PICUS LABS MONTHLY #April 2020

APRIL'S THREAT: SPEARPHISHING

COVID-19 Exploited by Threat Actors

Threat actors are leveraging the COVID-19 pandemic in their malicious activities. Their operations involve coronavirus-themed phishing emails, often masquerading as trusted entities like government institutions. These phishing emails, which claim to contain critical information about the pandemic, actually contain malware. APT groups use not only phishing emails but also websites to spread their malware.

Watch our webinar and learn how adversaries take advantage of the pandemic to improve their attack techniques.

APRIL'S THREAT ACTORS

APT32

  • Picus Threat ID: 323409
  • Aliases: SeaLotus, OceanLotus, APT-C-00
  • Target Regions: East Asia
  • Target Industries: Government, Media
  • Malware: METALJACK loader

APT36

  • Picus Threat ID: 233163, 461660, 479213
  • Aliases: Mythic Leopard, TEMP.Lapis
  • Target Regions: South Asia, Middle East
  • Target Industries: Government, Defense
  • Malware: Crimson RAT

APT41

  • Picus Threat ID: 758260, 258837
  • Target Regions: US, Europe, Eastern Asia, Southern Asia, Middle East
  • Target Industries: Healthcare, Telecom, Media, Technology
  • Malware: Speculoos Backdoor

Our world-class red team analyzed 500,000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

ATTACK SCENARIOS

APT29 Threat Group

Picus Threat ID: 647501

ACTIONS

1. Create the Registry Run Key "WinNetwork Security" for Persistence

Technique: T1060 Registry Run Keys / Startup Folder

Tactic: Persistence

For more information on T1060 Registry Run Keys / Startup Folder, see our blog post:

    ATT&CK in Action #8: T1060 Registry Run Keys / Startup Folder

2. Execute File with Rundll32.exe

Technique: T1085 Rundll32

Tactic: Defense Evasion, Execution

3. Windows Credential Dumping with PowerShell Mimikatz

Technique: T1003 Credential Dumping

Tactic: Credential Access

For more information on MITRE ATT&CK T1003 Credential Dumping, see our blog post:

    MITRE ATT&CK T1003 Credential Dumping

4. Pass the Hash via Mimikatz Tool

Technique: T1075 Pass the Hash

Tactic: Lateral Movement

...

27. File Exfiltration over HTTPS

Technique: T1043 Commonly Used Ports

Tactic: Command and Control

Trickbot Banking Malware

Picus Threat ID: 647501

ACTIONS

1. Download and Execute Remote Binary via Spearphishing Document

Technique: T1193 Spearphishing Attachment

Tactic: Initial Access

2. Extract Saved Session information with SessionGopher Tool

Technique: T1214 Credentials in Registry

Tactic: Credential Access

3. Credential Dumping with Get-GPPPassword.ps1 PowerShell Script

Technique: T1003 Credential Dumping

Tactic: Credential Access

4. Dump Windows Vault Credentials with PowerSploit

Technique: T1003 Credential Dumping

Tactic: Credential Access

...

9. Disable Automated Windows Recovery Features

Technique: T1490 Inhibit System Recovery

Tactic: Impact

Atomic Attacks

Direct Syscall with NtCreateThreadEx Function

Indirect Command Execution with Forfiles

Command Execution with Image File Execution Options

  • Picus Threat ID: 431232
  • Technique: T1183 Image File Execution Options Injection
  • Tactic: Persistence, Defense Evasion, Privilege Escalation
  • Example Use Case: Trickbot Banking Malware

MALICIOUS CODE

Sodinokibi Ransomware

  • Picus Threat ID: 714860
  • Signature Technique: T1486 Data Encrypted for Impact
  • Target Regions: US, Europe
  • Target Industries: MSPs, Financial Services, Government, Airport

For a brief history and further technical analysis of Sodinokibi Ransomware, see our blog post:

    A brief history and further technical analysis of Sodinokibi Ransomware

CoronaVirus Ransomware

  • Picus Threat ID: 630462, 754010
  • Signature Technique: T1487 Disk Structure Wipe
  • Target Regions: All
  • Target Industries: End Users

PoetRAT Remote Access Trojan

  • Picus Threat ID: 734589, 282004, 539229
  • Signature Technique: T1020 Automated Exfiltration
  • Target Regions: Asia
  • Target Industries: Government, Energy

WEB APPLICATION ATTACKS

rConfig Command Injection

  • Picus Threat ID: 880004
  • OWASP Top 10: A1-Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2020-10879
  • Affected Product: rConfig before 3.9.5

Microsoft SharePoint Remote Code Execution

  • Picus Threat ID: 740045
  • OWASP Top 10: A1-Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2020-0646
  • Affected Product: Microsoft .NET Framework

Nexus Repository Manager RCE

  • Picus Threat ID: 293860, 874179
  • OWASP Top 10: A1-Injection
  • CVSS 3 Base Score: 8.8 High
  • CVE: CVE-2020-10204
  • Affected Product: Sonatype Nexus Repository before 3.21.2

VULNERABILITY EXPLOITATIONS

Zoom Denial of Service

  • Picus Threat ID: 801692
  • CVE: CVE-2019-13449
  • CVSS 3 Base Score: 6.5 Medium

Windows Kernel Elevation of Privilege

  • Picus Threat ID: 542398
  • CVE: CVE-2020-0668
  • CVSS 3 Base Score: 7.8 High

Windows Installer Elevation of Privilege

  • Picus Threat ID: 792978
  • CVE: CVE-2020-0683
  • CVSS 3 Base Score: 7.8 High

    10 Critical MITRE ATT&CK Techniques

SIGMA RULES

Suspicious Dictionary Object Settings Modification in Registry

  • Picus Sigma ID: 5760
  • Detected Method: Command Execution using COM Objects
  • Technique: T1175 Distributed Component Object Model
  • Tactic: Execution

Network Configuration Discovery via Get-NetIPConfiguration Cmdlet

  • Picus Sigma ID: 3003
  • Detected Method: Network Configuration Discovery via PowerShell Get-NetIPConfiguration Cmdlet
  • Technique: T1016 System Network Configuration Discovery
  • Tactic: Discovery

Arbitrary Portable Executable File Execution via Disk Shadow

  • Picus Sigma ID: 8220
  • Detected Method: File Execution via Diskshadow.exe OS Binary (LOLBAS)
  • Technique: T1218 Signed Binary Proxy Execution
  • Tactic: Defense Evasion, Execution