Timely Intel on Qakbot, and YARA rules for every occasion
30/06/2022

Threat Actor Reporting
North Korea’s nuclear missile GoFundMe runs out of steam
Reuters have reported that the profitability of North Korea’s offensive cyber operations has taken a hit, shedding hundreds of millions of dollars in value as cryptocurrency markets have tanked over recent weeks.
Separate blockchain analysis firms have reported a loss of between 80 and 85% in value for one of North Korea’s cryptocurrency caches, and proceeds from a series of 49 hacks performed through 2017 to 2021 have “decreased in value from $170 million to $65 million” since the beginning of this year alone.
While North Korea was credited in March with the attack on the blockchain project “Ronin”, which netted it $615 million in Ether, that same Ether is worth nearly one third of that today.
The DPRK’s ongoing cyber offensive has focused heavily on companies in the cryptocurrency industry in recent years, and has propped up the dictatorial regime’s testing of nuclear missiles - estimated to amount to as much as $620 million so far this year.
It’ll be interesting to see how they respond to the continued depreciation in their ill-gotten gains - whether they try to cash their chips out while they can, increase the tempo of operations to make up for the shortfall, or explore other more profitable avenues for generating revenue for the hermit kingdom.
CISA add PwnKit vulnerability to Known Exploited Vulnerabilities Database
First reported in January this year, the PwnKit vulnerability (CVE-2021-4034) impacts all major Linux distributions, including Ubuntu, Debian, Fedora and CentOS, and can be abused to provide an attacker full root privileges on a default-install environment.
If it wasn’t bad enough that it existed in a version of Polkit dating back to May 2009, a PoC exploit was released just 3 hours after details of the vulnerability were originally reported by Qualys’ research team.
While there haven’t been any reported instances of its use in real-world campaigns, CISA’s addition of this vulnerability to the KEV highlights that it’s highly likely that exploitation has either been observed or is believed imminent by the agency. If it’s not already on your organisation’s list of vulnerabilities to patch - I’d suggest now is as good a time as any to pop it on there.
TTP Updates
Qakbot
Prominent malware, spread via malspam and email thread hijacking to enable initial access. Recently identified in use during a BlackBasta (apparent Conti ransomware successor) campaign.
TA577 (obama196)
CHANGED: html smuggling > .zip > .lnk > .dll
Execution: lnk > cmd (set env variable) > curl (jpg > png) > regsvr32 (png)
TA577 has added some light command-line obfuscation: the cmd.exe stage sets an environment variable to the value “regs”, then expands that variable in the command line to build the regsvr32.exe name and invoke it against the downloaded DLL, so the string “regsvr32” never appears literally in the parent command line.
Don’t forget about recon:
Timely reminder from @Kostas that as dynamic as Qakbot delivery is, it still relies on commonly used network enumeration commands to perform initial recon when it lands. All of these are worth building detections for - a cumulative risk-based one, if you can, where the score builds the more that are seen, and an alert is only raised where score > x.
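To make the two detection ideas above concrete (the env-var-assembled regsvr32 invocation, and a cumulative risk score over recon commands that only alerts once it passes a threshold), here is an added Python example that is not from the original post. The process-creation events, the obfuscated command line, the recon binary list and the point weights are all constructed for illustration; tune them to your own telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon-style: host, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "cmd.exe",
     "cmdline": 'cmd /c set "q=regs" && call %q%vr32 /s C:\\Users\\Public\\t.png'},
    {"host": "ws01", "image": "regsvr32.exe", "cmdline": "regsvr32 /s C:\\Users\\Public\\t.png"},
    {"host": "ws01", "image": "whoami.exe", "cmdline": "whoami /all"},
    {"host": "ws01", "image": "net.exe", "cmdline": "net view /all /domain"},
    {"host": "ws01", "image": "nltest.exe", "cmdline": "nltest /domain_trusts /all_trusts"},
    {"host": "ws02", "image": "whoami.exe", "cmdline": "whoami"},
]

# Assumed weights for commonly used enumeration binaries (an illustrative list, not Kostas' list).
RECON_WEIGHTS = {"whoami.exe": 1, "ipconfig.exe": 1, "arp.exe": 1, "nslookup.exe": 1,
                 "net.exe": 2, "nltest.exe": 3}

# Env-var expansion assembling the regsvr32 name: set "<var>=regs" ... %<var>%vr32
ENV_REGSVR = re.compile(r'set\s+"?(\w+)=regs"?.*%\1%vr32', re.IGNORECASE)
# regsvr32 loading a file whose extension is not .dll (the chain above uses .png)
REGSVR_NON_DLL = re.compile(r'regsvr32(?:\.exe)?\s.*\.(?:png|jpg|jpeg|gif|dat|txt)\b', re.IGNORECASE)


def score_event(event):
    """Return (points, reason) for one event; 0 points when nothing matches."""
    image, cmdline = event["image"].lower(), event["cmdline"]
    if ENV_REGSVR.search(cmdline):
        return 4, "regsvr32 assembled from env var"
    if REGSVR_NON_DLL.search(cmdline):
        return 3, "regsvr32 with non-dll payload"
    if image in RECON_WEIGHTS:
        return RECON_WEIGHTS[image], f"recon: {image}"
    return 0, ""


def score_hosts(events, threshold=5):
    """Accumulate points per host; alert only once the total exceeds the threshold."""
    totals, reasons = defaultdict(int), defaultdict(list)
    for ev in events:
        points, reason = score_event(ev)
        if points:
            totals[ev["host"]] += points
            reasons[ev["host"]].append(reason)
    return {h: {"score": totals[h], "alert": totals[h] > threshold, "reasons": reasons[h]}
            for h in totals}


if __name__ == "__main__":
    for host, result in score_hosts(SAMPLE_EVENTS).items():
        print(host, result)
```

Note that the parent cmd.exe line never contains the literal string “regsvr32”, so a rule keyed on that string alone only fires on the child process; scoring both the env-var pattern and the child keeps coverage when either is missed.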
Don’t rely on hashes for Qakbot:
@ankit_anubhav has discovered that Qakbot dynamically generates payloads when requested during the delivery phase, meaning ordinary hashes like SHA256 are only relevant for a single target. Consider using fuzzy hashing algorithms like SSDEEP and Imphashes when trying to correlate payloads instead.
Tradecraft
Florian Roth has shared an excellent YARA rule looking for zip archives delivering files with double extensions (e.g. .doc.exe). Pair this with a previous one he shared to detect emails delivering ZIPs containing ISOs as attachments and you’ve got a good base to detect a large portion of payloads being delivered by actors these days.
Fun with comsvcs.dll dumping lsass - multiple variants that might break your detections, including one not detected by Defender at the time
Additional resources to help with testing, provided by John Lambert here, and here.
Mandiant have provided a great blog & list of YARA rules to help detect unwanted VPN, Proxy, or tunneling software and activity in your network.