Threat Intelligence Bulletin – week ending March 6

Threat Intelligence Bulletin – week ending March 6

Lastline Threat Briefing

Welcome back to a another regular Lastline Threat Intelligence Briefing. This short email briefing intends to give Lastline customers and other interested parties a regular recap of the most important news and events surrounding malware in the world in the previous two weeks. You will find links to reports and analysis from multiple sources, and these are provided for your benefit. This briefing will also include public links to our Lastline Knowledge Base (LLKB), giving you all the technical threat intelligence information you may need to see how the malware operates (these links do not require paid access to LLKB or a login). If you received this email from someone and are not a Lastline customer, please reach out for a free demo and see how Lastline’s unmatched Threat Intelligence and Network Detection provides deep value on threats, both garden-variety and zero-day.

This briefing is provided as a free service to Lastline customers and other parties interested in reading more about events in the world of malware. We respect your time and privacy, and if you do not wish to receive this regular digest, just send us a quick note at weeklybriefing@lastline.com and we’ll immediately remove you from the distribution.

A self-registration portal is now available for people to subscribe! If you have other people on your team who you think would benefit from this short briefing, please send them to https://go.lastline.com/threat-brief-signup.html and they can sign up in seconds.

Item 1: APT34 (aka OilRig) Launches New Campaign Against Lebanese Government

Link: https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/

Summary: One of the APT groups with connections to the Iranian government has been seen deploying a new custom malicious implant focused on Lebanese government targets.

Key Takeaways: This campaign is believed to have used a compromised Exchange mail server to act as a command-and-control for the implant. Because the Exchange server was a trusted asset, and C2 messages were passed through legitimate email addresses, it was extremely hard to notice the implant. Bottom line? Watching even trusted devices and communication channels for signs of abnormal activity (something that NDR does very well) may prevent an attack like this from succeeding inside your environment.    

Mitre ATT&CK Information on APT34: https://attack.mitre.org/groups/G0049/

Detections: All samples seen in the wild thus far are easily detected as highly malicious. Links to the behaviors and actions taken by the malware samples seen thus far are below:

Item 2: New “LODEINFO” Malware Spotted Hitting Organizations in Japan

Link: https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html

Summary: A new Word-doc based malware has been spotted in Japan. It’s still under development, so expect more campaigns to follow.

Key Takeaways: In the past I’ve wondered why malware authors start campaigns while their malware isn’t perfect or lacking key functionalities. But if you give it some thought, it makes perfect sense: why not see how it works in the wild? Most organizations aren’t paying attention to the bleeding edge of malware. But in the case of tools like Lastline Defender that doesn’t matter – there’s very little new and genuinely novel malware out there; it’s all a riff on other things. AI-powered NDR will detect all those abnormal or malicious behaviors by new malware families and flag them for your security staff.

Detections: Lastline’s ability to detect malicious activities seen in other malware variants means that even new threats are detected as malicious. There is no issue detecting this campaign:

Item 3: Nuo Chong/SilencerLion APT Group Activity Spotted in the Middle East

Links: https://twitter.com/reddrip7/status/1233779793537056768

Summary:  The activities of nation state groups reach every corner of the globe. Monitoring what APT groups do elsewhere can often help your own defenses when a new campaign sets its sights on you.

Key Takeaways: There are many small teams of state-sponsored hackers focused on specific regions of the world: southeast Asia, Europe, the Middle East. Literally dozens of campaigns are launched on a regular basis and they’re often unseen by western organizations… at least until a successful campaign in one area is leveraged elsewhere. Thankfully, Lastline Defender doesn’t care about language barriers: underlying code is language-agnostic and AI-powered NDR will easily detect campaigns such as these.

Detections: At the time of this writing, we’ve analyzed dozens related to this campaign and we detect 100% of them as malicious. A small subset of samples is below:

Item 4: US-CERT Releases New Alert About North Korean Cyber Activity

Link: https://www.us-cert.gov/northkorea

Summary: US-CERT released a large set of data on North Korean cyber activity for organizations to bolster their defenses.

Mitre ATT&CK Information on Lazarus Group: https://attack.mitre.org/groups/G0032/

Key Takeaways: North Korea continues to wage low-level cyber warfare against both private sector and government targets, for both political and financial reasons. Keeping your eyes peeled as to what they’re up to is sage advice for any organization. You may not think you have any reason to be targeted by a state-sponsored group, but groups like Lazarus are indiscriminate when it comes to choosing targets to try and make cash off of.

Detections: We have reviewed a large number of samples attributed to Lazarus Group and have zero issues detecting them as malicious:

Item 5: An “Evolved” Adwind Phishing Campaign Spotted Using Heavy Obfuscation to Evade Detection

Link: https://research.checkpoint.com/2020/the-turkish-rat-distributes-evolved-adwind-in-a-massive-ongoing-phishing-campaign/

Summary: A widespread phishing/malware campaign has been spotted in Turkey delivering a new evolved version of the Adwind RAT. It uses multiple stages as well as a combination of evasion techniques in order to evade detection.

Key Takeaways: The Adwind RAT is a popular multi-platform remote access trojan written in Java. It can infect both Windows and Mac OS X systems (although it’s most commonly seen attacking Windows machines). Malware-as-a-Service has been a reality for years now, and the fact that malware authors continue to make literally millions of dollars peddling their wares means that they will continue to develop their products; it’s no different than a legitimate business improving their products to increase sales. A combination of user awareness coupled with the ability to detect a malicious incident (either at the delivery stage or very early during the infection) is your best strategy to prevent even new variants of malware such as this.

Detections: Even though Adwind has some new tricks, it’s no match for Defender:

Don’t Forget: Your Feedback is Essential! Please reach out and let us know your thoughts or suggestions.

Thank you!

Lastline Global Threat Intelligence Team

Richard Henderson

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.
Richard Henderson