Threat Intelligence Report February 28 - March 6 2023

An updated version of a backdoor called ReverseRAT has been observed targeting Indian government entities through spear phishing campaigns. The file masquerades as a fake advisory from India's Ministry of Communications about "Android Threats and Preventions." Once ReverseRAT gains persistence, it enumerates the victim's device, collects data, encrypts it using RC4, and sends it to the command-and-control (C&C) server. Some of its functions include taking screenshots, downloading and executing files, and uploading files to the C2 server.

The R3NIN Sniffer is a toolkit and panel that can be readily used to extract payment card data from e-commerce websites that have been compromised. This sniffer toolkit boasts several notable features, such as the ability to generate custom JavaScript codes for injection, the capability to exfiltrate compromised payment card data across different browsers, data management and analysis functions, BIN checks, and statistics generation.

On January 15, version 1.2 was released, which included features to fully obfuscate malicious scripts and conceal the URLs of the Command-and-Control (C&C) server. Another update was announced on January 26 that would add a keylogger to the sniffer module, enabling it to log input from multiple fields such as 'inputs,' 'selects,' and 'textareas' in a compromised website. On January 30, support for inline frames (iFrames) was added to the existing sniffer module.

WhiteSnake Stealer is a relatively new type of Infostealer that has emerged in the cybercrime market. While there are already established and widely-used InfoStealers available, threat actors prefer to use new toolkits to stay ahead of antivirus detection and update their tactics, techniques, and procedures. In this particular instance, WhiteSnake Stealer has extended its reach by developing a Linux-based malware version alongside its Windows version. This strategic move enables it to target a broader range of users and potentially evade detection by security measures that may be more commonly deployed on Windows-based systems.

8220 Gang is a threat group known for attacking public cloud users with misconfigured applications and services. Their most prevalent attack technique is brute forcing accounts on these cloud servers. Once they have gained the initial foothold, they try and spread to other servers and infect them with miners.

​​​​​​​S1deload Stealer is a malware which gathers user credentials on victim machines and uses the machines for cryptojacking and social media spamming. The initial distribution of this malware is through social engineering attacks where victims are encouraged to download an archive of photos. Upon execution, the malware starts sideloading its components as the legitimate process for defence evasion. It establishes a connection to its Command-and-Control server where the gathered credentials are imported. The threat actor then uses the social media accounts to sell boosting services for YouTube, Facebook, and other known social media platform.

​​​​​​​A cryptocurrency mining attack targeting the Linux operating system has recently included the use of an open-source remote access trojan known as CHAOS. The RAT alters /etc/crontab file, a UNIX task scheduler that downloads itself every 10 minutes from Pastebin to achieve persistence. Once downloaded and launched, it transmits system metadata to a remote server. It is GO Compiled with capabilities to carry out the following operations:

- Perform reverse shell,
- Download files,
- Upload files,
- Delete files,
- Take screenshots,
- Access file explorer,
- Gather operating system information,
- Restart the PC,
- Shutdown the PC, and
- Open a URL

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 41 new ransomware victims from 13 distinct industries across 18 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

LockBit3.0, a specific ransomware, has affected the largest number of new victims (27) spread across various countries. Bianlian and Snatch groups follow closely with each hitting 03 new victims. Below is the victim counts for these ransomware groups and a few others.

When we examine the victims by country out of 18 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 13 new victims reported last week. The list below displays the number of new ransomware victims per country.

      

After conducting additional research, we found that ransomware has impacted 13 industries globally. Last week, the manufacturing and business services sectors were hit particularly hard, with the loss of four businesses in each sector. The table below presents the most recent ransomware victims sorted by industry.