Blue Team News (BTN) Weekly is a digest of news, articles, intelligence and reports on the latest threats and industry trends that are most relevant to information security defenders, aka the Blue Team. Get links to the most relevant information out there along with an analysis by an actual Blue Team.
BTN is sent every Sunday straight to your inbox, and is also available at roguesecurity.ca.
Hackers abuse Google Command and Control red team tool in attacks - Bleeping Computer
An open source red teaming tool has been seen in use by APT41, a Chinese state-sponsored hacking group known to target industries in the USA, Asia and Europe.
Google Command and Control (GC2) is written in Go and utilises Google domains and services (Google Sheets and Google Drive) to manage command and control (C2) commands and data exfiltration.
Once connected, GC2 is used to deploy a wide variety of malware and tools on the compromised system to further actions on objectives.
This is another example of threat actors embracing red teaming tools other than Cobalt Strike (e.g. Brute Ratel and Sliver), making it harder for the Blue Team to defend.
Who Else Is Talking About It?
- APT41 Taps Google Red-Teaming Tool in Targeted Info-Stealing Attacks – Dark Reading
- Google Uncovers APT41’s Use of Open Source GC2 Tool to Target Media and Job Sites – The Hacker News
- China-linked APT41 group spotted using open-source red teaming tool GC2 – Cyware
- China-linked APT41 group used the open-source red teaming tool GC2 in an attack against a Taiwanese media organization – Security Affairs
Threat Actors Rapidly Adopt Web3 IPFS Technology - Unit42
InterPlanetary File System (IPFS) is a “Web3” technology that decentralises the storage of data across a peer-to-peer network.
Threat actors are taking advantage of this decentralisation to make it much harder to remove malicious content such as hosted malware and phishing websites.
IPFS content can, however, be requested via simple HTTP requests, which makes those requests easier to find in DNS logs.
Unit42 researchers have identified the following malware families being pushed via this method:
- OriginLogger
- XLoader
- XMRig
- Metasploit
- IPStorm
- Dark Utilities
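The point above about IPFS fetches being visible in DNS logs is the defender's opening. The following Python script is an added example (not from the Unit42 report or this digest) of how a Blue Team could sweep DNS query logs for two indicators: lookups of public IPFS HTTP gateways, and subdomain labels shaped like an IPFS content identifier (CID), which gateways use for subdomain-style access. The log format (timestamp, client IP, queried name), the gateway list, and the sample lines are all assumptions constructed for the example; the CID regexes follow the published CIDv0 (base58, `Qm...`) and CIDv1 base32 (`baf...`) encodings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample DNS log lines. Assumed format: "<timestamp> <client-ip> <queried-name>".
# The CID-shaped label below is a sample value, not an indicator from the article.
SAMPLE_DNS_LOG = """\
2023-04-23T10:00:01Z 10.0.0.12 www.example.com
2023-04-23T10:00:05Z 10.0.0.12 ipfs.io
2023-04-23T10:00:09Z 10.0.0.33 bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link
2023-04-23T10:00:12Z 10.0.0.33 mail.example.com
2023-04-23T10:00:20Z 10.0.0.45 cloudflare-ipfs.com
"""

# Assumed watch-list of public IPFS HTTP gateways; extend it from your own threat intel.
KNOWN_GATEWAYS = {"ipfs.io", "dweb.link", "cloudflare-ipfs.com", "gateway.pinata.cloud"}

# CIDv0: "Qm" followed by 44 base58 characters (46 characters in total).
CIDV0_RE = re.compile(r"Qm[1-9A-HJ-NP-Za-km-z]{44}")
# CIDv1 in base32 (the form used in gateway subdomains): "b" prefix, typically "baf...".
CIDV1_RE = re.compile(r"baf[a-z2-7]{55,}")


@dataclass
class Hit:
    timestamp: str
    client: str
    qname: str
    reason: str


def classify_qname(qname: str) -> Optional[str]:
    """Return a reason string if the queried name looks IPFS-related, else None."""
    name = qname.strip().rstrip(".")
    labels = name.split(".")
    # Match the name itself or any parent domain against the gateway list,
    # so "<cid>.ipfs.dweb.link" is caught by "dweb.link".
    for i in range(len(labels)):
        parent = ".".join(labels[i:]).lower()
        if parent in KNOWN_GATEWAYS:
            return f"known IPFS gateway {parent}"
    # Otherwise look for a CID-shaped label, which flags gateways not on the list.
    for label in labels:
        if CIDV0_RE.fullmatch(label) or CIDV1_RE.fullmatch(label.lower()):
            return "CID-shaped subdomain label"
    return None


def scan_dns_log(text: str) -> List[Hit]:
    """Scan log text line by line and collect IPFS-related queries."""
    hits: List[Hit] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the sweep
        timestamp, client, qname = parts
        reason = classify_qname(qname)
        if reason is not None:
            hits.append(Hit(timestamp, client, qname, reason))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit.timestamp} {hit.client} {hit.qname} -> {hit.reason}")
```

Gateway matches are high-confidence but only cover the list you maintain; the CID-shaped check is broader and will also catch self-hosted or lesser-known gateways, at the cost of the occasional long random-looking label that needs a human look. Pair either hit with the requesting client and the process that made the request (from EDR or proxy logs) before treating it as an incident.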
Who Else Is Talking About It?
'AuKill' Malware Hunts & Kills EDR Processes - Dark Reading
AuKill is a custom tool being used by threat actors to bypass endpoint detection and response (EDR) tooling using a Bring Your Own Vulnerable Driver (BYOVD) model.
AuKill takes advantage of a legitimate, but outdated and exploitable, version of a driver used by Microsoft Process Explorer 16.32.
The tool also allows a threat actor to obtain detailed information on running processes, executables, and performance metrics among other details.
Who Else Is Talking About It?
EvilExtractor – All-in-One Stealer - FortiGuard Labs
First seen in October 2022, EvilExtractor is an information stealer and remote access tool that has been observed being used as a malicious tool to infiltrate target hosts via phishing campaigns.
EvilExtractor features various mechanisms to prevent it from being detected including UAC Bypass, Windows Defender Bypass, and an Anti-VM/Anti-VirusTotal feature.
Once executed, EvilExtractor uses both Python and PowerShell packages that perform various anti-host checks, as well as load additional capabilities.