CyberWire Daily - Social engineering: MINEBRIDGE RAT embedded to look like job résumés. [Research Saturday]
Episode Date: April 17, 2021

Guest Deepen Desai joins Dave to talk about Zscaler's research "Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures." In January 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are often used as social engineering schemes by threat actors. MINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to take a wide array of remote follow-on actions such as spying on users or deploying additional malware. The use of social engineering tactics targeting security teams appears to be on an upward trend. The research can be found here: Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures
Transcript
You're listening to the CyberWire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers
and analysts tracking down threats and vulnerabilities, solving some of the hard
problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We came across these resumes, or resume decoys, which were embedded with commands to download the MineBridge Remote Access Trojan.
That's Deepen Desai.
He's CISO and VP of Security Research and Operations at Zscaler.
The research we're discussing today is titled
Return of the MineBridge RAT with New TTPs and Social Engineering Lures.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars
on firewalls and VPNs,
yet breaches continue to rise
by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface
with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network,
continuously verifying every request based on identity and context. Attackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
Now, we have been tracking this malware family
for the past couple of years.
And what was interesting in this case was,
you know, it was leveraging the resume theme, which was also related to a couple other campaigns
that we saw. And some of the TTPs, tactics, techniques, and procedures that the threat actor
used in this campaign matched what we saw early last year as well.
Well, let's dig into the research together here.
You start off with some threat attribution.
Who do you think is likely behind this?
So based on some of the techniques that we saw here,
we are attributing this with moderate confidence to TA505, which is a
financially motivated threat group that has been active since at least 2014.
Now, attribution is a difficult game because it's very easy to see overlap in infrastructures
across different threat actors as well.
But based on some of the things that we observed, we feel like it's TA505.
Well, let's walk through the attack flow together.
How does someone find themselves falling victim to this?
So if you look at the attack chain, it starts with a job resume document.
It's a macro document that will prompt the victim to enable content,
which is to run the macro.
If the victim falls for that, it will pop a PDF and show the actual,
I would say, decoy profile of someone who's trying to apply for the
job. But in the backend, what happens is the macro code will leverage Windows Finger.exe,
it's a legitimate program, to download malicious content from the attacker-controlled infrastructure.
Now, that file that gets downloaded as stage one payload is an SFX binary.
It's named, again, after a Windows program called certutil.exe, which is then responsible for dropping a package.
That is actually a legitimate TeamViewer installer package.
The only caveat over there is the package also includes a DLL,
which is this MineBridge RAT.
And the reason why the attacker chose to do this was they're leveraging a vulnerable version of TeamViewer application.
So the vulnerability in that older TeamViewer application was that it was prone to a DLL side-loading attack.
And using that vulnerability, the adversary is able to load
MineBridge DLL on the victim's machine.
And after that, it's all the CNC activity,
the attacker has full control of the system
and is able to download arbitrary files, steal information,
and even launch further attacks.
So it's interesting to me that there are several things going on here, several layers,
but also being able to take advantage of a known vulnerability in TeamViewer, there's a certain
degree of cleverness there, I suppose.
And additionally, I guess there's a chance that TeamViewer wouldn't draw undue attention to itself?
Yeah, this thing was patched by TeamViewer.
The newer version of TeamViewer already patches this vulnerability.
It's an old vulnerability, but yes,
this is a very clever tactic.
They're trying to bury using two to three different things
that we observed.
The first one was they were leveraging Windows operating system,
legitimate application names.
If you notice, there's a misspelled defender.exe as well
for one of the binaries that gets dropped.
CertUtil is another.
And then usage of legitimate programs like TeamViewer and Finger.exe
absolutely makes it difficult for some of the endpoint security software to flag this.
Now once it starts reaching out to the CNC controller, what's going on there?
What are you tracking from that part of things?
So once it has established persistence
on the victim machine,
I mean, there are a bunch of commands
that are embedded in this RAT.
I mean, the attacker is capable of running arbitrary commands,
downloading arbitrary payloads,
and installing them on the victim machine.
They're also able to monitor and kill
other processes that are running on the system. It could be a security software,
could be anything that the attacker doesn't want on the victim machine. Overall, they're trying to
monitor for information. This is where the motivation eventually is
to make profit out of the information
that they're able to collect.
Even having that network foothold
and selling it to another group
results in a lot of financial benefits
for the threat actor.
What about persistence? How do they go about trying to stay on a system?
Yeah, so that's, again,
the tactic that we talked about earlier, about
using Windows operating system file
names. So even for the persistence part, they actually create a
link file with the name
WindowsLogon.lnk, which is a link shortcut.
And it's created in the startup directory. This is basically what will result in
the executable file that the link file points to, which is the
MineBridge RAT, executing every time the system restarts.
One of the things you highlight in your research here is that
they've also implemented some sort of an alternative attack flow.
What's going on there?
The first one, which was a unique one that we expanded in the blog,
is where the MineBridge DLL was being loaded using the DLL side-loading
technique of TeamViewer. The alternate attack flow that we saw, which actually is supported
by the DLL as well, is you could actually run it using the regsvr32.exe. Basically, the adversary is able to register this as a service
on the victim machine and get the
MineBridge RAT installed in that manner as well.
What's your estimation of the
sophistication of the folks who are behind this?
I think some of the techniques that we saw,
in fact, the one that I'll specifically call out,
the attacker's use of legitimate Windows binary finger.exe
to download content from the server
was one of the very few ones.
In fact, I would call it the first instance
that we saw in the wild
where a threat actor was using finger.exe
in the attack chain.
They also were leveraging things like TeamViewer,
legitimate application,
and then sideloading technique
to get the MineBridge installed
was also pretty cool.
I would say it is a sophisticated attack.
We've listed all the TTPs on the blog for anyone
interested in finding out at each layer what was
the tactic that the adversary used in order to establish
persistence, in order to exfiltrate or to perform
CNC activity.
So what are your recommendations for folks to best protect themselves against this one?
Yeah, I mean, this theme was very similar to another campaign that
Google's security group also reported, where several security researchers were being targeted.
And a lot of the components of both of these campaigns still involve use of social engineering. So the inherent trust that we place in certain contacts.
One example that comes to my mind over here is, if you get reached out on LinkedIn by a person that is also connected to five other people that are on your contact list,
chances are you will accept that connection and then you will also communicate with that person if they reach out.
So they try to exploit the trust and that's the
starting point. Beyond that, the campaign that for example Google highlighted involved further
communication and dropping off similar resume files and profiles. In this case as well,
what you notice is the job resume files are being delivered to the victims
and the victims are again being prompted to run the macro code and start the infection cycle.
So being vigilant towards any of these files that are coming from external sources,
not running arbitrary files on your system,
especially do not enable content, do not run the macro. That is never going to lead to any kind of secret message
being decrypted for you.
It will always lead to bad stuff on the computer.
Right, right. Words to live by, right?
Yeah.
You know, I think it's interesting that just sort of tracking
TA505, as you
and your colleagues have been doing here,
that they've been around
since at least 2014. I mean, that's
a, you know, they've been around a while
and the fact that they're
evolving, that they're changing their tactics
but still in the game.
I think there's something noteworthy about that as well.
Yep, absolutely.
And overall, if you look at the threat landscape evolution,
if you look at things like ransomware,
if you look at some of the other InfoStealer campaigns as well,
the adversaries are moving away from, you know,
what I would call a spray-and-pray kind of approach,
like a shotgun approach.
It's more targeted, more tactical.
And the volume of emails or activity is considerably lower
in each of these campaigns that we see.
Our thanks to Deepen Desai from Zscaler for joining us.
The research is titled Return of the MineBridge RAT with New TTPs and Social Engineering Lures.
We'll have a link in the show
notes. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity
solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you
total control, stopping unauthorized applications, securing sensitive data, and ensuring your
organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default
deny approach can keep your company safe and compliant.
Thanks for listening.