Between March 13-20, 2024, Blackpoint’s Security Operations Center (SOC) responded to 170 total incidents. These incidents included 24 on-premises MDR incidents, two Cloud Response for Google Workspace incidents, and 144 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- AnyDesk and TeamViewer during a reported LockBit ransomware attack.
- Fake QuickBooks installers and associated files affecting two individual end clients.
- IsErIk malware attempting to use scheduled tasks to conduct malicious activity.
In this blog, we discuss some of the incidents we observed, why they’re important, and how you can mitigate these types of incidents with your current tech stack and Blackpoint Cyber.
LockBit Ransomware Incident with Consumer Cyclicals End Customer on March 14, 2024
Topline Takeaways
- Date: March 14, 2024
- Targeted Industry: Consumer Cyclicals
- Relevant attacker information:
  - LockBit Ransomware
  - PP[.]bat
  - TeamViewer
  - AnyDesk
- Blackpoint SOC actions:
  - Isolation of infected device
  - Active hunt in network for additional compromises and activity
  - Client outreach with additional remediation advice
- Why this matters:
  - The Adversary Pursuit Group (APG) predicts that ransomware operators will continue to target organizations in all verticals over the next 12 months.
  - Additionally, the APG predicts that ransomware operators will continue to use legitimate tools, including TeamViewer and AnyDesk, to conduct malicious activities over the next 12 months.
- Recommended remediations and mitigations:
  - Alert configuration on abnormal user activity
  - Audit the use of legitimate tools, including RMM
  - Block inbound and outbound connections on common RMM ports
What happened?
Last Thursday, the Blackpoint SOC was alerted to a customer’s end client – one not currently monitored directly by the SOC – who had potentially been targeted by the LockBit ransomware operation and asked for assistance.
The SOC began threat hunting on the impacted network and identified the execution of “PP[.]bat.” In other attacks, LockBit has dropped similarly named files via TeamViewer to directly access devices.
Additionally, the SOC identified the use of AnyDesk, which is often used by ransomware operators to maintain remote access to compromised devices.
No other malicious TeamViewer or AnyDesk use was observed in the client network, though the SOC temporarily isolated an additional device with suspicious activity out of an abundance of caution.
What are AnyDesk and TeamViewer?
Both AnyDesk and TeamViewer are remote monitoring and management (RMM) tools that are, most often, used by IT administrators to remotely access and manage devices within a network.
However, they are also attractive tools for threat groups – including ransomware operators – to maintain persistent access to compromised devices and evade detection.
The APG has identified at least 17 ransomware operators that have been observed using the AnyDesk tool during targeted ransomware attacks, with more than 2,000 instances of unauthorized use of AnyDesk in monitored environments since May 2023.
The APG has also identified the following ransomware operators using TeamViewer during attacks:
- LockBit
- Trigona
- BianLian
The APG’s analysis shows that most instances of unauthorized TeamViewer use in particular involve a weakening of its default security settings – often including the use of easily guessed passwords, which is only possible on an outdated product version.
How often will AnyDesk and TeamViewer be used by threat actors in 2024?
In January 2023, CISA released an advisory that warned of threat actors’ use of legitimate RMM software, allowing them to gain initial access and persistence, as well as evade detection.
The APG predicts that threat actors will continue to abuse legitimate RMM tools and platforms over the next 12 months – especially AnyDesk.
Recommended Mitigations and Remediations for AnyDesk and TeamViewer Abuse
The APG recommends the following mitigations for preventing the malicious use of legitimate RMM tools:
- Audit RMM tools on your network – identify the software currently in use and the software that is authorized, and remove anything that does not meet the established requirements for use.
- Implement application controls – application controls should prevent both installation and execution of portable versions of unauthorized RMM software.
- Block inbound and outbound connections on common RMM ports.
- Implement monitoring services to detect RMM software being loaded in memory only.
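The audit step above, as an added PowerShell example that is not Blackpoint's code: it inventories the two tools named in this post from the Uninstall registry keys, the process list (which also catches portable builds) and their established TCP sessions, then flags anything not on an approved list. The `$approved` list is an assumption you fill in from your own RMM policy.

```powershell
# Added example (not Blackpoint's code): inventory RMM tooling on one Windows host so
# unapproved installs, portable copies and their live remote sessions can be reviewed.
# $rmmPatterns covers the two tools named in the post; $approved is a placeholder
# for your own sanctioned RMM list (assumption: it is maintained out of band).
$rmmPatterns = @('TeamViewer', 'AnyDesk')
$approved    = @()                       # e.g. @('TeamViewer') if that is your sanctioned RMM
$rmmRegex    = ($rmmPatterns | ForEach-Object { [regex]::Escape($_) }) -join '|'
$okRegex     = if ($approved) { ($approved | ForEach-Object { [regex]::Escape($_) }) -join '|' } else { '(?!)' }

# 1. Installed software from the 64-bit, 32-bit and per-user Uninstall keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $rmmRegex } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

# 2. Running processes: catches portable builds that never touched the Uninstall keys
$running = Get-Process | Where-Object { $_.ProcessName -match $rmmRegex } |
    Select-Object Id, ProcessName, Path

# 3. Established TCP sessions owned by those processes (who the tool is talking to)
$sessions = foreach ($proc in $running) {
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Process'; e = { $proc.ProcessName } }, RemoteAddress, RemotePort
}

# 4. Flag anything outside the approved list
$findings = @()
foreach ($app in $installed) {
    if ($app.DisplayName -notmatch $okRegex) {
        $findings += "Unapproved install: $($app.DisplayName) $($app.DisplayVersion)"
    }
}
foreach ($proc in $running) {
    if ($proc.ProcessName -notmatch $okRegex) {
        $findings += "Unapproved process: $($proc.ProcessName) (PID $($proc.Id)) at $($proc.Path)"
    }
}
foreach ($s in $sessions) {
    $findings += "Remote session: $($s.Process) -> $($s.RemoteAddress):$($s.RemotePort)"
}
if ($findings) { $findings } else { 'No RMM tooling found.' }
```

Run it from an elevated session so `Get-NetTCPConnection` can map connections to other users' processes; the remote peers it lists are what your RMM-port blocking rules need to cover.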
Fake QuickBooks Incident with Financials and Industrials End Clients on March 18, 2024
Topline Takeaways
- Date: March 18, 2024
- Targeted Industry: Financials and Industrials
- Relevant attacker information:
  - Fake QuickBooks
- Relevant client systems:
  - Webroot
- Blackpoint SOC actions:
  - Proactive isolation of infected device before malicious downloads
  - Client outreach with additional remediation advice
- Why this matters: Blackpoint APG predicts that fake QuickBooks instances will continue to be used to deploy second-stage malware – backdoors, trojans, ransomware – over the next 12 months.
- Recommended remediations and mitigations:
  - Implement a Managed Application Control solution
  - Regularly audit your environment and endpoints
  - Provide a dedicated software center
What happened?
Last Monday, the Blackpoint SOC was alerted to the detection of a fake QuickBooks program on an end client in the Financials vertical.
Further analysis identified a known malicious signer of the application’s associated artifacts; the same signer has been observed in fake QuickBooks incidents since at least April 2023. Additionally, the SOC observed a malicious scheduled task created in an attempt to maintain persistence on the host.
That same day, the SOC separately alerted to another incident of a fake QuickBooks-related file – this time, with an end client in the Industrials vertical.
The fake QuickBooks file maintained the same signer of the application’s associated artifacts as the incident above.
The same signer and similar incident in two different verticals indicates that this threat actor does not have a specific target. Instead, they likely target a large pool of victims in the hopes that at least a few are vulnerable to attack.
In both instances, the SOC isolated the impacted devices before additional devices were compromised or any data exfiltrated, and reached out to the clients for additional remediation advice.
What is QuickBooks?
QuickBooks is a legitimate accounting software by Intuit for small- and medium-sized businesses to manage finances.
However, malicious installers impersonating the authentic QuickBooks have been used by multiple threat groups to deploy malware for at least the previous 24 months. In multiple instances, unsuspecting end users search for QuickBooks online and find what they believe to be a legitimate installer – only for it to be a threat actor’s instance rather than Intuit’s.
Threat actors use the fake installer to deploy malware and gain persistent access to steal sensitive data, in addition to other activities.
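Because the incidents above were tied to a recurring malicious signer, a pre-execution check of the installer's Authenticode signature is a practical gate. This added PowerShell example is not Blackpoint's code; the expected publisher subject string and the bad-signer thumbprint are assumptions and placeholders to replace with values from a verified reference installer and your own intelligence feed.

```powershell
# Added example (not Blackpoint's code): vet a downloaded "QuickBooks" installer by its
# Authenticode signature before it is allowed to run. The expected publisher string and the
# placeholder bad-signer thumbprint are assumptions; replace them with values from your own
# verified reference installer and threat-intel feed.
param(
    [Parameter(Mandatory)][string]$InstallerPath
)
$expectedPublisherRegex = 'CN=Intuit Inc\.'            # assumption: Intuit's code-signing subject
$knownBadThumbprints    = @('<PLACEHOLDER_MALICIOUS_SIGNER_THUMBPRINT>')

$sig  = Get-AuthenticodeSignature -FilePath $InstallerPath
$cert = $sig.SignerCertificate                          # $null when the file is unsigned
$verdict = [ordered]@{
    File       = $InstallerPath
    SigStatus  = $sig.Status                            # Valid, NotSigned, HashMismatch, ...
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    Decision   = 'BLOCK'
    Reason     = $null
}
if ($sig.Status -ne 'Valid') {
    $verdict.Reason = "signature status is $($sig.Status)"
} elseif ($knownBadThumbprints -contains $cert.Thumbprint) {
    $verdict.Reason = 'signer is on the known-malicious list'
} elseif ($cert.Subject -notmatch $expectedPublisherRegex) {
    # A valid signature from the wrong publisher is exactly the fake-installer case
    $verdict.Reason = "valid signature but unexpected publisher: $($cert.Subject)"
} else {
    $verdict.Decision = 'ALLOW'
    $verdict.Reason   = 'valid signature from expected publisher'
}
[pscustomobject]$verdict
```

Save it as a script and call it with the path of the downloaded file; only an `ALLOW` verdict should reach the software center.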
How often will fake QuickBooks installers be used by threat actors in 2024?
In May 2024, security researchers with eSentire reported a fake QuickBooks incident in which a fake popup message displayed a phone number for victims to call. Upon calling the number, victims were instructed to “repair” corrupted files.
The threat actors then used Zoho Assist, a remote access software, to achieve a remote session on the victim system.
The APG predicts that threat actors will continue to deploy fake QuickBooks installers across multiple industry verticals over the next 12 months.
Recommended Fake QuickBooks Installer Mitigations and Remediations
Thankfully, the security actions which help prevent fake software and installer deployments are similar to other malware mitigations.
Specifically, the APG recommends the following to help detect malicious activity related to fake QuickBooks installers:
- Implement application allow/block listing to help restrict unauthorized program execution.
- Conduct regular environment and endpoint audits to identify weak points, apply necessary patching requirements, and close potential infection paths.
- Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location.
IsErIk Incident with Technology Customer on March 19, 2024
Topline Takeaways
- Date: March 19, 2024
- Targeted Industry: Technology
- Relevant attacker information:
  - IsErIk malware
  - JScript
  - Scheduled task “Search Provided by Bing ronof”
- Relevant client systems:
  - Windows OS
- Blackpoint SOC actions:
  - Proactive isolation of impacted endpoint
  - Client outreach with additional remediation advice
- Why this matters: APG predicts that threat actors will continue to deploy persistent malware – including IsErIk malware – over the next 12 months.
- Recommended remediations and mitigations:
  - Least privilege access controls
  - System activity monitoring
  - Multifactor authentication (MFA) & virtual private networks (VPNs)
  - Scripting language controls
What happened?
Last Tuesday, the Blackpoint SOC was alerted to the execution of JScript via Windows Script Host on an end client device.
Further analysis determined the behavior was related to the IsErIk persistent malware, designed to be an adware loader. The malware created a scheduled task on the device called “Search Provided by Bing ronof.”
The SOC isolated the affected devices and deleted the scheduled task to ensure the task was not completed. SOC analysts then reached out to the client to inform them of the remediation.
What is IsErIk?
IsErIk (aka DealPly) is a family of advanced persistent adware that features advanced evasion mechanisms, including remote code execution (RCE). The malware was first discovered in 2016 and re-emerged in large scale campaigns in 2020.
IsErIk malware has previously been observed:
- Abusing reputation services provided by Microsoft’s SmartScreen and McAfee’s WebAdvisor
- Using scheduled tasks that imitate search engines, such as “Yahoo! Powered {random name}.job.”
Notably, IsErIk has been observed being present for extended periods on victim networks – lurking for weeks to months prior to connecting to attacker command and control (C2) servers. This delay is likely an attempt to ensure the malware goes undetected prior to conducting malicious activity.
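The persistence pattern described above (a scheduled task with a search-engine-style name whose action runs a script through Windows Script Host) can be hunted for directly. This added PowerShell example is not Blackpoint's code; the two name indicators come from this post, while the script-host list, file extensions and user-writable-path heuristic are my assumptions.

```powershell
# Added example (not Blackpoint's code): hunt scheduled tasks for the IsErIk-style pattern
# described above, i.e. a task whose name mimics a search-engine brand or whose action
# runs a script through a Windows script host. The name indicators come from the post;
# the script-host list, extensions and path heuristic are assumptions.
$nameIndicators = @('Search Provided by Bing', 'Yahoo! Powered')
$scriptHosts    = @('wscript.exe', 'cscript.exe', 'mshta.exe')
$scriptExtRegex = '\.(js|jse|vbs|vbe|wsf|hta)\b'
$userWritable   = '\\(AppData|ProgramData|Temp|Users\\Public)\\'

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = @()
    foreach ($ind in $nameIndicators) {
        if ($task.TaskName -like "*$ind*") { $reasons += "name mimics search engine ('$ind')" }
    }
    foreach ($action in $task.Actions) {
        # Execute/Arguments exist on exec actions; COM-handler actions yield $null here
        $exe     = [string]$action.Execute
        $argStr  = [string]$action.Arguments
        $cmdline = "$exe $argStr"
        if ($exe) {
            $leaf = [System.IO.Path]::GetFileName($exe.Trim('"')).ToLowerInvariant()
            if ($scriptHosts -contains $leaf) { $reasons += "runs script host $leaf" }
        }
        if ($cmdline -match $scriptExtRegex) { $reasons += "launches script file ($($Matches[0]))" }
        if ($cmdline -match $userWritable)   { $reasons += 'payload under a user-writable path' }
    }
    if ($reasons.Count -gt 0) {
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Task    = "$($task.TaskPath)$($task.TaskName)"
            State   = $task.State
            Author  = $task.Author
            LastRun = $info.LastRunTime
            NextRun = $info.NextRunTime
            Reasons = ($reasons | Select-Object -Unique) -join '; '
        }
    }
}
$findings | Sort-Object Task | Format-Table -AutoSize
```

A hit on the name indicator alone is worth reviewing even if the task has not yet run, since the post notes this family can wait weeks before contacting its C2.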
How often will IsErIk be used by threat actors in 2024?
IsErIk has been active for the previous eight years; any previous lulls in activity appear to have been temporary.
The APG believes that it is likely that threat actors will continue to deploy the IsErIk malware to gain persistence, deploy second-stage payloads, and conduct RCE over the next 12 months.
Recommended Living-off-the-Land (LotL) Mitigations and Remediations
Blackpoint APG recommends the following actions to help mitigate IsErIk malware.
- Implement the practice of least privilege access controls. This can help ensure that users only have access to the data and resources required to complete their job functions.
- Monitor system activity to detect unusual access patterns that could be indicative of malicious behavior by threat actors.
- Ensure employees are using MFA and VPNs to access sensitive data and resources, providing an additional level of credential authentication.
- Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
The Adversary Pursuit Group, including…
Andi Ursry, Threat Intelligence Analyst
Andi Ursry has over five years of experience in threat intelligence. She has experience in both small business and Fortune 500 companies, beginning her career in the retail sector helping box stores mitigate risk prior to shifting to cyber intelligence. Her expertise lies in ransomware and APT (advanced persistent threat) groups’ tactics and tracking cyber trends. She holds a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.