PICUS LABS MONTHLY #August 2020


AUGUST'S THREAT: FASTCash 2.0

BeagleBoyz Threat Group Robbing Banks

BeagleBoyz is a newly identified group that is responsible for attempting to steal nearly $2 billion from various financial institutions in coordinated cash-out attacks in over 30 countries worldwide. These cyber-enabled ATM cash-out campaigns are publicly known as FASTCash.


You can test the effectiveness of your security controls against the FASTCash campaigns with "265977 BeagleBoyz Threat Group FASTCash 2.0 Campaign Attack Scenario" in the Picus Threat Library. You can also validate your defenses against the PowerRatankba Trojan Downloader used in this attack campaign with threats 255145, 461582, and 66239 in the Picus Threat Library.

AUGUST'S THREAT ACTORS

Transparent Tribe

  • Picus Threat ID: 670692, 752639, 310594
  • Aliases: PROJECTM, MYTHIC LEOPARD
  • Target Regions: Asia, Middle East
  • Target Industries: Government, Military
  • Malware: Crimson RAT

DeathStalker

  • Picus Threat ID: 886802, 425472, 686303, 381573
  • Target Regions: Europe, US, UK, China, Middle East, Asia
  • Target Industries: Finance, Law, Consultancy, Government
  • Malware: Powersing

RedCurl

  • Picus Threat ID: 214029, 519330, 406961
  • Target Regions: North America, Europe, Asia
  • Target Industries: All
  • Malware: RedCurl Trojan Downloader

Our world-class red team analyzed 500,000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

ATTACK SCENARIOS

BeagleBoyz Threat Group FASTCash 2.0 Campaign

Picus Threat ID: 265977

ACTIONS

1. Display the Groups using "whoami /groups"

Technique: T1033 System Owner/User Discovery

Tactic: Discovery


2. Execute a Keylogger that uses GetAsyncKeyState()

Technique: T1056 Input Capture

Tactic: Credential Access, Collection


3. Connect to RDP using mstsc.exe

Technique: T1076 Remote Desktop Protocol

Tactic: Lateral Movement

...

18. C2 Communication Over HTTPS Port 443

Technique: T1043 Commonly Used Port

Tactic: Command and Control

Conni RAT Scenario

Picus Threat ID: 506809


ACTIONS

1. Copy Certutil.exe to TEMP by using a Word Macro

Technique: T1204 User Execution

Tactic: Execution


2. Download First Stage Payload using Certutil.exe

Technique: T1105 Remote File Copy

Tactic: Command and Control, Lateral Movement

3. Create New Service for Persistence

Technique: T1050 New Service

Tactic: Privilege Escalation

...

7. Exfiltrate CAB File Over TCP Port 21

Technique: T1043 Commonly Used Port

Tactic: Command and Control


Atomic Attacks

AMSI Bypass via Obfuscated PowerShell Reflection Method with WMF5 Autologging Bypass

  • Picus Threat ID: 531001
  • Technique: T1562 Impair Defenses
  • Tactic: Defense Evasion

For more information on MITRE ATT&CK T1562 Impair Defenses, here is the blog post you can read:

  MITRE ATT&CK T1562 Impair Defenses

Security Support Provider Technique by using the ImplantSSP Tool

  • Picus Threat ID: 434255
  • Technique: T1101 Security Support Provider
  • Tactic: Persistence

Credential Dumping by using the SharpKatz Tool

  • Picus Threat ID: 675942
  • Technique: T1003 Credential Dumping
  • Tactic: Credential Access

For more information on MITRE ATT&CK T1003 Credential Dumping, here is the blog post you can read:

  MITRE ATT&CK T1003 Credential Dumping


MALICIOUS CODE

Bisonal Backdoor Malware

  • Picus Threat ID: 668690, 201911, 409211, 721511, 704112
  • Signature Technique: T1574 Hijack Execution Flow
  • Target Regions: Asia and Eastern Europe
  • Target Industries: Military, Government, Critical Infrastructure
  • Threat Group: CactusPete (Aliases: Karma Panda, Tonto Team)

M00nd3v Logger Infostealer Malware

  • Picus Threat ID: 767981
  • Signature Technique: T1056 Input Capture
  • Target Regions: All
  • Target Industries: All
  • Threat Group: M00nD3v

MATA: Multi-platform targeted malware framework

  • Picus Threat ID: 259609
  • Signature Technique: T1055 Process Injection
  • Target Regions: All
  • Target Industries: All

Watch our webinar, in which we dig into T1055 Process Injection, the no. 1 technique in the Picus 10 Critical MITRE ATT&CK Techniques list.


WEB APPLICATION ATTACKS

Microsoft SharePoint DataSet/DataTable Remote Code Execution (RCE)

  • Picus Threat ID: 751022
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 7.8 High
  • CVE: CVE-2020-1147
  • Affected Product: Microsoft SharePoint

Apache Kylin Remote Code Execution (RCE)

  • Picus Threat ID:
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 8.8 High
  • CVE: CVE-2020-1956
  • Affected Product: Apache Kylin

Nagios Log Server 'username' Persistent Cross-Site Scripting (XSS)

  • Picus Threat ID: 608769
  • OWASP Top 10: A7 - Cross-Site Scripting (XSS)
  • CVSS 3 Base Score: 5.4 Medium
  • CVE: CVE-2020-16157
  • Affected Product: Nagios Log Server

VULNERABILITY EXPLOITATIONS

Windows Setup Elevation of Privilege

  • Picus Threat ID: 306665
  • CVE: CVE-2020-1571
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Setup

Sudo PwFeedback Buffer Overflow Vulnerability

  • Picus Threat ID: 482402
  • CVE: CVE-2019-18634
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Sudo

Windows Update Orchestrator Service Privilege Escalation

  • Picus Threat ID: 850862
  • CVE: CVE-2020-1313
  • CVSS 3 Base Score: 7.8 High
  • Affected Product: Windows Update Orchestrator Service

SIGMA RULES

System Information Discovery from Registry via PowerShell

  • Picus Sigma ID: 4834
  • Technique: T1082 System Information Discovery
  • Tactic: Discovery

In this webinar, Dr. Erdal Ozkaya from Standard Chartered Bank joined Picus to discuss T1082 System Information Discovery.

Suspicious Process Execution via WMI

  • Picus Sigma ID: 4256
  • Technique: T1047 Windows Management Instrumentation
  • Tactic: Execution

Sandbox Evasion by Querying Debuggers

  • Picus Sigma ID: 5608
  • Detected Technique: T1497 Virtualization/Sandbox Evasion
  • Tactic: Defense Evasion, Discovery