Ankura CTIX FLASH Update - March 17, 2023
Actors Observed Abusing Adobe Acrobat Sign Service to Spread "Redline" Malware
Researchers have recently observed actors taking advantage of the legitimate e-signature service Adobe Acrobat Sign to distribute info-stealing malware. The campaign operators register for the service and send targeted emails containing documents hosted on Adobe's servers. The emails come from a real Adobe email address and contain a legitimate Adobe URL, which lends them credibility and entices users to open the shared documents and click a link embedded in the documents' text. The link redirects users to a different website that prompts for a hard-coded CAPTCHA to be entered. Once the CAPTCHA is completed, users are prompted to download a malicious ZIP file that contains one (1) of two (2) possible "Redline" trojan variants, which have capabilities to exfiltrate passwords, cryptocurrency wallets, and more from a victim device. Researchers noted that the campaign operators "artificially increased the size of the Trojan to more than 400MB", which is suspected to be an attempt to evade antivirus engines that behave differently for large files. Currently, this technique appears to be targeted at a specific victim, but there is a chance that it could be picked up by additional actors and see more widespread usage in the future. CTIX analysts recommend that users be cautious of all files they are emailed and verify their legitimacy prior to interacting with them.
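The inflated-file-size evasion noted above leaves a measurable trace that defenders can look for: a ZIP member that is very large on disk yet compresses to almost nothing is usually padding rather than real code. The following Python script is an added example, not code from the report or from the researchers it cites; it builds a constructed sample archive (a small text file plus a padded executable-looking member) and flags members whose uncompressed size and compression ratio both exceed thresholds that are assumed here for illustration, then checks whether the member's tail is null padding.

```python
import io
import zipfile

# Constructed sample size for the example. The campaign's trojan exceeded 400 MB;
# 2 MiB is used here only so the example runs quickly.
PADDED_SIZE = 2 * 1024 * 1024


def build_sample_zip() -> bytes:
    """Build a constructed archive mimicking the inflation trick: a benign-looking
    text file and a member with a tiny 'MZ' stub followed by null padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Please review the attached document.\n")
        stub = b"MZ" + b"\x90" * 4096
        zf.writestr("Document.exe", stub + b"\x00" * (PADDED_SIZE - len(stub)))
    return buf.getvalue()


def inflation_ratio(info: zipfile.ZipInfo) -> float:
    """Uncompressed size divided by compressed size. Padding compresses
    extremely well, so padded members show a very high ratio."""
    if info.compress_size == 0:
        return 0.0
    return info.file_size / info.compress_size


def find_inflated_members(zip_bytes: bytes,
                          min_size: int = 1024 * 1024,
                          min_ratio: float = 50.0) -> list:
    """Return (name, uncompressed_size, ratio) for members that are at least
    min_size bytes and compress at min_ratio:1 or better. Both thresholds are
    assumptions for this example and should be tuned to the environment."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = inflation_ratio(info)
            if info.file_size >= min_size and ratio >= min_ratio:
                hits.append((info.filename, info.file_size, round(ratio, 1)))
    return hits


def tail_null_fraction(zip_bytes: bytes, name: str, tail_len: int = 65536) -> float:
    """Fraction of zero bytes in the last tail_len bytes of a member; values
    near 1.0 indicate the member was padded rather than genuinely large."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        data = zf.read(name)
    tail = data[-tail_len:]
    return tail.count(0) / len(tail) if tail else 0.0


if __name__ == "__main__":
    sample = build_sample_zip()
    for name, size, ratio in find_inflated_members(sample):
        nulls = tail_null_fraction(sample, name)
        print(f"{name}: {size} bytes, ratio {ratio}:1, tail null fraction {nulls:.2f}")
```

The compression ratio is read straight from the central directory, so the first pass costs nothing beyond parsing the archive; only members that trip the size and ratio thresholds are decompressed for the tail check. A file that is large because it genuinely carries code or media will compress poorly and will not be flagged.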
Threat Actor Activity
Threat Profile: Winter Vivern
Threat actors from the Russia-aligned Winter Vivern APT group have been conducting global cyberespionage campaigns against those who support and aid Ukraine. Winter Vivern, named after a command-and-control (C2) node URL string, was brought to light in early 2021 and has since been an underreported group. These actors attempt to stay out of the limelight as much as possible; however, this recent campaign has brought attention back to the group. Historically, the group has targeted numerous government organizations throughout India, Lithuania, Slovakia, and the Vatican with espionage-related cyberattacks. Recent activity from Winter Vivern involved targeting the Ukrainian and Italian Ministries of Foreign Affairs, Polish government agencies, and high-profile individuals throughout the Indian government. Tactics, techniques, and procedures (TTPs) of this campaign include Winter Vivern actors hosting clones of websites to disseminate their malicious payloads, hosting websites for credential phishing, and deploying masked Windows batch files that execute on a set schedule. One (1) malware variant observed during this campaign is “APERETIF”, which is often hosted on compromised, vulnerable WordPress websites for malware distribution. Indicators of compromise (IOCs) uncovered in this recent Winter Vivern campaign can be referenced from the reports below. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Over 100 Organizations Actively Exploited with Fortra GoAnywhere MFT Bug
A spokesperson for the cloud data management firm Rubrik confirmed that the company was compromised by malicious threat actors from the Clop ransomware group, who exploited a vulnerability in a third-party file transfer tool. The threat actors exploited a flaw in the GoAnywhere MFT managed file-transfer solution from Fortra, a critical vulnerability that has already led to the compromise of over 100 additional organizations. The flaw, tracked as CVE-2023-0669, is a pre-authentication command injection vulnerability caused by deserializing an arbitrary attacker-controlled object within GoAnywhere's License Response Servlet. A malicious attacker who can reach the administrator console could exploit this flaw to achieve remote code execution (RCE). The exfiltrated Rubrik data comes from a non-production IT testing environment containing internal sales information such as customer and partner names, business contacts, and a “limited number” of distributor orders. The third-party firm conducting Rubrik's post-breach analysis stated that "there was no sensitive personal data such as Social Security numbers, financial account numbers, or payment card numbers exposed in the servers accessed." The data is slowly being posted on Clop's leak site in an attempt to further extort a ransom payment from Rubrik. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, meaning that regulated agencies must quickly patch the flaw or be held accountable. This vulnerability has since been patched, and CTIX analysts urge any organizations using GoAnywhere MFT to upgrade to version 7.1.2 to prevent exploitation. Attacks from Clop ransomware have been on the rise since the end of January, with exfiltrated data from several other organizations added to their leak site.
ChipMixer Platform Seized and Dismantled for Laundering Ransomware Payments
Adding to recent efforts to tackle international cybercrime, the US (FBI), Germany (BKA), and other European law enforcement agencies led a coordinated effort to seize four (4) servers belonging to ChipMixer along with $46.5 million in Bitcoin and seven (7) TB of data. ChipMixer has been a notorious player in the cryptocurrency mixing platform arena, having facilitated the laundering of up to $3.75 billion in Bitcoin since beginning operations in 2017. Cryptocurrency mixers offer a way for hackers, ransomware groups, and scammers to obfuscate financial tracks by commingling users’ crypto assets and funneling the pooled, now hard-to-trace funds back out to the designated recipients. The ChipMixer platform has facilitated mixing $844 million worth of digital assets linked to illicit addresses with known criminal activity, a large majority of which has been traced back to stolen funds. ChipMixer is suspected to have aided prominent criminal groups such as North Korea’s Lazarus Group, APT28 (aka Fancy Bear or Strontium), LockBit, Zeppelin, SunCrypt, Mamba, and Dharma. Beyond dismantling the clearnet and dark web websites connected to the platform, the DOJ also charged Minh Quốc Nguyễn, a 49-year-old Vietnamese national, with money laundering and with creating and running the unlicensed cryptocurrency mixing service.