| Weekly summary | |
|---|---|
| New Threat Detection Added | 6 (Dalbit APT, Frebniis Backdoor, NewsPenguin, MalVirt malware, SparkRAT, and SHARPEXT) |
| New Threat Protections | 9 |
| Overall Weekly Observables Count | 2,208,222 |
| New Ransomware Victims Last Week | 84 |
[Chart: Daily Submissions by Observable Type]

[Chart: Weekly Detected Threats]
The following threats were added to Crystal Eye XDR this week:
Threat name: Dalbit APT

Dalbit is a threat actor group recently discovered to have targeted Korean organisations. Their usual tactic is to attack SQL and web servers with exploits in order to upload web shells. Through these web shells, additional tools are downloaded, such as privilege escalation binaries, proxy tools, and scanning tools. Once a foothold is established, FRP (Fast Reverse Proxy) is deployed to connect back to their Command-and-Control server, or to another victim's server, over RDP. The apparent end goal is to deploy ransomware on their victims.

- Threat Protected: 02
- Rule Set Type:
- Class Type: Trojan-activity
- Kill Chain: Initial Access T1190 - Execution T1059 - Command-and-Control T1105
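The web shell stage described above leaves a recognisable footprint in IIS access logs: a server-side script that appears in a writable directory and is then driven by POST requests from a single client with no Referer and a non-browser user agent. The following hunting script is an added example, not Crystal Eye's own detection logic or anything from the Dalbit write-up; the log lines, the list of writable directories and the scoring thresholds are constructed for the demonstration and should be tuned to the real site layout.

```python
"""Web shell hunting over IIS W3C access logs (added example, not Red Piranha's
or Crystal Eye's own detection logic). The log lines are constructed for the
example; field names follow the IIS W3C extended log format."""
from collections import defaultdict

# Constructed sample: one normal visitor and one client driving a script
# that was dropped into a writable upload directory.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-02-10 03:12:01 10.0.0.5 GET /index.aspx - 80 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2023-02-10 03:12:05 10.0.0.5 GET /images/logo.png - 80 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) http://www.example.test/index.aspx 200 0 0 5
2023-02-10 03:12:40 10.0.0.5 POST /uploads/cmd.aspx - 80 - 203.0.113.7 python-requests/2.28 - 200 0 0 35
2023-02-10 03:13:02 10.0.0.5 POST /uploads/cmd.aspx cmd=whoami 80 - 203.0.113.7 python-requests/2.28 - 200 0 0 31
2023-02-10 03:13:30 10.0.0.5 POST /uploads/cmd.aspx cmd=certutil 80 - 203.0.113.7 python-requests/2.28 - 200 0 0 44
"""

SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp")
# Directories the application (or an upload feature) can write to.
# Assumption for the example; tune to the real site layout.
WRITABLE_DIRS = ("/uploads/", "/upload/", "/images/", "/files/", "/temp/", "/tmp/")


def parse_iis_log(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):  # skip malformed or truncated lines
            rows.append(dict(zip(fields, parts)))
    return rows


def find_webshell_candidates(rows, min_hits=2):
    """Score every server-side script by traits typical of a web shell being
    driven by attacker tooling rather than by site visitors."""
    by_stem = defaultdict(list)
    for row in rows:
        stem = row["cs-uri-stem"].lower()
        if stem.endswith(SCRIPT_EXTENSIONS):
            by_stem[stem].append(row)

    findings = []
    for stem, hits in by_stem.items():
        reasons = []
        posts = [h for h in hits if h["cs-method"] == "POST"]
        if any(d in stem for d in WRITABLE_DIRS):
            reasons.append("script lives under a writable directory")
        if posts and all(h["cs(Referer)"] == "-" for h in posts):
            reasons.append("POST requests carry no Referer")
        if len(hits) >= min_hits and len({h["c-ip"] for h in hits}) == 1:
            reasons.append("all requests come from a single client")
        if any(not h["cs(User-Agent)"].startswith("Mozilla") for h in hits):
            reasons.append("non-browser user agent")
        if len(reasons) >= 2:  # require corroboration; one trait alone is noisy
            findings.append({"stem": stem, "hits": len(hits),
                             "clients": sorted({h["c-ip"] for h in hits}),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for finding in find_webshell_candidates(parse_iis_log(SAMPLE_IIS_LOG)):
        print(finding["stem"], finding["clients"], "; ".join(finding["reasons"]))
```

On the constructed sample only `/uploads/cmd.aspx` is reported, with all four traits. Pair a hit with file-system evidence (creation time of the script versus the deployment date, and the w3wp.exe process spawning cmd.exe or certutil.exe) before treating it as confirmed, and look for the FRP client configuration on the host once a shell is confirmed.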
Threat name: Frebniis Backdoor

Frebniis is a newly observed malware that abuses IIS to deploy a backdoor on compromised systems. The threat actor or group behind it is still unknown and no attribution has been made. Malicious code is injected into the IIS Failed Request Tracing module (iisfreb.dll), a feature used to troubleshoot web requests. The injected code lets the malware monitor incoming HTTP requests and recognise specially formatted requests, giving the attacker remote code execution on the server. The attacker must, however, first gain access to the target by other means in order to install the backdoor.

- Threat Protected: 02
- Rule Set Type:
- Class Type: Trojan-activity
- Kill Chain: Execution T1559/T1129
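Because the backdoor rides on the Failed Request Tracing module, a quick defensive check is to list which sites actually have that feature switched on and to compare the module on disk with a known-good copy. The script below is an added example, not part of the Frebniis analysis or of Crystal Eye; it assumes that iisfreb.dll is only loaded for sites with Failed Request Tracing enabled (confirm against the IIS build in use), the applicationHost.config excerpt is constructed, and the baseline hash is something the caller must supply from a clean host of the same IIS build.

```python
"""Which IIS sites have Failed Request Tracing switched on, and does the
iisfreb.dll module match a clean baseline? Added example, not from the
Frebniis write-up. Assumption: iisfreb.dll is only loaded for sites where the
feature is enabled, so sites with it on and no troubleshooting reason deserve
a closer look."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed excerpt of %windir%\System32\inetsrv\config\applicationHost.config.
SAMPLE_APPHOST_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <traceFailedRequestsLogging enabled="true" directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
      </site>
      <site name="Intranet" id="2">
        <traceFailedRequestsLogging enabled="false" />
      </site>
      <site name="Partner Portal" id="3">
      </site>
      <siteDefaults>
        <traceFailedRequestsLogging enabled="false" directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles" />
      </siteDefaults>
    </sites>
  </system.applicationHost>
</configuration>
"""


def _enabled(elem):
    """True/False for a traceFailedRequestsLogging element, None if it is absent."""
    if elem is None:
        return None
    return elem.get("enabled", "false").lower() == "true"


def failed_request_tracing_sites(config_xml):
    """Names of sites with Failed Request Tracing on, honouring <siteDefaults>
    inheritance for sites that do not set the element themselves."""
    root = ET.fromstring(config_xml)
    sites = root.find("./system.applicationHost/sites")
    if sites is None:
        return []
    default = _enabled(sites.find("./siteDefaults/traceFailedRequestsLogging")) or False
    enabled = []
    for site in sites.findall("site"):
        own = _enabled(site.find("traceFailedRequestsLogging"))
        if default if own is None else own:
            enabled.append(site.get("name"))
    return enabled


def module_matches_baseline(module_bytes, baseline_sha256):
    """Compare the on-disk iisfreb.dll against a SHA-256 taken from a clean host
    of the same IIS build (the baseline value is supplied by the caller)."""
    return hashlib.sha256(module_bytes).hexdigest().lower() == baseline_sha256.lower()


if __name__ == "__main__":
    print("FRT enabled on:", failed_request_tracing_sites(SAMPLE_APPHOST_CONFIG))
```

A matching hash only proves the file on disk is untouched; Frebniis injects into the loaded module, so memory-resident modifications need a check of the running w3wp.exe (for example comparing the in-memory image of iisfreb.dll with the file, or watching for w3wp.exe spawning unexpected child processes).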
Threat name: NewsPenguin

A new threat actor, NewsPenguin, has been discovered targeting organisations in Pakistan using a sophisticated payload delivery method. The attacker runs a targeted phishing campaign with a weaponised document, disguised as an exhibitor manual for the upcoming Pakistan International Maritime Expo & Conference (PIMEC-2023), to trick victims into opening it. The document contains embedded malicious VBA macro code, which leads to execution of the final payload. The final payload is an advanced espionage tool encrypted with a unique "penguin" encryption key.

- Threat Protected: 02
- Rule Set Type:
- Class Type: Trojan-activity
- Kill Chain: Initial Access T1566.001 - Execution T1204.002, T1059.005, T1059.003, T1203, T1047, T1059.001, T1559.001 - Privilege Escalation T1055, T1055.002 - Defence Evasion T1480, T1221, T1027, T1140, T1070.004, T1564.001, T1112, T1036 - Command-and-Control T1105, T1071.001, T1132.001, T1573.001 - Exfiltration T1041, T1029 - Discovery T1083, T1057, T1082, T1497.003
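The lure relies on a VBA project inside an Office document, and an OOXML file (.docm/.docx and friends) is just a zip whose parts and content types declare whether a macro project is present. The triage script below is an added example, not from the NewsPenguin report or Crystal Eye; it builds its sample packages in memory so it runs offline, and the claimed file names are constructed for the demonstration.

```python
"""Triage an Office document for an embedded VBA project (added example, not
from the NewsPenguin report). The packages are constructed in memory so the
check runs offline; file names and the stand-in VBA blob are assumptions."""
import io
import zipfile

MACRO_ENABLED = "macroEnabled"            # present in the content types of .docm/.xlsm/.pptm
NON_MACRO_EXTENSIONS = {"docx", "xlsx", "pptx"}
OLE_SIGNATURE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # vbaProject.bin is an OLE2 container


def build_sample_package(with_macro):
    """Minimal OOXML zip: content types, a document part and, optionally, a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
                   else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>',
                 f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>']
        if with_macro:
            types.append('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>')
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "\n".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stand-in for a real VBA project: OLE header plus padding.
            z.writestr("word/vbaProject.bin", OLE_SIGNATURE + b"\x00" * 504)
    return buf.getvalue()


def inspect_office_package(data, claimed_name):
    """Report whether a VBA project is present and why the file looks suspicious."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            vba_blobs = [z.read(n) for n in vba_parts]
    except (zipfile.BadZipFile, KeyError):
        return {"has_macro": False, "findings": ["not a valid OOXML package"]}

    if vba_parts:
        findings.append("VBA project part present: " + ", ".join(vba_parts))
    if MACRO_ENABLED in content_types:
        findings.append("content types declare a macro-enabled document")
    ext = claimed_name.rsplit(".", 1)[-1].lower()
    if vba_parts and ext in NON_MACRO_EXTENSIONS:
        findings.append(f"macro project inside a .{ext} file (extension/content mismatch)")
    if any(not blob.startswith(OLE_SIGNATURE) for blob in vba_blobs):
        findings.append("vbaProject.bin lacks the OLE2 signature (tampered or non-standard)")
    return {"has_macro": bool(vba_parts), "findings": findings}


if __name__ == "__main__":
    print(inspect_office_package(build_sample_package(True), "exhibitor-manual.docm"))
```

This is a gate, not a verdict: it tells you a document carries a macro project, not what the macro does. Pass flagged files to a VBA extractor such as olevba for the source, and never open mail attachments of this kind in an interactive Office session on a production workstation.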
Threat name: MalVirt malware

Researchers have discovered a new cluster of virtualised malware loaders called MalVirt, which use the KoiVM virtualising protector to obfuscate their implementation and execution. They distribute payloads that include the Formbook family of infostealers, with an unusual amount of anti-analysis and anti-detection techniques applied. Alternative distribution methods such as malvertising and ISO files are on the rise now that Microsoft blocks Office macros in documents downloaded from the Internet. Formbook is a feature-rich infostealer used by financially motivated threat actors, but it has also been observed in attacks with potentially political motivations. The intricate loader suggests an attempt to co-opt cybercriminal distribution methods to load more targeted second-stage malware onto specific victims after initial validation.

- Threat Protected: 01
- Rule Set Type:
- Class Type: Trojan-activity
- Kill Chain: Initial Access T1543.003/T1547.001/T1547.008/T1574.002 - Privilege Escalation T1055/T1543.003/T1547.001 - Defence Evasion T1112/T1497 - Credential Access T1003/T1056 - Discovery T1012/T1057 - Collection T1005/T1056/T1114 - Command-and-Control T1071/T1095
Threat name: SparkRAT

A Chinese-speaking hacking group tracked as 'DragonSpark' has been observed using Golang source code interpretation to evade detection while launching espionage attacks against organisations in East Asia. The observed intrusion vector is vulnerable MySQL database servers exposed to the Internet. The threat actors access vulnerable MySQL and web server endpoints and deploy web shells through SQL injection, cross-site scripting, or web server vulnerabilities. They then deploy SparkRAT, an open-source Golang-based tool that runs on Windows, macOS, and Linux and offers feature-rich remote access functionality. SparkRAT communicates with its C2 server over the WebSocket protocol and can upgrade itself automatically, with new features constantly being added.

- Threat Protected: 01
- Rule Set Type:
- Class Type: Trojan
- Kill Chain: Initial Access T1566.001 - Execution T1204.002 - Command-and-Control T1071 - Impact T1565
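WebSocket C2 starts life as an ordinary HTTP/1.1 upgrade handshake, so the first place to look for it is the request/response pair rather than the framed traffic that follows. The script below is an added example and the exchange it inspects is constructed, not captured SparkRAT traffic: it validates the Sec-WebSocket-Accept value exactly as RFC 6455 defines it and then applies traffic heuristics (bare-IP Host, non-standard port, missing Origin, non-browser User-Agent) that are assumptions to be tuned to the environment.

```python
"""Inspect a WebSocket handshake for C2-like traits (added example; the sample
exchange is constructed and is not SparkRAT traffic). The accept-key check
follows RFC 6455; the traffic heuristics are assumptions to tune locally."""
import base64
import hashlib
import ipaddress

WS_MAGIC = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455, section 1.3

# Constructed client upgrade request and server reply. The key/accept pair is
# the worked example from RFC 6455 itself.
CLIENT_UPGRADE = (
    b"GET /ws HTTP/1.1\r\n"
    b"Host: 203.0.113.10:8000\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"User-Agent: Go-http-client/1.1\r\n"
    b"\r\n"
)
SERVER_SWITCH = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)


def parse_http_head(raw):
    """Split an HTTP/1.1 message head into (start line, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(client key + magic GUID))."""
    digest = hashlib.sha1((client_key + WS_MAGIC).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def split_host(host_header):
    """Separate host and port, handling bracketed IPv6 literals."""
    if host_header.startswith("["):
        host, _, rest = host_header[1:].partition("]")
        return host, rest.lstrip(":")
    host, _, port = host_header.partition(":")
    return host, port


def assess_handshake(request, response):
    """Return whether the pair is a completed upgrade and which traits look C2-like."""
    req_line, req = parse_http_head(request)
    status_line, resp = parse_http_head(response)
    upgraded = (req.get("upgrade", "").lower() == "websocket"
                and status_line.startswith("HTTP/1.1 101"))
    if not upgraded:
        return {"websocket": False, "flags": []}

    flags = []
    if resp.get("sec-websocket-accept") != expected_accept(req.get("sec-websocket-key", "")):
        flags.append("Sec-WebSocket-Accept does not match the client key")
    host, port = split_host(req.get("host", ""))
    try:
        ipaddress.ip_address(host)
        flags.append("Host is a bare IP address")
    except ValueError:
        pass
    if port and port not in ("80", "443"):
        flags.append(f"non-standard port {port}")
    if "origin" not in req:
        flags.append("no Origin header, so not a browser-initiated socket")
    if not req.get("user-agent", "").startswith("Mozilla/"):
        flags.append("non-browser User-Agent: " + req.get("user-agent", "<none>"))
    return {"websocket": True, "path": req_line.split()[1], "flags": flags}


if __name__ == "__main__":
    print(assess_handshake(CLIENT_UPGRADE, SERVER_SWITCH))
```

The accept check is there to separate real WebSocket servers from ad-hoc listeners that merely echo a 101; the remaining flags are what distinguish an implant's socket from a browser's. Run the same logic over proxy or Zeek HTTP logs, where the upgrade request and the 101 reply are both recorded, and expect the handshake to be hidden inside TLS on well-run C2, in which case only the destination and the JA3/JA4 fingerprint remain visible.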
Threat name: SHARPEXT

SHARPEXT is a malicious browser extension deployed by SharpTongue following the successful compromise of a target system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google Chrome. The latest version (3.0, based on its internal versioning) supports three browsers: Chrome, Edge, and Whale. Prior to deploying SHARPEXT, the attacker manually exfiltrates the files required to install the extension from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.

- Threat Protected: 01
- Rule Set Type:
- Class Type: Malware
- Kill Chain: Initial Access T1566 - Execution T1204 - Command-and-Control T1071 - Impact T1565
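An extension installed by a script rather than through the browser shows up in the profile's Preferences file with traits a Web Store install never has: loaded unpacked from an absolute path on disk, not marked as coming from the store, and usually asking for broad permissions. The audit below is an added example, not part of Volexity's SHARPEXT analysis or of Crystal Eye; the Preferences JSON is constructed, and the numeric `location` and `state` codes are taken from Chromium's source as an assumption to verify against the browser build in use.

```python
"""Audit the extensions a Chromium-based browser has registered in its
Preferences file (added example, not from the Volexity SHARPEXT analysis).
The JSON is constructed; the 'location' and 'state' codes come from Chromium's
ManifestLocation and Extension::State enums and are assumptions to confirm."""
import json
import re

LOCATION_UNPACKED = 4          # ManifestLocation::kUnpacked in Chromium (assumption)
STATE_ENABLED = 1              # Extension::State ENABLED in Chromium (assumption)
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "webRequest", "webRequestBlocking",
                     "cookies", "history", "nativeMessaging", "debugger"}
ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:\\|/)")

# Constructed Preferences excerpt: one Web Store extension and one loaded
# unpacked from a user-writable directory with wide-reaching permissions.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "location": 1, "from_webstore": True, "state": 1,
                "path": "abcdefghijklmnopabcdefghijklmnop\\2.4.1_0",
                "manifest": {"name": "Notes", "version": "2.4.1",
                             "permissions": ["storage"]}},
            "bcdefghijklmnopabcdefghijklmnopa": {
                "location": 4, "from_webstore": False, "state": 1,
                "path": "C:\\Users\\user\\AppData\\Roaming\\Notepad\\ext",
                "manifest": {"name": "Update Helper", "version": "3.0",
                             "permissions": ["tabs", "webRequest",
                                             "webRequestBlocking", "<all_urls>"]}},
        }
    }
})


def audit_extensions(preferences_json):
    """Return one record per extension that shows at least one risky trait,
    most suspicious first."""
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        reasons = []
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from disk rather than from a .crx")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        path = entry.get("path", "")
        if ABSOLUTE_PATH.match(path):
            reasons.append("absolute path outside the profile's Extensions folder: " + path)
        manifest = entry.get("manifest", {})
        broad = sorted(set(manifest.get("permissions", [])) & BROAD_PERMISSIONS)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "enabled": entry.get("state") == STATE_ENABLED,
                             "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFERENCES):
        print(finding["id"], finding["name"], "; ".join(finding["reasons"]))
```

Run it over both `Preferences` and `Secure Preferences` in each profile directory (Chrome, Edge and Whale all keep the same layout), and treat `from_webstore: false` on its own as weak evidence, since enterprise-deployed extensions can carry it too. Chrome protects these settings with HMACs stored in Secure Preferences, so a script that adds an extension must also produce valid MACs; that requirement is consistent with the attacker first exfiltrating the profile files, as described above, before writing the entry back.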
New Ransomware Victims Last Week: 84

Red Piranha regularly collects information about organisations hit by ransomware from different sources, including the Dark Web. During the previous week, Red Piranha identified a total of 84 new ransomware victim organisations from 26 different countries. The LockBit3.0 group tallied the greatest number of new victims (38), spread across different countries, followed by the Medusa group with 14 new victims. Victim counts for these and the other ransomware groups observed are listed below.
| Name of Ransomware Group | No. of new victims last week |
|---|---|
| 0mega | 1 |
| AlphV | 5 |
| Avoslocker | 9 |
| Bianlian | 4 |
| BlackByte | 1 |
| Daixin | 1 |
| LockBit3.0 | 38 |
| Mallox | 3 |
| Medusa | 14 |
| Play | 2 |
| Ransomhouse | 1 |
| Royal | 4 |
| V is vendetta | 1 |