Cisco Umbrella

Enterprise network security

Cybersecurity Threat Spotlight

CrimsonRat, AvosLocker & MaliBot

Author avatar of Artsiom HolubArtsiom Holub
• 5 minute read
View blog >

In the latest edition of the Cybersecurity Threat Spotlight, the Cisco Secure threat analysts examine the expansion of an advanced persistent threat (APT) group, the evolution of a ransomware-as-a-service (RaaS) offering, and the rise of mobile malware.

Want to learn more about how Cisco Umbrella can help protect your network against threats like these? Sign up for a free trial today!

CrimsonRAT

Threat Type: RAT

Delivery and Exfiltration:

A graphic illustrating the delivery and exfiltration chain for CrimsonRAT. The chain is as follows: Malspam to Malicious Document to CrimsonRAT to Command and Control. The graphic indicates that Cisco Secure products protect users from malicious documents and command and control.

Description: CrimsonRAT is a remote access Trojan used to take remote control of infected systems and steal data. We know this particular RAT is used by the Transparent Tribe APT group. CrimsonRAT’s targets include educational, governmental and military entities in the Indian subcontinent. The main goal of operations is to steal sensitive information and establish long-term access into a compromised network. The malware also has the following capabilities:

  • Getting the running process on the system
  • Getting the drives, directories, and files on the system
  • Get host names, user IDs, and capture screenshots
  • Get data from the C2 server using custom ports to connect to the C2 server

CrimsonRAT Spotlight: Cisco Talos recently discovered an ongoing campaign conducted by the Transparent Tribe APT group against students at various educational institutions in India. This indicates that the APT is actively expanding its network of victims to include civilian users. The attacks result in the deployment of CrimsonRAT, Transparent Tribe’s malware of choice for establishing long-term access to victim networks. Transparent Tribe is suspected to have links to Pakistan and has been known to use their CrimsonRAT implant against human rights activists in Pakistan.

Target Geolocations: India, Afghanistan, Pakistan
Target Data: Credentials from Web Browsers, Data from Removable Media, Local Email Collection
Target Businesses: Government Sector, Military, Educational Institutions
Exploits: N/A

Mitre ATT&CK for CrimsonRAT

Initial Access:
Phishing

Persistence:
Registry Run Keys/Startup Folder

Evasion:
Impair Defense

Collection:
Screen Capture
Input Capture: Keylogging

Discovery:
File and Directory Discovery
Process Discovery
Security Software Discovery
System Information Discovery
System Network Configuration Discovery

Command and Control:
Ingress Tool Transfer

Exfiltration:
Exfiltration Over Command and Control Channel using Non-Application Layer Protocol

IOCs

IPs:
192[.]3[.]99[.]68
198[.]37[.]123[.]126

Domains:
studentsportal[.]live
geo-news[.]tv
cloud-drive[.]store
user-onedrive[.]live
drive-phone[.]online
studentsportal[.]co
studentsportal[.]website
nsdrive-phone[.]online
statefinancebank[.]com
in[.]statefinancebank[.]com
centralink[.]online
cloud-drive[.]geo-news[.]tv
drive-phone[.]geo-news[.]tv
studentsportal[.]geo-news[.]tv
user-onedrive[.]geo-news[.]tv
studentsportal[.]live[.]geo-news[.]tv
phone-drive[.]online[.]geo-news[.]tv
sunnyleone[.]hopto[.]org
swissaccount[.]ddns[.]net

URLs:
hxxps[://]studentsportal[.]live/download[.]php?file=Mental_Health_Survey[.]docm
hxxps[://]studentsportal[.]website/download[.]php?file=5-mar[.]zip

Additional Information:
Transparent Tribe begins targeting education sector in latest campaign

Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

AvosLocker

Threat Type: Ransomware

Delivery and Exfiltration:

A graphic illustrating the delivery and exfiltration chain for AvosLocker. The chain is as follows: vulnerable server to Log4Shell exploit to mimikatz to cobalt strike to AvosLocker. The graphic indicates that Cisco Secure products protect users from Cobalt Strike.

Description: Well funded and financially motivated, the Avos ransomware group has been active since June 2021, when they initially targeted Windows machines. More recently, a new variant of the ransomware AvosLocker – named after the group – has been spotted targeting Linux environments. The Avos group follows the ransomware-as-a-service (RaaS) model, an affiliate program used to recruit potential partners. The announcement of their program includes information about the features of the ransomware and lets affiliates know that AvosLocker operators will handle negotiation and extortion practices.

AvosLocker Spotlight: In a recent customer engagement, Cisco Talos observed a month-long AvosLocker campaign. The initial ingress point in this incident was a pair of VMWare Horizon Unified Access Gateways that were vulnerable to Log4Shell. Several vulnerabilities associated with Log4j were found:

  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-45105
  • CVE-2021-44832

These vulnerabilities can potentially allow remote code execution on Unified Access Gateways by a low-privilege non-root user named “gateway.” After a malicious actor established a foothold on the customer’s network, access to the initial servers was achieved. Then, the attackers utilized several different tools – including Cobalt Strike, Silver, and multiple commercial network scanners – to deploy AvosLocker.

Target Geolocations: Any
Target Data: Any
Target Business: Any
Exploits: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-44832

Mitre ATT&CK for AvosLocker

Initial Access:
Exploit Public-Facing Application
Valid Accounts

Execution:
Command and Scripting Interpreter
Software Deployment Tools

Persistence:
Create Account
Boot or Logon Autostart Execution

Defense Evasion:
Modify Registry
Impair Defense
Deobfuscate/Decode Files or Information
Indicator Removal on Host

Credential Access:
OS Credential Dumping
Unsecured Credentials
Credentials from Password Stores

Discovery:
File and Directory Discovery
Network Share Discovery
Process Discovery
Remote System Discovery

Lateral Movement:
Remote Services
Software Deployment Tools

Command and Control:
Remote Access Software

Impact:
Data Encrypted for Impact
Service Stop
Inhibit System Recovery
Defacement

IOCs

Hashes:
ffd933ad53f22a0f10cceb4986087258f72dffdd36999b7014c6b37c157ee45f
cee38fd125aa3707DC77351dde129dba5e5aa978b9429ef3e09a95ebf127b46b

URLs:
hxxp[://]45[.]136[.]230[.]191:4000/D234R23

IPs:
176[.]113[.]115[.]107
45[.]136[.]230[.]191

Additional Information:
Avos ransomware group expands with new attack arsenal

Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

MaliBot

Threat Type: Mobile Trojan

Delivery and Exfiltration:

A graphic illustrating the delivery and exfiltration chain for MaliBot.

Description: MaliBot is a mobile Trojan that targets Android users. Delivered via phishing text messages or Trojanized apps, this malware can steal credentials, cookies, MFA codes, and cryptocurrency wallets. This allows it to bypass multi-factor authentication processes, remotely control infected devices using a VNC server implementation, run and delete applications on demand, steal and send SMS messages, and carry out injection/overlay attacks.

MaliBot Spotlight: Security researchers recently discovered a new strain of Android malware which they have dubbed “MaliBot.” Its main targets include online banking customers in Spain and Italy. MaliBot can steal credentials and cookies. It can also bypass multi-factor authentication (MFA) codes and remotely control infected devices using a VNC server implementation.

MaliBot’s command and control (C2) is in Russia and it appears to use the same servers that were used to distribute the Sality malware. Distribution of MaliBot occurs in one of two ways: by attracting victims to fraudulent websites – where they are tricked into downloading the malware – or by directly sending SMS phishing messages to mobile phone numbers.

Thus far, the malware actors have created two campaigns – “Mining X” and “TheCyrptoApp” – each of which has a website with a download link to the malware. As with much other Android malware, MaliBot performs most of its malicious operations by abusing Android’s Accessibility API. MaliBot also collects information from the infected device, including its IP, AndroidID, model, language, and installed application list.

MaliBot is part of a trend of mobile malware on the rise, and users should be aware of it.

Target Geolocations: Spain, Italy
Target Data: User Credentials, Cryptocurrency Wallet Data, SMS Messages, Personal Data, Financial Information
Target Businesses: N/A
Exploits: N/A

Mitre ATT&CK for MaliBot

Initial Access:
Phishing
Trojanized Apps

Execution:
Native API

Persistence:
Foreground Persistence
Event Triggered Execution

Evasion:
Foreground Persistence
Hide Artifacts
Input Injection
Native API
Virtualization/Sandbox Evasion: System Checks

Credential Access:
Access Notifications
Clipboard Data
Input Capture

Discovery:
File and Directory Discovery
Process Discovery
Software Discovery
System Information Discovery

Collection:
Access Notifications
Call Control
Clipboard Data
Input Capture
Protected User Data
Screen Capture

Command and Control:
Application Layer Protocol: Web Protocols

Exfiltration:
Exfiltration Over C2 Channel

IOCs

IP:
5[.]101[.]0[.]44

Domains:
mining-x[.]tech
mycrypto-app[.]com

Additional Information:
F5 Labs Investigates MaliBot

Which Cisco Secure Products Can Block:
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

Take Umbrella for a 14-day test drive

Experience it block more threats, speed incident response, and improve internet performance.

Get your Free Trial

MaliBot, a Trojan that targets Android users, is part of a trend of mobile malware on the rise, and users should be aware of it.

Tweet this quote

Additional Resources

Suggested Blogs