
StealC & Vidar Malware Campaign Identified

24 June 2024 at 15:08

Weekly Threat Intelligence Report

Date: June 24, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Malware developers use all sorts of techniques to obfuscate their C2 location and keep security analysts from understanding how their malware operates. One common technique, often called a dead-drop resolver, is to have the malware contact a popular online service, such as Pastebin, requesting a URL that responds with the IP address of the C2 server. This design keeps the C2 address out of the malware binary and lets the operator change or remove the C2 destination as needed. If the right service is chosen, the request may go unnoticed because it looks like regular traffic.

We detonated a malware sample on Windows 7 that was identified as containing both StealC and Vidar, and we found the same technique being used on the gaming platform Steam. In this case, the malware requests the public profile page of a specific Steam account. The account's display name contains the IP address of a component of the C2 infrastructure. Steam also exposes the account's name history, so previous IP addresses that occupied this field can be seen as well.

Steam is an interesting choice for retrieving a C2 destination because it is a gaming platform that is not typically used on corporate infrastructure, except perhaps at gaming companies; it is common in residential traffic, however. A more traditional choice would be a service normally seen in an organization's network traffic, such as a Microsoft service. By the same reasoning, outbound requests to steamcommunity.com/profiles/ from servers, or from workstations with no Steam client installed, are worth alerting on in a corporate environment.

Although a direct relationship has not been confirmed, Vidar is a stealer known to be used by Scattered Spider, also tracked as UNC3944, a criminal group responsible for many high-profile victims, including MGM Grand, Caesars, Snowflake, LastPass, Apple, Walmart, and Zendesk. Recently the head of the organization was arrested by the FBI, but its operations continue.


Malware Sample Information

MD5: 8cfe70cf4f35c7f9b4ddba327d44c1f8
Triage report: https://tria.ge/240617-fvryqazelj/behavioral1
Steam profile: https://steamcommunity.com/profiles/76561199699680841

(Image: Malicious usage of a Steam profile that contains the C2 location)

65.109.240.138 (currently offline)

ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940

65.109.243.78 (currently offline)

ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940

95.216.142.162

ISP: Hetzner Online GmbH
Country: Finland
ASN: AS24940

For 95.216.142.162 we can see a single open port, 443, whose banner contains a recent date/time stamp. We can attempt to pivot off this potentially unique banner using free accounts with Shodan or Censys.

With Censys we can take that banner in hex (to avoid problems with formatting) and create a custom search query that looks for matches on the same ASN. Note that in the hex below the value of the Date header reads <REDACTED>: Censys normalizes that header, so the match keys on the stable parts of the banner (an nginx 302 redirect to https://google.com with a 138-byte body) rather than on the timestamp, which changes with every scan.

Censys Query:
(services.banner_hex="485454502f312e3120333032204d6f7665642054656d706f726172696c790d0a5365727665723a206e67696e780d0a446174653a20203c52454441435445443e0d0a436f6e74656e742d547970653a20746578742f68746d6c0d0a436f6e74656e742d4c656e6774683a203133380d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a4c6f636174696f6e3a2068747470733a2f2f676f6f676c652e636f6d0d0a") and autonomous_system.name=`HETZNER-AS`


From our search, we end up with a list of sixteen IP addresses on this ASN that present the same service banner; the fifteen listed below are mostly, if not entirely, Vidar C2. Note that the set includes both the address recovered from the Steam profile (95.216.142.162) and the address recovered from the Telegram channel discussed next (162.55.53.18).

Vidar C2 IOCs:
95.216.165.53
116.203.13.231
195.201.47.189
116.203.166.11
116.203.167.34
116.203.4.20
49.13.32.109
162.55.53.18
195.201.248.182
95.216.142.162
95.216.182.224
78.47.205.62
116.203.13.42
116.203.13.51
195.201.46.4
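The banner pivot above, carried through as an added Python example that is not part of the original report: it decodes the banner_hex from the Censys query, rebuilds that hex from a raw HTTP response (constructed here, with a made-up Date value) after applying the same <REDACTED> normalization the query shows, and pulls out the stable fields a practitioner would pivot on if the exact hex match proves too narrow. The raw response text and the helper names are assumptions.

```python
import re

# banner_hex taken from the Censys query in the report above (report data).
BANNER_HEX = (
    "485454502f312e3120333032204d6f7665642054656d706f726172696c790d0a"
    "5365727665723a206e67696e780d0a"
    "446174653a20203c52454441435445443e0d0a"
    "436f6e74656e742d547970653a20746578742f68746d6c0d0a"
    "436f6e74656e742d4c656e6774683a203133380d0a"
    "436f6e6e656374696f6e3a206b6565702d616c6976650d0a"
    "4c6f636174696f6e3a2068747470733a2f2f676f6f676c652e636f6d0d0a"
)

# Constructed raw response as the server might have sent it; the Date value is
# made up. Only the Date line differs from what the Censys hex encodes.
RAW_BANNER = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Server: nginx\r\n"
    "Date: Mon, 17 Jun 2024 05:49:40 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 138\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://google.com\r\n"
)

# Matches the Date header line up to (not including) its CRLF.
DATE_LINE_RE = re.compile(r"^Date:[^\r\n]*", re.MULTILINE | re.IGNORECASE)


def decode_banner(hex_banner: str) -> str:
    """Turn Censys banner_hex back into readable text."""
    return bytes.fromhex(hex_banner).decode("ascii")


def normalize_banner(raw: str) -> str:
    """Replace the Date value the way the report's query shows it.

    The per-scan timestamp is what would otherwise make every banner unique;
    the two-space "Date:  <REDACTED>" form mirrors the query's hex exactly.
    """
    return DATE_LINE_RE.sub("Date:  <REDACTED>", raw)


def encode_banner(raw: str) -> str:
    """Raw response -> normalized banner_hex usable in a Censys query."""
    return normalize_banner(raw).encode("ascii").hex()


def censys_query(hex_banner: str, asn_name: str) -> str:
    """Reproduce the query shape used in the report."""
    return (
        f'(services.banner_hex="{hex_banner}") '
        f"and autonomous_system.name=`{asn_name}`"
    )


def parse_banner(banner: str) -> dict:
    """Split a banner into its status line and a header dict."""
    lines = [ln for ln in banner.split("\r\n") if ln]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"status": lines[0], "headers": headers}


def stable_fingerprint(banner: str) -> tuple:
    """Fields that survive across scans and hosts: a looser pivot than the
    full hex when an exact match returns too little (or too much)."""
    parsed = parse_banner(banner)
    h = parsed["headers"]
    return (parsed["status"], h.get("Server"), h.get("Content-Length"), h.get("Location"))


if __name__ == "__main__":
    text = decode_banner(BANNER_HEX)
    print(text)
    print("round-trips:", encode_banner(RAW_BANNER) == BANNER_HEX)
    print(stable_fingerprint(text))
    print(censys_query(BANNER_HEX, "HETZNER-AS"))
```

Decoding the hex first is worth the ten seconds it takes: it confirms the banner is a generic nginx redirect to Google, which is why the ASN restriction in the query matters; without it, the same fingerprint would match plenty of unrelated servers.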

That same sample also contacted Telegram, where the public preview page of a channel is used in the same way to host a different address.

Telegram channel: https://t.me/memve4erin
Triage report: https://tria.ge/240617-fvryqazelj/behavioral2

162.55.53.18:9000
ISP: Hetzner Online GmbH
ASN: AS24940
Country: Germany

5.42.67.8
ISP: LetHost LLC
Location: Russia
ASN: AS210352
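The extraction described for both the Steam profile and the Telegram channel, pulling an IPv4 address (with an optional port) out of the operator-controlled text of a dead-drop page, as an added Python example that is not part of the original report. The two HTML fragments are constructed for illustration and the CSS class names in them are assumptions, so feed the real page body in practice; the validation step rejects non-routable and malformed addresses so a stray version string or private IP in a profile does not become a false IOC.

```python
from __future__ import annotations

import ipaddress
import re
from html import unescape

# Constructed Steam profile fragment (not captured from the real page). The
# class name "actual_persona_name" is an assumption used only to make the
# sample look realistic; the extractor does not depend on it.
STEAM_PROFILE_HTML = """
<div class="profile_header_centered_persona">
  <span class="actual_persona_name">95.216.142.162</span>
  <div class="profile_summary">Just here for the games</div>
</div>
"""

# Constructed Telegram channel preview fragment (t.me/<channel>), same caveat.
TELEGRAM_PREVIEW_HTML = """
<div class="tgme_page_title"><span dir="auto">memve4erin</span></div>
<div class="tgme_page_description">162.55.53.18:9000</div>
"""

# Dotted quad with an optional :port, not glued to other digits or dots, so
# "1.2.3.4.5" (a version string) is not picked up. Octet ranges are checked
# later by ipaddress, not by the regex.
IPV4_PORT_RE = re.compile(
    r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?(?![\d.])"
)
TAG_RE = re.compile(r"<[^>]+>")


def visible_text(html: str) -> str:
    """Crude tag stripper; enough for the short name/description fields."""
    return unescape(TAG_RE.sub(" ", html))


def is_plausible_c2(ip: str) -> bool:
    """True only for syntactically valid, globally routable unicast IPv4."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False
    return addr.is_global and not addr.is_multicast


def extract_dead_drop_targets(html: str) -> list[tuple[str, int | None]]:
    """Return (ip, port) pairs planted in a dead-drop page's visible text.

    Steam profiles and Telegram previews are mostly boilerplate; the
    operator-controlled fields (display name, description) are the only
    places an address can be planted, so only the visible text is scanned.
    """
    found = []
    for ip, port in IPV4_PORT_RE.findall(visible_text(html)):
        if not is_plausible_c2(ip):
            continue
        port_num = int(port) if port else None
        if port_num is not None and not 0 < port_num < 65536:
            continue
        found.append((ip, port_num))
    return found


if __name__ == "__main__":
    print("steam:   ", extract_dead_drop_targets(STEAM_PROFILE_HTML))
    print("telegram:", extract_dead_drop_targets(TELEGRAM_PREVIEW_HTML))
```

Run periodically against the same profile or channel, the extractor also reproduces the name-history observation above: each change in the planted address is a new C2 candidate and a timestamp for when the operator rotated it.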

In our detonation, after Telegram was contacted, another IP was contacted (5.42.67.8), which may have come from a prior entry in the Telegram field (unconfirmed; there is no historical record for this field). HYAS Insight, our threat intelligence solution, was able to provide some recent information about C2 usage on this server. The login screen on it belongs to Risepro malware, however, so it is possible that multiple actors or campaigns are using the same server. It is not uncommon for a malicious server to be shared in this way.

Date: 2024/06/15 19:48:21 UTC (Most recent data)
C2 Admin URL: http://5.42.67.8:8081/
Actor IP: 109.95.78.5
Geo: 55.434553 36.696945
Device User Agent: Mozilla/5.0 (Linux; Android 14; 23021RAA2Y Build/UKQ1.230917.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/125.0.6422.165 Mobile Safari/537.36


(Image: Login screen of Risepro C2 hosted on server)


(Image: Actor who logged into C2 server’s GPS location, southwest of Moscow)


Disclaimer: This Threat Intelligence Report is provided "as is" and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report's completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report's inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

The post StealC & Vidar Malware Campaign Identified appeared first on Security Boulevard.

Stopping Cyber Attacks Against the Financial Sector: Four Use Cases

20 June 2024 at 12:20
  • The financial sector is a prime target for cyber attacks. Financial organizations and their customers and clients feel the fallout of major ransomware and phishing campaigns more than ever, and there’s often more at stake.
  • Finance needs a new approach to deal with the ongoing rise in cybercrime. The right tools coupled with unique data function as preventative measures against threat actors using innovative methods to target and exploit organizations and individuals alike.

With the number of cyber threats on the rise, no sector is truly safe from serious fallout. Banks and financial services firms in particular are obvious targets for threat actors who know which targets are most lucrative. When your computer systems handle millions, or even billions, of (often other people's) dollars, could you be any more enticing?

Luckily, even the most sophisticated ransomware attacks and phishing campaigns can be stopped. Cyber threat intelligence tools powered by the right data make it much easier to stop those responsible for cybercrime in the financial sector.

There is no shortage of researchable financial cybercrime on the internet. We have picked out four popular attack vectors that target major financial institutions every day and compiled four use cases that detail how HYAS identifies and stops them.


1. Passive DNS: The Context of IP Addresses

When threat actors target financial institutions with ransomware, they deploy it from multiple IP addresses; a single IP address is too easy for security monitoring to pick up and block.

Workstations infected by ransomware communicate with the attackers' command and control infrastructure (also called C&C or C2), which is a requirement for conducting a successful cyber attack. Cybersecurity professionals rely on this telemetry (data collected from networks and analyzed to monitor their security), which typically reveals which IP addresses the threat actors are using for C2.

To prevent cyber attacks from wreaking havoc on organizations, cybersecurity professionals monitor the domain name system (DNS), which cyber criminals increasingly rely on for these nefarious ends.

Passive DNS is a historical record of which domain names have resolved to which IP addresses, built by passively collecting resolver responses over time, and it is (and should be) a feature of complete DNS protection solutions. Most people do not read or type IP addresses the way they do domain names. A domain name is translated into an IP address so that computers can talk to each other; this translation is called resolution, and DNS resolves names to IPs. So if you can identify the domain names used by attackers and then pivot to their registration details, you gain valuable C2 data for thwarting attacks.

Passive DNS is an essential tool for tracking bad actors. A search on a particular IP address reveals where in the world that address is allocated, but passive DNS shows the domain names that have resolved to that specific address. This provides context for IP addresses so that cybersecurity professionals can see how threat actors are using their C2.

Passive DNS tools can also support C2 attribution: when other security teams publish data identifying C2 infrastructure, every team watching a particular threat actor is alerted that there is confirmed malicious activity. It also gives threat intelligence teams bad-actor IP addresses to pivot from via the C2 domains those actors use.
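Passive DNS pivoting as an added Python example, not the page's or HYAS Insight's code: it starts from one C2 IP, walks IP to domain to IP through a set of constructed records, and refuses to expand any IP that hosts more domains than a threshold, the usual guard against pivoting through shared hosting or a CDN and pulling in unrelated tenants. The records (documentation-range addresses and .example names), the threshold and the function names are constructed or assumed.

```python
from collections import defaultdict

# Constructed passive DNS records (domain, ip, first_seen, last_seen), ISO dates
# so they compare as strings. Illustrative only, not observations from the page.
PDNS_RECORDS = [
    ("secure-bankportal-login.example", "203.0.113.10", "2024-05-01", "2024-05-20"),
    ("bankportal-verify.example",       "203.0.113.10", "2024-05-03", "2024-05-25"),
    ("bankportal-verify.example",       "203.0.113.11", "2024-05-26", "2024-06-02"),
    ("acct-update-notice.example",      "203.0.113.11", "2024-05-28", "2024-06-05"),
    ("cdn.example",                     "198.51.100.5", "2023-01-01", "2024-06-05"),
    ("acct-update-notice.example",      "198.51.100.5", "2024-06-01", "2024-06-05"),
    # Sixty unrelated tenants behind the same shared host.
    *[(f"tenant{i}.example", "198.51.100.5", "2023-01-01", "2024-06-05") for i in range(60)],
]


def build_indexes(records):
    """Index records both ways so pivots in either direction are O(1)."""
    ip_to_domains = defaultdict(set)
    domain_to_ips = defaultdict(set)
    for domain, ip, _first, _last in records:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    return ip_to_domains, domain_to_ips


def pivot_from_ip(seed_ip, records, max_hops=2, shared_threshold=25):
    """Breadth-first IP -> domain -> IP expansion from one C2 address.

    Each IP and domain is tagged with the hop at which it was reached. An IP
    hosting more than shared_threshold domains is treated as shared hosting or
    a CDN and is recorded but not expanded; expanding it would pull in every
    unrelated tenant and turn the pivot into noise.
    """
    ip_to_domains, domain_to_ips = build_indexes(records)
    ips = {seed_ip: 0}
    domains = {}
    skipped_shared = set()
    frontier = [seed_ip]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for ip in frontier:
            hosted = ip_to_domains.get(ip, set())
            if len(hosted) > shared_threshold:
                skipped_shared.add(ip)
                continue
            for domain in hosted:
                domains.setdefault(domain, hop)
                for other_ip in domain_to_ips[domain]:
                    if other_ip not in ips:
                        ips[other_ip] = hop
                        next_frontier.append(other_ip)
        frontier = next_frontier
    return {"ips": ips, "domains": domains, "skipped_shared": sorted(skipped_shared)}


def domains_on_ip_during(records, ip, start, end):
    """Domains whose resolution window for ip overlaps [start, end]."""
    return {
        domain
        for domain, rec_ip, first_seen, last_seen in records
        if rec_ip == ip and first_seen <= end and last_seen >= start
    }


if __name__ == "__main__":
    result = pivot_from_ip("203.0.113.10", PDNS_RECORDS, max_hops=3)
    for ip, hop in sorted(result["ips"].items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {ip}")
    for domain, hop in sorted(result["domains"].items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {domain}")
    print("not expanded (shared):", result["skipped_shared"])
    print(domains_on_ip_during(PDNS_RECORDS, "203.0.113.11", "2024-05-27", "2024-05-27"))
```

The time-window helper is the other half of the discipline: two domains that both resolved to an IP a year apart are much weaker evidence of a common operator than two that overlapped, so check first_seen/last_seen before treating a pivot hit as related infrastructure.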

2. Hiding Behind GDPR: Superior Domain Registration Data

Financial institutions and their customers are no strangers to phishing campaigns. Attackers using this method frequently employ misspelled domains that lure unsuspecting users to malicious corners of the internet. And with so many banks in the U.S. alone, it is all too easy to impersonate even mid-sized outfits while convincing unfortunate victims that the fakes are genuine.

To establish who is behind a phishing campaign, cybersecurity professionals often rely on WHOIS, the protocol used to query registration databases about domain names. Traditional WHOIS data is rarely enough on its own to stop modern cyber attacks, and since the EU's General Data Protection Regulation (GDPR) took effect in 2018 and registrars began redacting registrant details, useful data has become even harder to obtain.

HYAS Insight provides results for domain registrations that other solutions can easily miss. It is then possible to pivot to other domains registered by the same bad actor.

Because of strong European privacy laws, threat actors can easily hide behind GDPR-masked domain data, which would not normally be viewable. HYAS Insight can still pivot off masked registrations to uncover the hosts of phishing domains used by threat actors. Sometimes phishers register hundreds of domains with a single email address, so a successful identification can uncover an entire phishing campaign.

3. DuckDNS: If It Looks and Acts Like Dynamic DNS …

Internet service providers usually allocate IP addresses to users dynamically, so a home connection's address changes over time. DuckDNS is a free dynamic DNS provider that lets anyone, normal users and bad actors alike, point a subdomain at their current IP address and update it whenever it changes. Because it is free and asks little of the person registering, it is perfectly enticing for those with nefarious ends.

Phishing attacks are probably among the biggest threats financial institutions and their customers or clients face. It should therefore come as no surprise that cybercriminals phishing those organizations gravitate towards DuckDNS-hosted domains in the malicious emails they send to financial institution customers, tricking them into entering their login credentials on fake websites.

Crucially, HYAS Insight provides additional useful information about these DNS registrations, which helps teams locate threat actors by mapping them to IP addresses anywhere in the world. Even if registrants are located elsewhere when they register, DuckDNS still logs their actual IP addresses. DuckDNS turns out to be very much a double-edged sword for threat actors, and yet another mode of defense for those monitoring threats.

4. Geolocation: Find Them and Destroy Them

Threat actors utilizing several different IP addresses can also prove a boon for threat intelligence teams in terms of locating where they’re operating from.

Bad actors might register numerous domains with services like DuckDNS rather than just one, and a single IP address can also appear in registrations by several different actors. If these actors are located all over the world, tracking their operations is more difficult.

However, HYAS Insight can provide highly accurate geolocation data for trackable IP addresses, wherever they are. Further pivoting is possible but not required. When bad actors register dynamic DNS addresses, HYAS obtains the IP addresses used during the registration process and can then pinpoint clusters of hits for registered domains to within approximately one meter.

HYAS Insight Into Every Use Case

Threat and fraud researchers and investigators in the financial industry can easily build up dossiers of attacks to take to and promptly notify relevant law enforcement agencies. We have unique data. And being able to pivot from one data point to another data point, especially when we’ve got unique data, becomes extremely valuable.

HYAS Insight offers threat intelligence, data point pivoting and unique data capabilities invaluable for financial organizations who want to stop the myriad cyber threats that they face. The ability to uncover domain registrations not available to most other cybersecurity solution providers delivers the whole financial sector with the confidence to conduct business operations in the face of malware attacks and phishing campaigns.

Pivoting from single suspicious domains and IP addresses can ultimately uncover vast campaigns designed to destabilize business purely for financial gain. But organizations armed with relevant, unparalleled insight can ensure that bad actors don’t get far.


The post Stopping Cyber Attacks Against the Financial Sector: Four Use Cases appeared first on Security Boulevard.

Leveraging ASNs and Pivoting to Uncover Malware Campaigns

17 June 2024 at 12:00

Identifying and Mitigating Complex Malware Campaigns with ASNs

This week, I spent a good deal of time going down some rabbit holes, all of which were fascinating. However, this is an example of work we would like to share but are not always able to. In this instance, we found confidential information related to a hacked mail server within malware we detonated: the malware was configured to use a government mail server as a relay to email out keylogger data.

In each case there were essentially two victims: the victim(s) of the malware, and the operators of the mail server being used in the attacks. We have notified the department that manages the mail server of the compromise and of the credentials used to send mail through it.

This brings me to the "how" of it all. Cyber threat intelligence (CTI) experts and investigators face the daunting challenge of identifying and mitigating complex malware campaigns. These campaigns, orchestrated by sophisticated threat actors, often leverage diverse infrastructure and techniques to evade detection and compromise targets.

In this blog, we'll explore in detail how CTI experts can harness the power of Autonomous System Numbers (ASNs) and employ pivoting techniques to uncover and analyze malware campaigns. By understanding the nuances of ASNs and mastering effective pivoting strategies, CTI professionals can enhance their capabilities in threat detection, attribution, and response.

Understanding ASNs

Autonomous System Numbers (ASNs) are unique identifiers assigned to the networks (autonomous systems) that participate in global BGP routing. Each ASN corresponds to an organization that announces a set of IP prefixes under a single routing policy, so any IP address can be mapped to the network that originates it. By analyzing ASNs, CTI experts gain valuable insight into the infrastructure threat actors use to conduct malicious activities.

These insights include identifying the origins of malicious traffic, pinpointing hosting providers associated with malware distribution, and tracing connections between seemingly disparate cyber threats.

Pivoting with ASNs

Pivoting is a fundamental investigative technique that involves using known information or indicators of compromise (IOCs) as a starting point to uncover additional related data and connections. When investigating malware campaigns, CTI experts can pivot using ASNs to expand their understanding of the threat landscape and uncover hidden relationships.

Here's a step-by-step breakdown of how pivoting with ASNs can be accomplished:

1. Initial Investigation: The process begins with collecting IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign. These IOCs serve as the starting point for the investigation.

2. ASN Enumeration: CTI experts map the collected IP addresses to their corresponding ASNs, for example by longest-prefix lookup against a BGP routing table snapshot or through a bulk IP-to-ASN service such as Team Cymru's. This mapping provides crucial insight into the ownership and affiliations of the networks involved in the malware campaign.

3. ASNs Analysis: Once the ASNs associated with the collected IOCs are identified, CTI professionals conduct a detailed analysis to uncover patterns, anomalies, and potential relationships between different malware campaigns. They look for commonalities such as shared infrastructure or hosting providers used by multiple threats.

4. Expand Investigation: Armed with insights from the ASNs analysis, CTI experts pivot further to gather additional IOCs associated with the same ASNs. This may involve exploring related IP ranges, domains hosted on the same infrastructure, or other ASNs controlled by the same organization.

5. Threat Attribution: The final step involves analyzing the gathered data to attribute the malware campaigns to specific threat actors or groups. By tracing connections between different ASNs and malware activities, CTI experts can uncover the broader infrastructure and operations of malicious actors.
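The five steps above, applied to the IP addresses from the Vidar report earlier on this page, as an added Python example that is not from the original article: it resolves each IP to an ASN by longest-prefix match against a routing table, groups the IOCs by ASN, and filters a second set of candidates (such as banner-search hits) down to the ASN under investigation. The prefix table is constructed for illustration (a real one comes from a BGP table dump or a bulk IP-to-ASN service), the more-specific 116.203.13.0/24 entry and its "RESELLER-AS" exist only to show why longest-prefix match matters, and the ASN names other than HETZNER-AS are assumed.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix table in the shape of a BGP routing table dump:
# (prefix, origin ASN, AS name). Boundaries are illustrative, not the
# providers' real announcements. The /24 and its "RESELLER-AS" are invented
# to show a sub-allocation; ASN names other than HETZNER-AS are assumed.
PREFIX_TABLE = [
    ("95.216.0.0/15",   24940,  "HETZNER-AS"),
    ("116.202.0.0/15",  24940,  "HETZNER-AS"),
    ("116.203.13.0/24", 64500,  "RESELLER-AS"),
    ("195.201.0.0/16",  24940,  "HETZNER-AS"),
    ("65.108.0.0/15",   24940,  "HETZNER-AS"),
    ("49.12.0.0/15",    24940,  "HETZNER-AS"),
    ("162.55.0.0/16",   24940,  "HETZNER-AS"),
    ("78.46.0.0/15",    24940,  "HETZNER-AS"),
    ("5.42.64.0/22",    210352, "LETHOST-AS"),
]

# IOCs from the Vidar report earlier on this page (report data, not constructed),
# plus the Risepro server reached after the Telegram lookup.
REPORT_IOCS = [
    "95.216.165.53", "116.203.13.231", "195.201.47.189", "116.203.166.11",
    "116.203.167.34", "116.203.4.20", "49.13.32.109", "162.55.53.18",
    "195.201.248.182", "95.216.142.162", "95.216.182.224", "78.47.205.62",
    "116.203.13.42", "116.203.13.51", "195.201.46.4",
    "5.42.67.8",
]


def build_table(entries):
    """Parse prefixes and order them longest-prefix first, so the first hit
    during lookup is the most specific announcement (a sub-allocation beats
    the covering block it was carved from)."""
    table = [(ipaddress.ip_network(p), asn, name) for p, asn, name in entries]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def lookup_asn(ip, table):
    """Step 2 (ASN enumeration): map one IP to (asn, name), or (None, None)."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in table:
        if addr in net:
            return asn, name
    return None, None


def group_iocs_by_asn(ips, table):
    """Step 3 (analysis): see which networks the campaign concentrates on."""
    groups = defaultdict(list)
    for ip in ips:
        groups[lookup_asn(ip, table)].append(ip)
    return dict(groups)


def filter_by_asn(candidates, asn, table):
    """Step 4 (expansion): keep only candidates (e.g. from a banner search)
    that sit on the ASN under investigation."""
    return [ip for ip in candidates if lookup_asn(ip, table)[0] == asn]


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    for (asn, name), members in group_iocs_by_asn(REPORT_IOCS, table).items():
        print(f"AS{asn} {name}: {len(members)} IOCs -> {members}")
    print(filter_by_asn(["95.216.1.1", "8.8.8.8", "116.203.13.9"], 24940, table))
```

The point of the longest-prefix ordering is the sub-allocation case: a hosting provider's block is frequently resold or delegated in /24s, and an investigator who matches only the covering /15 will attribute the reseller's customers to the wrong organization. A linear scan is fine for a handful of prefixes; a full table of roughly a million routes wants a radix tree or a library such as pyasn.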

Using ASNs to Uncover a Malware Campaign

To illustrate the effectiveness of this approach, let's consider a hypothetical scenario where a CTI team investigates a ransomware campaign targeting a financial institution. By analyzing the ransomware samples and associated IOCs, the team identifies several IP addresses used as command and control (C2) servers.

Through ASN enumeration and analysis, they discover that these IP addresses belong to a hosting provider known for harboring malicious activities. Pivoting with the identified ASN leads them to uncover additional C2 servers, domains, and IP ranges used by the same threat actor across multiple campaigns. This comprehensive view enables the CTI team to attribute the ransomware campaign to a sophisticated cybercriminal group and take proactive measures to disrupt their operations.


Conclusion

In conclusion, the strategic utilization of ASNs and pivoting techniques with HYAS Insight threat intelligence is indispensable for CTI experts and investigators in their efforts to combat malware campaigns. By leveraging ASNs to trace connections and employing pivoting to uncover hidden relationships, CTI professionals can gain deeper insights into the tactics, techniques, and procedures (TTPs) employed by threat actors.

This enhanced understanding enables organizations to better protect their assets, mitigate risks, and respond effectively to evolving cyber threats. With a proactive and strategic approach to threat intelligence, CTI experts can stay ahead of adversaries and safeguard the digital ecosystem against malicious activities.


The post Leveraging ASNs and Pivoting to Uncover Malware Campaigns appeared first on Security Boulevard.
