In this month’s edition of Cybersecurity Threat Spotlight, we’re digging into three of the cyberthreats currently impacting users: the APT MuddyWater, the RAT Manjusaka and the malvertising campaign SocGholish.
Want to learn more about how Cisco Umbrella helps protect users? Request a free demo today!
MuddyWater
Threat Type: APT
Delivery and Exfiltration:
Description: MuddyWater (also known as MERCURY) is an APT which has primarily been used to attack Middle Eastern nations. However, attacks have also been observed against surrounding nations and further abroad. This includes targets in India and the U.S.A.
MuddyWater attacks are characterized by the use of both custom and well-known hacking tools as well as built-in operating system tools for its hands-on-keyboard attack. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.
MuddyWater Spotlight: In July, researchers observed MuddyWater using Log4j exploits with vulnerable SysAid Server instances as its initial access vector. SysAid provides IT management tools and might have been an attractive target for its presence in the targeted country.
Once initial access is achieved, the threat actor establishes persistence using several methods that include:
- Dropping a web shell that provides effective and continued access to the compromised device
- Adding a user and elevating their privileges to local administrator
- Adding leveraged tools in the startup folders and ASEP registry keys, ensuring their persistence upon device reboot
- Stealing credentials
Threat actors used different methods to communicate with their command-and-control (C2) server, including:
- Built-in operating system tools like PowerShell
- A tunneling tool called vpnui.exe, which is a unique version of the open-source tool Ligolo
- Remote monitoring and management software called eHorus
Target Geolocations: Israel, India, Pakistan, Turkey, Kazakhstan, Armenia, Syria, Bahrain, South Africa, Sudan, U.S.A.
Target Data: Credentials
Target Businesses: Government Sector, Military
Exploits: CVE-2021-44228, CVE-2021-45046
Mitre ATT&CK for MuddyWater
Initial Access:
Exploit Public-Facing Application
Persistence:
Account Manipulation
Create Account
Registry Run Keys/Startup Folder
Evasion:
Virtualization/Sandbox Evasion
Credential Access:
OS Credential Dumping
Lateral Movement:
Remote Services
Software Deployment Tools
Command and Control:
Ingress Tool Transfer
Exfiltration:
Exfiltration Over Command and Control Channel
IOCs
Domains:
sygateway[.]com
IPs:
91[.]121[.]240[.]104
164[.]132[.]237[.]64
Additional Information:
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
Which Cisco Products Can Block:
Cisco Secure Endpoint (AMP for Endpoints)
Cisco Secure Email
Cisco Secure Firewall/Secure IPS (Network Security)
Cisco Secure Malware Analytics (Threat Grid)
Cisco Umbrella
Cisco Secure Web Appliance
Manjusaka
Threat Type: RAT
Delivery and Exfiltration:
Description: Manjusaka is a newly discovered attack framework. It includes a RAT whose C2 server is an ELF binary written in GoLang. The implants are written in the Rust programming language and offer a variety of capabilities for controlling the infected endpoint, including executing arbitrary commands. Cisco Talos discovered EXE and ELF versions of the implant.
Functionality includes (but is not limited to):
- Collecting browser credentials
- Getting file information
- Taking screenshots
- Obtaining comprehensive system information
- Activating the file management module to carry out file-related activities
Manjusaka Spotlight: The researchers at Cisco Talos recently discovered a new attack framework being used in the wild. The framework – which goes by the name “Manjusaka” – is currently being advertised as a Cobalt Strike imitation and has the potential to become a prevalent threat in the near future.
Implants for this new malware family are written in the Rust language for Windows and Linux. Threat actors can find a freely available and fully functional version of the command and control (C2) written in GoLang with a user interface in Simplified Chinese. This makes it easy to create new implants with custom configurations, increasing the chance of wider adoption.
The observed campaign consisted of a distribution of a maldoc to targets, leading to the deployment of Cobalt Strike beacons on the infected systems. The infection chain involves the use of a maldoc masquerading as a report and advisory on the COVID-19 pandemic in Golmud City, one of the largest cities in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province – specifically citing a case of COVID-19 and the subsequent contact tracing of individuals.
Target Geolocations: Any
Target Data: Any
Target Businesses: Any
Exploits: N/A
Mitre ATT&CK for Manjusaka
Initial Access:
Phishing
Execution:
Command and Scripting Interpreter
Defense Evasion:
Process Injection
Credential Access:
OS Credential Dumping
Credentials from Password Stores
Credentials from Web Browsers
Discovery:
System Information Discovery
System Network Connections Discovery
File and Directory Discovery
Command and Control:
Web Service
IOCs
URLs:
https[://]39[.]104[.]90[.]45/2WYz
http[://]39[.]104[.]90[.]45/2WYz
http[://]39[.]104[.]90[.]45/IE9CompatViewList.xml
http[://]39[.]104[.]90[.]45/submit.php
IPs:
39[.]104[.]90[.]45
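The MuddyWater and Manjusaka indicators above are published defanged (`[.]`, `[://]`) so they cannot be clicked by accident, which also means they cannot be matched against telemetry as-is. The script below is an added example, not code from this post or from any Cisco product: it refangs the published indicators, buckets them by kind (URL, IP, domain) and scans a handful of constructed DNS, proxy and connection log lines for hits, treating any subdomain of a listed domain as a match. The log format and field names (`qname=`, `dst=`) are invented for the demo.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the MuddyWater and Manjusaka IOC lists in this post,
# kept defanged exactly as published. Everything else here is constructed.
DEFANGED_IOCS = [
    "sygateway[.]com",
    "91[.]121[.]240[.]104",
    "164[.]132[.]237[.]64",
    "https[://]39[.]104[.]90[.]45/2WYz",
    "http[://]39[.]104[.]90[.]45/2WYz",
    "http[://]39[.]104[.]90[.]45/IE9CompatViewList.xml",
    "http[://]39[.]104[.]90[.]45/submit.php",
    "39[.]104[.]90[.]45",
]

# Constructed sample log lines (not real telemetry): two DNS queries, one proxy
# request and one raw TCP connection record. The format is invented for the demo.
LOG_LINES = [
    "2022-08-01T10:15:02Z src=10.0.0.5 dns-query qname=sygateway.com qtype=A",
    "2022-08-01T10:15:09Z src=10.0.0.5 proxy GET http://39.104.90.45/submit.php status=200",
    "2022-08-01T10:16:40Z src=10.0.0.9 dns-query qname=www.example.com qtype=A",
    "2022-08-01T10:17:01Z src=10.0.0.9 tcp dst=164.132.237.64:443 bytes=5120",
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Undo the usual defanging: [.] -> ., (.) -> ., [://] -> ://, hxxp -> http."""
    s = ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def classify(ioc: str):
    """Return (kind, normalized value) where kind is 'url', 'ip' or 'domain'."""
    s = refang(ioc)
    if "://" in s:
        return "url", s
    try:
        ipaddress.ip_address(s)
        return "ip", s
    except ValueError:
        return "domain", s.lower().rstrip(".")


def build_index(defanged):
    """Bucket the IOCs by kind; a URL's host is indexed too so bare connections count."""
    idx = {"url": set(), "ip": set(), "domain": set()}
    for ioc in defanged:
        kind, val = classify(ioc)
        idx[kind].add(val)
        if kind == "url":
            host = urlsplit(val).hostname
            if host:
                host_kind, host_val = classify(host)
                idx[host_kind].add(host_val)
    return idx


def domain_matches(name: str, domains) -> bool:
    """Exact or subdomain match, so a.b.sygateway.com hits sygateway.com."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_line(line: str, idx):
    """Return the (kind, value) indicators found in one log line: URLs, then IPs, then hosts."""
    hits = []
    for url in URL_RE.findall(line):
        if url in idx["url"]:
            hits.append(("url", url))
    for ip in IP_RE.findall(line):
        if ip in idx["ip"]:
            hits.append(("ip", ip))
    for host in HOST_RE.findall(line):
        if domain_matches(host, idx["domain"]):
            hits.append(("domain", host.lower()))
    return hits


def scan_logs(lines, idx):
    """Map each matching line to its hits; lines with no hit are dropped."""
    result = {}
    for line in lines:
        hits = scan_line(line, idx)
        if hits:
            result[line] = hits
    return result


if __name__ == "__main__":
    index = build_index(DEFANGED_IOCS)
    for line, hits in scan_logs(LOG_LINES, index).items():
        print(hits, "<-", line)
```

The subdomain rule in `domain_matches` is deliberate: actors rotate hostnames under a C2 domain far more often than they rotate the registered domain itself, so matching on suffix catches the next host before it is published as an IOC. IP hits from a proxy line are reported alongside the URL hit rather than deduplicated, since a connection to the listed IP that does not fetch a listed path is still worth a ticket.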
Additional Information:
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Which Cisco Products Can Block:
Cisco Secure Endpoint (AMP for Endpoints)
Cisco Secure Email
Cisco Secure Firewall/Secure IPS (Network Security)
Cisco Secure Malware Analytics (Threat Grid)
Cisco Umbrella
Cisco Secure Web Appliance (Web Security Appliance)
SocGholish
Threat Type: Drive-By
Description: SocGholish is a drive-by malware framework which has an end goal of achieving persistence, performing recon and establishing a C&C channel for follow-up malware. SocGholish infection spreads via compromised websites injected with a malicious JavaScript implant. This implant is responsible for tricking victims into loading and installing fake browser updates. Final malware ranges from RATs to ransomware.
SocGholish Spotlight: Drive-by campaigns have been part of the arsenal of malicious actors, ranging from initial access brokers to ransomware cybercriminal gangs. One such malware framework is SocGholish, which has been in use since at least 2017.
Recent activity of the group behind SocGholish draws a direct link with ransomware groups associated with WastedLocker, PhoenixLocker and Macaw. SocGholish framework is under constant development, which results in multiple types of injects as well as the frequent detection of newly infected or re-infected websites.
It also appears that the threat actors behind SocGholish use multiple traffic direction system (TDS) services, which let them keep control over infected websites for a prolonged time and so complicate the work of defenders. This malware also uses, amongst other tricks, a domain shadowing technique that was once widely adopted by exploit kits such as Angler EK. The evolution of such campaigns calls for a layered security approach across the network.
Target Geolocations: Any
Target Data: Any
Target Businesses: N/A
Exploits: N/A
Mitre ATT&CK for SocGholish
Initial Access:
Drive-By
Execution:
User Execution
Discovery:
File and Directory Discovery
System Information Discovery
Command and Control:
Application Layer Protocol: Web Protocols
Exfiltration:
Exfiltration Over C2 Channel
IOCs
Domains:
0609.fluctuations.trendylevels[.]com
04be.fluctuations.trendylevels[.]com
3a4e.moments.abledity[.]com
e489.state.thegshrevolution[.]com
0239.templates.victoryoverdieting[.]com
3365.templates.victoryoverdieting[.]com
7684.telegram.godsmightywhispers[.]com
9ac4.telegram.godsmightywhispers[.]com
3a43.roles.thepowerofgodswhisper[.]com
7f2e.telegram.godsmightywhispers[.]com
8a11.roles.thepowerofgodswhisper[.]com
6f6b.roles.thepowerofgodswhisper[.]com
687e.state.thegshrevolution[.]com
b883.roles.thepowerofgodswhisper[.]com
5019.activation.thepowerofhiswhisper[.]com
5b8c.roles.thepowerofgodswhisper[.]com
a006.roles.thepowerofgodswhisper[.]com
f352.roles.thepowerofgodswhisper[.]com
9dc1.roles.thepowerofgodswhisper[.]com
05fe.roles.thepowerofgodswhisper[.]com
a6b4.roles.thepowerofgodswhisper[.]com
d5ad.templates.victoryoverdieting[.]com
8766.roles.thepowerofgodswhisper[.]com
fdcd.roles.thepowerofgodswhisper[.]com
abff.roles.thepowerofgodswhisper[.]com
cb1f.roles.thepowerofgodswhisper[.]com
577e.roles.thepowerofgodswhisper[.]com
1191.roles.thepowerofgodswhisper[.]com
25cf.roles.thepowerofgodswhisper[.]com
af86.roles.thepowerofgodswhisper[.]com
d008.roles.thepowerofgodswhisper[.]com
a1b2.activation.thepowerofhiswhisper[.]com
639b.roles.thepowerofgodswhisper[.]com
f2ed.templates.victoryoverdieting[.]com
29fe.roles.thepowerofgodswhisper[.]com
life.roles.thepowerofgodswhisper[.]com
breatheinnew.life.roles.thepowerofgodswhisper[.]com
3503.fork.topgeargroup[.]shop
8bd2.templates.victoryoverdieting[.]com
f6f2.templates.victoryoverdieting[.]com
7549.fork.topgeargroup[.]shop
4072.fork.topgeargroup[.]shop
5391.fork.topgeargroup[.]shop
75a4.fork.topgeargroup[.]shop
fa9b.roles.thepowerofgodswhisper[.]com
5111.roles.thepowerofgodswhisper[.]com
f3da.roles.thepowerofgodswhisper[.]com
839c.roles.thepowerofgodswhisper[.]com
5785.roles.thepowerofgodswhisper[.]com
57a9.roles.thepowerofgodswhisper[.]com
2639.roles.thepowerofgodswhisper[.]com
1b64.geolocation.mynewtopboyfriend[.]space
45e0.roles.thepowerofgodswhisper[.]com
328c.roles.thepowerofgodswhisper[.]com
195f.roles.thepowerofgodswhisper[.]com
f655.roles.thepowerofgodswhisper[.]com
1f19.roles.thepowerofgodswhisper[.]com
6c04.roles.thepowerofgodswhisper[.]com
1f81.roles.thepowerofgodswhisper[.]com
f08a.roles.thepowerofgodswhisper[.]com
b37b.state.thegshrevolution[.]com
094f.roles.thepowerofgodswhisper[.]com
610a.roles.thepowerofgodswhisper[.]com
4cf0.roles.thepowerofgodswhisper[.]com
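The domain list above illustrates the domain shadowing the Spotlight paragraph describes: almost every host is a short hexadecimal label in front of a fixed label under a handful of registered domains, and new hosts keep appearing under the same apex. The script below is an added example, not code from this post or from any Cisco product. It groups a subset of the published hosts by registered domain, scores each apex by how many distinct FQDNs it carries and what share of their leftmost labels look like 4-hex tokens, and then triages a constructed DNS log into exact IOC hits and "same apex, unseen label" siblings. The two-label apex rule and the `qname=` log format are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Subset of the SocGholish domains published in this post, kept defanged as listed.
SOCGHOLISH_DOMAINS = [
    "3a43.roles.thepowerofgodswhisper[.]com",
    "8a11.roles.thepowerofgodswhisper[.]com",
    "6f6b.roles.thepowerofgodswhisper[.]com",
    "b883.roles.thepowerofgodswhisper[.]com",
    "5b8c.roles.thepowerofgodswhisper[.]com",
    "a006.roles.thepowerofgodswhisper[.]com",
    "life.roles.thepowerofgodswhisper[.]com",
    "breatheinnew.life.roles.thepowerofgodswhisper[.]com",
    "3503.fork.topgeargroup[.]shop",
    "7549.fork.topgeargroup[.]shop",
    "4072.fork.topgeargroup[.]shop",
    "5391.fork.topgeargroup[.]shop",
    "75a4.fork.topgeargroup[.]shop",
    "0239.templates.victoryoverdieting[.]com",
    "3365.templates.victoryoverdieting[.]com",
    "d5ad.templates.victoryoverdieting[.]com",
    "1b64.geolocation.mynewtopboyfriend[.]space",
]

# Constructed DNS query log (not real telemetry). Benign example.com lookups are mixed
# in with lookups of shadowed hosts; 9dc1.roles... is in the post's list but not in
# the subset above, so it exercises the "sibling of a known apex" path.
DNS_LOG = [
    "2022-08-02T09:00:01Z src=10.1.1.4 qname=www.example.com",
    "2022-08-02T09:00:03Z src=10.1.1.4 qname=cdn.example.com",
    "2022-08-02T09:00:05Z src=10.1.1.8 qname=mail.example.com",
    "2022-08-02T09:01:10Z src=10.1.1.8 qname=3a43.roles.thepowerofgodswhisper.com",
    "2022-08-02T09:01:12Z src=10.1.1.8 qname=9dc1.roles.thepowerofgodswhisper.com",
    "2022-08-02T09:02:30Z src=10.1.1.9 qname=3503.fork.topgeargroup.shop",
]

HEX_LABEL = re.compile(r"^[0-9a-f]{4}$")
QNAME_RE = re.compile(r"qname=(\S+)")


def refang(host: str) -> str:
    """Turn a defanged host back into a lower-case FQDN without a trailing dot."""
    return host.strip().replace("[.]", ".").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Assumption: a two-label apex. A production version would consult the Public
    Suffix List so that a host under e.g. .co.uk is not collapsed to 'co.uk'."""
    return ".".join(refang(host).split(".")[-2:])


def shadow_profile(hostnames):
    """Per apex: distinct FQDN count and the share whose leftmost label is a 4-hex token."""
    groups = defaultdict(set)
    for h in hostnames:
        groups[registered_domain(h)].add(refang(h))
    profile = {}
    for apex, fqdns in groups.items():
        hexish = sum(1 for f in fqdns if HEX_LABEL.match(f.split(".")[0]))
        profile[apex] = {"fqdns": len(fqdns), "hex_ratio": hexish / len(fqdns)}
    return profile


def flag_shadowed(profile, min_fqdns=5, min_hex_ratio=0.6):
    """Apexes that sprout many distinct, random-looking hosts; thresholds are tunable."""
    return sorted(apex for apex, p in profile.items()
                  if p["fqdns"] >= min_fqdns and p["hex_ratio"] >= min_hex_ratio)


def qnames_from_log(lines):
    """Pull the queried name out of each constructed log line."""
    out = []
    for line in lines:
        m = QNAME_RE.search(line)
        if m:
            out.append(m.group(1))
    return out


def triage_log(lines, known_iocs):
    """Split observed query names into exact IOC hits and unseen siblings under a
    known shadowed apex, the pattern the text above describes."""
    known = {refang(h) for h in known_iocs}
    known_apex = {registered_domain(h) for h in known_iocs}
    exact, siblings = [], []
    for q in qnames_from_log(lines):
        q = refang(q)
        if q in known:
            exact.append(q)
        elif registered_domain(q) in known_apex:
            siblings.append(q)
    return {"exact": exact, "siblings": siblings}


if __name__ == "__main__":
    print(flag_shadowed(shadow_profile(SOCGHOLISH_DOMAINS)))
    print(triage_log(DNS_LOG, SOCGHOLISH_DOMAINS))
```

On the subset above only `thepowerofgodswhisper.com` and `topgeargroup.shop` clear the default thresholds; `victoryoverdieting.com` has the same shape but too few observed hosts, which is exactly the case a fresh infection looks like, so in practice the profile is rebuilt over a sliding window and the apex is watched once a single hex-labelled host is seen. The sibling bucket is what makes blocking at the registered-domain level (the approach a DNS-layer control takes) pay off: the hex prefix is cheap for the actor to change, the apex is not.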
Additional Information:
What is SocGholish?
CyberCrime GiG Economy
Which Cisco Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance