November 2022 saw the emergence of several new cyber threats such as Alchimist, Insekt and Cryptonite. In addition, legacy threats such as DTrack (Lazarus) and LockBit 3.0 made comebacks with improved tactics.
Alchimist and Insekt
Discovered by Talos, the Alchimist command and control framework is written in Golang and capable of leveraging scripts to generate the Insekt RAT payload and attaching it to the framework.
Also built in Golang, the new trojan Insekt RAT can perform many tasks ranging from screen capture to a variety of payload deployments.
Azov Ransomware
Distributed through adware bundles, pirated software, the SmokeLoader application, and other means, the Azov data wiper irremediably destroys the target’s data and attempts to infect other programs.
Conceived as a time bomb, Azov ransomware includes a trigger time that lets it stay dormant until that time, originally October 27th, 2022. When triggered, Azov corrupts all data on the device by overwriting alternating 666-byte chunks with garbage data.
Aside from an attempt to troll cybersecurity researchers by naming them as the data wiper’s creator, the threat actor’s goal is unclear, with guesses ranging from attempts to cover up other malicious behaviors to simply a whimsical game of random data destruction, just for the fun of it.
As Azov Ransomware victims cannot recover their files and risk seeing other executables infected, reinstalling Windows is recommended.
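The alternating-chunk overwrite described above leaves a recognisable signature: every other 666-byte slice of a file becomes high-entropy garbage while the slices in between keep their original, usually lower, entropy. The following Python is an added triage heuristic, not code from the page or from Cymulate; the 666-byte chunk size comes from the page, while the entropy threshold, the alternation score and the sample files are constructed assumptions.

```python
import math
import random
from collections import Counter

CHUNK = 666          # alternating chunk size reported for Azov's overwrite (from the page)
HIGH_ENTROPY = 6.5   # bits/byte; assumed threshold separating garbage from typical document data


def shannon_entropy(block):
    """Shannon entropy of a byte block in bits per byte (0.0 for an empty block)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def chunk_entropies(data, chunk=CHUNK):
    """Entropy of each consecutive `chunk`-byte slice of `data`."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def alternation_score(data, chunk=CHUNK, high=HIGH_ENTROPY):
    """Fraction of neighbouring chunk pairs whose high/low-entropy status flips.

    Intact documents (mostly low entropy) and compressed archives (mostly high
    entropy) both score near 0; a file whose every other chunk was overwritten
    with garbage scores near 1. The score does not care which chunk was hit first.
    """
    flags = [e >= high for e in chunk_entropies(data, chunk)]
    if len(flags) < 4:
        return 0.0  # too few chunks to make a claim
    flips = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    return flips / (len(flags) - 1)


def looks_alternately_overwritten(data, chunk=CHUNK, threshold=0.9):
    """True when the file shows the near-perfect alternation an Azov-style wipe leaves."""
    return alternation_score(data, chunk) >= threshold


def build_samples():
    """Constructed test files (not real victim data): an intact text report and a
    copy with every other 666-byte chunk replaced by seeded pseudo-random garbage."""
    rng = random.Random(2022)
    text = (b"Quarterly report: revenue, costs and headcount by region.\n" * 200)[:CHUNK * 12]
    damaged = bytearray(text)
    for start in range(0, len(damaged), CHUNK * 2):
        end = min(start + CHUNK, len(damaged))
        damaged[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(text), bytes(damaged)


if __name__ == "__main__":
    intact, damaged = build_samples()
    for name, blob in (("intact", intact), ("damaged", damaged)):
        print(f"{name}: score={alternation_score(blob):.2f} "
              f"flagged={looks_alternately_overwritten(blob)}")
```

Run it over suspect files on an image taken from an affected host; a high score across many user documents supports the "wipe, do not attempt recovery" conclusion the page reaches, since the overwritten halves are unrecoverable regardless of what the intact halves still contain.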
Cryptonite Ransomware
Programmed in Python and available as a FOSS (Free and Open Source) ransomware, Cryptonite is fully functional ransomware, though it requires configuring a server to receive input from a malicious payload running on a victim machine.
It relies on ngrok to establish a reverse proxy that hides the server’s IP address.
The Comebacks
Known threat actors have kept busy improving on old tactics, techniques and procedures.
Emotet
Dormant since last July, Emotet returned this November with malspam campaigns built on “thread hijacking” techniques, where the attacker attaches a plain or zip-protected file to a hijacked email thread.
There have been reports of Emotet dropping IcedID and Bumblebee, in addition to using Excel attachments as visual lures.
In addition, it is also used to deploy Quantum ransomware (a rebrand of MountLocker ransomware). The Quantum ransomware attacks used various tools (including Cobalt Strike, Rclone, Tactical RMM, and AnyDesk) to achieve lateral movement, data exfiltration, and remote access, alongside legitimate Windows tools such as systeminfo, ping, net, nltest, and whoami for local and remote discovery.
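Because systeminfo, ping, net, nltest and whoami are all legitimate Windows binaries, none of them is suspicious on its own; what stands out in the Quantum intrusions is several of them running in quick succession under one user. The following Python is an added detection sketch, not code from the page or from Cymulate: it reads constructed process-creation records in a simple key=value layout (assumed, not a real product format), groups them by host and user, and raises one alert when at least three distinct discovery binaries from the page's list run within a five-minute window. The window length and the three-tool threshold are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Living-off-the-land discovery binaries named on the page for the Quantum intrusions.
DISCOVERY_TOOLS = {"systeminfo.exe", "ping.exe", "net.exe", "nltest.exe", "whoami.exe"}

# Constructed process-creation records (not real telemetry). WS01 shows a burst;
# WS02 runs the same tools, but hours apart, as a helpdesk user might.
SAMPLE_LOG = """\
2022-11-14T09:58:02Z host=WS01 user=jdoe parent=explorer.exe image=OUTLOOK.EXE cmdline="outlook.exe"
2022-11-14T10:02:11Z host=WS01 user=jdoe parent=cmd.exe image=whoami.exe cmdline="whoami /all"
2022-11-14T10:02:19Z host=WS01 user=jdoe parent=cmd.exe image=systeminfo.exe cmdline="systeminfo"
2022-11-14T10:02:40Z host=WS01 user=jdoe parent=cmd.exe image=net.exe cmdline="net group /domain"
2022-11-14T10:03:05Z host=WS01 user=jdoe parent=cmd.exe image=nltest.exe cmdline="nltest /dclist:corp"
2022-11-14T10:03:30Z host=WS01 user=jdoe parent=cmd.exe image=ping.exe cmdline="ping -n 1 dc01"
2022-11-14T08:15:00Z host=WS02 user=helpdesk parent=cmd.exe image=ping.exe cmdline="ping printer01"
2022-11-14T13:40:00Z host=WS02 user=helpdesk parent=cmd.exe image=whoami.exe cmdline="whoami"
2022-11-14T16:02:00Z host=WS02 user=helpdesk parent=cmd.exe image=net.exe cmdline="net use"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["image"] = ev["image"].lower()
    return ev


def find_discovery_bursts(lines, window=timedelta(minutes=5), min_tools=3):
    """Flag (host, user) pairs that ran >= min_tools distinct discovery binaries
    within `window`. One alert per pair, carrying the widest tool set seen."""
    events = [ev for ev in map(parse_line, lines) if ev and ev["image"] in DISCOVERY_TOOLS]
    events.sort(key=lambda ev: ev["ts"])
    by_actor = defaultdict(list)
    for ev in events:
        by_actor[(ev["host"], ev["user"])].append(ev)

    alerts = []
    for (host, user), evs in by_actor.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            tools = {ev["image"] for ev in evs[start:end + 1]}
            if len(tools) >= min_tools and (best is None or len(tools) > len(best["tools"])):
                best = {"host": host, "user": user, "first": evs[start]["ts"],
                        "last": evs[end]["ts"], "tools": tuple(sorted(tools))}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same sliding-window shape works for Sysmon event ID 1 or EDR process telemetry once the parser is swapped; keep the alert keyed on host and user rather than on the parent process, since the page notes that the same operators also arrive through remote-access tools such as AnyDesk, which would change the parent but not the pattern.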
Bumblebee
Already quite active last month, Bumblebee is back this November with new loading options, including Meterpreter agent and Cobalt Strike Beacons, used after delivering an ISO file that contains an LNK and a DLL.
Additional attack steps include reconnaissance, using two different UAC bypass techniques, dumping credentials, escalating privileges through a ZeroLogon exploit, and moving laterally through the targeted environment.
APT 36 – Limepad
APT 36 (AKA Transparent Tribe, ProjectM, Mythic Leopard, or TEMP.Lapis) has been using the previously unknown Limepad data exfiltration tool to target India, using a series of new domain names hosting web pages masquerading as the official Kavach app download portal.
Kavach is an Indian app that provides two-factor authentication to the user for accessing their government email service.
Both the Limepad exfiltration tool and the malvertising approach are newly documented APT36 techniques.
APT 10 – LODEINFO
New versions of the fileless LODEINFO shellcode (v0.5.9, v0.6.2, v0.6.3, and v0.6.5) beacon out machine information such as the current time, ANSI code page (ACP) identifier, MAC address, hostname, and more. The shellcode also contains a hardcoded key (NV4HDOeOVyL) that is later used with the age-old Vigenère cipher.
Furthermore, randomly generated junk data is appended to the end of the beacon data, possibly to evade beaconing detection.
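A Vigenère cipher with a hardcoded key is a repeating-key substitution, which is why it offers an analyst so little resistance: anyone holding the key decodes every beacon, and even without it a single known field (a hostname, a timestamp format) recovers the key stream and its period. The Python below is an added educational example, not code from the page, from Kaspersky or from the malware; it uses the key string the page reports but assumes its own alphabet (upper- and lower-case letters plus digits), its own beacon field layout, and per-character keying. LODEINFO's actual byte-level encoding and the framing of the appended junk are not on the page and are not modelled here.

```python
# Alphabet assumed for this demonstration; chosen so the page's key (letters and a digit) fits.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
KEY = "NV4HDOeOVyL"  # hardcoded key reported on the page for LODEINFO

# Constructed beacon body (not a captured sample); separators are outside the alphabet.
SAMPLE_BEACON = "hostname=WS01;acp=1252;mac=00-11-22-33-44-55"


def _shift(ch, key_ch, alphabet, direction):
    """Shift one alphabet character by the key character; pass others through."""
    i = alphabet.find(ch)
    if i < 0:
        return ch, False  # not in alphabet: emitted unchanged, key does not advance
    k = alphabet.index(key_ch)
    return alphabet[(i + direction * k) % len(alphabet)], True


def vigenere(text, key, alphabet=ALPHABET, decrypt=False):
    """Repeating-key Vigenère over `alphabet`; decrypt=True reverses it."""
    direction = -1 if decrypt else 1
    out, j = [], 0
    for ch in text:
        c, advanced = _shift(ch, key[j % len(key)], alphabet, direction)
        out.append(c)
        if advanced:
            j += 1
    return "".join(out)


def recover_key(plaintext, ciphertext, alphabet=ALPHABET, max_period=64):
    """Known-plaintext recovery: subtract plaintext from ciphertext to get the key
    stream, then return the shortest period that explains the whole stream."""
    stream = []
    for p, c in zip(plaintext, ciphertext):
        ip, ic = alphabet.find(p), alphabet.find(c)
        if ip < 0 or ic < 0:
            continue  # pass-through characters carry no key material
        stream.append(alphabet[(ic - ip) % len(alphabet)])
    for period in range(1, min(max_period, len(stream)) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return "".join(stream[:period])
    return "".join(stream)


if __name__ == "__main__":
    ct = vigenere(SAMPLE_BEACON, KEY)
    print("encoded :", ct)
    print("decoded :", vigenere(ct, KEY, decrypt=True))
    print("key from known plaintext:", recover_key(SAMPLE_BEACON, ct))
```

The `recover_key` step is the practical point for detection engineering: once one beacon is decoded with a known host's values, the recovered key and its 11-character period can be turned into a decoder for the rest of the traffic, while the random junk the page mentions changes the beacon's length and hash without affecting the cipher at all.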
Guloader New Variant
Unit 42 uncovered a Guloader variant carrying a shellcode payload protected by anti-analysis techniques designed to slow human analysts and sandboxes processing infected samples.
Unit 42 created the IDA Processor module extension script to automatically deobfuscate the sample.
QakBot
The modular QakBot malware started using valid code signing certificates stolen from smaller “micro-organizations” in an attempt to evade detection.
Still using spear-phishing attachments as the initial attack vector, QakBot might be using Cobalt Strike and built-in modules with Mimikatz capabilities to dump code signing certificates from victims.
In a subsequent attack wave, QakBot modified its deployment tactics and exploited a DLL hijacking technique that abuses the Windows 10 (or later) Control Panel executable.
Once opened, the HTML attachment included in the phishing campaign displays a fake Google Drive page that auto-downloads a password-protected archive and shows the password required to open the infected archive.
This archive contains four files used to launch the Control Panel, side-load the QakBot loader, and ultimately infect the system with QakBot.
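The side-load described above has a simple telemetry shape: a Windows binary that lives under the OS directory loads an unsigned DLL from a user-writable location such as a Downloads folder. The Python below is an added detection sketch, not code from the page or from Cymulate; it scores constructed image-load events (field names are assumed, loosely modelled on an EDR image-load record) and flags that shape. The archive file names are placeholders, since the page does not list them.

```python
from pathlib import PureWindowsPath

# Processes expected to load only from these trees; prefixes are compared case-insensitively.
OS_DIRS = ("c:\\windows\\",)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed image-load events (not real telemetry). The first mirrors the page's
# Control Panel side-load; the DLL name "helper.dll" is a placeholder.
SAMPLE_IMAGE_LOADS = [
    {"host": "WS01", "image": r"C:\Windows\System32\control.exe",
     "loaded": r"C:\Users\jdoe\Downloads\archive\helper.dll", "signed": False},
    {"host": "WS01", "image": r"C:\Windows\System32\control.exe",
     "loaded": r"C:\Windows\System32\shell32.dll", "signed": True},
    {"host": "WS03", "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\plugin.dll", "signed": False},
]


def _under(path, prefixes):
    """True when a Windows path (normalised, lower-cased) starts with one of `prefixes`."""
    normalised = str(PureWindowsPath(path)).lower()
    return any(normalised.startswith(p) for p in prefixes)


def is_suspicious_load(ev):
    """OS binary + DLL outside the OS/Program Files trees + no valid signature."""
    return (_under(ev["image"], OS_DIRS)
            and not _under(ev["loaded"], TRUSTED_DIRS)
            and not ev["signed"])


def sideload_alerts(events):
    """Reduce image-load events to the ones matching the side-load shape."""
    return [{"host": ev["host"], "image": ev["image"], "loaded": ev["loaded"]}
            for ev in events if is_suspicious_load(ev)]


if __name__ == "__main__":
    for alert in sideload_alerts(SAMPLE_IMAGE_LOADS):
        print(alert)
```

The third sample event is deliberately not flagged: a vendor application loading its own unsigned plugin is common and would swamp the rule, so the heuristic keys on the process living under the OS directory, which is exactly the property the Control Panel abuse relies on.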
APT41 – Earth Longzhi
Earth Longzhi is a subgroup of China-linked APT 41 seen targeting multiple sectors across Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.
Earth Longzhi uses customized versions of known hacking tools for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (a custom standalone Mimikatz), and disabling security products. Instead of using public tools as they are, the threat actors reimplement or develop their own tools based on open-source projects.
Earth Preta
A wave of spear-phishing attacks monitored by Trend Micro and targeting the government, academic, foundation, and research sectors worldwide was identified as a large-scale cyberespionage campaign.
The attackers used various techniques to evade detection and analysis (e.g., code obfuscation and custom exception handlers), and analysts also believe that the attackers conducted research on, and potentially prior breaches of, the target organizations, which gave them familiarity with those environments.
LockBit 3.0
The infamous LockBit group, which improved its ransomware through a bug bounty program, has been intensively active lately, including in an attack against Continental, with a claim of 40k gigabytes of data that it has begun to release after not receiving payment.
Regardless of the public spotlight, LockBit continues its rise to the top of the ransomware ecosystem and, according to The Record, is currently the most prevalent ransomware strain.
Aurora – Cheshire
Available as Malware-as-a-Service (MaaS) commercialized by the threat actor Cheshire, the Aurora multipurpose botnet (with data collection, information stealing, downloading, and remote access Trojan (RAT) capabilities) is gaining traction among traffers.
Traffers are malicious actors in charge of generating non-legitimate traffic and play a key role in distributing threats.
Written in Golang, Aurora targets browsers, cryptocurrency wallets, and local systems and can even act as a loader.
RansomExx
RansomExx ransomware has been rewritten in Rust, a move designed to lower the AV detection rate; this is the main difference from its C++ predecessor. Both require a list of target directories to encrypt, passed as command line parameters, and then encrypt files using AES-256, with RSA used to protect the encryption keys.
Named RansomExx2, based on strings found within the ransomware, this version is designed to run on Linux.
The Oldies
Known actors, even if they are not creating new offensive tools, can increase their activities enough to raise alarm.
DTrack – Lazarus
First spotted in 2019, DTrack is a backdoor developed by Lazarus that allows criminals to upload, download, start, or delete files on the victim host. The standard DTrack toolset includes a keylogger, a screenshot maker, and a module for gathering victim system information.
The Lazarus group’s DTrack backdoor was seen in numerous localized attacks targeting Europe and Latin America this month.
And that concludes this month’s cyberthreat breakdown.
—–
To find out if your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions in case your organization turns out to be vulnerable. IOCs are also available in the Cymulate UI!
Stay cyber-safe!