FortiGuard Threat and Incident Notifications
Boots-on-the-ground insight into real-world cyber campaigns
News on Trending Threats and Incidents
While high-profile cyber campaigns periodically capture global attention and news cycles, there is a steady stream of trending threats and incidents that impact individual organizations on a daily basis.
These are situations routinely encountered by our FortiGuard Responder Services team, which enables organizations to conduct 24x7 continuous cyber threat monitoring, analysis, and alert triage, as well as incident response and forensic investigation. Here we provide insight into recent threat actor tactics and corresponding techniques from our seasoned experts, as well as through the lens of our powerful FortiEDR endpoint detection and response investigation tool.
There are two types of resources:
FortiGuard Responder Knowledge Base (KB) Articles
Quick analysis of trending threats and/or zero-day campaigns. KB articles contain:
- Threat description
- Insight into tactics and techniques, as identified by FortiEDR
- Specific threat hunting queries to use to search your environment
- Mapping to MITRE ATT&CK TTPs
FortiGuard Responder Incident Analysis (IA)
Deeper analysis on incidents observed in live production environments. The IA contains:
- Affected platforms, threat type, impacted users, impact, severity
- Threat overview with Cyber Kill Chain analysis
- In-depth analysis of threat tactics and techniques
- Specific threat-hunting queries
- MITRE ATT&CK TTPs observed along with available mitigations and Fortinet Security Fabric controls
Latest FortiGuard Responder Notifications
Analyzing Sality
Affected Platforms: Machines running Windows operating system
Threat Type: Dropper/Botnet
Impacted Users: Windows Users
Impact: Follow-up Activity
Severity: Low
Sality is a malware family that has been around for nearly 20 years but continues to be identified in customer environments. This article provides details on some recent infections detected and analyzed by the FortiGuard Managed Detection and Response (MDR) team and highlights key characteristics of the Sality malware's behavior. The article identifies how these characteristics can be used to build simple detections and how behavior can be mitigated.
Play Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Play ransomware is a new ransomware family and group that originated in mid-2022. The group has targeted various business verticals across the globe, typically targeting organizations that have failed to adequately patch vulnerable external-facing services. This article highlights FortiEDR's ability to detect and mitigate behavior associated with this ransomware and how these behaviors map to the MITRE ATT&CK framework.
Mimic Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Mimic is a new ransomware family first reported in June 2022. Mimic employs the third-party tool 'Everything' to support rapid indexing of a filesystem prior to encryption. Mimic ransomware also heavily employs other third-party tools to prepare an endpoint for encryption. This article analyzes the unique behavior of Mimic ransomware and provides details on how FortiEDR effectively detects and mitigates these behaviors.
Gootloader Malware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Loader
Gootloader is a multistage malware loader. Recent Gootloader campaigns have incorporated SEO poisoning to boost traffic to fake forum posts with information on generic investment topics that leads to a victim downloading and executing trojanized JavaScript libraries. This article outlines the typical Gootloader infection process and how FortiEDR can be used to detect and mitigate such an intrusion effectively.
Redline Stealer
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Stealer
Redline is a stealer malware family that has been increasingly popular since at least 2013. Like Agent Tesla and Racoon Stealer, access to Redline can be purchased through underground forums and allows a threat actor to steal information from a compromised endpoint. The tool has been employed by a variety of threat actors, including financially motivated groups and APTs, who have readily incorporated it into their intrusion playbooks. This article outlines how FortiEDR protects against Redline installation and C2, preventing subsequent stealer activity.
Redigo Backdoor
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Backdoor
A new Go-based backdoor named 'Redigo', discovered in early December 2022, has recently been employed as part of a campaign targeting vulnerable Redis servers. The campaign exploits a known vulnerability (CVE-2022-0543) to load a malicious Lua library that downloads and executes Redigo. This article provides information on how FortiEDR detects and mitigates the risk of a Redigo infection and how to identify known indicators of this campaign through FortiEDR Threat Hunting data.
Cuba Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Cuba ransomware is a ransomware family first discovered in 2020. The ransomware family is associated with numerous groups, including UNC2596 and Tropical Scorpius. Pre-ransomware TTPs vary greatly in intrusions associated with Cuba ransomware which can indicate deployment by multiple affiliates. This article outlines what behavior is detected and blocked by FortiEDR when this ransomware is executed as part of an attack to help your SOC team to triage associated events rapidly.
Prestige Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Prestige is a new ransomware family observed being employed in attacks against Ukrainian and Polish organizations starting on 11 Oct 2022. This article outlines how FortiEDR effectively detects and mitigates Prestige behavior and what events to look for in the event of an infection. Also included in this article are threat hunting queries that can be used to add additional detections through FortiEDR.
Zeppelin Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Zeppelin ransomware is a ransomware family operated through the Ransomware-as-a-Service (RaaS) model. The ransomware service has operated since at least 2019 under various names; previous iterations of the ransomware family include VegaLocker, Storm, and Buran. This article highlights FortiEDR's ability to detect and mitigate behavior associated with this ransomware and how these behaviors map to the MITRE ATT&CK framework.

Raspberry Robin
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: USB Worm
Raspberry Robin refers to a worm that is transferred to victims via compromised USB devices. On execution, the worm attempts to connect to remote C2 servers, which are typically external QNAP devices, to download and execute a malicious MSI payload through msiexec proxy execution. Once this malicious installer executes, the compromised endpoint attempts to connect to Tor exit nodes. This article outlines the associated infection chain and detection opportunities based on Raspberry Robin infections observed by the FortiGuard team.

IcedID
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Banking Trojan
IcedID is a modular banking trojan that has been a consistent feature of the threat landscape since 2017. Typically deployed following initial compromise through phishing, IcedID can be used to dump banking credentials and other financial information from compromised endpoints. This article outlines the infection chain associated with a recently observed campaign and demonstrates how FortiEDR provides protection from infection and subsequent post-exploitation activity.

Racoon Stealer v2
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Stealer
Racoon Stealer v2 is the most recent iteration of the Racoon Stealer information stealer. Racoon Stealer operators use the Malware-as-a-service (MaaS) model and sell access to their tool through the dark web. The tool has extensive features that allow it to steal files, passwords and crypto information from infected endpoints. This article examines a recent Racoon Stealer v2 sample to demonstrate how FortiEDR detects and mitigates its operation.

Agent Tesla Stealer
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Stealer
Agent Tesla is an information stealer sold as a software as a service offering. Agent Tesla has in-built functionality that allows operators to build custom payloads to be deployed through phishing campaigns. This article takes a look at one such campaign from late July detected and mitigated by the FortiGuard Responder team, and highlights how FortiEDR protects against this threat.

PurpleFox Rootkit
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Rootkit
PurpleFox is a family of malware most commonly known for its rootkit capabilities. PurpleFox was first identified in 2018 and has continued to be employed as part of global phishing campaigns since. This article examines how FortiEDR detects and mitigates various stages of the rootkit's installation and operation and looks at how Threat Hunting can be used to identify some key behaviors exhibited by the analyzed sample.

Microsoft Diagnostic Tool 'Dogwalk' Vulnerability
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: RCE Vulnerability
Dogwalk is the name given to CVE-2022-30190, a remote code execution (RCE) vulnerability in the Microsoft Diagnostic Tool. Whilst this is a vulnerability in the same Microsoft tool as the 'Follina' vulnerability identified earlier in the year, the two are not directly related. This vulnerability was first disclosed in January 2020 but was not acknowledged by Microsoft as a vulnerability until August 2022. This short article explains the attack chain associated with exploitation of this vulnerability and how FortiEDR provides detection and mitigation for the related post-exploitation activity.

Analyzing MSSQL Intrusion: AutoIt Obfuscation and Injected Remcos
Affected Platforms: Machines running Windows operating system
Threat Type: Remote Access
Impacted Users: Windows Users
Impact: Remote Access/Follow-up activity
Severity: Medium
This article analyses post-exploitation activity on an MSSQL server that was a victim of a number of brute-force attacks. The post-exploitation activity involves a unique process chain that employs the AutoIt scripting interpreter and a heavily obfuscated AutoIt script to execute a Remcos executable within a hollowed process. This article includes FortiEDR Threat Hunting queries, MITRE ATT&CK mappings and IOCs to support threat hunting activities.

Mindware Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Mindware is a new ransomware group that emerged in the last quarter of 2021. The group employs its own ransomware, which appears to have similarities with SFile2. The group targets organisations from various industries across the globe with double extortion through stolen data and ransomware-enabled data encryption. This article analyzes some features of the ransomware employed by the group and highlights how FortiEDR detects and mitigates this threat.

CrimsonRAT Remote Access Tool
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Access Tool
CrimsonRAT is a Remote Access Trojan (RAT) which targets Windows endpoints and has been employed by threat actors to access infected endpoints to capture screenshots, steal credentials and gather information. CrimsonRAT is also known as SEEDOOR and Scarimson. CrimsonRAT campaigns (June 2021) targeting Indian government networks have been attributed to the threat actor group Transparent Tribe, a suspected Pakistan affiliated actor. This article takes a deeper dive into behavior exhibited by this RAT and how FortiEDR can be used to detect and mitigate its deployment and operation.

Confluence Vulnerability (CVE-2022-26134)
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: RCE Vulnerability
On 02 June 2022 Atlassian released an advisory for a critical OGNL injection vulnerability in their Confluence product that allows for Remote Code Execution (RCE). This vulnerability is currently being used by numerous threat actors as an alternative initial access method and is rapidly being substituted into existing campaigns. FortiEDR provides protection from all currently tracked post-exploitation TTPs related to this CVE. This article walks through what this post-exploitation activity looks like and how FortiEDR keeps endpoints protected.

Microsoft Diagnostic Tool 'Follina' Vulnerability (CVE-2022-30190)
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: RCE Vulnerability
The 'Follina' vulnerability (CVE-2022-30190), an RCE vulnerability in the Microsoft Office protocol and the Microsoft Diagnostic Tool, was flagged by Microsoft on 30 May 2022. This RCE vulnerability is currently being employed by numerous threat actors as a replacement for macro-based execution in malicious phishing attachments and remains unpatched. This article provides some context on the vulnerability and demonstrates how FortiEDR provides behavior-based protection from this vulnerability OOTB.

MicroBackdoor Remote Access Tool
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Access Tool
MicroBackdoor is an open-source C2 tool (backdoor) that has been employed by a Belarusian attributed actor targeting victims in Ukraine. This article describes the associated attack chain as well as a more technical dive into the various layers of VBScript that lead to the execution of the MicroBackdoor payload, and demonstrates how FortiEDR offers protection from this tool.

Analyzing Emotet Activity
Affected Platforms: Machines running Windows operating system
Threat Type: Trojan/Malware Loader
Impacted Users: Windows Users
Impact: Data exfiltration/Follow-up activity
Severity: Critical
Emotet is a trojan typically employed as a first-stage loader for secondary C2. In this article we will dive into Emotet's activities observed in the wild, mapping IOCs and TTPs to the cyber kill chain and the MITRE ATT&CK framework, as well as taking a deeper dive into an Emotet sample from a recent campaign to understand how some of its code features exhibit themselves in endpoint behaviour.

AvosLocker Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
AvosLocker is a new ransomware and extortion gang appearing on the ransomware scene in late 2021. AvosLocker has been known to target organizations responsible for managing critical infrastructure. This article demonstrates how FortiEDR can detect and mitigate the execution of AvosLocker ransomware out of the box.

BlackCat (ALPHV) Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
BlackCat (aka ALPHV, AlphaVM) is a newly established RaaS (Ransomware as a Service) with payloads written in Rust. Due to the use of Rust, BlackCat ransomware is cross-platform and achieves faster encryption speed than some other Ransomware. This article will analyze FortiEDR detections and mitigation coverage for this ransomware variant and its post-execution behavior.

HermeticWiper (KillDisk)
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Wiper
On 23 Feb 2022 numerous organizations within Ukraine were targeted with attacks employing 'KillDisk' or 'HermeticWiper' malware. Once executed, this malware corrupts the master boot record (MBR) of the target endpoint, rendering it unusable. This article highlights how FortiEDR detects and blocks the wiper activity performed by this malware.

Spook Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Spook ransomware is the Prometheus ransomware variant currently employed by the Spook ransomware group. The group began operating in late Sep 2021 and has performed a number of large scale compromises across the globe. In this article, we will take a look into the ransomware’s behaviour and see how FortiEDR protects against it.

TTP Analysis: MSBuild Proxy Execution
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Defense Evasion Technique
The FortiGuard Responder team has observed attempts to employ a proxy execution technique that uses Microsoft MSBuild to deploy Cobalt Strike beacons throughout customer environments. This article will demonstrate how FortiEDR protects against the use of this proxy execution technique and will analyze a sample observed in the wild.

Analyzing MirrorBlast Proxy Execution Techniques
Affected Platforms: Machines running Windows operating system
Threat Type: Data Exfiltration
Impacted Users: Windows Users
Impact: Credential dumping, data exfiltration
Severity: Critical
MirrorBlast is a malware loader family typically deployed through phishing campaigns. MirrorBlast employs a number of unique proxy execution techniques that take advantage of both the KiXtart and Rebol scripting languages. This article includes technical analysis and IOCs related to samples collected from a spike in C2 traffic in early 2022.

CetaRAT Remote Access Tool
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Access Tool
CetaRAT is a Remote Access Trojan (RAT) that has seen a recent spike in activity targeting Indian government agencies. Recently observed CetaRAT activity indicates it has been used to exfiltrate sensitive information from infected systems. This article will demonstrate how FortiEDR detects and blocks this malware.

Analyzing Qakbot Banking Trojan Activity
Affected Platforms: Machines running Windows operating system
Threat Type: Data Exfiltration
Impacted Users: Windows Users
Impact: Credential dumping, data exfiltration, pathway to ransomware
Severity: Critical
Qakbot, also known as Qbot, PinkslipBot, or QuackBot, has been active for more than a decade. Its modular approach to employing defensive evasion techniques makes it very resilient to detection by traditional security products. A mixture of different code injection techniques adds to the complexity of its analysis. This article includes technical analysis and IOCs related to a recent sample.

Mitigating Log4shell Post Exploitation Activity KB
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Code Execution
A critical remote code execution vulnerability in Apache Log4j is actively being exploited in the wild. The vulnerability is due to insufficient input validation and sanitization, which allows any user input that gets logged to lead to remote code execution.

Netlogon Vulnerability (ZeroLogon) - CVE-2020-1472
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Local Privilege Escalation
ZeroLogon is the name given to CVE-2020-1472, a critical elevation of privilege vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC). ZeroLogon is actively being exploited in the wild for credential access and remote code execution on Windows Domain Controllers and has become a key part of many adversaries' intrusions.

Windows Installer Vulnerability - CVE-2021-41379
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Local Privilege Escalation
This is a vulnerability in Windows Installer that allows for Local Privilege Escalation (LPE) on vulnerable endpoints, giving an adversary the ability to execute code as SYSTEM. Microsoft's initial attempts at patching the vulnerability were ineffective, and PoC code that is still effective on fully patched systems is readily available.

New ProxyShell Post Exploitation Activity
Affected Platforms: Windows Endpoints, Vulnerable Microsoft Exchange Servers
Threat Type: Cryptomining
Impacted Users: Windows users
Impact: Cryptocurrency mining by taking advantage of the compromised system resources
Severity: Medium
The ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) have been aggressively targeted across the globe since late August 2021, with vulnerable servers often being compromised by multiple actors simultaneously. This article takes a deep dive into some unique TTPs employed by one of these actors as part of an investigated incident.

Mitigating Unknown .NET Malware KB
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Cryptojacking
The use of .NET malware by adversaries continues to grow, and with it the need to be able to detect, analyse and mitigate behaviour associated with such threats. This article examines a new set of .NET malware variants observed in the wild by the FortiGuard Responder team, used for lateral movement and persistence as a precursor to the deployment of cryptomining software.

Hive Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
A new threat group named Hive, which deploys a ransomware variant of the same name, has begun to ramp up operations around the globe. Notable recent intrusions in North America have propelled this group into the sights of the cybersecurity community.

MSHTML Vulnerability – CVE-2021-40444
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Remote Code Execution
Microsoft has released a patch, mitigations, and workarounds to address a remote code execution vulnerability (CVE-2021-40444) in MSHTML that affects Microsoft Windows. Exploitation of this vulnerability allows a remote attacker to take control of an affected system by using specially-crafted Microsoft Office documents. This vulnerability has been detected in exploits in the wild.

LockBit Ransomware
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
LockBit 2.0 is a new LockBit variant that operates as Ransomware-as-a-Service (RaaS). This LockBit variant has an enhanced propagation component, which has never been seen in this ransomware before, and will automatically distribute itself throughout a domain.

Conti Ransomware (3rd Version)
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
Conti ransomware has been around since May 2020 and continues to affect a large number of companies. The FBI has linked the Conti ransomware attacks to a Russian persistent threat actor known as Wizard Spider. Conti distributes itself using BazarLoader and employs a multithreading approach to encrypt all of the files quickly. Conti is available in three different versions.

HiveNightMare (aka SeriousSam) Vulnerability KB
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Privilege Escalation
HiveNightmare aka #SeriousSAM is a vulnerability (CVE-2021-36934) in Windows 10 and above (including Windows 11) that can be easily exploited by local non-admin users to gain admin privileges.

GuardMiner Cryptocurrency Miner Operation Disclosed
Affected Platforms: Systems running Windows operating system
Threat Type: Banking Trojan, information stealer
Impacted Parties: Windows users
Impact: Credential theft, data exfiltration
Severity Level: Critical
The FortiGuard Responder team analyzed patterns in post-exploitation activity associated with MS SQL compromises within FortiEDR platforms. The campaign the MDR team observed is related to GuardMiner.

PrintNightmare Vulnerability CVE-2021-34527 KB
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Privilege Escalation
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert following the disclosure of a proof of concept (PoC) exploit for a zero-day vulnerability in the Windows Print Spooler service. This critical vulnerability has been dubbed PrintNightmare and is assigned CVE-2021-34527.

Juicy Potato Hacking Tool Discovered on Compromised Web Servers
Affected Platforms: Systems running Windows operating system
Threat Type: Local privilege escalation
Impacted Parties: Windows users
Impact: Allows an attacker to gain system-level privileges to run any arbitrary commands
Severity Level: Critical
JuicyPotato (also known as SharpPotato and SweetPotato) is a weaponized version of RottenPotatoNG, a Windows privilege-escalation hacking tool.

Kaseya VSA Attack
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Supply chain attack with escalated privileges
CISA released guidance earlier this weekend that identifies a suspected supply-chain attack on the Kaseya VSA application. Kaseya VSA is a commercial tool used for remote management and administration of a network.

New Post-infection Activity of Lemon Duck Botnet Discovered
Affected Platforms: Systems running Windows operating system
Threat Type: Cryptocurrency mining botnet
Impacted Parties: Windows and Linux users
Impact: Data exfiltration to attacker-operated command and control servers, cryptocurrency mining by taking advantage of the compromised system resources
Severity Level: Critical
Lemon Duck is a modular crypto-mining botnet with worm-like spreading capability. This botnet has been active since December 2018, targeting victims across the globe, including North America, South America, Africa, Europe, and Southeast Asia.

IcedID (a.k.a BokBot) Infections On The Rise
Affected Platforms: Systems running Windows operating system
Threat Type: Banking Trojan, information stealer
Impacted Parties: Windows users
Impact: Credential theft, data exfiltration
Severity Level: Critical
IcedID (also known as BokBot) is a banking Trojan that gets distributed through phishing email campaigns. This banking Trojan targets victims to steal financial information, including payment card details, login credentials, and banking information.

Revil Ransomware (aka Sodinokibi)
Product Detecting and Blocking: FortiEDR v4.x, 5.x
Threat Type: Ransomware
The Revil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi, surfaced shortly before GandCrab's authors supposedly retired and quickly became one of the biggest ransomware threats.