Threat Report

There’s a good mix of variety in top news over the last week. Let’s start with an update on the Norwegian MSP hack update. Then take a look at a leaked tool OilRig APT uses to brute force exchange servers. Finally, in crimeware we’re saying goodbye to GandCrab ransomware and hello to Monstercat’s RAT, KPOT Stealer.

StonePanda took the heat for RedBravo in Norwegian MSP hack

In early February, we spoke about a series of intrusions that were conducted between late-2017 and late-2018 by a Chinese state-sponsored actor against several companies, including a large Norwegian MSP.

This activity was originally attributed to a Chinese state-sponsored threat group called APT10, aka Stone Panda. This group has been attributed by the U.S. government to the Tianjin State Security Bureau, a regional office of the Chinese Ministry of State Security (MSS).

Secret sources indicate that the activity was perhaps the work of another closely affiliated Chinese group. New information on tactics and tools from another Chinese threat activity group named ZIRCONIUM (aka APT31) allow for us to take another look at this attribution.

It is now believed that the campaign targeting the three companies between November 2017 and September 2018 was not conducted by StonePanda, but by ZIRCONIUM aka RedBravo.

RedBravo employs a domain registration technique that some believe is unique to the threat group. This technique includes the use of a Bahamian internet domain registrar (internet[.]bs) coupled with Swiftydns name servers which are then changed to Topdns name servers. These domains and associated subdomains are often hosted on U.S.-based infrastructure acquired through VPS resellers.

This domain registration pattern was seen in the registration of a key C2 domain reported in the 2017 Operation TradeSecret Scanbox intrusion targeting the American National Foreign Trade Council (NFTC). This intrusion was mis-attributed to StonePanda by researchers at the time because both RedBravo and APT10 utilize an identical Scanbox obfuscation method.

RedBravo used a version of Trochilus RAT that was distinctly different from the version of Trochilus referred to as APT10’s RedLeaves. However, both the RedBravo and APT10 Trochilus variants include similar features and encryption routines that were not present in the original standard build of Trochilus. So, next we’ll probably learn that APT10 is APT31 and the attribution was right all along.

Indicators

220.104.79[.]56 
104.236.223[.]160 
club.personanddog[.]info 
www.anzen.mofa-go-jp[.]com 
admincontrol[.]org 
cec9564a7d6308a06b629618c800255f9b92c7055c7a6f854d93ddcf379a849f 
2f6329b27d5bffc511bb48f9922a0d1bb9887c46ab84b93da60b792b3a958df3 
641D200D762FD7F60ECCD5BA88EBD43D4D68F9C6 
FC4F3698E768F690425523CDFD548B81D891C3B0 
CE878FACCA3698A129E0633A93E8A9DC4105FE98 

OilRig loses track of Jason

A new tool from the arsenal of Iranian state hackers, and allegedly used by the OilRig APT group dubbed “Jason,” has been leaked online. The leak occurred recently on the Lab Dookhtegan Telegram channel stating that it is used by the Iranian government for compromising emails and stealing information.

The Jason tool is a GUI utility for brute-forcing Microsoft Exchange email servers using pre-compiled lists of a username and password combination. Jason is a simple brute-force attacker against online exchange services. In a scan performed on VirusTotal, a file with the hash 9762444b94fa6cc5a25c79c487bbf97e007cb680118afeab0f5643d211fa3f78 (Jason.exe), produced a rate of 2/72 detections.

We previously covered the first leak from this group back in March. The originally leaked OilRig information included the tools used in operations and contact details for staff supposedly working at the Iranian Ministry of Intelligence and Security.

Additionally, the tools released by Lab Dookhtegan have been confirmed by security researchers to be part of the arsenal used by the OilRig APT group. The goal of publishing the tools is a disruption of future operations from the adversary.

The following tools associated with the OilRig APT group are publicly available: Poison Frog, Glimpse, HyperShell, Highshell, Fox Panel, Webmask, and Jason tool.

Goodbye GandCrab

After a little over a year of ransomware heists, the creators of GandCrab ransomware publicly announced that they are shutting down their operation after generating more than $2 billion in ransom payments. No more candy grabs. They aim to exit before being caught with sticky fingers.

The GandCrab ransomware has been one of the most active ransomware threats in history, commonly being distributed via spam email and exploit kits. It is also known for targeting high-profile organizations.

The ransomware was frequently updated and is currently at version 5.2, at the time of announcement. Its affiliates were also told to stop promoting and distributing the ransomware within 20 days. Additionally, the victims were told to pay for needed decryption now as their keys will be deleted at the end of the month.

There is a very real chance that GandCrab infections will continue with no way to decrypt even after a ransom is paid. Last week I would have told you that you would have a very high chance of getting your data after paying a ransom. However, if you get infected with GandCrab after these 20 days, that might not be the case.

An organization’s best defense against ransomware attacks continues to be reliable and tested backup on an offline storage device that can be restored.

Hello KPOT Stealer

KPOT stealer is a remote access trojan capable of stealing credentials from a wide variety of system applications (including VPN, email, RDP, cryptocurrency wallets, FTP, and social media applications) on a victim host.

Its functionality has been developed and updated regularly by the actor MonsterCat. Unnamed researchers have analyzed KPOT active in the wild and have gained access to a KPOT admin panel to better analyze the malware and fingerprint activity related to KPOT.

Based on some private research, KPOT stealer is well maintained malware linked to the Russian criminal underground. It leverages a wide degree of functionality and analysis evasion techniques, and can be used for both reconnaissance and credential theft. KPOT’s success can be explained by the detailed technical specification, fast technical support, low cost, and the high reputation of its developer, MonsterCat. MonsterCat is an experienced underground coder active on the cybercriminal underground since at least June 2016.

KPOT stealer is primarily distributed through email spam and exploit kits. And every KPOT malware sample analyzed reaches out to a C2 with a URL that contains a directory named after a randomly generated 16-digit alphanumeric string. The directory contains three files (login.php, gate.php, and config.ini) preconfigured by MonsterCat.

Indicators

konur[.]info 
http://konur[.]info/wYGougfZ7txOTRtX/gate.php 
rigpiv1[.]biz 
http://rigpiv1[.]biz/GZkltmFDqiyCDMy6/gate.php 
Bendes[.]co[.]uk 
http://bendes[.]co[.]uk/lmpUNlwDfoybeulu/gate.php 
tester45745[.]bit 
http://tester45745[.]bit/AQZl5PTiFCs4yvHe/gate.php 
qaz1[.]com[.]cn/ 
http://qaz1[.]com[.]cn/nRt3jVn17biGpXd7/gate.php 
gkjsggd[.]org 
http://gkjsggd[.]org/KjG6rR0XiZBs92vs/gate.php 
http://5[.]188[.]60[.]131/a6Y5Qy3cF1sOmOKQ/gate.php 
http://46[.]232[.]113[.]43 
5[.]188[.]60[.]131 
176[.]119[.]158[.]213 
5[.]188[.]60[.]91 
46[.]232[.]113[.]8 
46[.[29[.[163[.]68 
185[.]176[.]27[.]149 

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday May 29th 2019