NEW IMMEDIATE THREAT DISCOVERED
TONTO TEAMS FAILED ATTEMPT TO COMPROMISE GROUP IB
Activity attributed to the Chinese espionage group the Tonto Team has targeted various strategic sectors including healthcare government financial education military energy and Information technology since at least 2009.
In a recent campaign the threat group targeted the security firm Group IB by sending weaponized attachments to employees.
Masquerading as employees of legitimate organizations the Tonto team used fake email ID created with GMX Mail.
The malicious attachments were created with the Royal Road weaponizer which can create documents that attempt to exploit CVEs related to the MS Equation Editor vulnerabilities.
The campaign further used the Bisonal DoubleT backdoor as well as the TontoTeam.Downloader (akaQuickMute) to obtain the threat actors objective which included collecting GroupIB intellectual property.
HARDBIT 2.0 RANSOMWARE
When first observed HardBit is a ransomware threat that targets organizations to extort cryptocurrency payments for the decryption of their data.
Seemingly improving upon their initial release, HardBit version 2.0 was introduced with samples seen throughout the end of 2022 and into 2023.
Like most modern ransomware threats, HardBit claims to steal sensitive data from their victims, likely upon first gaining access to the network, before launching their payload to encrypt data.
Unlike many of their peers, however, HardBit does not appear to have a leak site at this time and is not currently using the double extortion tactic, in which victims are "named and shamed" and threatened with public exposure of their stolen data.
While the threat of stolen data being sold or published remains, the group threatens further attacks against the victim should their ransom demands not be met.
HIDING HTML SMUGGLERS IN YOUR INBOX
Threat actors utilize HTML Smuggling techniques in recent campaigns to deliver Qakbot XWorm Cobalt Strike and IcedID.
Initially a spear-phishing email is sent to the target with an HTML attachment once opened the HTML file may directly drop an archive file containing a malicious LNK file to the victim machine or present a file impersonating well know vendors such as Adobe Google or Dropbox.
The victim is then coerced into executing the archive or saving and executing a malicious file in the form of an .ISO .IMG or VHD image file.
In either scenario the file contains an LNK file that executes commands to load a decoy file and uses the native binary rundll32 to load the malware payload.
SEVEN DAYS OF THE COLLECT EXFILTRATE SLEEP REPEAT SPIN CYCLE
Threat actors targeted users in a phishing campaign that delivered a job application themed macro enable document.
If the unsuspecting recipient executed the document and enabled the macro VBS and PowerShell files were created for further compromise of the machine.
The malicious scripts made use of many OS native tools as well as some legitimate open source packages to carry out nefarious tasks.
Scheduled tasks were created to gather system information gather local and domain user account and install a keylogger that was developed from the opensource software AutoHotkey.
Although the attackers successfully acquired access and exfiltrated some collected data the attackers were not seen carrying out further actions on the victim machines.
MIRAI BOTNET DELIVERS MEDUSA BOTNET TO TARGET LINUX USERS
A Mirai botnet campaign has been delivering a recently discovered botnet and stealer malware called Medusa Botnet.
The malware has the capabilities to acquire infected machines to build upon its infrastructure as well as target victims for DDoS attacks and encrypt targets with ransomware.
The malware has been seen using open-source tools such as psutil, ZMap, scapy as well as common binaries like telnet, SSH and wget.
New MortalKombat ransomware targets systems in the U.S.
Hackers conducting a new financially motivated campaign are using a variant of the Xortist commodity ransomware named 'MortalKombat,' together with the Laplas clipper in cyberattacks.
Both malware infections are used to conduct financial fraud, with the ransomware used to extort victims to receive a decryptor and Laplas to steal cryptocurrency by hijacking crypto transactions.
Laplas is a cryptocurrency hijacker released last year that monitors the Windows clipboard for crypto addresses and, when found, substitutes them for addresses under the attacker's control.
As for MortalKombat, Cisco Talos says the new ransomware is based on the Xorist commodity ransomware family, which utilizes a builder that lets threat actors customize the malware.
Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities | CISA
This CSA is supplementary to previous reports on malicious cyber actor activities involving DPRK ransomware campaignsnamely Maui and H0lyGh0st ransomware.
The authoring agencies are issuing this advisory to highlight additional observed TTPs DPRK cyber actors are using to conduct ransomware attacks targeting South Korean and U.S.
New Mimic Ransomware Abuses Everything APIs for its Encryption Process
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
This ransomware (which Analysts named Mimic based on a string analysts found in its binaries), targets Russian and English-speaking users.
Water Dybbuk Using Open-Source Toolkits To Carry Out BEC Campaign
The Water Dybbuk threat group targets large companies around the world with a Business Email Compromise (BEC) campaign to steal credentials.
The initial attack vector consists of spear-phishing emails with malicious attachments directing victims to malicious websites.
Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy a new ESXiArgs ransomware.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't yet been updated.
CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.
CVE-2021-21974 affects the following systems:
ESXi versions 7.x prior to ESXi70U1c-17325551
ESXi versions 6.7.x prior to ESXi670-202102401-SG
ESXi versions 6.5.x prior to ESXi650-202102101-SG
Operation Ice Breaker
This is a new threat actor.
Analysts are tracking it as Ice Breaker APT.
Although research is still ongoing, analysts are releasing the attacker's Modus Operandi, attack chain, ways to mitigate the threat and supported IOCs, TTPs and Yara.
Ice Breaker is using a very specific social engineering technique that somewhat sacrifices their identity.
Convincing the human operator to open the ZIP or LNK file, the threat actor was only steps away from harvesting credentials, open a reverse shell and start the 2nd stage of the attack.
Trigona Ransomware Analysis
Trigona ransomware appeared on the threat landscape in late 2022 and threatens to release stolen data if the ransom is not paid.
The threat actors behind the malicious software will decrypt three files for free to prove the victims will get their sensitive data back.
The ransomware appends "._locked" to encrypted files and drops a ransom note in HTML format with instructions on how to retrieve the locked files.
Ukraine CERT-UA: Compromised Email Address Used To Deliver Malware Variants
An adversary was discovered using a compromised e-mail address to send phishing emails with a malicious PDF attachment.
The files used in the attack were protected by VMProtect to hinder analysis.
Successful intrusions resulted in systems infected with variants from the RomCom, FateGrab, and StealDeal malware families.
Ukraine Government Sector Targeted With The DolphinCape Information Stealer
The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which appeared to be sent from the State Emergency Service of Ukraine.
Opening the attachment resulted in VBScript code creating a scheduled task for persistence and a PowerShell script downloading the DolphinCape information stealer.
The malicious software is capable of exfiltrating system information as well as screenshots of the infected device.
Multiple Malware Variants Distributed Through Microsoft OneNote
Spear-phishing emails with malicious Microsoft OneNote attachments were discovered delivering variants from the AsyncRAT, Formbook, Remcos, and XWorm malware families.
Multiple legitimate Microsoft Windows utilities were used to carry out the operation including cmd, BITSAdmin, PowerShell, wscript, and curl.
The adversary took advantage of the right-to-left override (RTLO or RLO) technique to convince the victim to execute files which appeared to be benign.
Playing Whack-a-Mole With New Dharma Ransomware Variants
The Dharma ransomware family was initially identified in 2016 and operates as a Ransomware-as-a-Service (RaaS) model.
Incidentally, one version of the ransomware was leaked and whomever gained access altered it to suit their needs.
The malware uses multiple initial access vectors such as exposed Microsoft Remote Desktop Protocol (RDP) servers and phishing with attachments masquerading as legitimate software.
The ransomware encrypts files within the system and launches mshta.exe to display an HTML file containing ransom details.