Threat Intelligence Report March 21 - March 27 2023

Royal Ransomware has been observed approaching its victims through phishing campaigns and using common threat loaders such as BATLOADER and Qbot. The threat loader then downloads a Cobalt Strike payload to continue the malicious operation within the infected environment. Other ransomware operations like Qbot and BlackBasta have been noted using the same technique. The ransomware has been gaining momentum in its no of victims beating some of the top ransomware groups.

A sophisticated advanced persistent threat (APT) group has been active since at least, 2016 and has targeted multiple organisations in various countries. The group, which the researchers refer to as "Bad magic," uses a variety of tactics and techniques, including spear-phishing emails, custom malware, and strategic web compromises, to gain access to their targets' networks and exfiltrate sensitive data.

According to the researchers, Bad magic has a particular interest in telecommunications, financial services, and government organisations, and they suspect that the group may be state-sponsored. The group's malware is highly sophisticated and its advanced evasion techniques and anti-analysis measures avoid detection. The researchers also note that Bad magic is highly skilled and adaptable, constantly evolving its tactics and techniques in response to new security measures.

Xaview Stealer is a type of malware that is designed to steal sensitive information from an infected device. This malware is a type of Trojan, which means that it disguises itself as a legitimate file or application to deceive users into downloading and installing it. Once Xaview Stealer is installed on a device, it starts to collect a wide range of information, including browser history, cookies, usernames and passwords, credit card information, and more. This information is then sent back to the attacker's server, where it can be used for malicious purposes such as identity theft or financial fraud. One of the main ways that Xaview Stealer is distributed is through spam email campaigns. These emails often contain malicious attachments or links that, when clicked on, download, and install the malware onto the victim's device.

SOMNIRECORD is a malware written in C++. It acts as a backdoor and masquerades its traffic as DNS as a form of evasion. It makes a DNS query to retrieve its commands from a hardcoded domain in the binary. Its commands allow the attacker to execute any software from the victim machine, list processes, and deploy a webshell.

Muggle Stealer is a malware that collects Windows and browser passwords, collects information, and takes screenshots of victim machines. The collected data is then uploaded to a Chinese IP. There is not enough data yet on how this stealer is commonly distributed and is not currently attributed to any threat actor.

Rules have been deployed on Crystal Eye devices that will detect and prevent this traffic.

It has been observed that the fake ChatGPT Chrome extension is being used as Facebook Ads account stealer. The malicious extension named Chat GPT for Google intends to steal Facebook session cookies and compromise accounts at go. The cookies are, subsequently, sent to the attackers’ server via a GET request. The cookie list is AES-encrypted and attached to the X-Cached-Key HTTP header value. This ensures that the cookies could be pilfered without any deep packet inspection mechanisms raising alarms.

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 188 new ransomware victims from 26 distinct industries across 34 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

Clop, a specific ransomware, has affected the largest number of new victims (105) spread across various countries. LockBit 3.0 and AlphV groups follow closely with each hitting 27 and 15 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

 
When we examine the victims by country out of 34 countries around the world, we can conclude that the USA was once again the most ransomware-affected country, with a total of 108 new victims reported last week. The list below displays the number (%) of new ransomware victims per country.

      

After conducting additional research, we found that ransomware has impacted 26 industries globally. Last week, the manufacturing and Business Services sectors were hit particularly hard, with the loss of 27 and 26 businesses in each sector, respectively. The table below presents the most recent ransomware victims sorted by industry.