LuminousMoth, Tnega Malware, Advanced IP Scanner, RDP Abuse, and SolarMarker

The Blackpoint Active SOC’s Week in Review for July 12, 2024

Between July 03 – 10, 2024, Blackpoint’s Security Operations Center (SOC) responded to 98 total incidents. These incidents included 15 on-premises MDR incidents, 3 Cloud Response for Google Workspace, and 80 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.

Return to Top

Tnega Malware Incident with Professional & Commercial Services Partner on July 4, 2024

Topline Takeaways

  • Industry target: Professional & Commercial Services
  • Attacker information:
    • Tnega Malware
    • LuminousMoth
    • Removable Media (USB)
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Tnega malware to exploit other Professional & Commercial Services organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Heuristics-based activity monitoring and remediation
    • Employee security training
    • Least-privilege access controls
    • Network segmentation for common ports
    • Removeable media access controls

Tnega Malware Incident Timeline for 2024-07-04

  • Blackpoint’s MDR+R technology alerted to a Tnega malware detection on a Professional & Commercial Services partner’s host.
  • Further investigation by the Active SOC identified a malicious .dll file associated with the cybercriminal group LuminousMoth.
  • The Active SOC team isolated the host to prevent any further malicious activity before reaching out to the Professional & Commercial Services partner with additional remediation advice and information.
  • Post-incident of the infected host found a suspicious USB device installed on the same day the alert occurred.

More About Luminous Moth and Tnega Malware

Click for details

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020 (1).

Linked to the China-based Mustang Panda threat group based on network infrastructure connections and the use of similar TTPs, the LuminousMoth threat group has conducted large-scale attacks that affect a wide range of targets. Their apparent goal is successfully targeting and infiltrating the few that are of strategic interest to the Chinese government. (2).

LuminousMoth is also known for their use of suspicious and malicious USB drives to spread through a network and deliver malware (2), as this specific incident illustrates.

As for Tnega malware, it’s a generic malware detection for dropper malware that is often used to deliver other malware payloads (3). Tnega is used by both LuminousMoth, Mustang Panda, and other threat groups.

APG Threat Assessment for LuminousMoth in 2024

Click for details

Blackpoint’s APG assesses that the LuminousMoth threat groups will likely remain active over the next 12 months.

Our assessment is based on internal Blackpoint observed attacks and external incident reports that detail LuminousMoth activity.

In a strikingly similar report to this specific incident, Bitdefender security researchers reported on a 2021 LuminousMoth campaign that targeted victims from Myanmar and Thailand for espionage and intelligence gathering purposes. The group reportedly delivered malicious .exe binaries masquerading as COVID-19-related documents to deliver PlugX malware and other tools used for data exfiltration (3).

Recommended LuminousMoth and Tnega Malware Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate social engineering attacks and other malicious activities conducted by LuminousMoth and other APT groups.

  • Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software being installed or used in suspicious or abnormal methods and identify behaviors consistent with APT activity.
  • Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority, as well as process and policies around removable media such as USB drives.
  • Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conduct certain activities.
  • Use network segmentation to ensure critical systems are isolated from less secure areas and prevent unauthorized communication restrictions between segments.
  • Employ access controls that restrict end users’ removable memory access, to reduce the opportunity for malicious USB drives or other media to execute their payloads.

Return to Top

Advanced IP Scanner Incident with Industrials Partner on July 7, 2024

Topline Takeaways

  • Industry target: Industrials
  • Attacker information:
    • RDP abuse
    • Advanced IP Scanner
    • Brute force attempts
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use Advanced IP Scanner to exploit other Industrials organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Multifactor authentication (MFA)
    • Application allowlisting and blocklisting
    • Heuristics-based activity monitoring and remediation
    • Dedicated software center

Advanced IP Scanner Incident Timeline for 2024-07-07

  • Blackpoint’s MDR+R technology alerted to a public admin RDP session under a Industrials partner’s user account to a server.
  • Shortly after the RDP event, Active SOC analysts observed the user account enumerating domain trusts and domain admins, as well as checking current active sessions using quser.exe.
    • The user account was then observed using Advanced IP Scanner in an unusual folder to map out the network.
    • Additionally, an event for the affected user account attempted to authenticate to a server from a malicious Russian IP address, 83.97.73[.]188.
  • The Active SOC team isolated the user account to prevent any additional malicious activity, then contacted the Industrials partner with incident details and more remediation advice.

More About Advanced IP Scanner and RDP Abuse

Click for details

Advanced IP Scanner

As we discussed in last week’s incident summary about a threat actor’s attempt to exploit a Technology partner using Advanced IP Scanner and FortiClient, Advanced IP Scanner
Advanced IP Scanner is a free network scanner used to analyze local area networks (LANs) (4) to:

  • Show all network devices;
  • Access shared folders;
  • Remotely control and switch off computers.

Advanced IP Scanner is frequently abused by threat groups, including both APT and cybercriminals, for reconnaissance and discovery activities. It is likely used so frequently due to its versatility as an installer with additional capabilities, as well as its portable version (5).

RDP

Remote desktop protocol (RDP) is a protocol that allows users to use a desktop remotely. Threat actors can use RDP to move laterally through compromised networks. RDP is often used for two purposes:

  1. Remote Desktop Access: Users can remotely access their physical desktop computer from another device.
  2. Remote Administration: Users can perform remote administrative work by accessing the device.

Threat actors target RDP through a variety of methods (6):

  • Hijacking RDP sessions;
  • Using accessibility features, such as Sticky Keys;
  • Brute force attacks;
  • Malware specifically designed to target RDP; and
  • Protocol tunneling.

APG Threat Analysis of Advanced Scanner IP and RDP Abuse for 2024

Click for details

Blackpoint’s APG assesses that threat actors will likely continue to deploy and abuse Advanced IP Scanner and RDP over the next 12 months.

This assessment is based on internal Blackpoint observed attacks, as well as extensive external reporting related to the use of Advanced IP Scanner tool and RDP during reported cyberattacks.

Specifically, Blackpoint’s APG has tracked at least 13 ransomware operations that have used the Advanced IP Scanner tool and 30 ransomware operations that have used RDP for various activities during reported cyberattacks.

Prominent threat groups that have used both Advanced IP Scanner and RDP include:

  • Akira,
  • INC Ransom,
  • Phobos,
  • BianLian, and
  • LockBit.

Blackpoint’s Active SOC team has frequently combatted RDP abuse in particular, including attacks against:

Outside of Blackpoint managed environments, other security researchers have detailed widespread abuse of RDP. In fact, Barracuda security researchers reported earlier this year that RDP abuse accounted for nearly 1.6% of the attempted attacks the researchers witnessed over the previous 12 months (6).

The report detailed the targeting and abuse of RDP by threat actors, and stated that the majority of attacks against RDP originated in North America, followed by China and India.

Recommended Advanced IP Scanner and RDP Abuse Mitigations and Remedidations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of legitimate tools such as Advanced IP Scanner and RDP.

  • Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
  • Implement application controls to help manage and control the installation of software, including network scanners.
  • Monitor system activity through heuristics-based triggers and alerts, which can aid in identifying the malicious install, use, and presence of unapproved tools and malicious activities on devices.
  • Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location. Dedicated and approved software can aid in detecting software, such as Advanced IP Scanner, that is installed from a third-party location outside of a dedicated center.

Return to Top

SolarMarker Malware Incident with Legal Services Partner on July 9, 2024

Topline Takeaways

  • Industry target: Legal Services
  • Attacker information:
    • PowerShell
    • SolarMarker malware
    • Social engineering
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use SolarMarker Malware to exploit other Legal Services organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Password managers
    • Multifactor authentication (MFA)
    • Patch immediately!
    • Heuristics-based activity monitoring and remediation

SolarMarker Malware Incident for 2024-07-09

  • Blackpoint’s MDR+R technology alerted to suspicious PowerShell activity on a Legal Services partner’s host.
  • Further investigation by the Active SOC team revealed that a temp file loading, decrypting, and executing an obfuscated file.
    • The execution led to the subsequent callout to a French IP address via PowerShell. The file hash for the callout IP is known to be associated with the SolarMarker malware.
    • The impacted user’s download folder contained a .exe binary – likely the initial access vector.
  • Active SOC analysts isolated the host to prevent any further malicious activity, then reached out to the Legal Services partner with additional information and advice.

More About SolarMarker

Click for details

SolarMarker (AKA Deimos, Jupyter, Yellow Cockatoo, Polazert) is an information stealing malware that has been active since at least October 2020. The malware is written in .NET and has backdoor functionality, as well.

(Note that while many researchers refer to both SolarMarker and Jupyter as the same malware, reports have indicated that Jupyter is not the same malware. Rather, Jupyter appears to be a module deployed by the SolarMarker malware (7).)

While the its original developer remains unknown, Morphisec researchers theorize that SolarMarker’s developers are likely Russia-based (8), based on:

  • The common Russian to English spelling of “Jupyter”,
  • Multiple C2 servers that have been traced back to Russia, and
  • The malware’s admin panel posted on Russian-language cybercriminal forums.

APG Threat Analysis of SolarMarker for 2024

Click for details

Blackpoint’s APG assesses that threat actors will very likely continue to deploy the SolarMarker malware over the next 12 months.

This assessment is based on the frequency of internal Blackpoint observed attacks, along with external reporting of incidents involving SolarMarker malware.

  • In April 2024, we reported on a threat actor using SolarMarker malware during an attack on an onboarding Healthcare partner (9).
    • In this incident, PowerShell created several variables and then called upon them to set up the malicious payload as persistence disguised as a shortcut (lnk file) in this user’s startup folder.
    • PowerShell employed a fileless persistence technique by creating a registry key in the user’s registry hive.
  • In May 2024, Recorded Future security researchers reported that the threat actors behind the SolarMarker malware established a multi-tiered infrastructure, likely in an attempt to complicate law enforcement takedown efforts (10).
    • The researchers reported that the core of SolarMarker’s operations is a layered infrastructure including at least two clusters – a primary one for active operations and a secondary one assessed to be for testing new strategies or targeting specific regions or verticals.

Recommended SolarMarker Mitigations and Remediations

Click for details

Blackpoint’s APG recommends the following actions to help mitigate the deployment of SolarMarker malware for information theft cyberattacks.

  • Encourage the use of secure password managers versus browser-based password storage that can be accessed by information stealing malware, such as SolarMarker.
  • Enable multi-factor authentication (MFA), to help add an additional layer of security and make it challenging for attackers to abuse compromised credentials.
  • Implement a risk-based patch management program to ensure that strategic and relevant security vulnerabilities are patched in a timely manner to prevent exploitation.
  • Monitor system activity through heuristics-based triggers and alerts, to help identify malicious behaviors that can be stopped prior to information theft and exfiltration.

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environment, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

Click for full reference list
  1. MITRE’s Repository: “LuminousMoth” by MITRE on 2023-04-17
  2. Securelist’s Blog: “LuminousMoth APT: Sweeping attacks for the chosen few” by Mark Lechtik; Paul Rascagneres; Aseel Kayal on 2021-07-14
  3. Gridinsoft ‘s Repository: “Trojan:Win32/Tnega!MSR” by Gridinsoft on 2024-06-27
  4. Bitdefender’s Blog: “LuminousMoth – PlugX, File Exfiltration and Persistence Revisited” by Bogdan Botezatu; Victor Vrabie on 2021-07-21
  5. Advanced IP Scanner’s Website: “Advanced IP Scanner” by Famatech Corp. on N/A
  6. Hunt & Hackett’s Blog: “Advanced IP Scanner: the preferred scanner in the A(P)T toolbox” by KRIJN DE MIK on 2021-10-22

  7. Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on 2022-05-31
  8. Blackpoint Cyber’s Blog: “Brute Ratel, Advanced IP Scanner, and NetSupport RAT” by Andi Ursury and Ashley Stryker on 2024-06-28
  9. Barracuda’s Blog: “Threat Spotlight: The remote desktop tools most targeted by attackers in the last year” by Jonathan Tanner on 2024-05-01
  10. eSentire’s Blog: “eSentire Threat Intelligence Malware Analysis: SolarMarker: To Jupyter and Back” by eSentire Threat Response Unit (TRU) on 2023-11-16
  11. Morphisec’s Whitepaper: “Threat Profile Jupyter Infostealer” by Morphisec on 2020
  12. Blackpoint Cyber’s Blog: “DarkGate, SolarMarker, and Malicious PowerShell Commands” by Blackpoint Cyber on 2024-04-12
  13. Recorded Future’s Whitepaper: “Exploring the Depths of SolarMarker’s Multi-tiered Infrastructure” by Insikt Group on 2024-05-13
DATE PUBLISHEDJuly 11, 2024
AUTHORBlackpoint Cyber

Subscribe to the Blackpoint Blog

Don’t let a lack of awareness leave the organizations you protect vulnerable to sophisticated and elusive attacks. Subscribe now for a weekly roundup of Blackpoint’s empowering articles.

Subscribe now!