PICUS LABS MONTHLY #April 2021


APRIL'S THREAT: FIN7 THREAT GROUP

A Financially-Motivated Threat Group: FIN7

FIN7 is a financially motivated threat group that has targeted victims in the US, UK, EU and Australia. Since mid-2015 it has primarily targeted the finance, retail, restaurant and hospitality sectors, using point-of-sale malware. Some sources treat FIN7 and Carbanak (also known as Anunak) as the same group, while others consider them two separate groups that share the Carbanak malware and therefore track them separately.

 

You can test the effectiveness of your security controls against FIN7 group campaigns with "370387 FIN7 Group Attack Scenario" and "708444 Information Gathering by using custom JScript used by FIN7 Group" in the Picus Threat Library. You can also validate your defenses against FIN7 group samples with threats 709341, 382205, 789625, 490237, 447047, 756048, 498916, 224682, 573801, 704552, 269222, 502462, 346346, 107949, 219132, 926233, 793453, 601202, 512322, 691212, 692311, 159622, 205953, 197044, 102942, 704354, 904564, 705922, 803452, 703415, 169394, 207923, 234134 in the Picus Threat Library.

APRIL'S THREAT ACTORS

FIN7

  • Picus Threat IDs: 370387, 708444, 658518, 722273
  • Aliases: Carbanak, Gold Niagara, Calcium, Anunak
  • Target Regions: USA, UK, EU and Australia
  • Target Industries: Finance, Retail, Restaurant, and Hospitality
  • Malware: TinyMet, PillowMint

LazyScripter

  • Picus Threat IDs: 328863, 580048, 265063
  • Target Regions: Europe, Asia
  • Target Industries: Airlines, Government, Oil
  • Malware: Koadic Backdoor, Octopus RAT, PowerShell Empire, Empoder

APT28

  • Picus Threat IDs: 272774, 781652, 599661, 393186, 860835, 590353, 632937, 639264, 296276, 680221, 682221, 682233, 682323
  • Aliases: Fancy Bear
  • Target Regions: Europe, North America
  • Target Industries: Airlines, Government, Oil
  • Malware: Delphocy Dropper, DoubleAgent Trojan, LoJax Malware

ATTACK SCENARIOS

APT / Malware

FIN7 Group APT Scenario

Picus Threat ID: 370387

 

ACTIONS:

 

1. Execute JScript to Profile Target System

ATT&CK Technique: T1059 Command and Scripting Interpreter

ATT&CK Tactic: Execution

 

2. Execute Command by using FacefodUninstaller DLL Search Order Hijacking

ATT&CK Technique: T1574 Hijack Execution Flow

ATT&CK Tactics: Persistence, Privilege Escalation, Defense Evasion

 

3. Execute Shellcode by Reading a Registry Key

ATT&CK Technique: T1055 Process Injection

ATT&CK Tactics: Defense Evasion, Privilege Escalation

...

10. Execute Keylogger by using Reflective DLL

ATT&CK Technique: T1056 Input Capture

ATT&CK Tactic: Collection, Credential Access
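The DLL search order hijack in step 2 is worth pairing with a detection. The Python below is an added example written for this newsletter, not Picus code or FIN7 tooling: it scores Sysmon Event ID 7 (Image loaded) records for a system DLL resolved outside System32/SysWOW64, for unsigned code mapped from a user-writable path, and for a DLL co-located with an executable that itself runs from a user-writable directory. The DLL allowlist, the directory prefixes and the sample events (including the updater.exe process name) are constructed assumptions, not FIN7 indicators.

```python
"""Flag DLL search-order hijacking in Sysmon Event ID 7 (Image loaded) records.

Added example for this newsletter, not Picus tooling. The records below are
constructed stand-ins for Sysmon's Image, ImageLoaded and Signed fields.
"""
from __future__ import annotations
import ntpath
from dataclasses import dataclass

# Illustrative subset (assumption) of DLLs that ship only in the Windows system
# directories. If one of these names resolves anywhere else, the loader walked
# the search order and found an attacker's copy first.
SYSTEM_ONLY_DLLS = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "cryptsp.dll",
    "propsys.dll", "wtsapi32.dll", "winmm.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")


@dataclass(frozen=True)
class ImageLoad:
    process: str   # Sysmon Image: the process doing the loading
    dll: str       # Sysmon ImageLoaded: full path of the DLL that was mapped
    signed: bool   # Sysmon Signed: the DLL carries a valid Authenticode signature


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: backslashes, lower case."""
    return path.replace("/", "\\").lower()


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like a hijack; an empty list is benign."""
    dll = _norm(ev.dll)
    name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll)
    proc_dir = ntpath.dirname(_norm(ev.process))
    reasons: list[str] = []

    # 1. A system-only DLL resolved outside System32/SysWOW64. Exact directory
    #    match on purpose: System32\drivers and friends are not where these live.
    if name in SYSTEM_ONLY_DLLS and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"{name} loaded from non-system directory {dll_dir}")

    # 2. Unsigned code mapped from a location any user can write to.
    if not ev.signed and dll.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"unsigned DLL loaded from user-writable path {dll_dir}")

    # 3. The DLL sits next to an executable that runs from a user-writable
    #    directory: the application directory is the first place the loader looks.
    if dll_dir == proc_dir and proc_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("DLL co-located with an executable in a user-writable directory")
    return reasons


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its reasons, dropping benign loads."""
    return {ev.dll: r for ev in events if (r := classify(ev))}


# Constructed sample events; paths and names are illustrative only.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendor.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\updater.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll", False),
    ImageLoad(r"C:\Users\alice\Downloads\tool.exe", r"C:\Users\alice\Downloads\helper.dll", False),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run it as-is and only the two loads from user-writable directories are reported; the signed vendor DLL next to its application in Program Files stays quiet, which is the distinction that keeps rule 3 from firing on every side-by-side DLL.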

 

LazyScripter Threat Group Attack Scenario

Picus Threat ID: 370387

 

ACTIONS:

 

1. Bypass User Account Control via Koctopus Loader

ATT&CK Technique: T1548 Abuse Elevation Control Mechanism
ATT&CK Tactic: Privilege Escalation, Defense Evasion

 

2. Disable Windows Defender via Koctopus Loader

ATT&CK Technique: T1562 Impair Defenses
ATT&CK Tactics: Defense Evasion

 

3. Execute Octopus Loader using Mshta.exe

ATT&CK Technique: T1218 Signed Binary Proxy Execution
ATT&CK Tactic: Defense Evasion
...

7. Execute Koadic Implant using Rundll32.exe (LazyScripter APT)

ATT&CK Technique: T1547 Boot or Logon Autostart Execution
ATT&CK Tactic: Persistence, Privilege Escalation

 

Sodinokibi Ransomware Scenario
Picus Threat ID: 812374


ACTIONS


1. Execute Commands by using Excel Macro

ATT&CK Technique: T1566 Phishing
ATT&CK Tactic: Initial Access

 

2. Create a new Registry Key for RunOnce

ATT&CK Technique: T1112 Modify Registry
ATT&CK Tactics: Defense Evasion

 

3. Reflective DLL Injection via Invoke-ReflectivePEInjection

ATT&CK Technique: T1055 Process Injection
ATT&CK Tactic: Defense Evasion, Privilege Escalation
...

9. Exfiltrate Collected Data via an Image from the Victim over HTTP Port 80

ATT&CK Technique: T1048 Exfiltration Over Alternative Protocol
ATT&CK Tactic: Exfiltration
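Both "Execute Shellcode by Reading a Registry Key" (step 3 of the FIN7 scenario above) and the RunOnce key created in step 2 of this Sodinokibi scenario leave traces that a hive export will show. The script below is an added example, not Picus tooling: it parses a .reg export (including regedit's backslash-wrapped hex lines), flags Run/RunOnce commands whose executable lives outside Windows or Program Files, and flags REG_BINARY values large enough and high-entropy enough to be a staged payload. Feed it the text of `reg export HKCU\Software hkcu.reg /y` after decoding from UTF-16LE. The embedded .reg content, the Contoso\Cache key, the 256-byte size floor and the 7.0 bits/byte entropy threshold are constructed assumptions.

```python
"""Triage a Windows .reg export for suspicious autoruns and staged binary payloads.

Added example for this newsletter, not Picus tooling. Run it on the text of a
`reg export` (decode from UTF-16LE first); SAMPLE_REG below is constructed."""
from __future__ import annotations
import math
import re
from collections import Counter
from typing import Iterable

AUTORUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MIN_BLOB_BYTES = 256     # assumption: smaller REG_BINARY values are almost always configuration
ENTROPY_THRESHOLD = 7.0  # assumption: encrypted or compressed payloads sit near 8.0 bits/byte

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _join_continuations(lines: Iterable[str]) -> Iterable[str]:
    """regedit wraps long hex values with a trailing backslash; stitch them back together."""
    buf = ""
    for raw in lines:
        buf += raw.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = ""
    if buf:
        yield buf


def _decode(rhs: str) -> str | int | bytes:
    """Decode a .reg right-hand side: quoted REG_SZ, dword:, or hex:/hex(N): byte lists."""
    if rhs.startswith('"'):
        return re.sub(r'\\(["\\])', r"\1", rhs[1:-1])   # un-escape \\ and \"
    if rhs.startswith("dword:"):
        return int(rhs[len("dword:"):], 16)
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", rhs)
    if m:
        return bytes(int(b, 16) for b in m.group(1).split(",") if b)
    return rhs


def parse_reg(text: str) -> dict[str, dict[str, str | int | bytes]]:
    """Parse a .reg export into {key path: {value name: decoded data}}."""
    keys: dict[str, dict[str, str | int | bytes]] = {}
    current = None
    for line in _join_continuations(text.splitlines()):
        if (km := _KEY.match(line)):
            current = km.group(1)
            keys.setdefault(current, {})
        elif (vm := _VALUE.match(line)) and current is not None:
            name = vm.group(1) if vm.group(1) is not None else "(Default)"
            keys[current][name] = _decode(vm.group(2))
    return keys


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def _executable_of(command: str) -> str:
    """First token of an autorun command, honouring a quoted path."""
    command = command.strip()
    return command[1:command.find('"', 1)] if command.startswith('"') else command.split()[0]


def triage(reg: dict[str, dict[str, str | int | bytes]]) -> list[str]:
    """Run/RunOnce commands outside trusted dirs, plus large high-entropy binary values."""
    findings = []
    for key, values in reg.items():
        autorun = key.lower().endswith(AUTORUN_SUFFIXES)
        for name, data in values.items():
            if autorun and isinstance(data, str):
                exe = _executable_of(data)
                if not exe.lower().startswith(TRUSTED_DIRS):
                    findings.append(f"autorun {key}\\{name} -> {exe} (outside trusted directories)")
            elif isinstance(data, bytes) and len(data) >= MIN_BLOB_BYTES:
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings.append(f"{key}\\{name}: {len(data)} bytes at {ent:.2f} bits/byte (possible staged payload)")
    return findings


def _reg_hex(data: bytes, per_line: int = 20) -> str:
    """Render bytes as regedit exports them: comma-separated hex, wrapped with a trailing backslash."""
    hexes = [f"{b:02x}" for b in data]
    return "hex:" + ",\\\n  ".join(",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line))


# Constructed stand-in for an encrypted payload: every byte value occurs exactly twice (8.0 bits/byte).
_STAGED_BLOB = bytes((i * 167 + 13) % 256 for i in range(512))

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"

[HKEY_CURRENT_USER\Software\Contoso\Cache]
"Enabled"=dword:00000001
"Cfg"=hex:01,00,00,00,ff
"Blob"=''' + _reg_hex(_STAGED_BLOB) + "\n"

if __name__ == "__main__":
    print("\n".join(triage(parse_reg(SAMPLE_REG))))
```

The entropy gate is what separates a staged payload from ordinary binary settings: the five-byte Cfg value and the DWORD never reach the threshold, while the 512-byte blob does, and the RunOnce entry is reported only because its executable sits in a Temp directory rather than because RunOnce itself is unusual.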

 

Atomic Attacks

Persistence with XSL Templates

  • Picus Threat ID: 515063
  • ATT&CK Technique: T1220 XSL Script Processing
  • ATT&CK Tactics: Defense Evasion

Source Code Obfuscation via RosFuscator

  • Picus Threat ID: 871846
  • ATT&CK Technique: T1027 Obfuscated Files or Information
  • ATT&CK Tactic: Defense Evasion

Mimikatz Execution by using Shellcode compiled with sRDI

  • Picus Threat ID: 234937
  • ATT&CK Technique: T1055 Process Injection
  • ATT&CK Tactic: Defense Evasion, Privilege Escalation

Our world-class red team analyzed 500,000 TTPs to identify the top 10 most common ATT&CK techniques.

Download Now: The Red Report: Your Handbook to Utilize MITRE ATT&CK Framework

MALICIOUS CODE

APT28 - Delphocy Dropper

  • Picus Threat IDs: 272774, 781652, 599661, 393186, 860835, 590353
  • Signature ATT&CK Techniques: T1204, T1056.004, T1055, T1112, T1010, T1436
  • Target Regions: Asia
  • Target Industries: Government, security organizations, militaries

Clop Ransomware

  • Picus Threat IDs: 456779, 546269, 776580, 573385
  • Signature ATT&CK Techniques: T1547.006, T1012
  • Target Regions: Switzerland, Great Britain, Belgium, United States, The Netherlands, Croatia, Puerto Rico, Germany, Turkey, Russia, Denmark, Mexico, Canada, Dominican Republic
  • Target Industries: ALL

Cring Ransomware

  • Picus Threat ID: 848299
  • Signature ATT&CK Techniques: T1120, T1012, T1215, T1179, T1112, T1055, T1035
  • Target Regions: European countries
  • Target Industries: Industrial enterprises

WEB APPLICATION ATTACKS

VMware vCenter - ESXi - Cloud Foundation Remote Code Execution Vulnerability 

  • Picus Threat ID: 272647
  • OWASP Top 10: A1 - Injection
  • CVSS 3 Base Score: 9.8 Critical
  • CVE: CVE-2021-21972
  • Affected Product: VMware vCenter

SonicWall Email Security Post-Authentication Arbitrary File Read Vulnerability

  • Picus Threat ID: 513653
  • OWASP Top 10: A5 - Broken Access Control
  • CVSS 3 Base Score: 7.5 High
  • CVE: CVE-2021-20023
  • Affected Product: SonicWall Email Security

WordPress XML External Entity Injection (XXE) Vulnerability Variant

  • Picus Threat ID: 458551
  • OWASP Top 10: A4 - XML External Entities (XXE)
  • CVSS 3 Base Score: 8.1 High
  • CVE: CVE-2021-29447
  • Affected Product: WordPress

VULNERABILITY EXPLOITATIONS

Windows Service Elevation of Privilege via Symlink

  • Picus Threat ID: 412953
  • CVE: CVE-2021-26415
  • CVSS 3.1 Base Score: 7.8 High
  • Affected Product: Windows Win32k

Google Chrome V8 SimplifiedLowering Heap Corruption Vulnerability

  • Picus Threat ID: 834931
  • CVE: CVE-2020-16040
  • CVSS 3.1 Base Score: 6.5 Medium
  • Affected Product: Google Chrome

Google Chrome Escape Sandbox via Devtools_page

  • Picus Threat ID: 875742
  • CVE: CVE-2021-21132
  • CVSS 3.1 Base Score: 9.6 Critical
  • Affected Product: Google Chrome

SIGMA RULES

System Information Discovery by Gathering OS Information via WMIC Tool

  • Picus Sigma ID: 7297
  • Technique: System Information Discovery
  • Tactic: Discovery

Gathering Credential Access via Windows Security Login Prompt

  • Picus Sigma ID: 6126
  • Technique: Input Capture: GUI Input Capture
  • Tactic: Collection, Credential Access

IExplorer Data Deletion via Inet.cpl

  • Picus Sigma ID: 6284
  • Technique: Indicator Removal on Host
  • Tactic: Defense Evasion
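To show how rules like the three above are evaluated, here is an added example (not the Picus Sigma rules themselves, which this page does not reproduce): a minimal Sigma-style matcher in Python that implements the endswith, contains, contains|all and re field modifiers and runs three rules expressing these detections over constructed process-creation records shaped like Sysmon Event ID 1. The image paths and command lines are constructed, and the matching patterns (wmic os/computersystem ... get, Get-Credential or PromptForCredential in a PowerShell command line, rundll32 inetcpl.cpl,ClearMyTracksByProcess) are our own choices, not the Picus rule logic.

```python
"""Minimal Sigma-style matcher run over constructed process-creation events.

Added example for this newsletter, not the Picus Sigma rules. The rules use
Sigma's selection syntax (Field|modifier keys) and the events stand in for
Sysmon Event ID 1 records.
"""
from __future__ import annotations
import re

RULES = [
    {
        "title": "System Information Discovery by Gathering OS Information via WMIC Tool",
        "technique": "System Information Discovery", "tactic": "Discovery",
        "selection": {
            "Image|endswith": "\\wmic.exe",
            # 'wmic os get ...' or 'wmic computersystem get ...'
            "CommandLine|re": r"\b(os|computersystem)\b.*\bget\b",
        },
    },
    {
        "title": "Gathering Credential Access via Windows Security Login Prompt",
        "technique": "Input Capture: GUI Input Capture", "tactic": "Collection, Credential Access",
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["Get-Credential", "PromptForCredential"],
        },
    },
    {
        "title": "IExplorer Data Deletion via Inet.cpl",
        "technique": "Indicator Removal on Host", "tactic": "Defense Evasion",
        "selection": {
            "Image|endswith": "\\rundll32.exe",
            # both substrings required: inetcpl.cpl alone also opens the IE settings dialog
            "CommandLine|contains|all": ["inetcpl.cpl", "ClearMyTracksByProcess"],
        },
    },
]


def _match_value(actual: str, modifiers: list[str], expected: str) -> bool:
    """Apply one Sigma value modifier; string comparisons are case-insensitive, as in Sigma."""
    if "re" in modifiers:
        return re.search(expected, actual, re.IGNORECASE) is not None
    a, e = actual.lower(), expected.lower()
    if "endswith" in modifiers:
        return a.endswith(e)
    if "startswith" in modifiers:
        return a.startswith(e)
    if "contains" in modifiers:
        return e in a
    return a == e


def _match_field(event: dict[str, str], spec: str, expected) -> bool:
    """'Field|mod1|mod2': list values are OR-ed unless the 'all' modifier is present."""
    field, *modifiers = spec.split("|")
    actual = event.get(field, "")
    values = expected if isinstance(expected, list) else [expected]
    results = [_match_value(actual, modifiers, v) for v in values]
    return all(results) if "all" in modifiers else any(results)


def matches(rule: dict, event: dict[str, str]) -> bool:
    """Every field in the selection map must match (Sigma AND semantics)."""
    return all(_match_field(event, spec, exp) for spec, exp in rule["selection"].items())


def evaluate(events: list[dict[str, str]], rules: list[dict] = RULES) -> list[tuple[int, str]]:
    """Return (event index, rule title) for every rule hit."""
    return [(i, r["title"]) for i, ev in enumerate(events) for r in rules if matches(r, ev)]


# Constructed process-creation events (Image / CommandLine as Sysmon would log them).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get Caption,Version,OSArchitecture"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "$c = Get-Credential; $c.GetNetworkCredential().Password"'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe inetcpl.cpl,ClearMyTracksByProcess 255"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",          # benign: process listing
     "CommandLine": "wmic process list brief"},
    {"Image": r"C:\Windows\System32\rundll32.exe",           # benign: opens the IE options dialog
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"},
]

if __name__ == "__main__":
    for idx, title in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {title}")
```

The two benign events at the end are there to show why the modifiers matter: "wmic process list brief" contains neither os nor computersystem as a whole word, and the inetcpl.cpl dialog launch lacks ClearMyTracksByProcess, so contains|all keeps it from firing.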