In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting newly added coverage for several recently discovered or analyzed ransomware and malware variants, including Sabbath ransomware and the 3CXDesktopApp supply-chain backdoor, among others. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook™ to validate coverage against these advanced threats. Additional details about each threat and our coverage are below.
What is Sabbath Ransomware?
The Sabbath ransomware group is essentially a rebrand of the actor Mandiant tracks as UNC2190. Sabbath has targeted U.S. and Canadian infrastructure entities, including organizations in the education and healthcare sectors, and is known to steal data in bulk and attempt to destroy backups during targeted attacks. According to Mandiant, Sabbath first came to light in October 2021, when the group publicly shamed and extorted a U.S. school district, demanding a multi-million-dollar payment after deploying its ransomware payload. The group then emailed staff, parents, and even students directly to apply further public pressure on the district.
Sabbath’s public shaming web portal and blog were first published in October 2021. Mandiant observed the threat actors deploying ROLLCOAST ransomware, a dynamic-link library (DLL) with no named exports and a single ordinal export (0x01); it encrypts files on the logical drives attached to a system. Sabbath actors may have designed the sample this way to avoid detection and to invoke it in memory through the Cobalt Strike BEACON backdoor that Sabbath hands to its affiliates as pre-configured payloads. The group has been operating for over two years with only minor changes to its strategy and toolkit: it recently introduced a commercial packer and rebranded its service offering. This is a good example of how a well-known tool like Cobalt Strike BEACON can enable lucrative and impactful attacks even when leveraged by a smaller, lesser-known group.
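The "no named exports, one ordinal export" shape described above is something a triage script can check for directly. The following Python is an added example written for this round-up; it is not SafeBreach or Mandiant code and has not been run against a ROLLCOAST sample. It parses the PE export directory without third-party libraries and flags any DLL that exports at least one function but names none of them. The `build_sample_dll` fixture is a constructed, code-free PE32 image used only so the check can be demonstrated offline; the file layout it emits (one `.edata` section at RVA 0x1000) is an assumption of the example, not a property of the real malware.

```python
import struct
import sys


def _rva_to_offset(data: bytes, sections, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def export_summary(data: bytes):
    """Parse the export directory; return {'ordinals': [...], 'names': [...]} or None if nothing is exported."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    # DataDirectory begins at +96 in a PE32 optional header and +112 in PE32+; entry 0 is the export table
    dd_off = opt_off + (96 if magic == 0x10B else 112)
    exp_rva, _exp_size = struct.unpack_from("<II", data, dd_off)
    sec_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return None
    e = _rva_to_offset(data, sections, exp_rva)
    base, n_funcs, n_names, aof, aon, _aono = struct.unpack_from("<IIIIII", data, e + 16)
    aof_off = _rva_to_offset(data, sections, aof)
    # a zero address in AddressOfFunctions is an unused slot, so only non-zero slots are real ordinals
    ordinals = [base + i for i in range(n_funcs)
                if struct.unpack_from("<I", data, aof_off + 4 * i)[0] != 0]
    names = []
    if n_names:
        aon_off = _rva_to_offset(data, sections, aon)
        for i in range(n_names):
            name_rva, = struct.unpack_from("<I", data, aon_off + 4 * i)
            o = _rva_to_offset(data, sections, name_rva)
            names.append(data[o:data.index(b"\0", o)].decode("ascii", "replace"))
    return {"ordinals": ordinals, "names": names}


def looks_ordinal_only(data: bytes) -> bool:
    """Triage heuristic: the image exports at least one function but gives none of them a name."""
    s = export_summary(data)
    return bool(s and s["ordinals"] and not s["names"])


def build_sample_dll(export_names=()) -> bytes:
    """Constructed fixture: a minimal PE32 DLL with one .edata section (no code, not real malware)."""
    names = list(export_names)
    n_funcs = max(1, len(names))
    sec_rva, sec_raw = 0x1000, 0x200
    body = bytearray(40)                                   # export directory, filled in at the end
    aof_rva = sec_rva + len(body)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n_funcs))
    aon_rva, aon_pos = sec_rva + len(body), len(body)
    body += bytes(4 * len(names))                          # AddressOfNames, patched per name below
    aono_rva = sec_rva + len(body)
    body += b"".join(struct.pack("<H", i) for i in range(len(names)))
    dllname_rva = sec_rva + len(body)
    body += b"sample.dll\0"
    for i, n in enumerate(names):
        struct.pack_into("<I", body, aon_pos + 4 * i, sec_rva + len(body))
        body += n.encode() + b"\0"
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, dllname_rva, 1, n_funcs, len(names),
                     aof_rva, aon_rva if names else 0, aono_rva if names else 0)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)   # i386, one section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<II", opt, 96, sec_rva, 40)          # DataDirectory[0] = export table
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, sec_raw, sec_raw,
                      0, 0, 0, 0, 0x40000040)
    image = dos + b"PE\0\0" + coff + opt + sec
    image += bytes(sec_raw - len(image))
    return bytes(image + body + bytes(sec_raw - len(body)))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, export_summary(blob), "ORDINAL-ONLY" if looks_ordinal_only(blob) else "")
```

Run it over a directory of DLLs and review the ordinal-only hits by hand: legitimate libraries occasionally export by ordinal only, so the result is a triage lead rather than a verdict.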
SafeBreach Coverage of Sabbath Ransomware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against Sabbath ransomware.
- #8735 – Email Sabbath ransomware as a ZIP attachment (INFILTRATION)
- #8734 – Email Sabbath ransomware as a ZIP attachment (LATERAL_MOVEMENT)
- #8733 – Transfer of Sabbath ransomware over HTTP/S (INFILTRATION)
- #8732 – Transfer of Sabbath ransomware over HTTP/S (LATERAL_MOVEMENT)
- #8731 – Pre-execution phase of Sabbath ransomware (Windows) (HOST_LEVEL)
- #8730 – Write Sabbath ransomware to disk (HOST_LEVEL)
What is 3CXDesktopApp Backdoor?
Researchers from Sophos and CrowdStrike discovered a supply-chain attack on March 29, 2023, that targeted the software-based phone application 3CXDesktopApp. According to the researchers, the threat actors distributed a digitally signed, trojanized version of the 3CX VoIP desktop client. CrowdStrike notes that the malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity. The threat actor is suspected to be a North Korean state-sponsored group that shares attributes with the Lazarus group.
The attack starts when the trojanized MSI installer is downloaded from 3CX’s website or an update is pushed to an already installed desktop application. When the MSI or update is installed, it extracts two malicious DLL files, ffmpeg.dll and d3dcompiler_47.dll, which carry out the next stage of the attack. The 3CXDesktopApp executable itself is not malicious: it sideloads the malicious ffmpeg.dll, which extracts and decrypts an encrypted payload embedded in d3dcompiler_47.dll. The resulting malware harvests system information and steals data and stored credentials from Chrome, Edge, Brave, and Firefox user profiles. Because the trojanized installer was digitally signed, a passing signature check alone does not clear an affected build; defenders should compare installed binaries against published indicators and look for the DLL-sideloading and beaconing behavior described above.
SafeBreach Coverage of 3CXDesktopApp Backdoor (dll and dylib)
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against both the Windows (dll) and macOS (dylib) variants of the backdoor.
- #8768 – Email 3CXDesktopApp (dylib) backdoor as a ZIP attachment (INFILTRATION)
- #8767 – Email 3CXDesktopApp (dylib) backdoor as a ZIP attachment (LATERAL_MOVEMENT)
- #8766 – Transfer of 3CXDesktopApp (dylib) backdoor over HTTP/S (INFILTRATION)
- #8765 – Transfer of 3CXDesktopApp (dylib) backdoor over HTTP/S (LATERAL_MOVEMENT)
- #8764 – Write 3CXDesktopApp (dylib) backdoor to disk (HOST_LEVEL)
- #8763 – Email 3CXDesktopApp (dll) backdoor as a ZIP attachment (INFILTRATION)
- #8762 – Email 3CXDesktopApp (dll) backdoor as a ZIP attachment (LATERAL_MOVEMENT)
- #8761 – Transfer of 3CXDesktopApp (dll) backdoor over HTTP/S (INFILTRATION)
- #8760 – Transfer of 3CXDesktopApp (dll) backdoor over HTTP/S (LATERAL_MOVEMENT)
- #8758 – Write 3CXDesktopApp (dll) backdoor to disk (HOST_LEVEL)
What is PlugX Malware?
Security researchers have analyzed a variant of the PlugX malware that hides malicious files on removable USB devices and then infects the Windows hosts they are connected to. The malware uses what the researchers call “a novel technique” that allows it to remain undetected for longer periods and could potentially spread to air-gapped systems. Researchers from Palo Alto Networks Unit 42 uncovered the variant during a Black Basta breach response.
The researchers also discovered a second PlugX variant that infects USB devices and copies all Adobe PDF and Microsoft Word files from the host into a hidden folder that the malware creates on the USB device. PlugX is a second-stage implant used not only by multiple groups with a Chinese nexus but also by several cybercrime groups.
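The staging behavior above (a hidden folder on the removable device filled with copied PDF and Word files) can be hunted for with a simple walk of the drive. The Python below is an added example for this round-up, not Unit 42 or SafeBreach code and not derived from the PlugX sample itself: it treats a directory as hidden if its name is dot-prefixed, blank or non-printing, or carries the Windows hidden attribute, and reports hidden directories that contain office documents. The `.cache` folder name, the file names and the "one document is enough" threshold in the fixture are assumptions made for the demonstration, not indicators from the report.

```python
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path

DOC_SUFFIXES = {".pdf", ".doc", ".docx"}      # file types this PlugX variant is reported to copy


def is_hidden(path: Path) -> bool:
    """Hidden by name (dot prefix, blank or non-printing name) or by the Windows hidden attribute."""
    name = path.name
    if name.startswith(".") or name.strip() == "" or not name.isprintable():
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)          # only populated on Windows
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_removable_root(root, min_docs: int = 1):
    """Report every directory under root that lies inside a hidden directory and holds office documents."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel_parts = d.relative_to(root).parts
        if not rel_parts:
            continue                                               # the drive root itself
        cur, hidden = root, False
        for part in rel_parts:                                     # any hidden ancestor taints the subtree
            cur = cur / part
            if is_hidden(cur):
                hidden = True
                break
        if not hidden:
            continue
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOC_SUFFIXES)
        if len(docs) >= min_docs:
            findings.append({"dir": d.relative_to(root).as_posix(),
                             "doc_count": len(docs), "samples": docs[:5]})
    return findings


def build_sample_drive(base: Path) -> None:
    """Constructed fixture that mimics a USB root: normal user files plus a hidden staging folder."""
    (base / "Reports").mkdir()
    (base / "Reports" / "q1.docx").write_bytes(b"PK\x03\x04 fake docx")
    (base / "photo.jpg").write_bytes(b"\xff\xd8 fake jpg")
    staging = base / ".cache"                                      # hidden by dot prefix on every OS
    (staging / "sub").mkdir(parents=True)
    for name in ("budget.pdf", "memo.doc", "notes.docx", "readme.txt"):
        (staging / name).write_bytes(b"copied from host")
    (staging / "sub" / "more.pdf").write_bytes(b"copied from host")


def demo():
    """Build the fixture in a temporary directory, scan it, clean up, and return the findings."""
    tmp = Path(tempfile.mkdtemp())
    try:
        build_sample_drive(tmp)
        return scan_removable_root(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    results = scan_removable_root(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in results:
        print(r)
```

Point the script at the mounted root of a suspect drive (`python scan.py E:\` or `/media/usb`); with no argument it runs against the constructed fixture. A hit is a lead to examine, since backup tools also create hidden folders of documents.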
SafeBreach Coverage of PlugX Malware
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the malware variant:
- #8773 – Email PlugX backdoor as a ZIP attachment (INFILTRATION)
- #8772 – Email PlugX backdoor as a ZIP attachment (LATERAL_MOVEMENT)
- #8771 – Transfer of PlugX backdoor over HTTP/S (INFILTRATION)
- #8770 – Transfer of PlugX backdoor over HTTP/S (LATERAL_MOVEMENT)
- #8769 – Write PlugX backdoor to disk (HOST_LEVEL)
What is AuTo Stealer?
AuTo Stealer is malware written in C++ that the Pakistani threat actor SideCopy has used since at least December 2021 to target government agencies and personnel in India and Afghanistan, using romantic lures. The actor has been reported to share similarities with Transparent Tribe (APT36) and is possibly a subdivision of that group.
According to the available reporting, a loader drops and launches an executable (credbiz.exe) that sideloads the stealer. Two variants of this loader have been observed, loading an HTTP version and a TCP version of the stealer respectively. The loader is a C++ port of PreBotHta.dll, a C# loader the actor uses to load its other RATs. Like PreBotHta.dll, it checks which AV product is installed on the victim’s machine and performs additional actions depending on the product name. Using the stealer, the threat actor was able to steal several Office documents and databases containing names, phone numbers, and email addresses of government officials, who may already have been targeted or may be targeted in the future.
SafeBreach Coverage of AuTo Stealer
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the infostealer:
- #8784 – Email AuTo infostealer as a ZIP attachment (INFILTRATION)
- #8783 – Email AuTo infostealer as a ZIP attachment (LATERAL_MOVEMENT)
- #8782 – Transfer of AuTo infostealer over HTTP/S (INFILTRATION)
- #8781 – Transfer of AuTo infostealer over HTTP/S (LATERAL_MOVEMENT)
- #8780 – Pre-execution phase of AuTo infostealer (Windows) (HOST_LEVEL)
- #8779 – Write AuTo infostealer to disk (HOST_LEVEL)
What is CVE-2023-21716?
CVE-2023-21716 is a heap corruption vulnerability in wwlib.dll, the DLL Microsoft Word uses to parse Rich Text Format (RTF) files. To trigger it, an attacker can craft an RTF file whose font table contains an excessive number of fonts. The vulnerability is rated critical, with a CVSS score of 9.8 out of 10, and allows an attacker to execute code with the privileges of the victim via an RTF document. If the malicious file arrives by email, the victim does not even have to open it: the exploit can be triggered through the email’s preview pane.
Although Microsoft has released a patch for this issue, attackers may still attempt to infect users running unpatched versions of Microsoft Word. We strongly recommend that Microsoft Office users update immediately. Microsoft also published workarounds for users who cannot update right away.
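Since the trigger described above is an oversized font table, mail-gateway or sandbox triage can count `\fN` font definitions inside the `{\fonttbl ...}` group before Word ever parses the file. The Python below is an added example for this round-up, not SafeBreach code and not a detection signature for the public proof of concept; it walks the RTF group structure (honouring escaped braces and control symbols) and reports the number of fonts and the highest font ID. The 1000-font threshold is an assumption to tune against your own document corpus, and `build_rtf` produces a constructed, benign sample for the demonstration. The scanner does not handle `\binN` raw-binary runs, which a thorough parser must skip.

```python
import re
import sys

# control word: backslash, letters, optional signed numeric parameter, optional single-space delimiter
CONTROL_WORD = re.compile(rb"\\([a-zA-Z]+)(-?\d+)? ?")


def count_fonttbl_entries(rtf: bytes):
    """Return (font_count, max_font_id) for the {\\fonttbl ...} group, or (0, None) if there is none."""
    start = rtf.find(b"{\\fonttbl")
    if start == -1:
        return 0, None
    depth, font_ids, i = 0, [], start
    while i < len(rtf):
        c = rtf[i:i + 1]
        if c == b"{":
            depth += 1
            i += 1
        elif c == b"}":
            depth -= 1
            i += 1
            if depth == 0:              # closing brace of the font table group itself
                break
        elif c == b"\\":
            m = CONTROL_WORD.match(rtf, i)
            if m:
                if m.group(1) == b"f" and m.group(2) is not None:    # \fN defines font number N
                    font_ids.append(int(m.group(2)))
                i = m.end()
            else:
                i += 2                  # control symbol (\{, \}, \\, \'hh): skip so escaped braces do not count
        else:
            i += 1
    return len(font_ids), (max(font_ids) if font_ids else None)


def flag_rtf(rtf: bytes, max_fonts: int = 1000) -> dict:
    """Heuristic verdict; max_fonts is an assumed threshold, not a documented limit."""
    n, max_id = count_fonttbl_entries(rtf)
    return {"fonts": n, "max_font_id": max_id, "suspicious": n > max_fonts}


def build_rtf(num_fonts: int) -> bytes:
    """Constructed sample: a benign RTF whose font table has num_fonts entries (no exploit content)."""
    fonts = b"".join(b"{\\f%d\\fnil\\fcharset0 Font%d;}" % (i, i) for i in range(num_fonts))
    return b"{\\rtf1\\ansi{\\fonttbl" + fonts + b"}\\f0 Body text with \\{escaped braces\\}.\\par}"


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, flag_rtf(fh.read()))
```

Files that Word would treat as RTF regardless of extension (a `.doc` that begins with `{\rtf`) should be fed through the same check, since the extension is not what selects the parser.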
SafeBreach Coverage of CVE-2023-21716
The SafeBreach platform has been updated with the following attacks to ensure our customers can validate their security controls against the vulnerability:
- #8740 – Email CVE-2023-21716 exploit as a ZIP attachment (INFILTRATION)
- #8739 – Email CVE-2023-21716 exploit as a ZIP attachment (LATERAL_MOVEMENT)
- #8738 – Transfer of CVE-2023-21716 exploit over HTTP/S (INFILTRATION)
- #8737 – Transfer of CVE-2023-21716 exploit over HTTP/S (LATERAL_MOVEMENT)
- #8736 – Write CVE-2023-21716 exploit to disk (HOST_LEVEL)
Newly Added Behavioral Attacks
Behavioral IOCs are a combination of Atomic IOCs (small fragments of data, such as a hostname or an IP address, that cannot be broken down further) and Computed IOCs (values derived from attack artifacts in a defined way, such as a malware sample’s MD5 hash). A Behavioral IOC acts as a signature of an attack or of an attacker, and these Behavioral IOCs map to the MITRE ATT&CK framework. The SafeBreach platform covers not only Atomic and Computed IOCs but also Behavioral IOCs. Recent additions include:
- #8336 – Extract Credentials Using Invoke-WCMDump
  - Adversaries may search common password storage locations to obtain user credentials; Invoke-WCMDump reads them from the Windows Credential Manager. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials, and some applications store passwords specifically to make them easier for users to manage. Once credentials are obtained, they can be used for lateral movement and to access restricted information.
- #8363 – PrintSpoofer privilege escalation
  - Adversaries may modify access tokens to operate under a different user or system security context, performing actions that bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear to be the child of a different process or to belong to someone other than the user who started it; when this occurs, the process also takes on the security context associated with the new token.
Interested In Protecting Against Advanced Ransomware?
SafeBreach now offers a complimentary and customized real-world ransomware assessment (RansomwareRx) that can allow you to gain unparalleled visibility into how your security ecosystem responds at each stage of the defense process. This ransomware assessment includes:
- Training – Understand the methodology around ransomware attacks, persistent threats, and malware attacks.
- Assessment – Review goals and ensure simulation connection to our management console and all configurations are complete.
- Attack Scenario – Run safe-by-design, real-world ransomware attacks across the cyber kill chain on a single device of your choice.
- Report – Receive a custom-built report that includes simulation results and actionable remediation insights.
Empower your team to understand more about ransomware attacks, methodologies, and behaviors—all through the lens of the attacker. Request your complimentary RansomwareRx assessment today.