The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

BPFDoor Targets Linux Systems

May 20, 2022 11:44:39 AM / by PolySwarm Tech Team posted in Threat Bulletin, China, Linux, Red Menshen, BPFDoor, Telecommunications

0 Comments



Background

PwC Threat Intelligence recently reported on BPFDoor, a passive network implant for Linux targeting telecommunications providers. The activity was attributed to the Chinese nexus threat actor group Red Menshen.

Read More

Armageddon Leverages New Pterodo Variants

Apr 29, 2022 11:37:13 AM / by PolySwarm Tech Team posted in Ukraine, Russia, Threat Bulletin, Armageddon, Gameredon, Primitive Bear, Pterodo, Pteranodon

0 Comments



Background

This is a continuation of our coverage of cyberattacks targeting Ukrainian entities. Earlier this year, we published a blog post describing Armageddon activity targeting Ukraine and details on their infrastructure, as reported by Palo Alto’s Unit 42. Symantec recently reported on yet another wave of Armageddon attacks, leveraging new Pterodo variants to target Ukrainian assets.

What is Pterodo?

Pterodo, also known as Pteranodon, is a backdoor RAT. Armageddon is currently using at least four distinct variants of Pterodo. The four variants analyzed all used Visual Basic Script (VBS) droppers, dropped a VBScripts file, used Scheduled Tasks to ensure persistence, and downloaded code from a C2. Additionally, all four used similar obfuscation methods. Although the variants operate similarly to one another, each communicates with a different C2. Symantec assessed the threat actors likely use multiple variants to help maintain persistence by providing a fallback C2. The variants are referred to as Backdoor.Pterodo.B, Backdoor.Pterodo.C, Backdoor.Pterodo.D, and Backdoor.Pterodo.E.


Backdoor.Pterodo.B is a modified self extracting archive unpacked using 7-Zip. It contains obfuscated VBScripts, which it adds as scheduled tasks to maintain persistence. The script also copies itself to the [USERPROFILE]\ntusers.ini file. It creates two new obfuscated VBScripts. One of the VBSCripts gathers system information and sends it to the C2, while the other copies a previously dropped ntusers.ini file to another desktop.ini file.

Backdoor.Pterodo.C also drops VBScripts on the victim machine but uses API hammering, making multiple meaningless API calls, in an attempt to evade sandbox detection. The malware unpacks a script and the file offspring.gif to C:\Users\[username]\. The variant then calls the script, which in turn runs ipconfig /flushdns and executes the offspring.gif file. Offsprint.gif downloads and executes a PowerShell script from a random subdomain of corolain[.]ru.

Backdoor.Pterodo.D is yet another VBScript dropper. It creates and executes two files. One script runs ipconfig /flushdns then calls the second script and removes the original executable. The second script , which has two layers of obfuscation, downloads and executes the final payload from declined.delivered.maizuko[.]ru.

Backdoor.Pterodo.E operates similarly to variants B and C and uses script obfuscation similar to the other variants. This variant engages in API hammering then extracts two VBScript files to the victim’s home directory.

Who is Armageddon?

Armageddon, also known as Gameredon, Shuckworm, or Primitive Bear, is currently one of the most active APT groups targeting Ukrainian assets. The group’s activity has traditionally involved espionage activity aligned with Russian interests. In November 2021, the Security Service of Ukraine (SSU) publicly linked five Russian Federal Security Service (FSB) officers based in Crimea to the group. A report by the SSU stated Armageddon has been active since at least 2014 and has engaged in multiple cyber-espionage campaigns from 2017-2021. The SSU report notes Armageddon does not typically use sophisticated TTPs and does not seem to emphasize OPSEC. Some of the other tools and TTPs used by Armageddon include spearphishing, PowerShell, UltraVNC, FileStealer, and EvilGnome.


IOCs

PolySwarm has multiple samples associated with Pterodo.

119f9f69e6fa1f02c1940d1d222ecf67d739c7d240b5ac8d7ec862998fee064d

Read More

Lazarus Group Targets Crypto With TraderTraitor

Apr 25, 2022 8:26:42 AM / by PolySwarm Tech Team posted in Threat Bulletin, North Korea, Lazarus Group, TraderTraitor, Cryptocurrency

0 Comments



Background

CISA, FBI, and the US Treasury Department recently released a joint advisory on TraderTraitor, a Lazarus group campaign targeting blockchain companies.

Read More

IcedID and Zimbra Exploits Target Ukrainian Government Entities

Apr 22, 2022 10:38:37 AM / by PolySwarm Tech Team posted in Ukraine, Threat Bulletin, Infostealer, IcedID, BokBot, UAC-0098, UAC-0097, Zimbra

0 Comments



Background

CERT-UA recently released an advisory on IcedID, a modular banking trojan being dropped via a social engineering campaign targeting Ukrainian government entities, and related Zimbra exploits.

Read More

Denonia Cryptominer Targets AWS Lambda

Apr 18, 2022 11:23:54 AM / by PolySwarm Tech Team posted in Threat Bulletin, Denonia, Cryptominer, AWS, Lambda

0 Comments



Background

Cado Security recently published an analysis on Denonia cryptominer, the first malware used to target AWS Lambda.

Read More

Industroyer2 Targets Ukrainian Energy Company

Apr 15, 2022 10:06:29 AM / by PolySwarm Tech Team posted in Ukraine, Russia, Threat Bulletin, Wiper, Critical Infrastructure, Industroyer2, Sandworm, Voodoobear

0 Comments



Background

ESET recently reported on Industroyer2, a multi-component ICS malware used to target a Ukrainian energy company.

Read More

Borat RAT - A Triple Threat

Apr 8, 2022 10:25:51 AM / by PolySwarm Tech Team posted in Threat Bulletin, DDoS, Ransomware, Backdoor, BoratRAT

0 Comments



Background

Cyble recently published research on Borat RAT, a triple threat capable of providing backdoor access, facilitating spyware capabilities, and conducting DDoS and ransomware attacks. This emerging threat can be used to perform double and triple extortion attacks, where threat actors demand ransom and also threaten victims with the sale or leak of stolen data and DDoS attacks.


What is Borat RAT?

Borat RAT is a remote access trojan with extended capabilities allowing threat actors to spy on victims and conduct DDoS attacks and ransomware attacks. It is being sold on the underground and is advertised to have multiple features, allowing threat actors to tailor their attacks to a particular victim.


According to Cyble, Borat RAT comes as a package including a builder binary, supporting modules, and a server certificate. Threat actors have the option to compile the binary to perform DDoS and ransomware attacks.

Borat RAT has a number of features allowing threat actors to spy on and troll victims and to evade detection and maintain persistence. Its spyware features allow threat actors to recover saved Chrome and Edge browser passwords and Discord passwords. Other spyware features include keylogging, audio recording, and webcam recording.

Borat RAT has remote hVNC capabilities, such as hidden desktop and hidden browsers. It is advertised as having “remote fun” options allowing threat actors to troll or intimidate victims by turning peripherals on and off, enabling and disabling TaskMgr and Regedit, and showing or hiding the Start button. Borat RAT’s remote system options allow the threat actor to use remote shell, TCP,  reverse proxy, etc. Borat RAT also includes features allowing a threat actor to evade detection and maintain persistence.

IOCs

PolySwarm has a sample of Borat RAT.

b47c77d237243747a51dd02d836444ba067cf6cc4b8b3344e5cf791f5f41d20e


You can use the following CLI command to search for all Borat RAT samples in our portal:

Read More

AcidRain Wiper

Apr 7, 2022 12:31:14 PM / by PolySwarm Tech Team posted in Threat Bulletin, Wiper, AcidRain, Viasat

0 Comments



Background

Sentinel One recently published research on AcidRain, a wiper malware used in an attack on Viasat KA-SAT in Ukraine.

What is AcidRain Wiper?

Read More

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts