Headline Items
Initial Access Brokers are moving away from macros now that Microsoft blocks them by default: ISO and LNK files are in heavy rotation, and recent reporting on the “Robin Banks” Phishing-as-a-Service operation and on IPFS abuse for payload delivery adds to the diversification of initial access methods available to attackers;
LockBit accounts for most publicly-disclosed ransomware attacks so far this year, has been observed abusing Defender to side-load Cobalt Strike, and has started leaking chat logs of failed ransom negotiations to further pressure victims;
The USB-borne trojan RaspberryRobin poses a long-term threat as it hibernates while waiting for secondary payloads. It was recently observed dropping the FakeUpdate (SocGholish) framework, with potential EvilCorp ransomware precursor activity.
Coveware’s Q2 2022 Ransomware Report
Reference: Coveware
A great report that highlights some significant moves in the ransomware landscape over the last quarter. Ransomware operations and affiliates alike are becoming increasingly wary of scrutiny from law enforcement, with the marketplace continuing to fragment and all involved being more cautious about carrying out, and being associated with, high-profile compromises.
Key takeaways:
Unsurprisingly, Conti’s dispersal didn’t change much - their members fragmented to work with BlackCat, Black Basta, Hive and Quantum ransomware operations. Given their capability and experience, it’s worth keeping an eye on the activity and tradecraft of these ransomware crews going forwards;
Notoriety for Ransomware-as-a-Service operations is a double-edged sword - sure, you get to work with the best, but whack the wrong victim and law enforcement will start gunning for every member of the operation. This has seen more RaaS programs started, with affiliates moving between them more often;
While the “shared services” model that RaaS enables makes it easier to recruit talent, it exposes them to moles and disgruntled affiliates that could disrupt entire operations. Some groups have ceased offering/procuring services like initial access and negotiation as a result;
Ransom payments continue to reflect the fact that RaaS crews are being more selective and discreet in their targeting, shifting “towards the mid market where the risk to reward profile of attack is more consistent and less risky than high profile attacks.”
LockBit continue to be one to watch
Reference: Sekoia | Ankura | SentinelOne
Sekoia published a comprehensive report on the state of ransomware as of mid-2022 - the link’s above, and while it’s definitely worth a read in itself, the main takeaway here is that LockBit have continued their crime-spree, and have overtaken Conti on the ransomware leaderboard with 439 reported victims.
Ankura have also flagged that LockBit have begun leaking chat logs for companies that fail to pay ransoms. This is just another tactic aimed at leveraging victim reputation to punish those that fail to pay, with potential legal ramifications for those in jurisdictions with legislation prohibiting ransom negotiations and payment, and financial implications for publicly-traded organisations.
Finally, SentinelOne report having observed a LockBit affiliate “abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.” The irony of abusing an AV binary to side-load malware aside, this report is a short and sweet update on recently observed LockBit TTPs to be on the lookout for.
RaspberryRobin - just waiting for a mate
References: RedCanary | Microsoft
Firstly - some context for those unfamiliar with this gem of a clip.
RedCanary first reported on what it classed as a worm, which was spread through infected USB drives and observed on QNAP devices. Despite being first observed in September 2021, RedCanary reported that the malware simply sat dormant on infected endpoints.
Subsequently, Microsoft has reported that on 26th July it observed the FakeUpdate (SocGholish) framework being delivered via Raspberry Robin infections, followed by potential ransomware precursor behaviour from a possible EvilCorp operator.
Microsoft’s observation marks a 10-month hibernation on the part of RaspberryRobin, and highlights the understated threat of the malware - that it might one day enable subsequent infections and potentially ransomware. Until then - “nothing to see here, officer - I’m just waiting for a mate!”
While I don’t believe it’s something to prioritise over other malware families and threat groups, it should also not be overlooked. RedCanary highlight a number of detection opportunities and provide IOCs that will be helpful in hunting for infection and monitoring for related activity.
Welcome to life without Macros
Microsoft announced in October 2021 and February 2022 that they planned to block Excel 4.0 (XLM) and VBA macros by default for Office users, and threat actors have been quick to explore alternative methods of delivery and execution for their initial payloads.
Proofpoint have shared an excellent analysis of the various combinations and techniques adopted in the wild. Container formats such as ISO, RAR, ZIP, and IMG files have been relied on heavily to bypass mark-of-the-web (MOTW) checks, since the files inside often do not inherit the MOTW (note that there are exceptions: some archive handlers do propagate the MOTW to extracted files).
While Excel Add-in (XLL) files and HTML attachments have been seen in several campaigns, LNK files have been used consistently to execute DLL payloads or side-load them using legitimate binaries.
Qakbot, IcedID, and BumbleBee are three highly capable and widespread malware families used to gain initial access, and all have consistently used some mix of ISO files for initial delivery, often with LNK files enabling execution of the payload.
Disable ISO mounting (see the link in the Techniques & Tools section) and monitor for LNK files that launch DLL payloads, whether directly (via rundll32/regsvr32) or indirectly (side-loading through a legitimate binary such as calc.exe).
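As an added illustration of the monitoring advice above (example code, not from the newsletter or any vendor report), the following flags the two patterns in process-creation telemetry: the user's shell spawning rundll32/regsvr32 on a DLL from a user-writable or mounted-image location, and a known side-load target running from outside the Windows system directories. The event layout, path heuristics and sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:  # minimal stand-in for a Sysmon/EDR process-creation record (constructed)
    parent_image: str
    image: str
    command_line: str


DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
SIDELOAD_TARGETS = {"calc.exe"}  # benign binaries seen side-loaded; extend from your own telemetry
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DLL_ARG = re.compile(r"(?P<path>[a-z]:\\[^\"]*?\.dll)", re.I)
# user profile, any Temp directory, or a file at the root of a non-C: drive (how a mounted ISO appears)
UNTRUSTED_LOCATION = re.compile(r"^c:\\users\\|\\temp\\|^[d-z]:\\[^\\]+$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return an alert string for the event, or None if it looks benign."""
    img = basename(ev.image)
    # Direct: explorer.exe (the user opened something) spawns a DLL loader on an untrusted path
    if basename(ev.parent_image) == "explorer.exe" and img in DLL_LOADERS:
        m = DLL_ARG.search(ev.command_line)
        if m and UNTRUSTED_LOCATION.search(m.group("path")):
            return f"direct: {img} loading {m.group('path')}"
    # Indirect: a known side-load target executing from outside the Windows system directories
    if img in SIDELOAD_TARGETS and not ev.image.lower().startswith(SYSTEM_DIRS):
        return f"sideload: {img} executing from {ev.image}"
    return None


def scan(events):
    return [alert for alert in map(classify, events) if alert]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe E:\docs.dll,DllRegisterServer"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\Users\bob\AppData\Local\Temp\helper.dll"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\bob\AppData\Local\Temp\calc.exe", "calc.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\calc.exe", "calc.exe"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)  # three alerts: two direct, one sideload
```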
Bypassing LibreOffice’s Certificate verification process
Reference: The Hacker News
LibreOffice has released security updates to address three new vulnerabilities in the productivity software, one of which - CVE-2022-26305 - could be exploited to execute arbitrary code on affected systems.
The flaw can be exploited by crafting a signing certificate with the same serial number and issuer string as one LibreOffice already trusts; since those two fields alone were used to match a certificate against the trusted list, the forged certificate is accepted, enabling the code execution.
Patches have been released for all three vulnerabilities, which are fixed in LibreOffice versions 7.2.7, 7.3.2, and 7.3.3.
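To make the weakness concrete, here is an added, simplified model (not LibreOffice's code) of a trust lookup that keys on issuer and serial alone, beside one that keys on a fingerprint of the whole certificate; the certificate fields, the trusted entry and the encoding stand-in are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int
    subject: str
    public_key: bytes  # placeholder for the real key material

    def encoded(self) -> bytes:
        # Stand-in for the DER encoding: every field contributes to the bytes that get fingerprinted.
        return f"{self.issuer}|{self.serial}|{self.subject}|".encode() + self.public_key

    def fingerprint(self) -> str:
        return hashlib.sha256(self.encoded()).hexdigest()


TRUSTED = [Cert("CN=Example Signing CA", 0x1001, "CN=Alice", b"alice-public-key")]  # constructed


def is_trusted_vulnerable(cert: Cert, trusted=TRUSTED) -> bool:
    """Matches on issuer string and serial only, so any certificate copying those two fields passes."""
    return any(t.issuer == cert.issuer and t.serial == cert.serial for t in trusted)


def is_trusted_fixed(cert: Cert, trusted=TRUSTED) -> bool:
    """Matches on a fingerprint of the whole certificate, so subject and key must match as well."""
    return cert.fingerprint() in {t.fingerprint() for t in trusted}


# A certificate reusing the trusted issuer and serial but carrying a different subject and key.
FORGED = Cert("CN=Example Signing CA", 0x1001, "CN=Mallory", b"mallory-public-key")

if __name__ == "__main__":
    print("vulnerable check accepts forged cert:", is_trusted_vulnerable(FORGED))  # True
    print("fingerprint check accepts forged cert:", is_trusted_fixed(FORGED))      # False
```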
Techniques & Tools
A neat walkthrough on how to block ISO mounting via GPO - both topical, and useful;
One for both blue and red teams - a helpful repo documenting known persistence mechanisms in Windows by Grzegorz Tworek;
Microsoft published a guide on hunting malicious IIS extensions, and ESET helpfully followed up with a report they published last year looking at exactly this, which they also presented at Black Hat;
TLS-Anvil, a test suite that identifies misconfigurations in TLS, using 408 tests against 13 RFCs;
Chain-Bench can be run as a Docker container or through GitHub Actions to audit your software supply chain against the CIS Software Supply Chain benchmark.
Threat Intel vendor KELA have spotted Initial Access Brokers using data points such as ransomware insurance, revenue, sector, access type and level of privileges when pitching access sales to buyers. This is a continuation of what we knew at least Conti made a habit of, back when their playbook was leaked;
The creatively-named “Robin Banks” Phishing-as-a-Service platform is flogging phishing kits targeting prominent banks in the US, UK, Canada, and Australia. It’s provided through an affordable subscription service and offers a polished dashboard for campaign management - one to watch;
The InterPlanetary File System (IPFS) is a distributed peer-to-peer file storage and sharing network, which Trustwave observed being abused to provide takedown-resistant delivery of phishing links (see Trustwave’s original report and the accompanying news coverage);
RESecurity look into a new release of mLNK, a tool sold on the dark web that weaponises any payload as an LNK file. It also offers options to obfuscate the payload and attempt bypasses for AMSI, Defender, SmartScreen and UAC;
CyberArk have shared their technical analysis of the Matanbuchus Loader.
Palo Alto have released their 2022 IR Report, full of punchy stats and insights your exec will love - worth a read if you have the time;
Rapid7 reported active exploitation of CVE-2022-26138 - a vulnerability stemming from a hard-coded password in the Questions for Confluence app. CISA has added it to its Known Exploited Vulnerabilities (KEV) Database;
Reports of Vietnamese actors observed using LinkedIn to phish Facebook Business accounts with Ducktail malware.