Threat Intel Digest by RiskIQ, 5/16/2022



PassiveTotal Threat Intel Digest


This digest highlights OSINT and original research that RiskIQ has gathered and enriched weekly.


Commodity Skimming & Magecart Trends in First Quarter of 2022

Digital credit skimming has undergone a significant transformation since researchers first started tracking the phenomenon in the early twenty aughts. Once, skimming was a space ruled by a handful of highly skilled groups that carefully chose and hit their targets, manipulating the JavaScript on websites to steal customers' credit card info, often to sell on the black market. Today, it's a much more inclusive group packed with cybercriminals that take advantage of cheap, widely available, and easy-to-use skimmers.

RiskIQ MageCart Group7 Group8 Group12 Skimmer JavaScript

1740 Indicators      42 Public      1698 RiskIQ


RiskIQ: CVE-2022-1388 - F5 BIG-IP Command Execution

This critical vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the iControl management port to execute arbitrary system commands, create or delete files, or disable services.

RiskIQ CVE-2022-1388 Vulnerability Alert webshell

40 Indicators      40 Public     


Info-stealer Campaign targets German Car Dealerships and Manufacturers - Check Point Software

Check Point researchers uncovered a dedicated campaign targeting German companies, with a focus on German car dealerships and manufacturers. The campaign uses extensive infrastructure designed to look like existing German car dealerships and manufacturers. According to the researchers, emails containing receipts and contracts in German, designed to instill confidence and lure recipients, were sent to carefully selected targets. The main malware hosting site is an Iranian-hosted non-governmental website with a double connection to the campaign.

InfoStealer Germany Automotive Malware Phishing MaaS AZORult BitRAT Raccoon

49 Indicators      49 Public     


Network Footprints of Gamaredon Group

Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an APT group based in Russia. Their activities can be traced back as early as 2013, prior to Russia's annexation of the Crimean Peninsula. This blog post contains the Cognitive Intelligence Team's observations of Gamaredon Group's activities during the month of March 2022.

APT Gamaredon Russia Malware Pteranodon Crimea

96 Indicators      96 Public     


RiskIQ: Dridex Certificates and C2 Infrastructure 2022/05/12

Here we provide updated IOCs for Dridex command and control infrastructure, gathered through observations based on our previous analysis. See our list of references below for further information.

Dridex C2 Malware

51 Indicators      0 Public      51 RiskIQ


RiskIQ: GootKit Payload Delivery URLs, May 12, 2022

Between 6 May 2022 - 11 May 2022, RiskIQ detected eight fake forum pages containing a link to the GootKit payload delivery URL.

RiskIQ GootKit

13 Indicators      13 Public     


Threat Advisory: Critical F5 BIG-IP Vulnerability

A recently disclosed vulnerability in F5 Networks' BIG-IP could allow an unauthenticated attacker to access the BIG-IP system to execute arbitrary system commands, create and delete files, and disable services, and could lead to additional malicious activity. Cisco has published a list of attacker IPs associated with this CVE based on their telemetry.

CVE-2022-1388 Scanning Cisco

118 Indicators      118 Public     


Bitter APT adds Bangladesh to their targets

Cisco Talos discovered an ongoing campaign, operated by what they believe is the Bitter APT group, that has been active since August 2021. This campaign targets an elite unit of Bangladesh's government with a themed lure document purporting to relate to the regular operational tasks of the victim's organization. The emails contain either a malicious RTF document or a Microsoft Excel spreadsheet weaponized to exploit known vulnerabilities. Once the victim opens the maldoc, the Equation Editor application is automatically launched to run the embedded objects containing the shellcode, which exploits the known Microsoft Office vulnerabilities CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802, then downloads the trojan from the hosting server and runs it on the victim's machine. The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, opening the door to other activities by installing additional tools. In this campaign the trojan runs on its own, but the actor has other RATs and downloaders in their arsenal.

Cisco BitterAPT T-APT-17 SpearPhishing CVE-2017-11882 CVE-2018-0798 CVE-2018-0802

25 Indicators      25 Public     


TA578 using thread-hijacked emails to push ISO files for Bumblebee malware

Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. These thread-hijacked emails either have links to URLs similar to those used in the Contact Forms campaign, or they have password-protected zip attachments. Either method delivers an ISO file containing files that install Bumblebee malware. Today's diary compares two examples of ISO files for Bumblebee malware from Monday 2022-05-09 that appear to be from TA578.

Bumblebee Malware TA578 ISC

22 Indicators      22 Public     


Please Confirm You Received Our APT | FortiGuard Labs 

FortiGuard Labs examined a spearphishing email sent to a diplomat in Jordan. The email contained a malicious attachment that had capabilities and techniques usually associated with advanced persistent threats (APTs). Based on the techniques used in this attack, it appears to be another campaign launched by APT34. This blog analyzed the attack chain associated with this email and the traits that set it apart from average malware, such as DNS tunneling and stateful programming.

SpearPhishing FortiGuardLabs APT34 VBA WMI Saitama

21 Indicators      21 Public     


RiskIQ: Dridex Certificates and C2 Infrastructure 2022/05/11

Here we provide updated IOCs for Dridex command and control infrastructure, gathered through observations based on our previous analysis. See our list of references below for further information.

Dridex C2 Malware

53 Indicators      0 Public      53 RiskIQ


Bitter APT adds Bangladesh to their targets

Cisco Talos has observed an ongoing malicious campaign, active since August 2021, from the Bitter APT group that appears to target users in Bangladesh, a change from the attackers' usual victims. As part of this, there's a new trojan based on Apost that Talos is calling "ZxxZ," which, among other features, includes remote file execution capability. Based on the similarities between the C2 server in this campaign and that of Bitter's previous campaign, Cisco Talos assesses with moderate confidence that this campaign is operated by the Bitter APT group.

CVE-2017-11882 CVE-2018-0798 CVE-2018-0802 Microsoft MicrosoftOffice Bitter APT T-APT-17 Bangladesh ZxxZ RAT Trojan

59 Indicators      59 Public     


Mass distribution of the JesterStealer malware using the topic of chemical attack (CERT-UA # 4625)

Ukraine's CERT-UA discovered a mass distribution of e-mails using the subject "chemical attack" and a link to an XLS document containing a macro. When opened, the macro downloads and runs an EXE file, which infects the computer with the JesterStealer malware. Note that the executable files are downloaded from compromised web resources.

Ukraine CERT-UA Phishing JesterStealer

25 Indicators      25 Public     


RiskIQ: Identifying Dridex C2 via SSL Certificate Patterns

On 2022/01/14 we published an article on patterns in self-signed SSL certificates related to Dridex command and control (C2). This blog expands on that work, looking at additional Dridex C2 SSL cert patterns. Using those patterns we were able to identify previously unreported, live C2 servers.

Dridex Malware C2

74 Indicators      6 Public      68 RiskIQ


RiskIQ: VBScript Hosted on BlogSpot URL Deploys Malware Associated with NyanCat

On 27 April 2022, RiskIQ detected malicious VBScript at a BlogSpot URL. The code was similar to prior code observed by RiskIQ in November 2021. The deployment of this newly observed code was likely conducted back in February 2021.

RiskIQ Malware NyanCat

18 Indicators      4 Public      14 RiskIQ


The Data Analysis Behind the Cyber Attack on Beijing Healthbao

Beijing HealthCare suffered a DDoS attack on April 28.

Botnet DDoS 360NetLab RipprGang Fbot

48 Indicators      48 Public     


Cybereason vs. Quantum Locker Ransomware

Quantum Locker is a ransomware strain that was first discovered in July 2021. Since then, the ransomware has been observed in fast-moving attacks, in some cases with a Time-to-Ransom (TTR) of less than 4 hours, leaving defenders little time to react. IcedID, delivered via a phishing attack, was used to deploy and execute Quantum Locker.

Ransomware Cybereason IcedID QuantumLocker

25 Indicators      25 Public     


Octopus Backdoor is Back with a New Embedded Obfuscated Bat File

Xavier Mertens covers an example of Octopus Backdoor delivered via a Word document.

Backdoor Malware OctopusBackdoor Word MalDoc

5 Indicators      5 Public     


F5 BIG-IP Unauthenticated RCE Vulnerability (CVE-2022-1388)

An unauthenticated remote code execution (RCE) vulnerability has been discovered for BIG-IP devices older than BIG-IP 17. There are currently exploits publicly available for this vulnerability. Patches are available for BIG-IP 13-16. Patches are *NOT* available for BIG-IP 11 and 12 as they are too old (these versions are still vulnerable). Such devices should be patched and their management interfaces should not be directly exposed to the internet.

F5-BIG-IP Vulnerability ActiveExploitation Exploit RCE CVE-2022-1388

0 Indicators      0 Public     

RiskIQ | 22 Battery Street, 10th Floor | San Francisco, CA 94111
© Copyright 2022 RiskIQ, Inc. All rights reserved.