Threat Intelligence Report December 13 - December 19 2022

GootLoader Malware, DolphinCape Malware, PyPi-NPM CIA Ransomware, BlackMagic Ransomware, CHAOS RAT, DEV-1028 botnet

Threat name:

Gootloader aka Gootkit was originally delivered through spam campaigns and legacy exploit kits. Gootloader operators are increasingly observed using search engine optimization (SEO) poisoning tactics to gain access to victims' environments and initiate multifaceted breaches involving subsequent payloads such as Cobalt Strike and Gootkit. Gootloader poses a significant threat to enterprise environments because it is designed to deliver additional malware. Gootloader operators compromise legitimate infrastructures like WordPress blogs and seed these sites with common keywords. The operators then use SEO techniques to direct anyone who types these keywords into a search engine to a page that entices the user to download a ZIP file containing the initial Gootloader script. Most observed Gootloader campaigns involved initial malicious ZIP files containing the word "contract" in the file name.

According to the latest CERT-UA advisory, the new malicious campaign against the state railway transport organization of Ukraine "Ukrzaliznytsia" used a phishing email delivering DolphinCape malware developed with Delphi to targeted users. In this attack, threat actors send out decoy emails that promise to reveal information on how to identify Iran's Shahed-136 drones. The infection chain starts by opening a decoy RAR file attachment that contains a PPSX document with malicious VBScript code. It is designed to generate a scheduled task and decrypt, create, and run a PowerShell script. The hackers use the RC4 encryption algorithm, and a key created by concatenating the value string of the "Manager" attribute and the file name. The malicious PowerShell script will use the BITS component of Microsoft Windows to download DLL and EXE files and create a scheduled task to run the latter using the DLL sideloading technique. The DLL file is identified as DolphinCape malware, which collects information about hostname, username, and operating system version, and exfiltrates other data from infected computers executes EXE and DLL files and displays a list of files and their uploads. DolphinCape malware is also capable of capturing screenshots from target computers.

PyPi-NPM CIA Ransomware

An ongoing distribution of a CIA-themed ransomware that targets PyPi users has been discovered. Python's 'requests' package has been a target of typosquatting. The threat actor published ransomware binaries written in Golang disguised as a legitimate Python package. It was determined that NPM packages are also being affected. Upon execution of malware, it will immediately change the background screen with a fake message from the CIA and will start encrypting the victim's files.

A ransomware that targets the logistics sector. The threat group exfiltrates their victims' data first then encrypts it. Their ransom notes do not contain any links to where they can be paid, instead, they contain links to where the data is dumped and sold. Upon execution, the malware kills system processes, disables the task manager via registry, gathers information from the system then sends a request to its remote Command-and-Control server. After encryption, it creates a batch file that cleans up its traces and changing the screen background.

A cryptocurrency mining attack targeting the Linux operating system has recently included the use of an open source remote access trojan known as CHAOS. The RAT alters /etc/crontab file, a UNIX task scheduler that downloads itself every 10 minutes from Pastebin to achieve persistence. Once downloaded and launched, it transmits system metadata to a remote server. It is GO Compiled with capabilities to carry out following operations.

Perform reverse shell
Download files
Upload files
Delete files
Take screenshots
Access file explorer
Gather operating system information
Restart the PC
Shutdown the PC
Open a URL

A new cross-platform botnet has been found originating from malicious software downloads on Windows devices and succeeds in infecting Linux-based devices like Minecraft servers. The botnet spreads by enumerating default credentials on internet-exposed Secure Shell (SSH)-enabled devices. IoT devices with remote configuration enabled and configured with potentially insecure settings are at risk to attacks like this botnet. The botnet’s spreading mechanism makes it uniquely interesting. While the malware can be removed from the infected source PC, it could persist on unmanaged IoT devices in the network and continue to operate as part of the botnet.

Red Piranha periodically collects information about organizations hit by ransomwares from different sources including the Dark Web. During the previous week, Red Piranha identified a total of 45 new ransomware victim organizations.

One particular group linked to the LockBit 3.0 ransomware tallied the most number of new victims (11), the locations of which are spread across different countries. This is followed by AlphaV and Bianlian groups with 9 and 6 new victims respectively. Victim counts these ransomware groups and a few others are listed below.
 

If we look the victims as per the country, we can say that USA was once again become the most targeted country by ransomware groups where a total 18 new victims were reported last week followed by India and Japan where 3 new victims each were reported. The number of new ransomware victims per country are listed below: