Threat Intelligence Report August 2 - August 8 2022

Knotweed is an Austria-based Private Sector Offensive Actor (PSOA) known to use Windows and Adobe 0-day exploits. They sell offensive tools or services as their business. They are well-known for having developed and sold a malware called Subzero which leverages Windows' and Adobe products' vulnerabilities. They are directly involved in the usage of the Subzero malware but recent discoveries indicate otherwise. Recently observed activities have originated from Knotweed-associated infrastructure. A common tactic from Knotweed is to distribute an Adobe remote code execution along with Windows privilege escalation exploits; packaged into a PDF document through an email. 

These Indicators of Compromise are blended into Crystal Eye as rules for detection and response to such threats.

Ave Maria RAT is a trojan that is used to steal sensitive information, remote access, and camera manipulation among others. It is known to be distributed via phishing emails with attached documents. Upon opening the attachment, it uses PowerShell to download additional malicious files, creates a scheduled task for persistence and exfiltrates data via web traffic to its Command-and-Control server.

Red Piranha has deployed new rules to the Crystal Eye platform as recent Ave Maria RAT activities that include data exfiltration have been observed.

Trojan-activity

The source code for an information-stealing malware coded in Rust has been released for free on hacking forums, with security analysts already reporting that the malware is actively used in attacks. As the info-stealer is written in Rust, a cross-platform language, it allows threat actors to target multiple operating systems. However, in its current form, the new info-stealer only targets Windows operating systems. When executed, the malware attempts to steal data from thirty Chromium-based web browsers, where it will steal stored credit cards, login credentials, and cookies. The stealer also targets a range of "cold" cryptocurrency and "hot" wallet browser addons, Steam accounts, Discord tokens, Ubisoft Play, and more. Where Luca Stealer stands out against other info-stealers is the focus on password manager browser addons, stealing the locally stored data for 17 applications of this kind. In addition to targeting applications, Luca also captures screenshots and saves them as a .png file and performs a "whoami" to profile the host system and send the details to its operators. 

Execution T1047/ T1059 - Privilege Escalation T1055 - Defense Evasion T1036 / T1562.001/ T1055 – Discovery T1518.001/ T1057/ T1082 - Command and Control T1105/ T1071

Recently researchers discovered T-RAT 2.0 selling on a Russian cybercrime forum which can be controlled via smartphone with the Telegram app. The attacker controls T-RAT 2.0 via Telegram using text-based commands and command buttons provided by the RAT. The commands are in English, and the help messages are mostly in Russian. One section of the advertisement banner demonstrates the controls and how they look on the phone. The first known stage of infection is the downloader which obtains an encrypted file. For decrypting the payload, the downloader applies XOR with the key 0x01. For the second part of the malware path the downloader generates a random number between 347 and 568203, converts that to a string, and then generates the hash either using MD5, SHA1 or SHA256. It uses the hash's hexadecimal representation as the second part of the malware path. The archive contains the actual T-RAT executable as well as several DLLs that the RAT needs. Some notable libraries are the Telegram.Bot.dll and socks5.dll. A subfolder named service contains six more files. The T-RAT 2.0 has 98 commands and provides the feature to Threat Actors like Stealer, clipper, keylogger, create a screenshot, record audio via microphone, take picture from webcam, and UAC bypass. It can disable Windows Defender and Smart Screen notifications. The malware provides a PowerShell or CMD terminal via Telegram. Remote control can also be done via HRDP or VNC.

Trojan-activity 

Initial Access T1190/T1133 - Execution T1203 - Persistence T1098 – Discovery T1046-Command and Control T1102

Sharpext is a malicious browser extension deployed by SharpTongue following successful compromise of a target system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. The latest version (3.0 based on the internal versioning) supports three browsers: Chrome, Edge, and Whale. 

Prior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained below) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script. The workflow of the installation script is as follows: 

1. Download supporting files:

- The malicious browser extension files 

- Browser configuration files 

- Additional scripts (pow.ps1 and dev.ps1) to ensure the extension is loaded 

2. Run the setup script (pow.ps1)