SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Transparent Tribe APT expands its Windows malware arsenal
Description: Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. While military and defense personnel continue to be the group's primary targets, Transparent Tribe is increasingly targeting diplomatic entities, defense contractors, research organizations and conference attendees, indicating that the group is expanding its targeting. Transparent Tribe uses a two-pronged approach for registering malicious domains: Fake domains masquerading as legitimate sites belonging to government, defense, or research entities, and malicious domains that resemble file-sharing websites.
Snort SIDs: 57551 - 57562
Title: Lemon Duck cryptocurrency miner targeting vulnerable Microsoft Exchange Servers
Description: Cisco Talos has recently observed updated infrastructure and new components associated with the Lemon Duck cryptocurrency mining botnet that target unpatched Microsoft Exchange Servers and attempt to download and execute payloads for Cobalt Strike DNS beacons. This activity reflects updated tactics, techniques and procedures (TTPs) associated with this threat actor. After several zero-day Microsoft Exchange Server vulnerabilities were made public on March 2, Cisco Talos and several other security researchers began observing various threat actors, including Lemon Duck, leveraging these vulnerabilities for initial exploitation before security patches were made available. Microsoft released a report on March 25 highlighting Lemon Duck's targeting of Exchange Servers to install cryptocurrency-mining malware and a malware loader that was used to deliver secondary malware payloads, such as information stealers. Talos also discovered that Lemon Duck actors have been generating fake domains on East Asian top-level domains (TLDs) to mask connections to their legitimate C2 domain since at least February 2020, highlighting another attempt to make their operations more effective.
Snort SIDs: 45549:4, 46237, 50795, 55926, 57469 – 57474
ClamAV signatures: Ps1.Trojan.Lemonduck-9856143, Ps1.Trojan.Lemonduck-9856144, Win.Trojan.CobaltStrike-7917400, Win.Trojan.CobaltStrike-8091534
Cisco Secure Endpoint Cloud IOCs: W32.LemonDuckCryptoMiner.ioc, Clam.Ps1.Dropper.LemonDuck-9775016-1, Win.Miner.LemonDuck.tii.Talos, Ps1.Dropper.LemonDuck, Clam.Js.Malware.LemonDuck-9775029-1