Pony

CVE-2015-0311 has been first seen exploited by Angler EK ... soon after used in "standalone" mode in huge malvert campaign ... Top adult site xHamster involved in large malvertising campaign

The gang used well-crafted emails impersonating legitimate companies to conduct mass email phishing campaigns and distribute popular malware strains. They made their emails look like purchasing orders, product inquiries, and COVID-19 aid schemes.

The content repeatedly describes threat actors and malware being delivered through phishing or spearphishing emails containing malicious attachments such as Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA, LNK, and executable files disguised as documents.

Multiple actors and malware families are described as being delivered via spearphishing/phishing emails containing malicious links (e.g., APT28 used URL shorteners to redirect to credential harvesting sites; APT29 used links to ZIP files; APT33 used links to .hta files; BlackTech used links to cloud services; Wizard Spider used links to Google Drive/free file hosting). | APT29 used links to ZIP files containing malicious files; APT33 used links to .hta files; Leviathan used lookalike domains and stolen branding; Machete used links to external servers with ZIP/RAR archives; LazyScripter used links that redirect to download a malicious document; FIN8 used links to malicious documents with embedded macros.

APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.

CVE-2015-0311 has been first seen exploited by Angler EK ... soon after used in "standalone" mode in huge malvert campaign ... CVE-2015-0311 has been integrated today in RIG ... Fiesta successfully exploit Windows XP IE8 Flash 16.0.0.257 using CVE-2015-0311 ... Nuclear Pack successfully exploit ... using CVE-2015-0311 ... Sweet Orange firing exploit for CVE-2015-0311 ... Neutrino firing his bundle of Sploit ... Magnitude - CVE-2015-0311 exploited successfully

The content repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files/links, or otherwise directly executing malicious content.

Examples include: "Sandworm Team leveraged Microsoft Office attachments which contained malicious macros..."; "Bumblebee has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs"; "Lumma Stealer has gained initial execution through victims opening malicious executable files embedded in zip archives, and MSI files within RAR files."

To keep them under the antivirus radar, Nigerian actors techniques use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.

"Bumblebee has been delivered as password-protected zipped ISO files" / "Flagpro has been delivered within ZIP or RAR password-protected archived files." / "TA505 has password-protected malicious Word documents."

Anchor has used cmd.exe to run its self deletion routine. Gelsemium can use a batch script to delete itself. Pony has used batch scripts to delete itself after execution. Lazarus Group used a batch file mechanism to delete its binaries from the system.

The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).

Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks... The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

“actors used the following commands… to enumerate user accounts: net user >> %temp%\download; net user /domain >> %temp%\download … APT1 used the commands net localgroup, net user, and net group to find accounts… APT32 enumerated administrative users using the commands net localgroup administrators … OilRig has run net user, net user /domain, net group "domain admins" /domain …”

Examples include "Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found," "DropBook has checked for the presence of Arabic language," and "Maze has checked the language of the infected system using the GetUSerDefaultUILanguage function."

The info stealers most popular with SilverTerrier last year were LokiBot (446 unique samples/month), Pony (330 unique samples/month), and Agent Tesla .NET keylogger (95 unique samples/month).

Once deployed, the malware communicated with the attackers’ command-and-control (C&C) servers using common protocols like SMTP, FTP, and HTTP.

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

Examples include 'BeaverTail ... HTTP POST to exfiltrate data to C2 infrastructure,' 'SolarWinds Compromise ... APT29 used HTTP for C2 and data exfiltration,' and 'StealBit can use HTTP to exfiltrate files to actor-controlled infrastructure.'

The stolen credentials were then sent to predefined email addresses controlled by the attackers, enabling unauthorized access to victims’ accounts and systems.

Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.