ShadowTalk Update – XMRig Cryptocurrency Mining, FIN8 Backdoor, and Attacks Against Office 365
June 17, 2019
This week Harrison is joined by Travis and Alec to discuss the security stories of the week, including a fileless malware attack delivering a cryptocurrency miner to targets in China, the return of FIN8 with a backdoor aimed at the hospitality industry, a popular flaw exploited in a tailored spam campaign, and MuddyWater expanding its tactic repertoire in Middle Eastern attacks.
Then Digital Shadows CISO Rick Holland joins Harrison to chat with principal security strategist at Splunk, Ryan Kovar, on his research around machine learning and attacks against Office 365.
Weekly highlights come from the financially motivated “FIN8” threat group and their attempt to compromise a hospitality organization, threat actors who are targeting a vulnerability in a newly detected spam campaign, and the “MuddyWater” threat group, which has been targeting a new vulnerability to attack government and telecommunications entities in the Middle East.
Fileless malware attack delivers cryptocurrency miner to China
Unidentified threat actors have revived a malicious cryptocurrency mining campaign to indiscriminately target entities in China. The attackers continue to use an obfuscated PowerShell script, known as PCastle, alongside several propagation techniques to deliver the malware, but have also demonstrated a new, multilayered fileless infection technique. The final payload is a variant of the XMRig malware, which is readily available online and mines the Monero cryptocurrency. This campaign will likely expand to other geographies in the immediate future (within the next few weeks).
FIN8 returns with backdoor for hospitality industry
The financially motivated FIN8 threat group was detected attempting to infect an unnamed hospitality organization with its “ShellTea” (aka PunchBuggy) backdoor malware. Some of the tactics and infrastructure used overlapped with the activities of “FIN7”, but ShellTea has solely been attributed to FIN8 to date, and there is no indication of the two groups actively collaborating. There has been a lack of publicly reported FIN8 activity since 2017; this lull may be because the group’s attacks have gone undetected, or its members were spending time improving their tactics and tools prior to initiating new campaigns.
Popular flaw exploited in tailored spam campaign
On 07 Jun 2019 security researchers reported on a new spam campaign tailored to various European languages. The spam emails exploited the arbitrary code execution flaw CVE-2017-11882 to automatically execute several scripts, resulting in the download of a backdoor executable. Despite the release of a patch, CVE-2017-11882 has been actively exploited since at least 2017. The online domain associated with the backdoor malware is currently offline, meaning the threat has diminished. However, should it again become active, additional infections and attacks are highly likely to occur.
MuddyWater expands tactic repertoire in Middle Eastern attacks
MuddyWater has reportedly targeted several government and telecommunication organizations in unnamed Middle Eastern countries within recent months. The objective of the threat group’s attacks was unconfirmed, but cyber espionage is a realistic possibility. The infection vector was spearphishing emails that exploited the vulnerability CVE-2017-0199 to run a PowerShell script, after which additional malware payloads were deployed. CVE-2017-0199 has been exploited by other Iran-based threat actors, but this is the first confirmed attack by MuddyWater that focused on this vulnerability.
For more details, read the full Weekly Intelligence Summary here: