Emerging Cyber Threats of November 2022


November was another busy month for new malware families and ransomware campaigns. As always, Picus Labs swiftly added attack simulations to Picus Threat Library for these new threats as they were discovered.

This blog briefly explains the top five cyber threats observed in November 2022. You can easily simulate these threats and validate and improve your security controls against them with the Picus Complete Security Validation Platform.


Top Cyber Threats of November 2022

1. Iranian Government-Sponsored APT Actors (AA22-320A)

2. Hive Ransomware Group (AA22-321A)

3. TONESHELL Backdoor Loader

4. Koxic Ransomware

5. Aurora Infostealer Malware

1. Iranian Government-Sponsored APT Actors (AA22-320A)


On November 16, 2022, CISA and FBI released a joint advisory on Iranian government-sponsored APT actors [1]. In their attack campaign, threat actors exploited the Log4Shell vulnerability to gain a foothold on an unpatched VMware Horizon server, which belongs to a Federal Civilian Executive Branch (FCEB) organization.  

Upon gaining initial access, the adversaries allow-listed specific directories so that malicious tools could be downloaded without being flagged by antivirus scans, and ran a PowerShell script to impair Windows Defender. They then downloaded malicious files and software (the XMRig crypto miner) onto the target system, which were later used to establish persistence and to mine cryptocurrency with the victim's computing power.

Next, the adversaries moved laterally from the compromised VMware Horizon server to the VMware VDI-KMS host using a built-in Windows user account over an RDP connection. They then transferred tools (Mimikatz, PsExec, ngrok) to the VDI-KMS host for post-exploitation activities. In the end, the adversaries had complete control over all domain-joined assets, including the Domain Controller.

We strongly suggest simulating Advanced Persistent Threats (APTs) to test the effectiveness of your security controls against cyber attacks using the Picus Complete Security Validation Platform. You can test your defenses against infamous APT actors such as Lazarus, HAFNIUM, and DEV-0586 within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Iranian APT actors targeting the FCEB organization.

Threat ID   Threat Name
21296       Apache Log4j Web Attack Campaign (Web Application)
63158       XMRig Malware Downloader Email Threat (Email Infiltration)
93377       XMRig Malware Downloader Download Threat (Network Infiltration)
77752       XMRigMinerDropper Email Threat (Email Infiltration)
24052       XMrig Cryptocurrency Email Threat (Email Infiltration)
27275       XMRigMinerDropper Worm Email Threat (Email Infiltration)
90867       XMRigMinerDropper Download Threat (Network Infiltration)
44668       XMrig Cryptocurrency Download Threat (Network Infiltration)
48749       XMRigCC Cryptocurrency Miner Download Threat (Network Infiltration)
47618       XMRigMinerDropper Worm Download Threat (Network Infiltration)

2. Hive Ransomware (AA22-321A)

As of November 2022, Hive ransomware has affected more than 1,300 companies and extracted over $100 million in ransom payments [2].

Hive ransomware actors use a variety of initial access techniques. However, they are most often observed sending phishing emails with malicious attachments crafted to exploit known vulnerabilities in public-facing applications such as Microsoft Exchange servers (CVE-2021-31207, CVE-2021-34473, CVE-2021-34523).

After gaining a foothold, Hive actors download malicious binaries and an obfuscated PowerShell script, part of the Cobalt Strike framework, from their C2 server. Having obtained NT AUTHORITY\SYSTEM, the most privileged built-in account on the local computer, the adversaries dump NTLM hashes and reuse them in Pass-the-Hash (PtH) attacks.

Using the stolen credentials of valid accounts, the adversaries send Remote Desktop Protocol (RDP) connection requests to many internal assets to see which databases they can reach. This is believed to be a way of gauging the extent of their access and identifying the sensitive information they can exfiltrate before encryption starts. Next, with a list of all domain objects in hand, the attackers run a batch script that pings every item in the list and writes the responding hosts to a file. Those hosts are later encrypted for greater impact.

Picus Threat Library already included a threat for the Hive Ransomware group's attack campaigns. Picus Labs has now added new attack simulations for the new malware that Hive actors use.

Picus Threat Library includes the following threats for Hive Ransomware Group.

Threat ID   Threat Name
28770       Hive Ransomware Download Threat (Network Infiltration)
59759       Hive Ransomware Campaign (Endpoint)
63385       Hive Ransomware Email Threat (Email Infiltration)

3. TONESHELL Backdoor Malware


Starting in March 2022, a new cyber-espionage campaign began to emerge. Security researchers attribute this campaign to the Advanced Persistent Threat (APT) actor Earth Preta [3] (a.k.a. Mustang Panda and Bronze President).

The victimology points to the use of fake Google and Dropbox accounts to distribute the malware. The adversaries send targeted spear-phishing emails containing a malicious Google Drive or Dropbox link. Analysis shows that the downloads are malicious archive files (rar/zip/jar) containing various files such as images (.png), Word documents (.doc), and legitimate executables (.exe). These files carry benign-looking names that suggest a governmental source, while in reality they trigger the execution of the following malware families: TONEINS, TONESHELL, and PUBLOAD.

Of these three, TONESHELL is the backdoor Earth Preta mainly uses in its targeted phishing campaigns. TONESHELL is loaded and decoded on the target system by a shellcode loader detected as Backdoor.Win32.TONESHELL.

Further analysis shows that the TONESHELL payload contains functions with very self-explanatory strings for uploading, downloading, and executing files, for lateral movement, and for data exchange over the intranet through the OnePipeShell (a one-way shell over a single named pipe [3]) and TwoPipeShell functions.

After the backdoor is installed and encrypted C2 communication is established, the adversaries exfiltrate sensitive information as part of their double-extortion method.

Picus Labs had already added threats for Mustang Panda to Picus Threat Library.

Now, Picus Threat Library includes the following threats for TONESHELL backdoor, TONEINS malware dropper, and PUBLOAD malware downloader. We highly recommend you test your security infrastructure’s effectiveness against these latest threats. 

Threat ID   Threat Name
59444       TONESHELL Backdoor Malware Download Threat
91901       TONESHELL Backdoor Malware Email Threat
65814       TONEINS Malware Dropper Download Threat (Network Infiltration)
50546       TONEINS Malware Dropper Email Threat (E-mail Infiltration)
86723       PUBLOAD Malware Downloader Download Threat (Network Infiltration)
67981       PUBLOAD Malware Downloader Email Threat (E-mail Infiltration)
59489       Mustang Panda Threat Group Campaign Malware Email Threat (E-mail Infiltration)
56290       Mustang Panda Threat Group Campaign Malware Download Threat (Network Infiltration)

4. Koxic Ransomware

Although Koxic ransomware was first observed in Korea [5], a new variant is claiming a growing number of victims worldwide.

Upon execution, Koxic ransomware starts with a discovery phase to retrieve information about the current system. It then sets the RDP session time limits to their maximum to keep remote desktop sessions alive longer, and disables both the real-time and behavior monitoring features of Windows Defender to evade detection and to stop the defending systems from sending alert notifications to SIEM systems. The following registry values are modified:

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
HKCU\Software\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter
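A defender can audit a host for exactly these modifications. The script below is an added example, not code from the Picus post or from any Koxic analysis; it reads the registry values listed above and flags the ones set to the values that match the tampering described (which values count as tampered is this example's assumption, noted in the comments).

```powershell
# Added audit script (not from the Picus post): reads the registry values the
# post lists for Koxic and flags values that match the tampering it describes.
# Which values count as tampered is this example's assumption, noted per check.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'MaxDisconnectionTime'; Kind = 'timer' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'MaxIdleTime';          Kind = 'timer' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Name = 'DisableAntiSpyware';   Kind = 'flag'  }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Kind = 'flag' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Kind = 'flag' }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer';                 Name = 'DisableNotificationCenter'; Kind = 'flag' }
)

function Test-KoxicRegistryTampering {
    foreach ($c in $checks) {
        # Policy keys are normally absent on an unmanaged host; a missing value is not reported.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value = [int]$item.($c.Name)
        $suspicious = switch ($c.Kind) {
            # 1 disables the Defender feature or the notification center
            'flag'  { $value -eq 1 }
            # 0 means "no limit"; REG_DWORD 0xFFFFFFFF reads back as -1 (assumed "maximum")
            'timer' { $value -eq 0 -or $value -eq -1 }
        }
        [pscustomobject]@{
            Key        = '{0}\{1}' -f $c.Path, $c.Name
            Value      = $value
            Suspicious = $suspicious
        }
    }
}

# Lists every configured value; rows with Suspicious = True warrant investigation.
Test-KoxicRegistryTampering | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM policy keys are readable; a managed host may legitimately set the timer values through Group Policy, so compare any hit against the expected policy before treating it as an incident.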

The ransomware continues its flow by deleting the volume shadow copies and disabling database services like MongoDB, SQLWriter, and MySQL.

Then, Koxic builds a list of all targets that can be encrypted. In parallel, it starts a thread that loops over this list and encrypts each item in turn. Encryption uses the AES algorithm in CBC mode; the initialization vector (IV) and the AES symmetric key are themselves encrypted with the RSA asymmetric algorithm.

Picus Threat Library includes the following threats for Koxic ransomware. We recommend that organizations validate their security infrastructure against Koxic ransomware, which we expect to see more of in the wild.

Threat ID   Threat Name
55587       Koxic Ransomware Download Threat (Network Infiltration)
26807       Koxic Ransomware Email Threat (E-mail Infiltration)

5. Aurora Infostealer Malware

In April 2022, Aurora was first advertised on Russian-speaking hacking forums and a Telegram channel as a Malware-as-a-Service (MaaS) botnet with data-stealing and remote access features. In August 2022, its activity almost vanished, leading to suspicions that its developers had stopped selling it and removed its code from underground repositories.

In September 2022, however, a large wave of new Aurora activity drew the attention of security researchers, and Aurora revealed itself not as a botnet but as an "infostealer." It became so popular that many large traffer teams recommended it. In November 2022, an analysis of many active C2 servers showed that Aurora had become a number-one infostealer among adversaries.

Aurora mainly uses the lxn/win library to collect system information, which depends on WMIC. The following wmic commands are run on the infected host:

wmic os get Caption

wmic path win32_VideoController get name

wmic cpu get name

[Figure 11. File grabber functionality of Aurora infostealer [7]]

The collected data is exfiltrated in JSON format from the target system to an attacker-owned Aurora C2 server, which listens for incoming traffic on TCP ports 9865 and 8081.

Picus Threat Library already included threats for the RATs (PoetRAT, FairFax) used in the 2021 Aurora malware campaign.

Now, Picus Threat Library includes the following threats for the Aurora infostealer malware. We highly recommend that organizations test their security infrastructure against this increasingly adopted infostealer.
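The wmic sequence and the C2 ports above give a defender two observables to correlate. The script below is an added detection example, not code from the Picus post or from the SEKOIA analysis it cites: it looks for all three Aurora wmic queries launched by the same parent process and then for a connection from that parent to one of the named ports within a short window. The records are constructed sample telemetry in a simplified Sysmon-like shape, not real logs, and the severity rule is this example's assumption.

```powershell
# Added detection example (not from the Picus post): correlate the three Aurora
# wmic queries from one parent process with a follow-up connection to a C2 port.
# The records below are constructed sample data in a simplified Sysmon-like shape.
$records = @(
    [pscustomobject]@{ Time = '2022-11-20T10:01:02'; Type = 'Process'; Parent = 'C:\Users\u\AppData\Local\Temp\setup.exe'; CommandLine = 'wmic os get Caption' }
    [pscustomobject]@{ Time = '2022-11-20T10:01:03'; Type = 'Process'; Parent = 'C:\Users\u\AppData\Local\Temp\setup.exe'; CommandLine = 'wmic path win32_VideoController get name' }
    [pscustomobject]@{ Time = '2022-11-20T10:01:03'; Type = 'Process'; Parent = 'C:\Users\u\AppData\Local\Temp\setup.exe'; CommandLine = 'wmic cpu get name' }
    [pscustomobject]@{ Time = '2022-11-20T10:01:09'; Type = 'Network'; Image = 'C:\Users\u\AppData\Local\Temp\setup.exe'; DestinationIp = '203.0.113.10'; DestinationPort = 8081 }
    [pscustomobject]@{ Time = '2022-11-20T10:05:00'; Type = 'Process'; Parent = 'C:\Windows\System32\cmd.exe'; CommandLine = 'wmic cpu get name' }
)

$auroraQueries = @('wmic os get Caption', 'wmic path win32_VideoController get name', 'wmic cpu get name')
$auroraC2Ports = @(9865, 8081)   # TCP listener ports named in the post

function Find-AuroraPattern {
    param([object[]]$Records, [int]$WindowSeconds = 60)
    $Records | Where-Object Type -eq 'Process' | Group-Object Parent | ForEach-Object {
        $parent = $_.Name
        $seen   = $_.Group.CommandLine | ForEach-Object { $_.Trim() }
        $hits   = @($auroraQueries | Where-Object { $seen -contains $_ })
        if ($hits.Count -lt $auroraQueries.Count) { return }   # all three queries required
        $start  = [datetime]($_.Group.Time | Sort-Object | Select-Object -First 1)
        # Connections from the same parent to a C2 port shortly after the discovery queries
        $c2 = @($Records | Where-Object {
            $_.Type -eq 'Network' -and $_.Image -eq $parent -and
            $auroraC2Ports -contains $_.DestinationPort -and
            ([datetime]$_.Time - $start).TotalSeconds -le $WindowSeconds
        })
        $severity = if ($c2.Count -gt 0) { 'High' } else { 'Medium' }   # assumed scoring
        [pscustomobject]@{
            Parent        = $parent
            WmicQueries   = $hits.Count
            C2Connections = $c2.Count
            Severity      = $severity
        }
    }
}

Find-AuroraPattern -Records $records | Format-Table -AutoSize
```

The cmd.exe record is included to show that a single wmic query on its own does not fire; only the full sequence from one parent is reported, and the port match raises it to High.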

Threat ID   Threat Name
38571       Aurora Infostealer Download Threat (Network Infiltration)
56237       Aurora Infostealer Email Threat (E-mail Infiltration)
24087       Aurora Campaign Malware Download Threat (Network Infiltration)
30142       FairFax RAT Email Threat (E-mail Infiltration)
76563       FairFax RAT Download Threat (Network Infiltration)
31003       PoetRAT RAT Download Threat (Network Infiltration)

References

[1] “Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-320a. [Accessed: Dec. 06, 2022]

[2] “#StopRansomware: Hive Ransomware.” [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa22-321a. [Accessed: Dec. 05, 2022]

[3] “Earth Preta Spear-Phishing Governments Worldwide,” Trend Micro, Nov. 18, 2022. [Online]. Available: https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html. [Accessed: Dec. 05, 2022]

[4] karl-bridge-microsoft, “GetSystemInfo function (sysinfoapi.h).” [Online]. Available: https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getsysteminfo. [Accessed: Dec. 06, 2022]

[5] “Koxic Ransomware Being Distributed in Korea,” ASEC BLOG, Nov. 24, 2022. [Online]. Available: https://asec.ahnlab.com/en/42343/. [Accessed: Dec. 06, 2022]

[6] “Koxic Ransomware Deep-dive Analysis,” Cyble, Feb. 03, 2022. [Online]. Available: https://blog.cyble.com/2022/02/03/koxic-ransomware-deep-diveanalysis/. [Accessed: Dec. 06, 2022]

[7] "Aurora: a rising stealer flying under the radar," SEKOIA.IO Blog, Nov. 21, 2022. [Online]. Available: https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/. [Accessed: Dec. 06, 2022]
