Subscription-Based Malware Prynt Stealer Recently Observed in the Wild
A new info-stealer malware called "Prynt Stealer" was recently spotted in the wild by Cyble research labs. Prynt Stealer is advertised as a subscription-based tool, with subscription options of $100/month, $200/quarter, $700/year or $900 for a lifetime license. Currently, the malware, which is customizable by the purchaser, can steal data from over thirty (30) Chromium-based browsers, at least five (5) Firefox-based browsers, three (3) confirmed VPNs, and a range of FTP, messaging, and gaming apps. The malware begins by scanning all host drives and exfiltrates files that are smaller than 5,120 bytes. Next, it targets autofill data, credentials, payment card info, browser search history, and cookies stored in browsers. Prynt Stealer then targets messaging apps (Discord, Telegram, etc.) as well as gaming authorization files before querying the registry for cryptocurrency wallets to empty. Data and credentials for VPNs are stolen, and the malware lastly enumerates and screenshots the currently running processes, network credentials, and the Windows product key. Exfiltration occurs through a Telegram bot that uses a secure encrypted network connection to send the compressed data to a remote server. In addition to the previously mentioned data-stealing tactics, Prynt Stealer is also equipped with a clipper tool that monitors the compromised machine's clipboard to identify and replace cryptocurrency addresses, and a keylogger designed to perform bulk information stealing. Additional details as well as indicators of compromise (IOCs) can be reviewed in Cyble's report linked below.
Quantum Ransomware Attack Concludes Four Hours After Initial Infection
On April 25, 2022, researchers at The DFIR Report detailed the current tactics, techniques, and procedures (TTPs) of the Quantum ransomware, first discovered in August of 2021, and their recent observation of a domain-wide compromise by the ransomware within four (4) hours. The researchers detailed that the initial access vector was an IcedID payload within an ISO image delivered via a phishing email, which took two (2) hours to execute after the initial infection. Once executed, Cobalt Strike and Remote Desktop Protocol (RDP) were utilized via process hollowing and injection techniques in order to move laterally across the network. Then, Windows Management Instrumentation (WMI) and PsExec were utilized to deploy the Quantum ransomware. The entire process had a total Time-to-Ransom (TTR) of three (3) hours and forty-four (44) minutes, which the researchers noted is exceptionally short. This rapid speed, in combination with attacks of this type typically occurring during the weekend or late into the night, does not leave corporations with a large time frame to detect and respond before a total compromise occurs. The data exfiltration status was not disclosed by The DFIR Report, but BleepingComputer did note that Quantum ransomware attacks commonly exfiltrate data and "leak it in double-extortion schemes", which involves the exfiltration of large amounts of confidential data before encrypting the victim's files. An in-depth analysis of the observed Quantum ransomware attack as well as indicators of compromise (IOCs) can be reviewed in The DFIR Report's posting linked below.
Threat Actor Activity
APT37 Targets Journalists in New Goldbackdoor Campaign
A growing threat organization believed to be tied to the North Korean government has launched a malicious campaign targeting journalists with the goal of extracting sensitive information from their devices. APT37, otherwise tracked as InkySquid, Reaper, and ScarCruft, is a state-backed espionage organization that has been active since 2012. APT37 primarily targets entities within South Korea but has gone as far as Japan, Romania, China, and other surrounding Middle Eastern countries. In this campaign, APT37 threat actors impersonated NK News and disseminated the "Goldbackdoor" malware to journalists using a spear-phishing campaign. Goldbackdoor is a multi-stage program: it first opens a decoy document and tests for security protections, then runs a PowerShell script that downloads an XOR-encoded payload and executes it on the system. Goldbackdoor allows threat actors to execute arbitrary commands on the system, conduct file collection, log keystrokes, and remotely purge itself from the system. As this campaign is still ongoing, CTIX analysts continue to urge users to verify all email correspondence prior to executing any file downloads or visiting any embedded links to lessen the chance of threat actor compromise.
Emotet Test Campaign Observed with New Tactics and Techniques
A minimal Emotet campaign was recently unleashed with newly observed tactics and techniques, specifically the incorporation of OneDrive and XLL files into the botnet's delivery chain. The threat actors tied to this Emotet activity are TA542, a threat organization that commonly deploys Emotet in its campaigns and has closely maintained control of the botnet since 2014. TA542 primarily targets entities throughout the Americas, Europe, Asia, and Australia with common attack vectors of credential harvesting, phishing campaigns, and social engineering techniques. This new Emotet campaign was deployed between April 4, 2022, and April 19, 2022, and had characteristics that differentiate it from other campaigns tied to this botnet. Typically, when an Emotet campaign is deployed, a massive number of messages are sent out to thousands of victims; however, in this case, a significantly smaller number of messages was distributed. In addition, this campaign utilized OneDrive URLs rather than the more common malware-laced Office documents. Furthermore, rather than macro-laden documents, this campaign was observed using XLL files, add-ins that extend the functionality of Microsoft Excel. With such a low level of activity from this campaign, security researchers indicate this was a campaign to test out new capabilities of Emotet and will likely be followed by a much larger campaign in the coming months. CTIX will continue to monitor the botnet and threat organization and provide additional updates accordingly.
Critical Vulnerability in Java Cryptography Function Bypasses Verification Checks
In Oracle's latest quarterly security update, 174 products with 401 CVE-identified bugs were patched, some dating back to 2017. Among the identified bugs, one in particular is of high interest to companies leveraging Java applications. The vulnerability, identified as CVE-2022-21449 and dubbed "Psychic Signatures," allows remote code execution (RCE) in programs that utilize Java's Elliptic Curve cryptography functions. It was discovered in November 2021 by the security researcher Neil Madden. Typically, when verifying a piece of information using cryptography, a private key is needed to prove the information was signed by the owner of the private key and was not changed. The researcher found that when passed a completely blank private key (a memory buffer filled with "0"s), the function flagged the information as valid. An attacker utilizing this exploit can modify signed information and then re-sign it with a blank key to keep the validity of the data. Unlike the Log4Shell bug, which was only exploitable if Log4j was included in the code, Psychic Signatures exists within the standard library and can potentially affect any application that uses Elliptic Curve cryptography. To mitigate the vulnerability, users should update to the latest versions of Java 7, 8, and 11. Oracle is known for not following the trend of monthly security updates that companies such as Microsoft, Adobe, and Google follow. Due to this infrequent update schedule, organizations must stay on top of Oracle product updates, as vulnerabilities in these applications could be in threat actors' hands for months before a patch is issued.
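Added example (not code from the newsletter, from Oracle, or from Neil Madden's write-up): a toy ECDSA implementation over secp256k1 that places a verifier missing the input range check beside one that enforces it. The all-zero buffer the text describes is modelled here as the signature pair (r, s) = (0, 0) handed to the verifier; the private scalar, nonce and digest values are constructed for the demonstration.

```python
# Added example (not from the newsletter or Oracle): toy ECDSA over secp256k1 showing the
# input range check that CVE-2022-21449 ("Psychic Signatures") lacked. Teaching code only:
# no hashing, no constant-time arithmetic; h is a digest already reduced to an integer.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add; mul(0, pt) is the point at infinity."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, h, k):
    """Textbook ECDSA: r = (kG).x mod N, s = k^-1 (h + r d) mod N."""
    r = mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (h + r * d) % N)

def verify_unchecked(Q, h, sig):
    """Verifier without the range check. s = 0 has no inverse; code that quietly maps
    it to 0 gets two zero scalars, R = infinity, an 'x' of 0, and 0 == r succeeds."""
    r, s = sig
    w = 0 if s % N == 0 else pow(s, -1, N)
    R = add(mul(h * w % N, G), mul(r * w % N, Q))
    return (0 if R is None else R[0]) % N == r % N

def verify_checked(Q, h, sig):
    """Fixed verifier: reject unless 1 <= r, s <= N-1 before touching the curve."""
    r, s = sig
    return 1 <= r < N and 1 <= s < N and verify_unchecked(Q, h, sig)

# Constructed demo values (not real keys): private scalar, nonce, digest, signatures.
PRIV_D = 0x1F3D5B799BDF13579BDF13579BDF13579BDF13579BDF13579BDF13579BDF1357
PUB_Q = mul(PRIV_D, G)
DIGEST = 0xCAFEBABEDEADBEEF0123456789ABCDEF0123456789ABCDEFFEDCBA9876543210
GOOD_SIG = sign(PRIV_D, DIGEST, 0x5EC0DE0000000000000000000000000000000000000000000000000001)
BLANK_SIG = (0, 0)  # the all-zero buffer: accepted by verify_unchecked, rejected by verify_checked
```

The unchecked verifier accepts the blank pair for any public key and any digest, which is why the defensive fix is a bounds check on r and s before any curve arithmetic rather than anything key-specific.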
Authentication Bypass Vulnerability Patched in Atlassian Jira Products
Atlassian, an Australian software company known for tools like Jira and Trello, has issued an alert that the company's Jira products are affected by an authentication bypass vulnerability through Seraph, Atlassian's web application for security. Identified as CVE-2022-0540, this vulnerability allows remote attackers to bypass Seraph authentication by sending a crafted HTTP request to specific vulnerable endpoints. Atlassian has stated that affected products include their Jira Core Server, Data Center, Software Server, and Management Data Center. However, this vulnerability does not affect the cloud versions of Jira products. Exploiting this vulnerability requires Seraph to have specific configurations, including apps that "specify 'roles required' under the 'webwork1' action namespace level and do not specify it at an 'action' level." Apps that have been identified as being vulnerable to this CVE are listed in the Atlassian advisory linked below. Atlassian has released security updates for Jira Core Server, Software Server, and Software Data Center versions 8.22.0 and later, and for Jira Service Management version 4.22.0 and later. CTIX analysts will continue to monitor this situation and provide updates accordingly.
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days, which typically include high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.