👋 Welcome to the Intel Brief! I am Thomas Roccia, also known as @fr0gger_.
I created this newsletter to address a common challenge many of us face: staying updated with what's happening in the cybersecurity world.
This newsletter is an experiment using an LLM; it generates an automated summary and a visual for the 5 top threat reports of the week. The goal is to keep you informed about the most important news.
You now have a perfect opportunity to stay on track without spending hours reading extensive content.
Enjoy your quick read!! 🤓
🗞️ Brief News From Me
Last Friday, after the announcement from OpenAI about the GPTs release 📣, I created my first GPT called MagicUnprotect, which is directly connected to the Unprotect.it database. The funny thing is, I had already created a RAG with the database, but I hadn't published it yet 😄.
Many of you started creating GPTs for cybersecurity, and I struggled to find a simple way to browse them all 🤔. So, I decided to create a list. This list quickly gained popular attention from the community and has now reached more than 2K stars on Github ⭐️!
Next week, I'll be at the Hack.Sydney conference 🌟. I'm excited to present my research on Prompt Engineering for Threat Intelligence and discuss some of my experiences in the career track 🗣️💼.
My work has been quoted in two newsletters this week; I recommend having a look at them, as I am a big fan of their content:
In this edition of the Intel Brief 📰, I've added an article that talks more about the tooling used for malware analysis 🛠️. You'll find 4 threat reports summarized and one article about malware emulation 💻.
🛡️ APT29 Attacks Embassies Using CVE-2023-38831
Key Takeaways:
APT29 Targets Embassies: APT29, linked to Russia's Foreign Intelligence Service (SVR), ran a campaign against embassies in several European countries, exploiting the WinRAR vulnerability CVE-2023-38831.
Lures and Exploitation: The lures were BMW car sale advertisements (photos and documents) packaged in crafted archives; opening the decoy triggered the WinRAR flaw and gave the attackers initial access to the victim's system.
Geopolitical Motives and Targets: The primary targets were diplomatic entities, particularly in Azerbaijan, Greece, Romania, and Italy. The campaign fits a broader intelligence-collection effort, notably around Azerbaijan's strategic activities and its recent military acquisitions from Italy.
Summary:
The report details a cyber-espionage campaign by APT29, a Russian state-linked advanced persistent threat group. The campaign targeted European embassies and exploited CVE-2023-38831 in WinRAR to compromise their systems. The attackers used BMW car sale lures, a theme APT29 has used in past operations; when the victim opened the decoy file inside the specially crafted ZIP archive, WinRAR executed the attackers' code on the victim's machine.
A notable aspect of the attack was the use of an Ngrok free static domain for communication with the malicious server. Routing command-and-control traffic through a legitimate tunnelling service helped the attackers stay concealed and complicated defensive efforts, a sign of APT29's continued adaptation of its tradecraft.
The geopolitical implications are significant, particularly in the context of Azerbaijan's strategic activities and its relations with Italy, Greece, and Romania. The targeting of diplomatic accounts and major international organizations reflects the broad scope and audacity of this campaign.
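The report summary above does not describe how the crafted archive is laid out. Publicly, CVE-2023-38831 is triggered by a ZIP that contains a benign-looking file and a directory with the same name (typically carrying a trailing space), so that opening the decoy makes WinRAR run the script stored inside the directory. The following is an added example, not code from the report or its author: it builds such an archive in memory with inert placeholder content (no payload, constructed purely to reproduce the naming collision) and shows a triage check that reads only the central directory, so it can be run over quarantined attachments without extracting anything. Member names such as `photo.jpg ` are hypothetical.

```python
import io
import zipfile
from typing import Dict, List


def build_suspicious_zip() -> bytes:
    """Constructed sample reproducing the CVE-2023-38831 layout.

    A decoy 'photo.jpg ' (note the trailing space) sits next to a directory
    with the same name. The file inside that directory is an inert placeholder,
    not a working payload; only the naming collision is reproduced.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg ", b"\xff\xd8\xff\xe0 not a real image")
        zf.writestr("photo.jpg /photo.jpg .cmd", b"rem inert placeholder\r\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control sample: ordinary names and a normal nested directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 not a real image")
        zf.writestr("docs/readme.txt", b"nothing to see\n")
    return buf.getvalue()


def _directory_paths(names: List[str]) -> List[str]:
    """Collect every directory path in the archive, whether it appears as an
    explicit 'dir/' entry or is only implied by a nested member's path."""
    dirs = set()
    for n in names:
        parts = n.split("/")
        if n.endswith("/"):
            parts = parts[:-1]          # 'a/b/' -> the whole path is a directory
            depth = len(parts)
        else:
            depth = len(parts) - 1      # 'a/b/file' -> 'a' and 'a/b' are directories
        for i in range(1, depth + 1):
            dirs.add("/".join(parts[:i]))
    return sorted(dirs)


def find_name_collisions(zip_bytes: bytes) -> List[Dict[str, str]]:
    """Flag file members whose name has trailing whitespace, and file members
    that share a name with a directory once trailing whitespace is stripped.

    Only the central directory is parsed; nothing is extracted, so the check
    is safe to run on untrusted archives.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    dirs = _directory_paths(names)

    findings: List[Dict[str, str]] = []
    for f in files:
        if f != f.rstrip():
            findings.append({"member": f, "reason": "trailing whitespace in member name"})
        stem = f.rstrip()
        for d in dirs:
            if d.rstrip() == stem:
                findings.append({"member": f, "reason": f"directory {d!r} collides with file name"})
    return findings


def is_suspicious(zip_bytes: bytes) -> bool:
    return bool(find_name_collisions(zip_bytes))


if __name__ == "__main__":
    for label, blob in (("suspicious", build_suspicious_zip()), ("benign", build_benign_zip())):
        print(label, find_name_collisions(blob))
```

The trailing-whitespace test on its own already catches the public proof-of-concept layout; the directory/file collision test is what makes the check meaningful, because a legitimate archive never carries a file and a directory with the same path. Run it on the archive bytes before anyone opens the attachment in WinRAR.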
Source: APT29 attacks Embassies using CVE-2023-38831 - report (rnbo.gov.ua)
🛡️ TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities
Key Takeaways:
From July through October 2023, the threat actor TA402, also known as Molerats, Gaza Cybergang, Frankenstein, and WIRTE, used a new initial access downloader called IronWind in phishing campaigns targeting Middle East-based government entities. The threat actor adjusted its delivery methods during this time period to evade detection efforts.
TA402 has consistently engaged in highly targeted activity, with campaigns focused on less than five organizations at a time. The threat actor has a strong focus on government entities in the Middle East and North Africa region.
Proofpoint researchers have been tracking TA402 since 2020 and assess that it is a Middle Eastern advanced persistent threat (APT) group operating in the interests of the Palestinian Territories, with overlaps to the activity clusters tracked as Molerats, Gaza Cybergang, Frankenstein, and WIRTE.
Summary:
In mid-2023, Proofpoint researchers observed TA402 using a complex infection chain against Middle Eastern governments. The threat actor rotated through several variants of this chain, delivering Dropbox links, XLL file attachments, and RAR file attachments, all of which ultimately led to a DLL containing the IronWind malware. Over the same period, TA402 moved its command and control from cloud services (the Dropbox API) to actor-controlled infrastructure.
TA402 has used geofencing to make detection more difficult, and it has a history of targeting government entities in the Middle East and North Africa. The group has used compromised Ministry of Foreign Affairs email accounts and decoy documents to support its campaigns. The researchers assess that TA402 operates in support of Palestinian espionage objectives with a focus on intelligence collection, and note that the ongoing Israel-Hamas conflict could change its targeting and social engineering lures.
Source: TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities | Proofpoint US
🛡️ IMPERIAL KITTEN Deploys Novel Malware Families in Middle East-Focused Operations
Key Takeaways:
IMPERIAL KITTEN, a threat actor with suspected connections to the Islamic Revolutionary Guard Corps (IRGC) in Iran, has been deploying novel malware families in cyberattacks targeting organizations in the transportation, logistics, and technology sectors in the Middle East.
The malware samples associated with IMPERIAL KITTEN's activity include IMAPLoader, StandardKeyboard, a sample that uses Discord for C2, and a Python reverse shell delivered via a macro-enabled Excel sheet.
IMPERIAL KITTEN's initial access methods include the use of public scanning tools, one-day exploits, SQL injection, and stolen VPN credentials. They also use phishing to deliver malicious documents.
The group engages in social engineering, specifically using job recruitment-themed content, to deliver custom .NET-based implants. They have historically targeted industries such as defense, technology, telecommunications, maritime, energy, and consulting and professional services.
IMPERIAL KITTEN's activities involve strategic web compromise (SWC) operations, where they lure victims to adversary-controlled websites to compromise them. They also use email-based command and control (C2) mechanisms similar to those used in their Liderc malware family.
Summary:
The report from CrowdStrike Counter Adversary Operations highlights the activities of the threat actor IMPERIAL KITTEN in cyberattacks targeting organizations in the Middle East, particularly in the transportation, logistics, and technology sectors. IMPERIAL KITTEN is believed to have connections to the IRGC in Iran and has been active since at least 2017. The group deploys novel malware families, including IMAPLoader, StandardKeyboard, a Discord-based C2 malware, and a Python reverse shell delivered via an Excel sheet.
IMPERIAL KITTEN's initial access methods involve the use of public scanning tools, one-day exploits, SQL injection, stolen VPN credentials, and phishing. They use social engineering techniques, particularly job recruitment-themed content, to deliver custom .NET-based implants. The group's activities also include strategic web compromise (SWC) operations, where victims are lured to adversary-controlled websites. Additionally, IMPERIAL KITTEN utilizes email-based C2 mechanisms similar to their Liderc malware family.
Source: IMPERIAL KITTEN Deploys Novel Malware Families (crowdstrike.com)
🛡️ C3RB3R Ransomware | Ongoing Exploitation of CVE-2023-22518 Targets Unpatched Confluence Servers
Key Takeaways:
CVE-2023-22518 in Atlassian's Confluence Data Center and Server is being actively exploited.
The exploitation is being carried out by threat actors deploying new variants of the C3RB3R (Cerber) ransomware, targeting both Windows and Linux hosts.
The vulnerability allows unauthenticated remote attackers to create a backdoor administrator account, giving them full control over the affected instance.
A Shodan search identified over 5,000 internet-exposed Confluence environments that are potentially vulnerable.
The C3RB3R ransomware has been in operation since at least 2016 and has seen increased usage in recent years.
The ransomware payload is delivered through a multi-stage attack chain, involving the use of webshells and PowerShell scripts to download and execute the malware.
Summary:
The report highlights an ongoing exploitation campaign against Atlassian's Confluence Data Center and Server. The campaign leverages a recently disclosed vulnerability, CVE-2023-22518, which allows unauthenticated remote attackers to create a backdoor administrator account on vulnerable instances. The vulnerability affects multiple versions of the software, and Atlassian has published guidance on temporary mitigations for those unable to patch immediately.
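Atlassian's interim mitigation for CVE-2023-22518 was to block the `/json/setup-restore*` endpoints at the network edge, which also tells a defender where to look in access logs: any request to those endpoints from an unexpected client, and especially a POST that succeeded, is a candidate for exploitation. The following is an added example, not from the SentinelOne report: it parses combined-format (Tomcat/Apache style) access log lines and reports per-client hits on the restore endpoints. The log lines are constructed for the example and use RFC 5737 documentation addresses; a real hunt would stream the server's own access log through `find_restore_requests`.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Endpoints Atlassian advised blocking on unpatched instances (setup-restore*).
RESTORE_PATH = re.compile(r"^/json/setup-restore[^?\s]*")

# Combined-format access log: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real telemetry). One client probes the restore
# endpoint, POSTs to it, then polls the progress endpoint; the rest is noise.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Nov/2023:10:14:52 +0000] "GET /json/setup-restore.action HTTP/1.1" 200 1245 "-" "python-requests/2.31"
203.0.113.7 - - [03/Nov/2023:10:14:53 +0000] "POST /json/setup-restore.action?synchronous=true HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.23 - - [03/Nov/2023:10:15:01 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Nov/2023:10:15:09 +0000] "POST /json/setup-restore-progress.action HTTP/1.1" 200 64 "-" "python-requests/2.31"
192.0.2.44 - - [03/Nov/2023:10:16:30 +0000] "GET /login.action HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_restore_requests(log_text: str) -> List[dict]:
    """All requests whose path hits a /json/setup-restore* endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = RESTORE_PATH.match(rec["path"])
        if m:
            rec["endpoint"] = m.group(0)      # path without query string
            hits.append(rec)
    return hits


def summarize_by_ip(hits: List[dict]) -> Dict[str, dict]:
    """Per-client view: request count, POST count and the endpoints touched."""
    out: Dict[str, dict] = defaultdict(lambda: {"requests": 0, "posts": 0, "endpoints": set()})
    for h in hits:
        s = out[h["ip"]]
        s["requests"] += 1
        if h["method"] == "POST":
            s["posts"] += 1
        s["endpoints"].add(h["endpoint"])
    return dict(out)


def exploitation_candidates(hits: List[dict]) -> List[str]:
    """Clients that got a non-error response to a POST on the restore endpoint.

    A GET that returns 200 only proves the endpoint is reachable; a successful
    POST is the write path the vulnerability abuses, so it ranks higher.
    """
    ips = {h["ip"] for h in hits if h["method"] == "POST" and h["status"] < 400}
    return sorted(ips)


if __name__ == "__main__":
    found = find_restore_requests(SAMPLE_LOG)
    for ip, s in summarize_by_ip(found).items():
        print(ip, s["requests"], "requests,", s["posts"], "POST,", sorted(s["endpoints"]))
    print("candidates:", exploitation_candidates(found))
```

A hit on a reverse-proxy log that should have returned 403 after the mitigation was applied is a sign the block rule is not in place; a hit that predates the patch is the starting point for the webshell and ransomware hunt described below.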
The threat actors behind this campaign have been observed deploying new variants of the C3RB3R (Cerber) ransomware, targeting both Windows and Linux hosts. The ransomware payload is delivered through a multi-stage attack chain, which involves the use of webshells and PowerShell scripts to download and execute the malware. The ransomware encrypts files on the compromised system and attempts to delete Volume Shadow Copies to make data recovery more difficult.
The C3RB3R ransomware has been in operation since at least 2016 but has seen increased usage in recent years. It operates as a semi-private Ransomware-as-a-Service (RaaS) and has been associated with multiple campaigns. In this specific campaign, the ransomware displays the "C3RB3R" branding in the ransom note and victim payment portal.
The threat actors behind this campaign have been observed using multiple IP addresses to host the C3RB3R ransomware payloads. These payloads have been stored on the Command and Control (C2) server under inconspicuous names.
The ransom note directs victims to a TOR-based portal for payment instructions, warning that failure to pay will result in the stolen data being sold on the dark web.
Source: C3RB3R Ransomware | Ongoing Exploitation of CVE-2023-22518 Targets Unpatched Confluence Servers - SentinelOne
🛠️ Applied Emulation - Analysis of MarsStealer
Key Takeaways:
Emulation is a useful technique for malware analysis and triage that can speed up the process.
The report focuses on the analysis of MarsStealer, a stealer malware that targets credit cards, browsers, crypto wallets, and more.
The payload of the malware is obfuscated and partially packed, requiring dynamic analysis to extract the actual code.
The report demonstrates the use of emulation to deobfuscate strings and analyze the malware's functionality.
Emulation can be used to resolve strings, identify anti-analysis and anti-sandbox techniques, and gain insights into the malware's behavior and targets.
Summary:
The report analyses MarsStealer, a stealer that targets sensitive information such as credit cards, browser data, and crypto wallets, and uses it to show how emulation speeds up malware analysis. The payload is first extracted through dynamic analysis, and a string deobfuscation routine is identified in the extracted code and analysed to understand how it works.
The report then covers the requirements for emulation: only user-mode code needs to be emulated, and the tool used is dumpulator, which runs code from a minidump of the process. It provides the setup instructions and code, including how to pick the start and end addresses of the emulation run. The resulting script resolves the obfuscated strings, which reveal the common stealer targets the malware looks for and hint at its anti-analysis and anti-sandbox techniques.
Source: https://viuleeenz.github.io/posts/2023/11/applied-emulation-analysis-of-marsstealer/