Cymulate’s May 2021 Cyberattacks Wrap-up
During May 2021, threat actors, quite likely DarkSide, went big-game hunting, hacking the Colonial Pipeline Co., which operates one of the largest U.S. fuel pipelines. The company decided to comply with the ransom demand and paid $5 million to restore operations.
Also in May 2021, branches of insurance giant AXA based in Thailand, Malaysia, Hong Kong, and the Philippines were hit by ransomware cyberattacks. This cyber attack followed the announcement of AXA that it would no longer cover ransomware extortion payouts. The Avaddon ransomware group claimed to have stolen 3 TB of sensitive data from AXA's Asian operations.
In an interesting turn of events, one of the most popular Russian-speaking hacker forums, XSS, has banned promoting ransomware. In this forum, threat actors share knowledge about exploits, vulnerabilities, malware, and network breaching. The forum was a favorite of ransomware groups such as REvil, LockBit, DarkSide, Netwalker, and Nefilim. The reason for the ban is to avoid scrutiny by law enforcement. Russian cyberspies from APT29 also changed their tactics due to scrutiny by Western agencies. They are now deploying a red-teaming tool to blend into targeted networks posing as legitimate pen-testers.
On the malware front, we saw Epsilon Red, new ransomware written in the open-source Go programing language, entered the market in May 2021. RED.exe is a 64-bit Windows executable programmed in Go lang, compiled using the MinGW tool, and packed with a modified version of the runtime packer UPX. During a ransom attack using Epsilon Red, all components were written as a PowerShell script, except for Epsilon Red, which was delivered as the final executable payload. Once the threat actors got access to the targeted network, they downloaded and installed a copy of Remote Utilities and the Tor Browser to secure an alternate foothold if the initial access point would be locked down. The injected red.ps1 script unpacked RED.7z into the %SYSTEM%\RED directory, followed by creating scheduled tasks to run the unpacked scripts.
After one hour, commands were executed that modified the Windows Firewall rules using the RED.ps1 script to block inbound connections on all TCP ports except for the Remote Desktop Protocol (3389/tcp) and the communications port used by Remote Utilities (5650/tcp). The threat actors used a commercial Remote Utility software that can be used for free and allows for generating a digitally signed executable installer and preconfiguring embedded into the .exe.
The NOBELIUM malware group, notorious for the SolarWinds hack, launched a new spear-phishing campaign, gaining access to an email marketing account for the U.S. government development agency USAID. They used to send messages intended to trick users into clicking malicious URLs. In May 2021, MOBELIUM leveraged legitimate mass-mailing service Constant Contact to pose as USAID targeting a wide range of organizations and industry verticals. Before launching its spear-phishing campaign in May, NOBELIUM performed a reconnaissance mission at the beginning of 2021 by sending the tracking portion of the email to record targets who clicked on the link. No malicious payloads were used at this stage. Next, NOBELIUM attempted to compromise systems through an HTML file attached to a spear-phishing email. During March, the threat actors executed similar spear-phishing campaigns, which included made alterations to the accompanying HTML document based on the intended target.
NOBELIUM also experimented with removing the ISO from Firebase to encode it within the HTML document and redirecting the HTML document to an ISO containing an RTF document with the encoded malicious Cobalt Strike Beacon DLL. In April 2021, the threat actors stopped using Firebase, shifting to encoding the ISO within the HTML document to store target host details on a remote server using the api.ipify.org service.
In May 2021, NOBELIUM changed its tactics again, dropping a custom .NET first-stage implant (TrojanDownloader:MSIL/BoomBox), which downloaded additional payloads from Dropbox cloud storage platform. The new NOBELIUM spear-phishing used Constant Contact to target around 3,000 individual accounts across more than 150 organizations.
- The emails sent via Constant Contact, appeared to have originated from USAID due to using firstname.lastname@example.org as the sender's email address duping Constant Contact.
- The Reply-To address in the Constant Contact email was email@example.com.
- Once the recipient clicks on the email link, the URL is directed to the legitimate Constant Contact service, followed by being redirected to the NOBELIUM-controlled C&C.
- A malicious ISO file is then delivered to the system. Within this ISO file are the following files that are saved in the %USER%\AppData\Local\Temp\<random folder name>\ path:
- Several malicious payloads were executed, allowing the NOBELIUM threat actors to gain persistent access to the compromised systems.
We end this wrap-up with threat actors using the Microsoft Build Engine MSBuild to deliver the Remcos Remote Access Tool (RAT) and the password-stealing malware RedLine Stealer filelessly. The malicious MSBuild files contained encoded executables and shellcode; in some cases hosted on the Russian image-hosting site "joxi[.]net. Using MSBuild allows threat actors to evade detection while installing malicious payloads directly to a targeted computer's memory. Once the Remcos Trojan executed, it started stealing credentials and other sensitive info.
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This allows you to test and verify by yourself if your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. Also, IOCs are available at the Cymulate UI!