Threat Intelligence Report January 3 - January 9 2023

Threat name:

Shc Linux Malware

It has been observed that a Linux malware developed with Shell Script Compiler (Shc) has been installing a CoinMiner. Shc is responsible for converting Bash shell scripts into an ELF (Executable and Linkable Format). The Shc data section contains the original Bash shell script encoded with the Alleged RC4 algorithm. When it is executed afterwards, the same ARC4 algorithm is used to decode the original script, and the decoded script commands are executed.

ViperSoftX Malware

ViperSoftX is a Windows malware that deploys a Google Chrome extension named VenomSoftX. This malware is an information stealer with some clever obfuscation skills. ViperSoftX is a JavaScript-based RAT. It was first discovered in the early 2020s, but recently, this malware has become more widespread and is actively being exploited. Most often, cracked versions of Microsoft Office, Adobe Illustrator, and other programs, as well as torrent downloads are used to propagate ViperSoftX. Up until now, only Windows users have been impacted. India, the USA, and Italy are the nations most affected by ViperSoftX.

RisePro Stealer

RisePro is an information stealer that is similar to Vidar, another stealer. It gathers private information and extracts it as logs. RisePro is created using the C++ programming language. RisePro has been observed being distributed by threat actors using the malware downloader PrivateLoader. Currently, RisePro's developers are selling their malware through Telegram. Cybercriminals may use the data gathered by RisePro to steal identities, hijack internet accounts, and carry out unauthorized purchases and transactions (including cryptocurrency transactions), among other things. It is important to note that accounts that have been stolen could be used to spread malware, scam other users, and perform other actions. It is well known that logs are used to exfiltrate data stolen with RisePro. These logs are offered for sale to third parties and uploaded to black markets.

Linux Backdoor/Wordpress Exploit

Linux Backdoor/WordPress Exploit is a trojan application written in Go language which executes commands from its Command-and-Control server. It exploits vulnerabilities in WordPress plugins and themes. Upon successful exploitation, malicious JavaScript code is injected to redirect visitors to other sites.

Rhadamanthys Stealer

A C++ based trojan that extracts data from its victims. It is distributed alongside legitimate software. It targets device information, documents, as well as digital wallet passwords. It primarily uses Powershell to execute commands from its Command-and-Control server.

Pytorch Malicious Dependency Chain Compromise

Red Piranha regularly collects information about organizations hit by ransomware from different sources including the Dark Web. During the previous week, Red Piranha identified a total of 18 new ransomware victim organizations in 08 different countries all over the world.

One particular ransomware group named Play tallied the greatest number of new victims (07), the locations of which are spread across different countries. This is followed by BlackByte and Clop groups with 4 and 2 new victims respectively. Victim counts these ransomware groups, and a few others are listed below.

If we look at the victims as per the country, we can say that the USA was once again become the most affected country by ransomware groups where a total of 09 new victims were reported last week followed by Sweden with 3 new victims were reported. The number of new ransomware victims per country is listed below: