Activity Summary - Week Ending on 9 March 2023:

  • Red Sky Alliance identified 8,782 connections from new IPs checking in with our Sinkholes
  • com.ua in Ukraine hit 465x
  • Analysts identified 577 ‘new’ IP addresses participating in various Botnets
  • 90 Days in Sinkhole Traffic
  • MyDoom
  • WH Smith
  • City of Oakland CA
  • Play Ransomware

Red Sky Alliance Compromised (C2) IPs

IP               Contacts
194.38.23.10     48
62.182.80.34     38
77.88.5.130      14
62.204.41.199    8
91.108.34.30     5

194.38.23.10 was reported 465 times. Confidence of Abuse: 100%. ISP: LLC SmartMediaNetwork; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): free.ntup.net; Domain Name: smartmedianetwork.com.ua; Country: Ukraine; City: Dnipro, Dnipropetrovska oblast. https://www.abuseipdb.com/check/194.38.23.10

On 9 March 2023, Red Sky Alliance identified 6,270 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants; Shiz follows.

Red Sky Alliance Malware Activity

Malware Variant    Times Seen
sality             5717
corkow             285
shiz               106
sykipot            67
maudi              37

For a full blacklist, contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 22 February 2023, analysts identified 557 new IP addresses participating in various botnets (call for full .csv blacklists; below is only a small sampling of botnet trackers). We are currently upgrading this collection.

First Seen             Botnet Attribution     Infected Host's IPv4 Address
2023-02-17T11:00:25    HTTP proxy|port:443    4.16.68.158
2023-02-17T22:20:46    HTTP proxy|port:3128   5.255.99.247
2023-02-17T18:30:47    HTTP proxy|port:3128   5.255.99.249
2023-02-17T18:30:51    HTTP proxy|port:3128   5.255.99.251
2023-02-17T18:50:49    HTTP proxy|port:3128   5.255.99.252

Red Sky Alliance Sinkhole Data Set / Last 90 Days

Sinkhole Traffic – Red Sky Alliance runs a proprietary sinkhole and collects numerous indicators from known former malicious domains. This data is not available from any other source. Between 7 December 2022 and 7 March 2023, our collections captured 290,507 hits. It appears to be quiet so far in March.

MALICIOUS CYBER TRENDS:

MyDoom - Art, automobiles, and wine are often associated with things that appreciate in value as they age. Malware isn’t usually thought of this way, as most threat actors strive to keep their tools as current as possible with new lures and exploitation techniques.  However, every once in a while, a campaign appears that turns this paradigm on its head. FortiGuard Labs came across one such recent campaign using the MyDoom worm.  MyDoom (also known as Novarg and Mimail) was first discovered back in 2004. And while it has seen some updates and modifications since its introduction, it is an anachronism in the malware world that continues to operate well beyond expectations.

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium

Typical phishing e-mail - The typical MyDoom phishing e-mail contains subjects referencing a delivery error or testing. Email headers contain a rejection reason and a custom “Content-Type”. There is also an attachment that may or may not be zipped. This attachment (unless zipped) is the MyDoom executable.[1]

Figure 1.  Typical MyDoom phishing e-mail.

FortiGuard Labs encountered the following message subjects in our recent investigation:

  • Click me baby, one more time
  • RETURNED MAIL: SEE TRANSCRIPT FOR DETAILS
  • Isnydosj anhr
  • ayownizdiitis
  • Delivery failed
  • Test
  • Delivery reports about your e-mail
  • Status
  • Returned mail: Data format error
  • RETURNED MAIL: DATA FORMAT ERROR
  • Returned mail: see transcript for details
  • Mail System Error - Returned Mail

The following attachment names were also found to be used repeatedly:

  • zip
  • zip
  • zip
  • zip
  • .zip
  • zip
  • scr
  • com
  • scr
  • zip
  • cmd
  • <random number>@7686f6a96.com
  • zip
  • scr

Typical attachment - The MyDoom executables attached to its phishing e-mails carry extensions (.cmd, .scr, .com, etc.) that most Windows deployments hide by default. This increases the chances that users won't identify the attachment as malicious.

Figure 2.  MyDoom executable with hidden file extension.

Despite the extension, the file is a 32-bit Windows executable packed with UPX (Ultimate Packer for Executables, https://en.wikipedia.org/wiki/UPX), which compresses it and makes it more difficult to analyze.

Figure 3.  A tell-tale sign that an executable has been packed with UPX – a renamed PE header.

With that being said, UPX has been around for quite some time. When used without modification, it is quite easy to decompress the original executable using the tool itself.

Figure 4.  Decompressing the MyDoom executable using the UPX utility.
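The renamed PE header in Figure 3 is the usual first clue that a sample is UPX-packed: stock UPX names its sections UPX0/UPX1 and leaves a "UPX!" marker in the file. The following Python is an added example (not FortiGuard's or Red Sky Alliance's code) that walks the DOS header, PE signature, COFF header and section table by hand and reports those indicators. It builds a synthetic, non-executable PE image in memory so it runs offline; the section-name and magic-string conventions are assumptions about default UPX builds, and a repacked or renamed build can defeat them, so treat the verdict as a triage heuristic, not proof.

```python
import struct

# Default UPX section-name prefix and magic string (assumed convention for stock
# UPX builds; modified packers can rename both, so this is only a heuristic).
UPX_SECTION_PREFIX = "UPX"
UPX_MAGIC = b"UPX!"


def build_minimal_pe(section_names, size_of_optional_header=224):
    """Construct a synthetic, non-runnable PE image with the given section names.
    It exists only to exercise the parser offline; it is not MyDoom or any real binary."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)            # 0x3C bytes of DOS header
    dos += struct.pack("<I", e_lfanew)                   # e_lfanew lives at offset 0x3C
    dos += b"\x00" * (e_lfanew - len(dos))               # pad up to the PE signature
    coff = struct.pack("<HHIIIHH",
                       0x14C,                  # Machine: i386 (32-bit, like the sample)
                       len(section_names),     # NumberOfSections
                       0, 0, 0,                # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
                       size_of_optional_header,
                       0x0102)                 # Characteristics: executable image, 32-bit
    optional = b"\x0b\x01" + b"\x00" * (size_of_optional_header - 2)   # PE32 magic 0x10B
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI",
                    name.encode("ascii").ljust(8, b"\x00"),   # Name (8 bytes, NUL padded)
                    0x1000, 0x1000 * (i + 1),                 # VirtualSize, VirtualAddress
                    0x200, 0x400 * (i + 1),                   # SizeOfRawData, PointerToRawData
                    0, 0, 0, 0,                               # relocation/line-number fields
                    0x60000020)                               # code | execute | read
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\x00\x00" + coff + optional + sections


def pe_section_names(data):
    """Follow DOS header -> PE signature -> COFF header -> section table; return section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)    # COFF.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)       # COFF.SizeOfOptionalHeader
    table = e_lfanew + 4 + 20 + opt_size     # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # each section header is 40 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def upx_indicators(data):
    """Return (verdict, section_names): verdict is True when any section name starts
    with the UPX prefix or the 'UPX!' magic string appears anywhere in the file."""
    names = pe_section_names(data)
    by_section = any(name.startswith(UPX_SECTION_PREFIX) for name in names)
    by_magic = UPX_MAGIC in data
    return (by_section or by_magic), names


if __name__ == "__main__":
    samples = (("packed", ["UPX0", "UPX1", ".rsrc"]), ("plain", [".text", ".data", ".rsrc"]))
    for label, secs in samples:
        verdict, names = upx_indicators(build_minimal_pe(secs))
        print(f"{label}: upx={verdict} sections={names}")
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `upx_indicators`. A positive result is a reason to try `upx -d` on a copy in an isolated analysis VM, as Figure 4 shows; a negative result only means stock UPX markers are absent, not that the file is unpacked.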

MyDoom Unpacked - The packer decompresses and executes the actual MyDoom code. Upon execution, it attempts to alter the Windows firewall settings.

Figure 5.  Rundll32.exe shown executing the firewall control applet.

A user logged on to the system would see a request to grant access for the executable to communicate out through the Firewall.

Figure 6.  Windows firewall request made by MyDoom.

MyDoom next makes a copy of itself, places it in the “Temp” folder (C:\Users\<user>\AppData\Local\Temp), and changes the name to a known Windows application/process. In this case, it used “lsass.exe”.

Figure 7.  Attempt by MyDoom to create a copy of itself.

It also creates a file full of garbage text that is not referenced again once created.

Figure 8.  Garbage text file creation.

MyDoom communicates over port 1042 to both send and receive.

Figure 9.  MyDoom with local port 1042 open to listen.

It rotates through a number of possible C2 domains in an attempt to locate an active one.  As part of the legacy of spreading through file-sharing utilities, MyDoom also litters the “C:\Program Files\Common Files\Microsoft Shared” folder with multiple versions of itself.  It renames itself as some now very old and obsolete applications (e.g., Kazaa Lite) with a random name or phrase attached.

Figure 10.  Additional copies of MyDoom throughout the “Microsoft Shared” directory.

Application names include:

  • Kazaa Lite
  • Harry Potter
  • ICQ 4 Lite
  • v.3.2
  • Winamp 5.0 (en) Crack
  • Winamp 5.0 (en)

Conclusion - Despite its advanced age, fresh MyDoom infections are still occurring in the wild, along with corresponding phishing events. This goes to show that older malware can still be dangerous regardless of its age.

IOCs - File-based IOCs:

Filename               SHA256
9ed08@7686f6a96.com    5a6c1929f55baff2e786336c07f02c5d13194ff765073dcdfcae1b0cb53da5bc
5713a@7686f6a96.com    1b1e2421dc3d96a8b9dd58d9cc74730c966250df7c33a1e0df50d983e674b7bc
atpysig.exe            6223e126a65ba888182d3369adacc7268bd78555f0426653f5b5dd963d4c31a4
attachment.doc.scr     ad37758c362a38a8718837ece40ed5699e40de11ed58a586c2a6a6d8bb5251bf
attachment.scr         9fc0179c7407476ced89b6124fa52f10d178f3a07e3d50c860b1ced98fb77541
attachment.doc.scr     ad37758c362a38a8718837ece40ed5699e40de11ed58a586c2a6a6d8bb5251bf
ATTACHMENT.SCR         1302161ca791b3fc01188582a075bbfcfeb5f28715ad527be0fe625ec452b1eb
attachment.scr         9fc0179c7407476ced89b6124fa52f10d178f3a07e3d50c860b1ced98fb77541
ATTACHMENT.SCR         1302161ca791b3fc01188582a075bbfcfeb5f28715ad527be0fe625ec452b1eb
document.doc           31fd079696a071a48fd4a66588adb22e36dd96028792fb416bcee0f099d6e5cb
document.doc           5e99396cf134fea102470525d5105afb697b9131d891990e2dc8c9e5e34f8165
file.htm.scr           009ac15d56c3a5149f10c833b5cc191eede4d33485cab7bc3dd94675a462608c
golfasian.com          9fcf4b0e00d20060274861b41b2c13b68dfedbd2ac0012436b13960b2a570d4f
golfasian.com          34d9e11e71fe18f9eb290461714826e1069a129d44db25c6c4fe581f883cbc07
golfasian.com          6155f0562adfaa75cf46f674cf094d3f23c27b38c8009b6982f48ca4e77c95b1
golfasian.com          92018aff6737899f94aed2461b6e4182383b6677be2e8d4f82098265d74fb913
html.pif               eba7ec36cb9cc3c3677f5325ee9f755fefe885235849aede61a0b130a9f6255b
html.pif               d438e3ec7bd0fa4b231a6a1704d89f117d3b6b6ba342915b4d095027d0fe4c90
john2@golfasian.com    a966f61a86dae4737f99d5b7668b0fcab3124125d2030faa08855ae12c9525ee
letter.exe             48c70041def3bf288f7f85ee96eb59a2f7d965963a66e0c86fb3c88b3e079386
letter.scr             2ddc70753893167b7b5d15c1e3cf6f22b6d8a0ee8a4aaea93c40655608f6fc75
mail.html              20b372391f4d0fd9e4f69fc950456b557fab27f7bbbdeede36cff404e35614aa
message.bat            7b596caceaf2e8a139c01eaf67e5e52ff3247ca6d20112ea9ce59a02a1a5bb7d
message.scr            2744c29d98a144fabda0ac75264235cd82b798f3bd5a56fab2ad28ec218b94c8
Message.scr            eb5bfbb3be5300c1231a8ece93d239b7a02a4f308d7efe85d604f06d3aca57ad
readme.scr             8d4dcf463e7a69cd1b3039779d9d36c8a4669444b30d3261f876b7720bdb6752
text.cmd               5cb5efc8e0be0bf32eb73fbdaebedacf70cba946f5dfaea7166dcd0f4ca5989f
tracy@golfasian.com    c12e27b30706dd1d11e5822285e209a187724148a682d178f1e2bc3f8d670ea7
transcript.htm.pif     2ddc70753893167b7b5d15c1e3cf6f22b6d8a0ee8a4aaea93c40655608f6fc75
transcript.txt         6bbcc015c5a72b03601f8087c57024a7e74975dfb567b867c3404958e4239c9c
txt.pif                d599d4343fe3d831bcad8ea7305f050608a182f99636ea9e87c9400d19fae043
txt.scr                f5dc449255319cebd38ce255060a8019e0f5697de8ac31353c7d067d9e1218e6
document.zip           11a86a2388c501773b52ae79ee1f7504caca6c25d835d40b8afc9ebe29c7a26d
.zip                   942ef9da07de7d70c2efcfc20e375e6919a521d44ddabf9369042aea1553f712
message.zip            10502c24bb63af929da22ec306f44f9e557b4e3bbf588afd1a7f190aa9840938
letter.zip             21ee754775ca9f76b2d18d0b87722ffa0c9ab0f676e4aa6ac4881dff580087ac
.zip                   505b177a6c24c69a9fda1e78db7421fad4893d7c07e3cea91897decfbc4510be
message.zip            ad29b1c0423a878758a444ad6bf38aa2ad276a98f0ca552b475d890db631f48b
file.zip               113db96ddc72fb3300e981c7691cd202d3d0a5b097e84cd41eee6a54d868bf31
transcript.zip         3df99ae8f2083419fd030c42ca6729b6e5319df6aca1204d7081ce6ea91c69da
transcript.zip         04123ec908c4a60282fa35fed76a377b22a49b6f9bfaf5a81121fd7204b4b83d
.zip                   4864f84ea0f6939751310a2cca43e71a57171f37679cb7853d29a083b1617a09
.zip                   35bb66f1cc9e820ef50c22d0abb0f5f7ba8724bebb4a5a795e68790943742928
.zip                   9bf413a9d9b3b17767f0a93450f834947475765b2fd1ecccaa943f8ce9d58082
document.zip           9a2f837a8adb16632ce4ec3c8b02037a4e96e66e6737ef1169afb2e48e46aa6a
letter.zip             bfaf49a691792a29024a75119a9841caacefb306494ca011a42b46c12ca65895
.zip                   59ad199d81590be7b83768227fe3a79b115f6c978b8715864ae0e22e5d324e36
mail.zip               ecda9c446dd6aa0018cd5fc9c99ba846484f8d2a81d7f97167d89b890e4d5c1a
attachment.zip         e745cc1ae5a89a9f2b4b0eabbac342520703b03f68dafeb6d29194fe19e899e9
attachment.zip         1f442b9ff3c9225e3eaa9c74d16b3a74117bb66e1d372ca15b6154d386a93e57


Network-Based IOCs:

IOC                     IOC type
15.244.197.9:1042       Attempted C2 Connection
141.240.203.6:1042      Attempted C2 Connection
16.115.197.163:1042     Attempted C2 Connection
67.120.102.206:1042     Attempted C2 Connection
220.234.104.158:1042    Attempted C2 Connection
166.77.123.68:1042      Attempted C2 Connection
198.89.160.22:1042      Attempted C2 Connection
15.98.11.12:1042        Attempted C2 Connection
67.121.94.10:1042       Attempted C2 Connection
15.24.69.27:1042        Attempted C2 Connection
129.204.109.121:1042    Attempted C2 Connection
70.241.87.215:1042      Attempted C2 Connection
16.80.195.68:1042       Attempted C2 Connection
15.9.79.129:1042        Attempted C2 Connection
15.14.59.199:1042       Attempted C2 Connection
216.114.194.30:1042     Attempted C2 Connection
15.228.15.126:1042      Attempted C2 Connection
16.100.121.101:1042     Attempted C2 Connection
15.63.9.76:1042         Attempted C2 Connection
65.6.113.38:1042        Attempted C2 Connection
141.240.211.237:1042    Attempted C2 Connection
16.83.199.36:1042       Attempted C2 Connection
66.248.57.65:1042       Attempted C2 Connection
15.59.127.133:1042      Attempted C2 Connection
16.150.138.126:1042     Attempted C2 Connection
141.154.253.115:1042    Attempted C2 Connection
66.43.244.133:1042      Attempted C2 Connection
68.158.45.83:1042       Attempted C2 Connection
152.16.43.135:1042      Attempted C2 Connection
129.81.101.242:1042     Attempted C2 Connection
16.102.137.19:1042      Attempted C2 Connection
16.102.153.27:1042      Attempted C2 Connection
67.171.253.156:1042     Attempted C2 Connection
15.75.188.252:1042      Attempted C2 Connection
216.128.188.41:1042     Attempted C2 Connection
16.126.107.216:1042     Attempted C2 Connection
16.125.202.53:1042      Attempted C2 Connection
162.28.185.188:1042     Attempted C2 Connection
195.75.252.98:1042      Attempted C2 Connection
68.223.45.7:1042        Attempted C2 Connection
24.148.141.102:1042     Attempted C2 Connection
141.240.190.28:1042     Attempted C2 Connection
129.243.132.29:1042     Attempted C2 Connection
148.193.135.228:1042    Attempted C2 Connection
24.190.210.189:1042     Attempted C2 Connection
12.166.196.8:1042       Attempted C2 Connection
15.228.161.161:1042     Attempted C2 Connection
220.234.104.158:1042    Attempted C2 Connection
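The MyDoom write-up gives a defender four things to look for: the sample's SHA256 hashes, the ip:port C2 endpoints above, outbound traffic on port 1042 generally, and a copy of the worm running as "lsass.exe" from the user's Temp folder. The Python below is an added example (not Red Sky Alliance's or FortiGuard's tooling) that turns those into rules and runs them over a handful of constructed event lines. The key=value log layout is an assumption chosen for brevity rather than Sysmon's real schema; the hashes and the three C2 endpoints are copied from the tables above, while the user names, the 203.0.113.10 and 198.51.100.7 addresses and the all-zero hash are made up. The same loader works for the sinkhole C2 list at the top of this report: add those addresses to NETWORK_IOCS.

```python
import ntpath
import re
from collections import namedtuple

# Subset of the report's IOC tables, copied from the page (the only real indicators here).
FILE_IOCS = {
    "ad37758c362a38a8718837ece40ed5699e40de11ed58a586c2a6a6d8bb5251bf": "attachment.doc.scr",
    "9fc0179c7407476ced89b6124fa52f10d178f3a07e3d50c860b1ced98fb77541": "attachment.scr",
    "11a86a2388c501773b52ae79ee1f7504caca6c25d835d40b8afc9ebe29c7a26d": "document.zip",
}
NETWORK_IOCS = {"15.244.197.9:1042", "141.240.203.6:1042", "220.234.104.158:1042"}
C2_PORT = "1042"                          # port the report says MyDoom sends and listens on
MASQUERADE_NAMES = {"lsass.exe"}          # system process name the sample copied itself as
LEGIT_LSASS_DIR = r"c:\windows\system32"  # the only directory the genuine lsass.exe runs from

Alert = namedtuple("Alert", "rule line")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed key=value event lines in a simplified Sysmon-like layout (assumed format,
# not real telemetry). User names, 203.0.113.10, 198.51.100.7 and the zero hash are made up.
SAMPLE_LOGS = [
    "event=NetworkConnect image=C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.exe dst=15.244.197.9 dport=1042",
    "event=NetworkConnect image=C:\\Windows\\System32\\svchost.exe dst=203.0.113.10 dport=443",
    "event=ProcessCreate image=C:\\Users\\alice\\AppData\\Local\\Temp\\lsass.exe sha256=ad37758c362a38a8718837ece40ed5699e40de11ed58a586c2a6a6d8bb5251bf",
    "event=ProcessCreate image=C:\\Windows\\System32\\lsass.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
    "event=NetworkConnect image=C:\\Users\\bob\\Downloads\\tool.exe dst=198.51.100.7 dport=1042",
]


def parse_line(line):
    """Split one key=value line into a dict; values contain no spaces in this layout."""
    return dict(KV_RE.findall(line))


def evaluate(line):
    """Apply the four MyDoom-derived rules to one event; return the alerts it raises."""
    fields = parse_line(line)
    alerts = []
    image = fields.get("image", "")
    # Rule 1: a system-process name (lsass.exe) running outside System32, as the worm
    # does from the user's Temp folder. ntpath parses Windows paths on any host OS.
    if (ntpath.basename(image).lower() in MASQUERADE_NAMES
            and ntpath.dirname(image).lower() != LEGIT_LSASS_DIR):
        alerts.append(Alert("masquerade_system_process", line))
    # Rule 2: exact match against the file-based IOC hashes.
    if fields.get("sha256", "").lower() in FILE_IOCS:
        alerts.append(Alert("known_mydoom_hash", line))
    if fields.get("event") == "NetworkConnect":
        endpoint = f"{fields.get('dst')}:{fields.get('dport')}"
        # Rule 3: exact match against a listed C2 endpoint.
        if endpoint in NETWORK_IOCS:
            alerts.append(Alert("known_c2_endpoint", line))
        # Rule 4: outbound on MyDoom's port to an unlisted host. Lower confidence, but
        # worth keeping: the worm rotates C2s and no report's list is ever complete.
        elif fields.get("dport") == C2_PORT:
            alerts.append(Alert("unlisted_host_on_c2_port", line))
    return alerts


def scan(lines):
    """Run evaluate() over every line and return the flattened alert list."""
    return [alert for line in lines for alert in evaluate(line)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"[{alert.rule}] {alert.line}")
```

Run against the sample lines, the Temp-folder lsass.exe trips both the masquerade rule and the C2 or hash rule, the genuine System32 lsass.exe and the HTTPS connection stay quiet, and the unlisted host on port 1042 surfaces as a lower-confidence lead. Port 1042 is also a legitimate ephemeral-range port, so rule 4 is best used to enrich rather than to page on its own.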


GLOBAL TRENDS:

UK – Britain’s high-street retailer WH Smith was hit with its second cyber-attack in the space of a year last week, becoming the latest high-profile UK business to be hacked in recent months.  The retailer, which operates over 1700 locations across the UK, confirmed in a statement that it had suffered an online data breach, exposing personal information to cybercriminals who gained access to its systems.  "WH Smith PLC has been the target of a cyber security incident which has resulted in illegal access to some company data, including current and former employee data," reads the company's cybersecurity notice, filed with London's Stock Exchange.  The books and stationery chain employs over 12,500 people, reporting a revenue of $1.67 billion in 2022.

However, WH Smith claimed that customer data was not affected because the information was stored on separate systems that remained protected from unauthorized access.  "The breach will not impact trading business or customers," noted WH Smith.[2]

The latest incident serves as a reminder that no business is safe, according to the Director of the SANS Institute for Cyber-Security.  He said, "As another well-known name falls victim to a cyberattack, both new and established businesses must act now to protect their systems - everyone has a role to play in digital fortification."

Spain - A ransomware cyber-attack has targeted one of Barcelona’s leading hospitals, shutting down its computer system and forcing the cancellation of 150 non-urgent operations and up to 3000 patient checkups.  Reported earlier this week on Twitter, the attack against Hospital Clinic de Barcelona occurred on 5 March.  At the time, the institution said it was working to determine the scope of the leak and restore systems.  A few hours after first reporting the incident, Hospital Clinic published a new post, saying 10% of visits for external consultations would be restored by today, alongside some non-urgent operations.[3]  “We have recovered 10% of consultation activity and part of elective surgery,” the hospital confirmed.  “Patients able to be visited will receive a call to confirm their booking.  Rescheduled visits will be announced soon.”

A Catalonia government statement (in Catalan) further explained the region’s cybersecurity agency was working to restore the hospital’s systems.  The attack was attributed to the threat actors known as RansomHouse.  According to the CISO of security company SafeBreach, despite the few details about the attack, some information can be deduced from what was said by the Catalonian Cybersecurity Agency.  “This was a remote access attack – the spokesperson for the hospital [stated] the attack originated outside of Spain. This means that the malicious actors could breach the hospital network remotely,” he explained.  “The malicious actors were able to spread laterally, considering that multiple locations were shut down (laboratories, emergency rooms, pharmacies and several external clinics).  This suggests that the hospital’s networks were not properly segmented and segregated from each other.”

The security expert also discussed the alleged attribution of the attack, clarifying that RansomHouse typically does not encrypt the data but instead focuses on data exfiltration.  “This indicates that shutting down the computers was done to prevent further data exfiltration.  This also suggests that Hospital Clinic de Barcelona does not have good egress security controls to prevent data leakage,” SafeBreach added.  “This conjecture is further supported by the fact that the hospital seems to indicate that it will not pay the ransom, leading me to believe that it still has access to all its data.”

The attack against Hospital Clinic comes months after the RansomHouse threat actor claimed a separate attack against Colombian healthcare provider Keralty.

US, Oakland CA - An unauthorized third party has released stolen files from the City of Oakland's computer network, the latest development in a ransomware attack that the city has struggled to contain for nearly a month.  A spokesperson for the city said Oakland was working with third-party specialists and law enforcement to determine the contents of the released files.  If the files are found to contain personal information, the involved individuals will be notified.  Oakland said in a statement to media that it is currently working with the FBI and the state's Office of Emergency Services to investigate the attack.[4]

Late Friday, for the first time the city revealed the identity of the organization responsible for the ransomware demand: a "threat actor group" called Play.  According to IT management company Avertium, Play launched in June 2022 and has been previously responsible for ransomware attacks on Argentina's Judiciary of Cordoba and the German hotel chain H-Hotels.  It is unclear why the group targeted Oakland, California.

An internal email sent by the interim city administrator encouraged city employees to "follow best practices when it comes to protecting your information by remaining vigilant against incidents of identity theft and fraud.  It would be prudent to regularly review your financial accounts such as credit card accounts, checking and saving accounts," the Oakland email said.  "If you notice any suspicious or unauthorized charges or withdrawals, contact your financial institution immediately.  The privacy and security of the data entrusted to us is of the utmost importance to us," it continued.  "We take seriously our responsibility to safeguard this information and continue working with cybersecurity experts to further enhance the security of our systems."

The president of the police union said that the city has not specified what files were taken, but he is assuming that all personal files for city employees and anyone affiliated with the city could be at risk.  "You have to assume the worst and hope for the best," he said.

The ransomware attack, which occurred on 8 February, has disrupted the city's ability to process parking tickets and business licenses.  Parking citation payments must still be made online.  Cashier booths and cashiers still cannot make phone calls to process parking tickets (7 March).

In mid-February, the City Council declared a state of emergency over the cyber-attack.  The city has not released details on why they're calling it ransomware and whether, or how much, Oakland may have paid to the attackers.  It is unclear when the city's systems will be fully restored.  The city said in a 7 March update that the 311 phone system was back up and running after being impacted during the storms last week.

Play - Who is Play Ransomware?  On 22 June 2022, in the BleepingComputer forum, someone wrote that his files were encrypted with the extension “Play.”  Afterward, Trend Micro published an analysis article about the new ransomware variant, Play Ransomware.  The main target of Play Ransomware is the Latin American region, and Brazil is at the top of the list.  Even though they seem like a new ransomware group, their identified TTPs resemble those of the Hive and Nokoyawa ransomware families.  One of the behaviors that makes them look similar is their use of AdFind, a command-line query tool capable of collecting information from Active Directory.[5]

Figure 11. Play Ransomware infection chain.

[1] https://www.fortinet.com/blog/threat-research/just-because-its-old-doesnt-mean-you-throw-it-away-including-malware/

[2] https://www.ibtimes.co.uk/wh-smith-now-among-latest-victims-new-wave-cyber-attacks-1713792

[3] https://www.infosecurity-magazine.com/news/ransomhouse-target-barcelona/

[4] https://www.govtech.com/security/authorities-investigate-data-released-in-oakland-cyber-attack

[5] https://socradar.io/dark-web-profile-play-ransomware/
