Threat Intelligence Report June 13 - June 19 2023

RisePro Stealer, closely resembling Vidar, is an insidious information-stealing malware that operates by collecting sensitive data and exporting it in log format. Developed using C++ programming language, RisePro is commonly distributed through PrivateLoader, a malware downloader. The creators of this malicious software have resorted to selling it on the popular messaging platform Telegram. Primarily, cybercriminals exploit information stealers like RisePro to extract valuable credentials such as usernames, passwords, credit card details, social security numbers, and ID card information. One prevalent technique employed by stealers involves keylogging, which records keyboard inputs. Infections often commence when victims unknowingly download the PrivateLoader malware, typically facilitated through malicious email links or attachments, counterfeit software updates, pirated/cracked software pages, P2P networks, third-party downloaders, or free file hosting sites. Various file formats, including malicious MS Office and PDF documents, ISO files, archives like ZIP or RAR, executables, and JavaScript files, are employed by threat actors to disseminate this malware.

Researchers have uncovered a sophisticated attack leveraging the DoubleFinger loader, accompanied by the cryptostealer GreetingGhoul and the remote-access Trojan Remcos. This multistage attack, resembling an advanced persistent threat (APT), begins with a malicious PIF file delivered via email. The stages of the attack involve executing shellcodes, downloading encrypted components from Imgur.com, bypassing security software, and replacing legitimate processes. The final payload, GreetingGhoul, steals cryptocurrency wallet data and intercepts user input, allowing cybercriminals to gain control and withdraw funds. Additionally, some variations of DoubleFinger install the remote access Trojan Remcos, granting complete surveillance and control over the compromised system. This attack demonstrates a high level of technical sophistication and poses a significant threat to victims' digital assets and privacy.

Jockerspy malware is a highly sophisticated and malicious form of spyware that poses significant threats to individuals and organisations alike. By infiltrating computer systems through various delivery mechanisms, such as malicious email attachments or compromised websites, Jockerspy establishes its presence and employs persistence techniques to evade detection. Once active, it establishes communication with its command-and-control infrastructure to receive instructions and transmit stolen data. With its extensive information-gathering capabilities, remote control functionality, and data exfiltration techniques, Jockerspy enables attackers to monitor activities, access files, and exfiltrate sensitive information. Its ability to propagate within networks further amplifies its potential for widespread damage. Understanding the operational intricacies of Jockerspy is crucial for implementing effective cybersecurity measures to protect against this potent threat.

GravityRAT is a highly advanced and sophisticated remote access Trojan (RAT) that poses a significant threat in the world of cybersecurity. Known for its stealthy capabilities and targeted attacks, GravityRAT enables remote control and surveillance of infected systems, allowing attackers to gain unauthorised access, steal sensitive information, and execute malicious commands. With its ability to evade detection, propagate within networks, and gather intelligence, GravityRAT poses a serious risk to individuals, organisations, and even governments, highlighting the need for robust cybersecurity measures to combat this formidable malware.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 132 new ransomware victims from 21 distinct industries across 32 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (35) spread across various countries. 8base and Lockbit3 groups follow closely with each hitting 18 and 17 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 32 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 71 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      


After conducting additional research, we found that ransomware has impacted 21 industries globally. Last week, the Finance and Manufacturing sectors were hit particularly hard, with the loss of 16 and 15 businesses in each sector respectively. The table below presents the most recent ransomware victims sorted by industry.