HYAS Threat Intel Report April 8 2024

Weekly Threat Intelligence Report

Date: April 8, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Each week, we are sharing what we are seeing in our HYAS Insight threat intelligence and investigation platform, specifically autonomous system numbers (ASNs) and malware origins, as well as the most prominent malware families. This week, we were intrigued by a cluster of activities associated with ASN216309 and went down the rabbit hole. Read on to learn what we found.

Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X

Identification of Malicious Activities Associated with ASN216309

A cluster of IP addresses within the 185.172.128.0/24 IP range associated with ASN216309, registered to TNSecurity LTD in the UK, has been identified as facilitating malicious activities. These IPs are implicated in the distribution of StealC, gcleaner, and redline malware.

Geographic Anomaly: Despite the ASN being registered in the UK, the investigation reveals that the IPs communicate from Germany. This geographical mismatch raises suspicion and indicates potential fraudulent activities such as IP spoofing or compromised infrastructure.

Malware Behavior

StealC and gcleaner malware are observed making requests to .PHP files on websites via TCP port 80. This behavior suggests that the malware may be exploiting vulnerabilities in web servers or employing web-based attack vectors to propagate and execute malicious payloads.

Specific Malware Behavior

Network traffic captures indicate the downloading of an executable file (syncUpd.exe) from the StealC server. This executable is likely to be a component of the malware, potentially used for further propagation, data exfiltration, or system manipulation.

Implications and Threat Landscape

The presence of multiple malware strains within the same network indicates a sophisticated attack campaign, likely orchestrated by a well-resourced threat actor or group. The combination of different malware types suggests a multi-faceted approach, targeting various vulnerabilities and attack surfaces within the network.

Recommendations for Threat Mitigation

• Implement strict access controls and firewall rules to block traffic originating from the identified malicious IPs.
• Regularly update and patch systems to remediate known vulnerabilities exploited by the observed malware strains.
• Employ intrusion detection and prevention systems (IDPS) to identify and block malicious activities in real-time.
• Conduct thorough security assessments and penetration testing to identify and remediate weaknesses in web server configurations and application code.
• Enhance network monitoring capabilities to detect and respond to suspicious activities, such as unusual file downloads or anomalous traffic patterns.

Collaboration and Information Sharing

• Share threat intelligence findings with relevant cybersecurity communities, industry peers, and law enforcement agencies to increase awareness and facilitate collaborative threat response efforts.
• Engage with internet service providers (ISPs) and CERT teams to coordinate takedown efforts and disrupt the infrastructure used by threat actors.
• Continuous Monitoring and Adaptation: Establish a proactive approach to threat intelligence gathering, analysis, and dissemination to stay ahead of evolving cyber threats.
• Continuously monitor network traffic, conduct regular threat assessments, and adapt security controls and countermeasures accordingly to mitigate emerging risks effectively.

Key Insights and Inferences

This information provides insights into the tactics, techniques, and procedures (TTPs) employed by threat actors, enabling organizations to bolster their cyber defenses and mitigate the risk of cyber attacks.

Sophisticated Threat Actor: The presence of multiple malware strains and the utilization of geographically dispersed infrastructure indicate the involvement of a sophisticated threat actor or group. Such actors typically possess advanced capabilities and resources to orchestrate coordinated cyber attacks across different regions.

Targeted Attack Campaign: The choice of specific malware variants like StealC, gcleaner, and redline, along with their methods of propagation through web servers, suggests a targeted attack campaign rather than random opportunistic attacks. This implies that the threat actor may have conducted reconnaissance and selected targets strategically.

Geo-Spoofing and Infrastructure Misuse: The discrepancy between the registered location of the ASN (UK) and the actual location of IP communication (Germany) indicates potential geo-spoofing or misuse of infrastructure. This tactic is often employed by threat actors to obfuscate their true origins and complicate attribution efforts.

Exploitation of Web-based Vulnerabilities: The fact that the malware is making requests to .PHP files on websites using TCP port 80 suggests that the attackers are exploiting vulnerabilities in web servers or web applications. This underscores the importance of securing web-facing assets and regularly patching known vulnerabilities.

Data Exfiltration and Persistence: The presence of an executable (syncUpd.exe) being downloaded from the StealC server indicates potential data exfiltration or the establishment of persistence mechanisms within compromised systems. This highlights the threat actor's objectives of stealing sensitive information or maintaining long-term access to targeted networks.

Need for Enhanced Threat Intelligence and Response: The information underscores the importance of robust threat intelligence capabilities and proactive threat response strategies. Organizations need to continuously monitor for indicators of compromise, share threat intelligence with relevant stakeholders, and implement effective mitigation measures to defend against evolving cyber threats.

Want more threat intel on a weekly basis?

Follow HYAS on LinkedIn
Follow HYAS on X

Read last week's report:
HYAS Threat Intel Report - April 1, 2024

Sign up for the NEW (and free!) HYAS Insight Intel Feed

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.  

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.