Threat Intelligence Report July 18 - July 24 2023

The Konni APT is a sophisticated cyber espionage group dating back to at least 2014, suspected to operate from North Korea. Known for targeting government agencies in South Korea and the US, they use phishing messages to distribute the malicious Konni RAT tool. Once victims open weaponised files, the attackers gain access to their systems, extracting sensitive information and deploying a remote interactive shell. Linked to alleged attacks across Russia, East Asia, Europe, and the Middle East, the group shows code similarities with NOKKI malware. Their activities also involve targeting malicious Russian documents, and a spear phishing campaign in January 2022 revealed their continued cyber threat, necessitating heightened vigilance and proactive defence measures.

The ransomware dubbed "TargetCompany," which emerged in June 2021, garnered attention for its distinct approach of adding the targeted company's name as a file extension to encrypted files. Initially identified as "Mallox" due to its use of the ".mallox" extension, the ransomware variant has evolved. A recent encounter reveals it now uses the ".malox" extension instead. The malware is distributed through BatLoader, akin to RATs and Stealers. The Mallox ransomware group has integrated BatLoader into their operations to deliver the ransomware payload. This loader exhibits resemblances to previously identified ones utilised in disseminating malware like Quasar RAT, Async RAT, Redline Stealer, and DC RAT. The adoption of new infection techniques underscores the group's dedication to evasiveness and maintaining their malicious activities.

CHAOS is a free and open-source Remote Administration Tool that allows any user to generate binaries to control remote operating systems. Rules have been created to detect the usage of Chaos as it can be used for nefarious activities.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 139 new ransomware victims from 22 distinct industries across 28 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Nokoyawa, a specific ransomware, has affected the largest number of new victims (25) spread across various countries. Clop and LockBit3.0 groups follow closely with each hitting 24 and 21 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 28 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 75 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 22 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with 17% and 9% of the total ransomware victims belonging to each of those sectors respectively. The table below presents the most recent ransomware victims sorted by industry.