Threat Intelligence Report August 22 - August 28 2023

CollectionRAT presents a repertoire of standard Remote Access Trojan (RAT) functionalities, encompassing command execution and file management on compromised endpoints. The core implant is crafted from a Microsoft Foundation Class (MFC) library-based Windows binary. This binary dynamically decrypts and executes the actual malware code, employing MFC's intricate object-oriented framework. The choice of MFC, primarily used for crafting user interfaces in Windows apps, adds layers of complexity that obscure malware analysis. However, CollectionRAT utilises MFC solely as a wrapper for decrypting malicious code.

Upon infiltration, CollectionRAT initiates by gathering system data, crafting a unique fingerprint for the infected environment. This fingerprint is communicated to the Command-and-Control (C2) server. Subsequently, commands flow from the C2 server, triggering diverse tasks on the compromised system. Among these tasks, CollectionRAT's prowess is manifested in its capacity to establish a reverse shell. This shell empowers the malware to execute arbitrary commands seamlessly. It extends its influence further, allowing the reading, writing, and manipulation of files on the disk, as well as spawning new processes. This versatility equips it to procure and deploy supplementary payloads as needed. Interestingly, the implant possesses an evasive function, permitting its removal from the endpoint under C2 directives.

In essence, CollectionRAT deftly wields a varied arsenal of capabilities within its seemingly intricate MFC framework. Its fusion of RAT functionalities with a sophisticated decryption mechanism showcases its adaptability and the intricacies that veil its core operations.

XLoader, a long-standing malware-as-a-service infostealer and botnet, has maintained its presence since 2015. Its enduring existence has witnessed numerous iterations, each evolving to adapt to the changing cybersecurity landscape.

In 2021, XLoader expanded its scope to include macOS platforms. Notably, its initial macOS variant was distributed as a Java program. However, its efficacy was hindered by the absence of the Java Runtime Environment as a default macOS component post-Snow Leopard. This constraint limited its reach to systems where Java was selectively installed.

Presently, XLoader emerges anew, shedding its previous dependencies. This resurgence is marked by a transformation in its programming foundation. The malware has transitioned to being natively coded in C and Objective C languages, a shift that affords it enhanced autonomy and versatility.

XLoader's latest incarnation employs a ruse to cloak its malicious intent. It has adopted the guise of an innocuous office productivity application named 'OfficeNote'. Remarkably, it is now signed with an Apple developer signature, lending it an appearance of legitimacy.

Ferest Smuggler is a credential harvesting campaign that leads to Business Email Compromise fraud. This phishing campaign was observed in August 2023 targeting a municipal government on the US West Coast. The attackers spoofed the domain of the Visa-owned payment processor, Authorise.net. By employing a domain with null MX records, they successfully evaded email filters, allowing the malicious email to reach its intended recipients.

A business email compromise (BEC) threat actor only requires an account that has no multi-factor authentication (MFA) protection to gain access to a staff member's inbox. Once in possession of this email inbox, especially if it belongs to an employee in departments like accounting or human resources (HR), the threat actor gains access to a wide array of potential targets. These targets are extracted from the contacts and entities found within the stolen emails. Operating under the guise of the original victim organisation, the threat actor can target clients, companies, or partners listed in the compromised email archive. This enables them to execute actions such as requesting wire transfers as typically done by the victim organisation.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 142 new ransomware victims from 18 distinct industries across 30 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (58) spread across various countries. Cloak and LockBit3.0 hit 18 & 14 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 30 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 77 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 18 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with 16% and 10% of the total ransomware victims belonging to each of those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.