The IronNet May Threat Intelligence Brief

IronNet Threat Intelligence Brief

We are happy to report that, following the Emotet takedown operation in January, law enforcement pushed an Emotet uninstaller module to infected systems that would automatically uninstall the malware on April 25, 2021. In addition, the FBI removed ProxyLogon web shells from U.S.-based Exchange servers without warning the servers’ owners in mid-April. While these kinds of malware removal operations by law enforcement are unprecedented, it is possible we will see more operations such as this in the future. You can hear more about these success stories in today’s threat intelligence webinar, now available on demand here.

The May IronNet Threat Intelligence Brief 

This ability to analyze and correlate seemingly unrelated instances is critical for identifying sophisticated attackers who leverage varying infrastructures to hide their activity from existing cyber defenses. As reported in the April Threat Intelligence Brief, our analysts review alerts from millions of data flows that are ingested and processed with big data analytics. We apply ratings to the alerts (benign/suspicious/malicious) and immediately share them with IronDome Collective Defense participants. 

Here is a snapshot of what we discovered across the IronDome communities in April, showing 780 correlated alerts across IronDome participant environments:

IronNet analysis of IOCs 

In addition to correlated alerts, significant IronDome community findings revealed 675 Indicators of Compromise (IoC) that may pose risk to IronDome participant environments. For example, we analyzed the malicious ifollc-onedrive[.]com. This domain hosts a phishing site. The URL ifollconedrive[.] com/next.php was one of multiple referred URLs that resulted from a user clicking a link in a spearphishing email. If this domain is seen in your network, ensure no data was extracted from the endpoint and block appropriately.

All the IoCs we analyzed are used to trigger alerts that are mapped to the Cyber Kill Chain to identify the stage and progression of the threat. They can be used to create detection rules for network, endpoint, or other security tools currently deployed to mitigate cyber risk in each IronDome participant’s environment. 

See the May Threat Intelligence Brief for the full list of recent IoCs.

The bigger picture of Collective Defense 

Every month, IronNet’s expert threat analysts create threat intelligence rules (TIRs) based on significant community findings from IronDome, malware analysis, threat research, or other methods to ensure timely detection of malicious behavior targeting an enterprise or other IronDome community participants. 

In April, we created 5,284 threat intel rules of our 208,058 created to date. Some examples of this month’s research include indicators associated with command and control (C2) domains for FluBot malware, which targets Android smartphones, and IoCs surrounding the NAIKON campaign. This combination of behavior-driven and IoC signature-based detection, alert ranking, and sharing ensures IronDome participants have the broadest view of threats facing their enterprise.

A closer look at the NAIKON campaign

In a recent investigation into the abuse of vulnerable legitimate software, Bitdefender Labs  uncovered an attack campaign conducted by the threat group NAIKON that ran from at least June 2019 to March 2021. Likely tied to the People’s Republic of China (PRC), NAIKON has been active for more than a decade and is known to pursue high-profile targets, such as government agencies and military organizations, specifically in the Asia Pacific (APAC) region.

In its most recent campaign, NAIKON abused legitimate software to side-load malicious payloads, namely the first-stage backdoor RainyDay and the second-stage malware Nebulae. NAIKON deployed the RainyDay backdoor (also known as FoundCore) to perform reconnaissance, upload reverse proxy tools, perform lateral movement, execute password dump tools, and establish persistence. The first-stage malware RainyDay is also used to deploy second-stage payloads, including the Nebulae backdoor, which is believed to be used as a precautionary measure to maintain persistence in case the infection is detected. Nebulae provides the added capabilities of collecting system information, manipulating data, downloading files from the C2 server, executing processes, and more.

Aiming this campaign at military organizations in APAC for purposes of espionage and data exfiltration, NAIKON was able to drop these malicious payloads by exploiting side-loading and DLL (dynamic link library) hijacking vulnerabilities. These payloads impacted legitimate software such as ARO 2012 Tutorial, VirusScan On-Demand Scan Task Properties (McAfee), Sandboxie COM Services, Outlook Item Finder (Microsoft), and Mobile Popup Application. Employing a heavy use of side-loading DLLs, NAIKON plants malicious DLLs in legitimate locations and then executes the legitimate program to load the DLLs, which helps mask their malicious actions under a legitimate, trusted process.

You can see the latest industry news in the full monthly brief or check out our monthly Cyber Lookback series.



About Ironnet
Founded in 2014 by GEN (Ret.) Keith Alexander, IronNet, Inc. (NYSE: IRNT) is a global cybersecurity leader that is transforming how organizations secure their networks by delivering the first-ever Collective Defense platform operating at scale. Employing a number of former NSA cybersecurity operators with offensive and defensive cyber experience, IronNet integrates deep tradecraft knowledge into its industry-leading products to solve the most challenging cyber problems facing the world today.