Intel Reports

Activity Summary - Week Ending on 16 March 2023:

• Red Sky Alliance identified 25,528 connections from new IP’s checking in with our Sinkholes
• DigitalOcean in Singapore hit 141x
• Analysts identified 7,498 ‘new’ IP addresses participating in various Botnets
• 90 Days of Source Code Secrets
• ScrubCrypt
• Dark Pink
• MS Patch updates
• Germany - ChipMixer

Red Sky Alliance Compromised (C2) IP’s  

On 15 March 2023, Red Sky Alliance identified 25,528 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains. 

 Red Sky Alliance Malware Activity  

For a full black list – contact analysts: info@redskyalliance.com

Red Sky Alliance Botnet Tracker

On 15 March 2023, analysts identified 7,498 new IP addresses participating in various botnets (call for full .csv Blacklists, below are only a small sampling of botnet trackers).  We are currently upgrading this collection.

Red Sky Alliance Source Code Secrets / Last 90 Days

Red Sky analysts collect authentication keys, usernames and passwords, and API keys from open sources where users may have failed to properly configure they're GitHub, GitLab, or Bitbucket repositories.   Below is an example of our collection in the last 90 days. 

MALICIOUS CYBER TRENDS:

ScrubCrypt:  New Cryper (Fortinet Research)

Affected platforms:        Windows
Impacted parties:           Any Organization
Impact:                              Cryptojacks Vulnerable Systems
Severity level:                  Critical

Between January and February 2023, FortiGuard Labs observed a payload targeting an exploitable Oracle Weblogic Server in a specific URI. This payload extracts ScrubCrypt, which obfuscates and encrypts applications and makes them able to dodge security programs.  It already has an updated version, and the seller’s webpage (Figure 1) guarantees that it can bypass Windows Defender and provide anti-debug and some bypass functions.  Analysts analyzed the malware injected into a victim’s system and, as part of our analysis, identified the threat actor as 8220 Gang using collected indicators.  This mining group first appeared in 2017. The name “8220” comes from its original use of port 8220 for network communications.[1]

In this article, we will elaborate on the details of ScrubCrypt and other malware delivered by this crypter in the past.

Figure 1: ScrubCrypt for sale on the Web

Initial access - Based on Fortinet observations over the past two months, these attacks originate from 163[.]123[.]142[.]210 and 185[.]17[.]0[.]19. The attackers have targeted an HTTP URI, “wls-wsat/CoordinatorPortType,” which belongs to an Oracle Weblogic server. The corresponding traffic capture is shown in Figure 2.

Figure 2: Attacking traffic capture.

The attack attempts to download a PowerShell named “bypass.ps1”. The partial PowerShell script, “bypass.ps1,” shown in Figure 3, has had its main code and strings encoded to make it harder to be detected by AntiVirus solutions. After three rounds of adding constants, reversing, and Based64 decoding, we finally uncovered clear text.  The first variable, “$c”, contains ScrubCrypt.  The detail of this variable will be discussed in the next section.  The rest of the variables, from “$d” to “$f”, are for AMSI and ETW evasion, which is executed by “iex” at the end of the attack.

Figure 3: Partial code of “bypass.ps1”

After decoding “$c”, researchers found the script for the next step, shown in Figure 4.  It has another Base64-encoded code saved in the victim’s temp folder with the filename “OracleUpdate.bat” to masquerade as a normal system file.  Once the fake “update” file is decoded and saved, it executes with the Windows style “hidden” to silently load ScrubCrypt.

Figure 4: Code to create “OracleUpdate.bat”

Technical analysis – the ScrubCrypt .BAT file:  ScrubCrypt is a crypter used to secure applications with a unique BAT packing method. The batch file is shown in Figure 5.  The encrypted data at the top can be split into four parts using backslash “\”.  The final two parts are the key and iv for AES CBC decryption.  After Base64 decode, AES decryption, and unzip, we can finally see the code.  The organized code in Figure 6 is a typical .NET Reflective Injection.  In the last two lines of the code, the variable “$BmoFi” disables Event Tracing for Windows (ETW) by patching the EtwEventWrite function with 0xC3 (ret), and “$BbIpF” is used to invoke a .NET named “ScrubCrypt” for the final payload, shown in Figure 7.

Figure 5: Batch file of ScrubCrypt.

Figure 6: Organized Code

Figure 7: .NET code of ScrubCrypt

Technical analysis – the ScrubCrypt .NET file: The .NET code first modifies the extension as null, checks to see if a debugger is attached, and checks the system’s operating system version to decide whether or not to proceed.  It then gets the process ID to establish a melting file (self-delete) after execution, shown in Figure 8.

Figure 8 PowerShell for self-delete

Then, it determines whether the current user belongs to the Windows user group “BUILTIN\Administrators” (RID: 0x220).  If the user is not in that specific group, it decodes the “UAC” data from the “Resources” section and saves it to “C:\Windows\system32\perfmon.exe”.  The DLL file is shown in Figure 9. It is used to retrieve username information from the compromised endpoint.  It then decodes the PowerShell command: “cmd /c timeout /t 3 /nobreak & “C:\Windows\System32\perfmon.exe”” to pause the command processor for three seconds, ignore any keystrokes, and execute the DLL.

Figure 9 DLL file for retrieving username.

Next, it enumerates the driver in the system to bypass scans from Windows Defender using the command in Figure 10.

Figure 10 Modifying settings for Windows Defender

For persistence, it grabs registry values from “Run” and “RunOnce” to determine if this .NET file is already set.  If not, it saves the .NET file to a “Roaming” folder named “BSLkE.bat” and adds a registry value to run a VBS file with the content shown in Figure 11.

Figure 11 Addition to the registry for persistence

Finally, it decodes data “P” from the “Resources” section using the XOR key in Figure 12 and unzips it.  Then it loads the decoded data named “miner” in memory and invokes the payload, as shown in Figure 13.

Figure 12 XOR key used to decode the final payload.

Figure 13 Final payload in memory.

Technical analysis – final payload:  Analysts  collected several ScrubCrypt samples in February, and each payload is a little different.  On 2/14, ScrubCrypt loads “miner” and invokes the process “explorer.exe” to start the miner process to server 45[.]142[.]122[.]11:8080, shown in Figures 14 and 15.  This IP address and wallet were used for the 8220 Gang attack in January 2023.

Figure 14: Payload from ScrubCrypt on 2/14

Figure 15 Traffic capture from crypto miner on 2/14

On 2/15, ScrubCrypt extracted “bat”, which unzipped its array data and used “InvokeMember” to execute “Eoengmvsg.dll”, shown in Figure 16.  It decodes the three C2 servers and three port numbers shown in Figure 17.  

Figure 16: Payload from ScrubCrypt on 2/15

Figure 17 C2 Server and port number

Once that victim device receives the C2 server’s packets, it downloads another three files from 79[.]137[.]203[.]156, shown in Figure 18.  The first, “miner.bat”, is a ScrubCrypt BAT file.  The other two files are compressed PE files: “plugin_3.dll” and “plugin_4.dll” (Figure 19).  They exhibit behavior similar to that described in this previous article.

Figure 18 Downloaded files from 79[.]137[.]203[.]156

Figure 19 Decoded file "plugin_3.dll" and "plugin_4.dll"

On 2/16, ScrubCrypt loaded a module also named “bat’, as shown in Figure 20, but the data for its unzip is from its “Resources” section. It communicates with the same C2 server, and downloads two files from 163[.]123[.]142[.]210.  These files are also compressed PE files named “plugin_3.dll” and “plugin_4.dll”. They are identical to the files from 2/15 and start crypto miner activity using the same configuration, as shown in Figure 21.

Figure 20: Payload from ScrubCrypt on 2/16

Figure 21 Traffic capture from crypto miner on 2/16

The crypto wallet address:

46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ

and the server IP address used in Monero miner have all been used by the 8220 Gang in the past.  It’s why we believe the whole attack was launched by this threat actor, although the port number used is no longer 8220.

Conclusion:  8220 Gang is a well-known miner group that usually leverages public file-sharing websites and targets system vulnerabilities to infiltrate a victim’s environment.  Within a very short time, it has evolved to use a newer crypter variant, “ScrubCrypt.” Below is its complete attack chain. ScrubCrypt includes evasion and encryption functions, making it harder for anti-virus programs to detect 8220 Gang activity.  Users should be aware of this updated crypter and keep their systems patched.

Figure 22 The Attack Chain

GLOBAL TRENDS:   

Dark Pink - The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot.

Dark Pink, also called Saaiwc, was extensively profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information.[2]

The threat actor is suspected to be of Asia-Pacific origin and has been active since at least mid-2021, with an increased tempo observed in 2022.  "The latest attacks, which took place in February 2023, were almost identical to previous attacks," Dutch cybersecurity company EclecticIQ disclosed in a new report published last week.  "The main difference in the February campaign is that the malware's obfuscation routine has improved to better evade anti-malware measures."

The attacks play out in the form of social engineering lures that contain ISO image file attachments in email messages to deliver the malware.  The ISO image includes an executable (Winword.exe), a loader (MSVCR100.dll), and a decoy Microsoft Word document, the latter of which comes embedded with the KamiKakaBot payload.

The loader, for its part, is designed to load the KamiKakaBot malware by leveraging the DLL side-loading method to evade security protections and load it into the memory of the Winword.exe binary.  KamiKakaBot is primarily engineered to steal data stored in web browsers and execute remote code using Command Prompt (cmd.exe), while also embracing evasion techniques to blend in with victim environments and hinder detection.

Persistence on the compromised host is achieved by abusing the Winlogon Helper library to make malicious Windows Registry key modifications. The gathered data is subsequently exfiltrated to a Telegram bot as a ZIP archive.  "The use of legitimate web services as a command-and-control (C2) server, such as Telegram, remains the number one choice for different threat actors, ranging from regular cyber criminals to advanced persistent threat actors," the Amsterdam-based company said.  "The Dark Pink APT group is very likely a cyber espionage-motivated threat actor that specifically exploits relations between ASEAN and European nations to create phishing lures during the February 2023 campaign."

Patches Issued for Microsoft Products, 14 March  2023 - MS-ISAC ADVISORY NUMBER: 2023-030

DATE(S) ISSUED: 03/14/2023

OVERVIEW:  Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user.  Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:  Two zero-day vulnerabilities addressed in this advisory were reported by Microsoft; both have been seen in the wild.  The first zero day, CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Vulnerability, is a privilege elevation bug that allows specially crafted emails to force a target's device to connect to a remote URL and transmit the Windows account's Net-NTLMv2 hash, allowing an attacker to authenticate as the victim.  The second zero day, CVE-2023-24880 - Windows SmartScreen Security Feature Bypass Vulnerability, allows an attacker to distribute and install malware by crafting a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging.

SYSTEMS AFFECTED:  Azure Client Server Run-time Subsystem (CSRSS) Internet Control Message Protocol (ICMP) Microsoft Bluetooth Driver Microsoft Dynamics Microsoft Edge (Chromium-based) Microsoft Graphics Component Microsoft Office Excel Microsoft Office Outlook Microsoft Office SharePoint Microsoft OneDrive Microsoft PostScript Printer Driver Microsoft Printer Drivers Microsoft Windows Codecs Library Office for Android Remote Access Service Point-to-Point Tunneling Protocol Role: DNS Server Role: Windows Hyper-V Service Fabric Visual Studio Windows Accounts Control Windows Bluetooth Service Windows Central Resource Manager Windows Cryptographic Services Windows Defender Windows HTTP Protocol Stack Windows HTTP.sys Windows Internet Key Exchange (IKE) Protocol Windows Kernel Windows Partition Management Driver Windows Point-to-Point Protocol over Ethernet (PPPoE) Windows Remote Procedure Call Windows Remote Procedure Call Runtime Windows Resilient File System (ReFS) Windows Secure Channel Windows SmartScreen Windows TPM Windows Win32K

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.  A full list of all vulnerabilities can be found at this link:  https://msrc.microsoft.com/update-guide/

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:  MS-ISAC recommend the following actions be taken:

Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

• Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
• Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
• Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
• Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
• Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
• Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
• Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
• Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
• Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES: Bleeping Computer, https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-zero-day-exploited-in-ransomware-attacks/

Microsoft, https://msrc.microsoft.com/update-guide;  https://msrc.microsoft.com/update-guide/releaseNote/2023-Mar

Germany - European and US authorities have taken down a cryptocurrency mixing platform that facilitated rampant money laundering, and they arrested an alleged operator of the service.  On 15 March, Europol announced that German and US agencies seized four servers belonging to ChipMixer as well as approximately $46.5 million in Bitcoin.

The US Department of Justice (DOJ) also announced the arrest of Minh Quốc Nguyễn, 49, a Vietnamese man allegedly behind the platform, which it described in a statement as “a darknet cryptocurrency ‘mixing’ service responsible for laundering more than $3 billion worth of cryptocurrency” since 2017.  “This morning, working with partners at home and abroad, the Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe,” the Deputy Attorney General said in the DOJ release. The operation involved agencies in Germany, Poland, Belgium, Sweden and the US.  Cryptocurrency mixers are used to cover financial tracks by blending funds into a common pool so that their origins are difficult to follow. According to blockchain data firm Chainalysis, nearly a quarter of the $7.8 billion that went through a mixer in 2022 was for illicit purposes.

In May 2022, the Department of the Treasury’s Office of Foreign Assets Control sanctioned virtual currency mixer Blender.io and then in August targeted the mixer Tornado Cash.  The DOJ alleges that ChipMixer processed more than $700 million in stolen funds, including some from heists against cryptocurrency platforms Ronin Bridge and Horizon Bridge, which were allegedly perpetrated by North Korea’s Lazarus Group.  The mixer also attracted more than $200 million linked to purchases on darknet marketplaces, the DOJ said, and “more than $35 million in bitcoin associated either directly or through intermediaries with ‘fraud shops.’”

ChipMixer allegedly received bitcoin from the Russian Main Intelligence Directorate (GRU), as well as other Kremlin hacking groups, to make purchases related to the Drovorub malware, a Linux malware toolset publicly disclosed by the US government in 2020.  Authorities said Nguyen set up the platform in 2017 and operated and marketed the service.  He was charged in a Philadelphia federal court with “money laundering, operating an unlicensed money transmitting business and identity theft.” He faces up to 40 years in prison.

[1] https://www.fortinet.com/blog/threat-research/old-cyber-gang-uses-new-crypter-scrubcrypt/

[2] https://thehackernews.com/2023/03/kamikakabot-malware-used-in-latest-dark.html