New Threat Detections Added: 6 (Shc Linux Malware, ViperSoftX Malware, RisePro Stealer, Linux Backdoor/WordPress Exploit, Rhadamanthys Stealer, and PyTorch Malicious Dependency Chain Compromise)
New Threat Protections: 134
Overall Weekly Observables Count: 2,085,923
New Ransomware Victims Last Week: 18


[Chart: Daily Submissions by Observable Type]



Weekly Detected Threats

The following threats were added to Crystal Eye XDR this week:

Threat name:

Shc Linux Malware

A Linux malware built with the Shell Script Compiler (Shc) has been observed installing a CoinMiner. Shc converts a Bash shell script into an ELF (Executable and Linkable Format) binary. The Shc data section holds the original Bash script encoded with the Alleged RC4 (ARC4) algorithm. When the binary is executed, the same ARC4 algorithm decodes the original script and the decoded commands are run.
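The paragraph above describes the one property of Shc that matters to an analyst: ARC4 is a symmetric stream cipher, so the same routine that "protects" the embedded script also recovers it once the key is known, and the binary therefore gives the attacker obscurity, not confidentiality. The following is an added example (not Red Piranha's code and not shc's own source) that implements RC4 and round-trips a constructed sample script through it. The key, the sample script and the `recover_script` helper are assumptions for illustration; real shc binaries derive the key from data stored inside the ELF, which this example does not reproduce.

```python
"""Added example: why the ARC4 layer in an Shc-style binary is reversible.

Not Red Piranha's code and not shc's own source. The key and the script
below are constructed for the demonstration; shc's real key derivation
from the ELF data section is NOT reproduced here.
"""


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (standard KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def arc4(data: bytes, key: bytes) -> bytes:
    """RC4 is keystream XOR, so one function both encodes and decodes."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed stand-ins for the key and the script an Shc binary would embed.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_SCRIPT = b"#!/bin/bash\necho 'hello from a compiled script'\n"


def recover_script(encoded: bytes, key: bytes) -> str:
    """Hypothetical analyst helper: decode an extracted data blob with a
    recovered key so the plain-text script can be reviewed instead of
    trusting the opaque ELF."""
    return arc4(encoded, key).decode("utf-8", errors="replace")


def demo() -> dict:
    """Encode the sample script, then show that decoding restores it."""
    encoded = arc4(SAMPLE_SCRIPT, SAMPLE_KEY)
    recovered = recover_script(encoded, SAMPLE_KEY)
    return {
        "encoded_differs": encoded != SAMPLE_SCRIPT,
        "round_trip_ok": recovered == SAMPLE_SCRIPT.decode(),
    }


if __name__ == "__main__":
    print(demo())
```

The defensive takeaway is that detection should not depend on seeing the script in clear text on disk: the CoinMiner commands only exist in plain form in process memory and in the child processes the stub spawns, which is where process-creation and network telemetry (rather than static file scanning) catches this family.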

Threat Protected: 01
Rule Set Type:

Ruleset         IDS: Action     IPS: Action
Balanced        Reject          Drop
Security        Reject          Drop
WAF             Disabled        Disabled
Connectivity    Alert           Alert
OT              Disabled        Disabled

Class Type: Malware
Kill Chain: Execution TA0002 - Defense Evasion TA0005 - Discovery TA0007 - Exfiltration TA0010 - Command-and-Control TA0011


Threat name:

ViperSoftX Malware

ViperSoftX is a Windows malware that deploys a Google Chrome extension named VenomSoftX. It is an information stealer with some clever obfuscation techniques, implemented as a JavaScript-based RAT. It was first discovered in the early 2020s, but recently it has become more widespread and is actively being deployed. It is most often propagated through cracked versions of Microsoft Office, Adobe Illustrator and other programs, as well as torrent downloads. Up until now, only Windows users have been impacted. India, the USA and Italy are the nations most affected by ViperSoftX.

Threat Protected: 56
Rule Set Type:

Ruleset         IDS: Action     IPS: Action
Balanced        Alert           Alert
Security        Reject          Drop
WAF             Disabled        Disabled
Connectivity    Alert           Alert
OT              Disabled        Disabled

Class Type: Trojan-activity
Kill Chain: Execution T1059 - Defense Evasion T1497 - Discovery T1082/T1497/T1518


Threat name:

RisePro Stealer

RisePro is an information stealer similar to Vidar. It gathers private information and exfiltrates it as logs. RisePro is written in C++ and has been observed being distributed by threat actors through the malware downloader PrivateLoader. Its developers currently sell the malware through Telegram. Cybercriminals may use the data gathered by RisePro to steal identities, hijack online accounts, and carry out unauthorized purchases and transactions (including cryptocurrency transactions), among other things. Stolen accounts can in turn be used to spread malware, scam other users, and perform other actions. The data stolen with RisePro is exfiltrated as logs, which are then offered for sale to third parties and uploaded to black markets.

Threat Protected: 52
Rule Set Type:

Ruleset         IDS: Action     IPS: Action
Balanced        Reject          Drop
Security        Reject          Drop
WAF             Disabled        Disabled
Connectivity    Alert           Alert
OT              Disabled        Disabled

Class Type: Trojan-activity
Kill Chain: Execution T1059/T1129 - Privilege Escalation T1055 - Defense Evasion T1055/T1497 - Discovery T1018/T1082/T1497 - Discovery T1082/T1083 - Command-and-Control T1071/T1095/T1573


Threat name:

Linux Backdoor/Wordpress Exploit

Linux Backdoor/WordPress Exploit is a trojan written in the Go language that executes commands received from its Command-and-Control server. It exploits vulnerabilities in WordPress plugins and themes. Upon successful exploitation, malicious JavaScript code is injected into the site to redirect visitors to other sites.

Threat Protected: 21
Rule Set Type:

Ruleset         IDS: Action     IPS: Action
Balanced        Reject          Drop
Security        Reject          Drop
WAF             Disabled        Disabled
Connectivity    Alert           Alert
OT              Disabled        Disabled

Class Type: Trojan-activity
Kill Chain: Initial Access T1190 - Execution T1059 - Command-and-Control T1102


Threat name:

Rhadamanthys Stealer

A C++-based trojan that steals data from its victims. It is distributed alongside legitimate software and targets device information, documents, and digital wallet passwords. It primarily uses PowerShell to execute commands received from its Command-and-Control server.

Threat Protected: 01
Rule Set Type:

Ruleset         IDS: Action     IPS: Action
Balanced        Reject          Drop
Security        Reject          Drop
WAF             Disabled        Disabled
Connectivity    Alert           Alert
OT              Disabled        Disabled

Class Type: Trojan-activity
Kill Chain: Initial Access T1189 - Execution T1059 - Command-and-Control T1102


Threat name:

Pytorch Malicious Dependency Chain Compromise

A malicious dependency has been found on the PyPI repository, sharing the name Torchtriton with the official library published on the PyTorch-nightly index. When pip fetches dependencies from more than one index, the PyPI copy normally takes precedence, so the malicious package is pulled onto the machine instead of PyTorch's legitimate one. This type of supply chain attack is known as dependency confusion: the threat actor registers a package on PyPI with the same name as one that exists only in a third-party index, and pip installs their version by default.
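
The mechanism described above is checkable before `pip install` runs: if a requirements file adds a third-party index with `--extra-index-url`, pip consults that index and PyPI together and picks by version, so any name that exists on both is confusable. The following is an added example (not Red Piranha's code and not PyTorch's own tooling) that parses requirements-style text, flags such overlaps, and rewrites the index options toward the safer form. The two index contents (`THIRD_PARTY_INDEX`, `PUBLIC_INDEX`) and the sample requirements are constructed stand-ins, not live data; `find_confusable` and `harden_options` are hypothetical helper names.

```python
"""Added example: pre-install dependency-confusion check for pip.

Not Red Piranha's code and not PyTorch's tooling. Index contents and the
sample requirements are constructed; in practice the third-party set comes
from the index's /simple/ listing and the public set from a PyPI lookup.
"""
import re

# Constructed: names served by the third-party (e.g. nightly) index.
THIRD_PARTY_INDEX = {"torchtriton", "internal-utils", "torch"}
# Constructed: names that also exist on the public index.
PUBLIC_INDEX = {"torchtriton", "torch", "requests"}

# Constructed requirements file in the shape the page's scenario uses.
SAMPLE_REQUIREMENTS = """
# nightly build pulled from a third-party index
--extra-index-url https://example.invalid/nightly/simple
torch==0.0.1
torchtriton==0.0.1
internal-utils>=1.0
requests==2.28.1
"""

# Package name, optionally followed by a version specifier (==, >=, ~= ...).
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:[=<>!~]=?.*)?$")


def parse_requirements(text):
    """Return (normalised package names, index/option lines)."""
    names, options = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (demo: no '#' in URLs)
        if not line:
            continue
        if line.startswith("-"):               # --index-url, --extra-index-url, ...
            options.append(line)
            continue
        m = REQ_LINE.match(line)
        if m:
            # PEP 503 normalisation: case-insensitive, '_' and '-' equivalent.
            names.append(m.group(1).lower().replace("_", "-"))
    return names, options


def find_confusable(names, options, third_party, public):
    """Names that are confusable: pip is told to merge a third-party index
    with PyPI (--extra-index-url) and the same name exists on both, so the
    copy with the higher version wins regardless of which index was meant."""
    uses_extra = any(o.startswith("--extra-index-url") for o in options)
    if not uses_extra:
        return []                              # single-index resolution: no merge
    return sorted(n for n in names if n in third_party and n in public)


def harden_options(options):
    """Rewrite toward the safer shape: --index-url makes the third-party
    index the ONLY index (it must then serve every dependency), and
    --require-hashes forces every requirement to carry a pinned hash."""
    hardened = [
        o.replace("--extra-index-url", "--index-url", 1)
        if o.startswith("--extra-index-url") else o
        for o in options
    ]
    if not any(o.startswith("--require-hashes") for o in hardened):
        hardened.append("--require-hashes")
    return hardened


if __name__ == "__main__":
    names, opts = parse_requirements(SAMPLE_REQUIREMENTS)
    print("confusable:", find_confusable(names, opts, THIRD_PARTY_INDEX, PUBLIC_INDEX))
    print("hardened options:", harden_options(opts))
```

The check deliberately flags every overlapping name rather than guessing which copy is "legitimate", because pip's resolver makes no such distinction; the operator then either pins hashes for those packages or confines installation to a single index. Note the cost of `--index-url`: the third-party index must then serve (or mirror) everything the project needs, which is why hash pinning is usually the more practical fix.
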
Threat Protected: 03
Rule Set Type:

Ruleset         IDS: Action     IPS: Action
Balanced        Alert           Drop
Security        Reject          Drop
WAF             Disabled        Disabled
Connectivity    Alert           Alert
OT              Disabled        Disabled

Class Type: Trojan-activity
Kill Chain: Execution TA0002 - Persistence TA0003 - Privilege Escalation TA0004 - Command-and-Control TA0011


New Ransomware Victims Last Week: 18

Red Piranha regularly collects information about organizations hit by ransomware from various sources, including the Dark Web. During the previous week, Red Piranha identified a total of 18 new ransomware victim organizations in 08 different countries around the world.

The ransomware group Play tallied the greatest number of new victims (07), spread across different countries. It is followed by the BlackByte and Clop groups with 4 and 2 new victims respectively. Victim counts for these ransomware groups, and a few others, are listed below.

BlackByte: 4
Clop: 2
Everest: 1
Hive: 1
Play: 7
Royal: 2
Vicesociety: 1


Looking at victims by country, the USA was once again the country most affected by ransomware groups, with a total of 09 new victims reported last week, followed by Sweden with 3 new victims. The number of new ransomware victims per country is listed below:

Canada: 1
China: 1
Colombia: 1
France: 1
Germany: 1
Spain: 1
Sweden: 3
USA: 9


Details
Date Published: January 09, 2023