Thursday, August 24, 2017

Ursnif Campaign Targets Logistics and Finance

TLP AMBER ANNOUNCEMENT:

Wapack Labs recently identified a large-scale Ursnif campaign affecting multiple companies in the logistics, finance, and IT sectors. The campaign, which began in May 2017, consists of spear-phishing emails carrying a malicious document that, when opened and its embedded macro enabled, delivers malware identified as Ursnif. Active since 2012, Ursnif has gone through several variants; the current one implements data exfiltration and sends encrypted victim data to a C2 server. By sending from compromised accounts and exploiting existing trust relationships, the actors are likely achieving a high open rate. Although additional user interaction is required to enable the malicious macro, the campaign probably still yielded some installations, because the delivery emails came from known correspondents rather than being unsolicited. The social engineering involved reflects a moderate to advanced level of tradecraft. Tactics, Techniques, and Procedures (TTPs) and shared infrastructure suggest that a single actor or group, attributed to China, executed this campaign...READ MORE

Wapack Labs has cataloged and reported extensively on spear-phishing, Ursnif, and China in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

China’s Position in the U.S. & North Korean Conflict

China is attempting to play a moderating role in the current conflict between the United States and North Korea over North Korea’s development of intercontinental nuclear missiles. China has argued for restraint on all sides, and signed the United Nations sanctions measure against North Korea on 5 August 2017. A review of Chinese statements in their own media on 14-16 August 2017 indicates China is standing by its sanctions pledge and sees some hope for an easing of the crisis:
  • On 14 August China reaffirmed that it was imposing an import ban on coal, iron, iron ore, lead, lead ore and seafood from North Korea as a tool to bring Pyongyang back to negotiations.
  • Some Chinese coverage argued that North Korean threats were just a stratagem to entice the U.S. to cancel its joint military exercises with South Korea.
  • The enthusiasm for joining with the United States in pressuring North Korea may have been blunted somewhat by the White House order to start an investigation into Chinese trade practices.
  • As of 16 August, China appeared to see signs that the crisis was starting to ease, based on North Korean media coverage of Kim Jong-Un’s visit to its Strategic Force Command and the “delay” in any attack decision. 
In general, China has indeed taken a relatively neutral stance in this conflict. If China stands by its pledge to block key imports from North Korea, this could over time put real economic pressure on Pyongyang. Whether that would be enough to cause North Korea to curtail its weapons programs is still in doubt. China’s statement that it would not support a preemptive strike by North Korea on the U.S. may also help keep this crisis from escalating...READ MORE

Wapack Labs has cataloged and reported extensively on China, North Korea, and sanctions in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

Ukrainian Independence Day, Potential NotPetya-Like Attack?

Wapack Labs has received information suggesting a possible NotPetya-like attack targeting Ukrainian banking and critical infrastructure today, timed to coincide with Ukrainian Independence Day. On 11 August 2017, the National Bank of Ukraine (NBU, the central bank of Ukraine) notified Ukrainian banks of an upcoming NotPetya-like attack; journalists reported it on 16 August 2017. Several English- and Russian-language news sites covered the issue, but most if not all of that coverage was circular reporting of the original sources. The reported characteristics:
  • NotPetya-like attack
  • Hitting corporate networks of the Ukrainian businesses
  • On or around the Ukrainian Independence Day (24 August 2017)
  • Via a malicious MS Word attachment
  • Not detected by antivirus products at the time of the NBU warning
  • NBU cooperates with CERT-UA to stop similar attacks...READ MORE
Wapack Labs has cataloged and reported extensively on Ukraine and NotPetya in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, August 23, 2017

COULD IT BE HACKING? NAVAL CRASHES RAISE TROUBLING QUESTIONS - JEFF STUTZMAN SPEAKS TO HEADLINE NEWS

Jeff Stutzman, Chief Intelligence Officer of Wapack Labs Corporation of New Boston, NH, was interviewed by Headline News on August 22, 2017. The subject of the interview was “US Navy collisions stoke cyber threat concerns.” Jeff discussed the tragic event that cost the lives of ten sailors. He also mentioned a recent Wapack Labs report that GPS spoofing had been identified earlier this year near the Russian Black Sea coast, where twenty ships reported their position as inland at Gelendzhyk Airport. The report can be downloaded and viewed on the Wapack Labs READBOARD.

Friday, August 18, 2017

Russia May Have Tried Maritime GPS Spoofing

In a 22 June 2017 report, twenty (20) ships near the Russian Black Sea coast reported their GPS position as inland, at Gelendzhyk Airport. Similar GPS position errors were noticed in automobiles driving near the Kremlin in Moscow, Russia. These anomalies suggest that Russia is likely testing a GPS spoofing capability, on land and at sea, for use in the event of a military conflict...READ MORE
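The anomaly described above, many receivers agreeing on a position that is physically impossible for them, is detectable from the position reports themselves. The following is an added example, not Wapack Labs code or anything from the underlying report: it checks each vessel's track for an implied speed no hull can reach, flags fixes that fall inside a known on-land area, and lists the vessels that cluster at the same inland point. All identifiers and coordinates are constructed, the `hypothetical_airport` bounding box is a placeholder rather than real survey data, and the speed ceiling is an assumption to tune per vessel class.

```python
"""Plausibility checks for GPS/AIS position reports.

Added example (not Wapack Labs code). Flags vessel fixes that imply an
impossible speed or that sit inside a known on-land area, and lists the
vessels whose fixes cluster at the same on-land spot, which is what a spoofed
fix shared by many receivers looks like. Coordinates and identifiers are
constructed; the "hypothetical_airport" box is a placeholder, not real data.
"""
import math
from collections import defaultdict
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
# Generous ceiling for a merchant hull (~49 kn); assumption, tune per vessel class.
MAX_SHIP_SPEED_MPS = 25.0


@dataclass(frozen=True)
class Fix:
    mmsi: str    # AIS vessel identifier (constructed values in SAMPLE)
    t: float     # UNIX seconds
    lat: float   # degrees
    lon: float   # degrees


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points on a spherical Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def in_box(fix, box):
    """box = (south, north, west, east) in degrees; axis-aligned containment test."""
    south, north, west, east = box
    return south <= fix.lat <= north and west <= fix.lon <= east


def check_track(fixes, land_boxes, max_speed=MAX_SHIP_SPEED_MPS):
    """Anomalies for one vessel as a list of (Fix, reason); fixes are sorted by time."""
    anomalies = []
    ordered = sorted(fixes, key=lambda f: f.t)
    for prev, cur in zip(ordered, ordered[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            anomalies.append((cur, "duplicate or non-increasing timestamp"))
            continue
        speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt
        if speed > max_speed:
            anomalies.append((cur, f"implied speed {speed:.1f} m/s exceeds {max_speed:.1f} m/s"))
    for fix in ordered:
        for name, box in land_boxes.items():
            if in_box(fix, box):
                anomalies.append((fix, f"position inside on-land area '{name}'"))
    return anomalies


def check_fleet(fixes, land_boxes):
    """Group fixes by MMSI; return {mmsi: [reason, ...]} for vessels with anomalies."""
    by_vessel = defaultdict(list)
    for fix in fixes:
        by_vessel[fix.mmsi].append(fix)
    report = {}
    for mmsi, track in by_vessel.items():
        found = check_track(track, land_boxes)
        if found:
            report[mmsi] = [reason for _, reason in found]
    return report


def vessels_in_box(fixes, box):
    """Distinct vessels reporting inside one area; many at once is the spoofing signature."""
    return {fix.mmsi for fix in fixes if in_box(fix, box)}


# Constructed sample: vessel ...001 moves normally; ...002 and ...003 both
# "teleport" to the same inland point within ten minutes.
LAND_BOXES = {"hypothetical_airport": (44.560, 44.580, 38.000, 38.030)}
SAMPLE = [
    Fix("100000001", 0, 44.50, 37.90), Fix("100000001", 600, 44.51, 37.92),
    Fix("100000002", 0, 44.40, 37.80), Fix("100000002", 600, 44.57, 38.01),
    Fix("100000003", 0, 44.45, 37.85), Fix("100000003", 600, 44.57, 38.01),
]

if __name__ == "__main__":
    for mmsi, reasons in check_fleet(SAMPLE, LAND_BOXES).items():
        print(mmsi, "->", "; ".join(reasons))
    print("vessels inside airport box:",
          sorted(vessels_in_box(SAMPLE, LAND_BOXES["hypothetical_airport"])))
```

The speed test alone catches a single vessel whose receiver is being fed a fake position; the clustering test is what separates spoofing from a faulty receiver, since unrelated vessels do not independently fail to the same coordinates. A production check would replace the bounding box with a coastline polygon and carry the vessel's own reported speed and heading as a second consistency signal.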

Wapack Labs has cataloged and reported extensively on Russia and GPS spoofing in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Thursday, August 17, 2017

Compromised Brazilian Government Account Advertising Hacker Shops

Wapack Labs' “Operation 8-ball” identified a hacker forum being advertised through a compromised government email account located in Para, Brazil. One of the advertised hacker shop domains was also tweeted by a novice Canadian carder. The originating IPs were located in Kosovo, which is also listed in the hacker forum's WHOIS data. Exact attribution for the Brazilian government compromise has not been established...READ MORE

Wapack Labs has cataloged and reported extensively on compromised accounts and hacker forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Wednesday, August 16, 2017

Indian Physical Security Company Compromise

TLP AMBER ANNOUNCEMENT: 

On 15 July 2017, Wapack Labs identified, with high confidence, four compromised email accounts belonging to an Indian physical security company, with usernames and passwords captured by a keylogger. These accounts were used to harvest information from multiple internal systems and external portals; both the sales and customer relationship management systems may have been compromised. Since many of these keylogger infections have spread through automation, there is potential for the compromise to extend into customer, partner, and supply chain relationships...READ MORE

Wapack Labs has cataloged and reported extensively on keyloggers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.
This TLP AMBER report is available only to Red Sky Alliance members.

Monday, August 14, 2017

DiamondFox in the Wild

TLP AMBER ANNOUNCEMENT: 

DiamondFox is a credential-stealing, multi-purpose botnet sold on the black market as Malware as a Service (MaaS). Also known as Gorynych, DiamondFox is still actively used in the wild, with its latest version, Crystal, available in online marketplaces. This malware can steal information from Point of Sale (PoS) systems, and campaigns have targeted multi-state healthcare providers, dental clinics, manufacturers, and technology companies. To get a picture of the current state of DiamondFox botnets, Wapack Labs collected recent samples and extracted the command and control (C2) information from their configuration files. This report provides technical details on DiamondFox, its Russian botnet infrastructure, and the domains involved...READ MORE

Wapack Labs has cataloged and reported extensively on malware and botnets in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Life After AlphaBay: TradeRoute

TLP AMBER ANNOUNCEMENT: 

On 04 August 2017, Wapack Labs discovered TradeRoute, a Russian- and English-language Tor-based dark net marketplace and forum that focuses on the sale of illegal drugs. Vendors also sell electronics, digital goods, forgeries, hacking services, laboratory equipment for narcotics production, counterfeit fashion goods, and fraud services. With the recent law enforcement takedowns of Hansa Market and AlphaBay (see past Wapack Labs reporting), actors are migrating to TradeRoute quickly, making it a leading dark net marketplace...READ MORE

Wapack Labs has cataloged and reported extensively on Tor marketplaces and forums in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

WWW.WAPACKLABS.COM

This TLP AMBER report is available only to Red Sky Alliance members.

Friday, August 11, 2017

Microsoft Office Hoax Phishing Site

On 27 July 2017, Wapack Labs, using its Cyber Threat Analysis Center (CTAC), discovered a phishing site disguised as a Microsoft Office sign-in page. The site is designed to trick users into entering their Microsoft account email addresses and passwords. After a user submits credentials to the malicious site, they are redirected to the real Microsoft sign-in page, so the victim sees what looks like a normal sign-in flow. The differences between the web pages can be seen in...READ MORE
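Whatever the look-alike page shows, the credentials have to be posted somewhere, and that destination is the cheapest thing to check. The following is an added example, not Wapack Labs code and not the page from the report: it parses a page's HTML, finds every form containing a password field, resolves where that form would submit, and flags the page if the submit target or the page's own host is not on an allow-list of genuine sign-in hosts. The two HTML snippets and the `office-signin.example` host are constructed, and the `TRUSTED_SIGNIN_HOSTS` allow-list is an assumption the reader would maintain for their own tenant.

```python
"""Static check for credential-harvesting sign-in pages.

Added example (not Wapack Labs code). Finds each form that collects a
password, resolves the form's action against the page URL, and reports the
page if either the action host or the page host is outside an allow-list of
genuine sign-in hosts. HTML samples and the ".example" host are constructed;
the allow-list is an assumption.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the genuine Microsoft sign-in flow uses (assumption; extend as needed).
TRUSTED_SIGNIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class _FormCollector(HTMLParser):
    """Collects {"action", "has_password"} for each <form> in the document."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes arrive as None
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def credential_sinks(page_url, page_html):
    """[(resolved_action_url, host)] for every form on the page that collects a password."""
    parser = _FormCollector()
    parser.feed(page_html)
    sinks = []
    for form in parser.forms:
        if form["has_password"]:
            # A relative or empty action posts back to the page's own host.
            target = urljoin(page_url, form["action"])
            sinks.append((target, (urlparse(target).hostname or "").lower()))
    return sinks


def is_suspicious(page_url, page_html, trusted=TRUSTED_SIGNIN_HOSTS):
    """True when a password form posts to, or is served from, a non-trusted host.

    Exact host match only: a look-alike such as login.microsoftonline.com.evil.example
    is caught rather than accepted as a subdomain of a trusted name.
    """
    sinks = credential_sinks(page_url, page_html)
    if not sinks:
        return False   # no credential form, nothing to harvest
    page_host = (urlparse(page_url).hostname or "").lower()
    return page_host not in trusted or any(host not in trusted for _, host in sinks)


# Constructed samples: a look-alike page that posts to itself (and would then
# redirect the victim to the real sign-in page), and a page on the genuine host.
PHISH_URL = "http://office-signin.example/login.php"
PHISH_HTML = """<html><body><h1>Sign in to your account</h1>
<form method="post" action="submit.php">
  <input name="username" type="email"><input name="password" type="password">
  <button type="submit">Sign in</button></form></body></html>"""

LEGIT_URL = "https://login.microsoftonline.com/"
LEGIT_HTML = """<html><body>
<form method="post" action="/common/login">
  <input name="username" type="email"><input name="password" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for url, doc in ((PHISH_URL, PHISH_HTML), (LEGIT_URL, LEGIT_HTML)):
        verdict = "SUSPICIOUS" if is_suspicious(url, doc) else "ok"
        print(url, "->", verdict, credential_sinks(url, doc))
```

The post-submit redirect to the real sign-in page does not help the phishing site here: the resolved action host is captured before any redirect, and a page that points its form directly at a trusted host while being served from an untrusted one is still flagged by the page-host test. Script-driven submission (credentials collected by JavaScript and sent with `fetch`) is the gap in any static HTML check and needs a browser-instrumented run to cover.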

Wapack Labs has cataloged and reported extensively on phishing in the past. An archive of related reporting can be found in the Red Sky Alliance portal.

Shadowbrokers and the Scylla Hacking Store

The ShadowBrokers (SB) have recently opened a new Tor-based market called the Scylla Hacking Store. SB is selling exploits stolen from several APT groups (U.S., Russian, and Chinese), crimeware exploit kits, and other crimeware tools: bots, hash cracking, and Microsoft Office exploits. Analysts believe, with medium confidence, that the recent Petya activity may be related to SB's sale of the full payload source code for the FuzzBunch framework, which included EternalBlue...READ MORE

Wapack Labs has cataloged and reported extensively on the ShadowBrokers in the past. An archive of related reporting can be found in the Red Sky Alliance portal.