Ankura CTIX FLASH Update - November 1, 2022
Two New Reports Published on the LODEINFO Malware Targeting Japanese Organizations
Kaspersky researchers have recently published two (2) reports on their observations of APT10, the Chinese Cicada hacking group, abusing antivirus software to target Japanese organizations with a new version of the "LODEINFO" malware. LODEINFO is a sophisticated, fileless backdoor that is regularly updated to target think tanks as well as media, governmental, diplomatic, and public sector organizations in Japan. The researchers first discussed their observations from March and June of 2022, when APT10 attacks in Japan used a Microsoft Word file as the initial infection vector and later used an SFX file carrying a decoy file with the name of a famous Japanese politician in the filename. During this time, a new downloader shellcode called "DOWNNIISSA" was observed being used to deploy the LODEINFO backdoor. From March to June of 2022, various improvements were made to the backdoor shellcode and multiple versions were produced. Some of the improvements include adding encryption for command-and-control (C2) communication with an "ancient crypto algorithm," 2-byte obfuscation for backdoor command identifiers, and a hashing algorithm used to resolve API functions. Other improvements include adding evasion capabilities for US environments, generation of user agents for C2 communications, a command for injecting 64-bit shellcode in memory, and reducing the number of backdoor commands to improve the efficiency of the backdoor. Kaspersky researchers also noted that versions v0.6.6 and v0.6.7 were observed in September 2022 utilizing new tactics, techniques, and procedures (TTPs), which are detailed at a high level in the conclusion of the second report. Technical details as well as indicators of compromise (IOCs) can be viewed in Kaspersky's two (2) reports linked below.
Threat Actor Activity
Threat Profile: Cranefly
An emerging threat organization tracked as Cranefly, also known as UNC3524, has been observed utilizing new techniques, tools, and scripts in their active campaigns. Cranefly threat actors focus on launching campaigns against corporate development, mergers & acquisitions, and large corporate transactions. Stealthy attacks are Cranefly's preferred method: the actors hide within the infected environment by deploying several backdoors on unprotected appliances such as load balancers and wireless access point controllers. Recently, the threat actors began targeting employees who are heavily involved with major corporate transactions, specifically with the "Geppei" dropper and "Danfuan" malware. The Geppei dropper sets the stage for the attack, allowing the Danfuan malware and other threat actor payloads to be deployed onto the compromised system. These malicious payloads communicate stealthily by reading commands from Internet Information Services (IIS) logs, where the commands are masked as harmless web requests from Cranefly command-and-control (C2) servers. No data has been observed being exfiltrated from the victim's infrastructure, leading researchers to believe Cranefly's primary motive is intelligence gathering. CTIX continues to monitor threat actor activity worldwide and will provide updates accordingly.
ConnectWise Patches Critical RCE Vulnerability Impacting Thousands of Users Across the Globe
IT solution provider ConnectWise has patched a critical remote code execution (RCE) vulnerability in its ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions. If successfully exploited, threat actors could execute arbitrary code within the vulnerable environment, as well as pilfer sensitive information. The flaw is described as an Improper Neutralization of Special Elements in Output Used by a Downstream Component vulnerability. This type of vulnerability occurs when the affected software constructs a command from external, user-supplied input received from an upstream component but fails to neutralize special elements that can change how the command is processed and interpreted when it is passed on to a downstream component. The R1Soft SBM backup solution is a very popular tool utilized by cloud hosting providers and managed service providers. According to a Shodan scan, more than 4,800 R1Soft servers are exposed to the internet and may be vulnerable to attacks if they have not been patched. CTIX analysts recommend that ConnectWise users ensure their instances of Recover SBM have been automatically updated to v2.9.9, and that R1Soft users upgrade to SBM v6.16.4 immediately.