Summer may be winding down, but August was still an active month for cybercriminals. In this edition of Threat Spotlight, our cybersecurity threat analysis team discusses the ransomware attacks, trojans, and malware loaders that bad actors are currently using to cripple networks and steal data.
Want to learn more about current threat trends? Check out the data our Threat Analysis Team has compiled.
Threat Name: Conti Ransomware
Threat Type: Ransomware
Threat Actors: UNC1878, Wizard Spider, TEMP.MixMaster, and Grim Spider. These threat actors are also known for operating Ryuk ransomware and run a leak site where they publish data exfiltrated from victims who do not pay the ransom.
Delivery and Exfiltration:
Description: Conti is a variant of ransomware spread through droppers in phishing emails. It was first observed in 2020 and affects all versions of Microsoft Windows.
Conti Spotlight: Conti ransomware is often the final stage of exploitation in a series of compromises of victim systems.
Infection typically begins with delivery of a malicious JavaScript file, zipped as an attachment to a phishing email. If it is run on a Windows system, an IcedID DLL is installed and the system starts beaconing to at least one C2 server. In reported infections, the C2 connections are the only activity for several days, until a Cobalt Strike beacon is installed. Within hours of that, threat actors have been observed using both the IcedID DLL and the Cobalt Strike payloads to explore the system, escalate privileges, move laterally, exfiltrate data, and finally encrypt all systems with AES-256 using Conti ransomware.
Conti is loaded directly into memory, avoiding writing anything to disk. Persistence for the IcedID DLL and Cobalt Strike beacons has been seen via the creation of a local user that is then added to the Administrators group. Antivirus and endpoint detection software are typically disabled by modifying existing group policies.
Conti evades analysis by calling certain functions through encrypted hash values rather than plain-text function names. While encrypting files, Conti continues attempting to connect to other systems over SMB.
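The persistence pattern described above (a freshly created local account added to the Administrators group before Conti is deployed) can be checked from the Windows Security log. The following is an added example written for this post, not code from the original article or from Cisco: it correlates event 4720 (user account created) with event 4732 (member added to a security-enabled local group) over constructed sample events, and assumes the log has already been parsed into the field names used here.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Well-known SID of the built-in Administrators group.
ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events (not taken from the post). The field names are an
# assumption about how the Security log has been parsed:
#   4720 = a user account was created
#   4732 = a member was added to a security-enabled local group
SAMPLE_EVENTS = [
    {"time": "2021-08-03T02:14:09", "id": 4720, "subject": "CORP\\svc-backup",
     "target": "sysadm1n", "group_sid": None},
    {"time": "2021-08-03T02:14:41", "id": 4732, "subject": "CORP\\svc-backup",
     "target": "sysadm1n", "group_sid": ADMINISTRATORS_SID},
    {"time": "2021-08-03T09:30:00", "id": 4720, "subject": "CORP\\hr-admin",
     "target": "jdoe", "group_sid": None},
    # Added to Users (S-1-5-32-545), not Administrators: routine onboarding.
    {"time": "2021-08-03T09:31:10", "id": 4732, "subject": "CORP\\hr-admin",
     "target": "jdoe", "group_sid": "S-1-5-32-545"},
    # Elevation with no creation event in the window: not this pattern, so
    # this rule stays quiet about it.
    {"time": "2021-08-04T11:00:00", "id": 4732, "subject": "CORP\\it-ops",
     "target": "old-account", "group_sid": ADMINISTRATORS_SID},
]


def find_new_local_admins(events: List[Dict],
                          window: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Return accounts that were created (4720) and then added to the local
    Administrators group (4732) within `window`, the persistence pattern
    described for the IcedID/Cobalt Strike stage preceding Conti."""
    created = {}  # account name -> (creation time, creating subject)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = (t, ev["subject"])
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            if ev["target"] in created:
                t0, creator = created[ev["target"]]
                if t - t0 <= window:
                    hits.append({
                        "account": ev["target"],
                        "created_by": creator,
                        "elevated_by": ev["subject"],
                        "seconds_between": int((t - t0).total_seconds()),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_new_local_admins(SAMPLE_EVENTS):
        print(f"new local admin {hit['account']} created by {hit['created_by']} "
              f"and elevated by {hit['elevated_by']} after {hit['seconds_between']}s")
```

On the constructed input only `sysadm1n` is reported: it was created and elevated by the same account 32 seconds apart. The one-hour window is a starting point; an adversary operating over days, as the post describes for the IcedID beaconing phase, may separate the two steps further, so widening the window and pairing the rule with the group policy changes mentioned above gives better coverage.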
Target Geolocations: North America
Target Data: Any
Target Businesses: Corporations, Government
Exploits: N/A
MITRE ATT&CK for Conti
Initial Access: Phishing
Persistence: N/A
Execution: Command and Scripting Interpreter: Windows Command Shell, Native API
Evasion: Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection
Collection: N/A
Command and Control: N/A
Exfiltration: Exfiltration Over Web Service, Transfer Data to Cloud Account, Exfiltration Over C2 Channel
IOCs
IcedID C2s
68.183.20[.]194:80
159.89.140[.]116:443
vaclicinni[.]xyz
83.97.20[.]160:443
oxythuler[.]cyou
expertulthima[.]club
dictorecovery[.]cyou
thulleultinn[.]club
Cobalt Strike C2s
192.99.178[.]145:80
dimentos[.]com
docns[.]com
Tapavi[.]com
URL Paths
/us/ky/louisville/312-s-fourth-st.html
/menus.aspx
/Menus.aspx
Cobalt Strike Sha256
3b375dcda1f6019d986de1f7ae3458657e623c4f401c121e660add55d36a9e8c
4e3d8806e6c9ba334166f12ffe4e27dbde203425c882fccf1e452f77355b7d25
e974c09f204b99bfcdeb9fe4a561a28e064c612132829919f8b99a838c2b2106
af218e34e12216d56e5c6c86704804866100aa09ccb9160bc4029492c3f1f959
591677b54eb556e7e840670eccb2d62434e336af6d3908394d17cb26e99c4733
Conti DLL Hash
5c278c04bb19196dc8559d45b9728b3ba0c1bc5cdd20a766f56248e561c6f5a6
Which Cisco Products Can Block
AMP
CWS
Network Security
Secure Network Analytics
Secure Cloud Analytics
Threat Grid
Cisco Umbrella
WSA
Threat Name: FormBook
Threat Type: Trojan
Delivery and Exfiltration:
Description: FormBook is a trojan information stealer spread through malspam carrying malicious document or archive attachments. It was first observed in 2016 and operates under the malware-as-a-service (MaaS) model, which makes it easy for cybercriminals to deploy.
FormBook Spotlight: The recent campaign still uses malspam as its initial access vector, but the weaponized files have expanded from the previously observed PDF and Microsoft Office documents to include Microsoft PowerPoint. Malicious actors often abuse online storage platforms and collaboration apps to host the weaponized documents. The kill chain also uses embedded VBA scripts, which load malicious code through PowerShell via URL shorteners. FormBook is capable of logging keystrokes, stealing clipboard contents, extracting data from HTTP sessions and network requests, and grabbing passwords from browsers and email clients. One of its significant features is duplication of the ntdll.dll module, which prevents analysts from identifying the APIs it calls and renders API monitoring mechanisms ineffective. The malware can detect analysis environments such as sandboxes and the presence of debuggers. Its persistence method randomly changes the path, filename, file extension, and registry key used for persistence.
FormBook can also execute commands from a command and control (C2) server, including instructions to download and execute files, start processes, shut down or reboot the system, and steal cookies and local passwords.
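Because the persistence described for FormBook randomizes the Run value, the file name, its extension and its folder, looking for a fixed name is pointless; diffing autorun snapshots and scoring what changed works better. The following is an added example for this post, not FormBook code or Cisco tooling. It compares two constructed snapshots of HKCU Run entries (as exported from the registry into a dictionary; the export step is assumed) and tags every new, changed or removed entry with crude traits. The regular expressions and the set of "normal" extensions are assumptions to tune per environment.

```python
import re
from typing import Dict, List

# Extensions one normally expects behind a Run value; anything else counts as
# a trait worth reviewing. Heuristic, not a rule.
COMMON_EXT = {"exe", "dll"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
# Six or more alphanumerics mixing letters and digits: a crude proxy for the
# randomized names the post describes; allowlist legitimate exceptions.
RANDOMISH = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$", re.IGNORECASE)

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed autorun snapshots (not from the post): {"key\value": command}.
BASELINE = {
    RUN + r"\OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    RUN + r"\Xh92mq": r"C:\Users\alice\AppData\Roaming\Xh92mq\Xh92mq.com",
}
CURRENT = {
    RUN + r"\OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    # The earlier random entry is gone and a fresh one has taken its place.
    RUN + r"\Qk7p2vtb": r"C:\Users\alice\AppData\Roaming\Lr4hx8\Lr4hx8.scr",
}


def target_path(command: str) -> str:
    """Executable path from a Run value: the quoted string if present,
    otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_traits(entry: str, command: str) -> List[str]:
    """Traits of one Run entry that match the randomized-persistence pattern."""
    path = target_path(command)
    filename = path.rsplit("\\", 1)[-1]
    stem, _, ext = filename.rpartition(".")
    if not stem:  # no dot: the whole name is the stem and there is no extension
        stem, ext = filename, ""
    value_name = entry.rsplit("\\", 1)[-1]
    traits = []
    if USER_WRITABLE.match(path):
        traits.append("target under a user profile (writable without admin rights)")
    if RANDOMISH.match(value_name) or RANDOMISH.match(stem):
        traits.append("random-looking value name or file name")
    if ext.lower() not in COMMON_EXT:
        traits.append(f"unusual extension '.{ext}'")
    return traits


def audit_autoruns(baseline: Dict[str, str], current: Dict[str, str]) -> List[Dict]:
    """Diff two snapshots of Run entries and describe each change."""
    findings = []
    for entry, command in current.items():
        if baseline.get(entry) == command:
            continue  # unchanged since the baseline
        change = "new" if entry not in baseline else "changed"
        findings.append({"entry": entry, "change": change,
                         "traits": suspicious_traits(entry, command)})
    for entry in baseline.keys() - current.keys():
        findings.append({"entry": entry, "change": "removed", "traits": []})
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(BASELINE, CURRENT):
        print(f"{f['change']:>8}  {f['entry']}  {'; '.join(f['traits'])}")
```

On the constructed snapshots the report shows one removed random entry and one new entry carrying all three traits; a removal paired with an addition of that shape between two snapshots is exactly the rotation the post describes. The same diff over `HKLM` Run keys and the Startup folder closes the other persistence locations listed in the ATT&CK mapping below.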
Target Geolocations: United States, South Korea
Target Data: User Credentials, Banking Information
Target Businesses: Manufacturing, Aerospace, and Others
Exploits: CVE-2017-0199, CVE-2017-11882, CVE-2017-8570
MITRE ATT&CK for FormBook
Initial Access: Malspam
Persistence: Registry Run Keys / Startup Folder, Hooking
Execution: Command and Scripting Interpreter: Windows Command Shell
Evasion: Obfuscated Files or Information, Virtualization/Sandbox Evasion, Process Injection
Collection: Man in the Browser, Screen Capture, Input Capture, Clipboard Data
Command and Control: N/A
Exfiltration: Exfiltration Over Command and Control Channel, Data Encrypted
References: Talos blog – FormBook
IOCs
Domains
2014ie[.]com
flixstra[.]com
savetheboxes[.]com
thegroveatcovina[.]com
insidescripps[.]net
algerie24news[.]com
blimpcitybrewing[.]com
communityhealingproject[.]com
joint-care02[.]xyz
prendre-soin-de-moi[.]com
stdymdmicrosoftfmast[.]dns[.]army
choshmardokaan[.]com
kabtex[.]com
mamerholding[.]com
megazila[.]online
serverbrake[.]com
vittalittashop[.]com
paysage-piscine[.]com
mistakenid[.]com
zteenpatti[.]com
kustomhydraulics[.]com
arisealf[.]com
iddomum[.]com
Which Cisco Products Can Block
AMP
CWS
Network Security
Secure Network Analytics
Secure Cloud Analytics
Threat Grid
Cisco Umbrella
WSA
Threat Name: BazarLoader
Threat Type: Loader
Delivery and Exfiltration:
Description: BazarLoader (also known as BazarBackdoor or Team9 Backdoor) is a malware family used by adversaries to gain a foothold in compromised enterprise networks. This strain uses C&C domains under the .bazar top-level domain, which is provided by EmerDNS, a peer-to-peer decentralized domain name system in OpenNIC; that design makes it very difficult, if not impossible, for law enforcement to take over the domains. Once the C2 channel has been established, the loader injects its payload into a system process using the process hollowing technique and creates a registry key to achieve persistence. Follow-up malware such as TrickBot is then downloaded onto the compromised system.
BazarLoader Spotlight: A recent campaign dubbed BazarCall uses a very unusual method to deliver the malware. The messages include a telephone number in the message body and claim that recipients must unsubscribe from a trial of a service or their credit cards will be charged. The next stage of the attack leads to a legitimate-looking website operated by the threat actors; when the user tries to unsubscribe, the page delivers a malicious Excel or Word document. This document invokes malicious scripts to download and execute one or more payload DLLs, which spawn a legitimate Windows component and inject the malware DLL into that process's memory space. The malware then proceeds to C&C activities, which include, but are not limited to, profiling the host, downloading additional payloads, executing PowerShell scripts, quitting, and deleting itself. As with other loaders, the presence of BazarLoader can lead to a highly dangerous infection with more sophisticated malware such as TrickBot.
Target Geolocations: Any
Target Data: N/A
Target Businesses: Any
Exploits: N/A
MITRE ATT&CK for BazarLoader
Initial Access: Spearphishing Attachment, Spearphishing Link
Persistence: Registry Run Keys / Startup Folder, Startup Items
Privilege Escalation: Process Injection
Execution: Command-Line Interface, Execution Through API, Rundll32
Evasion: Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Process Injection, Virtualization/Sandbox Evasion, File Deletion, Modify Registry, Rundll32
Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Time Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion
Command and Control: Standard Application Layer Protocol
References: Talos Blog – BazarLoader
IOCs
Domains
prinpro[.]us
printequip[.]us
printools[.]us
proprin[.]us
profiprint[.]us
australiatourism[.]bazar
bestsightsofwildaustralia[.]bazar
restinaustraliaplace[.]bazar
sightsofsydney21[.]bazar
sydneynewtours[.]bazar
vacationinsydney2021[.]bazar
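The three IOC lists in this post (the Conti/IcedID/Cobalt Strike hosts and URL paths, the FormBook domains, and the BazarLoader domains above) are printed defanged, and the BazarLoader description notes that its C2 lives under the EmerDNS .bazar TLD, which ordinary resolvers do not serve. The following is an added example, not code from the post or from Cisco: it refangs a subset of the listed indicators, then scans constructed DNS and proxy log lines for listed hosts, for any .bazar lookup regardless of whether the name is on the list, and for the Cobalt Strike URL paths. The log line layout is an assumption; adapt the regular expression to your proxy or DNS log format.

```python
import re
from typing import Dict, List

# Indicators copied from the lists in this post, still defanged as printed.
CONTI_IOCS = [
    "68.183.20[.]194:80", "159.89.140[.]116:443", "vaclicinni[.]xyz",
    "192.99.178[.]145:80", "dimentos[.]com", "docns[.]com", "Tapavi[.]com",
]
FORMBOOK_IOCS = ["2014ie[.]com", "flixstra[.]com", "stdymdmicrosoftfmast[.]dns[.]army"]
BAZAR_IOCS = ["prinpro[.]us", "australiatourism[.]bazar"]
COBALT_STRIKE_PATHS = {"/us/ky/louisville/312-s-fourth-st.html", "/menus.aspx", "/Menus.aspx"}

IPV4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4:443, evil[.]com) into a bare,
    lower-cased host; the port is dropped so the host matches on any port."""
    host = ioc.replace("[.]", ".").strip().lower()
    m = IPV4_PORT.match(host)
    return m.group(1) if m else host


# Constructed sample log lines (not from the post), one per request:
#   timestamp client protocol host path
SAMPLE_LOGS = [
    "2021-08-12T10:01:02 10.0.4.17 dns vaclicinni.xyz -",
    "2021-08-12T10:01:05 10.0.4.17 http 159.89.140.116 /",
    "2021-08-12T10:20:00 10.0.4.17 http 192.99.178.145 /menus.aspx",
    "2021-08-12T11:00:00 10.0.7.9 dns www.example.com -",
    "2021-08-12T11:05:00 10.0.7.9 dns tripstoperth2021.bazar -",
    "2021-08-12T11:06:00 10.0.7.9 http cdn.example.com /Menus.aspx",
]
LOG_LINE = re.compile(r"^(\S+) (\S+) (dns|http) (\S+) (\S+)$")


def scan(lines: List[str], iocs: List[str], paths=COBALT_STRIKE_PATHS) -> List[Dict]:
    """Flag lines whose host is a listed C2, whose host uses the .bazar
    EmerDNS TLD (any such lookup from a corporate host is worth a look), or
    whose URL path matches one seen with Cobalt Strike."""
    known = {refang(i) for i in iocs}
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, _proto, host, path = m.groups()
        host = host.lower()
        reasons = []
        if host in known:
            reasons.append("listed C2 host")
        if host.endswith(".bazar"):
            reasons.append(".bazar TLD (EmerDNS/OpenNIC)")
        if path in paths:
            reasons.append("URL path seen with Cobalt Strike (weak alone)")
        if reasons:
            alerts.append({"time": ts, "client": client, "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS, CONTI_IOCS + FORMBOOK_IOCS + BAZAR_IOCS):
        print(a["time"], a["client"], a["host"], "; ".join(a["reasons"]))
```

The path-only hit on `cdn.example.com` is reported with its weakness spelled out: `/menus.aspx` is a plausible path on legitimate sites, so treat it as context to combine with a host or hash match rather than as an alert on its own. The `.bazar` rule, by contrast, needs no list: the TLD does not exist in the public DNS root, so any query for it deserves a look.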
Which Cisco Products Can Block
Cisco Secure Endpoint
Cloud Web Security
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance