New Threat Detection Added | 4 (Duke Malware, NetSupport RAT, JanelaRAT, and QwixxRAT)
New Threat Protections | 11
New Ransomware Victims Last Week | 126
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
Threat name: | Duke Malware
Duke is a malware toolkit used by APT29, the group also known as The Dukes, Cloaked Ursa, CozyBear, Nobelium, and UNC2452. APT29 is a Russian state-sponsored actor linked to the SVR RF that conducts politically motivated cyber espionage. The Duke toolkit includes backdoors, loaders, data stealers, and disruptors. In 2023, The Dukes used malicious PDFs posing as German embassy invitations in a spam campaign targeting the Foreign Affairs ministries of NATO-aligned countries.
Threat Protected: | 05
Rule Set Type: |
Class Type: | Trojan-activity
Kill Chain: | Execution T1047 - Defence Evasion TA0005/T1036 - Credential Access TA0006 - Discovery T1018 - Collection T1005 - Command-and-Control TA0011
Threat name: | NetSupport RAT
Researchers have found an ongoing campaign that lures users with fake Chrome updates into installing a tool called NetSupport Manager. The attackers then abuse this tool to steal data and take control of victims' computers. The campaign is somewhat similar to the earlier SocGholish campaign, which has possibly been linked to Russian threat actors, but the connection to SocGholish is not confirmed and the tooling used is different.
Threat Protected: | 04
Rule Set Type: |
Class Type: | Trojan-activity
Kill Chain: | Initial Access T1566 - Execution T1059 - Collection T1119/T1005/T1185 - Command-and-Control T1132 - Exfiltration T1041
Threat name: | JanelaRAT
A targeted campaign named JanelaRAT has recently been discovered. It appears to be aimed at FinTech users in the LATAM region. The campaign employs DLL side-loading, dynamic C2 infrastructure and a multi-stage approach, and uses a customised variant of BX RAT, which is why the malware was named JanelaRAT. Notably, JanelaRAT focuses on harvesting financial data in LATAM, incorporates a window-title sensitivity feature, uses dynamic socket configuration, abuses legitimate sources for DLL side-loading evasion, and exhibits Portuguese-language indicators that point to the origin of the threat actor. The attack chain starts with a VBScript delivered inside a ZIP archive. The VBScript performs two primary actions: it retrieves a ZIP archive from the attackers' server and drops a BAT file on the targeted endpoint to prepare the system for the next infection stage. The downloaded ZIP archive contains two components that drive the remaining stages of infection and carry out the DLL side-loading. JanelaRAT is designed to gather data about the compromised host and transmit it to the attacker.
Threat Protected: | 01
Rule Set Type: |
Class Type: | Trojan-activity
Kill Chain: | Execution T1059 - Persistence T1574 - Command-and-Control T1095 - Exfiltration T1041
Threat name: | QwixxRAT
A new threat named QwixxRAT has emerged, posing risks to both enterprises and individual users. This Trojan enters systems discreetly and extracts a wide array of data. It was first seen in early August 2023. The threat actor is distributing the tool widely through platforms such as Telegram and Discord. Once installed on a victim's Windows device, the RAT gathers sensitive information and sends it to the attacker's Telegram bot, giving the attacker unauthorised access to the victim's confidential data. To evade detection by antivirus software, the RAT implements its command and control through the Telegram bot, which lets the attacker remotely oversee the RAT's actions and manage its functions.
Threat Protected: | 01
Rule Set Type: |
Class Type: | Trojan-activity
Kill Chain: | Initial Access T1190 - Execution T1059 - Command-and-Control T1102/T1071
Known exploited vulnerabilities (Week 3 - August 2023):
For more information, refer to the Forum – Security Advisory
Vulnerability | Description
CVE-2023-24489 | Citrix Content Collaboration ShareFile Improper Access Control Vulnerability
Updated Malware Signatures (Week 3 - August 2023)
Threat | Description
Valyria | A Microsoft Word-based malware used as a dropper for second-stage malware.
Tofsee | A malware used to send spam emails, conduct click fraud and perform cryptomining.
Ramnit | A banking trojan used to steal online banking credentials.
Zeus | Also known as Zbot; primarily designed to steal banking credentials.
XtremeRAT | A remote access trojan that interacts with the infected machine via a remote shell, uploads/downloads files, and records from the webcam/microphone.
New Ransomware Victims Last Week: | 126
Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 126 new ransomware victims from 21 distinct industries across 22 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors. Clop affected the largest number of new victims (41), spread across various countries. LockBit3.0 and Blackbasta hit 22 and 20 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.
Name of Ransomware Group | Percentage of new Victims last week
8Base | 3.17%
Akira | 3.97%
AlphV | 3.97%
Bianlian | 1.59%
Blackbasta | 15.87%
Clop | 32.54%
Clop Torrents | 3.17%
Everest | 1.59%
INC Ransom | 0.79%
LockBit3.0 | 17.46%
Medusa | 2.38%
Metaencryptor | 8.73%
Noescape | 3.97%
Rhysida | 0.79%
After conducting additional research, we found that ransomware has impacted 21 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with 17% and 15% of the total ransomware victims belonging to each of those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.