Threat Intelligence Report April 11 - April 17 2023

A novel Android Banking Trojan has recently been identified by researchers and is dubbed "Chameleon". This new strain appears to be unrelated to any known Trojan families and has been active since January 2023, with users in Australia and Poland being specifically targeted. The Chameleon Trojan uses the Accessibility Service to perform malicious activities similar to other Banking Trojans and masquerades as legitimate apps like CoinSpot, a cryptocurrency app, and government agencies in Australia and Poland, such as IKO Bank. The Trojan was observed using different software icons to infect Android users, including ChatGPT, Chrome, and Bitcoin.

Distribution of the Chameleon Trojan is through various means, including compromised websites, Discord attachments, and Bitbucket hosting services. The Trojan is capable of several malicious activities, such as keylogging, overlay attacks, SMS harvesting, preventing uninstallation, cookie stealing, lock grabbing, and employing anti-emulation techniques. Additionally, the Trojan can disable Google Play Protect, and to auto-uninstall.

At present, the Chameleon Banking Trojan is still in its early stages of development and has limited capabilities, with injection and keylogging techniques being its primary methods for stealing users' credentials. However, the malware may have new features added in the future. The Trojan communicates with a Command-and-Control (C&C) server and users are advised to be cautious while downloading applications from unknown sources.

A new ransomware that can target both Linux and Windows operating systems has been identified by researchers. The ransomware has the ability to accept different command line parameters and can flexibly adjust to customized encryption tactics. Upon execution, the ransomware enables various Windows privileges for the current process, which allows access to restricted actions typically only permitted for processes with higher privileges. These actions include debugging other processes, modifying system security settings, and restoring files and directories. The ransomware then creates a scheduled task entry for persistence, enabling it to run automatically every time the victim logs into their computer.

The ransomware gathers details about disk volumes and their associated file systems. As organizations implement measures to protect themselves against ransomware attacks, there is a corresponding increase in the number of new ransomware groups emerging. These groups continuously evolve their tactics and expand their operations to maximize their financial gains.

A new threat campaign leveraging the open-source Havoc C2 framework targeting Government organisations has been observed. The backdoor consists of three components –

- ShellCode Loader
- KaynLdr Shellcode
- Demon DLL

The shellcode loader Disables the Event Tracing for Windows (ETW) to evade detection mechanisms and decrypts and executes the shellcode via CreateThreadpoolWait(). The KaynLdr Reflectively loads the Havoc’s Demon DLL without the DOS and NT headers to evade detection and Performs an API hashing routine to resolve virtual addresses of various NTAPIs by using a modified DJB2 hashing algorithm. The Demon DLL's tasks are Parsing configuration files, Usage of Sleep Obfuscation Techniques, Communication with the CnC Server - CheckIn Request and Command Execution, Performs In-Direct Syscalls and Return Address Stack Spoofing and more.

A destructive wiper termed CaddyWiper has been found targeting government organisations. The wiper is deployed by group policy to the infected system. Once run, as administrator, the system will crash. Once the computer is rebooted it crashes and will not start anymore and prompt that it cannot locate the operating system. If the sample is opened in a disassembler, in this case, Ghidra, it can be seen that it uses a lot of stack strings for obfuscation. Upon start, the wiper uses the API call DsRoleGetPrimaryDomainInformation to check if the computer is the primary domain controller by comparing it to the hard-coded value 0x5, which comes from the struct DSROLE_MACHINE_ROLE. If it is the primary domain controller it will exit. This is probably done because the threat actor is using the domain controller as the source of distribution of the wiper and not to ruin its foothold.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 82 new ransomware victims from 20 distinct industries across 29 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

LockBit 3.0, a specific ransomware, has affected the largest number of new victims (32) spread across various countries. Bianlian and Money message groups follow closely with each hitting 11 and 08 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 29 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 39 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 19 industries globally. Last week, the manufacturing and Business Services sectors were hit particularly hard, with the loss of 20 and 07 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.