February might be the shortest month of the year, but cyber attackers are doing their best to make it count.
Here is a summary of February’s main attacks, indexed for easy navigation.
Cymulate Research Lab detected a new variant of the XORDDOS malware, which was analyzed to identify the Command and Control (C&C) IP address and indicators of the malware’s activity on a deployed machine. Similar malware and code were also identified by Intezer.
A new threat actor, Ice Breaker APT, is using a specific social engineering technique to gain access to a target’s network. Analysts are still investigating, but have released information about the attacker’s Modus Operandi, attack chain, and ways to mitigate the threat, along with supported IOCs, TTPs, and Yara.
A new group called DarkBit has claimed responsibility for a ransomware attack on Israel’s Technion University, demanding $1.7 million in ransom to be paid within 48 hours. The group has threatened to increase the amount by 30% if the ransom is not received in time. DarkBit shared a messenger ID for the Tox secure messaging app, which individuals can use to recover their encrypted files.
SentinelLabs has detected the first Linux variant of the Cl0p ransomware, which contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom. SentinelLabs has published a free decryptor for this variant. The ELF Cl0p variant is developed similarly to the Windows version but contains small differences due to OS differences, and appears to be in its initial development phases. The ransomware targets specific folders, subfolders, and all files/types.
Trend Micro researchers discovered a new ransomware named Mimic that abuses the APIs of the Everything Windows filename search engine to query files that will be encrypted. This ransomware targets Russian and English-speaking users, with multiple capabilities such as deleting shadow copies and terminating applications and services.
A new financially motivated campaign is using a variant of the Xortist ransomware, named MortalKombat, and the Laplas clipper to conduct financial fraud. The Laplas clipper steals cryptocurrency by hijacking crypto transactions, while MortalKombat is a less sophisticated variant of the Xortist ransomware that targets system files and applications. It corrupts system folders and disables the Windows Run command window, among other things, and demands payment in Bitcoin.
Researchers have discovered a new malware called MyloBot that features advanced evasion, infection, and propagation techniques, which implies that the authors have experience and heavy infrastructure. Among the techniques employed are anti-VM, anti-sandbox, and anti-debugging techniques, reflective EXE, and process hollowing. The malware allows attackers to gain full control of the infected machine, enabling them to add payloads for other purposes such as banking Trojans, keyloggers, and distributed denial of service (DDoS) use.
A spear-phishing campaign targeting the government sector of Ukraine has been discovered by researchers. The attackers used a malicious attachment that appeared to have been sent from the State Emergency Service of Ukraine. Once the attachment was opened, VBScript code created a scheduled task for persistence, and a PowerShell script downloaded the DolphinCape information stealer. The malware is capable of exfiltrating system information and taking screenshots of the infected device.
An adversary was found to be using a compromised e-mail address to deliver phishing emails with a malicious PDF attachment. The files used in the attack were protected by VMProtect to hinder analysis. Successful intrusions resulted in systems being infected with variants from the RomCom, FateGrab, and StealDeal malware families.
Trigona ransomware, which first appeared on the threat landscape in late 2022, threatens to release stolen data if the ransom is not paid. The ransomware appends “._locked” to encrypted files and drops a ransom note in HTML format with instructions on how to retrieve the locked files. The threat actors behind the ransomware offer to decrypt three files for free to prove that the victims will get their sensitive data back.
Vector Stealer is an information stealer that has been sold on underground forums since 2022. The malicious software is distributed via spear-phishing emails with malicious attachments and can search and exfiltrate a range of sensitive data from the infected device. The malware uses an unknown crypter, KoiVM for virtualization, and specifically targets Remote Desktop files.
Attackers are targeting unpatched VMware ESXi servers with a two-year-old remote code execution vulnerability to deploy a new ESXiArgs ransomware. The vulnerability tracked as CVE-2021-21974 is caused by a heap overflow issue in the OpenSLP service and can be exploited by unauthenticated threat actors. To block incoming attacks, admins need to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not been updated.
The Goot Camp campaign targets users looking for business-related documents online to drop variants from the GootLoader malware family. The operation also uses the FONELAUNCH and SNOWCONE loaders to retrieve payloads from remote locations and load malicious code into memory. The malicious ZIP archive downloaded by victims launches a series of scripts that result in the system being infected with malicious software, including a Cobalt Strike beacon.
The US government has issued an advisory on malicious cyber activities involving North Korean ransomware campaigns. The TTPs associated with DPRK ransomware attacks include the acquisition of infrastructure, identity obfuscation, and VPN usage. The actors use various exploits of common vulnerabilities and exposures to gain access to networks.
The NewsPenguin threat actor targets Pakistani manufacturing, government, and military sectors with spear-phishing attachments. The final payload is an undocumented espionage tool that bypasses sandboxes and exfiltrates data from the infected system.
Mustang Panda distributed PlugX malware through malicious optical disc image (ISO) files to entities in Europe. Microsoft Windows registry run keys were used for persistence, while symmetric cryptography and standard encoding were used to exfiltrate sensitive data.
Threat actors targeted users in a phishing campaign that delivered a job application themed macro enable document. The malicious scripts made use of many OS native tools as well as some legitimate open-source packages to carry out nefarious tasks. The attackers successfully acquired access and exfiltrated some collected data but did not carry out further actions on the victim’s machines.
A malware strain that uses the Windows Help file (*.chm) has been on the rise since last year. A blank Help screen is created when the CHM file is executed, and a malicious script is run under the user’s nose. This script uses mshta to execute a malicious command that exists in a remote address. The malware is being executed in a fileless format, making it difficult for users to identify what type of malware was executed.
Threat actors use HTML Smuggling techniques to deliver malware such as Qakbot XWorm, Cobalt Strike, and IcedID. Spear-phishing emails are sent with HTML attachments that may directly drop an archive file containing a malicious LNK file to the victim machine or present a file impersonating well-known vendors. The victim is then coerced into executing the archive or saving and executing a malicious file.
The original HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data. HardBit version 2.0 was introduced with samples seen throughout the end of 2022 and into 2023. The ransomware claims to steal sensitive data from their victims and encrypts it. Unlike many of their peers, HardBit does not appear to have a leak site at this time and is not currently using the double extortion tactic. The ransomware performs a number of steps to reduce the security posture of the host before encrypting victim data, including gathering information about the victim host via web-based enterprise management and Windows Management Instrumentation functions, dropping a custom HardBit file icon into the victim’s documents folder, deleting the Volume Shadow Copy Service and backups, editing the boot configuration, disabling many Windows Defender Antivirus features, terminating services, and ensuring the HardBit ransomware payload is automatically executed whenever the system is rebooted. The encryption phase involves maneuvering through all directories and files to locate data for encryption, overwriting the files, renaming the encrypted files with a seemingly random file name followed by an identifier, and writing a plain text ransom note and a HTML application (HTA) ransom note to the drive root and all folders containing encrypted files. An image file is saved on the victim’s desktop, which is set as the system wallpaper via a Windows Registry update, and the HTA ransom note is executed to display interactive content.
The Tonto Team, an espionage group known for targeting various strategic sectors since 2009, recently attempted to compromise the security firm Group IB. They sent weaponized attachments to employees, masquerading as employees of legitimate organizations, and used fake email IDs created with GMX Mail. The campaign used the Royal Road weaponizer to create documents that exploit CVEs related to the MS Equation Editor vulnerabilities. The Tonto Team also used the Bisonal DoubleT backdoor and the TontoTeam.Downloader to collect intellectual property.
CatB ransomware emerged in late 2022, requiring victims to contact the threat actor via email only. The malware uses DLL sideloading to execute the payload and performs system checks to ensure it is not running on virtual machines or sandboxes. The ransomware demands 50 Bitcoin to obtain the decryption key and is packed using UPX.
A new campaign targeting a government organization utilized the open-source Havoc framework, an advanced command and control framework capable of bypassing the most current and updated version of Windows 11 defender. Havoc is known for using advanced evasion techniques such as indirect syscalls and sleep obfuscation, which makes detection and analysis difficult.
IcedID (also known as Bokbot) is a backdoor malware that steals information and can lead to other malicious activities such as Cobalt Strike and VNC traffic.
It is commonly distributed through email campaigns, and security analysts have also observed it being delivered through fake software sites that use Google ad traffic.
A new attack campaign was found that uses the Havoc Command and Control (C2) framework to target government organizations.
The Havoc Demon created by the framework evades detection by disabling the Event Tracing for Windows (ETW) and uses CreateThreadpoolWait() to decrypt and execute shellcode.
The malware also loads the Havoc’s Demon DLL reflectively and resolves virtual addresses using API hashing routines.
The infection chain consists of several malicious documents including a decoy file, a downloader, a batch script, and a benign JPEG file.
The Mirai botnet has been delivering the recently discovered Medusa botnet and stealer malware. Medusa Botnet has the capabilities to target victims for DDoS attacks, encrypt targets with ransomware, and build upon its infrastructure by acquiring infected machines. The malware uses open-source tools such as psutil, ZMap, scapy, and common binaries like telnet, SSH, and wget.
The TA471 threat group, also known as Ember, Bear, Lorec53, and UAC-0056, has targeted Ukrainian government websites. They used custom backdoors, web shells, and tunneling tools such as CredPump, HoaxPen, HoaxApe, Ngrok, and Gost to carry out the infection process.
The United States National Security Agency (NSA), the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) have issued a joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. The advisory is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaigns, namely Maui and H0lyGh0st ransomware. The report highlights the TTPs (tactics, techniques, and procedures) that DPRK cyber actors use to conduct ransomware attacks targeting South Korean and US healthcare systems. The observable TTPs include acquiring infrastructure, obfuscating identity, purchasing VPNs and VPSs, gaining access through exploits of common vulnerabilities and exposures, and spreading malware through Trojanized files for “X-Popup.” The actors spread malware by leveraging two domains: xpopup.pe.kr and xpopup.com.
That is all for now.
Stay cyber safe!
Boosting Red & Blue Teaming with Cyber Attack Simulation
Breach and attack simulation can turbocharge blue and red team exercises, as well as extend both teams’ reach and save time.READ MORE
451 Research: Continuous Cyber Attack Simulations
451 Research reports how Cymulate scales red teaming activities with continuous cybersecurity simulations.READ MORE
Red Team Automation Solution Brief
Red team automation automates, scales, and customizes exercises. Read the solution brief to learn how red team automation makes a huge difference for your enterprise and employees.READ MORE