|New Threat Detection Added||3 (NanoCore RAT, TraderTraitor APT, and Kimsuky APT)|
|New Threat Protections||8|
|New Ransomware Victims Last Week||130|
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
The NanoCore RAT was discovered in 2013 and sold in underground forums. It is a versatile malware with functions like keylogging, password stealing, tampering with webcams, screen locking, file theft, and more. The current NanoCore RAT is spread through malspam campaigns using social engineering, containing fake bank receipts and requests for quotation. Malicious attachments with .img or .iso extensions are included. Another version is distributed via phishing campaigns with specially-crafted ZIP files to bypass secure email gateways. Stolen data is sent to the attacker's C&C servers.
Rule Set Type:
|Initial Access T1193 - Execution T1204 - Collection T1056 - Exfiltration T1041|
|Threat name:||TraderTraitor APT|
GitHub has issued a warning about a sophisticated social engineering campaign aimed at developers working in blockchain, cryptocurrency, online gambling, and cybersecurity industries. The primary objective of this campaign is to compromise their devices with malicious software. The campaign has been attributed to the North Korean state-sponsored hacking group, Lazarus, which is also known by aliases like Jade Sleet (according to Microsoft Threat Intelligence) and TraderTraitor (as per CISA). The US government published a detailed report in 2022, outlining the tactics employed by these threat actors. Notably, Lazarus has a well-documented history of targeting cryptocurrency companies and cybersecurity researchers for cyberespionage and cryptocurrency theft. The group's activities have raised serious concerns within the affected sectors.
Rule Set Type:
|Execution T1204 - Defence Evasion T1562 - Discovery T1082 - Impact T1486 – Command-and-Control T1071|
|Threat name:||Kimsuky APT|
Kimsuky APT, a North Korean threat group known to conduct government cyber espionage operations, has been recently discovered targeting military base maintenance providers. A common tactic for Kimsuky is to lure their targets with phishing emails resembling a notice from the government ministry department. This will include a malicious document that appears as a sign-up form; once executed, it will immediately contact its command-and-control server for further instructions.
Red Piranha has deployed new rules that will detect and prevent the initial domain requests for recently discovered Kimsuky-related sites.
Rule Set Type:
|Initial Access T1566 - Execution T1059 - Persistence T1547 - Command-and-Control T1071|
Known exploited vulnerabilities (Week 4 - July 2023):
For more information, refer to the Forum – Security Advisory
Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability
Apple Multiple Products Kernel Unspecified Vulnerability
Zimbra Collaboration (ZCS) Cross-Site Scripting (XSS) Vulnerability
Updated Malware Signatures (Week 4 - July 2023)
A remote access trojan that enables its operator to take control of a victim machine and steal data. It is usually distributed through spam and phishing emails.
Also known as the W32/Parite Virus which infects Windows computers and is classified as a polymorphic virus
A banking trojan used to steal online banking credentials
A malware dropper that is designed to download additional malware on an infected machine.
|New Ransomware Victims Last Week:||130|
Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 130 new ransomware victims from 20 distinct industries across 21 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.
Clop, a specific ransomware, has affected the largest number of new victims (69) spread across various countries. 8Base and Akira groups follow closely with each hitting 11 and 7 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.
|Name of Ransomware Group||Percentage of new Victims last week|