Threat Intelligence Report February 21 - February 27 2023

Throughout 2023, there have been reports of the DarkCloud Stealer appearing in numerous spam campaigns. This malware is capable of extracting sensitive data from compromised devices, such as credit card numbers, passwords, social security numbers, and other personal or financial information.

The DarkCloud Stealer operates through a multi-stage process that ultimately loads a final payload into the system's memory. Its data exfiltration capabilities are versatile and include the use of several communication channels, such as SMTP, Telegram, Web Panel, and FTP. Additionally, this advanced malware has the ability to customize its payload, enabling it to target different applications effectively and making it highly adaptable.

The Qakbot malware serves as a prime illustration of the ever-changing threat environment, emphasizing the criticality of maintaining a watchful eye in the cybersecurity realm. The malware's intricate architecture, far-reaching consequences, and pervasive prevalence stress the significance of taking pre-emptive and resilient security measures. The threat actors behind Qakbot exhibit considerable activity, frequently modifying their tactics to evade detection and increase their profits. They employ inventive attack methods such as OneNote attachments to showcase their level of sophistication and resourcefulness.

Orcus RAT is a type of malicious software program that enables remote access and control of computers and networks. It is a type of Remote Access Trojan (RAT) that has been used by attackers to gain access to and control computers and networks. Once downloaded onto a computer or network, it begins to execute its malicious code, allowing the attacker to gain access and control. It can steal data, conduct surveillance, and launch DDoS attacks. The malware is usually spread via malicious emails, websites, and social engineering attacks. It is also often bundled with other malicious software programs, such as Trojans, worms, and viruses.

Doublezero is a data wiper malware, which destroys files, registry keys, and trees on the Victim machine. The malware is written in the .net programming language.  It has customized obfuscation and a huge amount of junk code that makes malware reverse engineering harder to analyse these codes fully. The malware first enumerates the list of domain controllers connected to the infected host. When the malware is executed, it first checks if the compromised machine is one of the domain controllers. If this host is one of the domain controllers, the malware will not be executed.

OxtaRAT is an AutoIt-based malware for remote access. It is capable of remotely controlling its victim machines, searching and exfiltrating files, recording videos through the webcam and desktop, port scanning and more. The latest campaign is observed to be targeting human rights organisations and independent media from Azerbaijan and Armenia. The malware is being distributed as a document which appears to have a political context in the region. Once, opened, it drops an executable which executes scripts to run AutoIt. AutoIt is used to execute a code hidden in the attached image. The code installs a web shell, contacts its C&C, and downloads/uploads files.

Clasiopa is a threat actor group that is known to target materials research organisations in Asia. Evidence gathered from Clasiopa reveals that they mostly gain access to their victim networks via brute force attacks. Toolsets used by Clasiopa are mostly distinct and customized. These tools include Atharvan, a custom remote access trojan; Lilith, which is used for modifying system processes; Thumbsender, which lists file names on a victim machine and sends them out to its Command-and-Control server.

Red Piranha regularly collects information about organisations hit by ransomware from different sources including the Dark Web. During the previous week, Red Piranha identified a total of 61 new ransomware victim organisations in 27 different countries all over the world.  

One particular ransomware group named LockBit3.0 tallied the greatest number of new victims (27), the locations of which are spread across different countries. This is followed by AlphV groups who hit 18 new victims. Victim counts these ransomware groups, and a few others are listed below.

If we look at the victims as per the country, we can say that the USA was once again the most affected country by ransomware groups where a total of 27 new victims were reported last week. The number of new ransomware victims per country is listed below:

      

We conducted more research and discovered that 21 industries were affected globally by ransomware, with the manufacturing and Business Services sectors being struck with the loss of 11 and 6 new businesses respectively just last week. The following table lists the latest ransomware victims by sector: