EclecticIQ Threat Research Team
February 5, 2021

Threat actors leverage Microsoft RDP service and RTF files

Blog

Biweekly Threat Intelligence Update Week 5

Summary of Findings

  • Website offers data allegedly stolen during SolarWinds breach
  • Researchers reveal specifics of FIN7 hacking group's malware
  • RDP exposure leads to Dharma ransomware infections
  • Chinese threat groups target Windows vulnerabilities with RTF documents
  • Lokibot TTP uses blurred Images to encourage users to enable macros
  • Threat actors leak stolen COVID-19 vaccine documents following December 2020 breach


“SolarLeaks” website appears to be a scam

A website called SolarLeaks was used to advertise the sale of data allegedly belonging to SolarWinds, FireEye, Microsoft, and Windows that was stolen through the SolarWinds compromise. EclecticIQ analysts cannot certify the authenticity of the data at this time. The URLs indicate the presence of data files matching some of the names of the targeted companies.

The threat actors also claim to be selling the source code for multiple Cisco products. Cisco has stated they do not have any evidence that proprietary data was stolen in related attacks.

The domain was registered on the 11th of January 2021 using Njalla, a registrar known to be used in the past by Fancy Bear, a Russian nation state-sponsored APT group. The NS record suffixes for the domain spell out "YOU CAN GET NO IN FO" - very likely an attempt to taunt security researchers.

Based on preliminary reporting and other factors surrounding the alleged release, EclecticIQ analysts consider the following hypotheses:

  • The site is a scam attempt by unrelated actors trying to monetize the SolarWinds events.
  • The original Sunburst operators released the data.
  • The data is linked to unrelated 4th party collection and sale.
  • The sale is possibly a false flag operation intended to mislead attribution by leveraging known APT associated infrastructure.

Morphisec researchers publish details about a malware variant called JSSLoader

FIN7, a financially motivated threat actor, is suspected of using a remote access trojan named JSSLoader during several campaigns. JSSLoader acts as a RAT and provides features such as exfiltration, persistence, auto-update, downloads of malware, and more. Morphisec researchers confirmed the attack begins with installing a VBScript via a phishing email and includes downloading and installing the primary JSSLoader payload.

The RAT is responsible for the reflective loading of the Carbanak malware and its execution. The researchers noted that the JSSLoader connects to a command-and-control server hosted by a company called FranTech Solutions, which has been used before by the FIN7 group.

Unsecured RDP services enable installation of Dharma ransomware

According to Zscaler, threat actors are scanning for machines with an open Remote Desktop Protocol (RDP) service. After finding potential victims, the attackers gain initial access through brute-forcing RDP or using stolen RDP credentials, eventually installing Dharma Ransomware. Organizations should secure RDP services and/or use zero trust architecture to allow remote users to securely access these servers without exposing them to the entire internet.

Chinese threat groups exploit Microsoft Office

Several Chinese threat groups utilize Royal Road RTF Weaponizer to exploit Microsoft Office Equation Editor vulnerabilities and gain initial access. Organizations whose security landscape includes Chinese threats groups should review RTF files attached to incoming emails and to limit exposure by remediating the targeted vulnerabilities.

Latest Lokibot sample relies on common technique to infect users’ machines

Researchers at Talos have discovered the latest Lokibot sample, which uses the known technique of blurring images in documents to encourage users to enable macros. The researchers also observed that the bot uses a multi-layered dropper and employs three stages and three encryption levels to cover its final payload.

The attack begins with a malicious XLS attachment sent in a phishing email containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage includes three-layered encrypted Lokibot, which is deployed in the third stage after a privilege escalation. Attackers have also been observed combining different techniques to make detection more complex.

Pfizer and BioNtech COVID-19 vaccine data released online

The European Medicines Agency (EMA) issued a statement on 9 December 2020 disclosing that the agency was the subject of a cyberattack. No details of the incident were given at the time. However, on 12 January 2021, EMA posted an update revealing that threat actors unlawfully accessed documents related to COVID-19 medicines and vaccines belonging to third parties, and that the documents were illegally leaked on the internet.

BioNtech, a COVID-19 research and vaccine producer, revealed that documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, were stored on an EMA server and were unlawfully accessed as part of the incident. According to the statement, no Pfizer or BioNTech systems were breached.




Talk to one of our experts

Protect your organization with cutting-edge threat intelligence. Book your free demo today and explore how our products and services can help you meet your security needs.
Book a call
cta-footer
Book a demo