Threat Intelligence Report April 4 - April 10 2023

Researchers have discovered a new variant of the Snake Keylogger malware, which is designed to steal sensitive information from Microsoft Windows users, including saved credentials, keystrokes, screenshots, and clipboard data. This variant was found in a Microsoft Excel sample used to spread the malware. The Snake Keylogger family has been increasing in popularity and is now one of the top 10 malware families. The blog post provides details on how this variant is downloaded, executed, and protected from the analysis. The impact of this malware is considered critical due to the sensitive information it collects from its victims.

Typhon is an information stealer that was first reported in mid-2022 and is designed to steal sensitive information, including cryptocurrency wallet data, from various applications. It has undergone continuous development, with the latest version, Typhon Reborn V2, being released in January 2023, which includes improved anti-analysis and anti-virtual machine capabilities to evade detection. The malware is being sold on underground forums for $59 per month or $540 for a lifetime subscription, which is relatively cheap compared to other info stealers. Typhon Reborn 2 has been observed in the wild, and it is expected to be used in future attacks to harvest and exfiltrate sensitive information via the Telegram API.

NetSupport Manager is a legitimate software used by helpdesk or service desk professionals to remotely access computers. However, it has been discovered recently that some malware includes a tampered version of NetSupport Manager to gain unauthorized access to computers. It is usually distributed via a phishing email and when the malware is executed, it allows its operator to gain access to the victim's machine and steal sensitive data.

Gamaredon is an APT group that is known to conduct cyber espionage campaigns against military and government organisations. They have been linked or attributed to various attacks against the Ukraine government. It was recently observed to be targeting the energy sector of different regions worldwide.

Newly discovered domains attributed to Gamaredon have been identified and were added as rules to the Crystal Eye for detection and prevention.

RapperBot exclusively scans and attempts to brute force SSH servers configured to accept password authentication. The bulk of the malware code contains an implementation of an SSH 2.0 client that can connect and brute force any SSH server that supports Diffie-Hellmann key exchange with 768-bit or 2048-bit keys and data encryption using AES128-CTR. Once RapperBot successfully brute forces an SSH server, the valid credentials are reported to the C2 server on a separate port (currently 48109) without executing further commands on the remote victim.

Adwind RAT is a cross-platform, multifunctional remote access program which is distributed through a single malware-as-a-service platform. It checks the system to see if it is running in a Virtual Environment. Adwind RAT infects the victim’s machine by initial infection vectors of spam campaigns with attachment (EML), and a suspicious URL to download the malware. The attachment is an MS Word document (.DOCX). The threat actor can trick the user to click on the blurred image to view the document’s content. Once the user opens the .img content, use the embedded doc to drop the .JAR file in the %temp% folder to start infecting and perform the threat actor’s action on the objective.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 63 new ransomware victims from 17 distinct industries across 12 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

LockBit 3.0, a specific ransomware, has affected the largest number of new victims (17) spread across various countries. Alphv and Royal groups follow closely with each hitting 13 and 10 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 12 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 44 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      

After conducting additional research, we found that ransomware has impacted 17 industries globally. Last week, the manufacturing and Business Services sectors were hit particularly hard, with the loss of 14 and 07 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.