Threat Intelligence Report March 14 - March 20 2023

Recently, there has been a surge in the usage of Android Banking Trojans that specifically target Brazilian banks utilising the PIX instant payment platform. A fresh iteration of GoatRAT has been discovered, which exclusively utilises the ATS framework to conduct deceitful money transactions. Notably, GoatRAT lacks other traditional features of banking Trojans, such as stealing authentication codes or incoming SMS messages and solely relies on the Accessibility service to execute the ATS framework, which suffices to execute fraudulent financial transactions. This new version of GoatRAT underlines the increased risk of cyberattacks in the present technological landscape, which may not necessitate numerous permissions or advanced Banking Trojan features to execute financial fraud.

Emotet is a Banking Trojan that spreads through spam emails containing malicious attachments, and once downloaded, it can receive commands from a remote server and steal victims’ emails and contacts. It was once the most widespread malware, but its activity has been declining. However, after three months of inactivity, the Emotet botnet has resurfaced and resumed sending malicious emails to infect devices worldwide. The new spam campaign uses Epoch4 servers and large document attachments, and the botnet's activity has been observed in over 16 countries by the researchers.

Winter Vivern is a threat actor group that is known to conduct espionage using simple yet effective techniques. Recent campaigns revealed that different government organisations have been targeted such as Poland, Ukraine, Italy, and India.

Rules are deployed on Crystal Eye devices to detect and prevent attacks that are attributed to the Winter Vivern.

Prometei is a botnet that was first discovered in 2020. Through continuous monitoring, it was revealed that Prometei kept on improving its infrastructure and capabilities. One of its techniques includes the installation of Apache with a web shell to gain access to their victims' machines accessible. The botnet was also observed to have a self-updating feature. Based on sinkhole data, it is also assessed with high confidence that the Prometei botnet has more than 10,000 infected systems worldwide.

A ransomware has been observed appending its encrypted file with the extension “.ClOP”. The CLOP Ransomware has been seen targeting a victim's network instead of their systems in their attacks' allowing them to persist even after the endpoints are cleaned up. The delivery of the said malware is being done through phishing campaigns. The loader sent in these campaigns in turn downloads software like SDBOT, FlawedAmmyy, and Cobalt Strike to set the stage for deployment of the malware.

Attackers are using Parallax RAT to gain access to their victims with functionality such as upload and download files as well as record keystrokes and screen captures. The first payload is a Visual C++ malware that employs the process hollowing technique to inject Parallax RAT into a legitimate Windows component called pipanel.exe. Parallax RAT, besides gathering system metadata, is also capable of accessing data stored in the clipboard and even remotely rebooting or shutting down the compromised machine. One notable aspect of the attacks is the use of the Notepad utility to initiate conversations with the victims and instruct them to connect to an actor-controlled Telegram channel.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 67 new ransomware victims from 15 distinct industries across 16 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

LockBit 3.0, a specific ransomware, has affected the largest number of new victims (30) spread across various countries. Blackbasta and Play groups follow closely with each hitting 10 and 06 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

When we examine the victims by country out of 16 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 41 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      

After conducting additional research, we found that ransomware has impacted 15 industries globally. Last week, the manufacturing and Retail sectors were hit particularly hard, with the loss of four businesses in each sector. The table below presents the most recent ransomware victims sorted by industry.