Weekly Intelligence Trends and Advisory | Threat Actor in Focus | Rise in Malware, Ransomware, Phishing | Vulnerability and Exploits – 28 Jan 2022

Threat Actor in Focus

APT36 Expanded its Malware Arsenal to include Android RAT: CapraRAT

Suspected Threat Actors: APT36 (aka Earth Karkaddan, Operation C-Major, APT36, PROJECTM, Mythic Leopard, and Transparent Tribe)

• Attack Type: Malware Implant, Vulnerabilities & Exploits, Data Exfiltration
• Objective: Unauthorized Access, Potential Data Theft, Espionage
• Target Technology: Android Devices
• Target Industry: Government, Military, Aerospace & Defense, Medical
• Target Geography: India, Afghanistan, Islamic Republic of Iran, Israel, Kazakhstan, Saudi- Arabia, United States
• Business Impact: Data Loss

Summary: According to researchers, the suspected Pakistani threat actor group APT36 aka Earth Karkaddan has expanded its malware arsenal by adding a new Android Rat malware -CapraRAT. The android-based malware is not new for the APT group, as back in 2018, it also used “StealthAgent”, an android-based spyware that has the capability to track a victim’s location, steal data, intercept messages and phone calls. Similarly in 2020 the APT36 group used another Android RAT “AhMyth” disguised as an obscene app to target the Indian government and military personnel.

The new Android RAT – CapraRAT is possibly a custom version of other open-source AndroRATs. CapraRAT has properties like the malware named CrimsonRAT which has been used to target Windows Systems by the APT36 group. Researchers have observed the presence of CapraRAT since 2017.

Malicious phishing links are generally used to distribute this malware. Upon execution, the user must give permissions to access stored data and the malware has capabilities which include access to contacts and call history, camera, microphone, can drop other APK files, and can launch other apps or installation packages.

Insights:

1. As per researchers, the APT36 is a politically motivated, advance persistent threat (APT) group which mainly targets Indian government, as well as diplomatic and military resources.
2. The group’s arsenal includes Microsoft Windows malware Crimson, ObliqueRati, NetWire, and android based malware StealthAgent, AhMyth, and the recent addition of CapraRAT.
3. The major timeline for the group involves:
4. 2016: Target Indian Military and Government officials by using spear-phishing attacks to conduct data theft.
5. 2018: Target Pakistan activists to deploy Android spyware StealthAgent and CrimsonRAT.
6. 2020: Target an Indian military organization by using social engineering tactics which include fake profiles of women.
7. 2021: Target the Indian medical industry by using fake covid-19 campaigns.
8. According to the researchers, the group generally used social engineering tactics and phishing emails for the deployment of malware. The most common method used by the group to distribute malware is spear-phishing email having an attached malicious document that contains an embedded macro, which when enabled will further drop and execute RAT. The RAT then tries to connect with the C2 server to download other malware or to receive commands for backdoor operations.

Latest Cyber-Attacks, Incidents, and Breaches

Unconventional IP Addresses Format Used by “Emotet” to Evade Detection

• Attack Type: Social Engineering, Phishing, Spear Phishing
• Objective: Evade Detection, Payload Delivery
• Target Industry: Multiple
• Target Geography: Multiple
• Business Impact: Data Loss, Financial Loss, Operational Disruption

Summary: Researchers recently observed a new Emotet campaign that includes octal and hexadecimal representations for an IP address possibly to evade pattern-matching detections. These unconventional IP addresses are automatically processed by the operating system to be converted into normal dotted decimal quad representation and used by the malware for further communication with the C2 server. This new campaign also uses social engineering tactics for malware distribution and execution including convincing users to enable document macros. A typical attack chain involves the following steps:

1. Spam email containing malicious attachment is sent to the victim.
2. The user is tricked into download such malicious attachments and enable the macro.
3. Once enabled, the macro triggers an unconventional URL having hexadecimal or octal representation as follows: “h^tt^p^[:]/^/0xc12a24f5/cc[.]html” (Hexadecimal representation of URL) or “h^tt^p^[:]/^/0056.0151.0121.0114/c[.]html” (Octal format representation of URL).
4. Such obfuscated URL bypass detections are based on pattern matching.
5. Obfuscated URL convert to dotted decimal quad representation by the underlying operating system and initiate a connection with C2 server.

Insights:

1. Emotet was originally started as a banking trojan used to steal sensitive, financial, as well as other private information. Later, it evolved to malware dropper and was used by cybercriminals to deliver other malware which includes other banking trojans.
2. The macros contain malicious codes that is generally used as a loader in the infection chain and will help in downloading and execution of other payloads. As per researchers, this new Emotet campaign uses Excel 4.0 macros.
3. Researchers found new evidence in December 2021 regarding this malware advancing its technique to drop Cobalt strike beacons directly into the compromised machine.
4. Evasion techniques like obfuscated IP addresses indicate that the capabilities of this malware are continuously evolving to bypass current solutions dependent on pattern matching.
5. Security Operation teams must use filters to keep an eye on such unconventional IP addresses as suspicious and associate them with malicious behaviour.

Vulnerabilities and Exploits

Two Critical Flaws in Control Web Panel Allows Remote Code Execution as Root on Linux Servers

• Attack Type: Vulnerabilities & Exploits, Remote Code Execution (RCE)
• Target Technology: Control Web Panel (CWP)
• Vulnerability: CVE-2021-45467, CVE-2021-45466
• Vulnerability Type: File Inclusion Vulnerability, File Write Bug

Summary: Researchers have found two critical security vulnerabilities in CWP – a popular web hosting management software used by more than 200K servers – that could permit for RCE as root on vulnerable Linux servers. These two vulnerabilities discovered by researchers are traced as CVE-2021-45467 (a file inclusion vulnerability) and CVE-2021-45466 (file write bug) that could be misused as part of an exploit chain to achieve pre-authenticated RCE on vulnerable Linux servers.

Insights:

1. In order to exploit these vulnerabilities and inject malicious code from a remote resource, and succeed in code the attacker merely needs to modify the include statement, which is used to insert the content of one PHP file into another PHP file, before the server execution.
2. The CWP application was designed to flag attempts that tried to switch to a parent directory (denoted by “..”). However, the protections failed against the PHP interpreter accepting specially crafted strings such as “.$00.” which allowed a full bypass.
3. These vulnerabilities not only permit threat actor to gain access to restricted API section without authentication but it can also be utilized in combination with an arbitrary file write vulnerability (CVE-2021-45466) to obtain full remote code execution on the server as follows —(a) Send a null byte powered file inclusion payload to add the malicious API key (b) Use API key to write to a file (CVE-2021-45466) (c) Use step #1 to include the file we just wrote into (CVE-2021-45467)