
Cyber Threat Breakdown June 2023

Here is the June 2023 summary of threats, with a short list of IoCs. The full IoC list for each specific threat is available from the Cymulate app.

Reminder: The Cymulate BAS Immediate Threat capabilities can be configured to automatically update your SIEM list of IoCs, including hashes, URLs, domain names, etc.
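The IoC lists below all use one layout: a sample name on its own bullet, followed by indented SHA1, MD5 and SHA256 bullets, with an occasional URL or IP indicator as a bullet of its own. The Python below is an added example, not Cymulate code: it parses that layout into lookup tables (rejecting digests of the wrong length or with non-hex characters rather than silently loading them) and hashes local files against the result. The indicator text is a constructed excerpt in the page's own format, and the directory passed on the command line is whatever you want scanned.

```python
"""Parse IoC bullet lists in the layout used on this page and match local files.
Added example, not Cymulate code; SAMPLE_IOC_TEXT is a constructed excerpt."""
import hashlib
import re
import sys
from pathlib import Path

# Constructed excerpt in the page's layout (values copied from the 8Base and
# RedEyes entries below; note the second MD5 is only 31 hex characters long).
SAMPLE_IOC_TEXT = """
  • Eightbasebgiiacggfh3_browsingExe.exe
    • SHA1: d6d0631a1f95e3972a803ed1c57b120815b2b5cf
    • MD5: d1f12c03b8ce33b36d8423b057c7d6c5
    • SHA256: c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
  • Eightbasebgiiacggfh4_browsingExe.exe
    • SHA1: f79fe555c492a9effe26ead87ec7eb3c53899083
    • MD5: e7ac55d61ab9cfcf180c92c1381a2fa
    • SHA256: afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
  • http://172.93.181.249
"""

HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HASH_LINE = re.compile(r"^\s*•\s*(MD5|SHA1|SHA256):\s*(\S+)\s*$", re.IGNORECASE)
ITEM_LINE = re.compile(r"^\s*•\s*(\S.*?)\s*$")
HEX = re.compile(r"^[0-9a-f]+$")


def parse_iocs(text):
    """Return (hashes, network, rejected): hashes maps algo -> {digest: sample name},
    network lists URL/IP indicators, rejected lists (sample, algo, digest) tuples for
    digests of the wrong length or with non-hex characters, so a bad line is
    reported instead of silently dropped or silently loaded."""
    hashes = {algo: {} for algo in HASH_LENGTHS}
    network, rejected, current = [], [], None
    for line in text.splitlines():
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo] or not HEX.match(digest):
                rejected.append((current, algo, digest))
            else:
                hashes[algo][digest] = current
            continue
        m = ITEM_LINE.match(line)
        if m:
            value = m.group(1)
            if value.startswith(("http://", "https://")):
                network.append(value)
            else:
                current = value  # sample name; the digest lines that follow belong to it
    return hashes, network, rejected


def digests_of(data):
    """MD5/SHA1/SHA256 of an in-memory byte string."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in HASH_LENGTHS}


def hash_file(path, chunk=1 << 20):
    """Same three digests for a file, streamed so large binaries are not read at once."""
    hs = {algo: hashlib.new(algo) for algo in HASH_LENGTHS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hs.items()}


def match_digests(digests, hashes):
    """(algo, sample name) for the strongest matching digest, or None."""
    for algo in ("sha256", "sha1", "md5"):
        name = hashes[algo].get(digests[algo])
        if name is not None:
            return algo, name
    return None


def scan_directory(root, hashes):
    """Walk a directory tree and return [(path, algo, sample name)] for every hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            m = match_digests(hash_file(p), hashes)
            if m:
                hits.append((str(p), *m))
    return hits


if __name__ == "__main__":
    hashes, network, rejected = parse_iocs(SAMPLE_IOC_TEXT)
    print(f"loaded {sum(len(v) for v in hashes.values())} digests, {len(network)} network IoCs")
    for sample, algo, digest in rejected:
        print(f"rejected {algo} for {sample}: {digest!r} ({len(digest)} chars)")
    if len(sys.argv) > 1:
        for path, algo, name in scan_directory(sys.argv[1], hashes):
            print(f"HIT {path} ({algo} matches {name})")
```

Run it with a directory argument to scan; without one it only parses the sample and reports the malformed MD5. Loading the full list from the Cymulate app or into a SIEM should go through the same length and hex validation, since a truncated digest will never match anything and gives a false sense of coverage.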

Table of Contents

8Base Ransomware – A Heavy-Hitting Player

Tracing The Footsteps of Red Wolf

Wagner Ransomware Cyber Recruitment

Operation Magalenha – Long-Running Campaign Pursues Portuguese Credentials and PII

Crysis and Venus Ransomware Installed via RDP

Python-Based Loader Masquerading as OneDrive Utilities to Drop Multiple RATs

Mallox Ransomware Implements New Infection Strategy

RedEyes Group (APT37) Wiretapping Individuals

Uncovering a New Activity Group Targeting Governments in the Middle East and Africa

Tracking Diicot, an Emerging Romanian Threat Actor

Formbook from Possible ModiLoader (DBatLoader)

Big Head Ransomware

Novel Malware Campaign Targets LetsVPN Users

ChamelGang Targets Linux Users with ChamelDoH Malware

Ghostwriter Uses PicassoLoader Against Ukraine (CERT-UA#6852)

UNC4841 Exploits Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868)

Unveiling the Hidden Workings of Mustang Panda APT

IceFire Ransomware

Mystic Stealer Lurking in the Cyber Sphere

Gamer Community Targeted with WannaCry-Imitator Ransomware

FIN11 Uses Cobalt Strike and FlawedGrace to Deploy MBR Killer

New Terminator IOCs

Infected Minecraft Mods Lead to Fractureiser Information Stealer

Unmasking DarkRace Ransomware

US-CERT Alert – CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

Recent Satacom Campaign Delivers Cryptocurrency-Stealing Add-on

Deep-Dive into the HiddenEyeZ Cyber Crime Group

Dark Pink APT Expands its Targeting Portfolio

Investigating BlackSuit Ransomware's Similarities to Royal

Analysis of New Active Malware MediaArena – PUA

Terminator Antivirus Killer is a Vulnerable Windows Driver in Disguise

8Base Ransomware – A Heavy-Hitting Player

8Base is a ransomware group that has been active since March 2022, with a significant spike in activity in June 2023. Describing themselves as “simple pen testers”, the group's leak site provides victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them. What is interesting about 8Base’s communication style is the use of verbiage strikingly similar to that of another known group, RansomHouse. 8Base's top targeted industries include, but are not limited to, Business Services, Finance, Manufacturing and Information Technology.

IOCs

  • Eightbasebgiiacggfh4_browsingExe.exe
    • SHA1: f79fe555c492a9effe26ead87ec7eb3c53899083
    • MD5: e7ac55d61ab9cfcf180c92c1381a2fa
    • SHA256: afddec37cdc1d196a1136e2252e925c0dcfe587963069d78775e0f174ae9cfe3
  • Eightbasebgiiacggfh3_browsingExe.exe
    • SHA1: d6d0631a1f95e3972a803ed1c57b120815b2b5cf
    • MD5: d1f12c03b8ce33b36d8423b057c7d6c5
    • SHA256: c6bd5b8e14551eb899bbe4decb6942581d28b2a42b159146bbc28316e6e14a64
  • Eightbasebgiiacggfh2_browsingExe.exe
    • SHA1: 5d0f447f4ccc89d7d79c0565372195240cdfa25f
    • MD5: 9769c181ecef69544bbb2f974b8c0e10
    • SHA256: e142f4e8eb3fb4323fb377138f53db66e3e6ec9e82930f4b23dd91a5f7bd45d0

Tracing The Footsteps of Red Wolf

The Red Wolf espionage group, also known as RedCurl, was discovered sending phishing emails with malicious attachments to entities across Russia, Canada, Germany, Norway, Ukraine and the United Kingdom. The attachment (an ISO image in the sample below) contains an LNK file, a hidden folder and several files, one of which carries the malicious payload. Successful infections result in a scheduled task being created for persistence, after which sensitive data is collected and exfiltrated to command-and-control servers.

IOCs

  • Tracingbgiiaaecbg1_browsingIso.iso
    • SHA1: 7d01c27e827e02f32f12ada25da929fa911e965c
    • MD5: 9d7d79c17dab6ff01c5804866eb4c81d
    • SHA256: e7b881cd106aefa6100d0e5f361e46e557e8f2372bd36cefe863607d19471a04
  • Tracingbgiiaaecbg2_browsingLnk.lnk
    • SHA1: a1cb733708debb4c51967bf56ca0a0f750156cfa
    • MD5: 46a7d14e899171a136f69782a5cbbe35
    • SHA256: 3bd054a5095806cd7e8392b749efa283735616ae8a0e707cdcc25654059bfe6b
  • Tracingbgiiaaecbg3_browsingDll.dll
    • SHA1: 1d1a59b1a3a9e5477ff6763ff97f90b52613932d
    • MD5: 6ece95df231083c37ecf9a39c324e2bb
    • SHA256: 4188c953d784049dbd5be209e655d6d73f37435d9def71fd1edb4ed74a2f9e17

Wagner Ransomware Cyber Recruitment

An unknown threat actor behind Wagner ransomware urges citizens to join the PMC Wagner instead of demanding a ransom. The malware enters a sleep state if the binary is not running from the %APPDATA% folder, appends the “.Wagner” extension to encrypted files and drops a ransom note titled “Wagner.txt”. The ransomware uses the vssadmin, wmic, wbadmin and bcdedit Windows tools to delete shadow copies and hinder recovery of the infected system.

IOCs

  • Wagnerbgihjbhidd5_browsingExe.exe
    • SHA1: 8ee7fc0171b980aa93b687e334d1e29a8d634085
    • MD5: d26b2c8fc07cb5c72bfc40779f09d491
    • SHA256: 1238ab3dd3ed620536969ee438e99a33a418ba20f5e691962ed07904e075b2a4
  • Wagnerbgihjbhidd5_edrExe.exe
    • SHA1: 8ee7fc0171b980aa93b687e334d1e29a8d634085
    • MD5: d26b2c8fc07cb5c72bfc40779f09d491
    • SHA256: 1238ab3dd3ed620536969ee438e99a33a418ba20f5e691962ed07904e075b2a4

Operation Magalenha – Long-Running Campaign Pursues Portuguese Credentials and PII

The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain. The threat group simultaneously deploys two backdoor variants to maximize attack potency. To ensure uninterrupted operations, the threat actor has shifted its infrastructure hosting from IaaS providers implementing stricter anti-abuse measures, such as a major US-based cloud provider, to Timeweb, a Russian IaaS provider known for its more relaxed policies.

IOCs

  • Magalenhabgihgjegca10_browsing7Exe.exe
    • SHA1: fff1b8681eadf590034f61ddd69ba035c6980e12
    • MD5: 5ffe427533794819a0a949a7eb168201
    • SHA256: 762856bc8ff75a46634935b85ffc41393d2897f8ad49925b27510ee16bcfafa3
  • Magalenhabgihgjegca105_browsingExe.exe
    • SHA1: f9db9f525f2bf09f2b85c91ea09f6251e00e2a95
    • MD5: d3d1a11a003483966888b47a64937a51
    • SHA256: 4bea0b5ff37563575cb0cfe46d544932449f3f0f6189421c59bfeb812a256328
  • Magalenhabgihgjegca104_browsingExe.exe
    • SHA1: f72ade72050a6ce63224aad2c7699160705b414c
    • MD5: 7748010a9f1e7a4ab849b51c34267a03
    • SHA256: 189273fc11a384979a5bd11c11bc9a6eee805ed39454105622b210bee1ab42c3

Crysis and Venus Ransomware Installed via RDP

Threat actors are attacking internet-facing systems with RDP enabled to gain initial access. Successful intrusions result in devices infected with Crysis or Venus ransomware variants. Various legitimate tools are used, including multiple NirSoft utilities, along with Mimikatz to steal credentials.

IOCs

  • Crysisbgihfhcije1_browsing79Exe.exe
    • SHA1: 401e6815bbc62b092f96e93e9535f09d77aa4522
    • MD5: 67b1a741e020284593a05bc4b1a3d218
    • SHA256: d74758f7cd701f111f3d2188a639abc64ca7b8ffce508024d5cf510626cff9eb
  • Crysisbgihfhcije180_browsingExe.exe
    • SHA1: 6f62e7fe75a0876939e0dd95d314b83e25e1e395
    • MD5: 786ce74458720ec55b824586d2e5666d
    • SHA256: 1a05cba6870798d2e73001bf872e4d579460c380c060fd051f33a703f504b8a3
  • Crysisbgihfhcije181_browsingExe.exe
    • SHA1: 3fb552a575713181856b208aff35545d4f22141e
    • MD5: 8d0a0f482090df08b986c7389c1401c2
    • SHA256: 3e02e94e3ecb5d77415c25ee7ecece24953b4d7bd21bf9f9e3413ffbdad472d2

Python-Based Loader Masquerading as OneDrive Utilities to Drop Multiple RATs

Researchers discovered a phishing campaign dubbed MULTISTORM that deploys commodity malware such as Warzone RAT and QuasarRAT using a custom Python-based downloader. The campaign relies on OneDrive to host the malicious software and to blend its download traffic in with legitimate cloud activity, hiding it from security analysts. The malware collected sensitive information and exfiltrated it to command-and-control servers.

IOCs

  • Python_basedbgihfhchhc166_browsingExe.exe
    • SHA1: bce8a87a9bbfec492e78b4910db2876a5bf7e848
    • MD5: ba291f98812dd69f656c9727a4bbebf4
    • SHA256: 18c876a24913ee8fc89a146ec6a6350cdc4f081ac93c0477ff8fc054cc507b75
  • Python_basedbgihfhchhc16_browsing7Dll.dll
    • SHA1: d214bb1f252df2549a64bd898e72d62a8fd8fd9d
    • MD5: 5f382d3a2cec2944982099894bc39d15
    • SHA256: 02212f763b2d19e96651613d88338c933ddfd18be4cb7e721b2fb57f55887d64
  • Python_basedbgihfhchhc168_browsingPs1.ps1
    • SHA1: e4d2ad7b22b1a8b5b1f7a702b303c7364b0ee021
    • MD5: 213c60adf1c9ef88dc3c9b2d579959d2
    • SHA256: 37c59c8398279916cfce45f8c5e3431058248f5e3bef4d9f5c0f44a7d564f82e

Mallox Ransomware Implements New Infection Strategy

An unknown threat actor targeted various sectors across the globe with Mallox ransomware. Initial access relied on spam email attachments, while file and directory permission modifications, hidden files and directories, and masquerading were used for defense evasion. Multiple Windows commands were used to kill, stop, disable or delete hundreds of processes and services.

IOCs

  • Malloxbgihfhcdgj16_browsingBat.bat
    • SHA1: 8054569d8b449e4cd0211cb2499c19f42557fb21
    • MD5: dcf060e00547cfe641eff3f836ec08c8
    • SHA256: 5158b0a023299c1922423a065b9825fd1769f1a87ffd2031375a0e893d523318
  • Malloxbgihfhcdgj16_edrBat.bat
    • SHA1: 8054569d8b449e4cd0211cb2499c19f42557fb21
    • MD5: dcf060e00547cfe641eff3f836ec08c8
    • SHA256: 5158b0a023299c1922423a065b9825fd1769f1a87ffd2031375a0e893d523318

RedEyes Group (APT37) Wiretapping Individuals

AhnLab Security Emergency Response Center (ASEC) has published an analysis of malware developed by the RedEyes group (also tracked as APT37), including a backdoor that uses the Ably real-time messaging platform as the channel through which it receives commands from its C&C server.

IOCs

  • Redeyesbgihdjjchf_browsing7Chm.chm
    • SHA1: a00dd8d1a84b52f0cb6d7976918e9666b856f025
    • MD5: 1352abf9de97a0faf8645547211c3be7
    • SHA256: 56914bc6034073546d0e3c64c563e6f121ca7465207405aab26f2e5e0d2dcb74
  • Redeyesbgihdjjchf_edr7Chm.chm
    • SHA1: a00dd8d1a84b52f0cb6d7976918e9666b856f025
    • MD5: 1352abf9de97a0faf8645547211c3be7
    • SHA256: 56914bc6034073546d0e3c64c563e6f121ca7465207405aab26f2e5e0d2dcb74
  • http://172.93.181.249

Uncovering a New Activity Group Targeting Governments in the Middle East and Africa

Researchers have recently identified multiple espionage attacks targeting governmental entities in the Middle East and Africa. According to the findings, the main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities and ministries of foreign affairs.

IOCs

  • Uncoveringbgihdagaba92_browsingExe.exe
    • SHA1: c792029bcbd793433ba755396fe3b946dd352d97
    • MD5: 2304a87e41f922bb03abc70fea11b491
    • SHA256: 0f22e178a1e1d865fc31eb5465afbb746843b223bfa0ed1f112a02ccb6ce3f41
  • Uncoveringbgihdagaba93_browsingExe.exe
    • SHA1: 1ef67d5a3fe42e561486a6b52bd3c0e143e89259
    • MD5: 9dd9d006d40d7e43eedbd1db385844b8
    • SHA256: e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee
  • Uncoveringbgihdagaba94_browsingExe.exe
    • SHA1: 4ae846e33e0b1d522e1957571de818d428d1fa35
    • MD5: 1397da1382f4da05c45e43f16c2b7f30
    • SHA256: 73b9cf0e64be1c05a70a9f98b0de4925e62160e557f72c75c67c1b8922799fc4

Tracking Diicot, an Emerging Romanian Threat Actor

In a recent review of honeypot sensor telemetry researchers detected an interesting attack pattern that could be attributed to the threat actor Diicot (formerly Mexals).

IOCs

  • Trackingbgihcbcbic33_browsingElf.elf
    • SHA1: e998494f91b08b52b28fe3304e9322962e3d1b58
    • MD5: 946689ba1b22d457be06d95731fcbcac
    • SHA256: 14779e087a764063d260cafa5c2b93d7ed5e0d19783eeaea6abb12d17561949a
  • Trackingbgihcbcbic3_browsing7Elf.elf
    • SHA1: a5e524e6689040a8f76e34864354b47790d54a0d
    • MD5: d45ab42f54d3345381388b87584ab562
    • SHA256: 7d93419e78647d3cdf2ff53941e8d5714afe09cb826fd2c4be335e83001bdabf
  • Trackingbgihcbcbic40_browsingElf.elf
    • SHA1: 02d5a7503ba65be4acd228b7c77dfee6c6fcbae8
    • MD5: 0874c80875045b0f40b9d2a2fbac1bbc
    • SHA256: 7389e3aada70d58854e161c98ce8419e7ab8cd93ecd11c2b0ca75c3cafed78cb

Formbook from Possible ModiLoader (DBatLoader)

Threat researcher Brad Duncan came across an infection chain that starts with an Excel file exploiting CVE-2017-11882 (the Equation Editor memory corruption flaw) to run what appears to be ModiLoader (also known as DBatLoader), which in turn delivers Formbook.

IOCs

  • Formbookbgihcbcajg13_browsingExe.exe
    • SHA1: 861b78a549dc321bd48206d4b9f1d8f905851d42
    • MD5: 191e6663f1c7dd7e357aa9f03ec286f7
    • SHA256: 8566d2bf58fe371e646076c60874a8fbb50de2fbf9b950c457804d316a3de89f
  • Formbookbgihcbcajg16_browsingDll.dll
    • SHA1: 1ab71cea96db2445573afe8381baf6f6537c335d
    • MD5: 8c08b9b19a0e91746694a884caef3882
    • SHA256: cfc4f6c4931fc8df03919d96181178a903a6ccd39eb5268ac00b3a223c027b5b
  • Formbookbgihcbcajg18_browsingXls.xls
    • SHA1: 5a2d492fbc206f2d81563f1e1d74ca2027d82173
    • MD5: 458942431ed6e9d9918cc0b2335b417a
    • SHA256: 4f6e9a66f50f443d07676ef43a7f2349fc713c96522058c1c4d425da7be4a4bf

Big Head Ransomware

Big Head is a sophisticated ransomware discovered in May 2023 that exists in multiple variants. The ransomware is distributed as a fake Windows update screen or as counterfeit software. Big Head encrypts files, modifies file names and then drops a ransom note with instructions for obtaining the decryption key once the ransom is paid.

IOCs

  • Bigbgihabafga_browsing7Exe.exe
    • SHA1: 400f58379ecb22519beebddf0aad001bcddc8ef0
    • MD5: 68974e2fce3960049f8398fe11b08619
    • SHA256: bcf8464d042171d7ecaada848b5403b6a810a91f7fd8f298b611e94fa7250463
  • Bigbgihabafga11_browsingExe.exe
    • SHA1: 1b8ab4569dff4952a5781c4c7874e22a96344ba6
    • MD5: f6329e75cb5626b1d26758e09c12f7fc
    • SHA256: 1942aac761bc2e21cf303e987ef2a7740a33c388af28ba57787f10b1804ea38e
  • Bigbgihabafga3_browsingExe.exe
    • SHA1: e5057f7997412b941168bf060011505e3597e460
    • MD5: 2a3e1126a556eaf2838e6e04103e2e7f
    • SHA256: 6d27c1b457a34ce9edfb4060d9e04eb44d021a7b03223ee72ca569c8c4215438

Novel Malware Campaign Targets LetsVPN Users

An unknown threat actor hosted multiple counterfeit LetsVPN websites that mimic the legitimate site and were used to deceive users. Victims who visited the websites downloaded malicious payloads such as KrBanker, KingSoft (PUA) and Gh0st RAT, which establish persistence and steal sensitive information.

IOCs

  • Novelbgigjghhbb192_browsingExe.exe
    • SHA1: 51fc61ce15b2c0fbd44608dd0a0667a505c2d40c
    • MD5: e84192f3f3a1f74ac6b4b7a12309225c
    • SHA256: 888d47d26e861c10e1df3ff81dac7c198e5edd4092b03eaf45c0ba329890e50a
  • Novelbgigjghhbb191_browsingExe.exe
    • SHA1: d6cfeedb11025b1ae0f479f33fb60cc764661927
    • MD5: 4de841949ede68d74507f545ea3e04c6
    • SHA256: 90701156e937348a1f3d2ad50f0f38b4071acaaa38f4d58a91889153317443c2
  • Novelbgigjghhbb195_browsingExe.exe
    • SHA1: 4e6575aefaaec7386a2b49201d065bf570ef920b
    • MD5: 34028e2d59d73ba916600cecd5334c4b
    • SHA256: decc5c92b09bb6ef97ad68caf0ec802c530aa8974cd6a90ab313c8a309bf27f3

 

ChamelGang Targets Linux Users with ChamelDoH Malware

The threat actor tracked as ChamelGang is targeting Linux environments with custom malware, ChamelDoH, that reaches its C2 through DNS requests sent over HTTPS (DNS-over-HTTPS). The implant uses a custom base64 alphabet to encode the data it carries inside those DNS requests. Commands sent back to the implant include executing shell commands, downloading files via wget, uploading and downloading files, and deleting them. The group has previously been seen targeting energy, aviation and government organizations in Russia, the United States, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania and Nepal with Windows malware; the targets of the Linux variants have not yet been identified.

IOCs

  • Chamelgangbgigjghdhj19_browsingElf.elf
    • SHA1: 1addea509875cdcb0852c23bdab94caae24d7a26
    • MD5: 22021b26ae7ac7e36b55076431aa5746
    • SHA256: 92c9fd3f81da141460a8e9c65b544425f2553fa828636daeab8f3f4f23191c5b
  • Chamelgangbgigjghdhj19_edrElf.elf
    • SHA1: 1addea509875cdcb0852c23bdab94caae24d7a26
    • MD5: 22021b26ae7ac7e36b55076431aa5746
    • SHA256: 92c9fd3f81da141460a8e9c65b544425f2553fa828636daeab8f3f4f23191c5b

Ghostwriter Uses PicassoLoader Against Ukraine (CERT-UA#6852)

The Ghostwriter APT group targeted entities in Ukraine with a malicious PowerPoint file. Successful infections resulted in the PicassoLoader malware downloading and infecting devices with a Cobalt Strike beacon. Persistence was achieved with either a scheduled task or an LNK file created in the startup folder.

IOCs

  • Ghostwriterbgigjghdec1_browsingPpt.ppt
    • SHA1: 4be8a759afbf0b52ab7c319e352a3b071203f9cd
    • MD5: 6e556f6d3f74a4d70b934a0b9a8e3f5f
    • SHA256: 991a19fb00cda372dd1ce4a42580dc40872da5c5bfbb34301615f3870ea3fb58
  • Ghostwriterbgigjghdec2_browsingDll.dll
    • SHA1: 30c986ae5db230b142a1a87f37c2493be4fe4f06
    • MD5: adf00c9e47cc724dd4ff1f9af14401b5
    • SHA256: 35d1e819d2ac2535f0aa9e2294570135f37519386872c415e326146e931b8fb9
  • Ghostwriterbgigjghdec1_edrPpt.ppt
    • SHA1: 4be8a759afbf0b52ab7c319e352a3b071203f9cd
    • MD5: 6e556f6d3f74a4d70b934a0b9a8e3f5f
    • SHA256: 991a19fb00cda372dd1ce4a42580dc40872da5c5bfbb34301615f3870ea3fb58

UNC4841 Exploits Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868)

The UNC4841 espionage actor exploited a zero-day vulnerability (CVE-2023-2868) in the Barracuda Email Security Gateway (ESG) to drop malware and exfiltrate sensitive data. Organizations affected include government agencies, research firms and foreign trade offices across the Americas, EMEA and APAC regions. Multiple malware families were used during the attacks, including SeaSide, SeaSpray, SeaSpy, SkipJack, SSLShell and SaltWater.

IOCs

  • Unc4841bgigjcehdj196_browsingSo.so
    • SHA1: 10b621c5e07648bd7a7391e569aa62a510be82f4
    • MD5: 827d507aa3bde0ef903ca5dec60cdec8
    • SHA256: 1c6cad0ed66cf8fd438974e1eac0bc6dd9119f84892930cb71cb56a5e985f0a4
  • Unc4841bgigjcehdj194_browsingTar.tar
    • SHA1: 290e5cb4d32f97963bdc95ef2cc4b44a4de5666d
    • MD5: 0d67f50a0bf7a3a017784146ac41ada0
    • SHA256: 8c5c8e7b3f8ab6651b906356535bf45992d6984d8ed8bd600a1a056a00e5afcb
  • Unc4841bgigjcehdj192_browsingTar.tar
    • SHA1: 1903a3553bcb291579206b39e7818c77e2c07054
    • MD5: 42722b7d04f58dcb8bd80fe41c7ea09e
    • SHA256: 949d4b01f31256e5e9c2b04e557dcca0a25fc2f6aa3618936befc7525e1df788

Unveiling the Hidden Workings of Mustang Panda APT

Mustang Panda is a Chinese advanced persistent threat (APT) that launches spear-phishing campaigns targeting government, higher education, telecommunications and think tanks around the globe. Recently the threat actor added tools to its arsenal, including new initial access vectors and new malware. Recently identified tools include QMAGENT, MIROGO, TONEDROP, TONESHELL and the TinyNote backdoor. After sensitive information is gathered from victim systems, it is exfiltrated to adversary C2 servers.

IOCs

  • Unveilingbgigjcefjj1_browsing77Unkn.unkn
    • SHA1: cd2205f63f7cba0b4ee81eae4f01d0242663e92e
    • MD5: d74d5d642c0c8f7fa9e41d3c939097de
    • SHA256: 2682888c53284609770b8bf76ee6b3ed5497d5686d36ca6469152b6fb329defb
  • Unveilingbgigjcefjj1_browsing76Dll.dll
    • SHA1: c8c0f2665a79b9efa9c1f91a0141898662ad99bc
    • MD5: c0b81dd0c83b5b63690fd80fdf96b3df
    • SHA256: e4981f406bf4a0a3f94b3cfb92b52c1dd5828767e36f531680128b458d5263f9
  • Unveilingbgigjcefjj1_browsing79Exe.exe
    • SHA1: fed0672e9e7343886b3f6995310911c2d954730c
    • MD5: 4613986d2a47ceac2e733bda51c5aebb
    • SHA256: ae134a7687a191274ae00a44fcea24ccadc1612a336ca867ae6a033870c6a7c3

IceFire Ransomware

IceFire ransomware was discovered in 2022 and targets both Windows and Linux platforms. The malware focuses on large enterprises, including the technology, media and entertainment sectors, located across multiple countries including Turkey, Iran, Pakistan and the United Arab Emirates. The threat actor behind the malware is known to exploit a vulnerability (CVE-2022-47986) in IBM Aspera Faspex file-sharing software to gain initial access.

IOCs

  • Icefirebgigiibbgi14_browsingElf.elf
    • SHA1: 57d8eef52d67110ca9b3a05daea94e4eca5aff9d
    • MD5: 7bba9eb1fe9ec5f0bbe290562237cc60
    • SHA256: fc6a88d1a4360b50a787a6d0f3dbb037b8146ea2fc4df4d90e6848ad98fe9166
  • Icefirebgigiibbgi13_browsingElf.elf
    • SHA1: b676c38d5c309b64ab98c2cd82044891134a9973
    • MD5: 01de715b0f9e3725ef453d31acaaf598
    • SHA256: e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b
  • Icefirebgigiibbgi13_edrElf.elf
    • SHA1: b676c38d5c309b64ab98c2cd82044891134a9973
    • MD5: 01de715b0f9e3725ef453d31acaaf598
    • SHA256: e9cc7fdfa3cf40ff9c3db0248a79f4817b170f2660aa2b2ed6c551eae1c38e0b

Mystic Stealer Lurking in the Cyber Sphere

Mystic Stealer is an information stealer that appeared on the threat landscape in April 2023. The malicious software targets multiple web browsers, browser extensions, cryptocurrency wallets, and Steam and Telegram accounts. Polymorphic string obfuscation, hash-based import resolution and runtime calculation of constants are used for defense evasion.

IOCs

  • Mysticbgigiibadd2_browsingExe.exe
    • SHA1: 84597cc313080e0e4667784b308d031dbe7a11bc
    • MD5: 5753bdaf1c0e6ea82d405ef1ceb452e7
    • SHA256: fc4aa58229b6b2b948325f6630fe640c2527345ecb0e675592885a5fa6d26f03
  • Mysticbgigiibadd1_browsingExe.exe
    • SHA1: f2007a5856fc2a0d1d96b7ea455b7deeeb521447
    • MD5: b7be4082bca4e283624704ad2421ce93
    • SHA256: 5c0987d0ee43f2d149a38fc7320d9ffd02542b2b71ac6b5ea5975f907f9b9bf8
  • Mysticbgigiibadd10_browsingExe.exe
    • SHA1: 218f228454d4032ec65236c1c289e9c256eccda6
    • MD5: df80b1e50cfebb0c4dbf5ac51c5d7254
    • SHA256: 7ab8f9720c5f42b89f4b6feda21e7aa20334ba1230c3aef34b0e6481a3425681

Gamer Community Targeted with WannaCry-Imitator Ransomware

Threat actors were discovered targeting Russian-speaking gamers with a phishing page that mimics the legitimate Enlisted game website. The fake site hosts a legitimate game installer alongside ransomware that pretends to be WannaCry. The malicious code is a modified version of an open-source ransomware written in Python.

IOCs

  • Gamerbgighebbcg39_browsingExe.exe
    • SHA1: 6515911679fdb3d6267ab44b67415dc32e587440
    • MD5: 65fdd5e706d45e8bb83bc13311fb4da4
    • SHA256: c14081d8d8eff8191eb182e83b106d4ee683768d9c4dabb5a759e41914884dc2
  • Gamerbgighebbcg43_browsingExe.exe
    • SHA1: 31278826e062d0a8b4ffe52caf1aa5c2804f3441
    • MD5: 55fac3a480c154fd5f2344992db4c5b0
    • SHA256: 444383bcff5139c30cc74d5dd7c35bdb236b468e18ed9a28e923acb12c2f3790
  • Gamerbgighebbcg40_browsingExe.exe
    • SHA1: 0dc36a78cb251f6272991d541b7dffb438e2eb36
    • MD5: 66742054e5ba484ef06d7cc2b52bd6c3
    • SHA256: dd49296f07192452a7394bd99a4d15594961dccea1e0517695d23e2d74bca005

FIN11 Uses Cobalt Strike and FlawedGrace to Deploy MBR Killer

An attack campaign attributed to the FIN11 threat group was found leveraging the 404 Traffic Distribution System (TDS) service to deliver spear-phishing emails. Cobalt Strike and FlawedGrace were loaded by Truebot, which masqueraded as a PDF document. Scheduled tasks were used for persistence, while multiple batch for loops were used to find live endpoints and enumerate open shares.

IOCs

  • Fin11bgiggbajgd3_browsingExe.exe
    • SHA1: 4f4f8cf0f9b47d0ad95d159201fe7e72fbc8448d
    • MD5: 12011c44955fd6631113f68a99447515
    • SHA256: c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
  • Fin11bgiggbajgd4_browsingExe.exe
    • SHA1: 96b95edc1a917912a3181d5105fd5bfad1344de0
    • MD5: 6164e9d297d29aa8682971259da06848
    • SHA256: 717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb
  • Fin11bgiggbajgd4_edrExe.exe
    • SHA1: 96b95edc1a917912a3181d5105fd5bfad1344de0
    • MD5: 6164e9d297d29aa8682971259da06848
    • SHA256: 717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb

New Terminator IOCs

On May 21, 2023, an online persona named spyboy began advertising an endpoint defense evasion tool for the Windows operating system via the Russian-language forum Ramp. The author claims that the software – seen in a demonstration video as being titled “Terminator” – can bypass twenty-three (23) EDR and AV controls. At the time of writing, spyboy is pricing the software from $300 USD (single bypass) to $3,000 USD (all-in-one bypass).

IOCs

  • Terminatorbgigeihbdb1_browsingExe.exe
    • SHA1: 16d7ecf09fc98798a6170e4cef2745e0bee3f5c7
    • MD5: 21e13f2cb269defeae5e1d09887d47bb
    • SHA256: 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91
  • Terminatorbgigeihbdb1_edrExe.exe
    • SHA1: 16d7ecf09fc98798a6170e4cef2745e0bee3f5c7
    • MD5: 21e13f2cb269defeae5e1d09887d47bb
    • SHA256: 543991ca8d1c65113dff039b85ae3f9a87f503daec30f46929fd454bc57e5a91

Infected Minecraft Mods Lead to Fractureiser Information Stealer

Unidentified threat actors infected dozens of Minecraft mods and plugins with the Fractureiser information stealer. The trojanized plugins and mods were hosted on CurseForge and Bukkit accounts. The campaign was carried out in multiple stages and compromised Linux and Windows victims, predominantly in the United States. After compromising victim systems, the malware stole logins, clipboard data, browser credentials, cookies and authentication tokens and exfiltrated the data to command-and-control servers.

IOCs

  • Infectedbgigdfbhdc9_browsingZip.zip
    • SHA1: 0c6576bdc6d1b92d581c18f3a150905ad97fa080
    • MD5: aa1cc7d9799419510f8964ea8aeda6be
    • SHA256: ffbba21fab302033a24f889e03d87d3bf915dd39265156adc5e70f2914de3424
  • Infectedbgigdfbhdc12_browsingZip.zip
    • SHA1: 33677ca0e4c565b1f34baa74a79c09a3b690bf41
    • MD5: 68497517a7e43c024f32fcd0ece61674
    • SHA256: 8d00bb6e058390a2843a9236d31c6d0aa9a7966c4adf71689599a9b7a0c6ae19
  • Infectedbgigdfbhdc15_browsingZip.zip
    • SHA1: 284a4449e58868036b2bafdfb5a210fd0480ef4a
    • MD5: e269b782c7bef2de0e81b2691c705a0e
    • SHA256: 8915683dd6adc5e871806ff9b79015183f95c6c7311ecb0f3714b2b8de17ce48

Unmasking DarkRace Ransomware

DarkRace shares some similarities with LockBit ransomware and encrypts files only on Windows devices. The malware creates a mutex to prevent reinfection and intentionally excludes files with certain extensions so that encryption completes faster. The ransomware uses wmic and vssadmin to delete shadow copies and hinder recovery.
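Three of this month's ransomware entries (Wagner, Mallox and DarkRace above) share the same pre-encryption step: built-in Windows tools are used to delete shadow copies and backups and to disable boot recovery. The Python below is an added example, not code from any of those reports: it classifies process-creation command lines against one rule per technique and raises an alert only when two or more distinct techniques occur on the same host inside a short window, so that a lone administrative vssadmin command does not page anyone. The events are constructed, the command forms are the commonly documented ones (assumed here, not quoted from the samples), and the 300-second window is an assumption to tune against your own telemetry.

```python
"""Detect recovery-inhibition command lines (shadow copy deletion, backup catalog
deletion, boot recovery disabled) in process-creation telemetry.
Added example; SAMPLE_EVENTS are constructed, not real telemetry."""
import re

# One regex per technique, matched against the lowercased command line. The
# command forms are the commonly documented ones, assumed here rather than
# copied from any of the reports summarized on this page.
RULES = [
    ("vssadmin_delete_shadows", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vssadmin_resize_storage", r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wmic_shadowcopy_delete", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("wbadmin_delete_backups", r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b"),
    ("bcdedit_disable_recovery",
     r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
]
RULES = [(name, re.compile(rx)) for name, rx in RULES]


def classify(cmdline):
    """Names of every rule the command line matches (empty list for benign commands)."""
    cl = cmdline.lower()
    return [name for name, rx in RULES if rx.search(cl)]


def detect(events, window_seconds=300):
    """Per host, raise one alert when two or more distinct techniques occur within
    window_seconds. A single hit (e.g. an admin resizing shadow storage) is kept
    out of the alert stream on purpose; it is still visible via classify()."""
    by_host = {}
    for ev in events:
        for rule in classify(ev["cmdline"]):
            by_host.setdefault(ev["host"], []).append((ev["ts"], rule, ev["cmdline"]))
    alerts = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if h[0] - t0 <= window_seconds]
            techniques = sorted({h[1] for h in window})
            if len(techniques) >= 2:
                alerts.append({"host": host, "techniques": techniques,
                               "first_ts": window[0][0], "last_ts": window[-1][0],
                               "commands": [h[2] for h in window]})
                break  # one alert per host is enough to start an investigation
    return alerts


# Constructed process-creation events (ts = epoch seconds, the shape a normalized
# Sysmon EID 1 or Windows 4688 feed would provide).
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "ts": 1686000100, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "WS-FIN-07", "ts": 1686000130, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "WS-FIN-07", "ts": 1686000140, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS-FIN-07", "ts": 1686000150, "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "SRV-FILE-01", "ts": 1686000200, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"host": "SRV-FILE-01", "ts": 1686004000, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"host": "SRV-FILE-01", "ts": 1686004010, "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']}: {', '.join(alert['techniques'])}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

The correlation is the important part: each of these commands has a legitimate use on its own, but a workstation running three or four of them within minutes is almost always about to encrypt, and that is the last moment a responder can still isolate the host cheaply.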

IOCs

  • Unmaskingbgigcgfdic2_browsingExe.exe
    • SHA1: c55c60a23f5110e0b45fc02a09c4a64d3094809a
    • MD5: 1933fed76a030529b141d032c0620117
    • SHA256: 0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4
  • Unmaskingbgigcgfdic3_browsingExe.exe
    • SHA1: 892cd69f889b25cb8dc11b0ac75c330b6329e937
    • MD5: cb1c423268b1373bde8a03f36f66b495
    • SHA256: 74b5e2d90daaf96657e4d3d800bb20bf189bb2cf487479ea0facaf6182e0d1d3
  • Unmaskingbgigcgfdic2_edrExe.exe
    • SHA1: c55c60a23f5110e0b45fc02a09c4a64d3094809a
    • MD5: 1933fed76a030529b141d032c0620117
    • SHA256: 0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4

US-CERT Alert – CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.

IOCs

  • Clopmovitbgigcbedae31_browsingHtml.html
    • SHA1: 3f95cebb7a7bd0491912d461208118784f802ca6
    • MD5: a85299f78ab5dd05e7f0f11ecea165ea
    • SHA256: fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2f
  • Clopmovitbgigcbedae23_browsingHtml.html
    • SHA1: e7f3f1b8925411a8e33e0dc6e5767cfcda7136f5
    • MD5: 317552cac7035e35f7bdfc2162dfd29c
    • SHA256: c77438e8657518221613fbce451c664a75f05beea2184a3ae67f30ea71d34f37
  • Clopmovitbgigcbedae35_browsingDll.dll
    • SHA1: 62f5a16d1ef20064dd78f5d934c84d474aca8bbe
    • MD5: 82d4025b84cf569ec82d21918d641540
    • SHA256: c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c

Recent Satacom Campaign Delivers Cryptocurrency-Stealing Addon

Satacom downloader, also known as LegionLoader, is a well-known malware family that emerged in 2019. It is known to query DNS servers to obtain a base64-encoded URL, from which it retrieves the next stage: another malware family currently distributed by Satacom. The main purpose of the malware dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites.
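Two entries this month use DNS itself as the carrier: Satacom pulls a base64-encoded stage URL out of a DNS answer, and ChamelDoH (in the ChamelGang entry above) pushes custom-base64-encoded data to its C2 inside DNS requests sent over HTTPS. The Python below is an added example, not code from either report. It decodes a Satacom-style answer (assumed here to be a TXT record, which the page does not specify) and only accepts it if the result really is an http(s) URL; flags query names whose subdomain is long and high-entropy, the fingerprint of data encoded into labels; and shows how a custom base64 alphabet is decoded once it has been recovered from the sample. The alphabet, the domain names, the beacon content and the entropy and length thresholds are all assumptions for the example.

```python
"""DNS as a C2 channel: decode a base64 URL carried in a DNS answer (the Satacom
technique) and spot/decode data smuggled in query labels (the ChamelDoH technique).
Added example, not code from either report; samples are constructed and the
'custom' alphabet is hypothetical."""
import base64
import math
import re
from collections import Counter

STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Hypothetical non-standard alphabet standing in for ChamelDoH's custom one:
# letters/digits rotated by 13, '+/' swapped for '-_' so labels stay hostname-safe.
CUSTOM_ALPHABET = STD_ALPHABET[13:62] + STD_ALPHABET[:13] + "-_"
URL_RE = re.compile(r"^https?://[^\s/]+(/\S*)?$")


def encode_custom_b64(raw, alphabet):
    """Standard base64 without padding, then remapped onto the custom alphabet."""
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_custom_b64(text, alphabet=STD_ALPHABET):
    """Map a custom alphabet back to the standard one, restore padding, decode strictly."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 distinct characters")
    std = text.rstrip("=").translate(str.maketrans(alphabet, STD_ALPHABET))
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def url_from_txt(txt_value):
    """Satacom-style stage URL hidden in a DNS answer: base64 text that decodes
    to an http(s) URL. Returns None for anything that is not exactly that."""
    try:
        decoded = decode_custom_b64(txt_value.strip().strip('"')).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None
    return decoded if URL_RE.match(decoded) else None


def shannon_entropy(s):
    """Bits per character of the string."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def subdomain_blob(qname, registered_labels=2):
    """Everything left of the registered domain, joined. registered_labels=2 assumes a
    plain second-level domain; use a public-suffix list for real traffic."""
    labels = qname.rstrip(".").split(".")
    return "".join(labels[:-registered_labels])


def is_suspicious_qname(qname, min_len=30, min_entropy=3.5):
    """Long, high-entropy subdomains are the signature of data encoded into labels.
    Thresholds are assumptions for this example; tune them against your DNS baseline."""
    blob = subdomain_blob(qname)
    return len(blob) >= min_len and shannon_entropy(blob) >= min_entropy


def decode_qname_payload(qname, alphabet):
    """Reassemble the labels and decode with the (known or recovered) alphabet."""
    return decode_custom_b64(subdomain_blob(qname), alphabet)


def build_tunnel_qname(payload, domain, alphabet, label_len=63):
    """Encode a payload into <=63-char labels under the C2 domain (used to build the sample)."""
    enc = encode_custom_b64(payload, alphabet)
    return ".".join(enc[i:i + label_len] for i in range(0, len(enc), label_len)) + "." + domain


# Constructed samples.
SAMPLE_URL = "https://example.org/stage2/payload.zip"
SAMPLE_TXT = '"' + base64.b64encode(SAMPLE_URL.encode()).decode() + '"'
SAMPLE_BEACON = b"host=web01;user=root;cmd=id;out=uid=0(root)"
SAMPLE_TUNNEL_QNAME = build_tunnel_qname(SAMPLE_BEACON, "c2.example", CUSTOM_ALPHABET)

if __name__ == "__main__":
    print("stage URL:", url_from_txt(SAMPLE_TXT))
    for q in ("www.example.com", "mail.corp.example.com", SAMPLE_TUNNEL_QNAME):
        print(f"{'SUSPICIOUS' if is_suspicious_qname(q) else 'ok        '} {q}")
    print("recovered:", decode_qname_payload(SAMPLE_TUNNEL_QNAME, CUSTOM_ALPHABET))
```

Note that the DoH variant never touches the local resolver, so the query-name check has to run on decrypted HTTPS (proxy or EDR) or on the resolver your DoH clients are pinned to; the entropy check itself is the same either way.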

IOCs

  • Recentbgigaaceii2_browsingDll.dll
    • SHA1: 2998514523267f1f85a6d7e6db6b04a7e8e91d19
    • MD5: 199017082159b23decdf63b22e07a7a1
    • SHA256: f2e13474644635160b9534db20d60ccc625e0cd6e3aceb1e5e706b75f82d3ecc
  • Recentbgigaaceii1_browsingZip.zip
    • SHA1: cf2d2dae7ece1b8ba5f234595e160c7f10409647
    • MD5: 0ac34b67e634e49b0f75cf2be388f244
    • SHA256: afaad4f2046c842c4cc0d470e5f407c1c41eae4f01ae7f617051a7e25da0c207
  • Recentbgigaaceii2_edrDll.dll
    • SHA1: 2998514523267f1f85a6d7e6db6b04a7e8e91d19
    • MD5: 199017082159b23decdf63b22e07a7a1
    • SHA256: f2e13474644635160b9534db20d60ccc625e0cd6e3aceb1e5e706b75f82d3ecc

Deep-Dive into the HiddenEyeZ Cyber Crime Group

The HiddenEyeZ cybercrime group sells malware and stolen data to threat actors over Telegram. The group offers its custom HiddenEyeZ HVNC RAT/infostealer, which can be purchased for a few hundred dollars per month or as a lifetime license for $1,500. The malicious software bundles the r77 rootkit, the Icarus stealer and tools to disable Windows Defender and maintain persistence.

IOCs

  • Deep_divebgifhadiic2_browsing7Dll.dll
    • SHA1: 096d850244c31a9d4c1da7ac3b243e3f61b503d8
    • MD5: bf2ac81c25ebc55e88af9233c6c0e1b5
    • SHA256: ed3ee849ae71001941d03983a65eacdd726be75d91b076475a89a3a75e79d82e
  • Deep_divebgifhadiic23_browsingExe.exe
    • SHA1: be23cf7d356b13a3f233c6b3d807854e8083bd2d
    • MD5: 4c9bc0e73872ba91b88fda7a45e5379a
    • SHA256: bb86e41bb6d5eccad1ff84ab343506f4f5fcd78b0618966edc0ae0e05fcc8683
  • Deep_divebgifhadiic28_browsingDll.dll
    • SHA1: 336f3fb4baa098ea4f54d881f2a2cf696e37c44e
    • MD5: 8d54e4abe1762f96134a0c874cfb8cdc
    • SHA256: 2141974f665f4d8fecb6d8ea06add624b57f320f901368847175570ee716fd8e

Dark Pink APT Expands its Targeting Portfolio

Dark Pink APT is believed to originate from the Asia-Pacific region and has been extensively targeting multiple sectors since 2021. It primarily targets government, educational, military, NGO and development entities located in East Asia and has recently expanded its operations into Europe. The group is known to use sophisticated custom tools and multiple kill chains to maintain access within victim systems and remain undetected while exfiltrating victim data.

Dark Pink continues to rely on ISO images sent via spear-phishing to gain initial access to victim systems and employs DLL side-loading to launch backdoors such as TelePowerBot and KamiKakaBot. Once the backdoors are in place, sensitive information is exfiltrated from compromised hosts in ZIP archives to attacker-controlled Telegram accounts. The actors also use webhook.site, a service that provides temporary HTTP endpoints, as a drop point for stolen data; in the past, cloud services such as Dropbox were used for exfiltration. The threat actor also maintains a GitHub account where multiple payloads are hosted and uses TextBin.net to distribute payloads within victim systems.

IOCs

  • Darkbgifhadhgh3_browsingDll.dll
    • SHA1: 3a47a3e498445041373d323192f55219b6842a6d
    • MD5: 8ae76848a8f5f80bccf089c8aaec6d94
    • SHA256: 8dc3f6179120f03fd6cb2299dbc94425451d84d6852b801a313a39e9df5d9b1a
  • Darkbgifhadhgh1_browsingDll.dll
    • SHA1: 78cebcb6528e1eacdc51a094ca1fca73d219c4d0
    • MD5: a904e16443ea47c4e60de7435ac474a9
    • SHA256: d23784c30a56f402bb71d116ef8b5bcc8609061be0ecc6d1014686ff4227197f
  • Darkbgifhadhgh5_browsingDll.dll
    • SHA1: 42d40f8502b48262fb52a8f0e7e061904d9b553b
    • MD5: 187435ffa73536096bdb2ab57504f903
    • SHA256: 6d620e86fd37c9b92a0485b0472cb1b8e2b1662fbb298c4057f8d12ad42808b4
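The Dark Pink description above names the network channels the group uses to stage payloads and move data out: webhook.site, Telegram, TextBin.net and, in older campaigns, Dropbox. The following detection snippet, added here as an example and not code from Cymulate or from the original report, runs over a few constructed proxy log lines and flags requests to those services. The log format, IP addresses, URLs and byte counts are all constructed; the hostnames are the services' own public domains (api.telegram.org being the Telegram Bot API host), not indicators taken from the report.

```python
"""Flag proxy-log requests to the exfiltration and staging services described
for Dark Pink. Added example; log format and sample lines are constructed."""
import re
from collections import namedtuple

# Services named in the write-up, keyed by their public hostname (assumed, not IoCs).
EXFIL_HOSTS = {
    "webhook.site": "webhook.site temporary endpoint",
    "api.telegram.org": "Telegram Bot API",
    "textbin.net": "TextBin.net payload staging",
    "dropbox.com": "Dropbox (used in older campaigns)",
}

# Constructed log layout: "<timestamp> <src_ip> <method> <url> <status> <bytes_out>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

Finding = namedtuple("Finding", "ts src host service severity bytes_out")


def host_of(url):
    """Extract the lower-cased host part of a URL ('' if the URL is malformed)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def matched_service(host):
    """Return the service label if host is one of the known domains or a subdomain."""
    for known, label in EXFIL_HOSTS.items():
        if host == known or host.endswith("." + known):
            return label
    return None


def detect_exfil(lines, min_bytes=10_000):
    """Scan log lines; every hit on a known service is reported.

    Severity is 'high' for uploads (POST, or at least min_bytes sent), which is
    the ZIP-archive exfiltration pattern the report describes, and 'review' for
    smaller downloads such as fetching a staged payload. Malformed lines are skipped.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m["url"])
        service = matched_service(host)
        if service is None:
            continue
        sent = int(m["bytes"])
        severity = "high" if (m["method"] == "POST" or sent >= min_bytes) else "review"
        findings.append(Finding(m["ts"], m["src"], host, service, severity, sent))
    return findings


# Constructed sample traffic: one benign request, one payload fetch, two uploads,
# one low-volume beacon and one malformed line.
SAMPLE_LOG = [
    "2023-06-12T09:14:02Z 10.0.4.17 GET https://www.example.com/index.html 200 512",
    "2023-06-12T09:15:40Z 10.0.4.17 GET https://textbin.net/raw/CONSTRUCTED 200 2048",
    "2023-06-12T09:16:05Z 10.0.4.17 POST https://webhook.site/CONSTRUCTED-ID 200 184320",
    "2023-06-12T09:16:30Z 10.0.4.17 POST https://api.telegram.org/botTOKEN_PLACEHOLDER/sendDocument 200 92160",
    "2023-06-12T09:20:00Z 10.0.4.22 GET https://api.telegram.org/botTOKEN_PLACEHOLDER/getUpdates 200 300",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in detect_exfil(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.src} -> {f.host} ({f.service}, {f.bytes_out} bytes)")
```

Subdomain matching matters here because webhook.site endpoints and Dropbox content hosts are served from subdomains; the threshold only governs severity, so a small beacon to a known service is still surfaced for review rather than silently dropped.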

Investigating BlackSuit Ransomware's Similarities to Royal

The emergence of BlackSuit ransomware, with its similarities to Royal, indicates that it is either a new variant developed by the same authors, a copycat using similar code, or an affiliate of the Royal ransomware gang that has modified the original family.

IOCs

  • Investigatingbgifghfafj65_browsingExe.exe
    • SHA1: 30cc7724be4a09d5bcd9254197af05e9fab76455
    • MD5: 748de52961d2f182d47e88d736f6c835
    • SHA256: 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c
  • Investigatingbgifghfafj64_browsingElf.elf
    • SHA1: 861793c4e0d4a92844994b640cc6bc3e20944a73
    • MD5: 9656cd12e3a85b869ad90a0528ca026e
    • SHA256: 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e
  • Investigatingbgifghfafj61_browsingElf.elf
    • SHA1: 7e7f666a6839abe1b2cc76176516f54e46a2d453
    • MD5: 2902e12f00a185471b619233ee8631f3
    • SHA256: b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c

Analysis of New Active Malware MediaArena – PUA

MediaArena is a piece of software that presents itself as a useful tool but secretly reconfigures browser settings to steal the user's search queries. It poses, for instance, as a DOCX-to-PDF converter, a video-to-animated-GIF converter, and similar utilities. Distribution appears to occur via advertisements shown on web pages in an ongoing malvertising campaign: the victim is tricked into clicking the advert and may then install the tool on their workstation. All search queries the victim enters are redirected to a third party, where the results are served with ads and the queries are collected and sold. This allows bad actors to manipulate search results, gather data on your company, inject drive-by downloads in a targeted way, and more.

IOCs

  • Analysisbgifghejgf49_browsingExe.exe
    • SHA1: 10331bf7546f8ec83a237af7c4ef2cdbb7dd6492
    • MD5: 9fd7214015f132f644adb7de47270ea4
    • SHA256: e9fad9727b8a66e6b593d8b416f1c60b692ffc91b72e14bb30c40a1ce9b6a260
  • Analysisbgifghejgf43_browsingExe.exe
    • SHA1: 33c02d70abb2f1f12a79cfd780d875a94e7fe877
    • MD5: 1e2a99ae43d6365148d412b5dfee0e1c
    • SHA256: e248b01e3ccde76b4d8e8077d4fcb4d0b70e5200bf4e738b45a0bd28fbc2cae6
  • Analysisbgifghejgf46_browsingExe.exe
    • SHA1: c5220b3c86b9c259d5b9c7eed8c7cc7ca1e6b33d
    • MD5: 81e306432126aad69430f5616eaa7cc0
    • SHA256: 5e1cec9e9011fc96638620a2ca8e08eeaeaea8a28c47fe619082abcc6794aebc

Terminator Antivirus Killer is a Vulnerable Windows Driver in Disguise

Terminator is allegedly capable of bypassing 24 different antivirus (AV), Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) security solutions, including Windows Defender, on devices running Windows 7 and later. In practice, Terminator simply drops the legitimate, signed Zemana anti-malware kernel driver, named zamguard64.sys or zam64.sys, and abuses it. Hashes for this driver are available on VirusTotal.

IOCs

  • Terminatorbgifghejbd14_browsingExe.exe
    • SHA1: c83075a691401c015566eff8b0d06c42410a9cbb
    • MD5: a603df50c86d427aafd85f8f965613ca
    • SHA256: ff113339f97e4511a3e49fd2cc4bc1a80f69a9e57e090644271fafb803f25408
  • Terminatorbgifghejbd14_edrExe.exe
    • SHA1: c83075a691401c015566eff8b0d06c42410a9cbb
    • MD5: a603df50c86d427aafd85f8f965613ca
    • SHA256: ff113339f97e4511a3e49fd2cc4bc1a80f69a9e57e090644271fafb803f25408
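Because the driver Terminator drops is a legitimately signed Zemana component, its presence alone is a lead rather than proof of compromise, whereas the dropper hashes listed above are definitive indicators. The script below, added here as an example and not code from Cymulate or from the original research, hunts a directory tree for both: it hashes every file and compares it against the Terminator IoC hashes copied from the list above, and separately reports files carrying the zamguard64.sys / zam64.sys names for review. The sample directory it builds for demonstration, with placeholder file contents, is constructed; the same functions apply to any directory you point them at.

```python
"""Hunt a directory tree for the Terminator dropper hashes and the Zemana
driver names. Added example; the sample files it creates are constructed."""
import hashlib
import sys
import tempfile
from pathlib import Path

# Hashes copied from the Terminator IoC entries above (lower-case hex).
TERMINATOR_IOCS = {
    "sha256": {"ff113339f97e4511a3e49fd2cc4bc1a80f69a9e57e090644271fafb803f25408"},
    "sha1": {"c83075a691401c015566eff8b0d06c42410a9cbb"},
    "md5": {"a603df50c86d427aafd85f8f965613ca"},
}

# Driver names the write-up says Terminator drops. The driver is signed by
# Zemana, so a name hit is flagged for review, not reported as a match.
SUSPECT_DRIVER_NAMES = {"zamguard64.sys", "zam64.sys"}


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of a file, reading it in chunks."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_tree(root, iocs=TERMINATOR_IOCS, driver_names=SUSPECT_DRIVER_NAMES):
    """Walk root recursively and return a list of (path, verdict, detail) tuples.

    verdict is 'match' when any digest equals a published IoC hash and 'review'
    when only the file name matches one of the Zemana driver names.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digests = hash_file(path)
        hit = next((algo for algo, value in digests.items() if value in iocs.get(algo, set())), None)
        if hit is not None:
            findings.append((str(path), "match", f"{hit} equals a published Terminator IoC"))
        elif path.name.lower() in driver_names:
            findings.append((str(path), "review", "name matches the Zemana driver Terminator drops"))
    return findings


def build_sample_tree():
    """Create a constructed sample directory: one file named like the driver
    (placeholder content, NOT the real driver) and one unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="terminator-hunt-"))
    driver = root / "drivers" / "zam64.sys"
    driver.parent.mkdir()
    driver.write_bytes(b"abc")                 # constructed placeholder content
    benign = root / "readme.txt"
    benign.write_bytes(b"hello world")
    return {"root": str(root), "driver": str(driver), "benign": str(benign)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()["root"]
    for path, verdict, detail in scan_tree(target):
        print(f"{verdict:6} {path}: {detail}")
```

Run it with a directory argument to scan real data; without one it scans the constructed sample tree, where only the name-based review finding fires, since the placeholder content does not hash to any IoC. Extending `TERMINATOR_IOCS` with the other hash sets on this page turns it into a general matcher for the whole monthly list.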


That is all for now!
Stay cyber safe and see you next month!
