Paul Scott
on April 1, 2020

Threat Report Wednesday April 1st 2020


This week we’re covering:

  • Another round of COVID-19 miscreants targeting healthcare organizations and using the pandemic as a lure
  • A de-evolution in FIN7 tactics, moving from phishing e-mails to phishing by snail mail
  • Details on a critical vulnerability in a popular WordPress plugin that allows site hijacking
  • Sodinokibi (Sodin) holding NEDA to ransom

FBI report on Orangeworm’s Kwampirs RAT targeting healthcare

On March 30, 2020, the FBI released new information on a campaign by Orangeworm that uses the Kwampirs Remote Access Trojan (RAT) to target healthcare organizations.

The Kwampirs campaign against global healthcare entities has been effective, gaining broad and sustained access to targeted entities. Targeted entities range from major transnational healthcare companies to local hospital organizations.

Over the course of this campaign, the Kwampirs RAT performed daily command-and-control (C2) communications with malicious IP addresses and domains hard-coded into the malware.

The FBI assesses that Kwampirs actors gained access to a large number of hospitals worldwide through the vendor software supply chain and through hardware products. Affected supply chain vendors included those whose products are used to manage industrial control system (ICS) assets in hospitals.

Significant intrusion vectors include:

  • During mergers and acquisitions, infections moved laterally from the acquired company into the acquiring company once the networks were connected.
  • During software co-development, malware was passed between participating entities through shared resources.
  • During software co-development, shared internet-facing resources infected co-development participants.
  • Software supply chain vendors infected devices installed on the customer’s corporate LAN or corporate cloud infrastructure.

According to the FBI’s FLASH report, the campaign runs in two phases. Phase one establishes persistence on the targeted network, including execution of secondary payloads. Phase two delivers additional Kwampirs components used to exploit other hosts and move laterally.

Kwampirs has been active since 2016, targeting industries such as healthcare, software supply chains, energy, and engineering across the U.S., Europe, Asia, and the Middle East.

The FBI’s FLASH message CP-000111-MW included the following indicators:

Kwampirs RAT Created Service

Service name: WmiApSrvEx
Service display name: WMI Performance Adapter Extension
Registry key: SYSTEM\CurrentControlSet\Services\WmiApSrvEx
Service image path: %SystemRoot%\system32\<Executable Filename>

Kwampirs RAT executable files found in c:\windows\system32\:

wmiaprvse.exe
wmiapsrve.exe
wmiapsvrce.exe
wmiapsrvce.exe
wmiApSrvEx.exe
wmiapsvre.exe
wmiapvsre.exe
wmipsvrce.exe
wmipvsre.exe
wmipsrvce.exe
wmiprvse.exe
wmipsvre.exe

Kwampirs RAT DLL files dropped to disk in c:\windows\syswow64\:

wmipadp.dll
wmiassn.dll
wmipdpa.dll
wmiamgmt.dll

DLL files identified in c:\windows\system32\:

wmiadrv.dll
wmipadp.dll
wmiassn.dll
wmipdpa.dll
wmiamgmt.dll

Other files created by the Kwampirs RAT, found in %SystemRoot%\inf\:

mtmndkb32.pnf
digirps.pnf
mkdiawb3.pnf
ie11.pnf
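A host hunt for these artifacts, written as an added example for this post rather than taken from the FBI report: the indicator sets are the lists above, and the file and service inventories are constructed sample data standing in for a real directory walk and service enumeration. The match is keyed on directory as well as file name, because wmiprvse.exe is a legitimate Windows binary when it lives in system32\wbem and is only suspicious directly under system32.

```python
"""Host hunt for the Kwampirs artifacts listed in FBI FLASH CP-000111-MW.

Added example, not part of the FBI report or of the original post. The
indicator sets below are copied from the report; the file and service
inventories at the bottom are constructed sample data standing in for
the output of a real directory walk and service enumeration.
"""
import ntpath

# Service indicators from the FLASH message (compared case-insensitively).
KWAMPIRS_SERVICE_NAME = "wmiapsrvex"
KWAMPIRS_SERVICE_DISPLAY = "wmi performance adapter extension"

# File name indicators, keyed by the directory they were reported in.
# The directory matters: wmiprvse.exe is a legitimate Windows binary in
# system32\wbem, but the report lists it directly under system32.
KWAMPIRS_EXES = {
    "wmiaprvse.exe", "wmiapsrve.exe", "wmiapsvrce.exe", "wmiapsrvce.exe",
    "wmiapsrvex.exe", "wmiapsvre.exe", "wmiapvsre.exe", "wmipsvrce.exe",
    "wmipvsre.exe", "wmipsrvce.exe", "wmiprvse.exe", "wmipsvre.exe",
}
KWAMPIRS_DLLS = {"wmipadp.dll", "wmiassn.dll", "wmipdpa.dll", "wmiamgmt.dll"}
KWAMPIRS_PNFS = {"mtmndkb32.pnf", "digirps.pnf", "mkdiawb3.pnf", "ie11.pnf"}

ARTIFACTS = {
    r"c:\windows\system32": KWAMPIRS_EXES | KWAMPIRS_DLLS | {"wmiadrv.dll"},
    r"c:\windows\syswow64": KWAMPIRS_DLLS,
    r"c:\windows\inf": KWAMPIRS_PNFS,
}


def hunt_files(paths):
    """Return the paths whose directory and file name both match an indicator."""
    hits = []
    for path in paths:
        directory, name = ntpath.split(path)
        directory = directory.lower().rstrip("\\")
        if name.lower() in ARTIFACTS.get(directory, ()):
            hits.append(path)
    return hits


def hunt_services(services):
    """services: iterable of (name, display_name, image_path) tuples."""
    return [
        (name, image) for name, display, image in services
        if name.lower() == KWAMPIRS_SERVICE_NAME
        or display.lower() == KWAMPIRS_SERVICE_DISPLAY
    ]


# Constructed sample inventory: legitimate entries mixed with hits.
SAMPLE_FILES = [
    r"C:\Windows\System32\wbem\WmiApSrv.exe",   # legitimate WMI Performance Adapter
    r"C:\Windows\System32\wbem\WmiPrvSE.exe",   # legitimate WMI provider host
    r"C:\Windows\System32\wmiprvse.exe",        # same name, wrong directory: hit
    r"C:\Windows\SysWOW64\wmipadp.dll",         # reported Kwampirs DLL: hit
    r"C:\Windows\inf\usbstor.pnf",              # ordinary precompiled INF
    r"C:\Windows\inf\ie11.pnf",                 # reported Kwampirs artifact: hit
]
SAMPLE_SERVICES = [
    ("wmiApSrv", "WMI Performance Adapter",
     r"%SystemRoot%\system32\wbem\WmiApSrv.exe"),   # legitimate service
    ("WmiApSrvEx", "WMI Performance Adapter Extension",
     r"%SystemRoot%\system32\wmiApSrvEx.exe"),      # reported service: hit
]

if __name__ == "__main__":
    for path in hunt_files(SAMPLE_FILES):
        print("file hit:", path)
    for name, image in hunt_services(SAMPLE_SERVICES):
        print("service hit:", name, "->", image)
```

On a live host, replace SAMPLE_FILES with an os.walk listing of the three directories and SAMPLE_SERVICES with the output of Get-Service or sc query. Follow up any file hit with a signature check and a look at the service’s image path, since the report lists file names rather than hashes.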

Zeus Sphinx joins the coronavirus malspam party

On March 30, 2020, researchers at IBM X-Force identified a new wave of attacks using “Zeus Sphinx” that takes advantage of COVID-19 relief efforts. Zeus Sphinx (aka Zloader, Terdot) initially emerged as a commercial banking Trojan targeting major financial entities in the UK in 2015. Its main function is to collect online account credentials for banks and a wide range of other websites.

The attack starts with a malicious document that uses the Coronavirus (COVID-19) pandemic as its lure. Once the victim opens the attachment and enables macros, the macro script runs and uses a hijacked legitimate Windows process to execute a malware downloader.

The malware downloader communicates with a command-and-control server to load the Zeus Sphinx variant. To maintain persistence, Sphinx writes numerous folders and files to disk and adds Registry keys to hide itself and manage its configuration file.

The following indicators of compromise were released with the IBM X-Force findings.

URLs

https://seobrooke[.]com
http://brinchil[.]xyz
https://securitysystemswap[.]com
https://axelerode[.]club

IP Addresses

185.14.29[.]227
104.27.178[.]176
47.254.174[.]129
49.51.161[.]225
104.27.179[.]176

Hashes (MD5 and SHA-256)

8a96e96113fb9dc47c286263289bd667
dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe
c6d279ac30d0a60d22c4981037580939
70e58943ac83f5d6467e5e173ec66b28
c8dff758feb96878f578adf66b654cd7
7ca44f6f8030df33ada36eb35649be71
2fc871107d46fa5aa8095b78d5abab78
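Matching these indicators against proxy logs, as an added example (not IBM X-Force’s code or the original post’s): the indicators are the defanged values above, refanged before comparison; the log format and the log lines are constructed. Hashes are labelled by length because the list mixes MD5 and SHA-256, and an IP-only hit is ranked lower than a domain hit because the two 104.27.x.x addresses sit in a range operated by a large CDN, where one IP can front many unrelated sites.

```python
"""Match the Zeus Sphinx indicators above against proxy logs.

Added example, not from IBM X-Force or the original post. The indicator
strings are copied from the list above in their defanged form; the proxy
log lines and the log format (timestamp, client, destination host,
destination IP) are constructed for this example.
"""
import re
from urllib.parse import urlsplit

DEFANGED_URLS = [
    "https://seobrooke[.]com",
    "http://brinchil[.]xyz",
    "https://securitysystemswap[.]com",
    "https://axelerode[.]club",
]
DEFANGED_IPS = [
    "185.14.29[.]227", "104.27.178[.]176", "47.254.174[.]129",
    "49.51.161[.]225", "104.27.179[.]176",
]
HASHES = [
    "8a96e96113fb9dc47c286263289bd667",
    "dff2e1a0b80c26d413e9d4f96031019ce4567607e0231a80d0ee0eb1fcf429fe",
    "c6d279ac30d0a60d22c4981037580939",
    "70e58943ac83f5d6467e5e173ec66b28",
    "c8dff758feb96878f578adf66b654cd7",
    "7ca44f6f8030df33ada36eb35649be71",
    "2fc871107d46fa5aa8095b78d5abab78",
]


def refang(indicator):
    """Undo the usual defanging so the value can be compared with log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {urlsplit(refang(u)).hostname for u in DEFANGED_URLS}
IPS = {refang(ip) for ip in DEFANGED_IPS}


def classify_hash(digest):
    """Label a hex digest by its length; the list above mixes MD5 and SHA-256."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return "invalid"
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")


def domain_matches(host):
    """True for an indicator domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS)


def scan_proxy_log(lines):
    """Return (timestamp, client, host, ip, confidence) for each matching line.

    A domain match is high confidence. An IP-only match is low confidence:
    the 104.27.x.x addresses sit in a range operated by a large CDN, so
    the same IP can serve unrelated sites.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, host, ip = parts[:4]
        if domain_matches(host):
            hits.append((ts, client, host, ip, "high"))
        elif ip in IPS:
            hits.append((ts, client, host, ip, "low"))
    return hits


# Constructed proxy log: timestamp, client IP, destination host, destination IP.
SAMPLE_PROXY_LOG = """\
2020-03-30T10:01:02Z 10.0.0.15 seobrooke.com 185.14.29.227
2020-03-30T10:02:10Z 10.0.0.22 www.example.com 93.184.216.34
2020-03-30T10:03:44Z 10.0.0.22 cdn.brinchil.xyz 47.254.174.129
2020-03-30T10:05:00Z 10.0.0.31 someblog.example 104.27.178.176
""".splitlines()

if __name__ == "__main__":
    for digest in HASHES:
        print(classify_hash(digest), digest)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(*hit)
```

The hash labels matter when you load the list into a tool: an MD5 and a SHA-256 of the same sample will never match each other, so each value has to be compared against the right column of your file inventory.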

FIN7 uses Snail-mail to deliver weaponized USB drives

On March 29, 2020, researchers at Trustwave identified a new wave of attacks carried out by the Advanced Persistent Threat (APT) group dubbed “FIN7.” In these attacks, the group mailed malicious USB devices to employees in Human Resources (HR), Information Technology (IT), and Executive Management (EM) roles at targeted companies, with the end goal of infecting the recipients’ computers.

The attack starts with the threat actors mailing malicious USB devices to victims, pretending to be Best Buy sending $50 gift cards to loyal customers. The USB devices are programmed to present themselves as USB keyboards. When one is connected, it injects keystrokes that harvest system information and send it to the attackers’ command-and-control (C2) server.

The injected PowerShell commands display fake error message boxes, such as “USB Device Not Recognized - The last USB device you connected to this computer malfunctioned, and Windows does not recognize it,” to explain away the device. The PowerShell scripts then run a third-stage JavaScript backdoor, tracked as “GRIFFON,” which gathers system information using seven MITRE ATT&CK techniques. After gathering system information, FIN7 seeks administrative privileges and moves laterally on the compromised network.

PCs trust USB keyboards by default, which makes these physical attacks harder to defend against with conventional antivirus measures. FIN7 has predominantly been associated with phishing as an attack vector, with extensive spear-phishing campaigns observed throughout 2018 and into 2019, and the earliest attributable activity observed in 2015.
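One detection for this technique, as an added example (not Trustwave’s code or the original post’s): a new keyboard-class USB device that is not on an allowlist, followed within two minutes by a PowerShell start on the same host. The event schema, the allowlist and the events are all constructed for the example; a real pipeline would populate the records from the Kernel-PnP device configuration log and from process-creation events (Sysmon event 1 or Security event 4688).

```python
"""Correlate a new USB keyboard with a PowerShell launch shortly after.

Added example, not from Trustwave or the original post. The event records
and their field names are a constructed, normalised schema: a real
pipeline would fill them from PnP device-arrival events and process
creation events (Sysmon event 1 or Security event 4688). The keyboard
allowlist and the sample events are also constructed.
"""
from datetime import datetime, timedelta

# Constructed allowlist of (vendor id, product id) pairs the org issues.
KNOWN_KEYBOARDS = {("046d", "c31c")}
WINDOW = timedelta(seconds=120)


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_badusb(events):
    """Alert when an unknown keyboard-class device on a host is followed by
    a powershell.exe start on the same host within WINDOW."""
    pending = {}   # host -> (arrival time, arrival event) of an unknown keyboard
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = parse_ts(ev["time"])
        if ev["type"] == "device_arrival":
            if ev["class"] != "Keyboard":
                continue
            if (ev["vid"].lower(), ev["pid"].lower()) in KNOWN_KEYBOARDS:
                continue
            pending[ev["host"]] = (t, ev)
        elif ev["type"] == "process_start":
            if not ev["image"].lower().endswith("\\powershell.exe"):
                continue
            arrival = pending.get(ev["host"])
            if arrival and t - arrival[0] <= WINDOW:
                pending.pop(ev["host"])   # one alert per device arrival
                alerts.append({
                    "host": ev["host"],
                    "device": f"VID_{arrival[1]['vid']}&PID_{arrival[1]['pid']}",
                    "delay_s": int((t - arrival[0]).total_seconds()),
                    "command": ev["cmdline"],
                })
    return alerts


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events covering the positive case and three negatives.
SAMPLE_EVENTS = [
    # WS-HR-07: unknown keyboard, PowerShell 25 s later -> alert
    {"time": "2020-03-29T10:00:00Z", "host": "WS-HR-07", "type": "device_arrival",
     "class": "Keyboard", "vid": "1b4f", "pid": "9206"},
    {"time": "2020-03-29T10:00:25Z", "host": "WS-HR-07", "type": "process_start",
     "image": POWERSHELL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden"},
    # WS-IT-02: allowlisted keyboard, then PowerShell -> no alert
    {"time": "2020-03-29T11:00:00Z", "host": "WS-IT-02", "type": "device_arrival",
     "class": "Keyboard", "vid": "046d", "pid": "c31c"},
    {"time": "2020-03-29T11:00:30Z", "host": "WS-IT-02", "type": "process_start",
     "image": POWERSHELL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},
    # WS-EX-01: unknown keyboard, PowerShell 10 min later -> outside window
    {"time": "2020-03-29T12:00:00Z", "host": "WS-EX-01", "type": "device_arrival",
     "class": "Keyboard", "vid": "1b4f", "pid": "9206"},
    {"time": "2020-03-29T12:10:00Z", "host": "WS-EX-01", "type": "process_start",
     "image": POWERSHELL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},
    # WS-HR-03: USB disk, not a keyboard -> no alert
    {"time": "2020-03-29T13:00:00Z", "host": "WS-HR-03", "type": "device_arrival",
     "class": "DiskDrive", "vid": "0781", "pid": "5567"},
    {"time": "2020-03-29T13:00:10Z", "host": "WS-HR-03", "type": "process_start",
     "image": POWERSHELL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},
]

if __name__ == "__main__":
    for alert in detect_badusb(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is what keeps this rule quiet: most organisations buy a handful of keyboard models, so a keyboard VID/PID pair never seen before is itself a useful signal, and pairing it with a PowerShell start from explorer.exe within seconds is close to what a keystroke-injecting device looks like on the wire.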

Critical WordPress Plugin Bug allows attackers to gain admin privileges

On March 31, 2020, Wordfence disclosed a critical privilege escalation vulnerability in Rank Math, a WordPress SEO plugin that helps site owners attract more traffic through search engine optimization (SEO). The vulnerability allows an attacker to grant administrator privileges to any registered user on the site, and it can likewise be used to revoke the site owners’ admin rights.

Wordfence also disclosed a second vulnerability in one of Rank Math’s optional modules, which helps users create redirects on their WordPress sites. It allows unauthenticated attackers to create redirects from any location on the site. If you use Rank Math, upgrade to version 1.0.41.2, which contains fixes for both flaws.

Sodin holding NEDA Ransom

It has come to our attention that the National Eating Disorder Association (NEDA) is being held to ransom by the Sodinokibi (aka Sodin, REvil) ransomware group. In addition to encrypting NEDA’s files, Sodin is threatening to publish sensitive data from the organization, including financial details, credit card information, employee PII (e-mail, phone number, address, SSN), IRS audit information, military eating disorder research, and more.

Recently, Sodin has taken to securing ransom payouts by extorting victims on top of encrypting their files. This extortion plays out in a few different ways: naming and shaming, auctioning the data, publishing the data, and reporting the breach to the financial sector or the media.

All of these tactics are meant to pressure the victim into paying promptly, even if they have backups to recover from.


We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com
