response Team (CSIRT) of the Ministry of Finance. While the indicators of compromise (IOCs) will have different file hashes for each victim, in many attacks the file names have been the same. Web shells named 'error_page.asp' and 'supp0rt.aspx' have been used in numerous ProxyLogon attacks and are for the most part identical, with only a few changes specific to the victim. These files are Microsoft Exchange Offline Address Books (OAB) whose ExternalUrl setting has been changed to the China Chopper web shell. This web shell allows threat actors to execute commands remotely on the compromised Microsoft Exchange server by visiting the URL configured in the ExternalUrl setting.
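The two indicators above, a non-URL value in an OAB ExternalUrl setting and the reused web shell file names, can both be checked offline once the configuration and a directory listing have been collected from the Exchange servers. The following is an added example, not the CMF's or Blueliv's code. The JSON records assume the configuration was exported with `Get-OabVirtualDirectory | Select-Object Server,Name,ExternalUrl | ConvertTo-Json`, and the records and paths themselves are constructed; the script body in the tampered sample is omitted, since only the shape of the value matters for detection.

```python
"""Checks for the two Exchange indicators reported above (added example).

Records and paths below are constructed. The JSON shape assumes the OAB
configuration was exported with
  Get-OabVirtualDirectory | Select-Object Server,Name,ExternalUrl | ConvertTo-Json
and copied off the Exchange servers for offline review.
"""
import json
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# File names the briefing reports as reused across ProxyLogon victims; the
# hashes differ per victim, so the name is the stable indicator.
WEBSHELL_NAMES = {"error_page.asp", "supp0rt.aspx"}

# Characters permitted in a URL (RFC 3986 unreserved, reserved and percent).
# Markup such as <script ...> needs '<', '>', '"' or whitespace and fails this.
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def external_url_is_sane(url: Optional[str]) -> bool:
    """A legitimate ExternalUrl is unset or a plain http(s) URL with a host."""
    if not url:
        return True  # an unset ExternalUrl is a normal configuration
    if not _URL_CHARS.match(url):
        return False
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def audit_oab(records_json: str) -> List[Dict[str, Optional[str]]]:
    """Return the exported records whose ExternalUrl fails the sanity check."""
    findings = []
    for rec in json.loads(records_json):
        url = rec.get("ExternalUrl")
        if not external_url_is_sane(url):
            findings.append({"Server": rec["Server"], "Name": rec["Name"], "ExternalUrl": url})
    return findings


def find_webshell_names(paths: List[str]) -> List[str]:
    """Return listed paths whose file name is one of the reused web shell names."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in WEBSHELL_NAMES]


SAMPLE_OAB = json.dumps([
    {"Server": "EXCH01", "Name": "OAB (Default Web Site)", "ExternalUrl": "https://mail.example.com/OAB"},
    {"Server": "EXCH02", "Name": "OAB (Default Web Site)", "ExternalUrl": None},
    # Tampered value: server-side markup where a URL should be; script body omitted.
    {"Server": "EXCH03", "Name": "OAB (Default Web Site)",
     "ExternalUrl": 'http://f/<script runat="server">/* body omitted */</script>'},
])

# Constructed listing of a web-facing directory on an Exchange server.
SAMPLE_LISTING = [
    r"C:\inetpub\wwwroot\aspnet_client\supp0rt.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\error_page.asp",
    r"C:\inetpub\wwwroot\aspnet_client\system_web\default.aspx",
]

if __name__ == "__main__":
    for rec in audit_oab(SAMPLE_OAB):
        print(f"{rec['Server']}: {rec['Name']} has a non-URL ExternalUrl: {rec['ExternalUrl']!r}")
    for path in find_webshell_names(SAMPLE_LISTING):
        print(f"known web shell name on disk: {path}")
```

The URL check deliberately does not look for a specific payload: any ExternalUrl that is not a plain http(s) URL with a host is wrong for an OAB virtual directory, so the check stays valid when the embedded script changes between victims, which is exactly the variation the briefing describes.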
