Lastline Threat Intelligence Briefing – 10 JAN 2020
Welcome back to a brand new year and another Lastline Threat Intelligence Briefing! We hope your new year was fantastic! This short briefing gives Lastline customers and other interested parties a regular recap of the most important malware news and events of the previous two weeks. You will find links to reports and analysis from multiple sources, provided for your benefit. This briefing also includes public links to our Lastline Knowledge Base (LLKB), giving you the technical threat intelligence you may need to see how each piece of malware operates (these links do not require paid access to LLKB or a login). If you received this email from someone else and are not a Lastline customer, reach out for a free demo and see how Lastline’s unmatched Threat Intelligence and Network Detection provide deep value on threats, both garden-variety and zero-day.
This briefing is provided as a free service to Lastline customers and other parties interested in reading more about events in the world of malware. We respect your time and privacy, and if you do not wish to receive this regular digest, just send us a quick note at email@example.com and we’ll immediately remove you from the distribution.
A new self-registration portal is now available for people to subscribe! If you have other people on your team who you think would benefit from this short briefing, please send them to https://go.lastline.com/threat-brief-signup.html and they can sign up in seconds.
Also new for 2020: as you are clearly reading it here, the contents of this briefing will also be placed on the Lastline Blog.
Item 1: North Korea’s Lazarus APT Group back with an update to AppleJeus
The North Korean APT group is back at it, trying to steal cryptocurrency with updates to its Mac OS malware.
MITRE ATT&CK information on Lazarus Group: https://attack.mitre.org/groups/G0032/
Lazarus Group has been responsible for many massive incidents over the years. Many have been aimed at stealing tens of millions of dollars to fund North Korea, and many have been political in nature. North Korea’s hackers have been spotted repeatedly launching campaigns of all kinds to steal currency in support of their country. While the volume of Mac OS malware is far smaller than what we see hitting Windows machines, it is always important to remind users that they are not immune from attack simply by moving to a Mac.
Lastline easily detects all known variants of this newly modified malware as malicious.
Item 2: BRONZE PRESIDENT group spotted launching targeted campaigns against NGOs in Southeast Asia
Our colleagues at Secureworks have documented a new campaign targeting non-governmental organizations (NGOs) with the goal of long-term intelligence collection.
MITRE ATT&CK information on BRONZE PRESIDENT: as of this writing there is no MITRE ATT&CK entry for this group, but as they become more prevalent, expect a dossier on their TTPs to appear. Other Chinese groups such as BRONZE BUTLER are likely related, though: https://attack.mitre.org/groups/G0060/
Chinese state-sponsored groups are often sent out onto the internet to attack organizations and targets that are either unfriendly to the PRC or known to be gathering information on its actions inside (and outside) Chinese borders. If your organization deals with any NGO that may be collecting or disseminating information about Chinese activities globally, you may find yourself targeted directly, or have your information collected through the NGO you work with. It is essential to spend time strategizing about the potential for targeting by various state-sponsored groups and how to defend against or deflect a campaign aimed at you.
We analyzed a number of samples related to this new campaign, and all were easily detected by Lastline Defender. Most samples from attackers like these still rely on a targeted user to give them that initial foothold, which you can mitigate and minimize through continual security education.
Item 3: OceanLotus/APT32 spreading new campaign via Facebook
Information as of this writing is minimal, but it appears APT32 has started a new infection campaign using Facebook posts and messages to lure people into downloading a malicious zip file from Dropbox.
MITRE ATT&CK information on APT32: https://attack.mitre.org/groups/G0050/
While this campaign currently appears to be limited to Vietnam-based victims, we must remember that if a group finds success in one area with a specific attack vector, it will try the same vector elsewhere at a later date. The only real two-pronged defense in situations like this is user education, coupled with the power of an NDR tool like Lastline Defender to detect both the malicious payload and the beaconing to a known bad location. Defense in depth is still a solid strategy.
At the time of this writing, samples are limited, but our AI-powered analysis has no trouble tearing this sample apart and dissecting the numerous malicious behaviors observed.
Item 4: FIN7 is back with an updated Carbanak backdoor
The FIN7 group, known for years as a skilled cybercriminal crew, is back with an update to Carbanak that employs some new tricks to plant malware.
MITRE ATT&CK information on FIN7/Carbanak Group: https://attack.mitre.org/groups/G0046/
This update to Carbanak isn’t the first malware to abuse legitimate techniques to deliver malware, and it won’t be the last. It employs numerous methods to evade detection and, as of this writing, is not well detected by many AV vendors. In cases like this, having a solution like Lastline Defender that can detect malicious code reuse by attackers is essential to stopping threats. Attackers build upon previous products just as legitimate software developers do, and that code reuse is easily detected by Lastline Defender.
MITRE ATT&CK information on Binary Planting/DLL Search Order Hijacking: https://attack.mitre.org/techniques/T1038/
Lastline Defender has no issues detecting all new Carbanak samples as malicious and blocks them.
Item 5: Cloud Hopper’s damage is much bigger than initially thought
Major corporations and technology firms are reported to have fallen victim to the Chinese state-sponsored group APT10, and for a much longer period than they thought.
MITRE ATT&CK information on APT10/Stone Panda: https://attack.mitre.org/groups/G0045/
The complex and massive cloud infrastructures we have built, and are still building, make it incredibly difficult to find and expunge an attacker who has gained a beachhead inside your environment. We’re not looking for needles in haystacks anymore… we’re looking for atoms in haystacks. This group is highly talented and has been in operation for at least a decade. They are persistent and skilled, and the odds are stacked in their favor. It is essential to augment your human threat hunting assets with AI/ML-based tools that can help sift through terabytes upon terabytes of network traffic looking for anomalous behaviors.
In the case of Cloud Hopper/APT10, our Threat Intelligence Group was able to obtain over two hundred and fifty unique samples, all attributed to APT10. Posting the analysis of all of those samples here would be far too voluminous for a short briefing. If you would like to see the analysis of these samples, please drop us a line and we would be happy to share it.
Don’t Forget: Your Feedback is Essential! Please reach out and let us know your thoughts or suggestions.
Lastline Global Threat Intelligence Team