At a glance.
- APT27 tied to ransomware attacks.
- Lazarus Group conducts COVID-19-related espionage.
- More analyses of the Sunburst malware.
- Emotet resurfaces.
APT27 tied to ransomware attacks.
Researchers at Profero and Security Joes report that the state-sponsored Chinese threat actor APT27 (also known as "Emissary Panda") seems to be responsible for several ransomware attacks alongside its cyberespionage campaigns. The researchers told Threatpost that the actor deployed ransomware against five unnamed gaming companies, two of which are "among the largest in the world."
The researchers explain, "What stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows. This was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather than use local tools. Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual, however this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising."
The researchers discovered ties to a cyberespionage campaign dubbed "DRBControl" that targeted gambling and betting companies in Southeast Asia. Trend Micro connected that campaign to APT27 and the Winnti Group.
Lazarus Group conducts COVID-19-related espionage.
Researchers at Kaspersky have determined that North Korea's Lazarus Group hacked an unnamed government's health ministry and a pharmaceutical company, apparently seeking information on vaccine development and deployment. The pharmaceutical company was compromised on September 25, 2020 as part of a supply chain attack outlined by ESET in November. The threat actors compromised websites that used the South Korean security software WIZVERA VeraPort to deliver their Bookcode malware.
The researchers aren't sure how the actor initially compromised the government health ministry, but it was able to install its sophisticated wAgent malware, which operates primarily in memory. In both incidents, the threat actor used the open-source Active Directory query tool ADFind to extract information from the compromised environments.
More analyses of the Sunburst malware.
Several security firms have published reports on the Sunburst malware used in the SolarWinds supply chain attack. FireEye's updated report focuses on the malware's anti-analysis capabilities, command-and-control behavior, and modes of operation.
McAfee outlines how the malware gathers information from compromised machines, writing, "Another observation of the http routine was the search for certain keywords in the http-traffic that might indicate the adversary was looking into details/access of cloud and/or wireless networks of their victims by using the SolarWinds’ modules that are installed to monitor/administer these kinds of instances. Managing the network using SolarWinds’ Orion is executed by using a browser and localhost that is hosting the webserver. Reading out the certificate values and search for these keywords in the http-traffic would have gained this information."
Qualys gives a detailed description of how the malware establishes a connection with its command-and-control server and executes commands.
Palo Alto Networks' Unit 42 offers a timeline of the attack based on currently known information. The operators began preparing for the hack as far back as August 2019, and the malicious SolarWinds Orion update was released in March 2020. Unit 42 looked at requests to the domain used by the attackers. These requests peaked in July 2020, then declined before sharply dropping off in October and November. The researchers explain, "This pattern could be explained by organizations slowly installing the malicious updates in the weeks after release, but we can’t say for sure."
Cofense says the Emotet botnet began churning out phishing emails laden with malicious documents in late December, following a two-month hiatus. The botnet's operators have improved their phishing technique by having their malicious macros trigger a dialog box that says "Word experienced an error trying to open the file," intended to prevent victims from growing suspicious after clicking "Enable content." The researchers found that the malware itself has also received some minor upgrades:
"The malware was previously a standalone executable file with a “.exe” filename, but is now a DLL file initialized using the built-in Windows program rundll32.exe. This makes the presence of the malware a little more difficult to detect. Emotet’s command-and-control (C2) communication has also been changed to use binary data rather than plain text, which will likely make it more difficult to detect at the network level. Finally, the authors changed the binary to thwart extraction of C2 details and other indicators of compromise."
Overall, however, the malware's delivery and functionality have remained the same. Users are advised to be alert for phishing emails and to avoid enabling macros in Office documents.