Threat actors keep stepping up their game in November 2020
PyXie (aka GOLDEN DUPONT)
PyXie has conducted successful ransomware campaigns since 2018 and counts healthcare, educational, government, and technology organizations among its favorite targets. In its attacks, the group uses the Vatet loader, which was built by combining and modifying several open-source tools into a highly effective attack tool. The loader executes payloads such as Cobalt Strike. The group’s malware arsenal also contains PyXie Lite, which is designed to find and exfiltrate files that can later be used for extortion. The group also uses its own PyXie Remote Access Tool (RAT) and Defray777, the first ransomware with standalone executables for both Windows and Linux. Native binaries for each platform remove the need for cross-platform ransomware written in Java or in scripting languages such as Python.
An example of a recent PyXie ransomware campaign:
- The campaign started with the delivery of bank Trojans such as IcedID or Trickbot.
- Once the bank Trojan established a foothold in the victim’s network, the Vatet loader as well as the PyXie and Cobalt Strike malware were deployed.
- Then, the Defray777 ransomware was deployed in the memory.
- The victim’s files were encrypted on local drives and file shares.
- The attackers then left the compromised system without leaving traces other than the encrypted files and ransom notes.
DLL Side-Loading Method
Not surprisingly, threat actors and groups keep learning from each other, which makes their campaigns even more persistent and devastating. For example, during November we saw DLL side-loading, a method that has been popular with APT groups for several years, go mainstream in the cybercrime community. Side-loading uses a malicious DLL that spoofs a legitimate one and relies on a legitimate Windows executable to load and execute the malicious code. In November 2020, we saw a new variant of this payload that had not been observed before. The DLL side-loading scenarios executed malicious code and installed backdoors in the victims’ networks, and the samples still carried a program database (PDB) path and plaintext strings. The APT group combined this DLL side-loading method with script-kiddie-style messages, advanced deployment, and careful targeting to cloak its identity.
On the malware front, we saw Gootkit malware make a comeback alongside REvil ransomware in a new campaign targeting Germany. The threat actors hacked WordPress sites and used SEO poisoning to display fake forum posts to visitors. These posts pretended to be Q&As with links to fake forms or malicious downloads. Once a link was clicked, a ZIP file containing an obfuscated JS file was downloaded, and either the Gootkit malware or the REvil ransomware was installed.
Also, the MedusaLocker ransomware was active in multiple attacks, especially in the healthcare industry. Apart from avoiding encryption of executable files, MedusaLocker uses a combination of AES and RSA-2048. In November, AKO, a variant of MedusaLocker, added an element of blackmail, threatening to release stolen files publicly. As we have seen before, these kinds of blackmail and extortion methods have become popular in the ransomware marketplace, where more and more auctions are organized on the dark web.
Egregor, a ransomware from the Sekhmet malware family, was used to target companies, steal information, and encrypt all the data on the compromised system. Egregor contains multiple anti-analysis techniques, such as code obfuscation and packed payloads, which is what makes it so effective. Its payload can only be decrypted if the correct key is supplied on the process’s command line, which means that without that key the file cannot be analyzed manually or in a sandbox. The threat actors using Egregor have shifted the focus of their attacks from online games to the retail sector. In the coming months, more sectors are expected to be targeted.
We would like to end this wrap-up with some mitigation tips when your network has been breached:
- Change all user passwords used on the machine
- Search for malicious traffic in your SIEM based on the IOCs provided
- Verify that you have offline backups for the complete restoration of all files
- Verify that your AV, EPP, EDR, Email Gateway, and Web Gateway are all up to date
- Where applicable, block the impacted domain and any associated URLs and IP addresses
- Where applicable, block the relevant hashes
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This lets you test and verify for yourself whether your organization is exposed to these attacks. It also offers mitigation suggestions if it turns out that your organization is indeed vulnerable. The IOCs are also available in the Cymulate UI.