The CyberWire Pro Research Briefing for 4.14.20

Summary

By the CyberWire staff

At a glance.

A look at APT41's backdoor for unpatched Citrix appliances.
New IoT botnet is significantly more effective than others of its kind.
FIN6 teams up with the TrickBot gang.
RDP scanning on the rise.
Attackers are increasingly using encrypted, cloud-hosted payloads.
Disinformation campaign targets Estonia and Georgia.

Analyzing APT41's FreeBSD backdoor.

Palo Alto Networks's Unit 42 published an analysis of a backdoor used by APT41, a Chinese-government-aligned threat actor whose recent activities were outlined by FireEye late last month. Between January and March 2020, FireEye observed the threat actor targeting Citrix, Cisco, and Zoho network devices used by organizations across a broad range of industries.

Unit 42 examined a backdoor the threat actor deployed on Citrix devices running the open-source Unix-like operating system FreeBSD. The backdoor, which Unit 42 calls "Speculoos," was delivered via CVE-2019-19781, a path-traversal vulnerability found in Citrix's Application Delivery Controllers and Gateways that was disclosed in December 2019. The attackers used this vulnerability to command the targeted devices to download the malware over FTP. Once installed and connected to the command-and-control server, Speculoos is "a fully functional backdoor which gives the adversary full control over the victim system." It can't establish persistence on its own, however, so the researchers surmise the attackers use another tool or step to gain a lasting foothold.

The researchers are certain that Speculoos was tailored to execute on Citrix devices, and they believe the malware was created exclusively for this campaign. They note the timing of the Citrix vulnerability's disclosure, along with the rarity of malware designed specifically for FreeBSD.

While the malware appears to have been developed for this operation, the researchers believe the campaign itself "may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries." Specifically, based on the wide variety of targeted industries and regions, Unit 42 suspects APT41 saw the newly disclosed Citrix vulnerability as a low-hanging fruit that could allow them to "gain footholds in a large number of organizations with minimal effort to expand their attack infrastructure."

New IoT botnet is notably effective.

Bitdefender discovered a new IoT botnet designed for launching DDoS attacks. The researchers call the botnet "dark_nexus," and they say it's "significantly more potent and robust" than other botnets of its kind. They believe dark_nexus may have been developed by greek.Helios, a malware author who's been creating and selling botnet services and code for several years. Dark_nexus uses some code from the Qbot and Mirai malware, but Bitdefender says "its core modules are mostly original."

The malware infects devices by brute-forcing default credentials over Telnet. It tries to disguise its traffic as regular, browser-generated traffic, and it contains a module that will kill any other suspicious processes on the infected device in order to block any other malware from using the device.

Dark_nexus is being actively maintained and has received more than thirty updates in the three months since it was spotted.

FIN6 teams up with the TrickBot gang.

IBM X-Force says the sophisticated cybercriminal group FIN6 (tracked by X-Force as "ITG08") has partnered with TrickBot's developers to use the TrickBot gang's new malware, Anchor, in financially motivated operations. The researchers tied FIN6's use of the More_eggs backdoor and the TerraLoader loader, as well as the group's TTPs in previous operations, to campaigns involving Anchor. The researchers conclude that "ITG08’s partnership with the TrickBot gang not only provides the group with new malware and potential access to enterprises infected with the TrickBot Trojan; it also reveals additional evidence of the group’s strategy to partner with other threat actors and malware developers. These varied relationships with elite cybercriminal actors and those who sell them tools, access and software allow ITG08 to continue to rely on its strengths in post-exploitation tactics, such as lateral movement, privilege escalation and data exfiltration, and outsource other attack vectors as needed."

RDP scanning on the rise.

Johannes Ullrich at the SANS Internet Storm Center warns that scans for open Remote Desktop Protocol (RDP) ports increased significantly in March compared to the previous five months. Ullrich's research was motivated by a report from Shodan in late March that found that the number of exposed RDP ports was on the rise as organizations shift to working remotely. Ullrich found that the number of source IP addresses scanning for RDP's default port (3389) rose to 3,540 addresses per day in March, up from an average of 2,600 addresses per day between October and February. He concludes that the "increased interest in scanning port 3389 indicates that attackers are ready for some of the changes to network configurations as a result of increased remote access requirements."

Attackers are using encrypted, cloud-hosted payloads.

Check Point Research says attackers are increasingly using cloud infrastructure like Dropbox and Google Drive to host their malware payloads. The attackers are sending phishing emails that simply contain a "stub," which, when clicked, will download a malicious payload from a cloud service. Importantly, the researchers found that cloud-hosted malware is now being encrypted in storage and only decrypted once it's on the victim's machine. They stress that when faced with this technique, cloud providers such as Google "cannot do much more than employ the stop-gap measure of looking for plain malicious binaries and praying that this practice doesn’t catch on. Of course they can also follow the payloads when campaigns come to light, investigate the uploads, follow the leads, create deterrence. But this is complicated, manual, delayed." Making matters worse is the fact that the installed payload exists only in memory and likely won't leave evidence of the attack.

The researchers posit that sandboxing can perhaps mitigate this technique, since a sandbox can view the entire process before it occurs on the victim's computer.

Operation Pinball targets Estonia and Georgia.

Recorded Future released a report outlining "Operation Pinball," an ongoing disinformation campaign directed at Estonia and Georgia. The campaign is tied to Secondary Infektion and similarly uses fake leaked documents in an attempt to stir up tensions within the targeted countries.

Selected Reading

Threat Actors Migrating to the Cloud (Check Point Research) Where do malware payloads come from? It’s a question with an apparently trivial answer. Usually these sit on dedicated servers owned by the campaign managers, and occasionally on a legitimate website that has been broken into and commandeered. But, as we were recently reminded, there is a third option: keeping payloads at accounts on cloud... Click to Read More

New Phishing Campaign Spoofs WebEx to Target Remote Workers (Cofense) The Cofense Phishing Defense Center (PDC) has observed a new phishing campaign that aims to harvest Cisco WebEx credentials via a security warning for the application, which Cisco’s own Secure Email Gateway fails to catch.

Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns (Unit42) New research shows COVID-19 themed phishing campaigns are targeting healthcare organizations and medical research facilities around the world

()

TrickBot Emerges with a Few New Tricks (Zscaler) Trickbot often works with other malwares, whether it is using them as initial infection vectors to find its way into the target host or downloading other malware families, Ryuk ransomware, coinminer, etc, to get most out of the infection.

How Cyber Adversaries are Adapting to Exploit the Global Pandemic (Secureworks) Threat actors pivot their tactics to exploit perceived COVID-19 information vacuums, increased reliance on remote conferencing platforms, and victims’ fears.

Intent to Infekt: ‘Operation Pinball’ Tactics Reminiscent of ‘Operation Secondary Infektion’ (Recorded Future) Insikt Group identified an ongoing information operation that they assess shares significant overlap with “Operation Secondary Infektion."

APTs and COVID-19: How advanced persistent threats use the coronavirus as a lure - Malwarebytes Labs (Malwarebytes Labs) We review the top APT groups taking advantage of the current pandemic.

APT41 Using New Speculoos Backdoor to Target Organizations Globally (Unit42) Unit 42 identifies the payload installed onto a Citrix appliance by APT41, which we are calling Speculoos.

()