Threat Intelligence Report December 27 - January 2 2023

Threat name:

YouTube Bot Malware

Recently, a new YouTube bot malware was discovered that can watch, like, and comment on YouTube videos. Additionally, it can steal private data from browsers and function as a bot that takes instructions from a command-and-control (C&C) server to carry out additional nefarious deeds. It was created as a 32-bit executable file using the .NET compiler. The malware first determines whether it is running in a managed environment, like VMware or VirtualBox, before executing. To enhance the number of likes, comments, and views on their YouTube videos in this scenario, The Threat Actors (TAs) deploy specially crafted YouTube bots. Additionally, the YouTube bot can harvest passwords, cookies, AutoFill data, and other sensitive information from its victims.

GodFather Malware Returns

GodFather is a well-known Android banking virus that mostly targets consumers in European nations. Recently, multiple Android samples for GodFather that were posing as MYT applications were discovered. The name of this application is MYT Müzik, and it is written in Turkish. As a result, it is believed that this application targets Turkish Android users. After successfully being installed on the victim's device, the GodFather Android virus collects private data like SMSs, basic device information like loaded app data, and the phone number of the device. In addition to these features, it can also route incoming calls from the victim's device, inject banking URLs, and control the device screen using VNC.

STRRat Malware

STRRAT is a Java-based remote access trojan (RAT) that provides threat actors with full remote control of infected Windows endpoints. STRRAT focuses on stealing credentials from browsers and email clients like Microsoft Edge, Google Chrome, Mozilla Firefox, Microsoft Outlook, Mozilla Thunderbird, and Foxmail. It also steals credentials by recording keystrokes of infected endpoints. STRRat also has the capability of mimicking a ransomware attack. No files are encrypted; the malware appends the file - extension “.crimson” while opening Notepad to display a false ransom note.

Drokbk Malware

The Dead Drop Resolver is a technique where a legitimate cloud service is exploited to host the information that points to the command-and-control infrastructure. A recent example is the latest campaign Using Drokbk Malware. Drokbk is deployed post-intrusion alongside other access mechanisms as an additional form of persistence within the victim's environment. The Drokbk dropper checks for the existence of the c:\programdata\SoftwareDistribution directory and creates the directory if it does not exist. The dropper then writes all bytes from an internal resource to c:\users\public\pla. This is a temporary step; the extracted file (pla) is then copied to c:\programdata\SoftwareDistribution\SessionService.exe.

Red Piranha regularly collects information about organisations hit by ransomware from different sources, including the Dark Web. During the previous week, Red Piranha identified a total of 30 new ransomware victim organisations from 13 different countries all over the world.

One particular ransomware group named Royal tallied the greatest number of new victims (09), the locations of which are spread across different countries. This is followed by AlphV and Snatch groups with 06 new victims each. Victim counts these ransomware groups, and a few others are listed below.

If we look at the victims as per the country, we can say that the USA was once again become the most affected country by ransomware groups where a total of 10 new victims were reported last week followed by Germany and India where 5 and 3 new victims respectively were reported. The number of new ransomware victims per country is listed below: