Weekly Intelligence Report – 01 Mar 2024

Published On : 2024-02-29

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows, Linux and MacOS

Introduction
CYFIRMA Research and Advisory Team has found Kuiper ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Kuiper ransomware
Kuiper ransomware was discovered in the wild in September 2023, coinciding with the launch of its Ransomware-as-a-Service (RaaS) platform during the same month. The ransomware is written in Golang.

The initial sales post for the Kuiper ransomware (Source: Surface Web)

Researchers found various versions of ransomware, namely A, B, and C. Each version has distinct “variants” corresponding to the targeted platform of the binary.

The flowcharts of the Windows variants of the different versions:
For all flowcharts, a dotted line is a conditional action, whereas a solid line defines an action that will happen.

The ransomware’s flowchart for the Windows-targeting variant of version A (Source: Surface Web).

The third step, involving the termination and stopping of unwanted processes and services, occurs in two loops within the main function.

The ransomware’s flowchart for the Windows-targeting variant of version B (Source: Surface Web).

Although the flowchart for the Windows variant of version B resembles that of version A, notable differences exist. Version B makes fuller use of Golang’s concurrency. Furthermore, stopping and terminating unwanted processes and services is now a distinct function. A significant addition in version B is a continuous loop that terminates specific processes by name, which version A lacks.

The ransomware’s flowchart for the Windows-targeting variant of version C (Source: Surface web).

Linux & MacOS
Since researchers found only a single MacOS sample, it is analyzed by comparing it with the Linux variant of the same version, version C.

The initial Linux-based sample acquired is version B. The ransomware’s capabilities on Linux are relatively straightforward compared to the Windows variant. It initiates recursive encryption of the designated folder, clears keys from memory, and optionally restarts the system. Essentially, it drops all Windows-specific functionality and relies solely on platform-agnostic code.

The ransomware’s flowchart for the Linux-targeting variant of version B (Source: Surface Web)

In version C, there are no significant differences, aside from minor details. Like the similarity between the Linux variants of version B and C, the MacOS version shows minimal variance from the mentioned Linux versions. The following flowchart encompasses both the Linux and MacOS variants of version C.

The ransomware’s flowchart for the Linux- and MacOS-targeting variants of version C (Source: Surface Web)

CLI-arguments of Ransomware
The ransomware employs an internal configuration to execute or skip particular actions. Some settings are adjustable through the command-line interface (CLI), while others are hardcoded into the binary.

The following lists the arguments along with brief explanations of their purposes.

| Argument | Introduced in version | Type | Default value | Purpose |
|---|---|---|---|---|
| -help | A | String | | Display the help menu. |
| -p | A | String | The root of the drive | The path to start the recursive file encryption in. When omitted, the root of the file system is used. On Windows, the drive letters A through Z are targeted when no path is specified. |
| -note | A | Boolean (yes/no) | yes | Defines whether the ransom note is left during the encryption process, or only once the encryption process is complete. |
| -reboot | A | Boolean (yes/no) | yes | When true, the malware forces the machine to reboot once the encryption has finished. |
| -rename | A | Boolean (yes/no) | yes | Ensures the encrypted files are renamed to include the ransom extension, either per encrypted file (yes) or once the encryption has finished (no). |
| -kill | A | Boolean (yes/no) | yes | Terminates specific processes to avoid interruption prior to and during the encryption, when set to true. |
| -bm | A | Boolean (yes/no) | yes | Ensures big files are encrypted first when set to true. |
| -shared | C | String | auto or ip | The ransomware will find and mount remote shares. |
| -chacha | C | Boolean (yes/no) | yes | Use the ChaCha20 algorithm, rather than the default AES, to encrypt files whose size is no larger than 500 megabytes. |
| -safe | C | Boolean (yes/no) | yes | Reboot the system into safe mode, and start the encryption from there. |
| -spread | C | Boolean (yes/no) | yes | Spread from a domain controller to all connected hosts. |

Settings are stored in global variables and accessed during the ransomware’s execution. Samples where the debug setting isn’t enabled can be patched by changing the boolean value in the binary to “1,” allowing debug messages to be printed during runtime. This setting is enabled by default in all encountered samples.

Once the ransomware starts, it will print debug messages in the console.

Using the “-safe” command-line argument triggers an immediate response during internal configuration initialization. The ransomware checks whether it has administrative privileges. If not, it requests them and then reboots the device into safe mode; if they are already granted, it reboots the system into safe mode directly.

The check for administrative privileges consists of attempting to read physical drive 0. Only processes with administrative privileges can open that device; the attempt fails otherwise, and the outcome of the read is reduced to a boolean.

In the absence of administrative privileges, a PowerShell script is run using “cmd.exe /c.” This script restarts the ransomware with the necessary privileges.

After the sleep period concludes, normal execution resumes as the function returns. If the necessary privileges are present, the “main.RestartSafemode” function is invoked. Initially, it reads itself and writes the newly acquired data into “safemode.exe” within the public user profile’s home folder.

Following that, it creates a file named “safemode.bat” in the same folder as “safemode.exe.” This batch file adds a registry key named “Shell” to execute the ransomware on system startup. If the key already exists, it is overwritten. After writing the batch file, it is executed and, after a one-second sleep, removed. The system is then configured to start in safe mode with network access on the next boot, ultimately leading to an automatic launch of the ransomware.
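The persistence chain above leaves three host artefacts a defender can look for: a rewritten Winlogon “Shell” value, a batch file run out of the public user profile, and the system being reconfigured for safe mode. The following is an added triage example for this report, not CYFIRMA’s code or part of Kuiper. It runs over Sysmon-style registry and process events; the event layout, field names and all sample events are constructed. The “Shell” value name and the “safemode.exe”/“safemode.bat” file names come from the report, while the profile path C:\Users\Public and the use of bcdedit’s safeboot option to force the next boot into safe mode with networking are assumptions (the report does not name the mechanism).

```python
"""Triage Sysmon-style telemetry for the safe-mode persistence chain described above.

Added example for this report; not CYFIRMA's code and not part of Kuiper. The event
shape, field names and all sample events are constructed. From the report: a "Shell"
value is written under Winlogon, "safemode.exe" is dropped into the public user
profile and "safemode.bat" is run by cmd.exe. Assumptions: the profile path is
C:\\Users\\Public and the next boot is forced into safe mode via bcdedit's safeboot
option (the report only says safe mode with network access is configured).
"""
from dataclasses import dataclass
from typing import Iterable, List

WINLOGON_SHELL_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon\shell"
STOCK_SHELL = "explorer.exe"


@dataclass
class Event:
    kind: str            # "registry" (value set) or "process" (creation)
    host: str
    image: str           # process that produced the event
    target: str = ""     # registry TargetObject
    details: str = ""    # registry value data
    cmdline: str = ""    # process CommandLine


def winlogon_shell_hijacked(ev: Event) -> bool:
    """Winlogon\\Shell rewritten to anything other than the stock explorer.exe."""
    return (
        ev.kind == "registry"
        and ev.target.lower().endswith(WINLOGON_SHELL_SUFFIX)
        and ev.details.strip().lower() != STOCK_SHELL
    )


def safeboot_configured(ev: Event) -> bool:
    """bcdedit asked to boot into safe mode (assumed mechanism, see module docstring)."""
    cl = ev.cmdline.lower()
    return ev.kind == "process" and "bcdedit" in cl and "safeboot" in cl


def public_profile_batch(ev: Event) -> bool:
    """cmd.exe running a .bat out of the public user profile, as safemode.bat is."""
    cl = ev.cmdline.lower()
    return (
        ev.kind == "process"
        and ev.image.lower().endswith("\\cmd.exe")
        and "\\users\\public\\" in cl
        and ".bat" in cl
    )


def triage(events: Iterable[Event]) -> List[str]:
    """Return one finding string per suspicious event, in input order."""
    findings = []
    for ev in events:
        if winlogon_shell_hijacked(ev):
            findings.append(f"{ev.host}: Winlogon Shell set to '{ev.details}' by {ev.image}")
        if safeboot_configured(ev):
            findings.append(f"{ev.host}: safe boot configured: {ev.cmdline}")
        if public_profile_batch(ev):
            findings.append(f"{ev.host}: batch file run from public profile: {ev.cmdline}")
    return findings


# Constructed sample telemetry (not real logs): one benign Shell write, then the chain.
SAMPLE_EVENTS = [
    Event("registry", "WS01", r"C:\Windows\System32\msiexec.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          details="explorer.exe"),
    Event("process", "WS02", r"C:\Windows\System32\cmd.exe",
          cmdline=r"cmd.exe /c C:\Users\Public\safemode.bat"),
    Event("registry", "WS02", r"C:\Windows\System32\reg.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
          details=r"C:\Users\Public\safemode.exe"),
    Event("process", "WS02", r"C:\Windows\System32\bcdedit.exe",
          cmdline="bcdedit /set {current} safeboot network"),
    Event("process", "WS02", r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe -k netsvcs -p"),
]


def run_sample() -> List[str]:
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The Shell check matches on the value path suffix only, so it fires whether the key is written under HKLM or HKCU, and it ignores the stock explorer.exe value that installers and imaging tools legitimately rewrite; the three findings for host WS02 appear in event order.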

Deleting Backup:
Versions A, B, and C all employ a wrapper call to execute command-line strings. On Windows, it uses “cmd.exe /c,” and on Linux platforms, it uses “/bin/bash -c,” followed by a space and the command to execute. In Windows variants, the process window is hidden. While Version A uses stack strings for constructing command-line strings, Versions B and C use hard-coded strings.

Noteworthy in Version A is the inclusion of “cmd.exe /c” at the beginning of the strings, indicating the presence of two “cmd.exe” instances in the execution chain before the actual command. Starting from Version B, “cmd.exe /c” has been excluded from the command strings. The table below illustrates the executed commands for each version, with potential additions in Versions B and C. No commands were removed over time.

Source: Surface Web

In the Windows variant of Version A, the boot status policy is set to ignore all failures and recovery mode is disabled, preventing Windows’ automatic repair feature from activating. Additionally, all shadow copies, existing backup catalogs, system state backups, and the application and security logs are quietly deleted. This removes traces available for detecting the intrusion: although clearing the logs can itself signal an intrusion, the specific details become inaccessible, and in any case the presence of ransomed files alone already gives the intrusion away, so the telltale-sign argument is moot.

Before encrypting files, the ransomware takes precautions by terminating specific processes and stopping targeted services to prevent interruptions during its main activity. The following tables list the targeted processes and services slated for neutralization. No removals were identified between the different versions.

This practice is widespread among various ransomware families, enhancing the likelihood of successfully encrypting the victim’s files. Concerning blocklisted services, there is a slight increase in their number from version A to B, with only one addition. The count then doubles from version B to C, resulting in a total of 22 blocklisted services.

Source: Surface Web

Blocklisted processes exhibit a similar pattern, initiating at 13; version B contributes one, and version C substantially increases the count to 27 by adding 13 more processes.

After attempting to disable blocklisted processes and services, the ransomware proceeds to disable Windows Defender, with different methods in various Kuiper versions.

In Kuiper version A, the commands to disable Defender are hex encoded and decoded at runtime, likely to evade literal string matching in binary detection rules. In contrast, versions B and C use base64 encoded PowerShell commands instead of hex encoded strings.

The structure of each command is consistent, employing the Set-MpPreference cmdlet: “powershell.exe -ep bypass -c Set-MpPreference -[setting] 1 -ErrorAction SilentlyContinue.” The value of “[setting]” varies for each command, and there is no string replacement; each command is present in full. The error action ensures that any failed command is silently ignored. The command execution wrapper function uses “cmd.exe /c,” followed by a space and the given command, to execute each command.

In Version B, the approach diverges by implementing multiple loops. One loop continuously disables Defender’s real-time monitoring capability, while other loops continually terminate processes such as “taskkill.exe,” “tasklist.exe,” “taskmgr.exe,” “cmd.exe,” and “ps.exe.”

Version C maintains the disablement of real-time monitoring and targets several processes, with three notable changes: the processes have undergone slight modifications, all code is consolidated within a single loop, and the loop now includes a one-second sleep at the end of each iteration. Notably, “taskkill.exe,” “cmd.exe,” and “ps.exe” have been removed, and “regedit.exe” and “ProcessHacker.exe” have been added.

Source: Surface Web

Version C introduces extra functionalities, including the ability to bypass sandbox environments and disable Defender through a single function call.

The sandbox evasion process involves attempting to read “C:\Windows\system32\cmd.exe.” If unsuccessful, the malware initiates a shutdown.

Subsequently, it seeks to disable Windows Defender by invoking the WDEnable export. The malware first loads the DLL that exports this function to ensure it is available, then resolves the function’s address. Using the obtained address, the function is called with “false” passed as the sole argument.

The malware author implements another sandbox bypass strategy, consisting of an empty loop iterating 1000 times. This loop, devoid of any content, is intended to consume CPU cycles. In practice, however, the bypass accomplishes nothing substantial. Although the loop lives in its own function in the leaked source code, the compiler inlines it into the enclosing bypass function, so calling that function merely adds runtime overhead.

The sole ‘bypass’ function present in the Linux and MacOS variants is this empty loop, whose purpose is derived from the leaked Kuiper source code. The significance of the empty loop in the decompiled code remains unclear. In the Linux and MacOS variants, this loop is situated within the threaded main function, with the compiler opting for inlining to eliminate function calls and minimize overhead.

The ransomware attempts to propagate across the network by first acquiring the IP address of the current device. It then spreads the executable over IPs within the range of the last octet of the local IP and proceeds to mount all shared folders and drives.

For obtaining the local IP, there are two methods, depending on the command-line interface argument. The “auto” method utilizes “main.GetNetworkIp,” while the “main.GetNetworkIpByIp” is used if an IP address is provided through the command-line interface.

In “main.GetNetworkIp,” Golang’s net.Interfaces is used to fetch the list of interfaces on the machine. Interfaces named “docker,” “lo,” and “lo0” are excluded. The function iterates through the remaining interfaces, calling “main.GetNetworkIpByIp” in a loop with a gradual IP increment. This results in a list of reachable IP addresses.

The objective of “main.GetNetworkIpByIp” is to verify the feasibility of an SMB connection on devices within the last octet of the local IP. Any IP where this connection is possible is then recorded.

After iterating through the IP addresses and obtaining the local address, the malware initiates the process of spreading to all previously identified IPs where an SMB connection is possible. This is accomplished by copying itself into the public user profile on the remote machine.

The newly copied ransomware is launched using “wmic /node:[location] process call create” with the path to the ransomware and command-line interface arguments for its initiation. In this instance, the ransomware runs with default settings but refrains from rebooting the machine once the encryption is complete.

After replicating itself to other machines and initiating processes on remote machines, the ransomware proceeds to mount shared folders on the machine where it is currently executing. It retrieves all shares using WMIC and verifies if there are additional shares beyond the default ones, which are blocklisted.

The obtained locations are then mapped to a drive letter using “net use [drive] [location].”
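The spreading behaviour described above has a simple network signature: one host opening SMB connections to many addresses in its own /24 within a short time. The following is an added detection example for this report, not CYFIRMA’s code or part of Kuiper. It works on connection records of the kind a firewall or NetFlow export provides (timestamp, source, destination, destination port); the record layout, the thresholds and the sample flows are constructed for the example.

```python
"""Flag hosts that probe SMB across their own /24, the spread pattern described above.

Added example for this report, not CYFIRMA's code and not part of Kuiper. Record
layout, thresholds and sample flows are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


def smb_sweeps(flows: List[Flow], min_targets: int = 10,
               window: timedelta = timedelta(minutes=5)) -> Dict[str, int]:
    """Return {source: peak distinct targets} for every source that reached at least
    min_targets distinct hosts in its own /24 on 445/tcp inside some window."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for f in flows:
        if f.dport != 445 or f.dst == f.src:
            continue
        own_net = ipaddress.ip_network(f"{f.src}/24", strict=False)
        if ipaddress.ip_address(f.dst) in own_net:   # the local last-octet range only
            by_src[f.src].append((f.ts, f.dst))
    hits: Dict[str, int] = {}
    for src, probes in by_src.items():
        probes.sort()
        peak = 0
        for i, (t0, _) in enumerate(probes):
            # distinct targets reached within [t0, t0 + window]
            targets = {dst for ts, dst in probes[i:] if ts - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            hits[src] = peak
    return hits


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one host sweeping 10.20.30.0/24 on 445 every two seconds,
    and one ordinary workstation talking to its file server and domain controller."""
    base = datetime(2024, 2, 28, 10, 0, 0)
    flows: List[Flow] = []
    for i in range(1, 31):
        flows.append(Flow(base + timedelta(seconds=2 * i), "10.20.30.15", f"10.20.30.{i}", 445))
    for i in range(6):
        flows.append(Flow(base + timedelta(seconds=40 * i), "10.20.30.40", "10.20.30.5", 445))
        flows.append(Flow(base + timedelta(seconds=40 * i + 7), "10.20.30.40", "10.20.30.6", 389))
    return flows


def run_sample() -> Dict[str, int]:
    return smb_sweeps(build_sample_flows())


if __name__ == "__main__":
    print(run_sample())
```

The sweeping host reaches 29 distinct neighbours (its own address is skipped) inside a single window, while the workstation touches only two servers and is not reported. The /24 restriction mirrors the report’s last-octet behaviour; a backup server or vulnerability scanner that legitimately touches every host on 445 needs to be allow-listed, and a real deployment would also want the “wmic /node:” process-creation events on the source host as corroboration.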

Getting into the ransom notes, the notes of Kuiper have not changed much throughout the different versions. In each version thus far, the notes are hex encoded, only to be decoded during runtime.

In Version A, the victim ID is dynamically generated at runtime and encompasses the utilized key and IV, encrypted, along with an MD5 hash of the public key. The data is delimited with colons, and the entire string commences with “RSA=”. This lengthy string is hex encoded and replaces the “ID” in the ransom note, providing all the necessary information for the threat actor to retrieve the key and IV, enabling file decryption.

In Version C, the format evolves with the introduction of ChaCha20 as an option for encrypting large files. The ID remains hex encoded and still starts with “RSA=” before encoding. It now consists of 32 characters, a colon, four digits, and a boolean. The data within the ID is akin to the previous version but now also includes the ChaCha20 key and IV, alongside the AES key and IV. This data is gzip compressed, with the boolean indicating whether ChaCha20 was employed.

The ransomware excludes some folders from encryption.

Source: Surface Web

On Linux, excluded folders are incorporated starting from version B onwards, although they are not explicitly present in the specific version C build. The leaked source code contains this information, suggesting a potential error made by the actor during the construction of version C. The excluded folders are detailed below.

/bin, /boot, /dev, /etc, /initrd, /lib, /lib64, /libx32, /opt, /proc, /root, /run, /sbin, /srv, /sys, /tmp, /usr/, /var

The MacOS variant also excludes specific folders. The excluded folders are listed below.

/Applications, /bin, /cores, /dev, /etc, /home, /Library, /net, /private, /sbin, /System, /tmp, /usr, /var

Each identified file undergoes evaluation based on its extension. If the extension is not included in the blocklist, the file is encrypted. The blocked extensions are outlined in the table below.

Source: Surface Web

For large files intended to be encrypted differently, employing either ChaCha20 or AES, a distinct percentage of the file undergoes encryption. Furthermore, the extension of any substantial file undergoes an additional check. If it matches “.sql,” “.txt,” “.db,” or “.json,” it is encrypted as if it were a normal-sized file, irrespective of its actual size.

If the file is categorized as large, an additional extension check is performed. If the extension corresponds to any of the extensions listed below, it undergoes encryption in fast mode, wherein only a quarter of the file is encrypted.

.abk, .abu1, .acp, .adi, .avdx, .avhd, .backup, .bkz, .blend1, .doc, .docx, .dsb, .gho, .iso, .jpa, .mbk, .nba, .nvram, .pdf, .pvm, .qbmb, .qcow2, .raw, .scripa, .sis, .spg, .subvol, .vbox-prev, .vdi, .vhd, .vhdx, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vsv, .wx, .xlsx, .zip.
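Because fast mode overwrites only a quarter of a large file, the rest of its content survives on disk, which matters for recovery triage of disk images and databases. The following is an added example for this report, not CYFIRMA’s code or part of Kuiper: it scans a file in fixed-size chunks and marks the chunks whose byte entropy is close to 8 bits per byte, i.e. ciphertext-like. The sample data is constructed (random bytes standing in for ciphertext in the first quarter of a 1 MiB buffer, repetitive SQL text in the rest); which quarter Kuiper actually encrypts is not stated in the report, so the layout is only a sample choice and the scan does not depend on it.

```python
"""Estimate how much of an encrypted file was actually overwritten.

Added example for this report; not CYFIRMA's code and not part of Kuiper. The
sample buffer is constructed; the scan itself makes no assumption about where
the encrypted region sits.
"""
import math
import random
from collections import Counter
from typing import List, Tuple

CHUNK_SIZE = 64 * 1024
CIPHERTEXT_ENTROPY = 7.5   # bits per byte; random or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                     threshold: float = CIPHERTEXT_ENTROPY) -> Tuple[float, List[bool]]:
    """Return (fraction of chunks that look encrypted, per-chunk flags in file order)."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    flags = [shannon_entropy(c) >= threshold for c in chunks]
    fraction = sum(flags) / len(flags) if flags else 0.0
    return fraction, flags


def build_sample(size: int = 1024 * 1024, seed: int = 7) -> bytes:
    """Constructed stand-in for a fast-mode file: random head, plaintext tail."""
    rng = random.Random(seed)
    head = bytes(rng.randrange(256) for _ in range(size // 4))
    row = b"INSERT INTO orders VALUES (1001, 'widget', 9.99);\n"
    tail = (row * (size // len(row) + 1))[: size - len(head)]
    return head + tail


def run_sample() -> Tuple[float, List[bool]]:
    return encrypted_chunks(build_sample())


if __name__ == "__main__":
    fraction, flags = run_sample()
    print(f"{fraction:.0%} of chunks look encrypted")
    print("".join("#" if f else "." for f in flags))
```

On the sample the first four of sixteen chunks are flagged, giving 25%. The threshold needs care on real input: compressed or already-encrypted content (a .zip, a compressed .qcow2, a BitLocker volume inside a .vhdx) is high-entropy before the ransomware touches it, so a flagged chunk means “unrecoverable as plaintext”, not necessarily “encrypted by Kuiper”.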

After encrypting the files, the ransomware adds the “.kuiper” extension to the encrypted files.

After completing the encryption process, the ransomware executes several actions. It proceeds to clear the memory keys, with the boolean checked defaulting to “true” and remaining unaltered during runtime. If the reboot function is invoked, the ransomware’s execution halts at that point. If not, the execution continues.

Establishing a Signature and Performing Cleanup

After encrypting the machine, the ransomware employs additional tactics, which vary depending on the malware’s version. Across all versions, the removal of backups is a consistent action, eliminating any trace of the execution except for the modified files on the disk. The function utilized for deleting backups remains the same.
In Version C, additional features are introduced: the desktop wallpaper is changed and the binary removes itself. The wallpaper is hex encoded within the binary; at runtime it is decoded and then set as the new wallpaper.

The decoded wallpaper within the ransomware executable (Source: Surface web)

The function to set the new wallpaper comes from user32.dll, and is named SystemParametersInfoW.
Following the completion of the wallpaper change function, the ransomware proceeds to remove itself from the disk. This is achieved by generating a small batch file named “setup.bat.”

Screenshot of file encrypted by Kuiper ransomware (Source: Surface web)

Relevancy & Insights:

  • Targeting widely used operating systems including Windows, Linux, and MacOS, this ransomware poses a significant threat to diverse industries and organizations.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • User Input Checks: The ransomware is performing checks on user input. This behaviour implies that the ransomware can interact with the user or receive commands in some way. It could be looking for specific inputs or triggers to initiate its encryption process or carry out other malicious activities. This behaviour indicates a level of sophistication and interactivity in the ransomware’s design.
  • The use of idle periods may indicate that the ransomware is designed to operate more stealthily, waiting for the computer to be idle before encrypting files or performing other malicious activities.
  • A leak site, to double extort victims, is under development.

Following are the TTPs based on the MITRE ATT&CK framework.

| Sr. No | Tactics | Techniques/Sub-Techniques |
|---|---|---|
| 1 | TA0002: Execution | T1047: Windows Management Instrumentation |
| | | T1059: Command and Scripting Interpreter |
| | | T1106: Native API |
| | | T1129: Shared Modules |
| 2 | TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service |
| | | T1547.004: Boot or Logon Autostart Execution: Winlogon Helper DLL |
| 3 | TA0004: Privilege Escalation | T1543.003: Create or Modify System Process: Windows Service |
| | | T1547.004: Boot or Logon Autostart Execution: Winlogon Helper DLL |
| 4 | TA0005: Defense Evasion | T1027: Obfuscated Files or Information |
| | | T1027.005: Obfuscated Files or Information: Indicator Removal from Tools |
| | | T1070.001: Indicator Removal: Clear Windows Event Logs |
| | | T1070.004: Indicator Removal: File Deletion |
| | | T1112: Modify Registry |
| | | T1202: Indirect Command Execution |
| | | T1497.001: Virtualization/Sandbox Evasion: System Checks |
| | | T1562.001: Impair Defenses: Disable or Modify Tools |
| 5 | TA0006: Credential Access | T1056: Input Capture |
| 6 | TA0007: Discovery | T1016: System Network Configuration Discovery |
| | | T1082: System Information Discovery |
| | | T1124: System Time Discovery |
| | | T1135: Network Share Discovery |
| | | T1497.001: Virtualization/Sandbox Evasion: System Checks |
| | | T1518.001: Software Discovery: Security Software Discovery |
| 7 | TA0009: Collection | T1056: Input Capture |
| 8 | TA0011: Command and Control | T1071: Application Layer Protocol |
| 9 | TA0040: Impact | T1485: Data Destruction |
| | | T1486: Data Encrypted for Impact |
| | | T1490: Inhibit System Recovery |

ETLM Assessment:
CYFIRMA’s assessment, relying on available information, indicates potential future developments in Kuiper ransomware. The evolving tactics, such as the inclusion of new features in recent Versions, signify an ongoing trend of ransomware enhancements. Future iterations may continue to refine evasion techniques, expand targeting capabilities, and possibly introduce more sophisticated anti-detection measures. Organizations should remain vigilant, continuously update cybersecurity measures, and monitor threat intelligence for proactive defense against emerging ransomware threats.

Sigma Rule
```yaml
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.defense_evasion
    - attack.impact
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wmic.exe'
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        - OriginalFileName:
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'wmic.exe'
            - 'VSSADMIN.EXE'
            - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow' # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet' # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
```

(Source: Surface web)
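To show what the rule above actually matches, and where it stops, the following is an added Python transcription of its three selections run over constructed process-creation events. It is not the Sigma project’s engine and not CYFIRMA’s code. Sigma string matching is case-insensitive, a list under one field is an OR, a list of maps is an OR, and “|contains|all” requires every term; the condition is transcribed as written. A fourth check, recovery_inhibit(), goes beyond the rule to cover the boot-status-policy, recovery-mode and event-log clearing described in the “Deleting Backup” section; the bcdedit and wevtutil command forms it looks for are assumptions, since the report gives only the outcomes. All sample events are constructed.

```python
"""Reference implementation of the Sigma rule above, run over constructed events.

Added example for this report; not the Sigma engine and not CYFIRMA's code. The
recovery_inhibit() check is an extension with assumed command forms (bcdedit
recoveryenabled / bootstatuspolicy, wevtutil cl); the report names only the effects.
"""
from typing import Dict, List, Sequence

Event = Dict[str, str]

SEL1_IMAGES = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_ORIGINALS = ("powershell.exe", "pwsh.dll", "wmic.exe", "vssadmin.exe", "diskshadow.exe")


def _image(ev: Event, suffixes: Sequence[str], originals: Sequence[str]) -> bool:
    """Image|endswith any listed suffix OR OriginalFileName equals any listed name."""
    image = ev.get("Image", "").lower()
    original = ev.get("OriginalFileName", "").lower()
    return image.endswith(tuple(suffixes)) or original in originals


def _contains_all(text: str, terms: Sequence[str]) -> bool:
    return all(t in text for t in terms)


def _contains_any(text: str, terms: Sequence[str]) -> bool:
    return any(t in text for t in terms)


def shadow_copy_deletion(ev: Event) -> bool:
    """condition: (all of selection1*) or (all of selection2*) or (all of selection3*)"""
    cl = ev.get("CommandLine", "").lower()
    sel1 = _image(ev, SEL1_IMAGES, SEL1_ORIGINALS) and _contains_all(cl, ("shadow", "delete"))
    sel2 = (_image(ev, ("\\wbadmin.exe",), ("wbadmin.exe",))
            and _contains_all(cl, ("delete", "catalog", "quiet")))
    sel3 = (_image(ev, ("\\vssadmin.exe",), ("vssadmin.exe",))
            and _contains_all(cl, ("resize", "shadowstorage"))
            and _contains_any(cl, ("unbounded", "/maxsize=")))
    return sel1 or sel2 or sel3


def recovery_inhibit(ev: Event) -> bool:
    """Extension, not part of the rule: bcdedit touching recovery or boot-status
    settings, or wevtutil clearing a log (assumed command forms)."""
    cl = ev.get("CommandLine", "").lower()
    image = ev.get("Image", "").lower()
    if image.endswith("\\bcdedit.exe"):
        return "recoveryenabled" in cl or "bootstatuspolicy" in cl
    if image.endswith("\\wevtutil.exe"):
        return _contains_any(cl, (" cl ", " clear-log "))
    return False


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\wbadmin.exe", "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "OriginalFileName": "bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "OriginalFileName": "wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin list shadows"},
]


def run_sample() -> List[str]:
    """Label each sample event 'sigma' (rule match), 'extra' (extension only) or 'clean'."""
    labels = []
    for ev in SAMPLE_EVENTS:
        if shadow_copy_deletion(ev):
            labels.append("sigma")
        elif recovery_inhibit(ev):
            labels.append("extra")
        else:
            labels.append("clean")
    return labels


if __name__ == "__main__":
    for ev, label in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{label:6} {ev['CommandLine']}")
```

The first four events are the shadow-copy, backup-catalog and shadow-storage cases the rule is written for; the bcdedit and wevtutil events are the recovery-inhibiting steps the report attributes to version A, which the rule alone does not see, and “vssadmin list shadows” stays clean. Note that the rule keys on Image and OriginalFileName, so a renamed copy of vssadmin.exe with its version resource intact is still caught, while the PowerShell-based Defender changes described earlier need separate coverage.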

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering: (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information Stealer
Objective: Credential Stealing, Data Exfiltration
Target Technology: Windows OS
Target Geography: Vietnam
Targets: Government, Public and Private Organizations, Universities, Banks, Enterprises, Social Media Platforms (Facebook)

Active Malware of the Week
This week “VietCredCare” is trending.

Summary
Researchers have identified multiple variants of the VietCredCare malware targeting Windows operating systems. The malware, which continuously evolves, is primarily designed to take over corporate Facebook accounts. The researchers’ analysis shows that various Vietnamese Government Agencies, Public and Private Organizations, Universities, Banks, Enterprises, and personal/business social media accounts are at risk of compromise, indicating a widespread threat affecting diverse sectors in Vietnam.

VietCredCare
VietCredCare, an information stealer operational since at least August 2022, operates under the stealer-as-a-service model and is likely managed by Vietnamese-speaking individuals. Noteworthy for its automatic filtering of session cookies and credentials for Facebook accounts, the malware targets individuals in Vietnam, especially those managing profiles of prominent businesses. Compromised Facebook accounts with large followings can be exploited for political posts or financial gains through scams and credential sales.

VietCredCare spreads through phishing sites shared on social media, disguised as legitimate software downloads. Purchasers of VietCredCare gain access to individual Telegram bot channels, facilitating the exfiltration, delivery of stolen data, and communication with developers. Researchers identified over 20 distinct Telegram bot channels associated with VietCredCare.

VietCredCare Structure
VietCredCare’s stealer-as-a-service campaign affects three main groups: the malware developers and advertisers, the users (buyers), and the unwitting victims who download it. Each group plays a distinct role in the operation of VietCredCare.

Developers and advertisers of the stealer
The first group in the VietCredCare campaign consists of the developers responsible for creating the information stealer. They manage components, Telegram bots for data reception, and distribute the stealer as a loader to buyers. Notably, researchers discovered numerous advertisements for the information stealer not only on the dark web but also on widely used public platforms like YouTube and Facebook.

Buyers of the stealer
The second group in the VietCredCare campaign comprises individuals who purchase the information stealer and employ advanced phishing tactics to trick victims into downloading the payload onto their devices. After successful exfiltration, buyers gain access to victims’ credentials and cookies, with a focus on Facebook data. Each buyer receives a unique Telegram bot channel configured by the threat actor. These buyers may use various strategies to exploit compromised Facebook accounts, including spreading misinformation or shaping public perception, or engaging in financially motivated activities such as phishing campaigns, fake product sales, affiliate scams, directing web traffic for advertising revenue, or selling stolen credentials.

Hunting for buyers: stealer-as-a-service
Researchers uncovered a series of Vietnamese-language advertisements on Facebook promoting VietCredCare to potential buyers involved in cybercriminal activities. These ads also surfaced in prominent Vietnamese-language Telegram channels, enticing users with access to a 1MB C# executable file specifically crafted to evade antivirus and firewall protections. This malware can disguise itself as a legitimate application, enhancing its chances of avoiding detection. Advertisements highlight features such as stealing browser cookies and passwords, as well as bypassing Facebook’s two-factor authentication system. Following these operations, the threat actor gains two .txt files containing stolen cookies and passwords. Notably, researchers identified over 20 individual threat actors utilizing the same VietCredCare sample, with one case standing out as a buyer attempted to modify the stealer malware.

Technical Analysis
VietCredCare, an information stealer designed for Windows operating systems and developed in .NET, functions by tricking users into executing a file (payload) disguised as legitimate software. Upon execution, VietCredCare cleverly generates a self-replicating copy named “crsysys.exe” in the %STARTUP% folder. Notably, this information stealer operates autonomously without relying on a command-and-control (C2) server to launch a payload. Stolen data from the infected device is discreetly transmitted to a Telegram bot, making it accessible to the threat actor. Researchers identified over 20 distinct Telegram bots utilizing messenger’s API functionality for this purpose. VietCredCare can pilfer various data, including session IDs, cookies, and passwords, from the browsers (Chrome, Chromium, and MS Edge, along with the Vietnam-specific Cốc Cốc) of infected devices, showcasing its multifaceted functionalities.

Functions of VietCredCare

  • Retrieve victim’s IP address using external resources.
  • This is done by sending an HTTP request to hxxps[:]//ipinfo[.]io/ip
  • Identify Facebook accounts and whether they are business profiles.
  • VietCredCare, upon detecting an active Facebook browser session, assesses if it’s a business account through an HTTP request using a custom agent. By making a request to hxxps[:]//business[.]facebook[.]com/content_management/, the malware extracts the access token, information about managed groups, and the Meta ad credit balance. These details are then sent to a Telegram bot for access by the threat actor.
  • Identify folder path with browser profile and exfiltrate cookies and login data.
  • The source code of VietCredCare discloses the capability to extract data from specific file paths associated with different web browsers.
  • Similarly, the source code of VietCredCare details the method through which it accesses cookie files, using Chrome as an illustrative example.
  • Assess whether Facebook accounts are managing any advertisements.
  • A significant feature of VietCredCare is its capacity to determine if a Facebook account is managing advertisements, with this information relayed to the threat actor through a message posted from the Telegram bot.
  • VietCredCare’s evaluation process, as mentioned in the above screenshot, involves checks such as verifying if the account possesses a positive Meta ad credit balance.
  • Evasion tactics
  • VietCredCare is typically packed before distribution. When launched on a victim’s device, it not only activates the information stealer but also employs various evasion techniques.
  • Add itself to the exclusion list of Windows Defender
  • Disables AMSI functionality.

Telegram Bot Functionalities
VietCredCare relies on its Telegram bot functionalities for a crucial role in the data exfiltration process. The primary purpose of this bot, beyond notifying about the presence of Facebook account credentials in the stealer logs, is to receive the stolen data. This data is converted into two text files (.txt), containing cookies and passwords extracted from compromised devices. Additionally, the bot facilitates communication between the malware’s developers and buyers.

In the data exfiltration process, the threat actor first receives a message indicating the number of Facebook accounts present in the logs. Subsequently, a second message includes an attachment of a .txt file containing the browser cookies exfiltrated from the infected device. The final message in this thread contains the compromised passwords stolen from the browsers of infected devices, also sent in a .txt file. This workflow was detailed in advertisement videos uploaded to YouTube and posts on Facebook, all presented in the Vietnamese language.

INSIGHTS

  • In October 2022, a high-profile employee of a leading Vietnamese bank was targeted through a deceptive link on Zalo (a widely used local messenger), leading to the download of a malicious .zip file. This information stealer, built to infiltrate systems and harvest sensitive data, specifically targeted Vietnamese users. Active since at least August 2022, it is now known as VietCredCare, highlighting the persistent and evolving nature of cyber threats in the region.
  • VietCredCare, a sophisticated information stealer operating under the stealer-as-a-service model, reveals a complex web of connections among its developers, buyers, and victims. Its primary function, harvesting and exfiltrating cookies and credentials, poses significant risks to organizations in both the Vietnamese public and private sectors. The stealer-as-a-service business model enables threat actors with little to no technical skill to enter the cybercrime field, which results in more victims being harmed.
  • The targeted nature of VietCredCare emphasizes the strategic focus on individuals managing profiles of prominent businesses and organizations in Vietnam. This approach suggests a deliberate effort to exploit the influence and credibility associated with these accounts, amplifying the potential fallout from account takeovers. The blend of financial and reputational risks underscores the intricate challenges companies face in safeguarding against evolving cyber threats.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the impact of VietCredCare on organizations appears poised to deepen, with a potential escalation in the scale and sophistication of cyber threats. As this information stealer continues to target individuals managing profiles of prominent businesses and organizations in Vietnam, the risks associated with account takeover are likely to grow. Recent findings indicate active promotion within the Vietnamese cybercriminal community, suggesting a sustained threat in the coming months. This highlights the ongoing relevance and potential risks associated with VietCredCare in the evolving cybersecurity landscape.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audits of workstations, servers, laptops and mobile devices to identify unauthorized or restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Always inspect the full URL before downloading files to ensure it matches the source.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Brute force, Password spraying attack, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Rhysida Ransomware | Malware – VietCredCare
  • Rhysida Ransomware – one of the active ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – VietCredCare
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

APT29’s Latest Tactics: Navigating the Evolving Threat Landscape

  • Threat Actors: APT29
  • Attack Type: Brute force and password spraying
  • Objective: Espionage
  • Target Technology: Cloud Infrastructure
  • Target Geographies: USA, Australia, Canada, New Zealand
  • Target Industries: Government organization
  • Business Impact: Data Loss, Data exfiltration

Summary:
In a recent observation, Russian hackers affiliated with APT29, also known as Cozy Bear or Midnight Blizzard, are now shifting their focus to target cloud services, according to a warning issued by members of the Five Eyes intelligence alliance. These hackers, also linked to the Russian Foreign Intelligence Service (SVR), have previously breached U.S. federal agencies and compromised Microsoft 365 accounts belonging to entities within NATO nations.

SVR actors exploit service accounts through brute forcing and password spraying, because such accounts often lack multi-factor authentication and hold high privileges. Dormant accounts of former employees are also targeted for access. When an organization enforces password resets after an incident, SVR actors regain access through inactive accounts that were not reset, complicating incident response efforts. SVR actors also leverage password spraying and credential reuse to breach personal accounts, bypassing password authentication. They further use “MFA bombing”, overwhelming victims with multi-factor authentication requests until one is approved and access is granted.

Once inside the cloud environment, they register their own devices to gain network access, exploiting gaps in device validation rules. To evade detection, SVR actors utilize residential proxies, masking their true origin and complicating identification by network defenses reliant on IP addresses. This underscores the importance of employing a range of detection methods, such as application and host-based logging, to detect and thwart such malicious activities.
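The advisory's point is that IP-based blocking fails against residential proxies, so the spray and MFA-bombing patterns have to be found in sign-in and MFA logs themselves. The following is an added example, not code from the advisory or from CYFIRMA: it runs both detections over constructed sign-in events; the event format, the thresholds, and the account names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not from the advisory): (timestamp, account, source_ip, result).
# result is one of: failure, success, mfa_prompt, mfa_denied, mfa_approved.
SAMPLE_SIGNIN_EVENTS = [
    # Password spray: one source, one attempt per account, service accounts first,
    # ending with a success against a dormant former-employee account.
    ("2024-02-27T03:01:00Z", "svc-backup", "203.0.113.7", "failure"),
    ("2024-02-27T03:01:20Z", "svc-mail", "203.0.113.7", "failure"),
    ("2024-02-27T03:01:40Z", "alice", "203.0.113.7", "failure"),
    ("2024-02-27T03:02:00Z", "bob", "203.0.113.7", "failure"),
    ("2024-02-27T03:02:20Z", "carol", "203.0.113.7", "failure"),
    ("2024-02-27T03:02:40Z", "former-employee", "203.0.113.7", "success"),
    # A user mistyping their own password: one account, not a spray.
    ("2024-02-27T08:10:00Z", "dave", "198.51.100.5", "failure"),
    ("2024-02-27T08:10:30Z", "dave", "198.51.100.5", "failure"),
    ("2024-02-27T08:11:00Z", "dave", "198.51.100.5", "success"),
    # MFA bombing: repeated prompts within two minutes until one is approved.
    ("2024-02-27T22:30:00Z", "erin", "203.0.113.9", "mfa_prompt"),
    ("2024-02-27T22:30:20Z", "erin", "203.0.113.9", "mfa_denied"),
    ("2024-02-27T22:30:40Z", "erin", "203.0.113.9", "mfa_prompt"),
    ("2024-02-27T22:31:00Z", "erin", "203.0.113.9", "mfa_prompt"),
    ("2024-02-27T22:31:20Z", "erin", "203.0.113.9", "mfa_prompt"),
    ("2024-02-27T22:31:40Z", "erin", "203.0.113.9", "mfa_prompt"),
    ("2024-02-27T22:32:00Z", "erin", "203.0.113.9", "mfa_approved"),
    # A normal single prompt that is approved.
    ("2024-02-27T09:00:00Z", "frank", "198.51.100.8", "mfa_prompt"),
    ("2024-02-27T09:00:10Z", "frank", "198.51.100.8", "mfa_approved"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag source IPs whose failed sign-ins touch >= min_accounts distinct accounts
    within `window`; also list accounts that then succeeded from that IP."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result in ("failure", "success"):
            by_ip[ip].append((_ts(ts), user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            failed = {u for _, u, r in in_window if r == "failure"}
            if len(failed) >= min_accounts:
                flagged[ip] = {
                    "accounts_sprayed": len(failed),
                    "successful_accounts": sorted({u for _, u, r in in_window if r == "success"}),
                }
                break
    return flagged


def detect_mfa_fatigue(events, min_prompts=5, window=timedelta(minutes=5)):
    """Flag accounts receiving >= min_prompts MFA prompts within `window`, noting
    whether a prompt was approved after the burst began (the goal of MFA bombing)."""
    by_user = defaultdict(list)
    for ts, user, _ip, result in events:
        if result.startswith("mfa_"):
            by_user[user].append((_ts(ts), result))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        prompts = [t for t, r in evs if r == "mfa_prompt"]
        for i, start in enumerate(prompts):
            burst = [t for t in prompts[i:] if t - start <= window]
            if len(burst) >= min_prompts:
                approved = any(r == "mfa_approved" and t >= start for t, r in evs)
                flagged[user] = {"prompts": len(burst), "approved_after_burst": approved}
                break
    return flagged


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(SAMPLE_SIGNIN_EVENTS))
    print("MFA fatigue targets:", detect_mfa_fatigue(SAMPLE_SIGNIN_EVENTS))
```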

Relevancy & Insights:
APT29, also known as Cozy Bear or Midnight Blizzard, has long been associated with the Russian SVR intelligence service. As organizations increasingly migrate infrastructure and data to the cloud, the group has adapted its tactics, techniques and procedures (TTPs) to infiltrate and access intelligence hosted in cloud environments. In 2022, APT29 introduced MagicWeb, a sophisticated post-exploitation malware that uses a rogue DLL to gain covert access to AD FS systems through an authentication bypass. Recent attacks by APT29 have also incorporated password spray attacks, indicating a convergence of tactics among threat actors targeting cloud-hosted infrastructure. This adaptation highlights APT29’s agility and suggests a potential exchange of cyber tactics among state-sponsored threat groups, emphasizing the importance of robust cybersecurity measures for organizations moving to the cloud.

ETLM Assessment:
The recent nation-state attack by Cozy Bear/Midnight Blizzard, known as APT29 and linked to the Russian SVR, highlights the critical need for effective management of external threats. Targeting organizations shaping foreign policies in NATO countries, across sectors such as education and government, APT29 has demonstrated agility by incorporating password spray attacks, particularly focusing on cloud-hosted infrastructure. This convergence of tactics underscores the importance of robust cybersecurity measures, necessitating advanced threat detection, updated security protocols, and a culture of cybersecurity awareness. Collaboration with cybersecurity experts and information sharing among industry peers are essential to enhance readiness against evolving external threats.

Recommendations:

  • Educate employees about evolving threats and the importance of security best practices, such as recognizing phishing attempts.
  • Enforce MFA across all user accounts to add a layer of security, making it significantly harder for threat actors to compromise accounts through password-based attacks.
  • Perform frequent security assessments, including penetration testing and vulnerability scans, to identify and address potential weaknesses.
  • Perform routine security audits and assessments to identify potential weaknesses in the network, applications, and configurations. Regular testing helps in proactively addressing vulnerabilities before they can be exploited.

Major Geopolitical Developments in Cybersecurity

Chinese cyberespionage company data leak
A massive collection of files from the Chinese cyberespionage firm i-SOON, also known as Sichuan Anxun, was released online by an unknown source, probably an insider. Business pitches, internal conversation logs, product descriptions, passwords and other credentials taken from victims are among the documents that were uploaded to a public GitHub repository. The topics covered in the business presentations are diverse and include everything from data analysis and Outlook email account hacking tools to i-SOON’s bids for a contract for a surveillance tool that will be used against Uyghurs in Xinjiang. The company targeted colleges and NATO offices in Europe, pro-democracy movements in Hong Kong, and businesses in Southeast Asia, giving the impression that it had a wide range of overseas targets.

ETLM Assessment:
The compromised conversation logs demonstrate how cyber espionage has been made possible by China’s vulnerability disclosure policy, which was altered in the last year to require companies to notify the government of flaws before making them public. Wu Haibo, the CEO of i-SOON, asked one of his staff members in the chats if he could get an exploit code from the local Ministry of Public Security for the Tianfu Cup, a Chinese cybersecurity firm. China is then using this knowledge to engage in large-scale IP theft, as we have reported earlier.

Rise in Malware/Ransomware and Phishing

The Rhysida Ransomware impacts the Ironrock

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: The United States of America
  • Ransomware: Rhysida Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed in an underground forum that a company from the United States of America, Ironrock (www[.]ironrock[.]com), was compromised by the Rhysida Ransomware. Ironrock is a manufacturer of high-quality indoor/outdoor unglazed ceramic quarry tile and architectural thin brick. The compromised data has not yet surfaced on the leak site, suggesting ongoing negotiations between the affected party and the ransomware group. Within the compromised data are confidential and sensitive details pertaining to the organization. The ransom demanded for the entire dataset is set at 5 BTC.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • The Rhysida ransomware group, which first appeared in May 2023, operates as a ransomware-as-a-service. It utilizes the malware families PortStarter and SystemBC. Rhysida employs a double extortion technique, stealing data from victim networks before encrypting it and threatening to publish it on the dark web unless a ransom is paid.
  • Motivated by financial gains, Rhysida’s operators have been known to use phishing attacks as a means of gaining initial access, after which Cobalt Strike is used for lateral movement across infected machines. In July 2023, we observed the Rhysida ransomware using PsExec to deliver a script, detected as SILENTKILL, to terminate antivirus programs. In August 2023, we observed PowerShell versions of the Rhysida ransomware. Notably, the PowerShell variant does not include any command-line arguments for execution.
  • The Rhysida Ransomware group primarily targets countries such as the United States of America, the United Kingdom, Italy, Germany, and China.
  • The Rhysida Ransomware group primarily targets industries including Specialized Consumer Services, Industrial Machinery, Software, Health Care Providers and Government Agencies.
  • Based on the Rhysida Ransomware victims list from 1 Jan 2023 to 28 Feb 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Rhysida Ransomware from 1 Jan 2023 to 28 Feb 2024 are as follows:

ETLM Assessment:
CYFIRMA’s assessment indicates a sustained focus on US-based companies by the Rhysida ransomware, as illustrated in the attached graph. Despite this, recent events, including the Ironrock attack, underscore the potential vulnerability of other prominent manufacturing entities to similar targeting. It is evident that the threat landscape is dynamic, and organizations across various sectors should remain vigilant to mitigate risks associated with ransomware attacks.

Vulnerabilities and Exploits

Vulnerability in libdicom

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Universal components / Libraries
  • Vulnerability: CVE-2024-24794 (CVSS Base Score 8.1)
  • Vulnerability Type: Use After Free
  • Patch: Available

Summary:
The vulnerability allows a remote attacker to compromise a vulnerable system.

Relevancy & Insights:
The vulnerability exists due to a use-after-free error in the DICOM Element Parsing as implemented within the parse_meta_sequence_end() function.

Impact:
A remote attacker can use a specially crafted DICOM file to execute arbitrary code on the target system.

Affected Products:
https[:]//www[.]talosintelligence[.]com/vulnerability_reports/TALOS-2024-1931

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

US PHARMACY OUTAGE CAUSED BY BLACKCAT RANSOMWARE ATTACK ON OPTUM SOLUTIONS

  • Threat Actors: BlackCat/ALPHV
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: USA
  • Target Industry: Healthcare
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Sources familiar with the investigation have linked a cyberattack on Optum, a subsidiary of UnitedHealth Group, to the BlackCat ransomware group. This attack has caused an ongoing outage of the Change Healthcare payment exchange platform, significantly impacting its operations. Change Healthcare has informed its customers of the service disruptions due to a cybersecurity incident. In a filing with the SEC, UnitedHealth Group reported that the cyberattack was executed by hackers, suspected to be affiliated with a nation-state, who managed to infiltrate Change Healthcare’s IT systems.

This incident has resulted in extensive billing outages across the U.S. healthcare system, affecting a wide array of services, including electronic health records (EHR), payment processing, care coordination, and data analytics in various healthcare facilities, such as hospitals, clinics, and pharmacies. The outage is particularly disruptive given the central role of the Change Healthcare platform in these operations. BlackCat has not officially claimed responsibility for the cyberattack on Change Healthcare. This might suggest that the group is possibly negotiating a ransom. A key sign of the breach, according to those close to the investigation, is the exploitation of a critical vulnerability, known as the ScreenConnect auth bypass flaw (CVE-2024-1709). This flaw has been actively exploited to deploy ransomware on servers that have not been patched, indicating the sophisticated nature of the attack.

Relevancy & Insights:
The BlackCat/ALPHV ransomware gang, operational since November 2021, has left a trail of victims across various sectors. Among its notable targets are SOLAR INDUSTRIES INDIA, a manufacturer of industrial explosives, the US defense contractor NJVC, gas pipeline operator Creos Luxembourg S.A., renowned fashion brand Moncler, aviation services provider Swissport, technology companies such as NCR, and data storage solutions provider Western Digital. The group’s ransom demands range from tens of thousands of dollars to tens of millions.

ETLM Assessment:
BlackCat operates as a ransomware-as-a-service (RaaS) under the umbrella of ALPHV, a group of cybercriminals primarily communicating in Russian. Their modus operandi frequently involves a triple-extortion strategy. While BlackCat has historically targeted entities in the financial, manufacturing, legal, and professional services sectors, its reach extends across all industries. CYFIRMA’s assessment of the ongoing campaign indicates a strong likelihood of BlackCat persisting in its global ransomware activities, driven by the pursuit of substantial financial rewards.

Data Leaks

Chunghwa Telecom data advertised in the Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Telecommunication
  • Target Geography: Taiwan
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data sale related to Chunghwa Telecom, {www[.]cht[.]com[.]tw}. Chunghwa Telecom Company, Ltd. is the largest integrated telecom service provider in Taiwan, and the incumbent local exchange carrier for PSTN, mobile, and broadband services in the country. The dataset for sale includes internal documents, databases, and contracts from both the company and the Taiwan government, along with other confidential information. The total size of the dataset available for sale is approximately 1.7 Terabytes.

Source: Underground forums

Relevancy & Insights:
In the realm of cybersecurity, opportunistic cybercriminals driven by financial incentives are perpetually scanning for exposed and vulnerable systems and applications. A significant portion of these adversaries operate within clandestine underground forums, where they engage in discussions related to cybercrime and trade stolen digital assets. Unlike more overt financially motivated threat actors such as ransomware or extortion groups, these individuals prefer to operate discreetly. They exploit unpatched systems or vulnerabilities within applications to gain unauthorized access and pilfer valuable data. Subsequently, this stolen data is advertised for sale within underground forums, facilitating its resale and repurposing by other malicious actors in their illicit activities.

ETLM Assessment:
The “303’s Forum threat actor” is driven predominantly by financial incentives. At present, they are actively involved in the illicit trade of sensitive data, encompassing personally identifiable information (PII), financial records, and other confidential data sourced from Chunghwa Telecom. As per CYFIRMA’s evaluation, this threat actor, based in Taiwan, poses a heightened risk to institutions with inadequate security protocols and infrastructure, making them susceptible to potential cyberattacks.

Other Observations

CYFIRMA Research team observed a potential data leak related to Mahalasa Group, {www[.]mahalasa[.]co[.]in}. Mahalasa Group is a reputable IT company delivering comprehensive IT solutions and services to clients globally. The compromised data includes personally identifiable information such as names, phone numbers, email addresses, physical addresses, access tokens, and other confidential and sensitive data.

Source: Underground forums

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve detection to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.