This month, threat actors kept refining their attack strategies to maximize their profits.
Attack Kit of the Clones
There is a trend for threat actor groups to use attack kits that are clones of the kits used by their competitors. For example, the new ransomware operator Atom Silo gained access to its victim's corporate environment by exploiting a vulnerability in Atlassian Confluence, a web-based collaboration platform for enterprise teams. The ransomware Atom Silo deployed is virtually identical to LockFile, a family known for its "intermittent encryption" technique, which encrypts only parts of each file to slip past detection, and for adopting tactics from earlier ransomware operators. Atom Silo also used several novel techniques, such as side-loading malicious dynamic-link libraries tailored to disrupt endpoint protection software. Once inside, the group moved laterally across the victim's network, compromising multiple servers, executing backdoor binaries, and conducting further reconnaissance. About eleven days after the initial intrusion, the ransomware was deployed together with a malicious kernel driver used to disable endpoint protection.
Have Ransomware, Will Travel
Another significant trend is the intermingling of ransomware groups for profit. For instance, the threat actor group BlackMatter has ties to both the REvil and DarkSide ransomware operators. BlackMatter runs a ransomware-as-a-service (RaaS) model in which independent cyber criminals, the affiliates, infiltrate networks and install the ransomware on servers and PCs, while the RaaS operators handle victim notification and ransom negotiation and pay the affiliates a share of the ransom received. In October 2021, BlackMatter stepped up its game by informing victims that if its demands were not met, all of their stolen data would be published. BlackMatter targets US critical infrastructure entities; its attacks on farming co-ops, for example, could result in food shortages.
Rogue nations also stepped up their game in October 2021. Operation GhostShell, a highly targeted Iranian cyber espionage campaign against the aerospace and telecommunications industries, deployed ShellClient, a Remote Access Trojan (RAT) designed to steal sensitive information about the critical assets, infrastructure, and technologies of the victimized companies. ShellClient abuses cloud-based storage services such as Dropbox for Command and Control (C2), so that its traffic blends in with legitimate use and remains undetected. Suspected Iranian state-sponsored threat actors linked to ShellClient include Chafer APT (APT39), Agrius APT, and the newly identified MalKamak group. Separately, Charming Kitten (APT35) uploaded an app to Google's Play Store that masqueraded as a virtual private network service and collected call logs, text messages, contacts, and location data from compromised devices.
Bank Robbers 2.0
In October 2021, financial institutions were targeted again, this time by the MirrorBlast campaign, which mirrors the tactics, techniques, and procedures of the Russia-based threat group TA505: the same attack chain, the same GetandGo functionality, the same final payload, and the same domain name patterns. REvil, meanwhile, remains one of the most prolific extortion operations; among its victims are the hardware company Acer, which faced a ransom demand of $50M that was set to double to $100M if unpaid, Apple supplier Quanta Computer, and thousands of companies that use Kaseya's IT management software.
Year of the RAT
This month, a China-linked hacking group, suspected to be IronHusky, exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a new RAT dubbed MysterySnail. Variants of the malware were detected in widespread espionage campaigns against IT companies, military and defense contractors, and diplomatic entities. MysterySnail collects and exfiltrates system information from compromised hosts before contacting its C2 server for further commands. It can then perform various tasks on the infected machine, such as creating new processes and killing running ones, launching interactive shells, and acting as a proxy server that supports up to 50 simultaneous connections.
Also in October 2021, an unknown ransomware group encrypted VMware ESXi servers with a Python script. Python is not commonly used in ransomware development, but for targeting ESXi it is a logical choice: the hypervisor ships with a Python interpreter by default, so the attackers did not need to drop any additional runtime. Once they had access to a vulnerable ESXi hypervisor, they used the script to encrypt the virtual machines running on it.
- The attackers breached the victim's network by logging into a TeamViewer account on a device whose user was also logged on as a domain admin.
- They then scanned the network for additional targets with Advanced IP Scanner and logged onto an ESXi server over SSH using the built-in ESXi Shell service.
- The ransomware operators then executed a 6 KB Python script to encrypt the virtual disk and VM configuration files of the virtual machines.
- The script contained variables for multiple encryption keys and contact email addresses, and for customizing the suffix appended to encrypted files.
- The threat actors shut down the virtual machines and then worked through the original VM files on the datastore volumes, writing an encrypted copy of each.
- Finally, they deleted the originals, leaving only the encrypted files behind.
Multiple ransomware gangs, including DarkSide, RansomExx, and Babuk Locker, have previously exploited pre-authentication RCE bugs in VMware ESXi to encrypt the virtual hard disks of the many VMs that enterprises consolidate on these hypervisors.
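The ESXi intrusion chain above leaves a visible trail in the ESXi Shell command history, which the hypervisor records in /var/log/shell.log and can forward via syslog. The Python below is an added example written for this post; it is not the attackers' script, nor Cymulate's or VMware's code. It parses constructed shell.log-style lines (the entries are made up and the format is approximated, not a capture from the incident) and flags a session that enumerates VMs, powers several of them off, runs a Python script from a non-system path, and removes VM files within one time window. The regular expressions, the sixty-minute window, and the two-power-off threshold are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of ESXi /var/log/shell.log (format approximated).
# These lines are made up for the example, not a real capture.
SAMPLE_SHELL_LOG = """\
2021-10-02T01:12:03Z shell[20101]: [root]: ls /vmfs/volumes/
2021-10-02T01:12:40Z shell[20101]: [root]: vim-cmd vmsvc/getallvms
2021-10-02T01:13:05Z shell[20101]: [root]: vim-cmd vmsvc/power.off 1
2021-10-02T01:13:06Z shell[20101]: [root]: vim-cmd vmsvc/power.off 2
2021-10-02T01:13:07Z shell[20101]: [root]: vim-cmd vmsvc/power.off 3
2021-10-02T01:13:30Z shell[20101]: [root]: python /tmp/.svc/enc.py
2021-10-02T01:15:50Z shell[20101]: [root]: rm /vmfs/volumes/ds1/app01/app01.vmdk
2021-10-02T01:15:51Z shell[20101]: [root]: rm /vmfs/volumes/ds1/app01/app01.vmx
"""

# Constructed benign admin session: one VM retired by hand, no script, no mass shutdown.
BENIGN_SHELL_LOG = """\
2021-10-02T09:00:00Z shell[30500]: [root]: vim-cmd vmsvc/getallvms
2021-10-02T09:00:20Z shell[30500]: [root]: vim-cmd vmsvc/power.off 4
2021-10-02T09:01:00Z shell[30500]: [root]: rm /vmfs/volumes/ds1/old/old.vmdk
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
ENUM_RE = re.compile(r"\bvim-cmd\s+vmsvc/getallvms\b")
POWER_OFF_RE = re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b")
# A python interpreter started on a script that lives outside the ESXi system paths.
PYTHON_RE = re.compile(r"\bpython[0-9.]*\s+(?P<script>/(?!bin/|usr/|lib/)\S+)")
RM_RE = re.compile(r"^\s*rm\b")
VM_FILE_RE = re.compile(r"\.(vmdk|vmx|vmsd|vmsn|vmxf|nvram)\b")


@dataclass
class ShellEvent:
    ts: datetime
    pid: str   # shell process id, used here as the session key
    user: str
    cmd: str


def parse_shell_log(text):
    """Turn shell.log-style lines into ShellEvent records, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ShellEvent(ts, m["pid"], m["user"], m["cmd"]))
    return events


def detect_vm_encryption_chain(events, window=timedelta(minutes=60), min_power_off=2):
    """Flag each shell session that powers off several VMs, runs a script from a
    non-system path, and removes VM files, all inside one window (assumed thresholds)."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev.pid].append(ev)

    findings = []
    for pid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        power_off = [e for e in evs if POWER_OFF_RE.search(e.cmd)]
        script_runs = [e for e in evs if PYTHON_RE.search(e.cmd)]
        rm_vm = [e for e in evs if RM_RE.search(e.cmd) and VM_FILE_RE.search(e.cmd)]
        if len(power_off) < min_power_off or not script_runs or not rm_vm:
            continue
        chain = power_off + script_runs + rm_vm
        start, end = min(e.ts for e in chain), max(e.ts for e in chain)
        if end - start > window:
            continue
        findings.append({
            "pid": pid,
            "user": evs[0].user,
            "enumerated_vms": any(ENUM_RE.search(e.cmd) for e in evs),
            "powered_off": len(power_off),
            "scripts": [PYTHON_RE.search(e.cmd)["script"] for e in script_runs],
            "vm_files_removed": [e.cmd.split()[-1] for e in rm_vm],
            "duration_s": int((end - start).total_seconds()),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_vm_encryption_chain(parse_shell_log(SAMPLE_SHELL_LOG)):
        print("ESXi VM encryption chain:", finding)
    print("benign session findings:", detect_vm_encryption_chain(parse_shell_log(BENIGN_SHELL_LOG)))
```

Run against the sample, the attacker session is reported with three power-offs, the /tmp script, and the two removed VM files, while the benign maintenance session produces nothing. In practice the same logic belongs in the SIEM that receives the host's syslog stream, and the cheaper control is to keep the ESXi Shell and SSH services stopped when nobody is using them, which removes the channel the attackers relied on in the first place.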
The Bright Side
On a positive note, the FBI, US Cyber Command, and the US Secret Service, in cooperation with several other countries, took over the Tor payment portal and data leak blog of the notorious REvil group, leaving it crippled and without a platform. Also in October, Ukrainian police arrested two members of a ransomware gang, most likely REvil, suspected of having attacked more than 100 foreign companies in North America and Europe and causing $150M in damages to Western organizations. The police also confiscated $1.3M in cryptocurrency.
To find out whether your organization is protected against the latest malware attacks, run Cymulate's Immediate Threat Assessment. It lets you test and verify for yourself whether your organization is exposed to these attacks, and it suggests mitigations if it turns out that you are vulnerable. IOCs are also available in the Cymulate UI.
Stay cyber safe!