SOC Goulash: Weekend Wrap-Up

Infosec News for 26/09/2022–02/10/2022

Opalsec
13 min read · Oct 3, 2022

This is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!

Headline Items

  1. Royal ransomware shows shades of Conti; the infamous Brute Ratel C4 framework gets cracked and distributed on cybercrime forums, and a China-based actor uses vSphere Installation Bundles to persist on ESXi environments;
  2. Qakbot distribution hits cruise control, while IcedID uses three different delivery methods and decoy C2 configs to mess with analysis efforts;
  3. Microsoft scramble to address two actively exploited 0-days in Exchange; CERT coordinate discovery & remediation of vulnerabilities in Ethernet header stacking that could bypass inspection and prevention measures in enterprise network kit.

Royal Ransomware — a Conti fork continues big game hunting

Reference: Bleeping Computer

Vitali Kremez of Advanced Intel has shed light on Royal ransomware, which extorts victims for between $250k and $2 million and demonstrates overlaps with the defunct Conti ransomware operation. While the group has been in operation since January 2022, its activities are beginning to surface as more victims come out of the woodwork.

Figure 1: Brief overview of what we know about the Royal Ransomware kill chain

It’s noteworthy that the Royal operations share some cross-over with historical Conti activity, specifically:

  1. The ransom note generated through their previous Zeon encryptor was very similar to Conti’s ransom notes;
  2. They make use of Callback Phishing to manipulate users into installing Remote Access Software — a technique best known implemented through “BazaCall”, which often featured in Conti intrusions;
  3. Their consistently high ransom demands are indicative of “big game hunting”, and they operate as an exclusive collective — two traits exhibited by Conti during the life of the group.

While there’s little known about the group’s standard modus operandi, their overlaps with Conti and preference for high-value targets make this group one to watch.

As with the other Conti splinters, we can expect Royal ransomware operators to have a more mature and organised approach to operations than most.

In order to mitigate the initial access techniques employed by this group, consider incorporating Callback Phishing as an attack vector into user awareness training, and continue monitoring for and investigating installation of unapproved Remote Access Software on your network.

BruteRatel goes (involuntarily) mainstream

References: Bleeping Computer | BushidoToken

A cracked version of the highly capable and commercially-sold Brute Ratel C2 framework has been widely circulated on many “of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out.” This leak has sparked concerns that we may see an acceleration in the shift by threat actors away from Cobalt Strike, towards lesser-known and more evasive alternative C2 frameworks such as this.

When Unit 42 first reported on it in July this year, Brute Ratel’s use was much more limited, with license-checking mechanisms restricting actors to leaked legitimate copies or, in the case of several ex-Conti ransomware members, setting up fake US companies to purchase a license.

Unfortunately, given the license check was removed in the release of a cracked version, license revocation isn’t going to help here. The cat is well and truly out of the bag.

While the initial identified uses of Brute Ratel in-the-wild were limited to mature, organised actors such as APT29 and former Conti affiliates, the widespread dispersal of this cracked version means its adoption is likely to increase across the spectrum of cyber actors.

Figure 2: The now-cracked Brute Ratel hits the sweet spot between Capability, Cost, and Evasiveness

For Defenders

  1. MdSec published a detailed analysis piece on Brute Ratel when it first surfaced, so while it’s a good reference, some details may have changed in subsequent releases;
  2. @Kostastsale has some good hunting tips based on observable C2 traffic;
  3. Splunk have pulled together a collection of rules that align with Brute Ratel TTPs and behaviours.

China-Linked Actor deploys VIB-packaged Backdoors, Dropper to ESXi

References: Mandiant (Part 1) | Mandiant (Part 2)

Mandiant have reported their discovery of two ESXi backdoors deployed via a novel method — vSphere Installation Bundles (VIB). VIB files are typically used by administrators to distribute software and manage ESXi systems, and are capable of creating “startup tasks, custom firewall rules, or deploy[ing] custom binaries upon the restart of an ESXi machine” — perfect for the discerning Threat Actor.

The actor, which Mandiant tracks as UNC3886 and is believed to have ties to China, modified the package to appear to be from an approved partner, and installed the VIB package using the --force flag. This technique was used to deliver VIRTUALPITA — a basic backdoor that listens on a hard-coded port, and VIRTUALPIE — a Python-based backdoor that listens on a hard-coded port for a connection over IPv6.

While the impact of this attack was significant in its ability to grant attackers control of the ESXi environment and virtual machines it hosts, this is not a remotely executable attack, and requires administrative privileges to conduct.

VMWare ESXi has long been a valuable target for attackers due to it being used to host virtualised servers and workstations. Compromising it will — as was the case in this intrusion — enable execution of code on the server’s hosted VMs. Ransomware actors in particular have created tools and encryptors specifically targeted at ESXi environments, with household names like Black Basta, REvil, Lockbit, and Conti among them.

Mandiant have shared detailed guidance on system hardening and detection opportunities. The TL;DR is to make sure you’re ingesting ESXi logs and looking for the indicators flagged in the report, and to set up a playbook for running Yara over SSHFS, or through a locally-installed instance to bypass potential latency issues.

Bonus round: VMWare have published a blog post looking at the many ways actors will look to delete Volume Shadow Copies, including a newly discovered method that abuses the Volume Shadow Copy Coordinator (VssCoordinator). Check it out.

Qakbot TTP Summary

Qakbot hit cruise control this week, with distribution across both botnets varying only in the initial delivery mechanism, which was either a malicious link or a malicious HTML file. All other TTPs remained unchanged.

One noteworthy mention is two new process injection targets — msra.exe and iexplorer.exe, identified by @Max_Mal_ in their analysis of a Qakbot dll sample.

BB Botnet

TA577 was the most active distributor this week, and appeared to opt for malicious links as lures on all but one occasion at the start of the week. No changes over last week’s TTPs — I guess if it ain’t broke, don’t fix it?

26/09 (CampaignID: 1664184863, Distro #1): url > zip > iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

26/09 (CampaignID: 1664184863, Distro #2): html > zip > iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

27/09: url > zip > iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

28/09: url > zip > iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

30/09: url > zip > iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

Figure 3: TA577 execution chain

Obama Botnet

Not much was observed from the Obama botnet (TA570) this week, with the only analysed sample originating from a malicious HTML file and following the same execution chain as last week:

28/09 (Obama207): html > .zip > .iso > cmd.exe (.lnk) > wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)

Figure 4: TA570 execution chain
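Both botnets end their chain the same way (wscript.exe running the .js, which runs a .cmd, which hands a .dll to regsvr32.exe), so that tail is a reasonable thing to hunt for in process-creation telemetry. The following is an added example written for this newsletter, not code from the Qakbot analysts or any vendor. It assumes event records in a simplified Sysmon Event ID 1 shape (pid, parent pid, image path, command line); the events, the drive letter E: standing in for a mounted ISO, and the list of "expected" DLL directories are all constructed for the example.

```python
"""Hunt for the Qakbot execution chain summarised above in process telemetry.

Added example, not code from the newsletter or any vendor.  Event tuples are
constructed in a simplified Sysmon Event ID 1 shape (assumption):
(pid, parent pid, image path, command line).
"""
import re
from pathlib import PureWindowsPath

# Parent -> child sequence that closes the chain: wscript.exe (.js) > cmd.exe (.cmd) > regsvr32.exe (.dll)
QAKBOT_TAIL = ("wscript.exe", "cmd.exe", "regsvr32.exe")
# Assumed locations where a regsvr32-registered DLL is normally expected to live.
SYSTEM_PREFIXES = (r"c:\windows", r"c:\program files")

SAMPLE_EVENTS = [  # constructed sample telemetry
    (4100, 1200, r"C:\Windows\explorer.exe", "explorer.exe"),
    # the .lnk inside the mounted ISO (drive E:) launches cmd, which runs the .js
    (4200, 4100, r"C:\Windows\System32\cmd.exe", r'cmd /q /c wscript "E:\invoice.js"'),
    (4300, 4200, r"C:\Windows\System32\wscript.exe", r'wscript "E:\invoice.js"'),
    (4400, 4300, r"C:\Windows\System32\cmd.exe", r"cmd /c E:\run.cmd"),
    (4500, 4400, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 E:\data\loader.dll"),
    # benign admin activity that also ends in regsvr32, but with no wscript ancestor
    (5000, 4100, r"C:\Windows\System32\cmd.exe", "cmd"),
    (5100, 5000, r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\lib.dll"'),
]


def image_name(path: str) -> str:
    """Lower-cased basename of an image path, e.g. 'regsvr32.exe'."""
    return PureWindowsPath(path).name.lower()


def build_index(events):
    """Map pid -> (ppid, image, command line) for ancestor lookups."""
    return {pid: (ppid, image, cmdline) for pid, ppid, image, cmdline in events}


def lineage(index, pid, max_depth=10):
    """Image names from the oldest known ancestor down to `pid` (root first).

    The depth cap and the `seen` set protect against pid reuse producing a cycle.
    """
    names, seen = [], set()
    while pid in index and pid not in seen and len(names) < max_depth:
        seen.add(pid)
        ppid, image, _ = index[pid]
        names.append(image_name(image))
        pid = ppid
    return list(reversed(names))


def contains_sequence(seq, pattern) -> bool:
    """True if `pattern` occurs as a contiguous run inside `seq`."""
    n = len(pattern)
    return any(tuple(seq[i:i + n]) == tuple(pattern) for i in range(len(seq) - n + 1))


# Quoted paths may contain spaces; unquoted ones may not.
DLL_ARG = re.compile(r'"(?P<q>[A-Za-z]:\\[^"]+\.dll)"|(?P<u>[A-Za-z]:\\\S+\.dll)', re.IGNORECASE)


def dll_path(cmdline: str):
    """Extract the DLL path handed to regsvr32, or None if there is none."""
    m = DLL_ARG.search(cmdline)
    return (m.group("q") or m.group("u")) if m else None


def dll_outside_system_dirs(path) -> bool:
    """Heuristic: a DLL registered from outside the usual install directories (e.g. a mounted ISO)."""
    return path is not None and not path.lower().startswith(SYSTEM_PREFIXES)


def hunt(events):
    """Return one hit per regsvr32 launch whose ancestry contains the Qakbot tail."""
    index = build_index(events)
    hits = []
    for pid, _ppid, image, cmdline in events:
        if image_name(image) != "regsvr32.exe":
            continue
        chain = lineage(index, pid)
        if not contains_sequence(chain, QAKBOT_TAIL):
            continue
        dll = dll_path(cmdline)
        hits.append({"pid": pid, "chain": " > ".join(chain), "dll": dll,
                     "dll_outside_system_dirs": dll_outside_system_dirs(dll)})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The benign regsvr32 launch is left alone because its ancestry lacks the wscript.exe step; on real telemetry you would feed `hunt()` the events for a whole host rather than the constructed list, and treat the `dll_outside_system_dirs` flag as a prioritisation signal rather than a verdict on its own.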

IcedID TTP Summary

IcedID was distributed through three distinct methods: a macro-enabled .doc file, a malicious HTML file that downloaded further stages, or an execution chain nearly identical to Qakbot’s.

Figure 5: IcedID execution chain

References:

  1. Campaign #1 — Tria.ge
  2. Campaign #2 — @pr0xylife
  3. Campaign #3 — @pr0xylife

Decoy C2 Configs

Another interesting tidbit to emerge this week came from Team Cymru, who noticed that samples they detonated appeared to contain dummy configs with domains that pointed to the same IPs of the C2s they retrieved.

Figure 6: IcedID infections appear to use decoy C2 configs to hinder analysis efforts (Source: Team Cymru)

Configs for samples they detonated would update to the “true” config one day later, allowing for identification of the actual Tier 2 infrastructure used by the malware.

At this stage it’s unclear if timing is the only factor influencing the configs delivered to the detonated sample, but regardless it’s worth noting the network connections and DNS resolutions you see in sandbox results should be scrutinised carefully before deploying block rules and calling it a day!

Exchange 0-days — ProxyNotShell — just in time for Friday

Reference: MSRC | Microsoft Security Blog

As is tradition, a critical vulnerability has been disclosed at the end of the week that impacts a core enterprise application.

This time it was cyber security vendor GTSC who announced that two 0-days in Microsoft Exchange that they disclosed to the Zero Day Initiative over 20 days ago remain unpatched, and are being actively exploited to deliver the Chopper webshell — commonly used by Chinese threat groups.

Microsoft later acknowledged their existence, assigning the SSRF vulnerability CVE-2022-41040 and the RCE vulnerability CVE-2022-41082.

Technical Summary

References: Double Pulsar | @GossiTheDog

Kevin Beaumont has done an amazing job pulling together threads on this one and adding actionable guidance on how to hunt for and mitigate these vulnerabilities. Instead of reinventing the wheel, here are the key points:

  1. These vulnerabilities appear to be a repeat of the improperly patched ProxyShell vulnerabilities from last year, though in this case it requires a valid set of non-admin credentials for any email user;
  2. If you don’t run Microsoft Exchange on premise, and don’t have Outlook Web App facing the internet, you aren’t impacted;
  3. If you run Exchange hybrid servers, a standard part of Microsoft Exchange Online migration, they are vulnerable.

I’d recommend reviewing the Hunt, Mitigation, and Detection sections of both the blogs by Kevin Beaumont and Microsoft, and figuring out which steps are most appropriate for your organisation while we await patches being released.

v2 of the On-Prem Mitigation Tool has been released, which rewrites URLs to mitigate the SSRF component of the attack chain and prevent external exploitation attempts.

Greynoise are also monitoring for scanning and exploitation traffic relating to this vulnerability — you can view known scanning IPs here, and observed exploit attempts here.

Headline Vulnerabilities

Active Exploitation: Atlassian’s Bitbucket Server and Data Center

CISA has added CVE-2022-36804 to their Known Exploited Vulnerabilities (KEV) catalogue, indicating active exploitation of the vulnerability has been observed.

The attack is performed by sending crafted malicious HTTP requests, and enables Remote Code Execution.

PoC exploit code is publicly available, with scanning and exploit attempts noted by BinaryEdge and GreyNoise since at least September 20th.

Vulnerability Disclosure: DoS, MitM flaws in Ethernet network standards

A security researcher has reported four vulnerabilities that enable DoS and MitM attacks by stacking multiple VLAN 0 and LLC/SNAP headers in order to encapsulate their traffic and bypass Layer 2 inspection & filtering capabilities.

Given the vulnerability is in a protocol standard, the potential scope extends to any manufacturer of network gear that supports that particular implementation of the protocol. CERT have listed 243 manufacturers on their advisory, with Cisco, Arista, and Juniper confirmed to be impacted so far.
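The core of the issue above is that an inspection engine which strips a single VLAN tag, or does not descend through an LLC/SNAP header, never reaches the real payload. The following is an added example written for this summary, not code from CERT or any of the listed vendors: a small Ethernet header walker that crosses stacked 802.1Q tags and LLC/SNAP headers with a hard depth limit, next to the "strip one tag" view a naive filter would have. The frames are constructed inline with `build_frame()`, and the depth ceiling `MAX_ENCAP` is an assumed value for the example.

```python
"""Parse stacked 802.1Q and LLC/SNAP headers the way an inspection engine must.

Added example for the header-stacking advisory above; not code from CERT or
any vendor.  Frames are constructed inline with build_frame(); the depth limit
MAX_ENCAP is an assumption chosen for this example.
"""
import struct

ETH_P_8021Q = 0x8100   # customer VLAN tag
ETH_P_8021AD = 0x88A8  # service (QinQ) VLAN tag
ETH_P_IPV4 = 0x0800
ETH_P_ARP = 0x0806
MAX_ENCAP = 4          # assumed ceiling on stacked headers before the frame is rejected


def parse_frame(frame: bytes, max_encap: int = MAX_ENCAP) -> dict:
    """Return the innermost EtherType, the payload, and every encapsulation layer crossed.

    Raises ValueError on truncation or when more than max_encap headers are stacked,
    so a hostile frame cannot make the parser walk indefinitely.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    layers = []
    while True:
        if len(layers) > max_encap:
            raise ValueError(f"more than {max_encap} stacked headers")
        if ethertype in (ETH_P_8021Q, ETH_P_8021AD):
            if offset + 4 > len(frame):
                raise ValueError("truncated VLAN tag")
            tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
            layers.append(("vlan", tci & 0x0FFF))   # VID 0 is a priority-only tag
            offset += 4
        elif ethertype < 0x0600:
            # IEEE 802.3: the field is a length, and an LLC header follows.
            if offset + 3 > len(frame):
                raise ValueError("truncated LLC header")
            dsap, ssap, ctrl = frame[offset:offset + 3]
            offset += 3
            if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):
                # SNAP: 3-byte OUI, then the real protocol id (an EtherType).
                if offset + 5 > len(frame):
                    raise ValueError("truncated SNAP header")
                oui = frame[offset:offset + 3]
                (ethertype,) = struct.unpack("!H", frame[offset + 3:offset + 5])
                offset += 5
                layers.append(("llc_snap", oui.hex()))
            else:
                # Plain LLC without SNAP: no EtherType is recoverable.
                layers.append(("llc", (dsap, ssap)))
                ethertype = None
                break
        else:
            break
    return {"dst": dst.hex(), "src": src.hex(), "ethertype": ethertype,
            "layers": layers, "payload": frame[offset:]}


def naive_ethertype(frame: bytes) -> int:
    """What a filter that strips at most one VLAN tag believes the frame carries."""
    (et,) = struct.unpack("!H", frame[12:14])
    if et in (ETH_P_8021Q, ETH_P_8021AD):
        (et,) = struct.unpack("!H", frame[16:18])
    return et


def build_frame(inner_ethertype: int, payload: bytes, vlan_ids=(), snap=False) -> bytes:
    """Constructed test helper: wrap payload in the given 802.1Q tags and optional LLC/SNAP."""
    hdr = bytearray(bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb"))
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    if snap:
        llc_snap = b"\xaa\xaa\x03" + b"\x00\x00\x00" + struct.pack("!H", inner_ethertype)
        hdr += struct.pack("!H", len(llc_snap) + len(payload))  # 802.3 length field
        hdr += llc_snap
    else:
        hdr += struct.pack("!H", inner_ethertype)
    return bytes(hdr) + payload


def classify(frame: bytes) -> str:
    """'rejected' (truncated or over the depth limit), 'stacked' (>1 layer), else 'plain'."""
    try:
        parsed = parse_frame(frame)
    except ValueError:
        return "rejected"
    return "stacked" if len(parsed["layers"]) > 1 else "plain"


if __name__ == "__main__":
    ip_payload = bytes([0x45]) + b"\x00" * 19  # constructed IPv4 header stub
    tricky = build_frame(ETH_P_IPV4, ip_payload, vlan_ids=(0, 0), snap=True)
    print("naive view: EtherType 0x%04x" % naive_ethertype(tricky))
    print("full walk:", parse_frame(tricky)["layers"], classify(tricky))
```

For the doubly priority-tagged, SNAP-wrapped IPv4 frame, `naive_ethertype()` still reports 0x8100 and so would never apply an IPv4 rule, while `parse_frame()` reaches the 0x0800 payload and records the three layers it crossed. Treating "more than one encapsulation layer" as a signal in its own right is the cheap check a defender gets from this, and the depth cap is what keeps that check from becoming a DoS vector of its own.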

Patches Available: RCE in WhatsApp on Android & iOS

Two flaws (CVE-2022-36934 and CVE-2022-27492) have been identified in the way WhatsApp handles video files and calls, which could be abused to gain arbitrary code execution on victim devices.

There was no evidence of exploitation in-the-wild at the time of discovery, but given the ease of exploitation, it’s well worth ensuring you’re on a patched version.

Offensive

  1. DNS Reaper — a sub-domain scanner that identifies takeover opportunities;
  2. AzTokenFinder, which dumps JWTs from user processes, e.g. Office Apps;
  3. Guidance on abusing Resource-based Constrained Delegation for accounts without SPNs and how to forge a “Sapphire Ticket” have been added to thehacker.recipes;
  4. Semperis have shared details of a new Kerberoasting technique that can bypass detections based on 4769 Kerberos ticket request events;
  5. TIL you can relay the Printerbug attack to a computer that the source computer has admin over. Discover attack paths with Max.py (max.py get-info --admincomps);
  6. mrd0x has shared a post detailing the potential to abuse Chromium’s Application Mode to present convincing credential-harvesting phishing pages to end-users. Michael Taggart points out that this is exactly the trick they used to create OffensiveNotion, which functions as a C2 medium by abusing the note-taking app Notion;
  7. Looking for novel ways to flex on the SOC in your next Red Team exercise? Why not use VirusTotal for C2, just for funsies?

Defensive

  1. MemProcFS — view physical memory dumps as files in a virtual file system;
  2. YARI — a debugger for writing YARA rules;
  3. PurpleCloud — an automated tool to help spin up lab environments using Azure AD and Active Directory in Azure;
  4. A YARA module to extract data at a given offset — used in this example to pull DanaBot configs from static files;
  5. Volume Shadow Copy (VSC) deletion is a TTP shared by many ransomware actors — check out this post from VMWare looking at how they do it, including a new technique that abuses the Volume Shadow Copy Coordinator (VssCoordinator), a part of the Volume Shadow Copy Service (VSS), to access VSCs;
  6. Palo Alto’s Unit 42 have a great write-up on how attackers commonly load unsigned malicious DLLs to achieve their effects, and provide tips and hunting queries to help you surface this behaviour on your networks;
  7. Splunk’s Michael Haag looks at Protocol Handlers (e.g. the msdt handler abused in the Follina vulnerability) and how to detect their use and abuse;
  8. One for those managing environments with macOS assets — a blog post looking at identifying GateKeeper override attempts;
  9. Microsoft have published a great blog post looking at Office365 forensic artefacts and where to find them — one to bookmark for sure!

Threat Actor Activity & Reporting

  1. Russia’s APT28 were tentatively attributed to an attack that used a malicious PowerPoint file with a hlinkMouseOver method that executed a PowerShell download cradle when a hyperlink in the file was hovered over. While it may sound novel, this technique was actually first uncovered in 2017, and Microsoft’s patch for CVE-2021-40444 will prevent it from working if installed;
  2. China’s TA413/LuckyCat has been observed dropping their new LOWZERO backdoor on Tibetan targets, exploiting the Sophos Firewall (CVE-2022-1040) and Follina vulnerabilities to do so;
  3. CrowdStrike have uncovered a supply chain attack which delivered a trojanised installer for the Comm100 chat-based customer engagement platform to customers. The attack appears to have only lasted two days before being identified, and is believed to have been conducted by a China-affiliated actor;
  4. NCC Group have published this piece detailing their response to an intrusion conducted by a Chinese threat actor. Of most interest is their analysis of the ShadowPad RAT — a trojan believed to be used exclusively by China-based threat actors;
  5. Securonix have described a Phishing campaign they observed delivering heavily obfuscated PowerShell scripts that also featured anti-analysis checks — something typically reserved for compiled payloads that attackers don’t want analysed. The campaign targeted multiple military contractors, and bore several similarities to attacks conducted by the DPRK-attributed APT37 threat group;
  6. Security Scorecard have pulled together a detailed analysis of CredoMap, an infostealer deployed by APT28 against targets in Ukraine;
  7. The excitement surrounding the Optus hack has mostly died down, with the perpetrator backtracking on their ransom demands and apologising publicly for their actions. While damage-control is still very much ongoing, the telco sector is likely to be subject to more stringent regulations and oversight, with the potential for greater financial penalties for breaches such as this;
  8. Okta subsidiary Auth0 has reported that several old source code repositories from 2020 may have been stolen by an unknown actor. Despite being unable to determine how it was stolen or by whom, they’ve assured us there is no “customer impact.”
  9. A report by NetScout highlights the variance in and uptick of DDoS attacks for the 1st half of 2022. Techniques such as DNS water-torture and the TP240 PhoneHome amplification attacks featured prominently, while more broadly, DDoS is being used as a tool in geopolitical conflicts.

Cyber Crime & Ransomware

  1. Proofpoint have highlighted the potential for attackers to abuse Microsoft Sway — a Microsoft service that aids in website generation — to Phish users and deliver malware;
  2. DFIR Report have published their latest intrusion analysis piece, looking at a BumbleBee infection that made it to lateral movement and staging for exfil/encryption before being evicted;
  3. Securelist have a report looking at NullMixer — a dropper that delivers multiple malware payloads in a given infection. The campaign used SEO-optimised lures to deliver trojanised cracks/keygens, and delivered malware including SmokeLoader, LgoogLoader, Disbuk, RedLine, Fabookie, and ColdStealer;
  4. zScaler have found Agent Tesla samples being delivered through chained lnk, hta, and PowerShell payloads generated by Quantum Builder, a payload generation tool sold on the Dark Web;
  5. Deepwatch are reporting (data-wall) potential “foreign intelligence service influence” in a Gootloader campaign which hijacked legitimate websites to publish fake blog posts and targeted “government, legal, real estate, medical, and education victims with highly-targeted content”;
  6. The Apollo OTP Bot — a Discord-based bot that abuses Google Voice to perform vishing of OTP codes to enable bypassing of MFA — has been discovered being sold on cybercrime forums;
  7. Cyfirma take a look at the ErbiumStealer malware, performing a technical analysis of the infostealing malware that’s sold on cybercrime forums for as little as 500 rubles per week;
  8. While REvil’s heyday is very much behind them, it’s well worth having a skim of Trellix’s analysis of the operations and dismantling of their once-formidable ransomware crew.

Misc

  1. Constellation — a Kubernetes engine that wraps K8s clusters in a confidential wrapper that encrypts all data and separates it from the underlying cloud infrastructure. Supporting blog post here.

Thanks for reading! A reminder — this is a cross-post from the main Opalsec Substack. Check it out and subscribe to receive the latest newsletters straight to your inbox!
