Weekly Intelligence Report – 21 Jul 2022

Threat Actor in Focus

Latest Transparent Tribe Campaign Targets Education Sector

Attack Type: Spear-phishing, Malware Implant, Potential Data Exfiltration
Objective: Data Theft
Target Technology: Email, Windows
Target Industry: Education
Target Geography: India
Business Impact: Data Loss, Financial Loss, Loss of Intellectual Property

Summary:
Researchers have been tracking an ongoing campaign operated by the Transparent Tribe APT group. The campaign targets students at various Indian educational institutions. The attack involves the use of a malicious document delivered to a potential target either as an attachment or a link to a remote location in a spear-phishing email. The malicious document contains malicious VBA macros that lead to the execution of the malware CrimsonRAT. As per the researchers, the RAT is constantly being updated and comes with a number of new capabilities.

The domains used by the attackers were registered in June 2021 and named so as to appear relevant to students and educational entities. Researchers also noticed additional media-themed domains, consistent with Transparent Tribe’s tactics observed in past attacks.

Insights:

  • Researchers highlight that the three sets of domains observed in this campaign (the malicious Transparent Tribe infrastructure, vebhost[.]com, and zainhosting[.]net/com) are related. They also suggest that ZainHosting, a seemingly legitimate web services and hosting provider, owns and operates the malicious infrastructure. The researchers believe ZainHosting is one of many hired infrastructure contractors working for Transparent Tribe; such contractors prepare and stage the infrastructure, which the APT group then leverages in its own attacks.
  • While Transparent Tribe has been aggressively trying to widen its attack surface within the Indian subcontinent, its focus has been on government and military officials, and in the past few years pseudo-government entities have also been targeted. This new campaign indicates an interest in civilians from the education sector. The shift is likely intended to maintain long-term access and/or steal valuable or restricted research from top Indian research institutions that work closely with the Indian government.
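The campaign above delivers its payload either as a macro-carrying document attachment or as a link to the infrastructure named in the Insights. The following Python script is an added example, not code from the report or from the researchers it cites: it refangs the report's defanged domains, flags message-body links whose host is one of those domains or a subdomain of one, and checks an OOXML attachment (.docx/.xlsm/.pptm) for a VBA project part. Legacy binary .doc files are OLE containers and would need an OLE parser; they are out of scope here. The sample message body, the subdomains in it, and the in-memory .docx files are constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import List, Optional
from urllib.parse import urlparse

# Infrastructure named in the report, kept defanged exactly as the report writes it.
REPORT_IOC_DOMAINS = [
    "vebhost[.]com",
    "zainhosting[.]net",
    "zainhosting[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'vebhost[.]com' back into 'vebhost.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower().strip(".")


def domain_matches(host: str, ioc_domains=REPORT_IOC_DOMAINS) -> Optional[str]:
    """Return the IoC domain that `host` equals or is a subdomain of, else None.

    The label boundary check ('.' + domain) avoids a false hit on look-alikes
    such as 'notvebhost.com'.
    """
    host = host.lower().rstrip(".")
    for ioc in ioc_domains:
        d = refang(ioc)
        if host == d or host.endswith("." + d):
            return d
    return None


def flag_links(text: str, ioc_domains=REPORT_IOC_DOMAINS) -> List[str]:
    """Extract URLs from message text and return the IoC domains they point at."""
    hits: List[str] = []
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        d = domain_matches(host, ioc_domains)
        if d and d not in hits:
            hits.append(d)
    return hits


def has_vba_project(attachment: bytes) -> bool:
    """True if an OOXML attachment carries a vbaProject.bin part (i.e. VBA macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(attachment)) as z:
            return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML; a legacy OLE .doc needs a different parser


def triage(body: str, attachment: Optional[bytes]) -> dict:
    """Combine the link check and the attachment check into one triage result."""
    link_iocs = flag_links(body)
    macro_attachment = has_vba_project(attachment) if attachment else False
    return {
        "link_iocs": link_iocs,
        "macro_attachment": macro_attachment,
        "suspicious": bool(link_iocs) or macro_attachment,
    }


# --- constructed sample inputs (not from the report) -------------------------

def build_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal in-memory OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


# Constructed phishing-style body; the subdomain is invented for the example.
SAMPLE_BODY = (
    "Dear student, your scholarship form is ready:\n"
    "http://apply.vebhost.com/form.php?id=42\n"
    "Reference copy: https://example.org/notice\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_BODY, build_sample_docx(with_macro=True)))
```

The two checks are deliberately independent: a campaign that switches from attachments to links (or the reverse) still trips one of them, and the refang step means the IoC list can be pasted from a report without editing.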

Major Geopolitical Developments in Cybersecurity

Government Services In Albania Suffer a ‘Massive’ Cyber Attack

A ‘synchronized criminal attack from abroad’ forced the government of Albania to shut down its online services after suffering a cyberattack. The attack caused the primary servers of the National Agency for Information Society to go down.

In a press release, the Council of Ministers said “Albania is under a massive cybernetic attack that has never happened before. This criminal cyber-attack was synchronized… from outside Albania.”

The government said the cyberattack began on Friday targeting government and other public online services. The attackers have not been identified yet, although the attack method leveraged by attackers is said to be identical to attacks on Belgium, Germany, Lithuania, Malta, the Netherlands, and Ukraine last year.

The authorities have assured that citizens’ data stored in government systems is safe. The former PM blamed the government for concentrating too many services on the AKSHI system without considering proper protection.

Notably, the cyberattack took place shortly after the Albanian PM ordered mandatory use of online services by the population. As a result of the breach, several government services were put offline as a preventive measure.

Updates on Lockbit Ransomware Operations

Around January 2020, LockBit operators first appeared on Russian-language cybercrime underground forums. In June 2021, the operators introduced version two of the LockBit RaaS, advertised as LockBit 2.0, which was reportedly bundled with StealBit, a built-in information-stealing feature.

The LockBit 2.0 operators are known to implement the double extortion technique by threatening to publish exfiltrated data on their dark web leak site, “LockBit BLOG”, if ransom demands are not met. This tactic coerces victims into paying.

At the start of November 2021, increased pressure from law enforcement agencies and the unavailability of members forced the prolific RaaS group BlackMatter to shut down its operations. However, researchers reported that existing BlackMatter affiliates were moving their victims to the LockBit DLS, most likely to facilitate their extortion efforts: BlackMatter victims were provided with URLs to new negotiation pages belonging to LockBit. With more experienced affiliates joining the LockBit ransomware group, it is on course to become one of the largest and arguably the most successful ransomware groups in operation.

Researchers have recently reported a relationship between LockBit and the Russian cybercrime group Evil Corp. Notably, in 2019 the US government sanctioned Evil Corp, prohibiting US organizations targeted by Evil Corp from complying with its ransom demands. The report states that Evil Corp is now using the LockBit ransomware variant to circumvent these sanctions. This development hampers LockBit’s own ransomware business: once linked to Evil Corp, impacted US organizations would be more reluctant to pay the ransom, and a large share of LockBit’s income comes from US organizations. In 2022 alone, more than 30% of its claimed victims were organizations operating in the US.

The LockBit ransomware group has recently released its LockBit 3.0 variant, and the operation also introduced a few tweaks to its dedicated leak site, including a bug bounty program. The leak site now also shows what appears to be the ransom amount demanded from the victim alongside the existing countdown timer. As time goes by and the timer approaches zero, the ransom amount decreases, and if no ransom is paid the exfiltrated data is leaked. The group has also added support for the Zcash cryptocurrency as a payment option. Researchers indicate that LockBit 3.0 appears to be inspired by the BlackMatter ransomware (a rebrand of DarkSide), stating that “Large portions of the code are ripped straight from BlackMatter/Darkside.”