Threat Intelligence Posts

Method: Latest updates on the RIG Exploit Kit

July 3, 2018

On May 31st, Trend Micro published a technical analysis of updates to the RIG Exploit Kit. RIG now delivers cryptocurrency mining malware as its final payload, and it has recently been observed exploiting CVE-2018-8174, a flaw in the VBScript engine that is reachable through Internet Explorer and Microsoft Office documents on Windows 7 and later. Previously, RIG was observed delivering GandCrab ransomware and Panda Banker as its payload; distributing cryptocurrency mining malware is a new trend for the actors behind RIG. The distribution method is unchanged: RIG uses malvertisements containing a hidden iframe that redirects victims to RIG's landing page, where the second stage of the attack is retrieved and used to download a Monero miner.

The Proficio Threat Intelligence Recommendations:

  • Note the trend of cybercriminal threat actors moving away from distributing banking trojans and ransomware toward cryptocurrency mining malware.
  • Be aware of indicators of cryptocurrency mining malware on systems, such as sustained high CPU utilization and slow system performance.
General Info - Click Here
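The hidden-iframe redirector described above is the part of the chain a web proxy, crawler or sandbox can look for on its own. The following is an added example, not code from Trend Micro's analysis or from the original post; the page markup and the landing-page host names in it are constructed for illustration, and the size/CSS heuristics are the editor's assumptions about what "hidden" means in practice.

```python
"""Flag hidden <iframe> elements of the kind used in RIG-style malvertisement
redirects.  Added example (not from Trend Micro or the original post); the
HTML below is constructed, and landing.example is a placeholder host.
"""
import re
from html.parser import HTMLParser

# CSS fragments that make an element invisible to the viewer (assumed heuristics).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel, i.e. effectively invisible."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collects (src, reason) for every iframe that a viewer would not see."""

    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # boolean attrs become ""
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if a.get("hidden") is not None:
            reasons.append("hidden attribute")
        if reasons:
            self.hidden.append((a.get("src", ""), ", ".join(reasons)))


def find_hidden_iframes(html):
    """Return [(src, reason), ...] for suspicious iframes in document order."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.hidden


# Constructed sample page: one legitimate ad embed and two hidden redirectors.
SAMPLE_HTML = """
<html><body>
<h1>Daily Deals</h1>
<iframe src="https://ads.example/banner" width="300" height="250"></iframe>
<iframe src="http://landing.example/?s=1" width="1" height="1"></iframe>
<div><iframe style="position:absolute; left:-9999px"
       src="http://landing.example/gate.php"></iframe></div>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"suspicious iframe -> {src}  ({why})")
```

Legitimate pages do use 1x1 or off-screen iframes (tracking pixels, analytics), so treat a hit as a lead to check the iframe's destination against proxy logs and threat intelligence, not as a verdict on its own.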

Method: FakeSpy – Android Trojan targeting Japanese and Korean Speaking Users

July 2, 2018

On June 19th, Trend Micro released a technical analysis of FakeSpy, a malware family targeting Korean and Japanese mobile users. FakeSpy is distributed through SMS messages containing a malicious link that prompts the user to install a malicious Android application package (APK). For Korean users the application masquerades as an app from local consumer financial service companies; for Japanese users it pretends to be an app from transportation, logistics, courier and e-commerce companies. The application monitors text messages and sends them back to a C&C server. It has also been observed adding contacts to the device, resetting the device, muting it, updating its configuration and stealing device information.

FakeSpy also checks for installed banking applications and replaces them with counterfeit versions, which then phish for the user's credentials by claiming the application needs to be updated and asking the user to enter their key. FakeSpy hides and updates its C2 server address through social media: the application accesses a Twitter page maintained by the operator and parses its content to retrieve the C2 IP address.

The Proficio Threat Intelligence Recommendations:

  • FakeSpy is distributed via phishing messages, so users can avoid becoming victims by practicing good security habits, including checking for grammatical errors and avoiding unsolicited messages that contain links.
Technical Analysis of Malware - Click Here

Method – RANCOR Malware: Southeast Asia

July 1, 2018

A new malware campaign was observed this month that appears to be politically motivated and targets organizations operating in Southeast Asia. The campaign was dubbed "RANCOR" by Palo Alto Networks researchers, and the malware falls under the Trojan classification. The malware appears to make use of code from two malware families: DDKONG and PLAINTEE.

The malware has been observed in at least three cases in which high-profile individuals were targeted with spear phishing emails. The emails carried malicious attachments of the .hta, .xlsx and .dll file types. When opened, these attachments display decoy PDFs or web pages that claim to relate to political parties in the targeted country, while scripts execute in the background to complete the installation on the host system.

While this behavior might seem easy to detect at first glance, a closer look reveals that the malware authors took several steps to evade detection. Researchers noted that the malicious scripts were typically hidden in the metadata of the files and executed only when certain conditions were met. Additionally, in the cases where web pages were opened, the websites of legitimate government organizations and Facebook were compromised in order to bypass security controls.

Though current findings show only Cambodia and Singapore have been targeted so far in the RANCOR campaign, other countries in the Asia Pacific region could be targeted as well, and it is recommended to update security controls to detect the IOCs associated with this attack. One telltale sign of some RANCOR variants is their rare use of a custom UDP protocol for command and control, which heuristic IDPS devices may be able to flag. The associated binaries are 32-bit Windows DLLs (file type "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows") matching the SHA256 hashes below.

IDPS and SIEM devices can be updated to alert on the following additional indicators that have been observed:

  • Domain: www.facebook-apps.com
  • IPv4: 89.46.222.97
  • SHA256: 0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855
  • SHA256: c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d


The Proficio Threat Intelligence Recommendations:
  • Ensure security devices are updated to latest stable firmware.
  • Monitor for the SHA256 hashes above (32-bit Windows DLLs, file type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows).
  • Change the default handler for “.hta” files in your enterprise environment so that they cannot be directly executed.
Source of Analysis - Click Here
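Turning the indicators above into a watchlist is the practical step the recommendations ask for. The following is an added example, not part of the Palo Alto Networks analysis or the original post: it matches the domain, IP address and SHA256 hashes listed above against a handful of constructed log lines. The log format (DNS, proxy and EDR events) is an assumption made for illustration, not any vendor's real schema.

```python
"""Match the RANCOR indicators above against sample log records.
Added example, not part of the Palo Alto Networks analysis or the original
post.  The log lines are constructed for illustration; their field layout
(DNS, proxy and EDR events) is an assumption, not any vendor's real format.
"""
import re

# Indicators from the post (domain, IPv4 address, SHA256 hashes).
IOCS = {
    "domain": {"www.facebook-apps.com"},
    "ipv4": {"89.46.222.97"},
    "sha256": {
        "0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855",
        "c35609822e6239934606a99cb3dbc925f4768f0b0654d6a2adc35eca473c505d",
    },
}

_DOMAIN = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_SHA256 = re.compile(r"\b([0-9a-f]{64})\b", re.I)


def extract(line):
    """Pull candidate domains, IPv4 addresses and SHA256 hashes out of one line."""
    return {
        "domain": {d.lower() for d in _DOMAIN.findall(line)},
        "ipv4": set(_IPV4.findall(line)),
        "sha256": {h.lower() for h in _SHA256.findall(line)},
    }


def match_iocs(lines, iocs=IOCS):
    """Return (line_number, ioc_type, value) for every indicator hit, in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = extract(line)
        for kind in ("domain", "ipv4", "sha256"):
            for value in sorted(found[kind] & iocs[kind]):
                hits.append((n, kind, value))
    return hits


# Constructed sample logs: a DNS lookup and a proxy CONNECT from one host,
# an EDR image-load event with a listed hash, and two benign lines.
SAMPLE_LOGS = [
    "2018-06-26T10:14:02Z dns client=10.0.0.21 query=www.facebook-apps.com type=A",
    "2018-06-26T10:14:03Z proxy client=10.0.0.21 dst=89.46.222.97:443 method=CONNECT",
    "2018-06-26T10:15:40Z edr host=WS-0421 event=image_load "
    "path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll "
    "sha256=0bb20a9570a9b1e3a72203951268ffe83af6dcae7342a790fe195a2ef109d855",
    "2018-06-26T10:16:11Z dns client=10.0.0.33 query=www.facebook.com type=A",
    "2018-06-26T10:17:09Z proxy client=10.0.0.33 dst=203.0.113.5:443 method=CONNECT",
]

if __name__ == "__main__":
    for n, kind, value in match_iocs(SAMPLE_LOGS):
        print(f"line {n}: {kind} IOC hit -> {value}")
```

Hashes are normalised to lower case before comparison because EDR products and VirusTotal disagree on case; the domain match is exact, so a lookalike such as www.facebook.com on line 4 is correctly left alone.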

Target: Exactis Data Leak – 340 Million Records Exposed

June 28, 2018

On June 28, 2018, the exposure of a database belonging to Florida-based marketing and data aggregation firm Exactis was disclosed to the public. Exactis focuses on the mass collection and trading of data in order to provide highly accurate, targeted advertising. This is considered one of the biggest exposures of all time, affecting over 340 million records, with over sixty percent relating to consumers and the rest to businesses.

The exposed data was discovered by a security researcher who observed the Exactis database on a publicly accessible server, unguarded by perimeter devices. It is unknown whether the data was acquired by other parties prior to the disclosure, but Exactis has reported that it is no longer publicly accessible.

The exposed information could help malicious actors improve the success of their social engineering attacks because of the highly personal nature of the data. The leaked data includes age, gender, phone numbers, email addresses, home addresses, religious preferences, clothing size, gender of children and other behavioral and lifestyle information. At this time, no financial information or Social Security numbers are known to have been exposed.

The Proficio Threat Intelligence Recommendations:

  • The detail in this exposed information allows highly targeted social engineering attacks. If an email looks suspicious or comes from an unknown entity, delete it immediately and do not click on links within it.
  • Ensure sensitive company-owned data is not publicly accessible.

McAfee Source Link - Click Here
Wired Source Link - Click Here

Target: Dixons Carphone Breach exposes 1.2 million customers data

On June 13th, the popular U.K.-based electronics and telecom retailer Dixons Carphone disclosed that it had recently discovered a breach dating to 2017 that may have compromised almost 6 million payment cards and 1.2 million personal data records. The company disclosed that unauthorized access to sensitive data began in July 2017, with no evidence of persistent access.

With GDPR now in force, Dixons Carphone was legally required to notify the supervisory authority within 72 hours of becoming aware of the breach or face potential fines. Dixons Carphone did not disclose which specific systems were targeted in the 2017 breach, only that payment cards in one of its processing systems were compromised.

Dixons Carphone took precautionary measures by immediately notifying the card companies about the potentially compromised cards so that customers could be alerted and protected against possible fraud. The company may also provide credit monitoring to the affected individuals for a year or more. There has been no reported fraudulent use of the 6 million cards in question at this time.

The Proficio Threat Intelligence Recommendations:

  • Run regular credit checks and review monthly financial statements to ensure no fraudulent activity has occurred.
  • If an organization falls under the scope of GDPR, note Articles 33 and 34, which set out the new requirements around data breach notification.
General Info - Click Here

Method – MirageFox Malware

June 27, 2018

On June 18th, malware researcher Jay Rosenberg of Intezer released findings on a binary retrieved through VirusTotal hunting. VirusTotal is a service used by the global cybersecurity community that lets users upload suspicious files to be checked against many antivirus engines. Intezer's analysis revealed that the binary shares code with the remote access tool (RAT) described in NCC Group's report on a 2017 campaign in which the group APT 15 compromised entities within the UK government.

This indicates that APT 15 has built a variant of the RoyalAPT malware described by NCC Group, which could then have been used in a separate attack, perhaps on an additional entity. In the article, the author states: "Coincidentally, following the recent hack of a US Navy contractor and theft of highly sensitive data on submarine warfare, we have found evidence of very recent activity by a group referred to as APT15, known for committing cyber espionage which is believed to be affiliated with the Chinese government." This implies that the author believes the MirageFox activity and the US Navy contractor hack are tied together, and other sources have since claimed that APT 15 was likely behind the theft of the Navy's Sea Dragon data. We would like to point out that the researcher's findings do not prove this; it is speculation at this time.

One very interesting finding in the report concerns the command and control address embedded in the binary: the call-home IP address is 192.168.0.107, an RFC 1918 private address used only on internal networks. This indicates that the command and control server sat inside the victim network, possibly reachable over a VPN. This is a very unusual configuration for an attacker, and without special configuration it will evade perimeter security controls that only inspect traffic leaving the network.

The Proficio Threat Intelligence Recommendations:

  • Block the IOC hashes on the corporate endpoint solution if possible; the researcher stated that the binaries had a low antivirus detection rate at the time of analysis.
  • Note the internal command and control server, and account for this type of attack when configuring perimeter IDPS technologies that rely on outbound traffic to detect command and control.
  • Consider treating internal VPN ranges as an external network when configuring IDPS controls; the organization will need to validate that this does not result in false positive IDPS alerts.
Source of analysis - Click Here
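The last recommendation, treating the VPN client pool as "external" for detection purposes, is easy to state and easy to get wrong in a zone table. The following is an added example, not code from the Intezer write-up: it classifies flow records by zone so that LAN-to-VPN-pool connections on ports that would normally be watched outbound are surfaced. 192.168.0.107 is the call-home address the report names; the LAN ranges, the VPN pool range, the port list and the flow records are constructed assumptions.

```python
"""Treat VPN client pool ranges as "external" when looking for C2-style
connections, as the recommendation above suggests.  Added example, not from
the Intezer write-up.  192.168.0.107 is the call-home address the report
names; the network ranges, ports and flow records are constructed assumptions.
"""
import ipaddress

# Assumption: the organization's own LAN ranges and the VPN client pool.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
VPN_POOL_NETS = [ipaddress.ip_network("192.168.0.0/24")]
# Ports a perimeter IDPS would normally inspect for outbound C2 (assumption).
WATCH_PORTS = {80, 443, 8443}


def zone(ip):
    """Classify an address as 'vpn', 'internal' or 'external'.  VPN is tested
    first so that a VPN-pool address is never treated as trusted LAN."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in VPN_POOL_NETS):
        return "vpn"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def suspicious_flows(flows):
    """Return LAN-to-VPN-pool flows on watched ports: traffic that looks like
    C2 but never crosses the perimeter, so a perimeter-only IDPS misses it."""
    return [
        (src, dst, dport)
        for src, dst, dport in flows
        if zone(src) == "internal" and zone(dst) == "vpn" and dport in WATCH_PORTS
    ]


# Constructed flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.0.5.17", "192.168.0.107", 443),   # workstation -> VPN-pool host: C2 candidate
    ("10.0.5.17", "10.0.1.5", 445),         # internal file share, expected
    ("10.0.5.18", "203.0.113.9", 443),      # normal outbound, the perimeter IDPS sees it
    ("192.168.0.50", "10.0.1.5", 445),      # VPN user reaching a LAN share, expected
]

if __name__ == "__main__":
    for flow in suspicious_flows(SAMPLE_FLOWS):
        print("C2-like flow to VPN pool:", flow)
```

In a real deployment the same zone logic would be expressed as IDPS home-net / external-net variables or as a SIEM lookup; the point is that the VPN pool is excluded from the trusted set before any "internal to internal" whitelisting is applied.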

Actor – APT 15 / Vixen Panda

June 25, 2018

A suspected state-sponsored Chinese threat actor, known as APT 15 (FireEye) or Vixen Panda (CrowdStrike) and whose activity has been documented as Operation Ke3chang (FireEye and Palo Alto), has recently resurfaced in conversations. The group's activity is suspected to date back to 2009. The first major public release of information on this threat actor was FireEye's 2014 whitepaper "OPERATION KE3CHANG - Targeted Attacks Against Ministries of Foreign Affairs", which detailed how spear phishing emails were used to install backdoors. The most discussed malware in the whitepaper was the BS2005 backdoor, which has been used to trace the attacker's activity over the years. Several broad sectors, including aerospace, energy, government and manufacturing, were named as targets.

The next major publication related to the actor came from Palo Alto in 2016, which traced a new "TidePool" malware with many similarities to BS2005; the targets were stated to be Indian embassy personnel worldwide. The most recent publication attributing an attack directly to APT 15 is from NCC Group, which uncovered two previously unknown backdoors (RoyalDNS and RoyalCLI) with similarities to BS2005. That attack, which appeared to run from May 2016 until late 2017, targeted UK government departments; the breach was not published until March 2018.

The newest development is from security researchers attempting to attribute the major 2018 US Navy contractor hack to APT 15. In that attack, 614 gigabytes of material related to the US Navy's "Sea Dragon" project were stolen. Researchers are drawing conclusions around an updated backdoor known as MirageFox (again with similarities to BS2005) and state that it may have been used in the compromise. At this time, based on reviewed intelligence from Intezer and other firms, Proficio believes these claims are loose associations and only speculative. Future information may yet attribute the hack to APT 15.

The Proficio Threat Intelligence Recommendations:

  • Implement phishing training for employees.
  • Have a procedure for employees to forward suspicious emails to security operations for analysis.
FireEye Analysis from 2014 - Click Here
Palo Alto Analysis from 2016 - Click Here
NCC Group Analysis from 2018 - Click Here
Intezer's MirageFox Analysis from 2018 - Click Here

Target – FAPD Phishing HIPAA Breach

June 22, 2018

On June 1st, the Florida Agency for Persons with Disabilities (FAPD) disclosed that a phishing attack had compromised a single email account. The account contained the protected health information (PHI) of 1,951 customers and/or guardians. Although no evidence indicated that the information was accessed, FAPD could not rule it out. As a result, FAPD is providing the potentially affected individuals with one year of free credit monitoring.

The Proficio Threat Intelligence Recommendations:

  • Implement multi-factor authentication for email access for users who may handle ePHI.
  • Validate that mailbox auditing is enabled so that it can be proven which emails were accessed during a user session.
  • Limit email access to IP addresses geolocated within the organization’s place of business
General Info - Click Here

Method: Hidden Cobra TYPEFRAME Malware Activity

June 18, 2018

On June 14th, US-CERT released a Malware Analysis Report (AR18-165A) that details a set of malware, code-named TYPEFRAME, with the earliest observed sample dating back to 2015. The malware appears to have been used by HIDDEN COBRA (aka Lazarus), the threat actor attributed to the North Korean government. The Trojan can download and install malware, proxies and remote access tools (RATs), connect to command and control servers, and modify the victim's host-based firewall to allow incoming connections. The multiple executables and the malicious document referenced in the report show that TYPEFRAME is modular, with different installers deploying different malicious modules. The samples detailed in the report (MD5) can be summarized as follows:

  • F5A4235EF02F34D547F71AA5434D9BB4 / BFB41BC0C3856AA0A81A5256B7B8DA51 - Installers that set the RAT up as a service on the victim's machine.
  • 10B28DA8EEFAC62CE282154F273B3E34 - Installer that sets a proxy module up as a service on the victim's machine.
  • 00B0CFB59B088B247C97C8FED383C115 - Proxy module that opens the Windows Firewall on the victim's machine to allow incoming connections and makes the host act as a proxy server; it listens on port 8443.
  • BF474B8ACD55380B1169BB949D60E9E4 - RAT that installs a proxy module as a service on the victim's system.
  • 6AB301FC3296E1CEB140BF5D294894C5 - Malicious Word document containing a VBA macro that decodes a PE binary and executes it.
  • EF9DB20AB0EEBF0B7C55AF4EC0B7BCED - Connects to its remote C2 servers on port 443 and waits for instructions.
  • 1C53E7269FE9D84C6DF0A25BA59B822C - Proxy module installed as a service that opens the Windows Firewall on the victim's machine to allow incoming connections and makes the host act as a proxy server.
Notably, this malware uses a fake TLS communication mechanism: traffic on port 443 that imitates TLS without being a genuine TLS session. Given the tactics used by this threat actor and the details in the advisory, the threat is detected by common countermeasures such as an up-to-date corporate antivirus, and the risk for most organizations is likely minimal.

The Proficio Threat Intelligence Recommendations:

  • Add the seven IP IOCs (indicators of compromise) flagged by US-CERT in the MAR (malware analysis report) to a firewall blocklist and a SIEM monitoring watchlist.
  • Keep antivirus products up to date; the samples analyzed had good detection rates across antivirus vendors.
  • Disable File and Printer Sharing services if not required for business needs.
  • Restrict users' ability to install and run unwanted software applications.
  • Exercise caution when opening email attachments.
  • Enable personal, host-based firewalls on individual workstations to deny unsolicited connection requests.
Source of Analysis - Click Here
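"Fake TLS" on port 443 is catchable because a real TLS session has to start with a well-formed ClientHello, and imitations usually do not. The following is an added example, not from the US-CERT report: the report says only that TYPEFRAME uses a fake TLS mechanism and gives no byte-level detail, so the check below validates the generic TLS record and handshake headers, and the "fake" byte strings are constructed patterns rather than real TYPEFRAME captures.

```python
"""Distinguish a genuine TLS ClientHello from "fake TLS" traffic on tcp/443.
Added example, not from the US-CERT report: the report states only that
TYPEFRAME uses a fake TLS mechanism and gives no byte-level detail, so the
fake samples below are constructed patterns, not real TYPEFRAME captures.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APP_DATA = 0x17
CLIENT_HELLO = 0x01
# Record-layer / legacy versions seen in real ClientHellos (SSL 3.0 .. TLS 1.2).
RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
CLIENT_VERSIONS = RECORD_VERSIONS | {0x0304}


def looks_like_client_hello(data):
    """Return (ok, reason) after validating the TLS record header, the handshake
    header and the fixed-size prefix of the ClientHello body (version, random,
    session-id length).  Anything that fails is a candidate for fake TLS."""
    if len(data) < 44:                      # 5 record + 4 handshake + 2 + 32 + 1
        return False, "too short for a ClientHello"
    ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    if ctype == TLS_APP_DATA:
        return False, "application data without a preceding handshake"
    if ctype != TLS_HANDSHAKE:
        return False, f"record type 0x{ctype:02x} is not handshake"
    if rec_ver not in RECORD_VERSIONS:
        return False, f"record version 0x{rec_ver:04x} is not a TLS version"
    hs_type = data[5]
    hs_len = int.from_bytes(data[6:9], "big")
    if hs_type != CLIENT_HELLO:
        return False, f"handshake type 0x{hs_type:02x} is not ClientHello"
    if hs_len + 4 != rec_len:
        return False, "handshake length does not match record length"
    client_ver = struct.unpack("!H", data[9:11])[0]
    if client_ver not in CLIENT_VERSIONS:
        return False, f"client version 0x{client_ver:04x} is not a TLS version"
    if data[43] > 32:                       # session id length follows the 32-byte random
        return False, "session id longer than 32 bytes"
    return True, "plausible ClientHello"


def build_client_hello(random_bytes=b"\x11" * 32):
    """Minimal well-formed TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = (b"\x03\x03" + random_bytes + b"\x00"   # version, random, empty session id
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00")                         # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed "fake TLS" patterns: application data with no handshake, a
# correct record header around non-handshake bytes, and inconsistent lengths.
FAKE_SAMPLES = {
    "app_data_first": b"\x17\x03\x01\x00\x40" + b"\x00" * 64,
    "garbage_in_handshake": b"\x16\x03\x01\x00\x40" + b"\x00" * 64,
    "bad_lengths": b"\x16\x03\x01\x00\x40\x01\x00\x00\x10" + b"\x00" * 60,
}

if __name__ == "__main__":
    print("real:", looks_like_client_hello(build_client_hello()))
    for name, blob in FAKE_SAMPLES.items():
        print(name + ":", looks_like_client_hello(blob))
```

A network sensor would apply this to the first client-to-server segment of each new connection on 443; a full protocol decoder (Suricata's TLS parser, Zeek's SSL analyzer) does the same thing more thoroughly and will log sessions on 443 that never complete a handshake.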

Vulnerability: Zero-Day Flash Flaw

June 9, 2018

On June 7, 2018, security firm Qihoo 360 identified a new zero-day flaw in Adobe Flash that allows malicious code to run on a victim's system without the user's knowledge. Attackers have been gaining access to victims' devices by emailing Microsoft Office documents that contain a malicious SWF file; when the document is opened, the embedded Flash content contacts a remote server under the attackers' control. At this time the attackers appear to be targeting only organizations located in the Middle East.

The flaw is tracked as CVE-2018-5002. Adobe has issued an advisory summarizing the vulnerability and providing patches across all operating systems for the Adobe Flash desktop runtime and the Chrome, Edge and Internet Explorer browser plugins. Flash versions 29.0.0.171 and earlier are vulnerable; Adobe's update to version 30.0.0.113 patches the vulnerability.

The Proficio Threat Intelligence Recommendations:

  • Immediately ensure that Adobe Flash is updated to the latest version.
  • Configure browsers to require explicit permission (click-to-play) every time Flash content attempts to run.
General Info - Click Here
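Because the lure is an Office document carrying a SWF, mail gateways and analysts can look for Flash inside the document container itself rather than waiting for the exploit to fire. The following is an added example, not from Qihoo 360's or Adobe's write-ups: it opens an OOXML file as a zip and flags parts that are SWF files by extension or by magic bytes. The document it builds is constructed for illustration, and the embedded part carries only the SWF header bytes; it is not a real SWF and not the CVE-2018-5002 exploit.

```python
"""Scan an OOXML document (docx/xlsx/pptx) for embedded Flash content.
Added example, not from Qihoo 360's or Adobe's write-ups.  The document built
below is constructed for illustration, and its embedded part carries only the
SWF magic bytes: it is not a real SWF and not the CVE-2018-5002 exploit.
"""
import io
import zipfile

# Uncompressed, zlib-compressed and LZMA-compressed SWF headers.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_embedded_swf(doc_bytes):
    """Return (part_name, reason) for every zip member that is an SWF, judged by
    extension or by magic bytes, since an attacker can rename the part."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as part:
                head = part.read(3)          # only the magic bytes are needed
            reasons = []
            if info.filename.lower().endswith(".swf"):
                reasons.append("swf extension")
            if head in SWF_MAGICS:
                reasons.append("SWF magic %r" % head)
            if reasons:
                hits.append((info.filename, ", ".join(reasons)))
    return hits


def build_sample_docx(embed_swf=True):
    """Constructed minimal OOXML container, optionally carrying an SWF part
    renamed to look like an image so that an extension check alone misses it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image2.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if embed_swf:
            zf.writestr("word/media/image1.png", b"CWS\x0a" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in find_embedded_swf(build_sample_docx()):
        print(f"embedded Flash in {name}: {why}")
```

Flash can also arrive inside a legacy OLE binary (.doc/.xls) or as an ActiveX part, which this zip-level scan does not unpack; the same magic-byte test applies once those streams are extracted.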