Activity Summary - Week Ending on 23 February 2023:
- Red Sky Alliance identified 8,782 connections from new IPs checking in with our sinkholes
- A GigaHostingServices IP in Poland was hit 349x
- Analysts identified 577 'new' IP addresses participating in various botnets
- CatB Ransomware
- German Airports
- Start of a Storm
- Russia & Ukraine are Frozen
- Fog of War
Red Sky Alliance Compromised (C2) IPs

IP                Contacts
176.111.173.153   59
209.141.32.113    24
82.165.20.203     23
62.204.41.199     18
87.250.224.133    13

176.111.173.153 was reported 349 times on AbuseIPDB. Confidence of abuse: 100%. ISP: GigaHostingServices OU; Usage type: Data Center/Web Hosting/Transit; Domain name: gigahostingservices-ou.net; Country: Poland; City: Olsztyn, Warminsko-mazurskie. https://www.abuseipdb.com/check/176.111.173.153
On 22 February 2023, Red Sky Alliance identified 8,782 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants.

Red Sky Alliance Malware Activity

Malware Variant   Times Seen
sality            7969
corkow            462
shiz              145
sykipot           85
maudi             37
For a full black list – contact analysts: info@redskyalliance.com
Red Sky Alliance Botnet Tracker

On 22 February 2023, analysts identified 557 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling of botnet trackers).

First Seen            Botnet Attribution      Infected Host's IPv4 Address
2023-02-17T11:00:25   HTTP proxy|port:443     4.16.68.158
2023-02-17T22:20:46   HTTP proxy|port:3128    5.255.99.247
2023-02-17T18:30:47   HTTP proxy|port:3128    5.255.99.249
2023-02-17T18:30:51   HTTP proxy|port:3128    5.255.99.251
2023-02-17T18:50:49   HTTP proxy|port:3128    5.255.99.252
Red Sky Alliance Vessel Impersonation and Supply Chain Indicators / Last 30 Days
Vessel Impersonation Indicators:
MALICIOUS CYBER TRENDS:
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows users
Impact: Encrypts files on the compromised machine and demands a ransom for file decryption
Severity level: High

CatB Ransomware Infection Vector - The infection vector used by this group is not currently known. However, it is unlikely to differ significantly from those used by other ransomware groups.
CatB Ransomware Dropper Execution - CatB uses a dropper packaged as a Microsoft Windows Dynamic Link Library (.dll) file. Embedded within the dropper is a second .dll that contains the payload responsible for encrypting files on the victim's machine. This version of CatB uses DLL sideloading to execute the payload's code. (DLL sideloading places a malicious DLL in a directory a trusted executable loads from; when the executable asks for a DLL of that name, the attacker's DLL is loaded instead.)[1] The dropper itself is executed with the Windows "rundll32.exe" utility.
Figure 1. Terminal execution of the CatB dropper.
The dropper is packed with UPX; at run time the UPX stub unpacks the original code in memory and jumps to it.
Figure 2. Tell-tale sign a file has been packed with UPX.
Once the primary code executes, CatB creates an array of barriers to prevent analysis and execution on virtual machines/sandboxes. To validate that the malware has been loaded on a legitimate target, each barrier must be met before the payload is dropped and executed. Among the first of these is a check for the number of processors on the system.
Figure 3. Using GetSystemInfo to obtain the number of processors on the system.
Given that most modern physical Windows devices have multi-core processors, the dropper requires at least two processors to continue.
Figure 4. Using GlobalMemoryStatus to obtain the amount of RAM on the system.
In addition to multi-core processors, most current physical systems have more than 2 GB of RAM installed. Figure 4 shows the reported memory being compared against the value 0x800, which is 2048 in decimal, i.e. 2048 MB or 2 GB. The value must be this or greater to continue.
The next test involves the hard disk. Virtual machines are usually created with just enough resources to do their intended job, while a physical device will have much more.
The dropper validates that the disk on the machine meets certain criteria by calling the "DeviceIoControl" API with a control code of 0x70000 (458752 in decimal), which is IOCTL_DISK_GET_DRIVE_GEOMETRY. This control code returns the geometry of a physical disk (cylinders, tracks per cylinder, sectors per track and bytes per sector).
If all checks pass, the dropper creates the file “oci.dll”.
Figure 6. Committing “oci.dll” to disk.
As mentioned, this version of CatB uses DLL sideloading to execute the payload in "oci.dll", and the Microsoft Distributed Transaction Coordinator (MSDTC) service is the vehicle. When MSDTC starts, it loads several DLLs by name from "C:\Windows\System32"; among them is "oci.dll", normally Oracle's client library, which Windows itself does not ship, so the malicious copy CatB just wrote there is loaded in its place.
CatB changes the logon account of the MSDTC service to "LocalSystem", so that the payload will run with SYSTEM privileges, and then starts the service.
Figure 8. MSDTC process start.
Even if one anti-VM check fails, MSDTC will still be started. However, it will quickly be followed by a termination event, thereby ending the execution of CatB.
Figure 9. MSDTC taskkill event.
Otherwise, “oci.dll” begins its run to encrypt the host system.
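The execution chain above (rundll32 running the dropper, "oci.dll" written to System32, MSDTC starting shortly afterwards, and a taskkill against MSDTC when a check fails) is visible in ordinary endpoint telemetry. The following is an added example written for this page, not code from FortiGuard Labs or Red Sky Alliance: a small Python detector run over constructed Sysmon-style events (EventID 1 process create, EventID 11 file create; the field names follow Sysmon's schema, the events themselves are made up). The five-minute correlation window, the list of trusted DLL directories, and the parent process of the taskkill are assumptions.

```python
from datetime import datetime, timedelta
from typing import List, Optional

SYSTEM32 = r"c:\windows\system32"
# Assumption: DLLs loaded by rundll32 from under these roots are not flagged.
TRUSTED_DLL_DIRS = (SYSTEM32, r"c:\windows\syswow64", r"c:\program files")
# Assumption: an oci.dll drop and an MSDTC start this close together are one chain.
SIDELOAD_WINDOW = timedelta(minutes=5)


def _norm(path: str) -> str:
    return path.strip('"').replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def rundll32_dll_path(ev: dict) -> Optional[str]:
    """DLL that a rundll32 process-create event was asked to load, else None."""
    if ev["EventID"] != 1 or _basename(ev["Image"]) != "rundll32.exe":
        return None
    args = ev["CommandLine"].split(None, 1)
    if len(args) < 2:
        return None
    # rundll32 syntax is "<dll>,<export> [args]": the DLL is everything before the comma.
    return _norm(args[1].split(",", 1)[0])


def analyze(events: List[dict]) -> List[str]:
    """Walk events in time order and report the CatB-style sideloading chain."""
    findings: List[str] = []
    oci_dropped_at: Optional[datetime] = None
    msdtc_started_at: Optional[datetime] = None
    for ev in sorted(events, key=_ts):
        now = _ts(ev)
        image = _basename(ev.get("Image", ""))

        dll = rundll32_dll_path(ev)
        if dll and not dll.startswith(TRUSTED_DLL_DIRS):
            findings.append(f"rundll32 loaded DLL from untrusted path: {dll}")

        # oci.dll is Oracle's client library; Windows does not ship it, so a copy
        # appearing in System32 is worth a look no matter which process wrote it.
        if ev["EventID"] == 11 and _norm(ev["TargetFilename"]) == SYSTEM32 + r"\oci.dll":
            oci_dropped_at = now
            findings.append(f"oci.dll written to System32 by {image}")

        if ev["EventID"] == 1 and image == "msdtc.exe":
            msdtc_started_at = now
            if oci_dropped_at and now - oci_dropped_at <= SIDELOAD_WINDOW:
                findings.append("msdtc.exe started shortly after oci.dll drop: probable DLL sideload")

        if (ev["EventID"] == 1 and image == "taskkill.exe"
                and "msdtc.exe" in ev["CommandLine"].lower()
                and msdtc_started_at and now - msdtc_started_at <= SIDELOAD_WINDOW):
            findings.append("taskkill against msdtc.exe right after its start: "
                            "matches CatB aborting when an anti-VM check fails")
    return findings


# --- constructed Sysmon-style events (made up for this example) -----------------
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-02-20 10:00:01",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\Downloads\invoice.dll,#1",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "UtcTime": "2023-02-20 10:00:03",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetFilename": r"C:\Windows\System32\oci.dll"},
    {"EventID": 1, "UtcTime": "2023-02-20 10:00:05",
     "Image": r"C:\Windows\System32\msdtc.exe",
     "CommandLine": r"C:\Windows\System32\msdtc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "UtcTime": "2023-02-20 10:00:06",
     "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM msdtc.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
]
BENIGN_EVENTS = [  # legitimate rundll32 use and a routine MSDTC start, no oci.dll drop
    {"EventID": 1, "UtcTime": "2023-02-20 11:00:00",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "UtcTime": "2023-02-20 11:00:30",
     "Image": r"C:\Windows\System32\msdtc.exe",
     "CommandLine": r"C:\Windows\System32\msdtc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The benign list shows why the rules are correlated rather than fired individually: MSDTC starting under services.exe is routine, and rundll32 loading a System32 DLL is routine; only the drop of oci.dll into System32 followed by an MSDTC start (and, in the failed-check case, an immediate taskkill) is the CatB shape.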
CatB Ransomware Payload Execution - CatB looks for files to encrypt beyond just the “C:\” drive, enumerating additional mounted hard drive volumes up to “I”.
Figure 10. Looking beyond “C:\”.
The ransomware skips anything that could be considered a functional system file, so as not to prevent a possible recovery (which would eliminate any reason to pay the ransom). Interestingly, CatB does not drop a ransom note in an obvious location (e.g., the user's desktop) as other ransomware strains do. Instead, the ransom note is prepended to the top of every encrypted file.
Figure 11. Ransom note as it exists in “oci.dll”.
Figure 12. A file showing the ransom note and then the start of its encrypted contents.
As shown in Figures 11 and 12, the ransom demand is steep: 50 BTC on day 1, approximately $1,102,010.00 as of the date of this writing. The cost escalates daily until day five, after which the note states the data will no longer be recoverable.
The Bitcoin address used in this sample, along with those in similar ransomware samples FortiGuard Labs has found, held no funds at the time of writing. The only contact method given in the note is the attacker's Proton Mail address.
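Because CatB prepends the note to each encrypted file rather than dropping a separate note, an incident responder can triage suspect files by looking for exactly that shape: a printable ransom-note header at offset 0 followed by a high-entropy body. The following is an added example written for this page (not FortiGuard Labs or Red Sky Alliance code) that implements the check in Python on constructed sample data. The note wording is invented and is not the real CatB note; the marker words, the 7.2 bits/byte entropy threshold and the 4 KiB header limit are assumptions. Requiring both the note and the high-entropy body is what keeps ordinary compressed or encrypted files from being flagged.

```python
import math
import random
from collections import Counter
from typing import Dict, Tuple

ENTROPY_THRESHOLD = 7.2   # assumption: bits/byte above which a body is treated as ciphertext
HEADER_MAX = 4096         # assumption: only the first 4 KiB is examined for a note
NOTE_MARKERS = (b"bitcoin", b"decrypt", b"ransom")   # assumed ransom-note vocabulary


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_prepended_note(data: bytes) -> Tuple[int, int]:
    """Return (start, end) of a printable run at offset 0 that reads like a
    ransom note, or (-1, -1) when the file does not start with one."""
    head = data[:HEADER_MAX]
    end = 0
    while end < len(head) and (32 <= head[end] < 127 or head[end] in b"\r\n\t"):
        end += 1
    note = head[:end].lower()
    if end == 0 or not any(marker in note for marker in NOTE_MARKERS):
        return (-1, -1)
    return (0, end)


def triage(data: bytes) -> Dict[str, object]:
    """Flag a file as CatB-like only when a note is prepended AND the remainder
    is high entropy; entropy alone would also flag archives and real ciphertext."""
    start, end = find_prepended_note(data)
    note_found = start == 0
    body = data[end:] if note_found else data
    entropy = shannon_entropy(body)
    return {
        "note_found": note_found,
        "note_len": end if note_found else 0,
        "body_entropy": round(entropy, 2),
        "suspicious": note_found and entropy >= ENTROPY_THRESHOLD,
    }


# --- constructed sample data (not real CatB artifacts) --------------------------
SAMPLE_NOTE = (b"YOUR FILES HAVE BEEN ENCRYPTED.\r\n"
               b"Send 50 bitcoin to the address below within 24 hours; the price rises daily.\r\n"
               b"Contact recovery@example.invalid to decrypt.\r\n")
_rng = random.Random(1337)
_CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(8192))   # stand-in for encrypted content
ENCRYPTED_SAMPLE = SAMPLE_NOTE + _CIPHERTEXT
PLAINTEXT_SAMPLE = b"Quarterly report: revenue grew 4% on the prior period.\r\n" * 40
RANDOM_ONLY = _CIPHERTEXT   # e.g. a legitimate archive or container: high entropy, no note

if __name__ == "__main__":
    for name, blob in (("encrypted", ENCRYPTED_SAMPLE),
                       ("plaintext", PLAINTEXT_SAMPLE),
                       ("random-only", RANDOM_ONLY)):
        print(name, triage(blob))
```

The printable scan may run a few bytes past the real note when the first ciphertext bytes happen to be printable, which is harmless for triage but means the recovered note length is an upper bound, not an exact offset.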
File-based IOCs:

SHA256                                                              IOC Type
3661ff2a050ad47fdc451aed18b88444646bb3eb6387b07f4e47d0306aac6642    CatB Dropper
83129ed45151a706dff8f4e7a3b0736557f7284769016c2fb00018d0d3932cfa    Unpacked CatB Dropper
35a273df61f4506cdb286ecc40415efaa5797379b16d44c240e3ca44714f945b    CatB Payload
c8e0aa3b859ac505c2811eaa7e2004d6e3b351d004739e2a00a7a96f3d12430c    CatB Payload
512587a73cd03c6324ade468689510472c6b9e54074f3cf115aa54393b14f037    CatB Malware Family
9990388776daa57d2b06488f9e2209e35ef738fd0be1253be4c22a3ab7c3e1e2    CatB Malware Family
GLOBAL TRENDS:
Germany - Multiple German airport websites have gone offline due to a systems failure. Reports suggest that cyberattacks might be behind the outages. No airport operations have been impaired by the website troubles, so the IT issue appears to be confined to the public websites. However, continuing outages will affect passengers in the coming days, especially as other airports face strikes.
Websites under attack: So far, only four airports have had issues with their websites. The websites of Düsseldorf International Airport (DUS) and Dortmund Airport (DTM) have been unreachable. Erfurt Weimar Airport (ERF) also found its website offline today. The airport's internet provider has begun an investigation into the incident to determine if a cyberattack caused the outage. Nürnberg Airport (NUE) also had its website crash this morning. According to AP News, the airport reported that its website received so many requests in such a short period that it collapsed.[2]
While websites will have issues from time to time and may even go offline, it is uncommon for multiple airport websites to suddenly go offline around the same time as one another. Due to the close time proximity and nature of the outages, it is believed that these outages are the result of cyberattacks targeting airport infrastructure. For now, no airport operations have been disrupted by any of these outages. Airport authorities are working quickly to resolve the issues and bring the websites back online before any operations are affected by the outage.
Start of a Storm: The website outages, which could lead to operational disruptions in the coming days, come a day before a massive daylong strike. The trade union Ver.di has called for a one-day airport worker walkout lasting all day tomorrow, February 17th. Travelers have been warned to avoid air travel throughout Germany tomorrow, as the walkouts will likely cause massive disruptions at airports across the country. Due to the strikes, Lufthansa has canceled all flights out of Frankfurt and Munich tomorrow, leading to widespread trouble and rebookings for passengers.
DUS is the only airport affected by the website outage that is on the list of airports where a walkout is planned. However, the massive number of flight disruptions that the strike will likely cause will start a domino effect, affecting nearly all German Airports. This will lead to flight disruptions throughout the country and many neighboring countries for the next several days. This coming storm will only be fueled by the website outages.
Not the only IT issue: The airports affected by the website outages are not the first victims of technological failures this week. On February 15th, Lufthansa Group's operations were severely affected by an IT failure. The failure led to disruptions across all of the group's airlines. The disruptions caused Frankfurt Airport (FRA) to be closed to all arrivals. This forced hundreds of flights and thousands of passengers to change their travel plans. With all the flight disruptions and anticipated disruptions, the German air transit industry is moving towards what looks to be an unforgettable weekend.
Russia & Ukraine are Frozen - Cyber operations play a prominent role in Russia's war against Ukraine; attacks on Ukraine and NATO countries are carried out by five hacker groups linked to the Russian government, some of which cooperate with the Main Intelligence Directorate (GRU) and the Federal Security Service (FSB).
Source: the report "Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape", based on analysis by Google's Threat Analysis Group (TAG), Mandiant and Google's Trust & Safety team, as analysed and reported by Radio Liberty. Details: the Ukrainian government is under ceaseless cyberattack, say Google experts.
Russian government-backed hackers stepped up cyber operations starting in 2021, just before Russia's invasion of Ukraine.[3] In 2022, Russia increased its targeting of users in Ukraine by 250% compared to 2020, and its targeting of users in NATO countries by over 300%.
Among the hacker groups that organize cyber-attacks on Ukrainian and NATO institutions are FrozenLake, Coldriver, Summit, FrozenBarents and FrozenVista.
Experts name phishing as one of the main strategies of these hacker groups. Most often, hackers attack Gmail, as well as the mail services of various government institutions: the Ministry of Defence, the Ministry of Foreign Affairs, and others.
In particular, the FrozenBarents group, according to the Google threat analysis group, is connected to the GRU and the Russian army, and is engaged in espionage, disinformation, and destruction of information systems. The targets of the group's attacks include Ukrainian infrastructure that was hit in 2015 and 2016, NATO countries, Georgia, and South Korea. One of the targets of the FrozenBarents cyberattacks was the Turkish drone manufacturer Bayraktar. The Summit group, according to experts, is connected to the FSB. They are engaged in espionage. The targets of the hackers were mainly the security forces of NATO countries.
In July 2022, the Summit group disguised malware as an application downloadable from a domain imitating the website of the Azov Regiment. Google's report also highlights the Belarusian group Pushcha, which engages in espionage and conducts information campaigns. In 2021, the group ran the Ghostwriter campaign, distributing pro-Russian publications by hacking news sites and placing fake articles there.
[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-catb-ransomware/
[2] https://www.reuters.com/technology/websites-several-german-airports-down-focus-news-outlet-2023-02-16/
[3] https://news.yahoo.com/cyber-attacks-ukraine-nato-carried-154925774.html