Threat actors stepped up their game during September 2021. For starters, the Nobelium threat actor group launched its FoggyWeb malware designed to exfiltrate credentials and introduce a permanent backdoor into Active Directory servers. Threat actors also launched TangleBot malware to gain access for spying, data-harvesting, stalking, and fraud attacks. Threat actors also upped their phishing game using deep-sea phishing in their attacks. Deep-sea phishing combines phishing, spear-phishing, and whaling to launch more aggressive attack campaigns. Ransomware, such as Ryuk, and worm-like capabilities were used in the campaigns to make them more effective.
During September, the threat group TeamTNT was active again, this time targeting multiple operating systems and applications. Operating since the middle of 2020, TeamTNT has been responsible for thousands of infections globally. The group's trademark is the use of open-source tools: port scanners such as Masscan to detect new infection targets, libprocesshider to execute its bot directly from memory, 7z to decompress downloaded files, the b374k shell to control infected systems, and LaZagne to collect stored credentials from numerous applications. This time, TeamTNT used multiple shell/batch scripts, new open-source tools, a cryptocurrency miner, and its TeamTNT IRC bot for its attack campaign. The new open-source tools were designed to steal usernames and passwords from the infected machines. The threat actors targeted Windows, Linux distributions including Alpine, and environments such as AWS, Docker, and Kubernetes. The attacks, dubbed the Chimaera campaign, had low to zero detection.
This month, the Windows CVE-2021-40444 zero-day vulnerability still posed a danger despite Microsoft Office's "Protected View" feature blocking the exploit. The vulnerability enabled threat actors to take over corporate networks by using malicious ActiveX controls to exploit Office 365 and Office 2019 on Windows 10, downloading and installing malware on the compromised machines. Although the "Protected View" feature mitigated the exploit, many users tended to ignore this warning and clicked the "Enable Editing" button. Furthermore, if a document was delivered inside a container format that is not Mark-of-the-Web (MotW) aware, the extracted file carried no MotW, so there was no Protected View to block arbitrary code execution when the Office document was opened. RTF files never get Protected View, which makes them especially vulnerable. This vulnerability was abused by threat actors in phishing attacks.
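Because Protected View depends on the Mark-of-the-Web, a quick defender-side check is to audit received documents for a missing Zone.Identifier stream. The following PowerShell script is an added example and is not Cymulate's or Microsoft's code; the folder path and extension lists are placeholder assumptions chosen for illustration.

```powershell
# Added example (not from the original post): report which Office documents in a folder
# would open WITHOUT Protected View, either because they lack MotW (e.g. extracted by a
# container/tool that is not MotW-aware) or because the format (RTF) never gets Protected View.
# Assumption: $Path and the extension lists below are illustrative placeholders.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

# Formats Office opens through Protected View when MotW marks them as Internet/Restricted zone.
$officeExt = @('.docx', '.docm', '.doc', '.xlsx', '.xlsm', '.xls', '.pptx', '.pptm', '.ppt')
# RTF is opened by Word but is never shown in Protected View, so it is flagged regardless of MotW.
$noProtectedViewExt = @('.rtf')

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $ext = $_.Extension.ToLowerInvariant()
    if (($officeExt -notcontains $ext) -and ($noProtectedViewExt -notcontains $ext)) { return }

    # MotW is stored in the NTFS alternate data stream named Zone.Identifier.
    # ZoneId values: 0 local, 1 intranet, 2 trusted, 3 Internet, 4 restricted.
    $zone = $null
    try {
        $stream = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction Stop
        $zoneLine = $stream | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($zoneLine -match '^ZoneId=(\d+)$') { $zone = [int]$Matches[1] }
    } catch {
        $zone = $null   # no Zone.Identifier stream: the file carries no MotW at all
    }

    $status = if ($noProtectedViewExt -contains $ext) { 'NO PROTECTED VIEW (RTF format)' }
              elseif ($null -eq $zone)                { 'NO MOTW (opens without Protected View)' }
              elseif ($zone -ge 3)                    { "MOTW zone $zone (Protected View applies)" }
              else                                    { "MOTW zone $zone (trusted zone, no Protected View)" }

    [pscustomobject]@{ File = $_.FullName; Status = $status }
} | Sort-Object Status | Format-Table -AutoSize
```

Files reported as NO MOTW or NO PROTECTED VIEW are the ones worth treating with extra suspicion when they arrive by e-mail or inside archives.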
Also in September, we saw the Turla APT group step up its game with new malware to keep a secret backdoor on victim machines. The Russia-based Turla group has been active for almost two decades and has compromised organizations in over 45 countries across a wide range of industries, including government, embassies, military, education, research, and pharmaceutical sectors. This backdoor was used as a second-chance backdoor to maintain access to the compromised system, and also as a second-stage dropper to infect the system with additional malware.
To find out if your organization is protected against the latest malware attacks, run Cymulate's Immediate Threat Assessment. This allows you to test and verify for yourself whether your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI.
Eyal is the VP of Customer Success at Cymulate. Over the last 15 years, Eyal has held a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.