Threat Intelligence Report August 29 - September 4 2023

The Konni Advanced Persistent Threat (APT) group, suspected to originate from North Korea, has been operating since at least 2014. Their primary focus has been infiltrating government agencies and institutions in South Korea and the United States. This North Korean hacking group delivers the Konni Remote Access Trojan (RAT) through deceptive phishing messages or emails. The infection process starts when the target interacts with a rigged file. Once inside a victim's system, Konni RAT enables the attackers to gather data, capture screenshots, pilfer files, and establish a remote interactive connection. KONNI has been associated with multiple cyberattacks, allegedly orchestrated by North Korea, targeting political entities across Russia, East Asia, Europe, and the Middle East. Notably, KONNI shares a substantial code base with the NOKKI malware family. Konni's APT group maintains its focus on attacking documents written in Russian, often related to Russian-North Korean trade and economic investments. In January 2022, this APT group was detected targeting the Russian diplomatic sector, using a spear-phishing scheme centred around New Year's Eve celebrations as bait. When the recipient opens and processes the malicious email attachment, a sequence of events unfolds, ultimately resulting in the installation of a Konni RAT family implant as the final payload.

IcedID, a persistent malware, circumvents antivirus defences via process-hollowing. It infiltrates key API functions erasing the hooks to spawn a "svchost.exe" service process, embedding itself in "KERNEL32.DLL" and "SHLWAPI.DLL." Payload placement in "%ProgramData%" or "%AppData%" depends on account privileges. A scheduled task ensures reboot persistence, with three "svchost.exe" subprocesses containing its shellcode. IcedID delays execution until reboot, mimicking legitimate OS functions. It spreads across networks, observing activities, exfiltrating data, and executing man-in-the-browser attacks. These assaults involve web-injection, proxy setup, and redirection. IcedID injects shellcode into web browsers, adjusting memory and altering protection. It intercepts traffic through "Ws2_32:connect," channelling it to a proxy server for data capture. Recent versions include an Automatic Transaction System (ATS) Engine for autonomous data theft and injection, apart from the Command-and-Control (C2) server. The proxy crafts counterfeit banking sites, snaring login details and bypassing multi-factor authentication (MFA). IcedID communicates via HTTPS through its proxy, employing obfuscation and encryption to confound analysis. These tactics enable IcedID to infiltrate systems, exfiltrate sensitive data, and exploit network weaknesses.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 214 new ransomware victims or updates in few past victims from 24 distinct industries across 36 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of victims (100) updates spread across various countries. LockBit3.0 and Everest updated 50 & 14 victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 36 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 114 victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 24 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with 21% and 11% of the total ransomware victims belonging to each of those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.