Prestige Ransomware Emerges, Targets Ukraine and Poland
A new ransomware variant has emerged in the wild and is being used in targeted attacks against the transportation and logistics sectors in Ukraine and Poland. The variant has been dubbed 'Prestige', after the name its own ransom note gives it, 'Prestige ranusomeware' (sic). Microsoft is clustering the tactics, techniques, and procedures (TTPs) and indicators of compromise from this activity under the designation DEV-0960. Prior to deployment, DEV-0960 executes stage-one malicious scripts through the remote-execution utilities RemoteExec and Impacket, followed by open-source tooling used to obtain highly privileged (system administrator) credentials. Once the groundwork for the ransomware attack is laid, Prestige is deployed and spread throughout the victim's infrastructure. The payload is copied to remote systems and launched there either through a remotely created scheduled task or through a PowerShell command invoked remotely; it can also be copied to an Active Directory domain controller and distributed to domain members through Group Policy. DEV-0960's targeting is consistent with Russian state interests in the Russia-Ukraine conflict. CTIX analysts will continue to monitor the evolution of ransomware throughout the landscape and provide additional details accordingly.
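As an added illustration of how the distribution pattern above (payload copied to a remote system, then launched by a scheduled task or a PowerShell command) can be hunted for in Windows Security event logs, the following Python script is not from the page or from Microsoft's report. It correlates a write into the ADMIN$ share (Event ID 5145) with a scheduled task creation (4698) or an encoded-PowerShell process creation (4688) on the same host inside a short window. The host names, IP addresses, file name and task XML are constructed sample data, and the field layout is a simplification of the real event schemas.

```python
import base64
import re
from datetime import datetime, timedelta

# Encoded PowerShell as an attacker passes it to -EncodedCommand: base64 of UTF-16LE text.
ENCODED = base64.b64encode("Start-Process C:\\Windows\\update.exe".encode("utf-16-le")).decode()

# Constructed sample events (not real telemetry). Field names are simplified from the
# Windows Security event schemas: 5145 (network share object checked), 4698 (scheduled
# task created), 4688 (process creation, with command-line logging enabled).
EVENTS = [
    # WS-04: a remote host writes update.exe into ADMIN$ (= %SystemRoot%), then a task runs it
    {"id": 5145, "host": "WS-04", "time": "2022-10-11T10:01:02", "src_ip": "10.0.5.20",
     "share": "\\\\*\\ADMIN$", "object": "\\update.exe", "access": "WriteData"},
    {"id": 4698, "host": "WS-04", "time": "2022-10-11T10:01:40", "subject": "CORP\\svc_backup",
     "task": "<Exec><Command>C:\\Windows\\update.exe</Command></Exec>"},
    # WS-07: same drop, launched through encoded PowerShell instead of a task
    {"id": 5145, "host": "WS-07", "time": "2022-10-11T10:03:15", "src_ip": "10.0.5.20",
     "share": "\\\\*\\ADMIN$", "object": "\\update.exe", "access": "WriteData"},
    {"id": 4688, "host": "WS-07", "time": "2022-10-11T10:03:50",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + ENCODED},
    # WS-09: benign software push; the task that follows does not run the dropped file
    {"id": 5145, "host": "WS-09", "time": "2022-10-11T10:05:00", "src_ip": "10.0.1.5",
     "share": "\\\\*\\ADMIN$", "object": "\\Temp\\agent_setup.msi", "access": "WriteData"},
    {"id": 4698, "host": "WS-09", "time": "2022-10-11T10:05:30", "subject": "CORP\\deploy",
     "task": "<Exec><Command>C:\\Program Files\\Backup\\agent.exe</Command></Exec>"},
]


def ts(s):
    return datetime.fromisoformat(s)


def decode_powershell(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE) or '' if none is present."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def admin_share_drops(events):
    """(host, time, dropped file basename, source IP) for remote writes into ADMIN$."""
    drops = []
    for e in events:
        if e["id"] == 5145 and e["share"].upper().endswith("ADMIN$") and "WriteData" in e["access"]:
            name = e["object"].rsplit("\\", 1)[-1].lower()
            drops.append((e["host"], ts(e["time"]), name, e["src_ip"]))
    return drops


def follow_on_execution(events):
    """(host, time, kind, lower-cased text to search) for task creations and encoded PowerShell."""
    found = []
    for e in events:
        if e["id"] == 4698:
            found.append((e["host"], ts(e["time"]), "scheduled_task", e["task"].lower()))
        elif e["id"] == 4688 and e["image"].lower().endswith("powershell.exe"):
            decoded = decode_powershell(e["cmdline"])
            if decoded:
                found.append((e["host"], ts(e["time"]), "encoded_powershell", decoded.lower()))
    return found


def correlate(events, window=timedelta(minutes=10)):
    """Alert when a file dropped through ADMIN$ is referenced by a scheduled task or an
    encoded PowerShell command on the same host within `window`."""
    alerts = []
    execs = follow_on_execution(events)
    for host, t_drop, name, src in admin_share_drops(events):
        for h, t_exec, kind, text in execs:
            if h == host and t_drop <= t_exec <= t_drop + window and name in text:
                alerts.append({"host": host, "dropped": name, "from": src, "via": kind})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The third route, distribution through a Group Policy Object, is not covered by this correlation; it would need directory-service change auditing (Event ID 5136 on the domain controllers) for edits to the Default Domain Policy rather than share and task events on the endpoints.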
Threat Actor Activity
Operation CuckooBees Revived, APT41 Targets Organizations in Hong Kong
APT41 threat actors have launched a campaign targeting organizations throughout Hong Kong. Based on known tactics, techniques, and procedures (TTPs), this is likely a continuation of Operation CuckooBees. The original espionage operation was a massive intellectual property theft campaign that allowed APT41 to exfiltrate hundreds of gigabytes of research documentation, source code, manufacturing data, formulas, and diagrams; the majority of those intrusions occurred in East Asia, North America, and Western Europe. The recent activity was uncovered when security analysts from Symantec identified traces of the Spyder Loader trojan, the modular loader used in the original campaign. Symantec analysts also noted that while the final payload was not recovered in their analysis, the presence of Spyder Loader strongly suggests a continuation of Operation CuckooBees and broader intelligence collection. A further similarity between the two sets of attacks is the use of "rundll32.exe" to load the malware prior to execution on the compromised system. CTIX analysts will continue to monitor activity surrounding this campaign and will provide additional updates as they become available.
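Because the rundll32.exe loader behaviour is the one concrete host artifact noted above, here is an added Python hunt (not from the page or from Symantec) over constructed process-creation records that flags rundll32 invocations which load a module from a user-writable directory, without a .dll extension, by ordinal, or with no export at all. The host names, paths and command lines are invented, and the heuristics are general rundll32-abuse indicators rather than anything specific to Spyder Loader.

```python
import re

# Directories commonly writable by non-admin users; a module loaded by rundll32 from one of
# these deserves a look. The list is a general heuristic, not an observed indicator.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\", "\\public\\")

# Constructed sample (host, command line) pairs as they would appear in Security 4688 or
# Sysmon Event 1 records with command-line logging enabled; not real telemetry.
EVENTS = [
    ("SRV-01", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ("SRV-01", r"rundll32.exe C:\Windows\System32\user32.dll,LockWorkStation"),
    ("SRV-02", r"rundll32.exe C:\Users\Public\update.dat,Start"),
    ("SRV-02", r'"C:\Windows\System32\rundll32.exe" "C:\ProgramData\Sync Tools\sync.dll",#1'),
    ("SRV-03", r"rundll32.exe C:\Windows\Temp\ld.dll"),
    ("SRV-03", r"notepad.exe C:\Users\bob\notes.txt"),
]

# rundll32[.exe], optionally quoted and/or with a leading path, followed by its arguments
RUNDLL = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?(?:\s+(?P<rest>.*))?$', re.I)
# rundll32 syntax is "<module>,<export> [args]"; the module path may be quoted
ARG = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))\s*,?\s*(?P<exp>[^\s,]*)')


def parse_rundll32(cmdline):
    """Return (module_path, export) for a rundll32 command line, or None if it is not rundll32."""
    m = RUNDLL.match(cmdline)
    if not m:
        return None
    rest = m.group("rest") or ""
    a = ARG.match(rest)
    if not a:
        return ("", "")
    return (a.group("q") or a.group("u") or "", a.group("exp") or "")


def reasons(module, export):
    """Heuristic flags for a rundll32 invocation; an empty list means nothing stood out."""
    out = []
    low = module.lower()
    if not module:
        out.append("no module argument")
    else:
        if any(d in low for d in USER_WRITABLE):
            out.append("module in user-writable path")
        if not low.endswith(".dll"):
            out.append("module without .dll extension")
    if module and not export:
        out.append("no export name")
    elif export.startswith("#"):
        out.append("export by ordinal")
    return out


def hunt(events):
    """Return [(host, cmdline, reasons)] for every rundll32 invocation with at least one flag."""
    hits = []
    for host, cmdline in events:
        parsed = parse_rundll32(cmdline)
        if parsed is None:
            continue
        flags = reasons(*parsed)
        if flags:
            hits.append((host, cmdline, flags))
    return hits


if __name__ == "__main__":
    for host, cmdline, flags in hunt(EVENTS):
        print(host, "|", cmdline, "|", ", ".join(flags))
```

In a mature environment these flags are best combined with a baseline of the module and export pairs that rundll32 legitimately loads on each host class, since signed system DLLs invoked from System32 with a named export (the SRV-01 lines) are routine and produce noise if flagged on their own.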
Windows MotW Zero-day Vulnerability Receives Unofficial Patch from 0patch
The 0patch micropatching service has released an unofficial security patch to mitigate a zero-day vulnerability in the Microsoft Windows Mark-of-the-Web (MotW) security mechanism that is being actively exploited in the wild. MotW is the label Windows attaches to files that arrive from an untrusted source such as an Internet download; it records the security zone the file came from (on NTFS it is stored as a Zone.Identifier alternate data stream) and, for saved web pages, makes the browser render them in the zone of their origin rather than as local content. Windows security zones (Local Machine, Local Intranet, Trusted Sites, Internet, and Restricted Sites) group origins that share the same access policy, and content from the Internet and Restricted Sites zones is treated as untrusted. When a file carries the mark, the operating system, web browsers, and applications such as Microsoft Office treat it as potentially malicious: the user is warned before the file is opened and Office blocks its macros. This flaw was first identified in July 2022 by Will Dormann, a senior vulnerability researcher at ANALYGENCE, who noticed that files extracted from a MotW-tagged ZIP archive could arrive without the mark. If exploited, the vulnerability allows a threat actor to deliver crafted files inside a ZIP archive that, once extracted, are not marked by MotW, so a document's embedded malicious macros run without the warnings and blocking that normally apply, leading to malware execution on the vulnerable device. At this time there is no official patch from Microsoft; however, 0patch has developed free patches that will protect Windows users in the meantime. If customers already have a 0patch account, the patch will download automatically. Otherwise, the patch can be installed after registering a 0patch account and installing the 0patch agent. CTIX analysts will continue to monitor activity surrounding this MotW vulnerability, and an update piece may be published in a future FLASH Update.
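To make the mechanism concrete, here is an added Python example (not from the page, 0patch, or Microsoft) that shows what MotW actually is on disk and a defensive counterpart to the bypass described above: an extraction routine that propagates the archive's Zone.Identifier stream to every extracted file, defaulting to the Internet zone when the archive itself is unmarked. The archive and its members are constructed inline; writing the stream only works on NTFS under Windows, so on other platforms the routine still extracts the members and returns the stream it would have written.

```python
import os
import tempfile
import zipfile

ZONE_INTERNET = 3  # ZoneId values: 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted


def build_zone_identifier(zone_id=ZONE_INTERNET, referrer=None, host=None):
    """Build the contents of a Zone.Identifier stream (INI-style, CRLF line endings)."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer:
        lines.append(f"ReferrerUrl={referrer}")
    if host:
        lines.append(f"HostUrl={host}")
    return "\r\n".join(lines) + "\r\n"


def parse_zone_identifier(text):
    """Parse a Zone.Identifier stream into a dict of its [ZoneTransfer] keys; {} if absent."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def read_motw(path):
    """Parsed Zone.Identifier stream of `path`, or None if the file has none.
    Alternate data streams exist only on NTFS, so outside Windows this always returns None."""
    if os.name != "nt":
        return None
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def write_motw(path, stream_text):
    """Attach the stream to `path`. Returns False where ADS is unsupported (non-Windows)."""
    if os.name != "nt":
        return False
    with open(path + ":Zone.Identifier", "w", encoding="utf-8", newline="") as f:
        f.write(stream_text)
    return True


def extract_with_motw(archive_path, dest, zone_id=None):
    """Extract a ZIP and give every extracted file the archive's own zone. An unmarked or
    unreadable archive is treated as Internet content, the conservative choice.
    Returns {relative path: stream text written (or that would have been written)}."""
    if zone_id is None:
        fields = read_motw(archive_path) or {}
        zone_id = int(fields.get("ZoneId", ZONE_INTERNET))
    stream = build_zone_identifier(zone_id)
    marked = {}
    with zipfile.ZipFile(archive_path) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            # ZipFile.extract strips drive letters, leading separators and ".." components,
            # so a crafted member name cannot escape `dest`.
            out = zf.extract(member, dest)
            write_motw(out, stream)
            marked[os.path.relpath(out, dest)] = stream
    return marked


def demo():
    """Build a constructed two-member archive in a temp dir and extract it with MotW applied."""
    workdir = tempfile.mkdtemp()
    archive = os.path.join(workdir, "invoice.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.docm", b"constructed sample, not a real document")
        zf.writestr("attachments/readme.txt", b"constructed sample")
    return extract_with_motw(archive, os.path.join(workdir, "extracted"))


if __name__ == "__main__":
    for name, stream in demo().items():
        print(name, parse_zone_identifier(stream))
```

On a Windows host the same check can be done by hand with `Get-Content -Stream Zone.Identifier` on an extracted file: a document that came out of an Internet-sourced archive and has no such stream is exactly the condition the bypass produces.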
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.