Trellix Threat Labs Research Report: April 2022

Letter From Our Lead Scientist

Welcome to our latest threat report.

Nearly a quarter into the new year, it would be an understatement to say that we had an easy start of the year. We are slowly moving out of the pandemic, but uncertainty around the recent conflicts in the Eurasia region dominates our daily lives and conversations.

First, Trellix stands for peace. No matter which parties are involved in any conflict, our mission is to protect our customers and comply with international laws. Our research and vigilance continued as we prepared this report. For example, the Lapsus$ group attacked major corporations around the world with an initial focus on South American victims, leaking sensitive data including source-code and certificates.

We observed those certificates being abused. An example to sign malware binaries, a method to attempt bypassing the trust of operating systems and security products. Details of this group, their latest breach and countermeasures can be read here.

In our second threat report since the launch of our new company, we acknowledge the (cyber) events that dominated global headlines. From attacks on Ukrainian infrastructure to HermeticWiper malware destroying the boot sectors of any infected machine, cybersecurity was top of mind for many in the new year. We also look back at the fourth quarter of 2021, which saw the Log4shell vulnerability impact hundreds of millions of devices and many now brace for new threats coming in the new year.

The Trellix Threat Labs team has been at the frontline of analyzing and researching ransomware for many years. Working together with the public sector, we were proud to celebrate success when in December 2021 arrests were made and ransomware operations were shut down. The recent leaks of chats from both the Conti ransomware group and the Trickbot malware group revealed how professional these operations are run. It demonstrates that we need a united answer between public and private sectors to stop the disruption of these attacks.

In addition, please check out our Trellix Threat Labs blog page featuring our latest threat content, videos, and links to the security bulletin.

This report also spotlights other prevalent threats and attacks observed in the wild.

—Christiaan Beek
Lead Scientist

John Fokker Twitter

Trellix Labs Discover Suspected DarkHotel APT Activity Update

In March, Trellix discovered a first-stage malicious campaign targeting luxury hotels in Macao, China since the latter half November 2021. The attack started with a spear phishing email directed to the hotel’s management staff in roles like the vice president of HR, assistant manager, and front office manager. Based on the job titles we can assume that the targeted individuals have sufficient access into the hotel’s network, including the book systems. How it works:

• The email used for this spear phishing attack contains an attachment with an Excel sheet. The Excel sheet is used to trick the victim and enable malicious macros embedded when it’s opened.
• Those macros enable several mechanisms detailed in the Technical Analysis part and summarized in the Infection Flow Chart below.
• In the beginning, macros create a schedule task to perform recognition, data listing and data exfiltration.
• Then, to enable communication with the Command-and-Control server used to exfiltrate victim data, macros are using a know lolbas (Living Off the Land Binaries and Scripts) technique to perform PowerShell command lines as trusted script.

Read our blog for more DarkHotel APT background, attribution, campaign, and technical analysis.

Trellix Threat Labs Identify Prime Minister's Office Compromise

In January our team announced its identification of a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia. Trellix undertook pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments.

Analysis of the attack process begins with the execution of an Excel file containing an exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444). This is used to execute a malicious DLL file acting as a downloader for the third stage malware we called Graphite. Graphite is a newly discovered malware sample based on a One-Drive Empire Stager which leverages OneDrive accounts as a command and control server via the Microsoft Graph API.

The last phases of this multi-stage attack, which we believe is associated with an APT operation, includes the execution of different Empire stagers to finally download an Empire agent on victims’ computers and engage the command and control server to remotely control the systems.

The following diagram shows the overall process of this attack.

Read our blog for more in-depth analysis including stages, infrastructure, and attribution.

Methodology

Trellix's backend systems are providing telemetry that we use as input for our quarterly threat reports. We combine our telemetry with open-source intelligence around threats and our own investigations into prevalent threats like ransomware, nation-state activity, etc.

When we talk about telemetry, we talk about detections, not infections. A detection is when a file, URL, IP-address or other indicator is detected by one of our products and reported back to us.

Privacy of our customers is key. It also is important when it comes down to telemetry and mapping that out to the sectors and countries of our customers. Client-base per country differs and numbers could be showcasing increases while we have to look deeper into the data to explain. An example is that the Telecom sector is always scoring high in our data. It doesn’t mean necessarily that this sector is highly targeted. The Telecom sector contains ISP providers as well that own IP-address spaces that can be bought by companies. What does that mean? Submissions from the IP-address space of the ISP are showing up as Telecom detections, but could be from ISP clients that are in a different sector operating.

Ransomware

In the final quarter of 2021, the ransomware landscape has continued to change. In lieu of the large attacks we described in our previous report, ransomware actors had to find a new underground home and law enforcement started to crack down on several high-profile ransomware groups. One of these groups was REvil/Sodinokibi, which was still ranked amongst the top ransomware families in Q3. However, REvil left the stage after a coordinated takedown of their infrastructure, several internal disputes, and members being arrested. Trellix is proud to have assisted in the REvil investigation by providing malware analysis, locating key infrastructure and identifying multiple suspects.

Our top 3 in Q4 2021 belonged to Lockbit, Cuba, and Conti Ransomware. We suspect that remaining members of REvil, most likely have found a new home with these ransomware families.

While the ink for this report isn’t even dry the landscape has shifted yet again. Conti which has grown to one of the largest families had thousands of internal chats leaked on the internet, essentially exposing their inner secrets. We dubbed this leak the Panama Papers of ransomware and we will be sure to highlight our findings in the next quarterly report.

To help enterprises better understand and defend against ransomware attacks in the threatscape, our Threat Labs team presents research and findings into the prevalence of a wide variety of ransomware threats including families, techniques, countries, sectors, and vectors from Q4 of 2021.