SECURITY THREAT INFORMATION FOR JANUARY 2021

This monthly GTSC security overview highlights Chimera Group’s multi-target intrusions using compromised credentials, cloud services, and Cobalt Strike beacons, and covers a separate JsOutProx JavaScript RAT campaign targeting Asian government entities, plus a Solorigate-related transition and a shift by Chinese APTs toward ransomware. It also describes a large-scale PLEASE_READ_ME MySQL ransomware operation with double extortion tactics and TOR-based payments. Hashtags: #ChimeraGroup #JsOutProx #Solorigate #SUNBURST #DRBControl #APT27 #Winnti #PlugX

Keypoints

  • Chimera Group used compromised credentials to access VPN/Citrix services and move laterally, then deployed Cobalt Strike beacons for remote access and data collection.
  • Anti-forensic actions included deleting event logs, altering timestamps, and removing scheduled tasks; infrastructure reuse was observed across appspot.com and azureedge.net.
  • JsOutProx is a full-featured JavaScript RAT used in an Asia-focused campaign against government/financial targets, delivered via HTA files in spear-phishing and using DNS-based C2.
  • Solorigate-related activity shows a staged transition from DLL backdoors to Cobalt Strike loaders, with extensive anti-forensic and network-enumeration evasion techniques.
  • Chinese APT groups are linked to ransomware campaigns (DRBControl lineage, APT27/Emissary Panda, Winnti) and related tools (PlugX, Clambling), including use of CVE-2017-0213.
  • PLEASE_READ_ME ransomware targets MySQL servers globally, enabling double extortion via leaked data, with a TOR-based payment site and hundreds of thousands of compromised databases.

MITRE Techniques

  • [T1110] Brute Force – Brute forcing, credential stuffing, or password spraying to discover valid accounts for remote access.
  • [T1133] External Remote Services – Access to VPN, Citrix, or another service that allows entry into the victim’s network.
  • [T1078] Valid Accounts – Use of user accounts and passwords obtained from victims to gain initial access and persistence.
  • [T1053] Scheduled Task/Job – Use of scheduled tasks and batch files for automation.
  • [T1059.001] PowerShell – Use of PowerShell to execute or download tools.
  • [T1036] Masquerading – Naming tools, data, and folders with duplicate filenames so they blend in with legitimate items.
  • [T1047] Windows Management Instrumentation (WMI) – Use WMI for discovery/persistence (e.g., WMI persistence filter name/query).
  • [T1082] System Information Discovery – Enumeration steps to map the environment (implied by the network enumeration activity).
  • [T1070.006] Timestomping – Altering file and sample timestamps to hinder attribution. “kỹ thuật timestomping để thay đổi timestamp” translates to “timestomping techniques to change timestamps.”
  • [T1562.004] Impair Defenses: Disable/Modify System Firewall – Pre-attack steps to disable event logging and minimize exposure.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration through the C2 channel of Cobalt Strike.
  • [T1560.001] Archive Collected Data – Compressing data (WinRAR) before exfiltration.
  • [T1567.002] Exfiltration to Cloud Storage – Copying exfiltrated data to OneDrive/TOR-based storage.
  • [T1003] OS Credential Dumping – Copying NTDS.dit and other credential data from the domain controller.
  • [T1568] – Multiple exfiltration routes, including unencrypted channels and TOR-fronted cloud storage.

Indicators of Compromise

  • [Hash] – SHA256 hashes for malicious HTA samples: c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165, f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a
  • [File name] – Pilipina_Anti-Money_Laundering_Council_Resolution_pdf.hta, Information_on_Compliance_officer_xlsx.hta
  • [URL/Domain] – hxxp://myabiggeojs.myftp[.]biz:9895 (C2 URL), onion service hn4wg4o6s5nc7763.onion
  • [IP] – 185.195.79.210, 185.19.85.156 (C2/hosting or distribution points)
  • [Domain] – myabiggeojs.myftp[.]biz (C2 domain), appspot.com and azureedge.net (infrastructure overlap)
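To make the indicators above directly usable in a log review, here is an added example (not code from the GTSC post) that refangs the defanged values and scans log lines for them; the proxy, EDR and firewall lines are constructed samples, and the `refang`, `build_matchers` and `scan_logs` names are my own.

```python
import re
# Indicators copied from the IoC list above, kept in their defanged form.
DEFANGED_IOCS = {
    "sha256": [
        "c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165",
        "f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a",
    ],
    "filename": [
        "Pilipina_Anti-Money_Laundering_Council_Resolution_pdf.hta",
        "Information_on_Compliance_officer_xlsx.hta",
    ],
    "domain": ["myabiggeojs.myftp[.]biz", "hn4wg4o6s5nc7763.onion"],
    "ip": ["185.195.79.210", "185.19.85.156"],
}

def refang(value: str) -> str:
    """Turn defanged notation (hxxp, [.]) back into the real indicator."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def build_matchers(iocs):
    """Compile one case-insensitive regex per indicator type."""
    matchers = {}
    for kind, values in iocs.items():
        alternation = "|".join(re.escape(refang(v)) for v in values)
        # Lookarounds bound the value: 185.19.85.156 must not hit 185.19.85.1560.
        matchers[kind] = re.compile(
            r"(?<![\w.-])(?:" + alternation + r")(?![\w.-])", re.IGNORECASE)
    return matchers

def scan_logs(lines, matchers):
    """Return (line_number, ioc_type, matched_text) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, rx in matchers.items():
            for m in rx.finditer(line):
                hits.append((n, kind, m.group(0)))
    return hits

# Constructed sample log lines (not from the page); the last one is a near-miss.
SAMPLE_LOGS = [
    "2021-01-12T08:14:03Z proxy user=alice dst=myabiggeojs.myftp.biz:9895 "
    "url=http://myabiggeojs.myftp.biz:9895/ status=200",
    "2021-01-12T08:13:55Z edr host=WS17 event=FileCreate "
    "sha256=F1027D6F01718030A66872A82134418984C2DE82E1AFF32CB7CC106BF8D3375A "
    "path=C:\\Users\\alice\\Downloads\\Information_on_Compliance_officer_xlsx.hta",
    "2021-01-12T08:15:40Z fw action=allow src=10.0.0.5 dst=185.19.85.156 dport=443",
    "2021-01-12T08:16:02Z fw action=allow src=10.0.0.5 dst=185.19.85.1560 dport=443",
]

HITS = scan_logs(SAMPLE_LOGS, build_matchers(DEFANGED_IOCS))
```

Printing `HITS` lists five matches on the first three sample lines and none on the near-miss IP; feed real proxy, EDR and firewall exports to `scan_logs` to apply the same check.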

Read more: https://gteltsc.vn/blog/thong-tin-cac-moi-de-doa-bao-mat-trong-thang-01-2021-9681.html