Threat Intel Banner
New Threat Detection Added: 5 (Rhadamanthys Stealer, Hive Malware Backdoor, Zerobot Malware, Playful Taurus APT, and Kimsuky APT)
New Threat Protections: 12
Overall Weekly Observables Count: 1,977,832
New Ransomware Victims Last Week: 30


Daily Submissions by Observable Type



Weekly Detected Threats

The following threats were added to Crystal Eye XDR this week:

Threat name:

Rhadamanthys Stealer

Researchers recently discovered a new information-stealing malware named "Rhadamanthys Stealer". The stealer is already in active use, and the threat actor (TA) behind it offers it for sale under the Malware-as-a-Service (MaaS) business model. Rhadamanthys spreads by luring users to phishing websites that impersonate popular programs such as Zoom, AnyDesk, Notepad++ and BlueStacks. It can also propagate through spam emails carrying an attachment that contains the malicious payload.

Threat Protected: 01
Rule Set Type:

Ruleset        IDS: Action    IPS: Action
Balanced       Reject         Drop
Security       Reject         Drop
WAF            Disabled       Disabled
Connectivity   Alert          Alert
OT             Disabled       Disabled

Class Type: Trojan-activity
Kill Chain: Initial Access T1598 - Execution T1204/T1059 - Privilege Escalation T1055 - Defence Evasion T1218/T1027/T1497 - Credential Access T1003/T1056/T1552 - Discovery T1082/T1518/T1083 - Collection T1005/T1114/T1087 - Command-and-Control T1071/T1095/T1105


Threat name:

Hive Malware Backdoor

Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s Hive multi-platform malware suite. The backdoor, tracked as xdr33, is derived from the CIA Hive project; its main purpose is to collect sensitive information and provide a foothold for follow-on intrusions. It establishes communication with the Trigger C2 and waits to execute the commands it issues.

Threat Protected: 01
Rule Set Type:

Ruleset        IDS: Action    IPS: Action
Balanced       Alert          Alert
Security       Reject         Drop
WAF            Disabled       Disabled
Connectivity   Alert          Alert
OT             Disabled       Disabled

Class Type: Trojan-activity
Kill Chain: Discovery TA0007 - Command-and-Control TA0011


Threat name:

Zerobot Malware

Zerobot is malware that compromises routers, cameras, firewalls and other exposed devices and enrols them in a distributed denial of service (DDoS) botnet. Its modules let it scan for further devices to infect, achieve persistence, attack a variety of protocols, and infect vulnerable devices across a range of operating systems and CPU architectures.

The most recent version of Zerobot adds new DDoS attack capabilities as well as exploits for Apache HTTP Server and Apache Spark vulnerabilities (CVE-2021-42013, a path traversal that can lead to remote code execution, and CVE-2022-33891, a shell command injection in the Spark UI, respectively).
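The two CVEs above give a concrete detection target. What follows is an added example, not Crystal Eye's own rule logic: it normalises request targets from a constructed web access log and flags the encoded path-traversal form used against Apache HTTP Server (CVE-2021-42013; the same check also catches the single-encoded variant) and shell metacharacters in the Spark UI "doAs" parameter (CVE-2022-33891). The log lines and IP addresses are constructed placeholders.

```python
"""Spot Zerobot-style exploitation attempts for CVE-2021-42013 (Apache HTTP
Server path traversal) and CVE-2022-33891 (Apache Spark UI command
injection) in a web server access log.

Added illustration, not Crystal Eye / Red Piranha detection logic. The log
lines are constructed; IPs come from documentation ranges.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

def normalize_path(path, max_rounds=4):
    """URL-decode until the string stops changing (bounded). CVE-2021-42013
    payloads hide '../' behind double-encoded dots: '.%%32%65/' -> '.%2e/'
    -> '../'. The caller keeps the raw path to tell it was encoded."""
    cur = path
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Characters that break out of the shell command Spark builds from the
# doAs parameter (CVE-2022-33891).
SHELL_META = re.compile(r"[`$;|&<>(){}\n]")

def check_request(target):
    """Return the CVE ids a request target appears to exploit."""
    hits = []
    parts = urlsplit(target)
    decoded = normalize_path(parts.path)
    # A literal '../' is normally collapsed client-side; encoded dots that
    # decode into a traversal are the exploit signature.
    if decoded != parts.path and TRAVERSAL.search(decoded):
        hits.append("CVE-2021-42013")
    for value in parse_qs(parts.query, keep_blank_values=True).get("doAs", []):
        if SHELL_META.search(value):
            hits.append("CVE-2022-33891")
            break
    return hits

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access log (combined log format).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jan/2023:10:01:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 -
192.0.2.5 - - [17/Jan/2023:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [17/Jan/2023:10:02:15 +0000] "GET /?doAs=%60id%60 HTTP/1.1" 200 -
192.0.2.6 - - [17/Jan/2023:10:04:00 +0000] "GET /?doAs=alice HTTP/1.1" 200 512
"""

def scan_log(text):
    """Return (source IP, CVE id) for each suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, _method, target, _status = m.groups()
        for cve in check_request(target):
            findings.append((src, cve))
    return findings

if __name__ == "__main__":
    for src, cve in scan_log(SAMPLE_LOG):
        print(f"{src}\t{cve}")
```

The decode loop is bounded on purpose: an attacker can nest encodings deeper than any sensor will decode, so a production rule should treat "still contains %25 after N rounds" as suspicious in its own right rather than keep decoding.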

Threat Protected: 01
Rule Set Type:

Ruleset        IDS: Action    IPS: Action
Balanced       Reject         Drop
Security       Reject         Drop
WAF            Disabled       Disabled
Connectivity   Alert          Alert
OT             Disabled       Disabled

Class Type: Trojan-activity
Kill Chain: Execution T1059/T1064 - Persistence T1543.002 - Privilege Escalation T1543 - Defence Evasion T1027/T1064/T1222 - Discovery T1082/T1083 - Command-and-Control T1071/T1095/T1571/T1573


Threat name:

Playful Taurus

Playful Taurus is a Chinese threat group known for conducting cyber espionage campaigns. Its primary targets are governments in the Americas, Africa and the Middle East. The group has been reported to use a backdoor called Turian, and the frequent discovery of updated variants suggests the malware is under constant development. It was recently found to have infected Iranian government networks. Crystal Eye has rules deployed to detect traffic attributed to the Playful Taurus APT group.

Threat Protected: 07
Rule Set Type:

Ruleset        IDS: Action    IPS: Action
Balanced       Reject         Drop
Security       Reject         Drop
WAF            Disabled       Disabled
Connectivity   Alert          Alert
OT             Disabled       Disabled

Class Type: Trojan-activity
Kill Chain: Initial Access T1566 - Execution T1059/T1106 - Persistence T1574 - Command-and-Control T1102


Threat name:

Kimsuky APT

Kimsuky, a North Korean APT group known for government-focused cyber espionage operations, has recently been observed targeting military base maintenance providers. A common Kimsuky tactic is to lure targets with phishing emails that resemble a notice from a government ministry. The email carries a malicious document posing as a sign-up form; once opened, it immediately contacts its command-and-control server for further instructions.

Red Piranha has deployed new rules that detect the initial domain requests to recently discovered Kimsuky-related sites. Traffic to these domains is rejected once it is observed from endpoints.
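As an added illustration of the domain-request detection described above (this is not Red Piranha's ruleset, and the domains are hypothetical placeholders, not real Kimsuky infrastructure): the script below takes a small watchlist, matches queried names from constructed Suricata eve.json DNS events on DNS label boundaries so that lookalike names do not trigger, and emits one Suricata reject rule per watchlisted domain.

```python
"""Flag DNS lookups of watchlisted C2 domains in Suricata eve.json DNS
records and emit a matching reject rule per domain.

Added illustration, not Red Piranha's rules. The watchlist domains and
eve.json events below are constructed placeholders.
"""
import json
from typing import Optional

# Hypothetical watchlist; the real domains ship inside the vendor ruleset.
WATCHLIST = ["ministry-notice.example", "signup-form.invalid"]

def _labels(name):
    return name.rstrip(".").lower().split(".")

def matches_watchlist(qname, watchlist=WATCHLIST) -> Optional[str]:
    """Return the watchlisted domain that qname equals or is a subdomain of.
    Comparison is per DNS label, so 'notministry-notice.example' does not
    match 'ministry-notice.example'."""
    q = _labels(qname)
    for dom in watchlist:
        d = _labels(dom)
        if len(q) >= len(d) and q[-len(d):] == d:
            return dom
    return None

# Constructed eve.json DNS events, one JSON object per line.
SAMPLE_EVE = """\
{"timestamp":"2023-01-17T09:12:01.000000+0000","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","id":4711,"rrname":"update.ministry-notice.example","rrtype":"A"}}
{"timestamp":"2023-01-17T09:12:01.001000+0000","event_type":"dns","src_ip":"10.0.0.53","dest_ip":"10.0.0.15","proto":"UDP","dns":{"type":"answer","id":4711,"rrname":"update.ministry-notice.example","rcode":"NOERROR"}}
{"timestamp":"2023-01-17T09:12:05.000000+0000","event_type":"dns","src_ip":"10.0.0.21","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","id":4712,"rrname":"www.example.org","rrtype":"A"}}
{"timestamp":"2023-01-17T09:12:09.000000+0000","event_type":"dns","src_ip":"10.0.0.22","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","id":4713,"rrname":"notministry-notice.example","rrtype":"A"}}
{"timestamp":"2023-01-17T09:12:11.000000+0000","event_type":"flow","src_ip":"10.0.0.22","dest_ip":"10.0.0.53","proto":"UDP"}
"""

def scan_eve(lines, watchlist=WATCHLIST):
    """Return (src_ip, queried name, matched watchlist domain) per hit.
    Only DNS queries count; answers and other event types are skipped."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        dns = ev.get("dns") or {}
        if ev.get("event_type") != "dns" or dns.get("type") != "query":
            continue
        dom = matches_watchlist(dns.get("rrname", ""), watchlist)
        if dom:
            hits.append((ev["src_ip"], dns["rrname"], dom))
    return hits

def suricata_rule(domain, sid):
    """Reject rule for the domain and its subdomains. 'dotprefix' prepends a
    dot to the queried name, so content '.domain' with 'endswith' matches
    the domain itself and any subdomain, mirroring matches_watchlist."""
    return (
        f'reject dns $HOME_NET any -> any any (msg:"Watchlisted C2 domain lookup '
        f'{domain}"; dns.query; dotprefix; content:".{domain}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )

if __name__ == "__main__":
    for hit in scan_eve(SAMPLE_EVE.splitlines()):
        print(hit)
    for i, dom in enumerate(WATCHLIST):
        print(suricata_rule(dom, 9000001 + i))
```

The SID range 9000001+ is an arbitrary local range chosen for the example; in a deployed ruleset the SIDs come from the vendor's allocation.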

Threat Protected: 02
Rule Set Type:

Ruleset        IDS: Action    IPS: Action
Balanced       Reject         Drop
Security       Reject         Drop
WAF            Disabled       Disabled
Connectivity   Alert          Alert
OT             Disabled       Disabled

Class Type: Trojan-activity
Kill Chain: Initial Access T1566 - Execution T1204 - Command-and-Control T1102


New Ransomware Victims Last Week: 30

Red Piranha regularly collects information about organisations hit by ransomware from different sources including the Dark Web. During the previous week, Red Piranha identified a total of 30 new ransomware victim organisations from 12 different countries all over the world.

The ransomware group with the greatest number of new victims was LockBit 3.0 (8), spread across several countries, followed by Royal with 6 new victims. Victim counts for these and the other groups observed are listed below.

Ransomware group   New victims
AlphV              3
Blackbyte          2
Hive               1
LockBit 3.0        8
Mallox             4
Play               2
RansomHouse        1
Royal              6
Vice Society       3


Looking at the victims by country, the USA is once again the most targeted country, with 11 new victims reported last week, followed by the UK with 6. The number of new ransomware victims per country is listed below:

Country                 New victims
Belgium                 1
Brazil                  1
Canada                  1
Germany                 2
Malaysia                1
Netherlands             1
Saudi Arabia            2
Spain                   1
Turkey                  2
United Arab Emirates    1
United Kingdom          6
United States           11



Details
Date Published: January 23, 2023