Co-author: Ippolito Forni, Threat Intelligence Consultant
Cybercrime Group FIN7 Returns Delivering Clop Ransomware
In April 2023, financially motivated cybercrime group FIN7 returned after a long period of inactivity as reported by Microsoft Threat Intelligence. [1] The group, also known as ELBRUS/Sangria Tempest, was observed delivering Clop ransomware. The actor uses PowerShell scripts known as POWERTRASH to deliver the Lizard tool as a bridgehead into the targeted network. Once the foothold is established, FIN7 uses OpenSSH and Impacket for lateral movement and ransomware deployment.
This is not the first time FIN7 has been spotted deploying ransomware. In the past, groups affiliated with FIN7 were seen deploying the REvil, Maze, DarkSide, BlackMatter, Ryuk and ALPHV ransomware strains. [2]
Clop ransomware was first observed in February 2019 and has been active ever since under a Ransomware-as-a-Service model. In March 2023 alone, the leak site was displaying 91 victims. The group even claimed the exploitation of a zero-day vulnerability (CVE-2023-0669), which is uncommon among cybercriminal groups and more typical of nation-state sponsored groups. [3]
BatLoader Campaign Uses Google Search Ads to Deliver Fake Midjourney and ChatGPT Apps
Researchers at the eSentire Threat Response Unit (TRU) published a report in early May describing a BatLoader campaign that uses Google Search Ads to lure users into downloading fake Midjourney and ChatGPT apps. [4] The two AI services have been extremely popular in 2023 but lack stand-alone applications. The actor exploited this gap by giving users the impression that they were downloading legitimate apps.
To achieve its objective, the threat actor created landing pages with links to MSIX Windows App Installer files. Once the link is clicked, a BatLoader payload is delivered. The Windows App Package files are digitally signed by ASHANA GLOBAL LTD, so victims can execute them without a signature warning. When run, they launch an executable, ChatGPT.exe, and a PowerShell script, Chat.ps1.
ChatGPT.exe opens a pop-up window displaying the genuine ChatGPT URL, giving the impression of legitimacy. Meanwhile, Chat.ps1 downloads and loads RedLine Stealer from a malicious domain. RedLine Stealer then connects to an IP address controlled by the threat actor.
The same approach is used when downloading the fake Midjourney apps, but the RedLine Stealer payload connects to a different C2 domain.
Chinese State-Sponsored Group Volt Typhoon Targets US Critical Infrastructure
The United States and international cybersecurity authorities have issued a joint Cybersecurity Advisory (CSA) to highlight recently discovered activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon.
According to the joint CSA [5], one of the actor’s primary tactics consists of living off the land techniques, which use built-in network administration tools to achieve their objectives. This tactic lets the actor evade detection by blending in with normal Windows system and network activity: it avoids endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and it limits the amount of activity captured in default logging configurations.
Living off the land tools include:
- certutil
- dnscmd
- ldifde
- makecab
- net user/group/use
- netsh
- nltest
- ntdsutil
- PowerShell
- reg query/save
- systeminfo
- tasklist
- wevtutil
- wmic
- xcopy
The threat actor also uses open-source tools, such as:
- Fast Reverse Proxy (frp)
- Impacket
- Mimikatz.exe
- Remote administration tools
Microsoft Threat Intelligence also published research [6] documenting its insight into this activity. Volt Typhoon focused on critical infrastructure organizations located in the U.S. and Guam in “the communications, manufacturing, utility, transportation, construction, maritime, government, information technology and education sectors.”
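Because each of the built-in tools listed above is legitimate on its own, a useful detection looks at how many distinct ones a single principal runs on a host rather than at any one execution. The following is an added example (not code from the advisory or from EclecticIQ) that applies that idea to constructed process-creation records whose key=value format, hosts and users are assumptions:

```python
import re
from collections import defaultdict

# Built-in Windows tools the CISA advisory (AA23-144A) lists as used by Volt Typhoon,
# mapped to the image names a process-creation event records.
LOTL_BINARIES = {
    "certutil.exe", "dnscmd.exe", "ldifde.exe", "makecab.exe", "net.exe", "net1.exe",
    "netsh.exe", "nltest.exe", "ntdsutil.exe", "powershell.exe", "reg.exe",
    "systeminfo.exe", "tasklist.exe", "wevtutil.exe", "wmic.exe", "xcopy.exe",
}

# Constructed log lines (hypothetical hosts and users) modelled on the fields of a
# Windows Security 4688 process-creation event; the line format is an assumption.
SAMPLE_EVENTS = [
    r'host=WS01 user=alice image=C:\Windows\System32\tasklist.exe cmdline="tasklist"',
    r'host=WS01 user=alice image=C:\Windows\System32\notepad.exe cmdline="notepad report.txt"',
    r'host=SRV02 user=bob image=C:\Windows\System32\netsh.exe cmdline="netsh interface show interface"',
    r'host=SRV02 user=bob image=C:\Windows\System32\systeminfo.exe cmdline="systeminfo"',
    r'host=DC01 user=svc_backup image=C:\Windows\System32\nltest.exe cmdline="nltest /dclist:corp"',
    r'host=DC01 user=svc_backup image=C:\Windows\System32\netsh.exe cmdline="netsh interface show interface"',
    r'host=DC01 user=svc_backup image=C:\Windows\System32\ntdsutil.exe cmdline="ntdsutil"',
    r'host=DC01 user=svc_backup image=C:\Windows\System32\reg.exe cmdline="reg query HKLM\SOFTWARE"',
    r'host=DC01 user=svc_backup image=C:\Windows\System32\wevtutil.exe cmdline="wevtutil qe Security /c:5"',
    "malformed line that should be ignored",
]

EVENT_RE = re.compile(
    r'host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"'
)

def parse_event(line):
    """Parse one constructed event line; return None for lines that do not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Compare on the bare, lower-cased image name so path and casing do not matter.
    ev["image"] = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev

def lotl_breadth(lines, threshold=4):
    """Group LOTL executions by (host, user) and return the pairs that ran at least
    `threshold` distinct built-in tools. Any one of these tools is routine admin
    activity, so the signal is breadth of use by one principal, not a single event."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["image"] in LOTL_BINARIES:
            seen[(ev["host"], ev["user"])].add(ev["image"])
    return {key: sorted(tools) for key, tools in seen.items() if len(tools) >= threshold}

if __name__ == "__main__":
    for (host, user), tools in lotl_breadth(SAMPLE_EVENTS).items():
        print(f"{host} / {user}: {len(tools)} distinct LOTL tools: {', '.join(tools)}")
```

The threshold is a tuning knob: set it from a baseline of what administrators in the environment normally run, since the open-source tools named above (frp, Impacket, Mimikatz) are not caught by image name and need separate coverage.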
Remote Code Execution Vulnerability in Barracuda Email Security Gateway
Enterprise security firm Barracuda has disclosed the exploitation of a zero-day vulnerability in its Email Security Gateway (ESG) appliances. [7] The flaw, identified as CVE-2023-2868 [8], was actively abused by threat actors for at least seven months before being discovered in May 2023.
The vulnerability affected versions 5.1.3.001 through 9.2.0.006 of Barracuda's ESG and allowed remote attackers to execute code on vulnerable installations. Barracuda released patches for the vulnerability after its discovery. The attacks resulted in unauthorized access to a subset of ESG appliances, with evidence of malware, data exfiltration, and persistent backdoor access being found.
Three malware strains named SALTWATER, SEASPY, and SEASIDE were identified, with code overlaps between SEASPY and an open-source backdoor called cd00r. The attacks have not been attributed to any specific threat actor or group. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalogue and urged federal agencies to apply the patches promptly. [9] While Barracuda did not disclose the number of breached organizations, they have contacted affected organizations and warned that additional victims may be discovered during the ongoing investigation.
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Intelligence and Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.
Appendix
[1] Microsoft Threat Intelligence [@MsftSecIntel], “Financially motivated cybercriminal group Sangria Tempest (ELBRUS, FIN7) has come out of a long period of inactivity. The group was observed deploying the Clop ransomware in opportunistic attacks in April 2023, its first ransomware campaign since late 2021,” Twitter, May 18, 2023. https://twitter.com/MsftSecIntel/status/1659347799442432002 (accessed May 31, 2023).
[2] “FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7,” Mandiant. https://www.mandiant.com/resources/blog/evolution-of-fin7 (accessed May 31, 2023).
[3] “Clop Ransomware Leak Site Shows Increased Activity,” Apr. 05, 2023. https://www.secureworks.com/blog/clop-ransomware-leak-site-shows-increased-activity (accessed May 31, 2023).
[4] “BatLoader Impersonates Midjourney, ChatGPT in Drive-by Cyberattacks,” eSentire. https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks (accessed May 31, 2023).
[5] “People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection | CISA,” May 24, 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a (accessed May 31, 2023).
[6] Microsoft Threat Intelligence, “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Security Blog, May 24, 2023. https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ (accessed May 31, 2023).
[7] “Barracuda identified a vulnerability (CVE-2023-2868) in our Email Security Gateway appliance (ESG) on May 19, 2023.” https://status.barracuda.com/incidents/34kx82j5n4q9 (accessed Jun. 02, 2023).
[8] “NVD - CVE-2023-2868.” https://nvd.nist.gov/vuln/detail/CVE-2023-2868 (accessed Jun. 02, 2023).
[9] “Known Exploited Vulnerabilities Catalog | CISA.” https://www.cisa.gov/known-exploited-vulnerabilities-catalog (accessed Jun. 02, 2023).