Anomali Cyber Watch: TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations, Necro Python Bot Adds New Tricks, US Seizes Domains Used by APT29 and More

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, APT29, FluBot, Necro Python, RoyalRoad, SharpPanda, TeaBot and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.


Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations

(published: June 4, 2021)

Researchers at Palo Alto Networks have identified a malware repository belonging to TeamTNT, the prominent cloud-focused threat group. The repository shows the expansion of TeamTNT's capabilities and includes scripts for scraping SSH keys and AWS IAM credentials and for searching for configuration files that contain credentials. In addition to AWS credentials, TeamTNT is now also searching for Google Cloud credentials, which is the first instance of the group expanding to GCP.
Analyst Comment: Internal-only cloud assets, and SSH or privileged access to customer-facing cloud infrastructure, should only be reachable over the company VPN. This ensures attackers do not gain administrative access from the internet even if keys or credentials are compromised. Customers should monitor public leaks for compromised credentials and immediately reset the passwords for the affected accounts.
MITRE ATT&CK: [MITRE ATT&CK] Permission Groups Discovery – T1069
Tags: AWS, Cloud, Credential Harvesting, cryptojacking, Google Cloud, IAM, scraping, TeamTNT, Black-T, Peirates
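The credential stores named above (SSH keys, AWS IAM credential files, Google Cloud credential stores) are a natural place to put host-level detection: a credential file read by a shell, `curl` or an ad hoc interpreter rather than by the CLI that owns it is worth an alert. The script below is an added example, not code from the Anomali write-up or from Palo Alto Networks. It parses constructed, simplified key=value file-access events (not real auditd output), classifies the path against credential-store patterns generalised from the story, and flags reads by processes outside an allowlist that is assumed and must be tuned per environment.

```python
import re
from dataclasses import dataclass

# Credential locations of the kind TeamTNT's scripts are reported to harvest.
# These patterns are this example's own generalisation, not taken from the repository.
SENSITIVE_PATTERNS = [
    (re.compile(r"/\.aws/credentials$"), "AWS credentials file"),
    (re.compile(r"/\.ssh/id_[a-z0-9]+$"), "SSH private key"),
    (re.compile(r"/\.config/gcloud/.*credentials.*\.(db|json)$"), "Google Cloud credential store"),
    (re.compile(r"/\.kube/config$"), "kubeconfig"),
]

# Processes that legitimately read these files on this host (assumption: tune per environment).
EXPECTED_READERS = {"aws", "ssh", "gcloud", "kubectl", "ssh-agent"}

# key=value tokens, with or without double quotes around the value.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    ts: str
    comm: str
    path: str
    reason: str


def parse_event(line):
    """Turn one key=value event line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(path):
    """Return a label if the path is a credential store we care about, else None."""
    for pattern, label in SENSITIVE_PATTERNS:
        if pattern.search(path):
            return label
    return None


def detect(lines):
    """Flag reads of credential stores by processes outside the allowlist."""
    findings = []
    for line in lines:
        event = parse_event(line)
        path, comm = event.get("path"), event.get("comm")
        if not path or not comm:
            continue
        label = classify(path)
        if label and comm not in EXPECTED_READERS:
            findings.append(Finding(event.get("ts", "?"), comm, path,
                                    f"{label} read by unexpected process"))
    return findings


# Constructed sample events (simplified key=value form, not real auditd output).
SAMPLE_EVENTS = [
    'ts=2021-06-04T10:00:01Z uid=1000 comm="aws" path="/home/dev/.aws/credentials" op=open',
    'ts=2021-06-04T10:00:07Z uid=0 comm="bash" path="/root/.aws/credentials" op=open',
    'ts=2021-06-04T10:00:09Z uid=1000 comm="curl" path="/home/dev/.ssh/id_rsa" op=open',
    'ts=2021-06-04T10:00:12Z uid=1000 comm="ssh" path="/home/dev/.ssh/id_ed25519" op=open',
    'ts=2021-06-04T10:00:15Z uid=1000 comm="cat" path="/home/dev/.ssh/id_rsa.pub" op=open',
    'ts=2021-06-04T10:00:20Z uid=0 comm="python3" path="/root/.config/gcloud/credentials.db" op=open',
    'ts=2021-06-04T10:00:25Z uid=1000 comm="vim" path="/home/dev/notes.txt" op=open',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.ts} {f.comm} -> {f.path}: {f.reason}")
```

Running the sample produces three findings (the `bash`, `curl` and `python3` reads); the `aws` and `ssh` reads are allowlisted, the public key `id_rsa.pub` is deliberately excluded by the private-key pattern, and the notes file matches nothing. In production the same logic would sit on top of auditd `PATH`/`SYSCALL` records or an EDR file-access feed rather than the simplified lines used here.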

Necro Python Bot Adds New Tricks

(published: June 3, 2021)

Researchers at Talos have identified updated functionality in the Necro Python bot. The core functionality is the same, with a focus on Monero mining; however, exploits for the latest vulnerabilities have been added. The main payloads are XMRig, traffic sniffing and DDoS attacks. Targeting small office and home office routers, the bot is written in Python to support multiple platforms.
Analyst Comment: Users should ensure they always apply the latest patches, as the bot is looking to exploit unpatched vulnerabilities. Users also need to change the default passwords on home routers so that potential malware on personal devices does not spread to corporate devices through a router takeover.
MITRE ATT&CK: [MITRE ATT&CK] Scripting – T1064 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Process Injection – T1055 | [MITRE ATT&CK] Input Capture – T1056 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190 | [MITRE ATT&CK] Remote Access Tools – T1219
Tags: Bot, botnet, Exploit, Monero, Necro Python, Python, Vulnerabilities, XMRig

New SkinnyBoy Malware Used by Russian Hackers to Breach Sensitive Orgs

(published: June 3, 2021)

Researchers from Cluster25 have identified a new malware family that was used in a phishing campaign attributed to APT28 (Fancy Bear, Sofacy). In early March 2021 the campaign was observed targeting the defense industry, foreign ministries and militaries of NATO or NATO-aligned countries. SkinnyBoy is used during the intermediary stage of an infection: it is intended to collect information about the victim and retrieve the next payload from the command and control (C2) server. It is delivered through phishing emails with a malicious Microsoft Word attachment containing a macro that extracts a DLL file acting as a downloader. Cluster25 believes the TTPs of this attack strongly implicate APT28.
Analyst Comment: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
MITRE ATT&CK: [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] File and Directory Discovery – T1083 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Automated Collection – T1119 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] Automated Exfiltration – T1020 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041
Tags: Strontium, Fancy Bear, APT28, Sednit, Sofacy, Government, Military, EU & UK, North America, Russia, malware, APT, APT28, SkinnyBoy, NATO

SharpPanda: Chinese APT Group Targets Southeast Asian Government With Previously Unknown Backdoor

(published: June 3, 2021)

Researchers have discovered an ongoing surveillance campaign that incorporates a newly identified backdoor into the final stage of the infection chain. The campaign has been attributed with moderate to high confidence to a China-based APT group that appears to have been active for at least three years. This spearphishing campaign begins with a targeted email to members of a Southeast Asian government, carrying a malicious DOCX file that loads a remote RTF template weaponized with RoyalRoad.
Analyst Comment: Email security and phishing awareness are critical aspects of a defense in depth program. High levels of caution should be applied to email attachments and links. Up to date endpoint protection and patching can also be very effective prevention methods.
MITRE ATT&CK: [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Exploitation for Client Execution – T1203 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Template Injection – T1221 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] Software Discovery – T1518 | [MITRE ATT&CK] Process Discovery – T1057 | [MITRE ATT&CK] Query Registry – T1012 | [MITRE ATT&CK] System Service Discovery – T1007 | [MITRE ATT&CK] Credentials in Files – T1081 | [MITRE ATT&CK] Application Window Discovery – T1010 | [MITRE ATT&CK] Screen Capture – T1113 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Data Encoding – T1132 | [MITRE ATT&CK] Multi-Stage Channels – T1104 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041 | [MITRE ATT&CK] System Shutdown/Reboot – T1529
Tags: SharpPanda, RoyalRoad, government, asia, VictoryDll

Two Carbanak Hackers Sentenced To Eight Years In Prison In Kazakhstan

(published: June 2, 2021)

Two Carbanak members were sentenced in Kazakhstan to eight years in prison in June 2021. They were found guilty of breaching the IT systems of two Kazakh banks between 2016 and 2017, from which they stole more than two billion tenge ($4.6 million USD). The stolen money was transferred to 250 payment cards, which were subsequently sent to Europe. The funds were cashed out through ATMs across Belgium, the Czech Republic, France, Estonia, Germany, Lithuania, the Netherlands, Poland, Russia, Slovakia, Spain and Switzerland.
Analyst Comment: The Carbanak group attracted special attention last month after the DarkSide ransomware attack on Colonial Pipeline. Carbanak has been changing its tactics and attracting new affiliates with different intrusion and exfiltration techniques. Layered protection measures are needed, ranging from anti-phishing training to network monitoring and data loss prevention (DLP).
Tags: Carbanak, banks, Financial sector, Kazakhstan

Google PPC Ads Deliver Redline, Taurus, and mini-Redline Infostealers

(published: June 2, 2021)

Researchers at Morphisec have identified infostealers being downloaded via pay-per-click ads in Google search results. The ads appear to target specific IP ranges located in the US, with IPs outside the range being redirected to the legitimate download page. The malware is downloaded as AnyDesk, Dropbox and Telegram packages wrapped as ISO images and includes the infostealers Taurus AutoIt, Mini Redline and Redline.
Analyst Comment: Users should exercise caution when downloading anything from the internet, even from a seemingly legitimate source. Practicing defense-in-depth will also help reduce the impact if a user does accidentally download a malicious file.
MITRE ATT&CK: [MITRE ATT&CK] Signed Binary Proxy Execution – T1218 | [MITRE ATT&CK] Virtualization/Sandbox Evasion – T1497 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Process Injection – T1055
Tags: Google, InfoStealer, ISO images, Redline, Mini Redline, Taurus

US Seizes Domains Used by APT29 in Recent USAID Phishing Attacks

(published: June 2, 2021)

The US Department of Justice has seized two domains used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) that have been attributed to APT29 (Cozy Bear). The domains are theyardservice[.]com and worldhomeoutlet[.]com. Victims were targeted with phishing emails that prompted them to download HTML attachments, which then installed Cobalt Strike Beacon payloads.
Analyst Comment: Ensure that your company's firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. With that baseline it becomes easier to spot unusual traffic and connections to and from your network and so identify potentially malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Web Service – T1102 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071
Tags: APT29, Cobalt Strike, Cozy Bear, Domains, Russia, Phishing
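The two seized domains are exactly the kind of indicator the introduction says should be checked against your logs. The script below is an added example, not code from the Anomali write-up or the DOJ notice: it refangs the defanged indicators as printed above, then scans constructed web-proxy log lines (the five-field format is this example's own) for requests whose hostname equals an indicator or is a subdomain of one. It also handles `CONNECT host:port` entries, which is all a proxy sees for HTTPS traffic, and shows why a plain substring match is wrong (a lookalike such as `nottheyardservice.com` must not match).

```python
import re
from urllib.parse import urlsplit

# Domains as published in the story, in defanged form; refanged before matching.
DEFANGED_IOCS = ["theyardservice[.]com", "worldhomeoutlet[.]com"]

# Constructed proxy log lines: timestamp, client IP, method, URL or CONNECT target, status.
SAMPLE_PROXY_LOG = [
    "2021-06-02T12:00:00Z 10.0.0.5 GET https://theyardservice.com/index.html 200",
    "2021-06-02T12:00:05Z 10.0.0.5 GET https://www.example.org/ 200",
    "2021-06-02T12:01:10Z 10.0.0.9 GET http://cdn.worldhomeoutlet.com/a.js 404",
    "2021-06-02T12:02:00Z 10.0.0.7 GET https://nottheyardservice.com/ 200",
    "2021-06-02T12:03:00Z 10.0.0.7 CONNECT theyardservice.com:443 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$"
)


def refang(ioc):
    """Undo common defanging conventions so the indicator compares to real hostnames."""
    return (ioc.strip().lower()
            .replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http"))


def extract_host(target):
    """Hostname from a full URL, or from a CONNECT host:port target (IPv4/DNS names only)."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def domain_matches(host, ioc_domains):
    """Exact match or subdomain of an indicator; suffix-only lookalikes do not match."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_proxy_log(lines, iocs=DEFANGED_IOCS):
    """Return (timestamp, client, host) for every log line that touched an indicator."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        host = extract_host(m["target"])
        if domain_matches(host, domains):
            hits.append((m["ts"], m["client"], host))
    return hits


if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted {host}")
```

On the sample data the scan returns three hits: the direct GET, the `cdn.` subdomain of the second indicator, and the CONNECT tunnel. Because the domains are now seized, any hit after the seizure date is still useful: it points at a host that previously opened the phishing HTML and should be reviewed for a Cobalt Strike Beacon.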

REvil Ransomware Ground Down JBS: Sources

(published: June 2, 2021)

JBS Foods announced that it believes the recent ransomware attack, which occurred in late May, was launched by a criminal organization in Russia. The REvil gang, also known as Sodinokibi, is known both for audacious attacks on the world's biggest organizations and for demanding large ransom payments from affected organizations. The White House has offered assistance to JBS, with the incident being investigated by the FBI and CISA.
Analyst Comment: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened.
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486
Tags: DarkSide, JBS, Sodinokibi, REvil, Russia, Ransomware

Threat Actors Use Mockups of Popular Apps to Spread Teabot and Flubot Malware on Android

(published: June 1, 2021)

BitDefender researchers have identified the Android malware families TeaBot and Flubot being delivered through impersonations of legitimate Android apps. TeaBot is an Android RAT with the ability to keylog, steal SMS messages, steal Google Authentication codes, carry out overlay attacks and take remote control of the device. To spread the malware, threat actors take the source code of legitimate apps and inject malicious code before repackaging them. These apps include Kaspersky, VLC Media Player and PlutoTV, among others.
Analyst Comment: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that claim additional software is needed to access or properly view their content should be avoided. Additionally, mobile security applications provided by trusted vendors are recommended. Furthermore, this story shows the potential for malicious applications to bypass the security measures of application stores, so it is crucial that all permissions requested by an application be examined prior to download.
Tags: Android Malware, Flubot, Keylogger, RAT, TeaBot

Critical WordPress Plugin Zero-day Under Active Exploitation

(published: June 1, 2021)

A vulnerability in the WordPress plugin Fancy Product Designer is being actively exploited by threat actors. Fancy Product Designer is a plugin that allows users to customize products with custom images and is installed on over 17,000 websites. The zero-day, which also affects WooCommerce installations, enables threat actors to deploy executable PHP files, leading to remote control of the site with the purpose of stealing PII (Personally Identifiable Information).
Analyst Comment: Users are advised to immediately install the latest patched version of Fancy Product Designer, which was released on June 2.
MITRE ATT&CK: [MITRE ATT&CK] Server Software Component – T1505 | [MITRE ATT&CK] Network Service Scanning – T1046
Tags: PHP, Remote Code Execution, Vulnerability, WordPress, Zero Day
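Because the flaw is used to drop executable PHP files through an image-upload feature, a site owner who patches should also check whether anything was already planted. The script below is an added example, not code from the Anomali write-up, the plugin vendor or WordPress: it walks an uploads tree (assumed to be `wp-content/uploads`, where image uploads normally land and where no PHP should ever execute), flags files carrying any PHP-handled extension anywhere in their name, and sniffs the first bytes of remaining files for a PHP open tag so that image/PHP polyglots are caught too. The sample tree is constructed in a temporary directory with placeholder contents.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP handler may execute (assumption: align with your web server's handler config).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
# PHP open tags; an "image" containing one is a polyglot worth investigating.
PHP_TAG_RE = re.compile(rb"<\?php|<\?=")


def audit_uploads(uploads_dir):
    """Return sorted (relative_path, reason) pairs for files that could execute as PHP."""
    root = Path(uploads_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Check every suffix, not just the last one, so 'logo.png.php' is caught.
        if any(s.lower() in PHP_EXTENSIONS for s in path.suffixes):
            findings.append((rel, "php extension"))
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)  # open tags in a dropper sit near the start of the file
        if PHP_TAG_RE.search(head):
            findings.append((rel, "php open tag inside non-php file"))
    return findings


def build_sample_uploads():
    """Create a constructed uploads tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-uploads-"))
    samples = {
        "2021/06/product.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2021/06/design.svg": b'<svg xmlns="http://www.w3.org/2000/svg"></svg>',
        "2021/06/upload.php": b"<?php /* constructed placeholder, not a real payload */ ?>",
        "2021/06/logo.png.php": b"<?php /* constructed placeholder */ ?>",
        "2021/06/image.jpg": b"\xff\xd8\xff\xe0" + b"<?php /* constructed placeholder */ ?>",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, reason in audit_uploads(build_sample_uploads()):
        print(f"{rel}: {reason}")
```

The sample tree yields three findings (`image.jpg` by content, `logo.png.php` and `upload.php` by extension) and leaves the genuine PNG and SVG alone. The audit is a detection, not a fix: the durable mitigation is the vendor patch above plus a web-server rule that refuses to execute PHP under the uploads directory at all.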