Qbot, or Qakbot, is a banking trojan that has been seen in the wild for at least 10 years. Recent campaigns have often been delivered via exploit kits and weaponized documents distributed through context-aware phishing campaigns. Qbot has also been suspected of delivering MegaCortex ransomware. Many recent samples are observed to conduct worm-like behavior to spread across network shares or via SMB, and contain multiple levels of anti-analysis controls such as VM awareness and lengthy execution delays.

REFERENCE:
https://www.carbonblack.com/2019/09/26/cb-tau-threat-intelligence-notification-qbot-qakbot-attempts-to-evade-detection-by-overwriting-itself/
ATTACK IDS:
T1045 – Software Packing
T1053 – Scheduled Task
T1055 – Process Injection
T1057 – Process Discovery
T1060 – Registry Run Keys / Startup Folder
T1064 – Scripting
T1089 – Disabling Security Tools
T1110 – Brute Force
T1112 – Modify Registry
T1124 – System Time Discovery
T1135 – Network Share Discovery
T1187 – Forced Authentication
T1497 – Virtualization/Sandbox Evasion

We found a new modular fileless botnet malware, which we named “Novter” (also reported and known as “Nodersok” and “Divergent”), that the KovCoreG campaign has been distributing since March. We’ve been actively monitoring this threat since its emergence and early development, and have seen it being frequently updated. KovCoreG, active since 2011, is a long-running campaign known for using the Kovter botnet malware, which was distributed mainly through malvertisements and exploit kits. Kovter has been involved in click fraud operations since 2015, using fraudulent ads that have reportedly cost businesses more than US$29 million. The botnet was taken down at the end of 2018 through concerted efforts by law enforcement and cybersecurity experts, including Trend Micro.

REFERENCE:
https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/

Over the course of the last two years, BlackBerry Cylance researchers uncovered a suspected Chinese advanced persistent threat (APT) group conducting attacks against technology companies located in south-east Asia. The threat actors deployed a version of the open-source PcShare backdoor modified and designed to operate when side-loaded by a legitimate NVIDIA application.

REFERENCE:
https://threatvector.cylance.com/en_us/home/pcshare-backdoor-attacks-targeting-windows-users-with-fakenarrator-malware.html
ATTACK IDS:
T1007 – System Service Discovery
T1010 – Application Window Discovery
T1012 – Query Registry
T1015 – Accessibility Features
T1032 – Standard Cryptographic Protocol
T1041 – Exfiltration Over Command and Control Channel
T1057 – Process Discovery
T1060 – Registry Run Keys / Startup Folder
T1073 – DLL Side-Loading
T1078 – Valid Accounts
T1082 – System Information Discovery
T1083 – File and Directory Discovery
T1085 – Rundll32
T1100 – Web Shell
T1105 – Remote File Copy
T1140 – Deobfuscate/Decode Files or Information

The FortiGuard SE Team discovered a particularly interesting targeted attack on VirusTotal towards the end of August. The attack targeted a supplier for a distribution/logistics provider to a nation state. The email contained an attachment that appeared to have been sent by a company that manufactures and distributes electrical components and other parts, and that has likely dealt at least once with the targeted organization via email.

REFERENCE:
https://www.fortinet.com/blog/threat-research/trickbot-or-treat-threat-analysis.html
ATTACK IDS:
T1193 – Spearphishing Attachment
T1195 – Supply Chain Compromise
T1086 – PowerShell
T1158 – Hidden Files and Directories

Threat hunters from IBM X-Force Incident Response and Intelligence Services (IRIS) have identified malicious activity we have attributed to a financially motivated cybercrime faction known as Magecart 5 (MG5). Our research reveals that MG5 is likely testing malicious code designed for injection into benign JavaScript files loaded by commercial grade Layer 7 routers, routers that are typically used by airports, casinos, hotels and resorts, to name a few. In that attack scenario, the compromise of the router can allow for malicious ad injection and pivoting to other parts of the network.

REFERENCE:
https://www.ibm.com/downloads/cas/O3W1LZAZ

Proofpoint researchers encountered new Microsoft Office macros which collectively act as a staged downloader that we dubbed “WhiteShadow.” Since the first observed occurrence of WhiteShadow in a small campaign leading to infection with an instance of Crimson RAT, we have observed the introduction of detection evasion techniques. These changes include the reordering of various lines of code as well as certain basic obfuscation attempts.

REFERENCE:
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
MALWARE FAMILIES:
Remcos
Crimson RAT
NanoCore
FormBook
AZORult
Agent Tesla
NjRAT
Netwire
ATTACK IDS:
T1193 – Spearphishing Attachment
T1113 – Screen Capture
T1048 – Exfiltration Over Alternative Protocol

Cisco Talos recently discovered a threat actor attempting to take advantage of Americans who may be seeking a job, especially military veterans. The actor, previously identified by Symantec as Tortoiseshell, deployed a website called hxxp://hiremilitaryheroes[.]com that posed as a website to help U.S. military veterans find jobs. The URL is strikingly close to the legitimate service from the U.S. Chamber of Commerce, https://www.hiringourheroes.org. The site prompted users to download an app, which was actually a malware downloader, deploying malicious spying tools and other malware.

REFERENCE:
https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html

While summer is usually synonymous with vacations, it seems that the Sednit group has been developing new components to add to the Zebrocy malware family. The Sednit group – also known as APT28, Fancy Bear, Sofacy or STRONTIUM – has been operating since at least 2004 and has made headlines frequently in recent years. On August 20th, 2019, a new campaign was launched by the group targeting their usual victims – embassies of, and Ministries of Foreign Affairs in, Eastern European and Central Asian countries.

REFERENCE:
https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/
MALWARE FAMILY:
Zebrocy
ATTACK ID:
T1193 – Spearphishing Attachment

We previously reported on how we managed to temporarily shut down 15 operative QNAPCrypt ransomware campaigns targeting Linux-based file storage systems (NAS servers). We have now identified a new QNAPCrypt sample which is being used by the same threat actor group. The authors behind this new ransomware instance have revealed enough evidence for us to establish the existence of FullofDeep, a Russian cybercrime group operating from the Union State and Ukraine. The group is mainly focused on ransomware campaigns.

REFERENCE:
https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/

Between May and June 2019, Unit 42 observed previously unknown tools used in the targeting of transportation and shipping organizations based in Kuwait. The first known attack in this campaign targeted a Kuwait transportation and shipping company in which the actors installed a backdoor tool named Hisoka. Several custom tools were later downloaded to the system in order to carry out post-exploitation activities. All of these tools appear to have been created by the same developer. We were able to collect several variations of these tools including one dating back to July 2018.

REFERENCE:
https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/