Threat Intelligence Report August 8 - August 14 2023

Agniane Stealer is a potent information theft tool equipped with various capabilities. Notably, it excels at extracting passwords and cookies from popular web browsers like Chrome, Firefox, and Edge, amassing valuable user credentials. It extends its reach to messaging platforms such as Telegram and Discord, intercepting ongoing sessions and accessing private conversations, which can have serious consequences for users' privacy. Additionally, Agniane Stealer displays a keen interest in cryptocurrency, targeting crypto wallets to seize digital assets discreetly. The malware captures screenshots to provide cybercriminals with a visual overview of victims' activities. Disseminated through phishing emails, it tricks recipients into opening attachments, facilitating the theft of user data, crypto wallets, browser specifics, VPN credentials, and more. This enables attackers to also access victim details like geolocation and IP address.

Researchers have noticed a rise in TOAD (Telephone-oriented attack delivery) phishing campaigns. TOAD involves luring victims to engage with deceptive call centres run by malicious actors. These campaigns aim to steal credentials or implant malware. The messages in these attacks impersonate companies like Norton, PayPal, or McAfee, citing service bills or transaction fees. Recipients are prompted to view an attached PDF invoice and call a provided number for cancellations or refunds. These messages falsely suggest accidental service sign-ups. They lead to fake customer service helplines that seek credentials and encourage downloading malicious software. While potential victims should be cautious, signs like unofficial email accounts, vague details, and basic formatting can help identify these schemes. We identified some TOAD domains and created some rules to prevent attacks against our users.

FormBook is a type of malware that is designed to steal sensitive information from infected computers. It is primarily used for cybercriminal activities, such as stealing login credentials, financial data, and other personal information. FormBook is typically distributed through malicious email attachments, phishing websites, and other deceptive methods. Once a system is infected, FormBook can capture keystrokes, take screenshots, and record user interactions, effectively capturing sensitive data entered by the victim. This stolen information is then sent to remote servers controlled by the attackers. FormBook has been used in various cyberattacks and has evolved over time with new features and capabilities to evade detection and improve its effectiveness. It has been a significant concern for cybersecurity professionals and organizations due to its potential to cause financial and data breaches.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 48 new ransomware victims from 16 distinct industries across 15 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

LockBit3.0, a specific ransomware, has affected the largest number of new victims (19) spread across various countries. Akira and AlphV hit 06 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 15 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 28 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 16 industries globally. Last week, the Manufacturing and Education sectors were hit particularly hard, with 14% and 12% of the total ransomware victims belonging to each of those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.