Weekly Intelligence Trends and Advisory | Threat Actor in Focus | Rise in Malware, Ransomware, Phishing | Vulnerability and Exploits – 4 Feb 2022

Threat Actor in Focus

APT MuddyWater Engaged in Targeting Turkish Users by Using Malicious PDFs and Executables.

Suspected Threat Actors: MuddyWater (aka Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros)

• Attack Type: Malware Implant, Spear Phishing, Data Exfiltration
• Objective: Espionage, Unauthorized Access, Intellectual Property Theft, Malware Implant, and Ransomware
• Target Technology: Microsoft Windows, Microsoft Excel Documents, PDFs
• Target Industry: Government
• Target Geography: Turkey
• Business Impact: Data Loss

Summary: Researchers recently observed a campaign by the Iran-based advance persistent threat (APT) group “MuddyWater” targeting Turkey. As an initial vector, the group is using the malicious PDFs and Microsoft Office documents masqueraded as legitimate documents related to Turkish Interior and Health Ministries including the Scientific and Technological Research Council of Turkey distributed via spear-phishing email messages. The PDF files distributed with embedded malicious links act as the first stage of infection and raises an error message to trick users to click on a link to resolve the issue. On clicking the link, the PDFs are redirected to URLs that host the XLS files having malicious macros that further deploy Visual Basic and PowerShell scripts.

VBA macros are used to gain persistence across reboots, setting up malicious VBS as well as PS scripts, and one interesting functionality was added into the latest malicious VBA code versions to track tokens by making HTTP requests to canary token from canarytokens[.]com used to serve many purposes like to keep track of successful infections, to use as a tool for anti-analysis, and to detect blocking of payload servers.

Researchers also observed some instances where instead of XLS files, the Windows executables (EXE) files were hosted by these malicious URLs and worked in a similar way to further deploy VBS and PS scripts. The EXE files used Turkish names and can also be delivered independently. Upon execution, the malicious EXE drops decoy Office or PDF document in hex format in a temporary folder. This decoy document opens and displays automatically to the victim by using a PDF or document reader and in background, the EXE starts its main malicious activity to download and execute other malicious PowerShell scripts.

The researchers have high confidence in attributing this campaign with APT “MuddyWater” based on TTPs, IOCs, technical indicators, infection chains used, code, meta-data, and other scripts that showed resemblance to earlier discovered MuddyWater artifacts.

Insights:

1. As per researchers, the MuddyWater (also known as Earth Vetala, MERCURY, Static Kitten, Seedworm) is a politically motivated APT group attributed to Iran and is active since 2017. It is motivated to run campaigns against high-value targets in Asian, European, and American countries.
2. Researchers claim that the campaigns run by the MuddyWater threat actor are used to achieve either of the following objectives:
   1. Espionage: To achieve political dominance in the Middle East region
   2. Intellectual Property Theft: To achieve economic advantage by carrying out aggressive campaigns against government and private entities of target countries
   3. Ransomware Attacks: To disrupt operations and in past was observed to have used Thanos ransomware for achieving the same objective.
3. The APT group uses HTTP for initial connection with hosting servers and relies on DNS to commute with C2 server. Visual Basic and PowerShell scripts are used for initial payloads along with LoLBins to assist in infection.

Latest Cyber-Attacks, Incidents, and Breaches

Routers exposed to EternalSilence campaign by abusing UPnP Protocol

• Attack Type: Vulnerabilities & Exploits
• Objective: Evade Detection, CryptoMining, Initial Access, and Malware Implant
• Target Industry: Multiple
• Target Geography: Multiple
• Business Impact: Data Loss, Operational Disruption

Summary: Researchers observed a malicious campaign “EternalSilence” exploiting Universal Plug and Play (UPnP) protocol – which is a connectivity protocol available in almost all modern routers – allowing the creation of port forwarding rules automatically on a router by other devices on a network. This attack converts the victim router into a proxy server which can be used by attackers to launch malicious attacks while hiding the location of attackers. The UPnP implementation is vulnerable as it allows remote attackers to add UPnP port forwarding entries through the device’s exposed WAN connection.

Under this campaign, the threat actors are trying to exploit EternalRed (CVE-2017-7494) and EternalBlue (CVE-2017-0144) on unpatched Linux and Windows machines which can further lead to other infections like cryptominers infections, initial access to corporate organizations, and initiate worm attacks to compromise whole corporate network. The attack attempts to expose TCP ports 139 and 445 of devices connected to the target router and the rulesets created by attackers contain the Spanish phrase “galleta silenciosa” which means “silent-cookie”.

Insights:

1. EternalSilence campaign could be harmful for the organization as network segmentation is ineffective against it.
2. The researchers noticed that out of 3,500,000 UPnP routers available online 277,000 are vulnerable to this attack and 45,113 have already been compromised by abusing this vulnerability by threat actors, calling the attack UPnP proxy to create proxies and hide their malicious operations.
3. Earlier if machines are not exposed to the internet directly and behind the NAT, they are most probably considered safe from the EternalBlue and EternalRed attacks. However, the EternalSilence attack removed this safe NAT barrier and expose the victims to the same old exploits.

Vulnerabilities and Exploits

A Critical Plugin RCE Vulnerability Affected 600k WordPress Sites

• Attack Type: Vulnerabilities & Exploits, Remote Code Execution (RCE)
• Target Technology: WordPress plugin (Elementor)
• Vulnerability: (Unassigned CVE)
• Vulnerability Type: File Inclusion Vulnerability

Summary: Essential Addons for Elementor, a popular WordPress plugin used in over a million sites, has been found to have a critical RCE vulnerability in version 5.0.4 and older. The flaw allows an unauthenticated user to perform a local file inclusion attack, such as a PHP file, to execute code on the site. With the plugin installed in over 1 million WordPress sites, that means there are over 600K sites that have not applied the security update yet.

Insights:

1. The local file inclusion vulnerability exists due to the way user input data is used inside of PHP’s include functions that are part of the “ajax_load_more” and “ajax_eael_product_gallery” functions. The only prerequisite for the attack is for the site to have the “dynamic gallery” and “product gallery” widgets enabled so that a nonce token check is present.
2. A researcher discovered the vulnerability on January 25, 2022, and the plugin developer already knew about its existence at that time. The author had released version 5.0.3 to fix this issue by applying a “sanitize_text_field” function on the user input data. However, this sanitization does not prevent the inclusion of local payloads. In the second attempt, the author released version 5.0.4, which added the “sanitize_file_name” function and tried to remove special characters, dots, slashes, and anything that could be used for overriding the text sanitization step. This was the version that researchers tested and found vulnerable, so the researchers informed the developer that the fix had not mitigated the issue sufficiently. Eventually, the author released version 5.0.5 that implemented PHP’s “real path” function, preventing malicious pathname resolutions.