ALPHV Blackcat, GCP-Native Attacks, Bandook RAT, NoaBot Miner, Ivanti Secure Vulnerabilities, and More: Hacker’s Playbook Threat Coverage Round-up: February 2024

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for newly discovered or analyzed threats, including those based on original research conducted by SafeBreach Labs. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.

US-CERT Alert AA23-353A UPDATE – ALPHV Blackcat

On February 27th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued an advisory related to the most recent IOCs and TTPs associated with the ALPHV Blackcat ransomware-as-a-service (RaaS). This advisory is essentially an update to the previous advisories issued by the FBI in April 2022 and the original CISA advisory issued in December 2023.

According to the information available, ALPHV Blackcat actors have now employed improvised communication methods by creating victim-specific emails to notify them of the initial compromise. According to the FBI investigation, this threat has affected close to 70 victims since December 2023, mostly from the healthcare industry. The investigators believe that healthcare victims have been primarily targeted due to the ALPHV Blackcat administrator encouraging affiliates to go after hospitals.

ALPHV Blackcat affiliates use advanced social engineering techniques and open-source research on a company to gain initial access. Actors pose as company IT and/or help desk staff and use phone calls or SMS messages to obtain credentials from employees to access the target network. After gaining access to a victim network, ALPHV Blackcat affiliates deploy remote access software such as AnyDesk, Mega sync, and Splashtop in preparation of data exfiltration. ALPHV Blackcat affiliates claim to use Brute Ratel C4 and Cobalt Strike as beacons to command and control servers. ALPHV Blackcat affiliates use the open-source adversary-in-the-middle attack [T1557] framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. The actors also obtain passwords from the domain controller, local network, and deleted backup servers to move laterally throughout the network

Some ALPHV Blackcat affiliates exfiltrate data after gaining access and extort victims without deploying ransomware. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via TOR, Tox, email, or encrypted applications. The threat actors then delete victim data from the victim’s system.

SafeBreach’s Updated Coverage of US-CERT Alert AA23-353A

The SafeBreach platform has now been updated to include the new IOCs and TTPs identified in this update. This is in addition to the attacks previously available in the platform. The newly added/mapped attacks include:

• #9542 – Email Convagent (f67905) RAT as a compressed attachment (INFILTRATION)
• #9541 – Email Convagent (f67905) RAT as a compressed attachment (LATERAL_MOVEMENT)
• #9540 – Transfer of Convagent (f67905) RAT over HTTP/S (INFILTRATION)
• #9539 – Transfer of Convagent (f67905) RAT over HTTP/S (LATERAL_MOVEMENT)
• #9538 – Pre-execution phase of Convagent (f67905) RAT (Windows) (HOST_LEVEL)
• #9537 – Write Convagent (f67905) RAT to disk (HOST_LEVEL)
• #8377 – Golden Ticket (host level)
• #8360 – Silver ticket (lateral movement)
• #2205 – Extract NTLM Hashes using Invoke-Kerberoast (PowerShell) (host level)
• #7225 – Extracting Active Directory tickets using Kerberoasting (host level)
• #8336 – Extract Credentials Using Invoke-WCMDump (host level)

Google Cloud Platform (GCP) Native Attacks

SafeBreach users can now validate their GCP services against 10 control-plane attacks, including seven discovery and three data-collection attacks. This is in addition to the 9000+ attacks already available in the platform, focused on other cloud-specific vectors like containers and web applications.

With the introduction of these GCP-native attacks, the SafeBreach platform now enables organizations to continuously validate their cloud-native applications, cloud workloads, containers, and the cloud control plane across all three major cloud service providers (AWS, Azure, and GCP). This is particularly valuable for organizations leveraging more than one cloud provider to ensure redundancy, increase the speed of adoption, etc.

SafeBreach’s GCP-Native Attacks

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their GCP deployment:

• #8902 – Discover service accounts (GCP) (INFILTRATION)
• #8903 – Discover firewalls (GCP) (INFILTRATION)
• #8904 – Discover virtual machines (GCP) (INFILTRATION)
• #8905 – Discover IAM policy (GCP) (INFILTRATION)
• #8906 – Discover VPCs (GCP) (INFILTRATION)
• #8907 – Discover buckets (GCP) (INFILTRATION)
• #8908 – Discover buckets and blobs (GCP) (INFILTRATION)
• #8909 – Collect service accounts keys (GCP) (INFILTRATION
• #8910 – Collect API keys (GCP) (INFILTRATION)
• #8911 – Collect secrets (GCP) (INFILTRATION)

Bandook RAT: What you need to know

Fortinet researchers have identified a new variant of the infamous Bandook malware that has been around since 2007. The new variant of this remote access trojan (RAT) is targeting Windows systems and is distributed via phishing attacks. The phishing email contains a PDF file that includes a shortened URL that downloads a password-protected .7z file. Upon extracting the malware from the archive, the malicious code injects its payload into msinfo32.exe. The injector decrypts the payload in the resource table and injects it into msinfo32.exe. A registry key created before the injection controls the payload’s behavior. Once injected, the payload initializes strings for the key names of registries, flags, APIs, etc. After that, it locates the registry key using the PID of the injected msinfo32.exe and then decodes and parses the key value to carry out the task that the control code specifies.

There are 139 actions that the malicious payload supports, including those from earlier variants. The new variant also includes additional new commands for C2 communications. Bandook typically supports common capabilities such as file manipulation, registry manipulation, download, information stealing, file execution, invocation of functions in dlls from the C2, controlling the victim’s computer, process killing, and uninstalling the malware.

SafeBreach Coverage of Bandook RAT

The SafeBreach platform has been updated with the following new attacks to ensure our customers can validate their security controls against this trojan variant:

• #9450 – Write Bandook (fa0057) RAT to disk
• #9451 – Pre-execution phase of Bandook (fa0057) RAT (Windows)
• #9452 – Transfer of Bandook (fa0057) RAT over HTTP/S
• #9453 – Transfer of Bandook (fa0057) RAT over HTTP/S
• #9454 – Email Bandook (fa0057) RAT as a compressed attachment
• #9455 – Email Bandook (fa0057) RAT as a compressed attachment

NoaBot Cryptominer: What you need to know

Akamai researchers have uncovered a new crypto-mining campaign that has been active since the beginning of 2023. This campaign leverages NoaBot, a new Mirai-based botnet. Mirai is a botnet that typically targets Linux-based IoT devices and is typically used to execute distributed denial-of-service (DDoS) attacks. This new botnet is believed to be brute-forcing SSH logins and distributing crypto-mining malware on Linux servers.

The NoaBot botnet has most of the capabilities of the original Mirai botnet, including having a scanner module and an attacker module, being able to hide its process name, etc. However, the primary difference between this botnet and the original Mirai is that NoaBot’s malware spreader is SSH-based and not Telnet-based.

Research has also revealed that malware exhibits peculiar behavior, including having the lyrics to the song “Who’s Ready for Tomorrow” embedded in the malware code. Compared to Mirai, NoaBot Botnet also uses a different credential dictionary for its SSH scanner and includes a lot of post-breach capabilities, such as installing a new SSH-authorized key as a backdoor to download and execute additional binaries or spread itself to new victims. The malware also comes statically compiled and stripped of any symbols. This, combined with the fact that the malware was compiled in a nonstandard manner, makes reverse engineering the malware extremely challenging and frustrating.

SafeBreach Coverage of NoaBot Cryptominer

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the crypto miner:

• #9460 – Write NoaBot (5dc866) miner to disk (HOST_LEVEL)
• #9461 – Transfer of NoaBot (5dc866) miner over HTTP/S (LATERAL_MOVEMENT)
• #9462 – Transfer of NoaBot (5dc866) miner over HTTP/S (INFILTRATION)
• #9463 – Email NoaBot (5dc866) miner as a compressed attachment (LATERAL_MOVEMENT)
• #9464 – Email NoaBot (5dc866) miner as a compressed attachment (INFILTRATION)

Ivanti Connect Secure Chained Vulnerabilities (CVE-2023-46805/ CVE-2024-21887)

In December 2023, a Chinese nation-state threat actor was observed actively exploiting two 0-day vulnerabilities in Ivanti Connect Secure (formerly known as Pulse Connect Secure) VPN appliances to steal configuration data, modify and download files, establish a reverse tunnel, and ultimately place web shells (GLASSTOKEN) on multiple internal and external-facing web servers. The threat actors chained these two vulnerabilities (CVE-2023-46805 and CVE-2024-21887) together to achieve unauthorized remote code execution (RCE) on the impacted devices and perform further malicious activities.

The CVE-2024-21887 (rated CVSS 9.1/ Critical) is a vulnerability in the web component that could allow an authenticated threat actor to send specially crafted requests and execute arbitrary commands on the vulnerable appliance. The CVE-2023-46805 (rated CVSS 8.2/ High) is a vulnerability in the web component that could allow a remote threat actor to access the vulnerable appliance by bypassing control checks.

When these two 0-day vulnerabilities were chained together, they enabled threat actors to run commands on the system and ultimately gain access to other systems on the affected network. We advise all SafeBreach customers to run the below-listed attack and use the Ivanti-recommended mitigations.

SafeBreach Coverage of Ivanti Connect Secure Chained Vulnerabilities

The SafeBreach platform has been updated with the following attack to ensure our customers can validate their security controls against these chained vulnerabilities:

• #9482 – Remote exploitation of Ivanti Connect Secure vulnerability chain CVE-2023-46805 CVE-2024-21887 (WAF) (INFILTRATION)

NoJustice Wiper: What are they and what you need to know

According to the cybersecurity firm ClearSky, Albanian organizations were the victims of cyber-attacks by pro-Iranian threat actors – Homeland Justice. These threat actors leveraged a wiper called NoJustice, which is a Windows-based malware that crashes the OS such that it cannot be rebooted. Victims included ONE Albania (Telecom), Eagle Mobile Albania (Telecom), Air Albania (Airline), and the Albanian parliament (Government).

Homeland Justice primarily leveraged an executable wiper and a PowerShell script that was designed to propagate the wiper to other machines in the victim network after enabling Windows Remote Management (WinRM). The No-Justice wiper (NACL.exe) is a binary that requires administrator privileges to erase the data on the computer. This is accomplished by removing the boot signature from the Master Boot Record (MBR), which refers to the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer’s RAM. Threat actors also leveraged legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.

SafeBreach Coverage of NoJustice Wiper

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the wiper variant:

• #9488 – Email No Justice (e2531f) wiper as a compressed attachment (INFILTRATION
• #9487 – Email No Justice (e2531f) wiper as a compressed attachment (LATERAL_MOVEMENT
• #9486 – Transfer of No Justice (e2531f) wiper over HTTP/S (INFILTRATION)
• #9485 – Transfer of No Justice (e2531f) wiper over HTTP/S (LATERAL_MOVEMENT
• #9484 – Pre-execution phase of No Justice (e2531f) wiper (Windows) (HOST_LEVEL
• #9483 – Write No Justice (e2531f) wiper to disk (HOST_LEVEL

LambLoad Downloader: What are they and what you need to know

Microsoft Threat Intelligence researchers recently discovered a new supply chain attack by North Korean threat actors Diamond Sleet (ZINC) that used a malicious variant of an application originally developed by CyberLink Corp, a company developing software products. The threat actors modified the original and legitimate software installer to include a malicious code that can download, decrypt, and load a secondary malicious payload. According to the information available, this threat has impacted organizations across multiple countries, including Japan, Taiwan, Canada, and the United States.

Based on the information available, the malicious executable, known as LambLoad is a weaponized downloader and loader. Before launching the malicious payload, the executable file first checks the system date and time to ensure that deployed protection does not include tools from FireEye, Tanium, or CrowdStrike. If any of these tools are found in the initial check, the executable abandons the installation of the malicious payload. If none of these tools are deployed, the tool attempts to contact three malicious domains to download a second payload that is embedded inside of a file masquerading as a .PNG file. As the 2^nd stage of the payload communicates with infrastructure previously attributed to Diamond Sleep, Microsoft researchers were able to attribute this attack to the North Korean threat group.

SafeBreach Coverage of LambLoad Downloader

The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the malware variant:

• #9499 – Email LambLoad (baaeac) downloader as a compressed attachment (INFILTRATION)
• #9497 – Transfer of LambLoad (baaeac) downloader over HTTP/S (INFILTRATION)
• #9496 – Transfer of LambLoad (baaeac) downloader over HTTP/S (LATERAL_MOVEMENT)
• #9495 – Pre-execution phase of LambLoad (baaeac) downloader (Windows) (HOST_LEVEL)
• #9494 – Write LambLoad (baaeac) downloader to disk (HOST_LEVEL)

Interested in Protecting Against Advanced Ransomware?

SafeBreach now offers a complimentary and customized real-world ransomware assessment, RansomwareRx, that allows you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:

• Training: Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
• Assessment: Review goals and ensure simulation connections to our management console and all configurations are complete.
• Attack Scenario: Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
• Report: Receive a custom-built report with simulation results and actionable remediation insights.

Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.