FIN 11 , Email Campaign on the go

FIN11, a financially-motivated hacker group, has been launching successful hybrid extortion attacks across the Commonwealth of Independent States (CIS) countries. It is believed that the FIN11 operators have changed their TTPs to include a diverse set of sectors and geographic regions.

Hybrid extortion attacks

Recently, the group has switched from large-scale phishing campaigns to ransomware attacks.

  • FIN 11 has shifted its primary monetization method to ransomware deployment, along with data theft, to pressurize their victims into accepting the extortion demands.
  • The report has connected the FIN11 group with several dropper families such as SPOONBEARD, FORKBEARD, and MINEDOOR to drop a variety of associated payloads ( AndroMut, AZORult, CLOP, FlawedAmmyy, FRIENDSPEAK, Meterpreter, MIXLABEL) to target its victims.

FIN11 & TA505 Collaboration

The researchers given a variation between FIN11 and TA505 despite the significant overlap in tactics, techniques, and malware used by both hacker groups. It indicates that some earlier attacks attributed to TA505 were actually undertaken by FIN11. It is suspected that FIN11 is a smaller portion of the bigger TA505 umbrella family.

Attack strategy

The FIN11 group had lured its targets into downloading a malicious Microsoft Office attachment to start an infection chain. The chain creates multiple backdoors into compromised systems, with the capability to grab admin credentials and move laterally across networks.

Recent FIN11 lightson

The group has incorporated additional delivery techniques that are switched over almost on a monthly basis, while also continuing to use techniques from prior campaigns.

  • FIN11 had implemented new evasion techniques to selectively choose which victims (mostly Germany-based) were redirected to domains that delivered malicious Office files.
  • The threat actor continued to modify its delivery tactics during Q3 2020; the changes were relatively minor as the victims had to complete a CAPTCHA challenge before being served an Excel spreadsheet with malicious macro code.

Concluding notes

The tactics adopted by FIN11, including data-theft and extortion, aimed at increasing the pressure on victims suggest that its motivations are emblematic and exclusively financial. FIN11 is expected to continue launching hybrid extortion attacks for more effectiveness and financial

Silent Librarian APT in to lime light

The Silent Librarian campaign has actively targeting students and faculty at universities via spear-phishing campaigns.

The threat group (also known as TA407 and Cobalt Dickens), which operates out of Iran, has been on the prowl since the start of the 2019 school year, launching low-volume, highly-targeted, socially engineered emails that eventually trick victims into handing over their login credentials.

The emails typically masquerade as messages from university library systems or other on-campus divisions.

This APT group is going back to school with a fresh campaign that seems to be targeting institutions globally, Targets stretch across a dozen countries and so far have included: The University of Adelaide in Australia; Glasgow Caledonian, University of Kent, University of York, King’s College London, Cambridge and others in the U.K.; the University of Toronto and McGill in Canada; and Stony Brook University, University of North Texas notably.

The mode of operation remains in place, with Silent Librarian hosting a series of phishing sites that are built to mimic legitimate university domains. For instance, emails purporting to be from the University of Adelaide Library directed victims to a “library.adelaide.crev[dot]me” URL, which is very close to the legitimate “library.adelaide.edu.au” domain of the school.

Many of these have been identified and taken down,though the threat actor has sophisticated and built enough of them to continue with a successful campaign against staff and students

The APT is using the Cloudflare content delivery network to host most of the phishing hostnames, in order to hide the real hosting origin.

Considering that Iran is dealing with constant sanctions, it strives to keep up with world developments in various fields, including that of technology . It’s absolute nightmare for IT Admins in schools & University to keep things tight and hold.

PoetRAT🎶🎵🎶

PoetRAT is an emerging malware that targets the energy and government sector of Azerbaijan — especially wind turbine facilities.

There is no one specific way that PoetRAT spreads. However, research has shown that the malware is distributed via URL, which indicates that users are most likely tricked by either emails or social media messages to download the malware.

PoetRAT way of attack

PoetRAT spreads via emails or social media messages containing malicious URLs. This is not to say that other methods are not being used as well.

Talos researchers have observed three phishing emails claiming to be from the Azerbaijan government and the Ministry of Defense of India, which contained a malicious Microsoft Word document named “C19.docx.” Attempts like these play on the particularly sensitive issue of COVID-19 and take advantage of the psychological condition that many are in because of this pandemic.

Once the malicious Word document is opened or URL is clicked, a dropper enables malicious macros which deploy PoetRAT. To help evade detection and other defensive measures, it writes itself to disk in the form of an archive instead of being loaded as an executable.

PoetRAT is written in Python and has two main scripts that are the crux of the malware itself. The first script is “smile.py”, which executes commands including copying, moving and archiving files and content, taking screenshots, information exfiltration, killing processes and uploading of files from the target computer. The second script is “frown.py”, which allows for encrypted communication with the PoetRAT C2 (command-and-control) server.

Researchers have observed an array of different tools typically placed during a PoetRAT campaign:

Klog.exe: Keylogger capabilities
Dog: This .NET malware module can be used to monitor hard drive paths on an infected computers and has data exfiltration capabilities through FTP or email
Browdec.exe: Browser credential stealer
Bewmac: Webcam session recording capabilities
WinPwnage: Used for privilege escalation
voStro.exe: Credential stealer
Nmap: Used for network scanning
Tre.py: A script written in Python used to create new files and directors
Mimikatz: Credential harvesting
Pypykatz: Credential harvesting

PoetRAT is capable of is maintaining persistence via registry key manipulation, as it can modify registry entries in order to get around sandbox evasion checks.

PoetRAT has only been involved with cyberattacks in Azerbaijan thus far. This should be of particular importance to those in the energy sector, particularly wind turbine energy production facilities. Update security controls use proper email security product.

XDSpy APT not uncovered So long

XDSpy the APT group, recently discovered by researchers, targeted government and private companies in Belarus, Moldova, Russia, Serbia, and Ukraine, including militaries and Ministries of Foreign Affairs.

Experts believe that the hacker group could have targeted many other countries and a good portion of its operations has yet to be discovered.

The tools in the arsenal of the XDSpy APT are quite basic, although efficient, their primary tool is a downloader dubbed named XDDown.

The malware samples analyzed by the researchers are slightly obfuscated using string obfuscation and dynamic Windows API library loading. The malware supports multiple features, including the monitoring of removable drives, taking screenshots, exfiltrating documents, and collecting nearby Wi-Fi access point identifiers.

Experts also noticed that hackers also used NirSoft utilities to recover passwords from web browsers and email clients.

Experts observed the threat actor exploiting a remote code issue in Internet Explorer tracked as CVE-2020-0968 that was addressed by Microsoft with the release of Patch Tuesday security updates for April 2020.

ESET described XDDown as a “downloader” used to infect a victim and then download secondary modules that would perform various specialized tasks.

The XDDown malware has a modular structure, some of the plugins analyzed by ESET are:

  • XDRecon
  • XDList
  • XDMonitor
  • XDUpload
  • XDLoc.
  • XDPass
XDSpy

The analysis of the spear-phishing campaigns linked to the APT group revealed that the hackers used email subject lines with lures related to lost and found objects and the COVID-19 pandemic. These messages came with malicious attachments such as Powerpoint, JavaScript, ZIP, or shortcut (LNK) files.

“XDSpy is a cyberespionage group mostly undetected for more than nine years while being very busy over the past few months.” concludes the report. “The group’s technical proficiency tends to vary a bit. It has used the same basic malware architecture for nine years, but it also recently exploited a vulnerability patched by the vendor but for which no public proof-of-concept exists, a so-called 1-day exploit.”