New Threat Detection Added: 4 (HelloTeacher Malware, NoEscape Ransomware, GobRAT, and HiatusRAT)
New Threat Protections: 4
New Ransomware Victims Last Week: 86
Weekly Detected Threats
The following threats were added to Crystal Eye XDR this week:
Threat name: HelloTeacher Malware
A new variant of Android spyware, named "HelloTeacher" after a test service referenced in its source code, is being distributed disguised as a popular messaging application such as Viber or Kik Messenger to lure users into installing it. Once installed it can extract contacts, SMS messages, photos and the list of installed applications, capture screenshots and record the device screen. Its authors have also attempted to add banking-trojan functionality by abusing the Android Accessibility Service, which the user has to enable for the app in Settings; three banks are its primary targets.
Threat Protected: 01
Rule Set Type:
Class Type: Trojan-activity
Kill Chain: Initial Access T1476/T1444 – Collection T1432/T1412/T1512/T1513 – Discovery T1418
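Because the Accessibility Service abuse described above only works once the user has enabled the malicious app as an accessibility service, the list of enabled services is a cheap host-side check. The Python below is an added example, not code from the advisory or from Red Piranha: it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns and reports any service not on an allow-list. The allow-list and the sample device output are constructed for the example (the `com.viber.voip.update` package is a made-up lookalike name, not a real indicator).

```python
"""Audit the accessibility services enabled on an Android device.

Added example, not part of the original advisory. Spyware of the
HelloTeacher type abuses the Android Accessibility Service, which must be
explicitly enabled in Settings. Android stores the enabled services as a
colon-separated string of pkg/class components that can be read with:

    adb shell settings get secure enabled_accessibility_services

The allow-list and the device output below are constructed for the example;
replace them with your own fleet policy and real adb output.
"""

from dataclasses import dataclass

# Hypothetical allow-list: accessibility services an organisation permits.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample output: TalkBack plus a lookalike "Viber" package (made-up name).
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.viber.voip.update/.AccessibilityHelper"
)


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str

    @property
    def flat_name(self) -> str:
        return f"{self.package}/{self.component}"


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Split the setting value into (package, component) pairs.

    Entries use the pkg/cls form of ComponentName.flattenToShortString();
    a class starting with '.' is relative to the package. The literal value
    'null' (setting never written) or an empty string means nothing is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # skip malformed fragments instead of aborting the audit
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append(AccessibilityService(pkg, cls))
    return services


def find_unexpected_services(raw: str, allowed=ALLOWED_SERVICES) -> list[str]:
    """Return the flattened names of enabled services that are not allow-listed."""
    return [s.flat_name for s in parse_enabled_services(raw) if s.flat_name not in allowed]


if __name__ == "__main__":
    for name in find_unexpected_services(SAMPLE_OUTPUT):
        print("unexpected accessibility service enabled:", name)
```

`dumpsys accessibility` on the device gives the same list with more detail (capabilities, event types) and is the place to look when a flagged package turns out to hold the `canRetrieveWindowContent` capability that overlay-style banking trojans need.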
Threat name: NoEscape Ransomware
Researchers have identified a newly established Ransomware-as-a-Service (RaaS) program called NoEscape that was actively recruiting affiliates. The ransomware is written in C++ and affiliates are expected to employ the triple-extortion technique against victims. The features advertised to affiliates are:
- ChaCha20 for file encryption and RSA to protect the file-encryption keys.
- Asynchronous LAN scanning to locate Distributed File System (DFS) and Server Message Block (SMB) shares, which are then used for lateral movement, persistence and evasion.
- Shared encryption, in which a single key encrypts every file on a system or across the network. This speeds up encryption of large datasets, and it also means that one key is enough to decrypt the whole victim environment.
- Builds for Windows XP through 11, Windows Server 2003 through 2022, Linux (including Ubuntu and Debian-based distributions) and VMware ESXi.
Threat Protected: 01
Rule Set Type:
Class Type: Trojan-activity
Kill Chain: Execution TA0002/T1204/T1569 – Persistence T1547 – Defence Evasion TA0005/T1070 – Lateral Movement TA0008 – Impact T1490/T1486
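The asynchronous SMB/DFS scanning described above leaves a simple network artefact: one internal host opening connections to many distinct hosts on TCP/445 in a short window, most of them failing. The Python below is an added example and not code from the advisory or from Red Piranha; it runs a per-source sliding-window fan-out check over connection records in the shape of Zeek `conn.log` fields. The records, the window of 60 seconds and the threshold of 20 targets are all constructed for the example and need tuning per environment, since backup servers, vulnerability scanners and domain controllers legitimately fan out over SMB.

```python
"""Flag hosts sweeping the LAN for SMB (TCP/445) from connection logs.

Added example, not part of the original advisory. The records are constructed
to look like Zeek conn.log fields (ts, id.orig_h, id.resp_h, id.resp_p,
conn_state); thresholds are illustrative.
"""

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float        # epoch seconds
    orig_h: str      # source address
    resp_h: str      # destination address
    resp_p: int      # destination port
    conn_state: str  # Zeek connection state, e.g. S0, REJ, SF


def detect_smb_sweeps(conns, window_s=60.0, min_targets=20):
    """Return (source, window_start_ts, distinct_targets) for every source
    that reached at least `min_targets` distinct hosts on TCP/445 within
    `window_s` seconds.

    A per-source deque holds (ts, dst) pairs in time order; entries older
    than the window are dropped before the distinct-target count is taken.
    Failed attempts (S0/REJ) are counted on purpose: a scanner touches hosts
    that are not listening, and that is what separates it from a file server.
    """
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for c in sorted(conns, key=lambda rec: rec.ts):
        if c.resp_p != 445:
            continue
        w = windows[c.orig_h]
        w.append((c.ts, c.resp_h))
        while w and c.ts - w[0][0] > window_s:
            w.popleft()
        targets = {dst for _, dst in w}
        if len(targets) >= min_targets and c.orig_h not in alerted:
            alerted.add(c.orig_h)           # one alert per source, not per packet
            alerts.append((c.orig_h, w[0][0], len(targets)))
    return alerts


def sample_conns():
    """Constructed sample: a workstation sweeping a /24 on 445 at two hosts per
    second, plus a file server that legitimately talks to five clients over
    five minutes and one non-SMB connection that must be ignored."""
    base = 1686600000.0
    conns = [Conn(base + i * 0.5, "10.0.1.50", f"10.0.1.{100 + i}", 445, "S0")
             for i in range(1, 31)]
    conns += [Conn(base + i * 60, "10.0.1.5", f"10.0.1.{10 + i}", 445, "SF")
              for i in range(1, 6)]
    conns.append(Conn(base + 3, "10.0.1.50", "10.0.1.200", 443, "SF"))
    return conns


if __name__ == "__main__":
    for src, start, n in detect_smb_sweeps(sample_conns()):
        print(f"possible SMB sweep: {src} reached {n} hosts on 445 within 60 s from ts={start}")
```

In production the same logic belongs in the SIEM or in a Zeek script keyed on `id.orig_h`, and the alert should carry the `conn_state` mix: a sweep dominated by S0/REJ against hosts that have never served SMB is a much stronger signal than the same count of SF connections to known servers.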
Threat name: GobRAT
GobRAT is a remote access trojan written in Go that targets Linux-based routers; it was documented by JPCERT/CC in 2023. Attackers first compromise routers whose web administration interface is exposed to the internet, then run a loader script that installs GobRAT and sets it up to persist. The implant communicates with its command-and-control server over TLS and accepts commands to collect system information, spawn a reverse shell, read and write files, and scan for and attack other machines, which lets the operators use the compromised router as a foothold into the network behind it. Because it runs on the network edge rather than on a managed endpoint, it is invisible to host-based EDR and is best detected from router integrity checks and egress traffic.
Threat Protected: 01
Rule Set Type:
Class Type: Trojan-activity
Kill Chain: Defence Evasion TA0005 – Discovery TA0007 – Command-and-Control TA0011
Threat name: HiatusRAT
HiatusRAT is a remote access trojan, first documented by Lumen Black Lotus Labs in 2023, that targets business-grade routers, mainly end-of-life DrayTek Vigor models. Once installed it collects host information, lets the operators run remote commands, read and write files, and tunnel traffic through the router as a proxy, and it is deployed alongside a modified tcpdump binary that passively captures traffic crossing the router, including email and FTP sessions, for exfiltration. As with other router implants, endpoint security tools never see it; detection depends on network telemetry, on router firmware and configuration integrity checks, and on retiring unsupported devices.
Threat Protected: 01
Rule Set Type:
Class Type: Trojan-activity
Kill Chain: Execution TA0002 – Persistence TA0003 – Privilege Escalation TA0004 – Defence Evasion TA0005 – Credential Access TA0006 – Discovery TA0007 – Command-and-Control TA0011
Known exploited vulnerabilities (Week 2 - June 2023):
For more information, refer to the Forum – Security Advisory
Vulnerability | Description
CVE-2023-33010, CVE-2023-33009 | Zyxel Multiple Firewalls Buffer Overflow Vulnerability
CVE-2023-3079 | Google Chromium V8 Type Confusion Vulnerability
Updated Malware Signatures (Week 2 - June 2023)
Threat | Description
Zusy | Zusy, also known as TinyBanker or Tinba, is a trojan built for man-in-the-browser attacks that steal banking data. On execution it injects itself into legitimate Windows processes such as explorer.exe and winver.exe. When the user visits a banking site, Zusy overlays a fraudulent form to trick the user into entering personal information.
Glupteba | A malware dropper designed to download additional malware onto an infected machine.
Upatre | A malware dropper that downloads additional malware onto an infected machine. It is usually observed dropping a banking trojan after the initial infection.
Nanocore | A remote access trojan built on the .NET framework whose source code has leaked several times, making it widely available. Like other RATs, Nanocore gives attackers full control of the system, including video and audio recording, password theft, file download and keystroke logging.
LokiBot | An information stealer that gathers data from victims' machines such as stored account credentials, banking information and other personal data.
Ramnit | A banking trojan used to steal online banking credentials.
Zeus | Also known as Zbot; primarily designed to steal banking credentials.
Valyria | A Microsoft Word macro-based malware used as a dropper for second-stage malware.
New Ransomware Victims Last Week: 86
Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 86 new ransomware victims from 18 distinct industries across 25 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which affect organisations of all sizes and sectors. Lockbit3 claimed the largest number of new victims (37) spread across various countries. Alphv follows with 8, then Bianlian and Darkrace with 7 each and Snatch with 5. Below are the victim counts and percentages for these ransomware groups and a few others (counts are derived from the percentages against the total of 86).

Name of Ransomware Group | New victims | Percentage of new victims last week
8base | 1 | 1.16%
Akira | 4 | 4.65%
Alphv | 8 | 9.30%
Bianlian | 7 | 8.14%
Blackbasta | 2 | 2.33%
Darkrace | 7 | 8.14%
Karakurt | 1 | 1.16%
Lockbit3 | 37 | 43.02%
Mallox | 4 | 4.65%
Medusa | 3 | 3.49%
Qilin | 4 | 4.65%
Ransomware blog | 1 | 1.16%
Snatch | 5 | 5.81%
Trigona | 1 | 1.16%
Vicesociety | 1 | 1.16%