Threat Intelligence Report July 25 - July 31 2023

The NanoCore RAT was discovered in 2013 and sold in underground forums. It is a versatile malware with functions like keylogging, password stealing, tampering with webcams, screen locking, file theft, and more. The current NanoCore RAT is spread through malspam campaigns using social engineering, containing fake bank receipts and requests for quotation. Malicious attachments with .img or .iso extensions are included. Another version is distributed via phishing campaigns with specially-crafted ZIP files to bypass secure email gateways. Stolen data is sent to the attacker's C&C servers.

RAT Capabilities:

• Information Theft
• Backdoor Commands
• Exploits
• Disabling usage capability

GitHub has issued a warning about a sophisticated social engineering campaign aimed at developers working in blockchain, cryptocurrency, online gambling, and cybersecurity industries. The primary objective of this campaign is to compromise their devices with malicious software. The campaign has been attributed to the North Korean state-sponsored hacking group, Lazarus, which is also known by aliases like Jade Sleet (according to Microsoft Threat Intelligence) and TraderTraitor (as per CISA). The US government published a detailed report in 2022, outlining the tactics employed by these threat actors. Notably, Lazarus has a well-documented history of targeting cryptocurrency companies and cybersecurity researchers for cyberespionage and cryptocurrency theft. The group's activities have raised serious concerns within the affected sectors.

Kimsuky APT, a North Korean threat group known to conduct government cyber espionage operations, has been recently discovered targeting military base maintenance providers. A common tactic for Kimsuky is to lure their targets with phishing emails resembling a notice from the government ministry department. This will include a malicious document that appears as a sign-up form; once executed, it will immediately contact its command-and-control server for further instructions.

Red Piranha has deployed new rules that will detect and prevent the initial domain requests for recently discovered Kimsuky-related sites.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 130 new ransomware victims from 20 distinct industries across 21 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (69) spread across various countries. 8Base and Akira groups follow closely with each hitting 11 and 7 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 31 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 65 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 20 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with 19% and 16% of the total ransomware victims belonging to each of those sectors, respectively. The table below presents the most recent ransomware victims sorted by industry.