Earlier this year, Mandiant's Managed Defense threat hunting team identified an UNC2975 malicious advertising campaign promoting malicious websites themed around unclaimed funds.
In each investigation under this campaign, Mandiant identified browser history artifacts on affected systems showing that a user clicked on a malicious advertisement and interacted with one of two websites: claimprocessing[.
Mandiant identified three different delivery chains in which PAPERDROP and PAPERTEAR downloaded and executed secondary payloads, the DANABOT and DARKGATE malware families, attributed to multiple UNC groups.
Mandiant also observed PAPERDROP download and execute a malicious installation package file without using a specific transfer tool.
Although not observed in each case, Mandiant identified Run key persistence to execute the DANABOT payload in the file C:\Users\<user>\AppData\Local\Temp\Oadsoophotfp.
In a separate investigation, Mandiant identified a folder path that spoofed the Box Edit application and dropped a DANABOT payload to the path C:\Users\<user>\AppData\Roaming\Box Inc\Box Edit\Box Edit\Box.
001]. In addition to Run key persistence, Mandiant has also identified the capability for DANABOT to use a new Windows service [T1543.
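The two persistence artifacts above share a pattern a defender can hunt for directly: a Run key value whose command launches something from a user-writable location (%TEMP%, %APPDATA%\Roaming) or hands a script in such a location to a script host such as wscript.exe, which is how the Visual Basic Script droppers described in this post would be kept alive. The triage routine below is an added example, not Mandiant code; the Run key entries it scans are constructed sample data modeled on the paths in the report (the file names, user name and extensions are invented), and the path markers and "repeated folder name" heuristic are this example's own assumptions, meant to surface candidates for analyst review rather than to declare a compromise.

```python
"""Triage Windows Run-key persistence entries for user-writable launch paths.

Added example (not Mandiant code). It scans Run key values for the pattern the
report describes: a payload launched from %TEMP% or from a vendor-looking
folder under %APPDATA%, sometimes indirectly through a script host.
"""
import re

# Directories an unprivileged user can write to, most specific first. A Run
# value pointing here is not proof of compromise (many legitimate per-user
# apps live under Roaming/Local), but %TEMP% in particular deserves review.
USER_WRITABLE_DIRS = [
    ("\\appdata\\local\\temp\\", "temp"),
    ("\\appdata\\roaming\\", "roaming"),
    ("\\appdata\\local\\", "local"),
    ("\\programdata\\", "programdata"),
]

# Script hosts that rarely belong in a Run key; the real payload is whatever
# file they are told to run, so the arguments are inspected as well.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(command):
    """Split a Run value's command line roughly the way CreateProcess does:
    a double-quoted run is one token, everything else splits on whitespace."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def writable_location(path):
    """Return the label of the user-writable directory the path sits in, or None."""
    low = path.lower().replace("/", "\\")
    for marker, label in USER_WRITABLE_DIRS:
        if marker in low:
            return label
    return None


def classify(command):
    """Return the reasons this Run value deserves analyst review (empty if none)."""
    tokens = tokenize(command)
    if not tokens:
        return []
    reasons = []
    image = tokens[0]
    image_name = image.lower().rsplit("\\", 1)[-1]

    loc = writable_location(image)
    if loc:
        reasons.append(f"executable launched from user-writable dir ({loc})")

    if image_name in SCRIPT_HOSTS:
        for arg in tokens[1:]:
            arg_loc = writable_location(arg)
            if arg_loc:
                reasons.append(f"{image_name} runs a file from user-writable dir ({arg_loc}): {arg}")
                break
        else:
            reasons.append(f"{image_name} used as a Run-key launcher")

    # Weak signal (this example's assumption): the spoofed vendor folder in the
    # report repeated a folder name ("Box Edit\Box Edit"); flag duplicated
    # components so the path gets a second look.
    parts = [p for p in image.lower().replace("/", "\\").split("\\") if p]
    if len(parts) != len(set(parts)):
        reasons.append("repeated folder name in path (possible vendor-folder spoof)")
    return reasons


def scan(entries):
    """entries: iterable of (registry key, value name, command). Returns findings."""
    findings = []
    for key, name, command in entries:
        reasons = classify(command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


RUN_KEY = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"

# Constructed sample Run values, not artifacts from the report. The file and
# user names are invented; the locations mimic the report's two patterns.
SAMPLE_ENTRIES = [
    (RUN_KEY, "OneDrive", '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" /background'),
    (RUN_KEY, "Updater", "C:\\Users\\alice\\AppData\\Local\\Temp\\updsvc.exe"),
    (RUN_KEY, "Box Edit", '"C:\\Users\\alice\\AppData\\Roaming\\Box Inc\\Box Edit\\Box Edit\\Box.exe"'),
    (RUN_KEY, "Loader", 'wscript.exe //B "C:\\Users\\alice\\AppData\\Roaming\\Adobe\\reader.vbs"'),
    (RUN_KEY, "SecurityHealth", "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(f"[{finding['name']}] {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On a live host the same `scan` function can be fed the output of a registry export of the HKCU and HKLM Run/RunOnce keys; the value of the approach is that it looks at where the launched file lives and how it is launched, which survives the renaming of the payload file between victims.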
PAPERDROP and PAPERTEAR
Throughout the course of the observed malvertising campaign, Mandiant encountered both PAPERDROP and PAPERTEAR Visual Basic Script files in use by malicious actors to facilitate payload deployment.
PAPERDROP
Initially observed by Mandiant in January 2021 in use by UNC2975, PAPERDROP is primarily associated with DANABOT payload distribution and generally has several distinct characteristics across two different build types.
Campaign Tracking
Mandiant has been disseminating intelligence on UNC2975's campaign within Mandiant Advantage, providing our customers with notable and dynamic updates regarding changes in tactics and techniques, the introduction of tools with new capabilities, and the new infrastructure UNC2975 has used to carry out its mission.
Mandiant tracks separate campaigns for each distribution method or actors delivering the Malware-as-a-Service backdoor DARKGATE. To differentiate between the initial malware distribution, DARKGATE infrastructure, and follow-on activity, Mandiant tracks each part of the intrusion as separate clusters until further overlaps are identified and warrant merging.
Mandiant tracks the DARKGATE Malware-as-a-Service infrastructure and associated payloads as UNC5085 while separately clustering the different distribution methods and any follow-on actors.
See our previous blog post for more insights into how Mandiant can help Gain Visibility Into Attacker Activity with Threat Campaigns.
Within the category of drive-by compromise, Mandiant has observed an increase from 2022 to 2023 in the number of investigations involving malicious advertisements in which the initial infection vector could be identified.
In this case, Mandiant Managed Defense, in partnership with Mandiant Intelligence and the Google Ads team, was able to protect users both at a granular host-based level and at a global scale across the Google ecosystem.
Mandiant's Managed Defense threat hunting team focuses on identifying behaviors associated with threat actors and endpoint compromises, especially those that don't typically generate product-based alerts.
The Detection Opportunities section of this blog post includes commands and artifacts that Mandiant discovered beyond the initial detection events; these were used to create additional signatures that identify future activity faster.
Appendix D: Mandiant Security Validation Actions
Organizations can validate their security controls using the following actions with Mandiant Security Validation.
Protected Theater - UNC5085, DARKGATE Installer, Execution, Variant #1.
Acknowledgements
The authors would like to thank all of the technical reviewers and blog contributors spanning multiple teams, including Managed Defense Threat Hunting, Advanced Analysis (AA), Advanced Practices, Mandiant Intelligence, Google Trust and Safety, Mandiant Communications Center, and trusted external partners.
Credit for the creation of new Mandiant Security Validation actions goes to Lexie Aytes and the Validation Research team.
This Cyber News was published on www.mandiant.com. Publication date: Fri, 15 Dec 2023 05:13:05 +0000