攻撃者行動分析（ABA）

Office 365 Spearphishing Campaigns

Verticals targeted: All

Recent threat actors are targeting Microsoft 365 credentials with spearphishing campaigns. Attacker behavior analytics have been released that detect the dynamically generated phishing URLs used in these campaigns.

For more information, reference our public blog post released by Rapid7's Managed Detection & Response (MDR) team on Aug 20: https://blog.rapid7.com/2019/08/20/how-attackers-can-harvest-users-microsoft-365-credentials-with-new-phishing-campaign/

Detections added to InsightIDR: Threat intelligence and detections for relevant spearphishing URLs.

Mshta Used to Evade Prevention Defenses

Verticals targeted: All

Macros are small Visual Basic for Applications (VBA) embedded inside of Microsoft Office documents, such as Powerpoint, Excel, Word, and Publisher. Macros are often used maliciously to run commands using a number of possible built-in Windows utilities, such as mshta.exe, to download malware and compromise the system. Malicious documents are often sent via phishing emails.

For more information on the technique, see T1170 of MITRE ATT&CK: https://attack.mitre.org/techniques/T1170/.

Detections added to InsightIDR: 4, to detect anomalous Mshta execution and activity

Hidden Cobra

Verticals targeted: All

DHS and the FBI track actors out of North Korea under the name Hidden Cobra, also known as the Lazarus Group. These actors have been responsible for a wide range of malicious activities, including WannaCry and the Sony hack. Their motivations are financial gain, espionage, and national interests. Rapid7 tracks several malware families related to Hidden Cobra, including:

• KEYMARBLE, a remote access trojan being used by North Korean entities that is capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screen shots, and exfiltrating data.

• Typeframe, a trojan being used by North Korea state-sponsored cybercriminals. This family consists of 32-bit and 64-bit Windows executable files, as well as a malicious Microsoft Word document that contains Visual Basic for Applications (VBA) macros. According to their research, these files are capable of downloading and installing malware, installing proxy and remote access trojans (RATs), connect to command control (C&C) servers to receive instructions, and alter the victim's firewall to allow incoming connections.

Detections added to InsightIDR: 23, for KEYMARBLE and Typeframe trojans.

Leafminer Attack Group

Verticals targeted: Government, businesses

Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017. The group tends to adapt publicly available techniques and tools for their attacks and experiments with published proof-of-concept exploits.

Detections added to InsightIDR: 54, all related to the Leafminer attack group IOCs identified by Symantec.

Luoxkep Campaign

Verticals targeted: All

Malicious campaign identified by 360 Safe that is exploiting CVE-2018-2893 for cryptomining and DDoS attacks.

Detections added to InsightIDR: 3, for downloads, domains, and IPs related to Luoxkep.

Remote Desktop Brute-Force Attempt IPs

Verticals targeted: All, utilized via legitimate Windows protocol

Remote Desktop Protocol (RDP) is a legitimate protocol used for remote management of Windows systems, however it is often abused by attackers to gain access and control of systems. One way attackers gain access is by brute forcing RDP passwords. This threat identifies all source IPs seen to authenticate more that 50 times against RDP across ALL  Lorelei honeypots during the previous day.

Detections added to InsightIDR: 20, which identify IPs authenticating against RDP across Lorelei honeypots.

_______________________________________________________________________

Updates and Additions to Existing ABA Threats:

Malicious Document Threat: 1 new behavior added — Word Spawns Executable from Users Directory

Malicious PowerShell: 2 new behaviors added — Obfuscated Script and Download Cradles

Privilege Escalation: 2 new behaviors added — UACMe Privilege Escalation Tool, Company Name in Binary Metadata; and UACMe Privilege Escalation Tool, Original Name in Binary Metadata

Credential Theft: 4 new behaviors added — Mimikatz Flats (DumpCreds or DumpCerts), Mimikatz Sekurlsa, Mimipenguin, and Hashcat

Thrip Attack Group

Verticals targeted: Telecommunications, satellite communications, mapping and geospacial imaging, defense

Thrip is an adversary group identified by Symantec that they have been tracking since 2013. This adversary group focuses on espionage activities, primarily targeting telecommunications, satellite communications, mapping and geospatial imaging, and defense contractors in the United States and Southeast Asia. They use a combination of malware and other tools such as PSExec and Mimikatz to compromise and move through systems, identifying and exfiltrating information.

Detections added to InsightIDR: 123, which identify activity around specific trojans and backdoors.

_______________________________________________________________________

Remote Admin Tools

Verticals targeted: All

An attacker may use legitimate remote access software, such as Ammyy Admin, to create a command and control ability to target systems. These services are commonly used as legitimate technical support software and may be whitelisted in an environment.  Admin tools such as Ammyy Admin are commonly used by attackers, as seen by the Rapid7 MDR SOC.

Detections added to InsightIDR: 3, which look for the presense of Ammy Admin.

VPNFilter

Verticals targeted: All

VPNFilter is a new modular malware tracked by Cisco's Talos group. This malware has been primarily targeting home and small business routers, namely MikroTik, Netgear, Linksys, and QNAP network storage devices. This malware can be used for website credential theft and data collection, and has a destructive capability where the firmware can be destroyed, thus causing the device to be unusable.

Detections added to InsightIDR: 51, which identify specific indicators related to VPNFilter activity.

Malicious PowerShell

Verticals targeted: All

PowerShell is an interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. These are behaviors that are commonly used by attackers, as seen by the Rapid7 MDR SOC.  

Detections added to InsightIDR: 10, which identify specific behaviors related to malicious PowerShell activity.

Valyria Downloader

Verticals targeted: All, presents as phishing email

The Valyria Downloader is a trojan that is sent via phishing emails, often using "invoice overdue" or "outstanding payment" themed emails. Once the emails are opened, the downloader will initiate a connection to a command and control domain to download additional files, typical associated with the URSNIF data-stealing malware family.

Detections added to InsightIDR: 9, which identify hashes related to the downloader installation and malicious documents, and the use of Powershell spawning process out of Users/Public/Documents.

_______________________________________________________________________

OilRig

Verticals targeted: All

OilRig is a threat group tracked by Palo Alto Labs' Unit 42. They primarily target organizations in the Middle Eastern region, however, this group has targeted organizations outside of the Middle East as well. OilRig often leverages the trust relationship between organizations to attack their primary targets. The OilRig threat group overlaps with APT 34.

Detections added to InsightIDR: 9, which identify malicious credential harvesting domains and a tactic where an adversary dumps credentials from the command line, often seen with Mimikatz.

Orangeworm Attacks

Verticals targeted: Healthcare, manufacturing, agriculture

Symantec has identified an attack group named Orangeworm, who are deploying the Kwampirs backdoor in a targeted attack campaign against the healthcare, manufacturing, and agriculture sectors, as well as information technology companies who support these industries. This attack group and malware are both noisy and do not try to hide their activity, relying primarily on their targeting of older devices that are often not well monitored.

Detections added to InsightIDR: 43, which identify dropper and payload hashes, along with connections to command & control IP addresses.

______________________________________________________________________

Satan Ransomware

Verticals targeted: None, offered as ransomware-as-a-service

Satan Ransomware appeared in early 2017 and was one of the original "Ransomware as a Service" offerings on dark websites. The ransomware is spread via phishing emails or malicious links, and has recently been updated to include the EternalBlue SMB exploit for spreading within a network.

Detections added to InsightIDR: 6, which identify variants of the Satan ransomware and dropper, the EternalBlue SMB exploit, and suspicious associated command line activity.

Fauxpersky Keylogger Malware

Verticals targeted: None, spreads via USB drives

Fauxpersky is a new keylogger malware disguised as Kaspersky antivirus. The malware is based on the AutoHotKey app, which lets users write codes to automate tasks. Researchers say that the malware is highly efficient, self propagating, and persistent. It infects Windows PCs by spreading through USB drives and then replicates to all the drives on the machine. Fauxpersky then collects data using Google Forms, sends that data to the attackers' inbox, and deletes the original data from the drive.

Detections added to InsightIDR: 6, which identify variants of the Fauxpersky malware.

_______________________________________________________________________

SamSam Ransomware

Verticals targeted: Healthcare, government, education

SamSam Ransomware is a ransomware variant used by a group tracked as the SamSam Group or Gold Lowell. This group will gain access to the target, often using RDP access or scanning for server-side vulnerabilities, and then deploy their ransomware variant. SamSam is targeted, the actors will often focus on a particular industry or vertical and target organizations within that vertical before moving onto a different focus.

Detections added to InsightIDR: 7, which identify variants of the SamSam ransomware, as well as Shadow Copy deletion, a common ransomware behavior to thwart recovery efforts.