eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Recent Threat Intelligence Advisories
Noteworthy News
Domino Backdoor Malware
Bottom Line: Members of two notable financially motivated cyber crime groups have been identified working together in a recent campaign. Both groups are highly sophisticated and have previously launched widespread ransomware campaigns.
Researchers from IBM Security X-Force have identified a previously unknown backdoor, dubbed Domino Backdoor, that is actively being employed by threat actors in real-world attacks. The Domino Backdoor gathers basic system information to send to its command and control (C2) and receives an AES-encrypted payload. Since late February 2023, threat actors have deployed the Domino backdoor to victims previously infected with Dave Loader malware. Domino Backdoor leads to the deployment of a loader, dubbed Domino loader. The final payload in recently observed attacks is the .NET information stealer Nemesis Project.
Domino malware has been attributed to members of the FIN7 (aka. ITG14) cybercrime group. This group has been active since at least 2012, with tactics shifting over time. FIN7 has previously been identified conducting carding scams, deploying banking malware and initial access malware, performing supply chain attacks, as well as developing ransomware and functioning as a ransomware affiliate. The group is connected to a variety of high-profile ransomware types including REvil, Darkside, Blackmatter, and ALPHV.
While FIN7 was identified as the developer of the malware, the group is not using Domino Backdoor in attacks. Rather, the malware has been sold or rented to former members of the Trickbot/Conti syndicate (aka. ITG23). This infamous Ransomware-as-a-Service (RaaS) group operated between 2020 – 2022.
eSentire MDR for Network and Endpoint has a variety of detections in place to identify malware mentioned in this report, including FIN7 and Conti tools, Nemesis, Cobalt Strike, and Carbanak. Additionally, eSentire has blocked infrastructure associated with recent attacks and performed threat hunts across the eSentire client base.
eSentire Threat Intelligence Analysis:
The eSentire Threat Intelligence team assesses that it is almost certain the use of the Domino Backdoor malware will increase, and it is probable that other threat actors will adopt the tool in the future. While the current use of the malware has resulted in the deployment of information stealers, it is possible that Domino will be used to deliver ransomware to high-value targets. The Domino Backdoor is designed to contact a different C2 address for domain-joined systems, suggesting an additional backdoor, such as the common ransomware precursor Cobalt Strike, will be downloaded on high value targets. Alternatively, threat actors employing the malware may launch extortion only attacks. The Conti/Trickbot subgroup, Silent Ransom, was previously identified launching attacks with the goal of data theft and extortion rather than ransomware deployment. The eSentire Threat Intelligence team is actively tracking this threat for additional details and detection opportunities.
Moreover, Conti announced a shutdown in May 2022. Despite the shutdown, members of the group remain highly active, as illustrated in this recent report. It is not clear whether former members are operating in splinter groups, or if the majority of Conti has remained active but operated to maintain a lower profile. Both the Conti and FIN7 groups are highly sophisticated with years of experience. Group members will continue launching a variety of different attacks with the goal of financial gain.
ChatGPT Related Threats
Bottom Line: Sensationalized lures relating to ChatGPT are being heavily abused by threat actors for a variety of malicious purposes, including phishing, man-in-the-middle, and financial scams.
ChatGPT, the user interface which provides access to OpenAI's Large Language Model, has disrupted many industries and people's views on the future of AI. ChatGPT has generated many questions, and concerns.
On April 20th, 2023, Unit42 released a technical report on the growing threat of scammers targeting ChatGPT users, which has surged in recent months due to the platform's rapid expansion. The researchers observed a sharp increase in domain registrations and squatting domains related to ChatGPT, as well as an uptick in malicious URLs. Unit42 noted various increases in ChatGPT themed threats over the past year, including a 910% increase in monthly registrations for domains related to ChatGPT between November 2022 and early April 2023 and a 17,818% growth of related squatting domains from DNS Security logs in the same period.
The rise of copycat websites is notably concerning since threat actors might intercept and steal your input, effectively creating a man-in-the-middle attack for anything sensitive or confidential that could put your organization at risk. Additionally, the chatbot's responses could be manipulated to give you incorrect answers or misleading information. Whenever providing input into third-party tooling, users should understand the sensitivity of the data and the privacy policies of the third party. This is critical with AI-based tools that learn and train on the data input. A key example occurred earlier this year when Samsung employees leaked corporate data in ChatGPT.
eSentire Threat Intelligence Analysis:
Threat actors will constantly use popular themes as a lure for phishing and malware downloads. The rising trend of ChatGPT and large language model-based tools have driven attackers to leverage this hype cycle for their benefit. Since its inception, many spinoff websites have emerged offering their variant of ChatGPT aligned with their niche goals, for example, TaxGPT, HustleGPT, AutoGPT, and many more. These websites provide the users with a similar interface to ChatGPT, leveraging OpenAi's backend application programmer interface (API) but including their niche-based prompts to serve their goal.
It's also important to be aware of the potential dangers of using copycat chatbot services. Although these services can be helpful for many, it's important to note that they also effectively create a man-in- the-middle attack. They can harvest sensitive data or even change the output of prompts to bias the answers.
Additionally, users should exercise caution when interacting with suspicious emails or links related to OpenAI and ChatGPT. Always access ChatGPT through the official OpenAI website to ensure safety and security.
The eSentire Threat Intelligence team has tracked OpenAI's development and ChatGPT progress for years. We perform routine sweeps on known indicators of compromise related to known compromised websites or copycat sites which pose a threat across our client base.
3CX Supply Chain Attack Updates
Bottom Line: Reports continue to emerge, providing additional background on the 3CX supply chain attack. Researchers have confirmed that this incident is the first known case of a supply chain attack stemming from a previous supply chain attack.
Details around the recent supply chain attack on 3CX, a popular voice and video conferencing software, are still emerging. The attack was conducted by North Korean hackers and involved trojanizing the 3CX Desktop application with a malware-laced software package distributed via an earlier software supply chain compromise.
The attack impacted organizations in Europe, North America, and Australia, with Italy, Germany, and Austria being the most heavily impacted countries. The malware used in the attack includes an infostealer that targets the browser(s) on a compromised system and a multi-stage infostealer DLL that is still being analyzed. The compromised 3CX DesktopApp is the first stage in a multi-stage attack chain that pulls ICO files appended with base64 data from GitHub. The attack also compromised both the Windows and MacOS build environments, which led to the deployment of various malware types. The article emphasizes the importance of evaluating the security of third-party software and implementing clear guidelines and policies for their use to prevent data breaches.
Three reports were recently released related to the 3CX attack. The newest update by Mandiant provides insight into the source of the breach. 3CX was initially compromised via a previous supply chain attack. The first attack was carried out against Trading Technologies and resulted in malware being added to the X-Trader software. Threat actors added a multi-stage backdoor dubbed VEILEDSIGNAL to the X-Trader software. Once initial access was gained, the adversaries used Fast Reverse Proxy to move laterally threw the organization and harvest credentials, allowing for the trojanization of the 3CX desktop application.
ESET released a report on a newly identified campaign tracked as Operation DreamJob that adds additional credence to the attribution of North Korean based threat actors in the 3CX supply chain attack. Operation DreamJob targeted Linux users via social engineering with fake job offers. An overlap of malware between Operation DreamJob and the 3CX supply chain attack has increased ESET’s confidence in the attribution of Lazarus group to the 3CX attack.
On April 20th, CISA released a technical report on the ICONICSTEALER malware. ICONICSTEALER was identified in the recent 3CX supply chain attack. This threat is a backdoor information-stealer trojan. The malware is used to steal sensitive data from victim machines and make it available for exfiltration via a separate malicious component.
The eSentire Threat Intelligence team continues to track reports related to the 3CX supply chain attack, and threat hunts based on new Indicators of Compromise are ongoing. eSentire released an advisory on the supply chain attack on March 30th.
eSentire Threat Intelligence Analysis:
This is the first known incident of a supply chain attack being carried out due to a prior supply chain attack. North Korean threat actors showed high levels of sophistication and planning in these corresponding campaigns. By not widely leveraging the attack against Trading Technologies, they were able to impact 3CX, a platform with over 600,000 customers across 190 different countries. Moreover, the threat actors avoided detection until after trojanized versions of the 3CX desktop application were distributed, showing their ability to perform stealthy and persistent attacks. The 3CX supply chain attack is believed to be financially motivated, as threat actors delivered secondary payloads to organizations involved with cryptocurrency. North Korean APT groups have a history of targeting cryptocurrency exchanges for financial theft to fund future campaigns and the North Korean regime.
The publication of this information highlights the criticality of supply chain security. It is probable that an increase in cascading software supply chain compromises will occur as threat actors continue to evolve their tactics, and it is anticipated that we will see more potential links between financially motivated North Korean threat actors and similar attacks in the future.
To prevent the download of trojanized software, organizations are recommended to maintain an allowlist of known safe software and remove unwanted programs before an issue arises.
About the threat briefings:
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
