Microsoft Links Austrian Spyware Vendor "DSIRF" to Knotweed Threat Group via Subzero Malware Use
Microsoft has linked the Knotweed threat group to an Austrian spyware vendor that is currently targeting organizations in Europe and Central America with the "Subzero" malware toolkit. The Austrian spyware vendor is operating under the name "DSIRF" and promotes itself as providing "information research, forensics, and data-driven intelligence services to corporations." Researchers identified multiple links between DSIRF and the development/attempted sale of Subzero, which is a malicious tool utilized by the Knotweed threat group. Post-compromise actions of attacks utilizing Subzero include credential dumping via "comsvcs.dll", attempting to access emails from a Knotweed IP address, using Curl to download Knotweed tooling from public file shares, and "running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF". RiskIQ researchers also analyzed the Knotweed command-and-control (C2) domain's IP address and identified various additional domains with direct links to DSIRF, including the company's primary website and several subdomains appearing to be used for malware development. Microsoft also added the typical tactics, techniques, and procedures (TTPs) of the Knotweed threat group to their report. This includes deploying “Corelump”, a primary payload, and “Jumplump”, a heavily obfuscated malware loader, in observed attacks utilizing the Subzero malware. Microsoft also described the capabilities of the primary Subzero payload, which include capturing screenshots, keylogging, exfiltrating data, and running arbitrary plugins as well as remote shells. Microsoft researchers noted multiple zero-day vulnerabilities used in Knotweed campaigns, which now include the recently patched Windows CSRSS elevation of privileges flaw tracked as CVE-2022-22047.
Current victims of Knotweed include "law firms, banks, and strategic consultants in countries such as Austria, the United Kingdom, and Panama", but CTIX analysts will provide an update if the threat group's target scope evolves. An in-depth analysis of the linkage between Knotweed and DSIRF as well as indicators of compromise can be viewed in Microsoft's report linked below.
Microsoft Researchers Identify Stealthy IIS Backdoors
Microsoft Internet Information Services (IIS), a web server platform built into Windows Server, has seen an uptick in malicious extensions according to the Microsoft 365 Defender Research Team. The platform allows developers to add pre-built extensions to their website, similar to plugins in WordPress and other content management systems. The extensions are built using native C and C++ or managed C# and Visual Basic .NET, though many of the malicious extensions are developed using the managed languages. The researchers identified four (4) different types of IIS backdoors:
- Web shells: Malware that exposes a command-line interface using HTTP requests.
- Open-source variants: Custom backdoors that are publicly hosted on services like GitHub.
- IIS handlers: Backdoors that integrate themselves into the IIS pipeline.
- Credential stealers: Malware that monitors authentication pages and sends credentials back to the attacker.
Between January and May 2022, the 365 Defender Research Team detected a campaign targeting Microsoft Exchange servers using the ProxyShell exploit. Following a successful attack, the threat actors dropped a custom IIS backdoor with the file name "FinanceSvcModel.dll". The backdoor had advanced, built-in Exchange management operation capabilities, allowing the attacker to explore mailbox accounts and exfiltrate emails. The exfiltration functionality utilized IIS to start the process. By sending a specially crafted POST request with the cookie "EX_TOKEN" set, the malware created a mailbox export request using values stored in the cookie. To run commands, the malware uses the "PowerShDLL" toolkit, which allows PowerShell command execution without using the powershell.exe binary, a technique that can evade some endpoint detection software. Microsoft researchers outline multiple defenses against this and other backdoors such as applying the latest security updates, keeping built-in anti-virus enabled, reviewing sensitive roles and groups, practicing the principle of least-privilege, monitoring alerts, and inspecting configuration files and the binary folders for malware.
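A hunt for the request pattern described above, as an added example that is not taken from Microsoft's report: it scans IIS W3C logs for POST requests whose cookie header carries "EX_TOKEN" and reports log sections where the cookie field is not recorded at all. It assumes cs(Cookie) logging is enabled on the site; the log lines, URL paths and addresses are constructed samples.

```python
# Constructed sample of an IIS W3C extended log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip cs(Cookie) sc-status
2022-03-01 10:00:01 GET /owa/auth/logon.aspx 198.51.100.7 ClientId=ABC123 200
2022-03-01 10:00:05 POST /owa/auth/logon.aspx 203.0.113.9 ClientId=X1;+EX_TOKEN=constructed-value 200
2022-03-01 10:00:09 POST /ews/exchange.asmx 198.51.100.7 - 200
2022-03-01 10:00:12 GET /owa/ 203.0.113.9 EX_TOKEN=constructed-value 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2022-03-01 10:01:00 203.0.113.9 POST /owa/auth/logon.aspx 200
"""

def parse_w3c(text):
    """Yield one dict per request, honouring every #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def cookie_names(raw):
    """IIS writes '-' for an empty field and '+' in place of spaces."""
    if raw in ("", "-"):
        return set()
    parts = raw.replace("+", " ").split(";")
    return {p.strip().split("=", 1)[0] for p in parts if p.strip()}

def find_ex_token_posts(text, cookie="EX_TOKEN"):
    """Return (date, time, client IP, URI) for POSTs carrying the cookie."""
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "POST":
            continue
        if cookie in cookie_names(row.get("cs(Cookie)", "-")):
            hits.append((row["date"], row["time"], row["c-ip"], row["cs-uri-stem"]))
    return hits

def sections_without_cookie_field(text):
    """Count #Fields headers lacking cs(Cookie): requests there cannot be hunted."""
    return sum(1 for line in text.splitlines()
               if line.startswith("#Fields:") and "cs(Cookie)" not in line.split())
```

The last sample request is a POST logged without the cookie field, so it yields no hit; the visibility-gap count is what tells an analyst that an empty result for that section proves nothing.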
Threat Actor Activity
LockBit 3.0 and BlackMatter Ransomware Source Code Similarities Uncovered
Trend Micro researchers have emphasized the similarities between the recently released "LockBit 3.0" ransomware, aka "LockBit Black", and "BlackMatter" ransomware in their latest report. BlackMatter is a known rebrand variant of the "DarkSide" ransomware that dissipated in November of 2021. Researchers analyzed unpacked samples of LockBit 3.0 and noted that portions of the ransomware's code appear to be taken from BlackMatter's source code. LockBit 3.0 and BlackMatter have an identical routine of performing API harvesting, which involves hashing the API names of a dynamically linked library (DLL) and then comparing the hashes to the list of APIs the ransomware requires. The XOR key utilized for renaming APIs is also identical between the two (2) ransomwares. The anti-debugging technique used in BlackMatter and LockBit 3.0 to crash debuggers by adding a breakpoint is identical as well. Both ransomwares employ threading rather than directly calling an API in order to make analysis more difficult. Researchers also noted that LockBit 3.0 retains specific BlackMatter routines for privilege escalation and utilizes the same technique as BlackMatter to delete shadow copies. Researchers emphasized that "it would be no surprise if some of BlackMatter's affiliates had joined the ranks of the LockBit group, considering LockBit's recent rise in notoriety, which would explain the many similarities between the two pieces of ransomware." An in-depth analysis of additional similarities as well as indicators of compromise can be viewed in Trend Micro's report linked below.
North Korean Hackers Use Malicious Browser Extension to Steal Email Information
Threat actors backed by North Korea have been operating an information-stealing browser extension for about a year, harvesting personal user information from victims’ Chrome, Edge, or Whale browsers. The threat group, tracked as Kimsuky and Thallium, is a nation-state organization that has been active since 2012 and primarily focuses on cyberespionage campaigns. Kimsuky has targeted several major countries including South Korea, the United States, Russia, and European nations. The group often conducts its malicious acts to gain further intelligence on security issues tied to the Korean region, nuclear policy, and ever-growing sanctions. In this nearly year-long campaign, Kimsuky has been utilizing this malicious extension (dubbed SHARPEXT) as its persistence method after initially compromising the victim's device. SHARPEXT has the capabilities to parse and harvest information from emails in Gmail and AOL inboxes as well as send requests to download additional emails from a web page. Since the extension does not physically attempt to sign into the user's email account, security alerts are not tripped, and the user is not notified of any compromise. While malicious browser extensions have been a part of the threat landscape for a long time, their use as a persistence mechanism is relatively new and has the potential of being more commonly utilized in the future by threat organizations globally. CTIX continues to monitor threat actors worldwide and will provide additional updates accordingly.
Critical Flaw in Dahua IP Cameras Allows Attackers to Take Complete Control of Vulnerable IoT Devices
The cybersecurity firm Nozomi Networks has identified a high-severity vulnerability affecting the Open Network Video Interface Forum (ONVIF) implementation of certain IP security cameras produced by the Chinese firm Dahua Technology. The flaw, tracked as CVE-2022-30563, is a packet replay attack vulnerability which, if exploited, allows attackers to take full control of vulnerable internet-facing cameras. ONVIF is an open-source forum that promotes and develops standards dictating how IP-based cameras and other physical security IoT devices communicate in a "vendor-agnostic manner." Specifically, the vulnerability exists in the authentication mechanism deployed in certain Dahua IP cameras known as "WS-UsernameToken". Using a network packet analyzer to exploit this vulnerability, threat actors perform a man-in-the-middle (MITM) attack, capturing the HTTP packets associated with an authentication request in ONVIF. If the attackers successfully capture even a single unencrypted login packet, they can replay that exact packet along with a forged "CreateUsers" request to add themselves as administrators. They can then access any of the vulnerable devices with full privileges, allowing them to perform unauthorized activities like watching live camera feeds, locking or unlocking smart doors, and performing maintenance operations. These attacks could pose a threat to national security due to these IoT cameras being used in critical infrastructure to oversee production processes and provide remote visibility to engineers and security staff. Malicious state-sponsored threat actors and adversaries could exploit this vulnerability to conduct persistent video reconnaissance prior to an attack, giving them real-time intelligence of the target environment.
This could allow threat actors to find new physical and technological vulnerabilities that could be exploited to conduct devastating cyberattacks against industrial control systems (ICS) and physically disrupt critical production processes. This vulnerability has been successfully patched, and CTIX analysts urge any administrators or security personnel utilizing Dahua IoT devices to ensure they are updating their devices to the latest secure version of the firmware. Aside from patching vulnerable IP cameras, organizations are strongly recommended to limit the presence of these public internet-facing IoT devices to the bare minimum, as well as using secure protocols like HTTPS.
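Why a captured "WS-UsernameToken" can be replayed, and the server-side check that stops it, as an added example that is not Dahua firmware code or Nozomi's analysis. The digest formula is the one from the WS-Security UsernameToken profile; the two verifier classes, the five-minute window and the sample credential are assumptions made for illustration.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"
USERS = {"admin": "constructed-password"}  # constructed sample credential

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def make_token(user: str, password: str, created: datetime, nonce: bytes) -> dict:
    """What a legitimate client sends; every field is readable on plain HTTP."""
    stamp = created.strftime(FMT)
    return {"username": user, "nonce": base64.b64encode(nonce).decode(),
            "created": stamp, "digest": password_digest(nonce, stamp, password)}

class DigestOnlyVerifier:
    """Hypothetical weak check: a valid digest is accepted any number of times."""
    def __init__(self, users: dict):
        self.users = users

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.users.get(token["username"])
        if password is None:
            return False
        nonce = base64.b64decode(token["nonce"])
        expected = password_digest(nonce, token["created"], password)
        return hmac.compare_digest(expected, token["digest"])

class ReplaySafeVerifier(DigestOnlyVerifier):
    """Same digest check plus a freshness window and a seen-nonce cache."""
    def __init__(self, users: dict, max_age: timedelta = timedelta(minutes=5)):
        super().__init__(users)
        self.max_age = max_age
        self.seen = {}  # nonce (base64) -> time after which it may be forgotten

    def verify(self, token: dict, now: datetime) -> bool:
        if not super().verify(token, now):
            return False
        created = datetime.strptime(token["created"], FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.max_age:
            return False  # stale (or far-future) Created timestamp
        self.seen = {n: t for n, t in self.seen.items() if t > now}
        if token["nonce"] in self.seen:
            return False  # nonce already used inside the window
        self.seen[token["nonce"]] = created + self.max_age
        return True
```

The token authenticates only the sender, not the request body it travels with, so transport encryption (HTTPS, as recommended above) is still needed to keep the token from being captured in the first place.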
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed and the CTIX team (email@example.com) for threat intelligence inquiries.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.