Threat Intelligence Report August 1 - August 7 2023

Fruity serves as a tool for cybercriminals to spread the Remcos RAT, a remote-control tool enabling remote computer access for malicious purposes. This gives them access to sensitive data like passwords, credit cards, and real-time screen monitoring. Moreover, it facilitates file downloads and execution, opening the door to more malware. Beyond Remcos RAT, Fruity can distribute various other malware types, including banking trojans, ransomware, and remote access tools. Banking trojans steal financial data, ransomware encrypts files for a ransom, and remote access tools compromise systems. Fruity victims face substantial harm, with unauthorised access to personal data, leading to identity theft, financial losses, and privacy breaches. Its capacity to introduce more malware triggers additional infections, causing operational disruptions, data loss, and potential ransomware extortion.

IcedID, also known as BokBot, emerged in 2017. Initially tied to the banking trojan payload, the term "IcedID" now encompasses the entire infection process. After a few years under the radar, it resurfaced in 2019 using steganography to conceal its payload.

As time passed, IcedID loaders advanced, adopting various steganography techniques such as "Photoloader" and more recently "Gziploader." The core functionalities of the banking trojan have seen limited changes. IcedID operates in three stages, employing two DLL loaders via rundll32.exe. While the final stage is a banking trojan, IcedID can serve as a conduit for other threats like Ransomware or as an entry point for lateral spreading. By employing both VMware EDR and NDR solutions, comprehensive visibility, detection, and prevention against threats like IcedID are achieved across all attack stages.

CVE-2023-35082 enables an external unauthorised attacker to gain access to the API endpoints of a publicly accessible management server. Exploiting these API endpoints provides the attacker with a range of functionalities as outlined in the official API documentation. These functionalities encompass the potential to reveal personally identifiable information (PII) and make alterations to the platform. Moreover, if an additional vulnerability is present in the API, the attacker can combine these vulnerabilities. For instance, the attacker could leverage CVE-2023-35081 in conjunction with CVE-2023-35082 to create a chain of exploits, thereby allowing the attacker to upload malicious webshell files to the appliance, potentially leading to their execution.

An inherent flaw in the wsConvertPpt module within Chamilo versions ranging from v1.11.* to v1.11.18 introduces a command injection vulnerability. This vulnerability empowers attackers to execute arbitrary commands by manipulating a SOAP API call, utilising a specially crafted PowerPoint filename.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 77 new ransomware victims from 18 distinct industries across 20 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

LockBit3.0, a specific ransomware, has affected the largest number of new victims (14) spread across various countries. RA Group and Play group follow closely with each hitting 10 and 8 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 20 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 42 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 18 industries globally. Last week, the Manufacturing and Retail sectors were hit particularly hard, with 15% and 7% of the total ransomware victims belonging to each of those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.