In the latest edition of the Cybersecurity Threat Spotlight, the Cisco Secure threat analysts examine the expansion of an advanced persistent threat (APT) group, the evolution of a ransomware-as-a-service (RaaS) offering, and the rise of mobile malware.
Want to learn more about how Cisco Umbrella can help protect your network against threats like these? Sign up for a free trial today!
CrimsonRAT
Threat Type: RAT
Delivery and Exfiltration:
Description: CrimsonRAT is a remote access Trojan used to take remote control of infected systems and steal data. We know this particular RAT is used by the Transparent Tribe APT group. CrimsonRAT’s targets include educational, governmental and military entities in the Indian subcontinent. The main goal of operations is to steal sensitive information and establish long-term access into a compromised network. The malware also has the following capabilities:
- Listing the processes running on the system
- Enumerating the drives, directories, and files on the system
- Collecting host names and user IDs, and capturing screenshots
- Retrieving data from the C2 server, connecting to it over custom ports
CrimsonRAT Spotlight: Cisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against students at various educational institutions in India. This indicates that the APT is actively expanding its network of victims to include civilian users. The attacks result in the deployment of CrimsonRAT, Transparent Tribe’s malware of choice for establishing long-term access to victim networks. Transparent Tribe is suspected to have links to Pakistan and has been known to use its CrimsonRAT implant against human rights activists in Pakistan.
Target Geolocations: India, Afghanistan, Pakistan
Target Data: Credentials from Web Browsers, Data from Removable Media, Local Email Collection
Target Businesses: Government Sector, Military, Educational Institutions
Exploits: N/A
MITRE ATT&CK for CrimsonRAT
Initial Access:
Phishing
Persistence:
Registry Run Keys/Startup Folder
Defense Evasion:
Impair Defenses
Collection:
Screen Capture
Input Capture: Keylogging
Discovery:
File and Directory Discovery
Process Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery
Command and Control:
Ingress Tool Transfer
Exfiltration:
Exfiltration Over Command and Control Channel using Non-Application Layer Protocol
IOCs
IPs:
192[.]3[.]99[.]68
198[.]37[.]123[.]126
Domains:
URLs:
hxxps[://]studentsportal[.]live/download[.]php?file=Mental_Health_Survey[.]docm
hxxps[://]studentsportal[.]website/download[.]php?file=5-mar[.]zip
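The indicators above are published defanged (hxxp, [://], [.]) so they cannot be followed by accident. As an added example that is not part of the Cisco post, this Python snippet refangs the two IPs and two URLs listed above into a host watchlist and checks constructed sample DNS, proxy and firewall log lines against it; the log layout and field names (query=, answer=, url=, dst=) are assumptions.

```python
import re

# The two IPs and two URLs from the CrimsonRAT IOC list above, as published (defanged).
DEFANGED_IOCS = [
    "192[.]3[.]99[.]68",
    "198[.]37[.]123[.]126",
    "hxxps[://]studentsportal[.]live/download[.]php?file=Mental_Health_Survey[.]docm",
    "hxxps[://]studentsportal[.]website/download[.]php?file=5-mar[.]zip",
]

def refang(indicator: str) -> str:
    """Reverse the hxxp / [://] / [.] defanging used in threat reports."""
    out = indicator.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)

def extract_host(value: str) -> str:
    """Return the lower-cased host (or IP) from a URL, 'host:port', or bare host."""
    stripped = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value, flags=re.IGNORECASE)
    return stripped.split("/", 1)[0].split(":", 1)[0].lower()

def build_watchlist(defanged: list[str]) -> set[str]:
    """Refang every indicator and reduce it to the host to match on."""
    return {extract_host(refang(ioc)) for ioc in defanged}

# Constructed sample log lines (not from the report); field names are assumed.
SAMPLE_LOGS = [
    "2022-07-14T10:01:02Z dns client=10.0.0.5 query=studentsportal.live type=A answer=192.3.99.68",
    "2022-07-14T10:01:05Z proxy client=10.0.0.5 url=https://studentsportal.live/download.php?file=Mental_Health_Survey.docm status=200",
    "2022-07-14T10:02:11Z dns client=10.0.0.7 query=updates.example.com type=A answer=93.184.216.34",
    "2022-07-14T10:03:40Z firewall src=10.0.0.9 dst=198.37.123.126 dport=1234 action=allow",
]

# Fields whose value may carry a host, IP or URL worth checking.
HOST_FIELD = re.compile(r"\b(?:query|answer|dst|url)=(\S+)")

def find_matches(log_lines: list[str], watchlist: set[str]) -> list[tuple[str, str]]:
    """Return (log line, matched host) for every line touching a watchlisted host."""
    hits = []
    for line in log_lines:
        for value in HOST_FIELD.findall(line):
            host = extract_host(value)
            if host in watchlist:
                hits.append((line, host))
                break  # one hit per line is enough for triage
    return hits

if __name__ == "__main__":
    for line, host in find_matches(SAMPLE_LOGS, build_watchlist(DEFANGED_IOCS)):
        print(f"IOC hit {host}: {line}")
```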
Additional Information:
Transparent Tribe begins targeting education sector in latest campaign
Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance
AvosLocker
Threat Type: Ransomware
Delivery and Exfiltration:
Description: Well-funded and financially motivated, the Avos ransomware group has been active since June 2021, when it initially targeted Windows machines. More recently, a new variant of the AvosLocker ransomware, named after the group, has been spotted targeting Linux environments. The Avos group follows the ransomware-as-a-service (RaaS) model, running an affiliate program to recruit partners. The program announcement describes the ransomware’s features and states that AvosLocker operators will handle negotiation and extortion.
AvosLocker Spotlight: In a recent customer engagement, Cisco Talos observed a month-long AvosLocker campaign. The initial ingress point in this incident was a pair of VMware Horizon Unified Access Gateways that were vulnerable to Log4Shell. Several vulnerabilities associated with Log4j were found:
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
- CVE-2021-44832
These vulnerabilities can allow remote code execution on Unified Access Gateways as a low-privilege, non-root user named “gateway.” Once the malicious actor had established this foothold on the customer’s network, they gained access to the initial servers and then used several tools, including Cobalt Strike, Sliver, and multiple commercial network scanners, to deploy AvosLocker.
Target Geolocations: Any
Target Data: Any
Target Businesses: Any
Exploits: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832
MITRE ATT&CK for AvosLocker
Initial Access:
Exploit Public-Facing Application
Valid Accounts
Execution:
Command and Scripting Interpreter
Software Deployment Tools
Persistence:
Create Account
Boot or Logon Autostart Execution
Defense Evasion:
Modify Registry
Impair Defenses
Deobfuscate/Decode Files or Information
Indicator Removal on Host
Credential Access:
OS Credential Dumping
Unsecured Credentials
Credentials from Password Stores
Discovery:
File and Directory Discovery
Network Share Discovery
Process Discovery
Remote System Discovery
Lateral Movement:
Remote Services
Software Deployment Tools
Command and Control:
Remote Access Software
Impact:
Data Encrypted for Impact
Service Stop
Inhibit System Recovery
Defacement
IOCs
Hashes:
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
cee38fd125aa3707dc77351dde129dba5e5aa978b9429ef3e09a95ebf127b46b
URLs:
hxxp[://]45[.]136[.]230[.]191:4000/D234R23
IPs:
176[.]113[.]115[.]107
45[.]136[.]230[.]191
Additional Information:
Avos ransomware group expands with new attack arsenal
Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance
MaliBot
Threat Type: Mobile Trojan
Delivery and Exfiltration:
Description: MaliBot is a mobile Trojan that targets Android users. Delivered via phishing text messages or Trojanized apps, this malware can steal credentials, cookies, MFA codes, and cryptocurrency wallets. Stealing MFA codes lets it bypass multi-factor authentication; it can also remotely control infected devices using a VNC server implementation, run and delete applications on demand, steal and send SMS messages, and carry out injection/overlay attacks.
MaliBot Spotlight: Security researchers recently discovered a new strain of Android malware which they have dubbed “MaliBot.” Its main targets are online banking customers in Spain and Italy. MaliBot can steal credentials and cookies, bypass multi-factor authentication (MFA) by capturing one-time codes, and remotely control infected devices using a VNC server implementation.
MaliBot’s command and control (C2) infrastructure is in Russia and appears to use the same servers that were used to distribute the Sality malware. MaliBot is distributed in one of two ways: by luring victims to fraudulent websites, where they are tricked into downloading the malware, or by sending SMS phishing messages directly to mobile phone numbers.
Thus far, the malware actors have created two campaigns, “Mining X” and “TheCryptoApp,” each of which has a website with a download link to the malware. As with much other Android malware, MaliBot performs most of its malicious operations by abusing Android’s Accessibility API. MaliBot also collects information from the infected device, including its IP address, Android ID, model, language, and list of installed applications.
MaliBot is part of a trend of mobile malware on the rise, and users should be aware of it.
Target Geolocations: Spain, Italy
Target Data: User Credentials, Cryptocurrency Wallet Data, SMS Messages, Personal Data, Financial Information
Target Businesses: N/A
Exploits: N/A
MITRE ATT&CK for MaliBot
Initial Access:
Phishing
Trojanized Apps
Execution:
Native API
Persistence:
Foreground Persistence
Event Triggered Execution
Defense Evasion:
Foreground Persistence
Hide Artifacts
Input Injection
Native API
Virtualization/Sandbox Evasion: System Checks
Credential Access:
Access Notifications
Clipboard Data
Input Capture
Discovery:
File and Directory Discovery
Process Discovery
Software Discovery
System Information Discovery
Collection:
Access Notifications
Call Control
Clipboard Data
Input Capture
Protected User Data
Screen Capture
Command and Control:
Application Layer Protocol: Web Protocols
Exfiltration:
Exfiltration Over C2 Channel
IOCs
IP:
5[.]101[.]0[.]44
Domains:
mining-x[.]tech
mycrypto-app[.]com
Additional Information:
F5 Labs Investigates MaliBot
Which Cisco Secure Products Can Block:
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance